Merge branch 'best_practice_policies' of https://github.com/nirmata/kyverno into best_practice_policies

# Conflicts:
#	examples/best_practices/policy_validate_container_disallow_priviledgedprivelegesecalation.yaml
#	examples/best_practices/policy_validate_container_security_context.yaml
#	examples/best_practices/validate_container_security_context.yaml

examples/best_practices/README.md

@@ -1,23 +1,21 @@
 # Best Practice Policies
 
-This folder contains recommended policies
-
 | Best practice                                  | Policy
-|------------------------------------------------|-----------------------------------------------------------------------|-
-| Run as non-root user                           | 
-| Disallow privileged and privilege escalation   |
-| Disallow use of host networking and ports      |
-| Disallow use of host filesystem                |
-| Disallow hostPOD and hostIPC                   |
-| Require read only root filesystem              |
-| Disallow node ports                            |
-| Allow trusted registries                       |
-| Require resource requests and limits           | [container_resources.yaml](container_resources.yaml)
-| Require pod liveness and readiness probes      |
-| Require an image tag                           |
-| Disallow latest tag and pull IfNotPresent      |
-| Require a namespace (disallow default)         |
-| Disallow use of kube-system namespace          |
-| Prevent mounting of service account secret     |
-| Require a default network policy               |
-| Require namespace quotas and limit ranges      |
+|------------------------------------------------|-----------------------------------------------------------------------|
+| Run as non-root user                           | [policy_validate_deny_runasrootuser.yaml](policy_validate_deny_runasrootuser.yaml)                                                                           |
+| Disallow privileged and privilege escalation   | [policy_validate_container_disallow_priviledgedprivelegesecalation.yaml](policy_validate_container_disallow_priviledgedprivelegesecalation.yaml)             |
+| Disallow use of host networking and ports      |  [policy_validate_host_network_port.yaml](policy_validate_host_network_port.yaml)                                                                            |
+| Disallow use of host filesystem                |  [policy_validate_host_path.yaml](policy_validate_host_path.yaml)                                                                                            |
+| Disallow hostPOD and hostIPC                   |                                                                       |
+| Require read only root filesystem              |                                                                       |
+| Disallow node ports                            |                                                                                                                  |
+| Allow trusted registries                       | [policy_validate_image_registries.yaml](policy_validate_image_registries.yaml)                                                                               |
+| Require resource requests and limits           | [policy_validate_pod_resources.yaml](policy_validate_pod_resources.yaml)                                                                                     |
+| Require pod liveness and readiness probes      | [policy_validate_pod_probes.yaml](policy_validate_pod_probes.yaml)                                                                                           |
+| Require an image tag                           | [policy_validate_image_tag_notspecified_deny.yaml](policy_validate_image_tag_notspecified_deny.yaml)                                                         |
+| Disallow latest tag and pull IfNotPresent      | [policy_validate_image_latest_ifnotpresent_deny.yaml](policy_validate_image_latest_ifnotpresent_deny.yaml)                                                   |
+| Require a namespace (disallow default)         |                                                                       |
+| Disallow use of kube-system namespace          |                                                                       |
+| Prevent mounting of service account secret     |                                                                       |
+| Require a default network policy               |                                                                       |
+| Require namespace quotas and limit ranges      |                                                                       |

examples/best_practices/policy_validate_container_disallow_priviledgedprivelegesecalation.yaml

@@ -0,0 +1,30 @@
+apiVersion: kyverno.io/v1alpha1
+kind: ClusterPolicy
+metadata:
+  name: validate-deny-privileged-disallowpriviligedescalation
+spec:
+  validationFailureAction: "audit"
+  rules:
+  - name: deny-privileged-disallowpriviligedescalation
+    exclude:
+      resources:
+        namespaces: 
+        - kube-system
+    match:
+      resources:
+        kinds:
+        - Pod
+    validate:
+      message: "Privileged mode is not allowed. Set allowPrivilegeEscalatin and privileged to false"
+      anyPattern:
+      - spec:
+        securityContext:
+          allowPrivilegeEscalation: false
+          privileged: false
+      # pattern:
+      #   spec:
+      #     containers:
+      #     - name: "*"
+      #       securityContext:
+      #         allowPrivilegeEscalation: false
+      #         privileged: false    

examples/best_practices/policy_validate_container_security_context.yaml

@@ -1,40 +0,0 @@
-apiVersion: kyverno.io/v1alpha1
-kind: ClusterPolicy
-metadata:
-  name: check-container-security-context
-spec:
-  validationFailureAction: "audit"
-  rules:
-  - name: check-root-user
-    exclude:
-      resources:
-        namespaces: 
-        - kube-system
-    match:
-      resources:
-        kinds:
-        - Pod
-    validate:
-      message: "Root user is not allowed. Set runAsNonRoot to true."
-      anyPattern:
-      - spec:
-          securityContext:
-            runAsNonRoot: true
-  - name: check-privilege
-    exclude:
-      resources:
-        namespaces: 
-        - kube-system
-    match:
-      resources:
-        kinds:
-        - Pod
-    validate:
-      message: "Privileged mode is not allowed. Set allowPrivilegeEscalatin and privileged to false"
-      pattern:
-        spec:
-          containers:
-          - name: "*"
-            securityContext:
-              allowPrivilegeEscalation: false
-              privileged: false

examples/best_practices/policy_validate_deny_runasrootuser.yaml

@@ -0,0 +1,28 @@
+apiVersion: kyverno.io/v1alpha1
+kind: ClusterPolicy
+metadata:
+  name: validate-deny-runasrootuser
+spec:
+  validationFailureAction: "audit"
+  rules:
+  - name: deny-runasrootuser
+    exclude:
+      resources:
+        namespaces: 
+        - kube-system
+    match:
+      resources:
+        kinds:
+        - Pod
+    validate:
+      message: "Root user is not allowed. Set runAsNonRoot to true."
+      anyPattern:
+      - spec:
+          securityContext:
+            runAsNonRoot: true
+      # pattern:
+      #   spec:
+      #     containers:
+      #     - name: "*"
+      #       securityContext:
+      #         runAsNonRoot: true

examples/best_practices/resources/resource_validate_container_security_context.yaml

@@ -1,13 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
-  name: check-container-security-context
-spec:
-  securityContext:
-    runAsNonRoot: true
-  containers:
-  - name: check-container-security-context
-    image: nginxinc/nginx-unprivileged
-    securityContext:
-      allowPrivilegeEscalation: true
-      privileged: false

examples/best_practices/resources/resource_validate_deny_runasrootuser.yaml

@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: check-root-user
+spec:
+  securityContext:
+    runAsNonRoot: true
+  containers:
+  - name: check-root-user
+    image: nginxinc/nginx-unprivileged
+    # securityContext:
+    #   allowPrivilegeEscalation: true
+    #   privileged: false

examples/best_practices/validate_image_tag.yaml

@@ -1,34 +0,0 @@
-apiVersion : kyverno.io/v1alpha1
-kind: ClusterPolicy
-metadata:
-  annotations:
-    kyverno.io/category: images
-    kyverno.io/description: |
-      ......
-  name: validate-image
-spec:
-  rules:
-  - name: validate-tag
-    match:
-      resources:
-        kinds:
-        - Pod
-    validate:
-      message: "An image tag is required"    
-      pattern:
-        spec:
-          containers:
-          - image: "*:*"  
-  - name: validate-latest
-    match:
-      resources:
-        kinds:
-        - Pod
-    validate:
-      message: "imagePullPolicy 'Always' required with tag 'latest'"    
-      pattern:
-        spec:
-          containers:
-          - (image): "*latest"
-            imagePullPolicy: Always
-

examples/best_practices/validate_pod_probes.yaml

@@ -1,25 +0,0 @@
-apiVersion: kyverno.io/v1alpha1
-kind: ClusterPolicy
-metadata:
-  name: validate-probes
-spec:
-  validationFailureAction: "audit"
-  rules:
-  - name: check-probes
-    match:
-      resources:
-        kinds:
-        - Pod
-    # exclude:
-    #   namespaces:
-    #     - kube-system
-    validate:
-      message: "Liveness and readiness probes are required"
-      pattern:
-        spec:
-          containers:
-            livenessProbe:
-              periodSeconds: ">0"      
-            readinessProbe:
-              periodSeconds: ">0"
-

examples/best_practices/validate_pod_resources.yaml

@@ -1,25 +0,0 @@
-apiVersion: kyverno.io/v1alpha1
-kind: ClusterPolicy
-metadata:
-  name: check-resources
-spec:
-  validationFailureAction: "audit"
-  rules:
-  - name: check-pod-resources
-    match:
-      resources:
-        kinds:
-        - Pod
-    validate:
-      message: "CPU and memory resource requests and limits are required"
-      pattern:
-        spec:
-          containers:
-          - name: "*"
-            resources:
-              requests:
-                memory: "?*"
-                cpu: "?*"
-              limits:
-                memory: "?*"
-                cpu: "?*"

examples/resources/resource_validate_nonRootUser.yaml

@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: sec-ctx-unprivileged
+spec:
+  # securityContext:
+  #   runAsNonRoot: true
+  containers:
+  - name: imagen-with-hostpath
+    image: nginxinc/nginx-unprivileged

pkg/testrunner/testrunner_test.go

@@ -18,8 +18,8 @@ func Test_validate_containerSecurityContext(t *testing.T) {
 	testScenario(t, "/test/scenarios/test/scenario_validate_containerSecurityContext.yaml")
 }
 
-func Test_validate_checkContainerSecurityContext(t *testing.T) {
-	testScenario(t, "/test/scenarios/test/scenario_validate_container_security_context.yaml")
+func Test_validate_deny_runasrootuser(t *testing.T) {
+	testScenario(t, "test/scenarios/test/scenario_validate_deny_runasrootuser.yaml.yaml")
 }
 
 func Test_validate_healthChecks(t *testing.T) {

test/scenarios/test/scenario_generate_networkPolicy.yaml

@@ -1,7 +1,7 @@
 # file path relative to project root
 input:
   policy: examples/policy_generate_networkPolicy.yaml
-  resource: examples/resource_generate_networkPolicy.yaml
+  resource: examples/resources/resource_generate_networkPolicy.yaml
 expected:
   generation:
     generatedResources:

test/scenarios/test/scenario_mutate_endPpoint.yaml

@@ -1,7 +1,7 @@
 # file path relative to project root
 input:
   policy: examples/policy_mutate_endpoint.yaml
-  resource: examples/resource_mutate_endpoint.yaml
+  resource: examples/resources/resource_mutate_endpoint.yaml
 expected:
   mutation:
     patchedresource: test/output/output_mutate_endpoint.yaml

test/scenarios/test/scenario_mutate_imagePullPolicy.yaml

@@ -1,7 +1,7 @@
 # file path relative to project root
 input:
   policy: examples/policy_mutate_imagePullPolicy.yaml
-  resource: examples/resource_mutate_imagePullPolicy.yaml
+  resource: examples/resources/resource_mutate_imagePullPolicy.yaml
 expected:
   mutation:
     patchedresource: test/output/output_mutate_imagePullPolicy.yaml

test/scenarios/test/scenario_mutate_pod_disable_automountingapicred.yaml

@@ -1,7 +1,7 @@
 # file path relative to project root
 input:
   policy: examples/best_practices/policy_mutate_pod_disable_automountingapicred.yaml
-  resource: examples/best_practices/resource_mutate_pod_disable_automountingapicred.yaml
+  resource: examples/best_practices/resources/resource_mutate_pod_disable_automountingapicred.yaml
 expected:
   mutation:
     patchedresource: test/output/output_mutate_pod_disable_automoutingapicred.yaml

test/scenarios/test/scenario_mutate_validate_qos.yaml

@@ -1,7 +1,7 @@
 # file path relative to project root
 input:
   policy: examples/policy_mutate_validate_qos.yaml
-  resource: examples/resource_mutate_validate_qos.yaml
+  resource: examples/resources/resource_mutate_validate_qos.yaml
 expected:
   mutation:
     patchedresource: test/output/output_mutate_validate_qos.yaml

test/scenarios/test/scenario_validate_containerSecurityContext.yaml

@@ -1,7 +1,7 @@
 # file path relative to project root
 input:
   policy: examples/policy_validate_containerSecurityContext.yaml
-  resource: examples/resource_validate_containerSecurityContext.yaml
+  resource: examples/resources/resource_validate_containerSecurityContext.yaml
 expected:
   validation:
     policyresponse:

test/scenarios/test/scenario_validate_container_security_context.yaml

@@ -1,22 +0,0 @@
-# file path relative to project root
-input:
-  policy: examples/best_practices/policy_validate_container_security_context.yaml
-  resource: examples/best_practices/resources/resource_validate_container_security_context.yaml
-expected:
-  validation:
-    policyresponse:
-      policy: check-container-security-context
-      resource:
-        kind: Pod
-        apiVersion: v1
-        namespace: ''
-        name: check-container-security-context
-      rules:
-        - name: check-root-user
-          type: Validation
-          message: "Validation rule 'check-root-user' anyPattern[0] succesfully validated"
-          success: true
-        - name: check-privilege
-          type: Validation
-          message: "Validation rule 'check-privilege' failed at '/spec/containers/0/securityContext/allowPrivilegeEscalation/' for resource Pod//check-container-security-context. Privileged mode is not allowed. Set allowPrivilegeEscalatin and privileged to false"
-          success: false

test/scenarios/test/scenario_validate_deny_runasrootuser.yaml.yaml

@@ -0,0 +1,18 @@
+# file path relative to project root
+input:
+  policy: examples/best_practices/policy_validate_deny_runasrootuser.yaml
+  resource: examples/best_practices/resources/resource_validate_deny_runasrootuser.yaml
+expected:
+  validation:
+    policyresponse:
+      policy: validate-deny-runasrootuser
+      resource:
+        kind: Pod
+        apiVersion: v1
+        namespace: ''
+        name: check-root-user
+      rules:
+        - name: deny-runasrootuser
+          type: Validation
+          message: "Validation rule 'deny-runasrootuser' anyPattern[0] succesfully validated"
+          success: true

test/scenarios/test/scenario_validate_healthChecks.yaml

@@ -1,7 +1,7 @@
 # file path relative to project root
 input:
   policy: examples/policy_validate_healthChecks.yaml
-  resource: examples/resource_validate_healthChecks.yaml
+  resource: examples/resources/resource_validate_healthChecks.yaml
 expected:
   validation:
     policyresponse:

test/scenarios/test/scenario_validate_imageRegistries.yaml

@@ -1,7 +1,7 @@
 # file path relative to project root
 input:
   policy: examples/policy_validate_imageRegistries.yaml
-  resource: examples/resource_validate_imageRegistries.yaml
+  resource: examples/resources/resource_validate_imageRegistries.yaml
 expected:
   validation:
     policyresponse:

test/scenarios/test/scenario_validate_image_latest_ifnotpresent_deny.yaml

@@ -1,7 +1,7 @@
 # file path relative to project root
 input:
   policy: examples/best_practices/policy_validate_image_latest_ifnotpresent_deny.yaml
-  resource: examples/best_practices/resource_validate_image_latest_ifnotpresent_deny.yaml
+  resource: examples/best_practices/resources/resource_validate_image_latest_ifnotpresent_deny.yaml
 expected:
   validation:
     policyresponse:

test/scenarios/test/scenario_validate_image_latest_ifnotpresent_pass.yaml

@@ -1,7 +1,7 @@
 # file path relative to project root
 input:
   policy: examples/best_practices/policy_validate_image_latest_ifnotpresent_deny.yaml
-  resource: examples/best_practices/resource_validate_image_latest_ifnotpresent_pass.yaml
+  resource: examples/best_practices/resources/resource_validate_image_latest_ifnotpresent_pass.yaml
 expected:
   validation:
     policyresponse:

test/scenarios/test/scenario_validate_image_pullpolicy_notalways_deny.yaml

@@ -1,7 +1,7 @@
 # file path relative to project root
 input:
   policy: examples/best_practices/policy_validate_image_pullpolicy_notalways_deny.yaml
-  resource: examples/best_practices/resource_validate_image_pullpolicy_notalways_deny.yaml
+  resource: examples/best_practices/resources/resource_validate_image_pullpolicy_notalways_deny.yaml
 expected:
   validation:
     policyresponse:

test/scenarios/test/scenario_validate_image_pullpolicy_notalways_pass.yaml

@@ -1,7 +1,7 @@
 # file path relative to project root
 input:
   policy: examples/best_practices/policy_validate_image_pullpolicy_notalways_deny.yaml
-  resource: examples/best_practices/resource_validate_image_pullpolicy_notalways_pass.yaml
+  resource: examples/best_practices/resources/resource_validate_image_pullpolicy_notalways_pass.yaml
 expected:
   validation:
     policyresponse:

test/scenarios/test/scenario_validate_image_tag_latest_deny.yaml

@@ -1,7 +1,7 @@
 # file path relative to project root
 input:
   policy: examples/best_practices/policy_validate_image_tag_latest_deny.yaml
-  resource: examples/best_practices/resource_validate_image_tag_latest_deny.yaml
+  resource: examples/best_practices/resources/resource_validate_image_tag_latest_deny.yaml
 expected:
   validation:
     policyresponse:

test/scenarios/test/scenario_validate_image_tag_latest_pass.yaml

@@ -1,7 +1,7 @@
 # file path relative to project root
 input:
   policy: examples/best_practices/policy_validate_image_tag_latest_deny.yaml
-  resource: examples/best_practices/resource_validate_image_tag_latest_pass.yaml
+  resource: examples/best_practices/resources/resource_validate_image_tag_latest_pass.yaml
 expected:
   validation:
     policyresponse:

test/scenarios/test/scenario_validate_image_tag_notspecified_deny.yaml

@@ -1,7 +1,7 @@
 # file path relative to project root
 input:
   policy: examples/best_practices/policy_validate_image_tag_notspecified_deny.yaml
-  resource: examples/best_practices/resource_validate_image_tag_notspecified_deny.yaml
+  resource: examples/best_practices/resources/resource_validate_image_tag_notspecified_deny.yaml
 expected:
   validation:
     policyresponse:

test/scenarios/test/scenario_validate_image_tag_notspecified_pass.yaml

@@ -1,7 +1,7 @@
 # file path relative to project root
 input:
   policy: examples/best_practices/policy_validate_image_tag_notspecified_deny.yaml
-  resource: examples/best_practices/resource_validate_image_tag_notspecified_pass.yaml
+  resource: examples/best_practices/resources/resource_validate_image_tag_notspecified_pass.yaml
 expected:
   validation:
     policyresponse:

test/scenarios/test/scenario_validate_nonRootUser.yaml

@@ -1,18 +1,18 @@
 # file path relative to project root
 input:
-  policy: examples/policy_validate_nonRootUser.yaml
-  resource: examples/resource_validate_nonRootUser.yaml
+  policy: examples/best_practices/policy_validate_deny_runasrootuser.yaml
+  resource: examples/best_practices/resources/resource_validate_nonRootUser.yaml
 expected:
   validation:
     policyresponse:
-      policy: check-container-security-context
+      policy: validate-deny-runasrootuser
       resource:
         kind: Pod
         apiVersion: v1
         namespace: ''
         name: sec-ctx-unprivileged
       rules:
-        - name: check-root-user
+        - name: deny-runasrootuser
           type: Validation
-          message: Validation rule 'check-root-user' failed to validate patterns defined in anyPattern. Root user is not allowed. Set runAsNonRoot to true.; anyPattern[0] failed at path /spec/securityContext/; anyPattern[1] failed at path /spec/containers/0/securityContext/
+          message: Validation rule 'deny-runasrootuser' failed to validate patterns defined in anyPattern. Root user is not allowed. Set runAsNonRoot to true.; anyPattern[0] failed at path /spec/securityContext/
           success: false