
update testrunner for examples/best_practices/policy_validate_container_security_context.yaml

This commit is contained in:
Shuting Zhao 2019-09-06 18:54:19 -07:00
parent bc087d7918
commit b667c47587
4 changed files with 46 additions and 18 deletions


@ -20,12 +20,6 @@ spec:
- spec: - spec:
securityContext: securityContext:
runAsNonRoot: true runAsNonRoot: true
# pattern:
# spec:
# containers:
# - name: "*"
# securityContext:
# runAsNonRoot: true
- name: check-privilege - name: check-privilege
exclude: exclude:
resources: resources:
@ -37,15 +31,10 @@ spec:
- Pod - Pod
validate: validate:
message: "Privileged mode is not allowed. Set allowPrivilegeEscalatin and privileged to false" message: "Privileged mode is not allowed. Set allowPrivilegeEscalatin and privileged to false"
anyPattern: pattern:
- spec: spec:
securityContext: containers:
allowPrivilegeEscalation: false - name: "*"
privileged: false securityContext:
# pattern: allowPrivilegeEscalation: false
# spec: privileged: false
# containers:
# - name: "*"
# securityContext:
# allowPrivilegeEscalation: false
# privileged: false
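Review bot: The new check-privilege pattern in the second hunk matches only `spec.containers`, so an init container can still declare `privileged: true` or `allowPrivilegeEscalation: true` without tripping the rule; the same requirement should also be stated for `spec.initContainers`. If I read Kyverno's pattern semantics right, a key absent from the resource fails the pattern, so adding `initContainers:` to this same pattern would reject pods that have no init containers — a second `anyPattern` entry or a separate rule is the safer shape. Moving the check from the pod-level securityContext to the container level is the right direction, since both fields exist only on the container securityContext. The unchanged message line still reads `allowPrivilegeEscalatin`, and the scenario file added in this commit now pins that exact string, so fixing the spelling will need both files updated together.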


@ -0,0 +1,13 @@
apiVersion: v1
kind: Pod
metadata:
name: check-container-security-context
spec:
securityContext:
runAsNonRoot: true
containers:
- name: check-container-security-context
image: nginxinc/nginx-unprivileged
securityContext:
allowPrivilegeEscalation: true
privileged: false
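Review bot: The resource deliberately sets `allowPrivilegeEscalation: true` so that the scenario's check-privilege expectation fails, but nothing in the file says so, and a reader tuning the policy will mistake it for a compliant example. A comment on that line, `# intentional violation: the scenario expects check-privilege to fail`, would make the fixture self-explaining. The pod-level `runAsNonRoot: true` with no container-level override is what satisfies check-root-user here; that pairing deserves a one-line comment as well.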


@ -18,6 +18,10 @@ func Test_validate_containerSecurityContext(t *testing.T) {
testScenario(t, "/test/scenarios/test/scenario_validate_containerSecurityContext.yaml") testScenario(t, "/test/scenarios/test/scenario_validate_containerSecurityContext.yaml")
} }
func Test_validate_checkContainerSecurityContext(t *testing.T) {
testScenario(t, "/test/scenarios/test/scenario_validate_container_security_context.yaml")
}
func Test_validate_healthChecks(t *testing.T) { func Test_validate_healthChecks(t *testing.T) {
testScenario(t, "/test/scenarios/test/scenario_validate_healthChecks.yaml") testScenario(t, "/test/scenarios/test/scenario_validate_healthChecks.yaml")
} }
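Review bot: `Test_validate_checkContainerSecurityContext` differs from the existing `Test_validate_containerSecurityContext` two lines above only by the word `check`, and the two scenario paths differ only in naming style (`containerSecurityContext` versus `container_security_context`), so a reader cannot tell which policy each one covers. A doc comment distinguishing them would help, e.g. `// Test_validate_checkContainerSecurityContext exercises the examples/best_practices container security context policy against a resource that allows privilege escalation.`, which matches what the scenario file added in this commit points at. The `Test_validate_*` naming follows the file's existing convention, so that part is consistent.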


@ -0,0 +1,22 @@
# file path relative to project root
input:
policy: examples/best_practices/policy_validate_container_security_context.yaml
resource: examples/best_practices/resources/resource_validate_container_security_context.yaml
expected:
validation:
policyresponse:
policy: check-container-security-context
resource:
kind: Pod
apiVersion: v1
namespace: ''
name: check-container-security-context
rules:
- name: check-root-user
type: Validation
message: "Validation rule 'check-root-user' anyPattern[0] succesfully validated"
success: true
- name: check-privilege
type: Validation
message: "Validation rule 'check-privilege' failed at '/spec/containers/0/securityContext/allowPrivilegeEscalation/' for resource Pod//check-container-security-context. Privileged mode is not allowed. Set allowPrivilegeEscalatin and privileged to false"
success: false
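Review bot: The expected `message` strings on both rule entries hard-pin engine wording, including the misspelling `succesfully` in the check-root-user message and `allowPrivilegeEscalatin` copied from the policy, so a later spelling fix in the engine or the policy will break this scenario without any behavioural change. If the testrunner supports it, matching on the rule name plus `success`, or on a substring of the message, would make the fixture less brittle; otherwise a comment above `rules:` such as `# message text must match the engine output byte for byte` would at least explain the coupling. The `namespace: ''` entry is consistent with the resource declaring no namespace.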