From c80f9e0f9d7027f6d2962ca41391a3f237981c6f Mon Sep 17 00:00:00 2001
From: Shuting Zhao
Date: Mon, 7 Oct 2019 11:21:14 -0700
Subject: [PATCH] best_practice: sysctl
---
 .../policy_validate_disallow_sysctl.yaml | 20 +++++++++++++++++++
 .../resources/resource_disallow_sysctl.yaml | 16 +++++++++++++++
 pkg/testrunner/testrunner_test.go | 4 ++++
 .../scenario_validate_disallow_sysctl.yaml | 19 ++++++++++++++++++
 4 files changed, 59 insertions(+)
 create mode 100644 examples/best_practices/policy_validate_disallow_sysctl.yaml
 create mode 100644 examples/best_practices/resources/resource_disallow_sysctl.yaml
 create mode 100644 test/scenarios/test/scenario_validate_disallow_sysctl.yaml
diff --git a/examples/best_practices/policy_validate_disallow_sysctl.yaml b/examples/best_practices/policy_validate_disallow_sysctl.yaml
new file mode 100644
index 0000000000..0e0dfb7cb9
--- /dev/null
+++ b/examples/best_practices/policy_validate_disallow_sysctl.yaml
@@ -0,0 +1,20 @@
+apiVersion: kyverno.io/v1alpha1
+kind: ClusterPolicy
+metadata:
+ name: validate-allow-portrange-with-sysctl
+spec:
+ validationFailureAction: "audit"
+ rules:
+ - name: allow-portrange-with-sysctl
+ match:
+ resources:
+ kinds:
+ - Pod
+ validate:
+ message: "Allowed port range is from 1024 to 65535"
+ pattern:
+ spec:
+ securityContext:
+ sysctls:
+ - name: net.ipv4.ip_local_port_range
+ value: "1024 65535"
diff --git a/examples/best_practices/resources/resource_disallow_sysctl.yaml b/examples/best_practices/resources/resource_disallow_sysctl.yaml
new file mode 100644
index 0000000000..15e5464038
--- /dev/null
+++ b/examples/best_practices/resources/resource_disallow_sysctl.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: nginx
+ labels:
+ name: nginx
+spec:
+ containers:
+ - name: nginx
+ image: nginx
+ ports:
+ - containerPort: 80
+ securityContext:
+ sysctls:
+ - name: net.ipv4.ip_local_port_range
+ value: "50 65535"
\ No newline at end of file
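Review bot: The `pattern` under `spec.securityContext.sysctls` requires the `net.ipv4.ip_local_port_range` entry to be present with exactly the string `"1024 65535"`, so the rule does not express what its message says: a Pod that sets no sysctls at all, or one that sets a narrower range such as `"2000 3000"` (constructed example), is reported as a violation, while only the single literal value passes. If the intent is to constrain the port range only for Pods that opt into this sysctl, the list entry needs a conditional anchor on `name` and the `securityContext`/`sysctls` keys must be allowed to be absent; which anchor forms this `kyverno.io/v1alpha1` engine accepts I cannot confirm from the page. The naming also disagrees with itself — the file is `policy_validate_disallow_sysctl.yaml` but the rule is `allow-portrange-with-sysctl` — and with `validationFailureAction: "audit"` violations are only reported, not blocked, which the example does not say. A header comment on the policy would make the actual behaviour explicit, e.g. `# Audit only: a Pod that omits net.ipv4.ip_local_port_range, or sets any value other than "1024 65535", is reported.`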
diff --git a/pkg/testrunner/testrunner_test.go b/pkg/testrunner/testrunner_test.go
index 62874cc970..07dde46266 100644
--- a/pkg/testrunner/testrunner_test.go
+++ b/pkg/testrunner/testrunner_test.go
@@ -127,3 +127,7 @@ func Test_validate_proc_mount(t *testing.T) {
 func Test_validate_container_capabilities(t *testing.T) {
 testScenario(t, "test/scenarios/test/scenario_validate_container_capabilities.yaml")
 }
+
+func Test_validate_disallow_sysctl(t *testing.T) {
+ testScenario(t, "test/scenarios/test/scenario_validate_disallow_sysctl.yaml")
+}
diff --git a/test/scenarios/test/scenario_validate_disallow_sysctl.yaml b/test/scenarios/test/scenario_validate_disallow_sysctl.yaml
new file mode 100644
index 0000000000..8b22077e7a
--- /dev/null
+++ b/test/scenarios/test/scenario_validate_disallow_sysctl.yaml
@@ -0,0 +1,19 @@
+
+# file path relative to project root
+input:
+ policy: examples/best_practices/policy_validate_disallow_sysctl.yaml
+ resource: examples/best_practices/resources/resource_disallow_sysctl.yaml
+expected:
+ validation:
+ policyresponse:
+ policy: validate-allow-portrange-with-sysctl
+ resource:
+ kind: Pod
+ apiVersion: v1
+ namespace: ''
+ name: nginx
+ rules:
+ - name: allow-portrange-with-sysctl
+ type: Validation
+ message: "Validation rule 'allow-portrange-with-sysctl' failed at '/spec/securityContext/sysctls/0/value/' for resource Pod//nginx. Allowed port range is from 1024 to 65535"
+ success: false
\ No newline at end of file
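Review bot: The scenario exercises only the rejecting case (`value: "50 65535"` → `success: false`); nothing on the page checks that the policy accepts a compliant Pod or documents what happens to a Pod that sets no `sysctls` at all, which is the case most likely to surprise users of a pattern that requires the key. A second scenario, or a second resource in this one, with `value: "1024 65535"` expecting `success: true`, and one with no `securityContext` at all, would pin both behaviours; adding them is a change to the scenario file and the Go test wrapper, not to the engine. The expected `message` hard-codes the engine-generated path `/spec/securityContext/sysctls/0/value/` and the `Pod//nginx` identifier, so any change to that message format breaks this test; presumably the sibling scenarios do the same, so this is a note for the file header, e.g. `# expected.message is matched verbatim, including the generated JSON-pointer path`. The leading empty `+` line before the comment looks stray.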