fix: add pods/ephemeralcontainers to the generated VAPs (#10162)

* fix: add pods/ephemeralcontainers to the generated VAPs

Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>

* fix: remove an extra space

Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>

---------

Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>

pkg/validatingadmissionpolicy/builder.go

@@ -142,6 +142,13 @@ func constructValidatingAdmissionPolicyRules(discoveryClient dclient.IDiscovery,
 		}
 
 		for topLevelApi, apiResource := range gvrss {
+			var resources []string
+			resources = append(resources, apiResource.Name)
+			// if we have pods, we add pods/ephemeralcontainers by default
+			if apiResource.Name == "pods" {
+				resources = append(resources, "pods/ephemeralcontainers")
+			}
+
 			isNewRule := true
 			// If there's a rule that contains both group and version, then the resource is appended to the existing rule instead of creating a new one.
 			// Example:  apiGroups:   ["apps"]
@@ -150,7 +157,7 @@ func constructValidatingAdmissionPolicyRules(discoveryClient dclient.IDiscovery,
 			// Otherwise, a new rule is created.
 			for i := range *rules {
 				if slices.Contains((*rules)[i].APIGroups, topLevelApi.Group) && slices.Contains((*rules)[i].APIVersions, topLevelApi.Version) {
-					(*rules)[i].Resources = append((*rules)[i].Resources, apiResource.Name)
+					(*rules)[i].Resources = append((*rules)[i].Resources, resources...)
 					isNewRule = false
 					break
 				}
@@ -159,7 +166,7 @@ func constructValidatingAdmissionPolicyRules(discoveryClient dclient.IDiscovery,
 				r := admissionregistrationv1alpha1.NamedRuleWithOperations{
 					RuleWithOperations: admissionregistrationv1.RuleWithOperations{
 						Rule: admissionregistrationv1.Rule{
-							Resources:   []string{apiResource.Name},
+							Resources:   resources,
 							APIGroups:   []string{topLevelApi.Group},
 							APIVersions: []string{topLevelApi.Version},
 						},

test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/block-ephemeral-containers/README.md

@@ -0,0 +1,7 @@
+## Description
+
+This is a corner case test to ensure that "pods/ephemeralcontainers" are added in the match block of the ValidatingAdmissionPolicy.
+
+## Expected Behavior
+
+The test should pass if the "pods/ephemeralcontainers" are added in the match block of the ValidatingAdmissionPolicy. If not, the test fails. Moreover, a Pod is created and the policy should block the use of ephemeral containers.

test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/block-ephemeral-containers/chainsaw-test.yaml

@@ -0,0 +1,27 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  creationTimestamp: null
+  name: block-ephemeral-containers
+spec:
+  steps:
+  - name: step-01
+    try:
+    - apply:
+        file: policy.yaml
+    - assert:
+        file: policy-assert.yaml
+  - name: step-02
+    try:
+    - assert:
+        file: validatingadmissionpolicy.yaml
+    - assert:
+        file: validatingadmissionpolicybinding.yaml
+  - name: step-03
+    try:
+    - apply:
+        file: pod.yaml
+  - name: step-04
+    try:
+    - script:
+        content: if kubectl debug -it test-pod --image=busybox:1.35 --target=busybox; then exit 1; else exit 0; fi;

test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/block-ephemeral-containers/pod.yaml

@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: test-pod
+spec:
+  containers:
+  - name: busybox
+    image: busybox:1.35
+    command: ["sleep", "300"]

test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/block-ephemeral-containers/policy-assert.yaml

@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: block-ephemeral-containers
+status:
+  conditions:
+  - reason: Succeeded
+    status: "True"
+    type: Ready

test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/block-ephemeral-containers/policy.yaml

@@ -0,0 +1,19 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: block-ephemeral-containers
+spec:
+  validationFailureAction: Enforce
+  background: true
+  rules:
+  - name: block-ephemeral-containers
+    match:
+      any:
+      - resources:
+          kinds:
+            - Pod
+    validate:
+      cel:
+        expressions:
+          - expression: "!has(object.spec.ephemeralContainers)"
+            message: "Ephemeral (debug) containers are not permitted."

test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/block-ephemeral-containers/validatingadmissionpolicy.yaml

@@ -0,0 +1,27 @@
+apiVersion: admissionregistration.k8s.io/v1alpha1
+kind: ValidatingAdmissionPolicy
+metadata:
+  labels:
+    app.kubernetes.io/managed-by: kyverno
+  name: block-ephemeral-containers
+  ownerReferences:
+  - apiVersion: kyverno.io/v1
+    kind: ClusterPolicy
+    name: block-ephemeral-containers
+spec:
+  failurePolicy: Fail
+  matchConstraints:
+    resourceRules:
+    - apiGroups:
+      - ""
+      apiVersions:
+      - v1
+      operations:
+      - CREATE
+      - UPDATE
+      resources:
+      - pods
+      - pods/ephemeralcontainers
+  validations:
+  - expression: '!has(object.spec.ephemeralContainers)'
+    message: Ephemeral (debug) containers are not permitted.

test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/block-ephemeral-containers/validatingadmissionpolicybinding.yaml

@@ -0,0 +1,14 @@
+apiVersion: admissionregistration.k8s.io/v1alpha1
+kind: ValidatingAdmissionPolicyBinding
+metadata:
+  labels:
+    app.kubernetes.io/managed-by: kyverno
+  name: block-ephemeral-containers-binding
+  ownerReferences:
+  - apiVersion: kyverno.io/v1
+    kind: ClusterPolicy
+    name: block-ephemeral-containers
+spec:
+  policyName: block-ephemeral-containers
+  validationActions:
+  - Deny