From ce7e570268e797c9e5c5f28602fbe25d54ddf47d Mon Sep 17 00:00:00 2001
From: Mariam Fahmy <mariam.fahmy@nirmata.com>
Date: Fri, 2 Aug 2024 17:12:42 +0300
Subject: [PATCH] fix: set all operations by default in the generated VAP
 (#10100)

* fix: set all operations by default in the generated VAP

Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>

* fix chainsaw test

Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>

---------

Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>
---
 pkg/validatingadmissionpolicy/builder.go      |  2 +
 .../block-ephemeral-containers/policy.yaml    |  3 ++
 .../block-exec-in-pods/chainsaw-test.yaml     | 40 +++++++++++++++++++
 .../generate/block-exec-in-pods/ns.yaml       |  4 ++
 .../block-exec-in-pods/policy-assert.yaml     | 10 +++++
 .../generate/block-exec-in-pods/policy.yaml   | 22 ++++++++++
 .../validatingadmissionpolicy.yaml            | 32 +++++++++++++++
 .../validatingadmissionpolicybinding.yaml     | 14 +++++++
 .../policy.yaml                               |  3 ++
 .../policy.yaml                               |  3 ++
 .../chainsaw-test.yaml                        |  2 +-
 .../validatingadmissionpolicy.yaml            |  2 +
 12 files changed, 136 insertions(+), 1 deletion(-)
 create mode 100755 test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/block-exec-in-pods/chainsaw-test.yaml
 create mode 100644 test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/block-exec-in-pods/ns.yaml
 create mode 100644 test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/block-exec-in-pods/policy-assert.yaml
 create mode 100644 test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/block-exec-in-pods/policy.yaml
 create mode 100644 test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/block-exec-in-pods/validatingadmissionpolicy.yaml
 create mode 100644 test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/block-exec-in-pods/validatingadmissionpolicybinding.yaml

diff --git a/pkg/validatingadmissionpolicy/builder.go b/pkg/validatingadmissionpolicy/builder.go
index 8ae2e5b4c4..0db222233f 100644
--- a/pkg/validatingadmissionpolicy/builder.go
+++ b/pkg/validatingadmissionpolicy/builder.go
@@ -295,6 +295,8 @@ func translateOperations(operations []string) []admissionregistrationv1.Operatio
 	if len(vapOperations) == 0 {
 		vapOperations = append(vapOperations, admissionregistrationv1.Create)
 		vapOperations = append(vapOperations, admissionregistrationv1.Update)
+		vapOperations = append(vapOperations, admissionregistrationv1.Connect)
+		vapOperations = append(vapOperations, admissionregistrationv1.Delete)
 	}
 	return vapOperations
 }
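Review bot: With the two added appends, every generated VAP whose source rule omits `operations` now also matches CONNECT and DELETE, and in the admission request for a DELETE `object` is null, so any validation that dereferences `object` evaluates to an error and, under `failurePolicy: Fail`, denies the deletion; the cpol-match-kind-with-wildcard fixture at the end of this patch now expects exactly that combination with resources `'*'`. The test policies pinned to CREATE/UPDATE elsewhere in this commit appear to sidestep that, but existing user policies will not, so the intent deserves a comment on the `if`: `// No explicit operations: match every operation, mirroring the webhook default; validations that read object must tolerate null on DELETE.` The four appends could also collapse into one `vapOperations = append(vapOperations, admissionregistrationv1.Create, admissionregistrationv1.Update, admissionregistrationv1.Connect, admissionregistrationv1.Delete)`. translateOperations starts before this hunk.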
diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/block-ephemeral-containers/policy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/block-ephemeral-containers/policy.yaml
index 5c8e75ecdd..c5b4a5dcf9 100644
--- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/block-ephemeral-containers/policy.yaml
+++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/block-ephemeral-containers/policy.yaml
@@ -12,6 +12,9 @@ spec:
       - resources:
           kinds:
             - Pod
+          operations:
+            - CREATE
+            - UPDATE
     validate:
       cel:
         expressions:
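Review bot: The added `operations` pin carries no explanation, and the same bare pin is added to the cpol-any-exclude-namespace-match-resource and cpol-any-match-resources-by-names fixtures later in this patch. Since the commit changes what an omitted `operations` means, a reader cannot tell whether the pin is part of what the test asserts or a workaround for the new default; a one-line comment above it settles that, e.g. `# explicit on purpose: an empty list now generates CREATE, UPDATE, CONNECT and DELETE`. The enclosing rule and its validate block continue outside the hunk.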
diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/block-exec-in-pods/chainsaw-test.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/block-exec-in-pods/chainsaw-test.yaml
new file mode 100755
index 0000000000..81a3744572
--- /dev/null
+++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/block-exec-in-pods/chainsaw-test.yaml
@@ -0,0 +1,40 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  creationTimestamp: null
+  name: block-exec-in-pods
+spec:
+  steps:
+  - name: step-01
+    try:
+    - apply:
+        file: ns.yaml
+  - name: step-02
+    try:
+    - script:
+        content: kubectl run my-pod --image nginx -n pci
+  - name: step-03
+    try:
+    - apply:
+        file: policy.yaml
+    - assert:
+        file: policy-assert.yaml
+  - name: step-04
+    try:
+    - assert:
+        file: validatingadmissionpolicy.yaml
+    - assert:
+        file: validatingadmissionpolicybinding.yaml
+  - name: step-05
+    try:
+    - sleep:
+        duration: 3s
+  - name: step-06
+    try:
+    - script:
+        content: kubectl exec my-pod -n pci -- ls
+        check:  
+          ($error != null): true
+          # This check ensures the contents of stderr are exactly as shown.  
+          (trim_space($stderr)): |-
+            The pods "my-pod" is invalid: : ValidatingAdmissionPolicy 'deny-exec-by-namespace-name' with binding 'deny-exec-by-namespace-name-binding' denied request: Pods in this namespace may not be exec'd into.
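Review bot: `check:  ` in step-06 and the comment line below it end in trailing whitespace; it is harmless inside a block mapping but yamllint's `trailing-spaces` rule rejects it, so strip it. The stderr assertion is an exact match on the whole API server message, whose `The pods "my-pod" is invalid: :` prefix is owned by the API server rather than by this policy and may change between Kubernetes versions; if that proves brittle, asserting on the part this fixture controls, e.g. `(contains($stderr, 'denied request')): true`, keeps the test tied to the policy. The fixed `sleep: 3s` in step-05 is a timing assumption rather than a readiness check; it is presumably there to let the API server load the new policy, and a comment saying so would help the next person who sees it flake.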
diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/block-exec-in-pods/ns.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/block-exec-in-pods/ns.yaml
new file mode 100644
index 0000000000..9db0c1f7b1
--- /dev/null
+++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/block-exec-in-pods/ns.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: pci
diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/block-exec-in-pods/policy-assert.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/block-exec-in-pods/policy-assert.yaml
new file mode 100644
index 0000000000..b8c57dccac
--- /dev/null
+++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/block-exec-in-pods/policy-assert.yaml
@@ -0,0 +1,10 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: deny-exec-by-namespace-name
+status:
+  conditions:
+  - reason: Succeeded
+    status: "True"
+    type: Ready
+  
\ No newline at end of file
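Review bot: The fixture ends with a whitespace-only line (`  `) and no trailing newline; drop that line and end the file with a single newline so yamllint's `trailing-spaces` and `new-line-at-end-of-file` rules pass.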
diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/block-exec-in-pods/policy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/block-exec-in-pods/policy.yaml
new file mode 100644
index 0000000000..d0360162b3
--- /dev/null
+++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/block-exec-in-pods/policy.yaml
@@ -0,0 +1,22 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: deny-exec-by-namespace-name
+spec:
+  validationFailureAction: Enforce
+  background: false
+  rules:
+  - name: deny-exec-ns-pci
+    match:
+      any:
+      - resources:
+          kinds:
+          - Pod/exec
+    celPreconditions:
+      - name: "operation-should-be-connect"
+        expression: "request.operation == 'CONNECT'"
+    validate:
+      cel:
+        expressions:
+          - expression: "request.namespace != 'pci'"
+            message: Pods in this namespace may not be exec'd into.
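Review bot: Sequence indentation is mixed within this file: `rules:`, `any:` and `kinds:` use flush `- ` items while `celPreconditions:` and `expressions:` indent theirs by two spaces. Both forms are valid YAML, but yamllint's `indentation` rule flags the mix; pick one style for the new fixtures, e.g. `celPreconditions:` / `- name: "operation-should-be-connect"` / `  expression: "request.operation == 'CONNECT'"` to match the flush style used above it.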
diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/block-exec-in-pods/validatingadmissionpolicy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/block-exec-in-pods/validatingadmissionpolicy.yaml
new file mode 100644
index 0000000000..ba65372563
--- /dev/null
+++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/block-exec-in-pods/validatingadmissionpolicy.yaml
@@ -0,0 +1,32 @@
+apiVersion: admissionregistration.k8s.io/v1alpha1
+kind: ValidatingAdmissionPolicy
+metadata:
+  labels:
+    app.kubernetes.io/managed-by: kyverno
+  name: deny-exec-by-namespace-name
+  ownerReferences:
+  - apiVersion: kyverno.io/v1
+    kind: ClusterPolicy
+    name: deny-exec-by-namespace-name
+spec:
+  failurePolicy: Fail
+  matchConditions:
+  - expression: request.operation == 'CONNECT'
+    name: operation-should-be-connect
+  matchConstraints:
+    resourceRules:
+    - apiGroups:
+      - ""
+      apiVersions:
+      - v1
+      operations:
+      - CREATE
+      - UPDATE
+      - CONNECT
+      - DELETE
+      resources:
+      - pods/exec
+      scope: '*'
+  validations:
+  - expression: request.namespace != 'pci'
+    message: Pods in this namespace may not be exec'd into.
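Review bot: The expected `operations` list for `pods/exec` carries all four verbs although, as far as I know, admission reports the exec subresource only as CONNECT and the `matchConditions` entry already restricts to CONNECT; the list is correct as the builder's default output, but a reader of the fixture cannot tell that from the file. A comment above it would make the assertion self-explaining: `# builder default for a rule with no operations; in practice only CONNECT reaches pods/exec`.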
diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/block-exec-in-pods/validatingadmissionpolicybinding.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/block-exec-in-pods/validatingadmissionpolicybinding.yaml
new file mode 100644
index 0000000000..c383a3352d
--- /dev/null
+++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/block-exec-in-pods/validatingadmissionpolicybinding.yaml
@@ -0,0 +1,14 @@
+apiVersion: admissionregistration.k8s.io/v1alpha1
+kind: ValidatingAdmissionPolicyBinding
+metadata:
+  labels:
+    app.kubernetes.io/managed-by: kyverno
+  name: deny-exec-by-namespace-name-binding
+  ownerReferences:
+  - apiVersion: kyverno.io/v1
+    kind: ClusterPolicy
+    name: deny-exec-by-namespace-name
+spec:
+  policyName: deny-exec-by-namespace-name
+  validationActions:
+  - Deny
diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-exclude-namespace-match-resource/policy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-exclude-namespace-match-resource/policy.yaml
index 3d20b85f79..19387d48fb 100644
--- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-exclude-namespace-match-resource/policy.yaml
+++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-exclude-namespace-match-resource/policy.yaml
@@ -21,6 +21,9 @@ spec:
             namespaces:
             - testing-ns
             - staging-ns
+            operations:
+            - CREATE
+            - UPDATE
       validate:
         cel:
           expressions:
diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-match-resources-by-names/policy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-match-resources-by-names/policy.yaml
index cb3ffa2a32..bd9e09e469 100644
--- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-match-resources-by-names/policy.yaml
+++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-match-resources-by-names/policy.yaml
@@ -14,6 +14,9 @@ spec:
             - Deployment
             names: 
             - "staging"
+            operations:
+            - CREATE
+            - UPDATE
       validate:
         cel:
           expressions:
diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-match-all-exclude-one/chainsaw-test.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-match-all-exclude-one/chainsaw-test.yaml
index 46411c7d3f..72c489a06a 100755
--- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-match-all-exclude-one/chainsaw-test.yaml
+++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-match-all-exclude-one/chainsaw-test.yaml
@@ -2,7 +2,7 @@ apiVersion: chainsaw.kyverno.io/v1alpha1
 kind: Test
 metadata:
   creationTimestamp: null
-  name: cpol-match-kind-with-wildcard
+  name: cpol-match-all-exclude-one
 spec:
   steps:
   - name: step-01
diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-match-kind-with-wildcard/validatingadmissionpolicy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-match-kind-with-wildcard/validatingadmissionpolicy.yaml
index eb3a306bfc..577797a382 100644
--- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-match-kind-with-wildcard/validatingadmissionpolicy.yaml
+++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-match-kind-with-wildcard/validatingadmissionpolicy.yaml
@@ -26,6 +26,8 @@ spec:
       operations:
       - CREATE
       - UPDATE
+      - CONNECT
+      - DELETE
       resources:
       - '*'
   validations: