fix: remove duplicate chainsaw tests for PSA (#9835)
Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>
parent
283616ff63
commit
d8d6d89856
110 changed files with 0 additions and 2317 deletions
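--- a/<readme-path-not-on-page>
+++ /dev/null
@@ -1,7 +0,0 @@
-## Description
-
-This test ensures the PSS checks with the new advanced support on exclusions are applied to the resources successfully.
-
-## Expected Behavior
-
-Two pods (`good-pod` & `excluded-pod`) should be created as it follows the baseline:latest `Capabilities` PSS check and one pod (`bad-pod`) should not be created as it violate the baseline:latest `Capabilities` PSS check.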
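--- a/<dir-not-on-page>/bad-pod.yaml
+++ /dev/null
@@ -1,27 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
-name: bad-pod
-namespace: default
-spec:
-containers:
-- name: nginx1
-image: nginx
-args:
-- sleep
-- 1d
-securityContext:
-capabilities:
-add:
-- bar
-- baz
-initContainers:
-- name: nginx2
-image: nginx
-args:
-- sleep
-- 1d
-securityContext:
-capabilities:
-add:
-- baz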
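--- a/<chainsaw-test-path-not-on-page>
+++ /dev/null
@@ -1,24 +0,0 @@
-apiVersion: chainsaw.kyverno.io/v1alpha1
-kind: Test
-metadata:
-creationTimestamp: null
-name: test-exclusion-capabilities
-spec:
-steps:
-- name: step-01
-try:
-- apply:
-file: policy.yaml
-- assert:
-file: policy-assert.yaml
-- name: step-02
-try:
-- apply:
-expect:
-- check:
-($error != null): true
-file: bad-pod.yaml
-- apply:
-file: excluded-pod.yaml
-- apply:
-file: good-pod.yaml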
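--- a/<dir-not-on-page>/excluded-pod.yaml
+++ /dev/null
@@ -1,26 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
-name: excluded-pod
-namespace: default
-spec:
-containers:
-- name: nginx1
-image: nginx
-args:
-- sleep
-- 1d
-securityContext:
-capabilities:
-add:
-- foo
-initContainers:
-- name: nginx2
-image: nginx
-args:
-- sleep
-- 1d
-securityContext:
-capabilities:
-add:
-- baz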
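--- a/<dir-not-on-page>/good-pod.yaml
+++ /dev/null
@@ -1,26 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
-name: good-pod
-namespace: default
-spec:
-containers:
-- name: nginx1
-image: nginx
-args:
-- sleep
-- 1d
-securityContext:
-capabilities:
-add:
-- CHOWN
-initContainers:
-- name: nginx2
-image: nginx
-args:
-- sleep
-- 1d
-securityContext:
-capabilities:
-add:
-- FOWNER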
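--- a/<dir-not-on-page>/policy-assert.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
-name: test-exclusion-capabilities
-status:
-conditions:
-- reason: Succeeded
-status: "True"
-type: Ready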
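--- a/<dir-not-on-page>/policy.yaml
+++ /dev/null
@@ -1,31 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
-name: test-exclusion-capabilities
-spec:
-background: true
-validationFailureAction: Enforce
-rules:
-- name: test-exclusion-capabilities
-match:
-any:
-- resources:
-kinds:
-- Pod
-validate:
-podSecurity:
-level: baseline
-version: latest
-exclude:
-- controlName: "Capabilities"
-images:
-- nginx
-restrictedField: "spec.containers[*].securityContext.capabilities.add"
-values:
-- "foo"
-- controlName: "Capabilities"
-images:
-- nginx
-restrictedField: "spec.initContainers[*].securityContext.capabilities.add"
-values:
-- "baz"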
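--- a/<readme-path-not-on-page>
+++ /dev/null
@@ -1,7 +0,0 @@
-## Description
-
-This test ensures the PSS checks with the new advanced support on exclusions are applied to the resources successfully.
-
-## Expected Behavior
-
-Two pods (`good-pod` & `excluded-pod`) should be created as it follows the baseline:latest `Host Namespaces` PSS check and one pod (`bad-pod`) should not be created as it violate the baseline:latest `Host Namespaces` PSS check.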
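--- a/<dir-not-on-page>/bad-pod.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
-name: bad-pod
-namespace: default
-spec:
-hostPID: true
-containers:
-- name: nginx1
-image: nginx
-args:
-- sleep
-- 1d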
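--- a/<chainsaw-test-path-not-on-page>
+++ /dev/null
@@ -1,24 +0,0 @@
-apiVersion: chainsaw.kyverno.io/v1alpha1
-kind: Test
-metadata:
-creationTimestamp: null
-name: test-exclusion-host-namespaces
-spec:
-steps:
-- name: step-01
-try:
-- apply:
-file: policy.yaml
-- assert:
-file: policy-assert.yaml
-- name: step-02
-try:
-- apply:
-expect:
-- check:
-($error != null): true
-file: bad-pod.yaml
-- apply:
-file: excluded-pod.yaml
-- apply:
-file: good-pod.yaml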
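--- a/<dir-not-on-page>/excluded-pod.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
-name: excluded-pod
-namespace: default
-spec:
-hostNetwork: true
-containers:
-- name: nginx1
-image: nginx
-args:
-- sleep
-- 1d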
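--- a/<dir-not-on-page>/good-pod.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
-name: good-pod
-namespace: default
-spec:
-hostNetwork: false
-containers:
-- name: nginx1
-image: nginx
-args:
-- sleep
-- 1d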
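--- a/<dir-not-on-page>/policy-assert.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
-name: test-exclusion-host-namespaces
-status:
-conditions:
-- reason: Succeeded
-status: "True"
-type: Ready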
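--- a/<dir-not-on-page>/policy.yaml
+++ /dev/null
@@ -1,23 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
-name: test-exclusion-host-namespaces
-spec:
-background: true
-validationFailureAction: Enforce
-rules:
-- name: test-exclusion-host-namespaces
-match:
-any:
-- resources:
-kinds:
-- Pod
-validate:
-podSecurity:
-level: baseline
-version: latest
-exclude:
-- controlName: "Host Namespaces"
-restrictedField: "spec.hostNetwork"
-values:
-- "true"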
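--- a/<readme-path-not-on-page>
+++ /dev/null
@@ -1,7 +0,0 @@
-## Description
-
-This test ensures the PSS checks with the new advanced support on exclusions are applied to the resources successfully.
-
-## Expected Behavior
-
-Two pods (`good-pod` & `excluded-pod`) should be created as it follows the baseline:latest `Host Ports` PSS check and one pod (`bad-pod`) should not be created as it violate the baseline:latest `Host Ports` PSS check.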
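--- a/<dir-not-on-page>/bad-pod.yaml
+++ /dev/null
@@ -1,24 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
-name: bad-pod
-namespace: default
-spec:
-containers:
-- name: nginx1
-image: nginx
-args:
-- sleep
-- 1d
-ports:
-- hostPort: 20
-containerPort: 80
-initContainers:
-- name: nginx2
-image: nginx
-args:
-- sleep
-- 1d
-ports:
-- hostPort: 20
-containerPort: 80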
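--- a/<chainsaw-test-path-not-on-page>
+++ /dev/null
@@ -1,24 +0,0 @@
-apiVersion: chainsaw.kyverno.io/v1alpha1
-kind: Test
-metadata:
-creationTimestamp: null
-name: test-exclusion-host-ports
-spec:
-steps:
-- name: step-01
-try:
-- apply:
-file: policy.yaml
-- assert:
-file: policy-assert.yaml
-- name: step-02
-try:
-- apply:
-expect:
-- check:
-($error != null): true
-file: bad-pod.yaml
-- apply:
-file: excluded-pod.yaml
-- apply:
-file: good-pod.yaml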
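--- a/<dir-not-on-page>/excluded-pod.yaml
+++ /dev/null
@@ -1,24 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
-name: excluded-pod
-namespace: default
-spec:
-containers:
-- name: nginx1
-image: nginx
-args:
-- sleep
-- 1d
-ports:
-- hostPort: 10
-containerPort: 80
-initContainers:
-- name: nginx2
-image: nginx
-args:
-- sleep
-- 1d
-ports:
-- hostPort: 20
-containerPort: 80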
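--- a/<dir-not-on-page>/good-pod.yaml
+++ /dev/null
@@ -1,24 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
-name: good-pod
-namespace: default
-spec:
-containers:
-- name: nginx1
-image: nginx
-args:
-- sleep
-- 1d
-ports:
-- hostPort: 0
-containerPort: 80
-initContainers:
-- name: nginx2
-image: nginx
-args:
-- sleep
-- 1d
-ports:
-- hostPort: 0
-containerPort: 80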
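--- a/<dir-not-on-page>/policy-assert.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
-name: test-exclusion-host-ports
-status:
-conditions:
-- reason: Succeeded
-status: "True"
-type: Ready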
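--- a/<dir-not-on-page>/policy.yaml
+++ /dev/null
@@ -1,31 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
-name: test-exclusion-host-ports
-spec:
-background: true
-validationFailureAction: Enforce
-rules:
-- name: test-exclusion-host-ports
-match:
-any:
-- resources:
-kinds:
-- Pod
-validate:
-podSecurity:
-level: baseline
-version: latest
-exclude:
-- controlName: "Host Ports"
-images:
-- nginx
-restrictedField: "spec.containers[*].ports[*].hostPort"
-values:
-- "10"
-- controlName: "Host Ports"
-images:
-- nginx
-restrictedField: "spec.initContainers[*].ports[*].hostPort"
-values:
-- "20"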
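--- a/<readme-path-not-on-page>
+++ /dev/null
@@ -1,7 +0,0 @@
-## Description
-
-This test ensures the PSS checks with the new advanced support on exclusions are applied to the resources successfully.
-
-## Expected Behavior
-
-Two pods (`good-pod` & `excluded-pod`) should be created as it follows the baseline:latest `HostPath Volumes` PSS check.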
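--- a/<chainsaw-test-path-not-on-page>
+++ /dev/null
@@ -1,19 +0,0 @@
-apiVersion: chainsaw.kyverno.io/v1alpha1
-kind: Test
-metadata:
-creationTimestamp: null
-name: test-exclusion-hostpath-volume
-spec:
-steps:
-- name: step-01
-try:
-- apply:
-file: policy.yaml
-- assert:
-file: policy-assert.yaml
-- name: step-02
-try:
-- apply:
-file: excluded-pod.yaml
-- apply:
-file: good-pod.yaml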
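--- a/<dir-not-on-page>/excluded-pod.yaml
+++ /dev/null
@@ -1,16 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
-name: excluded-pod
-namespace: default
-spec:
-volumes:
-- name: host
-hostPath:
-path: /var/lib1
-containers:
-- name: nginx
-image: nginx
-args:
-- sleep
-- 1d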
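--- a/<dir-not-on-page>/good-pod.yaml
+++ /dev/null
@@ -1,12 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
-name: good-pod
-namespace: default
-spec:
-containers:
-- name: nginx
-image: nginx
-args:
-- sleep
-- 1d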
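--- a/<dir-not-on-page>/policy-assert.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
-name: test-exclusion-hostpath-volumes
-status:
-conditions:
-- reason: Succeeded
-status: "True"
-type: Ready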
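--- a/<dir-not-on-page>/policy.yaml
+++ /dev/null
@@ -1,23 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
-name: test-exclusion-hostpath-volumes
-spec:
-background: true
-validationFailureAction: Enforce
-rules:
-- name: test-exclusion-hostpath-volumes
-match:
-any:
-- resources:
-kinds:
-- Pod
-validate:
-podSecurity:
-level: baseline
-version: latest
-exclude:
-- controlName: "HostPath Volumes"
-restrictedField: "spec.volumes[*].hostPath"
-values:
-- "path"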
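--- a/<readme-path-not-on-page>
+++ /dev/null
@@ -1,7 +0,0 @@
-## Description
-
-This test ensures the PSS checks with the new advanced support on exclusions are applied to the resources successfully.
-
-## Expected Behavior
-
-Two pods (`good-pod` & `excluded-pod`) should be created as it follows the baseline:latest `HostProcesses` PSS check and one pod (`bad-pod`) should not be created as it violate the baseline:latest `HostProcesses` PSS check.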
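--- a/<dir-not-on-page>/bad-pod.yaml
+++ /dev/null
@@ -1,27 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
-name: bad-pod
-namespace: default
-spec:
-securityContext:
-windowsOptions:
-hostProcess: true
-containers:
-- name: nginx1
-image: nginx
-args:
-- sleep
-- 1d
-securityContext:
-windowsOptions:
-hostProcess: true
-initContainers:
-- name: nginx2
-image: nginx
-args:
-- sleep
-- 1d
-securityContext:
-windowsOptions:
-hostProcess: true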
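--- a/<chainsaw-test-path-not-on-page>
+++ /dev/null
@@ -1,24 +0,0 @@
-apiVersion: chainsaw.kyverno.io/v1alpha1
-kind: Test
-metadata:
-creationTimestamp: null
-name: test-exclusion-hostprocesses
-spec:
-steps:
-- name: step-01
-try:
-- apply:
-file: policy.yaml
-- assert:
-file: policy-assert.yaml
-- name: step-02
-try:
-- apply:
-expect:
-- check:
-($error != null): true
-file: bad-pod.yaml
-- apply:
-file: excluded-pod.yaml
-- apply:
-file: good-pod.yaml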
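--- a/<dir-not-on-page>/excluded-pod.yaml
+++ /dev/null
@@ -1,28 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
-name: excluded-pod
-namespace: default
-spec:
-hostNetwork: true
-securityContext:
-windowsOptions:
-hostProcess: true
-containers:
-- name: nginx1
-image: nginx
-args:
-- sleep
-- 1d
-securityContext:
-windowsOptions:
-hostProcess: true
-initContainers:
-- name: nginx2
-image: nginx
-args:
-- sleep
-- 1d
-securityContext:
-windowsOptions:
-hostProcess: true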
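--- a/<dir-not-on-page>/good-pod.yaml
+++ /dev/null
@@ -1,27 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
-name: good-pod
-namespace: default
-spec:
-securityContext:
-windowsOptions:
-hostProcess: false
-containers:
-- name: nginx1
-image: nginx
-args:
-- sleep
-- 1d
-securityContext:
-windowsOptions:
-hostProcess: false
-initContainers:
-- name: nginx2
-image: nginx
-args:
-- sleep
-- 1d
-securityContext:
-windowsOptions:
-hostProcess: false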
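--- a/<dir-not-on-page>/policy-assert.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
-name: test-exclusion-hostprocess
-status:
-conditions:
-- reason: Succeeded
-status: "True"
-type: Ready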
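--- a/<dir-not-on-page>/policy.yaml
+++ /dev/null
@@ -1,39 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
-name: test-exclusion-hostprocess
-spec:
-background: true
-validationFailureAction: Enforce
-rules:
-- name: test-exclusion-hostprocess
-match:
-any:
-- resources:
-kinds:
-- Pod
-validate:
-podSecurity:
-level: baseline
-version: latest
-exclude:
-- controlName: "Host Namespaces"
-restrictedField: "spec.hostNetwork"
-values:
-- "true"
-- controlName: "HostProcess"
-restrictedField: "spec.securityContext.windowsOptions.hostProcess"
-values:
-- "true"
-- controlName: "HostProcess"
-images:
-- nginx
-restrictedField: "spec.containers[*].securityContext.windowsOptions.hostProcess"
-values:
-- "true"
-- controlName: "HostProcess"
-images:
-- nginx
-restrictedField: "spec.initContainers[*].securityContext.windowsOptions.hostProcess"
-values:
-- "true"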
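--- a/<readme-path-not-on-page>
+++ /dev/null
@@ -1,7 +0,0 @@
-## Description
-
-This test ensures the PSS checks with the new advanced support on exclusions are applied to the resources successfully.
-
-## Expected Behavior
-
-Two pods (`good-pod` & `excluded-pod`) should be created as it follows the restricted:latest `Privilege Escalation` PSS check and one pod (`bad-pod`) should not be created as it violate the restricted:latest `Privilege Escalation` PSS check.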
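--- a/<dir-not-on-page>/bad-pod.yaml
+++ /dev/null
@@ -1,32 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
-name: bad-pod
-namespace: default
-spec:
-containers:
-- name: nginx1
-image: nginx
-args:
-- sleep
-- 1d
-securityContext:
-seccompProfile:
-type: RuntimeDefault
-runAsNonRoot: true
-capabilities:
-drop:
-- ALL
-initContainers:
-- name: nginx2
-image: nginx
-args:
-- sleep
-- 1d
-securityContext:
-seccompProfile:
-type: RuntimeDefault
-runAsNonRoot: true
-capabilities:
-drop:
-- ALL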
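--- a/<chainsaw-test-path-not-on-page>
+++ /dev/null
@@ -1,24 +0,0 @@
-apiVersion: chainsaw.kyverno.io/v1alpha1
-kind: Test
-metadata:
-creationTimestamp: null
-name: test-exclusion-privilege-escalation
-spec:
-steps:
-- name: step-01
-try:
-- apply:
-file: policy.yaml
-- assert:
-file: policy-assert.yaml
-- name: step-02
-try:
-- apply:
-expect:
-- check:
-($error != null): true
-file: bad-pod.yaml
-- apply:
-file: excluded-pod.yaml
-- apply:
-file: good-pod.yaml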
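--- a/<dir-not-on-page>/excluded-pod.yaml
+++ /dev/null
@@ -1,34 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
-name: excluded-pod
-namespace: default
-spec:
-containers:
-- name: nginx1
-image: nginx
-args:
-- sleep
-- 1d
-securityContext:
-seccompProfile:
-type: RuntimeDefault
-runAsNonRoot: true
-allowPrivilegeEscalation: true
-capabilities:
-drop:
-- ALL
-initContainers:
-- name: nginx2
-image: nginx
-args:
-- sleep
-- 1d
-securityContext:
-seccompProfile:
-type: RuntimeDefault
-runAsNonRoot: true
-allowPrivilegeEscalation: true
-capabilities:
-drop:
-- ALL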
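--- a/<dir-not-on-page>/good-pod.yaml
+++ /dev/null
@@ -1,34 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
-name: good-pod
-namespace: default
-spec:
-containers:
-- name: nginx1
-image: nginx
-args:
-- sleep
-- 1d
-securityContext:
-seccompProfile:
-type: RuntimeDefault
-runAsNonRoot: true
-allowPrivilegeEscalation: false
-capabilities:
-drop:
-- ALL
-initContainers:
-- name: nginx2
-image: nginx
-args:
-- sleep
-- 1d
-securityContext:
-seccompProfile:
-type: RuntimeDefault
-runAsNonRoot: true
-allowPrivilegeEscalation: false
-capabilities:
-drop:
-- ALL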
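--- a/<dir-not-on-page>/policy-assert.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
-name: test-exclusion-privilege-escalation
-status:
-conditions:
-- reason: Succeeded
-status: "True"
-type: Ready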
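--- a/<dir-not-on-page>/policy.yaml
+++ /dev/null
@@ -1,31 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
-name: test-exclusion-privilege-escalation
-spec:
-background: true
-validationFailureAction: Enforce
-rules:
-- name: test-exclusion-privilege-escalation
-match:
-any:
-- resources:
-kinds:
-- Pod
-validate:
-podSecurity:
-level: restricted
-version: latest
-exclude:
-- controlName: "Privilege Escalation"
-images:
-- nginx
-restrictedField: "spec.containers[*].securityContext.allowPrivilegeEscalation"
-values:
-- "true"
-- controlName: "Privilege Escalation"
-images:
-- nginx
-restrictedField: "spec.initContainers[*].securityContext.allowPrivilegeEscalation"
-values:
-- "true"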
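--- a/<readme-path-not-on-page>
+++ /dev/null
@@ -1,7 +0,0 @@
-## Description
-
-This test ensures the PSS checks with the new advanced support on exclusions are applied to the resources successfully.
-
-## Expected Behavior
-
-Two pods (`good-pod` & `excluded-pod`) should be created as it follows the baseline:latest `Privileged Containers` PSS check.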
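--- a/<chainsaw-test-path-not-on-page>
+++ /dev/null
@@ -1,19 +0,0 @@
-apiVersion: chainsaw.kyverno.io/v1alpha1
-kind: Test
-metadata:
-creationTimestamp: null
-name: test-exclusion-privileged-containers
-spec:
-steps:
-- name: step-01
-try:
-- apply:
-file: policy.yaml
-- assert:
-file: policy-assert.yaml
-- name: step-02
-try:
-- apply:
-file: excluded-pod.yaml
-- apply:
-file: good-pod.yaml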
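--- a/<dir-not-on-page>/excluded-pod.yaml
+++ /dev/null
@@ -1,22 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
-name: excluded-pod
-namespace: default
-spec:
-containers:
-- name: nginx1
-image: nginx
-args:
-- sleep
-- 1d
-securityContext:
-privileged: true
-initContainers:
-- name: nginx2
-image: nginx
-args:
-- sleep
-- 1d
-securityContext:
-privileged: true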
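--- a/<dir-not-on-page>/good-pod.yaml
+++ /dev/null
@@ -1,23 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
-name: good-pod
-namespace: default
-spec:
-containers:
-- name: nginx1
-image: nginx
-args:
-- sleep
-- 1d
-securityContext:
-privileged: false
-initContainers:
-- name: nginx2
-image: nginx
-args:
-- sleep
-- 1d
-securityContext:
-windowsOptions:
-hostProcess: false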
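--- a/<dir-not-on-page>/policy-assert.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
-name: test-exclusion-privileged-containers
-status:
-conditions:
-- reason: Succeeded
-status: "True"
-type: Ready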
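--- a/<dir-not-on-page>/policy.yaml
+++ /dev/null
@@ -1,31 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
-name: test-exclusion-privileged-containers
-spec:
-background: true
-validationFailureAction: Enforce
-rules:
-- name: test-exclusion-privileged-containers
-match:
-any:
-- resources:
-kinds:
-- Pod
-validate:
-podSecurity:
-level: baseline
-version: latest
-exclude:
-- controlName: "Privileged Containers"
-images:
-- nginx
-restrictedField: "spec.containers[*].securityContext.privileged"
-values:
-- "true"
-- controlName: "Privileged Containers"
-images:
-- nginx
-restrictedField: "spec.initContainers[*].securityContext.privileged"
-values:
-- "true"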
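--- a/<readme-path-not-on-page>
+++ /dev/null
@@ -1,7 +0,0 @@
-## Description
-
-This test ensures the PSS checks with the new advanced support on exclusions are applied to the resources successfully.
-
-## Expected Behavior
-
-Two pods (`good-pod` & `excluded-pod`) should be created as it follows the baseline:latest `/proc MountType` PSS check and one pod (`bad-pod`) should not be created as it violate the baseline:latest `/proc MountType` PSS check.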
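--- a/<dir-not-on-page>/bad-pod.yaml
+++ /dev/null
@@ -1,22 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
-name: bad-pod
-namespace: default
-spec:
-containers:
-- name: nginx1
-image: nginx
-args:
-- sleep
-- 1d
-securityContext:
-procMount: unknown
-initContainers:
-- name: nginx1
-image: nginx
-args:
-- sleep
-- 1d
-securityContext:
-procMount: other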
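--- a/<chainsaw-test-path-not-on-page>
+++ /dev/null
@@ -1,24 +0,0 @@
-apiVersion: chainsaw.kyverno.io/v1alpha1
-kind: Test
-metadata:
-creationTimestamp: null
-name: test-exclusion-procmount
-spec:
-steps:
-- name: step-01
-try:
-- apply:
-file: policy.yaml
-- assert:
-file: policy-assert.yaml
-- name: step-02
-try:
-- apply:
-expect:
-- check:
-($error != null): true
-file: bad-pod.yaml
-- apply:
-file: excluded-pod.yaml
-- apply:
-file: good-pod.yaml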
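--- a/<dir-not-on-page>/excluded-pod.yaml
+++ /dev/null
@@ -1,22 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
-name: excluded-pod
-namespace: default
-spec:
-containers:
-- name: nginx1
-image: nginx
-args:
-- sleep
-- 1d
-securityContext:
-procMount: foo
-initContainers:
-- name: nginx2
-image: nginx
-args:
-- sleep
-- 1d
-securityContext:
-procMount: bar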
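--- a/<dir-not-on-page>/good-pod.yaml
+++ /dev/null
@@ -1,22 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
-name: good-pod
-namespace: default
-spec:
-containers:
-- name: nginx1
-image: nginx
-args:
-- sleep
-- 1d
-securityContext:
-procMount: default
-initContainers:
-- name: nginx2
-image: nginx
-args:
-- sleep
-- 1d
-securityContext:
-procMount: default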
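--- a/<dir-not-on-page>/policy-assert.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
-name: test-exclusion-procmount
-status:
-conditions:
-- reason: Succeeded
-status: "True"
-type: Ready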
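--- a/<dir-not-on-page>/policy.yaml
+++ /dev/null
@@ -1,31 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
-name: test-exclusion-procmount
-spec:
-background: true
-validationFailureAction: Enforce
-rules:
-- name: test-exclusion-procmount
-match:
-any:
-- resources:
-kinds:
-- Pod
-validate:
-podSecurity:
-level: baseline
-version: latest
-exclude:
-- controlName: "/proc Mount Type"
-images:
-- nginx
-restrictedField: "spec.containers[*].securityContext.procMount"
-values:
-- "foo"
-- controlName: "/proc Mount Type"
-images:
-- nginx
-restrictedField: "spec.initContainers[*].securityContext.procMount"
-values:
-- "bar"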
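--- a/<readme-path-not-on-page>
+++ /dev/null
@@ -1,7 +0,0 @@
-## Description
-
-This test ensures the PSS checks with the new advanced support on exclusions are applied to the resources successfully.
-
-## Expected Behavior
-
-Two pods (`good-pod` & `excluded-pod`) should be created as it follows the restricted:latest `Capabilities` PSS check and one pod (`bad-pod`) should not be created as it violate the restricted:latest `Capabilities` PSS check.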
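--- a/<dir-not-on-page>/bad-pod.yaml
+++ /dev/null
@@ -1,38 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
-name: bad-pod
-namespace: default
-spec:
-containers:
-- name: nginx1
-image: nginx
-args:
-- sleep
-- 1d
-securityContext:
-seccompProfile:
-type: RuntimeDefault
-runAsNonRoot: true
-allowPrivilegeEscalation: false
-capabilities:
-drop:
-- ALL
-add:
-- bar
-initContainers:
-- name: nginx2
-image: nginx
-args:
-- sleep
-- 1d
-securityContext:
-seccompProfile:
-type: RuntimeDefault
-runAsNonRoot: true
-allowPrivilegeEscalation: false
-capabilities:
-drop:
-- ALL
-add:
-- baz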
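--- a/<chainsaw-test-path-not-on-page>
+++ /dev/null
@@ -1,24 +0,0 @@
-apiVersion: chainsaw.kyverno.io/v1alpha1
-kind: Test
-metadata:
-creationTimestamp: null
-name: test-exclusion-restricted-capabilities
-spec:
-steps:
-- name: step-01
-try:
-- apply:
-file: policy.yaml
-- assert:
-file: policy-assert.yaml
-- name: step-02
-try:
-- apply:
-expect:
-- check:
-($error != null): true
-file: bad-pod.yaml
-- apply:
-file: excluded-pod.yaml
-- apply:
-file: good-pod.yaml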
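--- a/<dir-not-on-page>/excluded-pod.yaml
+++ /dev/null
@@ -1,38 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
-name: excluded-pod
-namespace: default
-spec:
-containers:
-- name: nginx1
-image: nginx
-args:
-- sleep
-- 1d
-securityContext:
-seccompProfile:
-type: RuntimeDefault
-runAsNonRoot: true
-allowPrivilegeEscalation: false
-capabilities:
-drop:
-- ALL
-add:
-- foo
-initContainers:
-- name: nginx2
-image: nginx
-args:
-- sleep
-- 1d
-securityContext:
-seccompProfile:
-type: RuntimeDefault
-runAsNonRoot: true
-allowPrivilegeEscalation: false
-capabilities:
-drop:
-- ALL
-add:
-- baz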
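--- a/<dir-not-on-page>/good-pod.yaml
+++ /dev/null
@@ -1,36 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
-name: good-pod
-namespace: default
-spec:
-containers:
-- name: nginx1
-image: nginx
-args:
-- sleep
-- 1d
-securityContext:
-seccompProfile:
-type: RuntimeDefault
-runAsNonRoot: true
-allowPrivilegeEscalation: false
-capabilities:
-drop:
-- ALL
-add:
-- NET_BIND_SERVICE
-initContainers:
-- name: nginx2
-image: nginx
-args:
-- sleep
-- 1d
-securityContext:
-seccompProfile:
-type: RuntimeDefault
-runAsNonRoot: true
-allowPrivilegeEscalation: false
-capabilities:
-drop:
-- ALL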
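--- a/<dir-not-on-page>/policy-assert.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
-name: test-exclusion-restricted-capabilities
-status:
-conditions:
-- reason: Succeeded
-status: "True"
-type: Ready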
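--- a/<dir-not-on-page>/policy.yaml
+++ /dev/null
@@ -1,31 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
-name: test-exclusion-restricted-capabilities
-spec:
-background: true
-validationFailureAction: Enforce
-rules:
-- name: test-exclusion-restricted-capabilities
-match:
-any:
-- resources:
-kinds:
-- Pod
-validate:
-podSecurity:
-level: restricted
-version: latest
-exclude:
-- controlName: "Capabilities"
-images:
-- nginx
-restrictedField: "spec.containers[*].securityContext.capabilities.add"
-values:
-- "foo"
-- controlName: "Capabilities"
-images:
-- nginx
-restrictedField: "spec.initContainers[*].securityContext.capabilities.add"
-values:
-- "baz"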
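--- a/<readme-path-not-on-page>
+++ /dev/null
@@ -1,7 +0,0 @@
-## Description
-
-This test ensures the PSS checks with the new advanced support on exclusions are applied to the resources successfully.
-
-## Expected Behavior
-
-Two pods (`good-pod` & `excluded-pod`) should be created as it follows the restricted:latest `Seccomp` PSS check and one pod (`bad-pod`) should not be created as it violate the restricted:latest `Seccomp` PSS check.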
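--- a/<dir-not-on-page>/bad-pod.yaml
+++ /dev/null
@@ -1,37 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
-name: bad-pod
-namespace: default
-spec:
-securityContext:
-seccompProfile:
-type: foo
-containers:
-- name: nginx1
-image: nginx
-args:
-- sleep
-- 1d
-securityContext:
-seccompProfile:
-type: baz
-runAsNonRoot: true
-allowPrivilegeEscalation: false
-capabilities:
-drop:
-- ALL
-initContainers:
-- name: nginx2
-image: nginx
-args:
-- sleep
-- 1d
-securityContext:
-seccompProfile:
-type: Localhost
-runAsNonRoot: true
-allowPrivilegeEscalation: false
-capabilities:
-drop:
-- ALL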
@ -1,24 +0,0 @@
|
|||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||
kind: Test
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: test-exclusion-restricted-seccomp
|
||||
spec:
|
||||
steps:
|
||||
- name: step-01
|
||||
try:
|
||||
- apply:
|
||||
file: policy.yaml
|
||||
- assert:
|
||||
file: policy-assert.yaml
|
||||
- name: step-02
|
||||
try:
|
||||
- apply:
|
||||
expect:
|
||||
- check:
|
||||
($error != null): true
|
||||
file: bad-pod.yaml
|
||||
- apply:
|
||||
file: excluded-pod.yaml
|
||||
- apply:
|
||||
file: good-pod.yaml
|
|
@ -1,37 +0,0 @@
|
|||
apiVersion: v1
|
||||
kind: Pod
|
||||
metadata:
|
||||
name: excluded-pod
|
||||
namespace: default
|
||||
spec:
|
||||
securityContext:
|
||||
seccompProfile:
|
||||
type: Unconfined
|
||||
containers:
|
||||
- name: nginx1
|
||||
image: nginx
|
||||
args:
|
||||
- sleep
|
||||
- 1d
|
||||
securityContext:
|
||||
seccompProfile:
|
||||
type: Unconfined
|
||||
runAsNonRoot: true
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
initContainers:
|
||||
- name: nginx2
|
||||
image: nginx
|
||||
args:
|
||||
- sleep
|
||||
- 1d
|
||||
securityContext:
|
||||
seccompProfile:
|
||||
type: Unconfined
|
||||
runAsNonRoot: true
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
|
@ -1,37 +0,0 @@
|
|||
apiVersion: v1
|
||||
kind: Pod
|
||||
metadata:
|
||||
name: good-pod
|
||||
namespace: default
|
||||
spec:
|
||||
securityContext:
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
containers:
|
||||
- name: nginx1
|
||||
image: nginx
|
||||
args:
|
||||
- sleep
|
||||
- 1d
|
||||
securityContext:
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
runAsNonRoot: true
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
initContainers:
|
||||
- name: nginx2
|
||||
image: nginx
|
||||
args:
|
||||
- sleep
|
||||
- 1d
|
||||
securityContext:
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
runAsNonRoot: true
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
|
@ -1,9 +0,0 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: test-exclusion-restricted-seccomp
|
||||
status:
|
||||
conditions:
|
||||
- reason: Succeeded
|
||||
status: "True"
|
||||
type: Ready
|
|
@ -1,35 +0,0 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: test-exclusion-restricted-seccomp
|
||||
spec:
|
||||
background: true
|
||||
validationFailureAction: Enforce
|
||||
rules:
|
||||
- name: test-exclusion-restricted-seccomp
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- Pod
|
||||
validate:
|
||||
podSecurity:
|
||||
level: restricted
|
||||
version: latest
|
||||
exclude:
|
||||
- controlName: "Seccomp"
|
||||
restrictedField: "spec.securityContext.seccompProfile.type"
|
||||
values:
|
||||
- "Unconfined"
|
||||
- controlName: "Seccomp"
|
||||
images:
|
||||
- nginx
|
||||
restrictedField: "spec.containers[*].securityContext.seccompProfile.type"
|
||||
values:
|
||||
- "Unconfined"
|
||||
- controlName: "Seccomp"
|
||||
images:
|
||||
- nginx
|
||||
restrictedField: "spec.initContainers[*].securityContext.seccompProfile.type"
|
||||
values:
|
||||
- "Unconfined"
|
|
@ -1,7 +0,0 @@
|
|||
## Description
|
||||
|
||||
This test ensures the PSS checks with the new advanced support on exclusions are applied to the resources successfully.
|
||||
|
||||
## Expected Behavior
|
||||
|
||||
Two pods (`good-pod` & `excluded-pod`) should be created as it follows the restricted:latest `Running as Non-root User` PSS check and one pod (`bad-pod`) should not be created as it violate the restricted:latest `Running as Non-root User` PSS check.
|
|
@ -1,36 +0,0 @@
|
|||
apiVersion: v1
|
||||
kind: Pod
|
||||
metadata:
|
||||
name: bad-pod
|
||||
namespace: default
|
||||
spec:
|
||||
containers:
|
||||
- name: nginx1
|
||||
image: nginx
|
||||
args:
|
||||
- sleep
|
||||
- 1d
|
||||
securityContext:
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
runAsNonRoot: true
|
||||
runAsUser: 1
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
initContainers:
|
||||
- name: nginx2
|
||||
image: nginx
|
||||
args:
|
||||
- sleep
|
||||
- 1d
|
||||
securityContext:
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
runAsNonRoot: true
|
||||
runAsUser: 0
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
|
@ -1,24 +0,0 @@
|
|||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||
kind: Test
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: test-exclusion-running-as-nonroot-user
|
||||
spec:
|
||||
steps:
|
||||
- name: step-01
|
||||
try:
|
||||
- apply:
|
||||
file: policy.yaml
|
||||
- assert:
|
||||
file: policy-assert.yaml
|
||||
- name: step-02
|
||||
try:
|
||||
- apply:
|
||||
expect:
|
||||
- check:
|
||||
($error != null): true
|
||||
file: bad-pod.yaml
|
||||
- apply:
|
||||
file: excluded-pod.yaml
|
||||
- apply:
|
||||
file: good-pod.yaml
|
|
@ -1,36 +0,0 @@
|
|||
apiVersion: v1
|
||||
kind: Pod
|
||||
metadata:
|
||||
name: excluded-pod
|
||||
namespace: default
|
||||
spec:
|
||||
containers:
|
||||
- name: nginx1
|
||||
image: nginx
|
||||
args:
|
||||
- sleep
|
||||
- 1d
|
||||
securityContext:
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
runAsNonRoot: true
|
||||
runAsUser: 0
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
initContainers:
|
||||
- name: nginx2
|
||||
image: nginx
|
||||
args:
|
||||
- sleep
|
||||
- 1d
|
||||
securityContext:
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
runAsNonRoot: true
|
||||
runAsUser: 10
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
|
@ -1,36 +0,0 @@
|
|||
apiVersion: v1
|
||||
kind: Pod
|
||||
metadata:
|
||||
name: good-pod
|
||||
namespace: default
|
||||
spec:
|
||||
containers:
|
||||
- name: nginx1
|
||||
image: nginx
|
||||
args:
|
||||
- sleep
|
||||
- 1d
|
||||
securityContext:
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
runAsNonRoot: true
|
||||
runAsUser: 1
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
initContainers:
|
||||
- name: nginx2
|
||||
image: nginx
|
||||
args:
|
||||
- sleep
|
||||
- 1d
|
||||
securityContext:
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
runAsNonRoot: true
|
||||
runAsUser: 1000
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
|
@ -1,9 +0,0 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: test-exclusion-running-as-non-root-user
|
||||
status:
|
||||
conditions:
|
||||
- reason: Succeeded
|
||||
status: "True"
|
||||
type: Ready
|
|
@ -1,29 +0,0 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: test-exclusion-running-as-non-root-user
|
||||
spec:
|
||||
background: true
|
||||
validationFailureAction: Enforce
|
||||
rules:
|
||||
- name: test-exclusion-running-as-non-root-user
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- Pod
|
||||
validate:
|
||||
podSecurity:
|
||||
level: restricted
|
||||
version: latest
|
||||
exclude:
|
||||
- controlName: "Running as Non-root user"
|
||||
restrictedField: "spec.securityContext.runAsUser"
|
||||
values:
|
||||
- "0"
|
||||
- controlName: "Running as Non-root user"
|
||||
images:
|
||||
- nginx
|
||||
restrictedField: "spec.containers[*].securityContext.runAsUser"
|
||||
values:
|
||||
- "0"
|
|
@ -1,7 +0,0 @@
|
|||
## Description
|
||||
|
||||
This test ensures the PSS checks with the new advanced support on exclusions are applied to the resources successfully.
|
||||
|
||||
## Expected Behavior
|
||||
|
||||
Two pods (`good-pod` & `excluded-pod`) should be created as it follows the restricted:latest `Running as Non-root` PSS check and one pod (`bad-pod`) should not be created as it violate the restricted:latest `Running as Non-root` PSS check.
|
|
@ -1,34 +0,0 @@
|
|||
apiVersion: v1
|
||||
kind: Pod
|
||||
metadata:
|
||||
name: bad-pod
|
||||
namespace: default
|
||||
spec:
|
||||
containers:
|
||||
- name: nginx1
|
||||
image: nginx
|
||||
args:
|
||||
- sleep
|
||||
- 1d
|
||||
securityContext:
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
runAsNonRoot: true
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
initContainers:
|
||||
- name: nginx2
|
||||
image: nginx
|
||||
args:
|
||||
- sleep
|
||||
- 1d
|
||||
securityContext:
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
runAsNonRoot: false
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
|
@ -1,24 +0,0 @@
|
|||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||
kind: Test
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: test-exclusion-running-as-nonroot
|
||||
spec:
|
||||
steps:
|
||||
- name: step-01
|
||||
try:
|
||||
- apply:
|
||||
file: policy.yaml
|
||||
- assert:
|
||||
file: policy-assert.yaml
|
||||
- name: step-02
|
||||
try:
|
||||
- apply:
|
||||
expect:
|
||||
- check:
|
||||
($error != null): true
|
||||
file: bad-pod.yaml
|
||||
- apply:
|
||||
file: excluded-pod.yaml
|
||||
- apply:
|
||||
file: good-pod.yaml
|
|
@ -1,34 +0,0 @@
|
|||
apiVersion: v1
|
||||
kind: Pod
|
||||
metadata:
|
||||
name: excluded-pod
|
||||
namespace: default
|
||||
spec:
|
||||
containers:
|
||||
- name: nginx1
|
||||
image: nginx
|
||||
args:
|
||||
- sleep
|
||||
- 1d
|
||||
securityContext:
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
runAsNonRoot: false
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
initContainers:
|
||||
- name: nginx2
|
||||
image: nginx
|
||||
args:
|
||||
- sleep
|
||||
- 1d
|
||||
securityContext:
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
runAsNonRoot: true
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
|
@ -1,34 +0,0 @@
|
|||
apiVersion: v1
|
||||
kind: Pod
|
||||
metadata:
|
||||
name: good-pod
|
||||
namespace: default
|
||||
spec:
|
||||
containers:
|
||||
- name: nginx1
|
||||
image: nginx
|
||||
args:
|
||||
- sleep
|
||||
- 1d
|
||||
securityContext:
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
runAsNonRoot: true
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
initContainers:
|
||||
- name: nginx2
|
||||
image: nginx
|
||||
args:
|
||||
- sleep
|
||||
- 1d
|
||||
securityContext:
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
runAsNonRoot: true
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
|
@ -1,9 +0,0 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: test-exclusion-running-as-non-root
|
||||
status:
|
||||
conditions:
|
||||
- reason: Succeeded
|
||||
status: "True"
|
||||
type: Ready
|
|
@ -1,29 +0,0 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: test-exclusion-running-as-non-root
|
||||
spec:
|
||||
background: true
|
||||
validationFailureAction: Enforce
|
||||
rules:
|
||||
- name: test-exclusion-running-as-non-root
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- Pod
|
||||
validate:
|
||||
podSecurity:
|
||||
level: restricted
|
||||
version: latest
|
||||
exclude:
|
||||
- controlName: "Running as Non-root"
|
||||
restrictedField: "spec.securityContext.runAsNonRoot"
|
||||
values:
|
||||
- "false"
|
||||
- controlName: "Running as Non-root"
|
||||
images:
|
||||
- nginx
|
||||
restrictedField: "spec.containers[*].securityContext.runAsNonRoot"
|
||||
values:
|
||||
- "false"
|
|
@ -1,7 +0,0 @@
|
|||
## Description
|
||||
|
||||
This test ensures the PSS checks with the new advanced support on exclusions are applied to the resources successfully.
|
||||
|
||||
## Expected Behavior
|
||||
|
||||
Two pods (`good-pod` & `excluded-pod`) should be created as it follows the baseline:latest `Seccomp` PSS check and one pod (`bad-pod`) should not be created as it violate the baseline:latest `Seccomp` PSS check.
|
|
@ -1,27 +0,0 @@
|
|||
apiVersion: v1
|
||||
kind: Pod
|
||||
metadata:
|
||||
name: bad-pod
|
||||
namespace: default
|
||||
spec:
|
||||
securityContext:
|
||||
seccompProfile:
|
||||
type: foo
|
||||
containers:
|
||||
- name: nginx1
|
||||
image: nginx
|
||||
args:
|
||||
- sleep
|
||||
- 1d
|
||||
securityContext:
|
||||
seccompProfile:
|
||||
type: baz
|
||||
initContainers:
|
||||
- name: nginx2
|
||||
image: nginx
|
||||
args:
|
||||
- sleep
|
||||
- 1d
|
||||
securityContext:
|
||||
seccompProfile:
|
||||
type: Localhost
|
|
@ -1,24 +0,0 @@
|
|||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||
kind: Test
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: test-exclusion-seccomp
|
||||
spec:
|
||||
steps:
|
||||
- name: step-01
|
||||
try:
|
||||
- apply:
|
||||
file: policy.yaml
|
||||
- assert:
|
||||
file: policy-assert.yaml
|
||||
- name: step-02
|
||||
try:
|
||||
- apply:
|
||||
expect:
|
||||
- check:
|
||||
($error != null): true
|
||||
file: bad-pod.yaml
|
||||
- apply:
|
||||
file: excluded-pod.yaml
|
||||
- apply:
|
||||
file: good-pod.yaml
|
|
@ -1,27 +0,0 @@
|
|||
apiVersion: v1
|
||||
kind: Pod
|
||||
metadata:
|
||||
name: excluded-pod
|
||||
namespace: default
|
||||
spec:
|
||||
securityContext:
|
||||
seccompProfile:
|
||||
type: Unconfined
|
||||
containers:
|
||||
- name: nginx1
|
||||
image: nginx
|
||||
args:
|
||||
- sleep
|
||||
- 1d
|
||||
securityContext:
|
||||
seccompProfile:
|
||||
type: Unconfined
|
||||
initContainers:
|
||||
- name: nginx2
|
||||
image: nginx
|
||||
args:
|
||||
- sleep
|
||||
- 1d
|
||||
securityContext:
|
||||
seccompProfile:
|
||||
type: Unconfined
|
|
@ -1,24 +0,0 @@
|
|||
apiVersion: v1
|
||||
kind: Pod
|
||||
metadata:
|
||||
name: good-pod
|
||||
namespace: default
|
||||
spec:
|
||||
securityContext:
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
containers:
|
||||
- name: nginx1
|
||||
image: nginx
|
||||
args:
|
||||
- sleep
|
||||
- 1d
|
||||
securityContext:
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
initContainers:
|
||||
- name: nginx2
|
||||
image: nginx
|
||||
args:
|
||||
- sleep
|
||||
- 1d
|
|
@ -1,9 +0,0 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: test-exclusion-seccomp
|
||||
status:
|
||||
conditions:
|
||||
- reason: Succeeded
|
||||
status: "True"
|
||||
type: Ready
|
|
@ -1,35 +0,0 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: test-exclusion-seccomp
|
||||
spec:
|
||||
background: true
|
||||
validationFailureAction: Enforce
|
||||
rules:
|
||||
- name: test-exclusion-seccomp
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- Pod
|
||||
validate:
|
||||
podSecurity:
|
||||
level: baseline
|
||||
version: latest
|
||||
exclude:
|
||||
- controlName: "Seccomp"
|
||||
restrictedField: "spec.securityContext.seccompProfile.type"
|
||||
values:
|
||||
- "Unconfined"
|
||||
- controlName: "Seccomp"
|
||||
images:
|
||||
- nginx
|
||||
restrictedField: "spec.containers[*].securityContext.seccompProfile.type"
|
||||
values:
|
||||
- "Unconfined"
|
||||
- controlName: "Seccomp"
|
||||
images:
|
||||
- nginx
|
||||
restrictedField: "spec.initContainers[*].securityContext.seccompProfile.type"
|
||||
values:
|
||||
- "Unconfined"
|
|
@ -1,7 +0,0 @@
|
|||
## Description
|
||||
|
||||
This test ensures the PSS checks with the new advanced support on exclusions are applied to the resources successfully.
|
||||
|
||||
## Expected Behavior
|
||||
|
||||
Two pods (`good-pod` & `excluded-pod`) should be created as it follows the baseline:latest `SELinux` PSS check and one pod (`bad-pod`) should not be created as it violate the baseline:latest `SELinux` PSS check.
|
|
@ -1,24 +0,0 @@
|
|||
apiVersion: v1
|
||||
kind: Pod
|
||||
metadata:
|
||||
name: bad-pod
|
||||
namespace: default
|
||||
spec:
|
||||
containers:
|
||||
- name: nginx1
|
||||
image: nginx
|
||||
args:
|
||||
- sleep
|
||||
- 1d
|
||||
securityContext:
|
||||
seLinuxOptions:
|
||||
type: bar
|
||||
initContainers:
|
||||
- name: nginx2
|
||||
image: nginx
|
||||
args:
|
||||
- sleep
|
||||
- 1d
|
||||
securityContext:
|
||||
seLinuxOptions:
|
||||
type: foo
|
|
@ -1,24 +0,0 @@
|
|||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||
kind: Test
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: test-exclusion-selinux
|
||||
spec:
|
||||
steps:
|
||||
- name: step-01
|
||||
try:
|
||||
- apply:
|
||||
file: policy.yaml
|
||||
- assert:
|
||||
file: policy-assert.yaml
|
||||
- name: step-02
|
||||
try:
|
||||
- apply:
|
||||
expect:
|
||||
- check:
|
||||
($error != null): true
|
||||
file: bad-pod.yaml
|
||||
- apply:
|
||||
file: excluded-pod.yaml
|
||||
- apply:
|
||||
file: good-pod.yaml
|
|
@ -1,24 +0,0 @@
|
|||
apiVersion: v1
|
||||
kind: Pod
|
||||
metadata:
|
||||
name: excluded-pod
|
||||
namespace: default
|
||||
spec:
|
||||
containers:
|
||||
- name: nginx1
|
||||
image: nginx
|
||||
args:
|
||||
- sleep
|
||||
- 1d
|
||||
securityContext:
|
||||
seLinuxOptions:
|
||||
type: foo
|
||||
initContainers:
|
||||
- name: nginx2
|
||||
image: nginx
|
||||
args:
|
||||
- sleep
|
||||
- 1d
|
||||
securityContext:
|
||||
seLinuxOptions:
|
||||
type: bar
|
|
@ -1,24 +0,0 @@
|
|||
apiVersion: v1
|
||||
kind: Pod
|
||||
metadata:
|
||||
name: good-pod
|
||||
namespace: default
|
||||
spec:
|
||||
containers:
|
||||
- name: nginx1
|
||||
image: nginx
|
||||
args:
|
||||
- sleep
|
||||
- 1d
|
||||
securityContext:
|
||||
seLinuxOptions:
|
||||
type: container_t
|
||||
initContainers:
|
||||
- name: nginx2
|
||||
image: nginx
|
||||
args:
|
||||
- sleep
|
||||
- 1d
|
||||
securityContext:
|
||||
seLinuxOptions:
|
||||
type: container_init_t
|
|
@ -1,9 +0,0 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: test-exclusion-selinux
|
||||
status:
|
||||
conditions:
|
||||
- reason: Succeeded
|
||||
status: "True"
|
||||
type: Ready
|
|
@ -1,31 +0,0 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: test-exclusion-selinux
|
||||
spec:
|
||||
background: true
|
||||
validationFailureAction: Enforce
|
||||
rules:
|
||||
- name: test-exclusion-selinux
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- Pod
|
||||
validate:
|
||||
podSecurity:
|
||||
level: baseline
|
||||
version: latest
|
||||
exclude:
|
||||
- controlName: "SELinux"
|
||||
images:
|
||||
- nginx
|
||||
restrictedField: "spec.containers[*].securityContext.seLinuxOptions.type"
|
||||
values:
|
||||
- "foo"
|
||||
- controlName: "SELinux"
|
||||
images:
|
||||
- nginx
|
||||
restrictedField: "spec.initContainers[*].securityContext.seLinuxOptions.type"
|
||||
values:
|
||||
- "bar"
|
|
@ -1,7 +0,0 @@
|
|||
## Description
|
||||
|
||||
This test ensures the PSS checks with the new advanced support on exclusions are applied to the resources successfully.
|
||||
|
||||
## Expected Behavior
|
||||
|
||||
Two pods (`good-pod` & `excluded-pod`) should be created as it follows the baseline:latest `Sysctls` PSS check and one pod (`bad-pod`) should not be created as it violate the baseline:latest `Sysctls` PSS check.
|
|
@ -1,15 +0,0 @@
|
|||
apiVersion: v1
|
||||
kind: Pod
|
||||
metadata:
|
||||
name: bad-pod
|
||||
namespace: default
|
||||
spec:
|
||||
securityContext:
|
||||
sysctls:
|
||||
- name: unknown
|
||||
containers:
|
||||
- name: nginx
|
||||
image: nginx
|
||||
args:
|
||||
- sleep
|
||||
- 1d
|
|
@ -1,24 +0,0 @@
|
|||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||
kind: Test
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: test-exclusion-sysctls
|
||||
spec:
|
||||
steps:
|
||||
- name: step-01
|
||||
try:
|
||||
- apply:
|
||||
file: policy.yaml
|
||||
- assert:
|
||||
file: policy-assert.yaml
|
||||
- name: step-02
|
||||
try:
|
||||
- apply:
|
||||
expect:
|
||||
- check:
|
||||
($error != null): true
|
||||
file: bad-pod.yaml
|
||||
- apply:
|
||||
file: excluded-pod.yaml
|
||||
- apply:
|
||||
file: good-pod.yaml
|
|
@ -1,15 +0,0 @@
|
|||
apiVersion: v1
|
||||
kind: Pod
|
||||
metadata:
|
||||
name: excluded-pod
|
||||
namespace: default
|
||||
spec:
|
||||
securityContext:
|
||||
sysctls:
|
||||
- name: fake.value
|
||||
containers:
|
||||
- name: nginx
|
||||
image: nginx
|
||||
args:
|
||||
- sleep
|
||||
- 1d
|