Merge branch 'best_practice_policies' of github.com:nirmata/kyverno into best_practice_policies

2025-03-31 03:45:17 +00:00 · 2019-10-14 09:10:36 -07:00 · 2019-10-14 09:10:36 -07:00 · ece72ea090
commit ece72ea090
parent 66ae7367ba eb8bd71ac2
13 changed files with 364 additions and 3 deletions
--- a/pkg/api/kyverno/v1alpha1/utils.go
+++ b/pkg/api/kyverno/v1alpha1/utils.go
@ -82,3 +82,12 @@ func hasExistingAnchor(str string) (bool, string) {

 	return (str[:len(left)] == left && str[len(str)-len(right):] == right), str[len(left) : len(str)-len(right)]
 }
+
+func hasNegationAnchor(str string) (bool, string) {
+	left := "X("
+	right := ")"
+	if len(str) < len(left)+len(right) {
+		return false, str
+	}
+	return (str[:len(left)] == left && str[len(str)-len(right):] == right), str[len(left) : len(str)-len(right)]
+}
--- a/pkg/engine/anchor.go
+++ b/pkg/engine/anchor.go
@ -21,11 +21,41 @@ func CreateElementHandler(element string, pattern interface{}, path string) Vali
 		return NewExistanceHandler(element, pattern, path)
 	case isEqualityAnchor(element):
 		return NewEqualityHandler(element, pattern, path)
+	case isNegationAnchor(element):
+		return NewNegationHandler(element, pattern, path)
 	default:
 		return NewDefaultHandler(element, pattern, path)
 	}
 }

+func NewNegationHandler(anchor string, pattern interface{}, path string) ValidationHandler {
+	return NegationHandler{
+		anchor:  anchor,
+		pattern: pattern,
+		path:    path,
+	}
+}
+
+//NegationHandler provides handler for check if the tag in anchor is not defined
+type NegationHandler struct {
+	anchor  string
+	pattern interface{}
+	path    string
+}
+
+//Handle process negation handler
+func (nh NegationHandler) Handle(resourceMap map[string]interface{}, originPattern interface{}) (string, error) {
+	anchorKey := removeAnchor(nh.anchor)
+	currentPath := nh.path + anchorKey + "/"
+	// if anchor is present in the resource then fail
+	if _, ok := resourceMap[anchorKey]; ok {
+		// no need to process elements in value as key cannot be present in resource
+		return currentPath, fmt.Errorf("Validation rule failed at %s, field %s is disallowed", currentPath, anchorKey)
+	}
+	// key is not defined in the resource
+	return "", nil
+}
+
 func NewEqualityHandler(anchor string, pattern interface{}, path string) ValidationHandler {
 	return EqualityHandler{
 		anchor:  anchor,
@ -150,7 +180,7 @@ func (eh ExistanceHandler) Handle(resourceMap map[string]interface{}, originPatt
 		case []interface{}:
 			typedPattern, ok := eh.pattern.([]interface{})
 			if !ok {
-				return currentPath, fmt.Errorf("Invalid pattern type %T: Pattern has to be of lis to compare against resource", eh.pattern)
+				return currentPath, fmt.Errorf("Invalid pattern type %T: Pattern has to be of list to compare against resource", eh.pattern)
 			}
 			// get the first item in the pattern array
 			patternMap := typedPattern[0]
@ -187,7 +217,7 @@ func getAnchorsResourcesFromMap(patternMap map[string]interface{}) (map[string]i
 	anchors := map[string]interface{}{}
 	resources := map[string]interface{}{}
 	for key, value := range patternMap {
-		if isConditionAnchor(key) || isExistanceAnchor(key) || isEqualityAnchor(key) {
+		if isConditionAnchor(key) || isExistanceAnchor(key) || isEqualityAnchor(key) || isNegationAnchor(key) {
 			anchors[key] = value
 			continue
 		}
--- a/pkg/engine/utils.go
+++ b/pkg/engine/utils.go
@ -305,6 +305,16 @@ func isEqualityAnchor(str string) bool {
 	return (str[:len(left)] == left && str[len(str)-len(right):] == right)
 }

+func isNegationAnchor(str string) bool {
+	left := "X("
+	right := ")"
+	if len(str) < len(left)+len(right) {
+		return false
+	}
+	//TODO: trim spaces ?
+	return (str[:len(left)] == left && str[len(str)-len(right):] == right)
+}
+
 func isAddingAnchor(key string) bool {
 	const left = "+("
 	const right = ")"
@ -340,7 +350,7 @@ func removeAnchor(key string) string {
 		return key[1 : len(key)-1]
 	}

-	if isExistanceAnchor(key) || isAddingAnchor(key) || isEqualityAnchor(key) {
+	if isExistanceAnchor(key) || isAddingAnchor(key) || isEqualityAnchor(key) || isNegationAnchor(key) {
 		return key[2 : len(key)-1]
 	}

--- a/pkg/engine/validation_test.go
+++ b/pkg/engine/validation_test.go
@ -2767,3 +2767,176 @@ func TestValidate_existenceAnchor_pass(t *testing.T) {
 	}
 	assert.Assert(t, er.IsSuccesful())
 }
+
+func TestValidate_negationAnchor_deny(t *testing.T) {
+	rawPolicy := []byte(`
+	{
+		"apiVersion": "kyverno.io/v1alpha1",
+		"kind": "ClusterPolicy",
+		"metadata": {
+		  "name": "validate-host-path"
+		},
+		"spec": {
+		  "rules": [
+			{
+			  "name": "validate-host-path",
+			  "match": {
+				"resources": {
+				  "kinds": [
+					"Pod"
+				  ]
+				}
+			  },
+			  "validate": {
+				"message": "Host path is not allowed",
+				"pattern": {
+				  "spec": {
+					"volumes": [
+					  {
+						"name": "*",
+						"X(hostPath)": null
+					  }
+					]
+				  }
+				}
+			  }
+			}
+		  ]
+		}
+	  }	
+	 `)
+
+	rawResource := []byte(`
+	{
+		"apiVersion": "v1",
+		"kind": "Pod",
+		"metadata": {
+		   "name": "image-with-hostpath",
+		   "labels": {
+			  "app.type": "prod",
+			  "namespace": "my-namespace"
+		   }
+		},
+		"spec": {
+		   "containers": [
+			  {
+				 "name": "image-with-hostpath",
+				 "image": "docker.io/nautiker/curl",
+				 "volumeMounts": [
+					{
+					   "name": "var-lib-etcd",
+					   "mountPath": "/var/lib"
+					}
+				 ]
+			  }
+		   ],
+		   "volumes": [
+			  {
+				 "name": "var-lib-etcd",
+				 "hostPath": {
+					"path": "/var/lib1"
+				 }
+			  }
+		   ]
+		}
+	 }	 `)
+
+	var policy kyverno.ClusterPolicy
+	json.Unmarshal(rawPolicy, &policy)
+
+	resourceUnstructured, err := ConvertToUnstructured(rawResource)
+	assert.NilError(t, err)
+	er := Validate(policy, *resourceUnstructured)
+	msgs := []string{"Validation rule 'validate-host-path' failed at '/spec/volumes/0/hostPath/' for resource Pod//image-with-hostpath. Host path is not allowed"}
+
+	for index, r := range er.PolicyResponse.Rules {
+		assert.Equal(t, r.Message, msgs[index])
+	}
+	assert.Assert(t, !er.IsSuccesful())
+}
+
+func TestValidate_negationAnchor_pass(t *testing.T) {
+	rawPolicy := []byte(`
+	{
+		"apiVersion": "kyverno.io/v1alpha1",
+		"kind": "ClusterPolicy",
+		"metadata": {
+		  "name": "validate-host-path"
+		},
+		"spec": {
+		  "rules": [
+			{
+			  "name": "validate-host-path",
+			  "match": {
+				"resources": {
+				  "kinds": [
+					"Pod"
+				  ]
+				}
+			  },
+			  "validate": {
+				"message": "Host path is not allowed",
+				"pattern": {
+				  "spec": {
+					"volumes": [
+					  {
+						"name": "*",
+						"X(hostPath)": null
+					  }
+					]
+				  }
+				}
+			  }
+			}
+		  ]
+		}
+	  }	
+	 `)
+
+	rawResource := []byte(`
+	{
+		"apiVersion": "v1",
+		"kind": "Pod",
+		"metadata": {
+		   "name": "image-with-hostpath",
+		   "labels": {
+			  "app.type": "prod",
+			  "namespace": "my-namespace"
+		   }
+		},
+		"spec": {
+		   "containers": [
+			  {
+				 "name": "image-with-hostpath",
+				 "image": "docker.io/nautiker/curl",
+				 "volumeMounts": [
+					{
+					   "name": "var-lib-etcd",
+					   "mountPath": "/var/lib"
+					}
+				 ]
+			  }
+		   ],
+		   "volumes": [
+			  {
+				 "name": "var-lib-etcd",
+				 "emptyDir": {}
+			  }
+		   ]
+		}
+	 }
+	 	 `)
+
+	var policy kyverno.ClusterPolicy
+	json.Unmarshal(rawPolicy, &policy)
+
+	resourceUnstructured, err := ConvertToUnstructured(rawResource)
+	assert.NilError(t, err)
+	er := Validate(policy, *resourceUnstructured)
+	msgs := []string{"Validation rule 'validate-host-path' succesfully validated"}
+
+	for index, r := range er.PolicyResponse.Rules {
+		assert.Equal(t, r.Message, msgs[index])
+	}
+	assert.Assert(t, er.IsSuccesful())
+}
--- a/pkg/testrunner/testrunner_test.go
+++ b/pkg/testrunner/testrunner_test.go
@ -64,6 +64,10 @@ func Test_validate_require_image_tag_not_latest_deny(t *testing.T) {
 	testScenario(t, "test/scenarios/test/scenario_valiadate_require_image_tag_not_latest_deny.yaml")
 }

+func Test_validate_require_image_tag_not_latest_notag(t *testing.T) {
+	testScenario(t, "test/scenarios/test/scenario_valiadate_require_image_tag_not_latest_notag.yaml")
+}
+
 func Test_validate_require_image_tag_not_latest_pass(t *testing.T) {
 	testScenario(t, "test/scenarios/test/scenario_valiadate_require_image_tag_not_latest_pass.yaml")
 }
@ -139,3 +143,11 @@ func Test_require_pod_requests_limits(t *testing.T) {
 func Test_require_probes(t *testing.T) {
 	testScenario(t, "test/scenarios/test/scenario_validate_probes.yaml")
 }
+
+func Test_validate_disallow_host_filesystem_fail(t *testing.T) {
+	testScenario(t, "test/scenarios/test/scenario_validate_disallow_host_filesystem.yaml")
+}
+
+func Test_validate_disallow_host_filesystem_pass(t *testing.T) {
+	testScenario(t, "test/scenarios/test/scenario_validate_disallow_host_filesystem_pass.yaml")
+}
--- a/samples/README.md
+++ b/samples/README.md
@ -33,6 +33,13 @@ Namespaces are a way to divide cluster resources between multiple users. When mu
 ***Policy YAML***: [disallow_default_namespace.yaml](best_practices/disallow_default_namespace.yaml) 


+## Disallow use of host filesystem
+
+Using the volume of type hostpath can easily lose data when a node crashes. Disable use of hostpath prevent data loss. 
+
+***Policy YAML***: [disallow_host_filesystem.yaml](best_practices/disallow_host_filesystem.yaml) 
+
+
 ## Disallow `hostNetwork` and `hostPort`

 Using `hostPort` and `hostNetwork` limits the number of nodes the pod can be scheduled on, as the pod is bound to the host thats its mapped to.
--- a/samples/best_practices/disallow_host_filesystem.yaml
+++ b/samples/best_practices/disallow_host_filesystem.yaml
@ -0,0 +1,17 @@
+apiVersion: "kyverno.io/v1alpha1"
+kind: "ClusterPolicy"
+metadata: 
+  name: "deny-use-of-host-fs"
+spec: 
+  rules: 
+  - name: "deny-use-of-host-fs"
+    match: 
+      resources: 
+        kinds: 
+        - "Pod"
+    validate: 
+      message: "Host path is not allowed"
+      pattern: 
+        spec: 
+          volumes: 
+          - X(hostPath): null
--- a/test/manifest/disallow_host_filesystem.yaml
+++ b/test/manifest/disallow_host_filesystem.yaml
@ -0,0 +1,18 @@
+apiVersion: "v1"
+kind: "Pod"
+metadata: 
+  name: "image-with-hostpath"
+  labels: 
+    app.type: "prod"
+    namespace: "my-namespace"
+spec: 
+  containers: 
+  - name: "image-with-hostpath"
+    image: "docker.io/nautiker/curl"
+    volumeMounts: 
+    - name: "var-lib-etcd"
+      mountPath: "/var/lib"
+  volumes: 
+  - name: "var-lib-etcd"
+    hostPath: 
+      path: "/var/lib"
--- a/test/manifest/disallow_host_filesystem_pass.yaml
+++ b/test/manifest/disallow_host_filesystem_pass.yaml
@ -0,0 +1,17 @@
+apiVersion: "v1"
+kind: "Pod"
+metadata: 
+  name: "image-with-hostpath"
+  labels: 
+    app.type: "prod"
+    namespace: "my-namespace"
+spec: 
+  containers: 
+  - name: "image-with-hostpath"
+    image: "docker.io/nautiker/curl"
+    volumeMounts: 
+    - name: "var-lib-etcd"
+      mountPath: "/var/lib"
+  volumes: 
+  - name: "var-lib-etcd"
+    emptyDir: {}
--- a/test/manifest/require_image_tag_not_latest_notag.yaml
+++ b/test/manifest/require_image_tag_not_latest_notag.yaml
@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: myapp-pod
+  labels:
+    app: myapp
+spec: 
+  containers:
+  - name: nginx
+    image: nginx
--- a/test/scenarios/test/scenario_valiadate_require_image_tag_not_latest_notag.yaml
+++ b/test/scenarios/test/scenario_valiadate_require_image_tag_not_latest_notag.yaml
@ -0,0 +1,22 @@
+# file path relative to project root
+input:
+  policy: samples/best_practices/require_image_tag_not_latest.yaml
+  resource: test/manifest/require_image_tag_not_latest_notag.yaml
+expected:
+  validation:
+    policyresponse:
+      policy: validate-image-tag
+      resource:
+        kind: Pod
+        apiVersion: v1
+        namespace: ''
+        name: myapp-pod
+      rules:
+        - name: image-tag-notspecified
+          type: Validation
+          message: Validation rule 'image-tag-notspecified' failed at '/spec/containers/0/image/' for resource Pod//myapp-pod. image tag not specified
+          success: false
+        - name: image-tag-not-latest
+          type: Validation
+          message: Validation rule 'image-tag-not-latest' succesfully validated
+          success: true   
--- a/test/scenarios/test/scenario_validate_disallow_host_filesystem.yaml
+++ b/test/scenarios/test/scenario_validate_disallow_host_filesystem.yaml
@ -0,0 +1,18 @@
+# file path relative to project root
+input:
+  policy: samples/best_practices/disallow_host_filesystem.yaml
+  resource: test/manifest/disallow_host_filesystem.yaml
+expected:
+  validation:
+    policyresponse:
+      policy: deny-use-of-host-fs
+      resource:
+        kind: Pod
+        apiVersion: v1
+        namespace: ''
+        name: image-with-hostpath
+      rules:
+        - name: deny-use-of-host-fs
+          type: Validation
+          message: Validation rule 'deny-use-of-host-fs' failed at '/spec/volumes/0/hostPath/' for resource Pod//image-with-hostpath. Host path is not allowed
+          success: false
--- a/test/scenarios/test/scenario_validate_disallow_host_filesystem_pass.yaml
+++ b/test/scenarios/test/scenario_validate_disallow_host_filesystem_pass.yaml
@ -0,0 +1,18 @@
+# file path relative to project root
+input:
+  policy: samples/best_practices/disallow_host_filesystem.yaml
+  resource: test/manifest/disallow_host_filesystem_pass.yaml
+expected:
+  validation:
+    policyresponse:
+      policy: deny-use-of-host-fs
+      resource:
+        kind: Pod
+        apiVersion: v1
+        namespace: ''
+        name: image-with-hostpath
+      rules:
+        - name: deny-use-of-host-fs
+          type: Validation
+          message: Validation rule 'deny-use-of-host-fs' succesfully validated
+          success: true