diff --git a/pkg/api/kyverno/v1alpha1/utils.go b/pkg/api/kyverno/v1alpha1/utils.go index 4c9ef69c7a..52829f360d 100644 --- a/pkg/api/kyverno/v1alpha1/utils.go +++ b/pkg/api/kyverno/v1alpha1/utils.go @@ -82,3 +82,12 @@ func hasExistingAnchor(str string) (bool, string) { return (str[:len(left)] == left && str[len(str)-len(right):] == right), str[len(left) : len(str)-len(right)] } + +func hasNegationAnchor(str string) (bool, string) { + left := "X(" + right := ")" + if len(str) < len(left)+len(right) { + return false, str + } + return (str[:len(left)] == left && str[len(str)-len(right):] == right), str[len(left) : len(str)-len(right)] +} diff --git a/pkg/engine/anchor.go b/pkg/engine/anchor.go index 61472083db..e3d604007a 100644 --- a/pkg/engine/anchor.go +++ b/pkg/engine/anchor.go @@ -21,11 +21,41 @@ func CreateElementHandler(element string, pattern interface{}, path string) Vali return NewExistanceHandler(element, pattern, path) case isEqualityAnchor(element): return NewEqualityHandler(element, pattern, path) + case isNegationAnchor(element): + return NewNegationHandler(element, pattern, path) default: return NewDefaultHandler(element, pattern, path) } } +func NewNegationHandler(anchor string, pattern interface{}, path string) ValidationHandler { + return NegationHandler{ + anchor: anchor, + pattern: pattern, + path: path, + } +} + +//NegationHandler provides handler for check if the tag in anchor is not defined +type NegationHandler struct { + anchor string + pattern interface{} + path string +} + +//Handle process negation handler +func (nh NegationHandler) Handle(resourceMap map[string]interface{}, originPattern interface{}) (string, error) { + anchorKey := removeAnchor(nh.anchor) + currentPath := nh.path + anchorKey + "/" + // if anchor is present in the resource then fail + if _, ok := resourceMap[anchorKey]; ok { + // no need to process elements in value as key cannot be present in resource + return currentPath, fmt.Errorf("Validation rule failed at %s, field %s is disallowed", currentPath, anchorKey) + } + // key is not defined in the resource + return "", nil +} + func NewEqualityHandler(anchor string, pattern interface{}, path string) ValidationHandler { return EqualityHandler{ anchor: anchor, @@ -150,7 +180,7 @@ func (eh ExistanceHandler) Handle(resourceMap map[string]interface{}, originPatt case []interface{}: typedPattern, ok := eh.pattern.([]interface{}) if !ok { - return currentPath, fmt.Errorf("Invalid pattern type %T: Pattern has to be of lis to compare against resource", eh.pattern) + return currentPath, fmt.Errorf("Invalid pattern type %T: Pattern has to be of list to compare against resource", eh.pattern) } // get the first item in the pattern array patternMap := typedPattern[0] @@ -187,7 +217,7 @@ func getAnchorsResourcesFromMap(patternMap map[string]interface{}) (map[string]i anchors := map[string]interface{}{} resources := map[string]interface{}{} for key, value := range patternMap { - if isConditionAnchor(key) || isExistanceAnchor(key) || isEqualityAnchor(key) { + if isConditionAnchor(key) || isExistanceAnchor(key) || isEqualityAnchor(key) || isNegationAnchor(key) { anchors[key] = value continue } diff --git a/pkg/engine/utils.go b/pkg/engine/utils.go index 635251afa0..273a681b23 100644 --- a/pkg/engine/utils.go +++ b/pkg/engine/utils.go @@ -305,6 +305,16 @@ func isEqualityAnchor(str string) bool { return (str[:len(left)] == left && str[len(str)-len(right):] == right) } +func isNegationAnchor(str string) bool { + left := "X(" + right := ")" + if len(str) < len(left)+len(right) { + return false + } + //TODO: trim spaces ? + return (str[:len(left)] == left && str[len(str)-len(right):] == right) +} + func isAddingAnchor(key string) bool { const left = "+(" const right = ")" @@ -340,7 +350,7 @@ func removeAnchor(key string) string { return key[1 : len(key)-1] } - if isExistanceAnchor(key) || isAddingAnchor(key) || isEqualityAnchor(key) { + if isExistanceAnchor(key) || isAddingAnchor(key) || isEqualityAnchor(key) || isNegationAnchor(key) { return key[2 : len(key)-1] } diff --git a/pkg/engine/validation_test.go b/pkg/engine/validation_test.go index 6c3462ba24..3fc8b60c4e 100644 --- a/pkg/engine/validation_test.go +++ b/pkg/engine/validation_test.go @@ -2767,3 +2767,176 @@ func TestValidate_existenceAnchor_pass(t *testing.T) { } assert.Assert(t, er.IsSuccesful()) } + +func TestValidate_negationAnchor_deny(t *testing.T) { + rawPolicy := []byte(` + { + "apiVersion": "kyverno.io/v1alpha1", + "kind": "ClusterPolicy", + "metadata": { + "name": "validate-host-path" + }, + "spec": { + "rules": [ + { + "name": "validate-host-path", + "match": { + "resources": { + "kinds": [ + "Pod" + ] + } + }, + "validate": { + "message": "Host path is not allowed", + "pattern": { + "spec": { + "volumes": [ + { + "name": "*", + "X(hostPath)": null + } + ] + } + } + } + } + ] + } + } + `) + + rawResource := []byte(` + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "name": "image-with-hostpath", + "labels": { + "app.type": "prod", + "namespace": "my-namespace" + } + }, + "spec": { + "containers": [ + { + "name": "image-with-hostpath", + "image": "docker.io/nautiker/curl", + "volumeMounts": [ + { + "name": "var-lib-etcd", + "mountPath": "/var/lib" + } + ] + } + ], + "volumes": [ + { + "name": "var-lib-etcd", + "hostPath": { + "path": "/var/lib1" + } + } + ] + } + } `) + + var policy kyverno.ClusterPolicy + json.Unmarshal(rawPolicy, &policy) + + resourceUnstructured, err := ConvertToUnstructured(rawResource) + assert.NilError(t, err) + er := Validate(policy, *resourceUnstructured) + msgs := []string{"Validation rule 'validate-host-path' failed at '/spec/volumes/0/hostPath/' for resource Pod//image-with-hostpath. Host path is not allowed"} + + for index, r := range er.PolicyResponse.Rules { + assert.Equal(t, r.Message, msgs[index]) + } + assert.Assert(t, !er.IsSuccesful()) +} + +func TestValidate_negationAnchor_pass(t *testing.T) { + rawPolicy := []byte(` + { + "apiVersion": "kyverno.io/v1alpha1", + "kind": "ClusterPolicy", + "metadata": { + "name": "validate-host-path" + }, + "spec": { + "rules": [ + { + "name": "validate-host-path", + "match": { + "resources": { + "kinds": [ + "Pod" + ] + } + }, + "validate": { + "message": "Host path is not allowed", + "pattern": { + "spec": { + "volumes": [ + { + "name": "*", + "X(hostPath)": null + } + ] + } + } + } + } + ] + } + } + `) + + rawResource := []byte(` + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "name": "image-with-hostpath", + "labels": { + "app.type": "prod", + "namespace": "my-namespace" + } + }, + "spec": { + "containers": [ + { + "name": "image-with-hostpath", + "image": "docker.io/nautiker/curl", + "volumeMounts": [ + { + "name": "var-lib-etcd", + "mountPath": "/var/lib" + } + ] + } + ], + "volumes": [ + { + "name": "var-lib-etcd", + "emptyDir": {} + } + ] + } + } + `) + + var policy kyverno.ClusterPolicy + json.Unmarshal(rawPolicy, &policy) + + resourceUnstructured, err := ConvertToUnstructured(rawResource) + assert.NilError(t, err) + er := Validate(policy, *resourceUnstructured) + msgs := []string{"Validation rule 'validate-host-path' succesfully validated"} + + for index, r := range er.PolicyResponse.Rules { + assert.Equal(t, r.Message, msgs[index]) + } + assert.Assert(t, er.IsSuccesful()) +} diff --git a/pkg/testrunner/testrunner_test.go b/pkg/testrunner/testrunner_test.go index 6ebddac2e6..79ff434e85 100644 --- a/pkg/testrunner/testrunner_test.go +++ b/pkg/testrunner/testrunner_test.go @@ -64,6 +64,10 @@ func Test_validate_require_image_tag_not_latest_deny(t *testing.T) { testScenario(t, "test/scenarios/test/scenario_valiadate_require_image_tag_not_latest_deny.yaml") } +func Test_validate_require_image_tag_not_latest_notag(t *testing.T) { + testScenario(t, "test/scenarios/test/scenario_valiadate_require_image_tag_not_latest_notag.yaml") +} + func Test_validate_require_image_tag_not_latest_pass(t *testing.T) { testScenario(t, "test/scenarios/test/scenario_valiadate_require_image_tag_not_latest_pass.yaml") } @@ -139,3 +143,11 @@ func Test_require_pod_requests_limits(t *testing.T) { func Test_require_probes(t *testing.T) { testScenario(t, "test/scenarios/test/scenario_validate_probes.yaml") } + +func Test_validate_disallow_host_filesystem_fail(t *testing.T) { + testScenario(t, "test/scenarios/test/scenario_validate_disallow_host_filesystem.yaml") +} + +func Test_validate_disallow_host_filesystem_pass(t *testing.T) { + testScenario(t, "test/scenarios/test/scenario_validate_disallow_host_filesystem_pass.yaml") +} diff --git a/samples/README.md b/samples/README.md index 029cec5ea5..1b242667a7 100644 --- a/samples/README.md +++ b/samples/README.md @@ -33,6 +33,13 @@ Namespaces are a way to divide cluster resources between multiple users. When mu ***Policy YAML***: [disallow_default_namespace.yaml](best_practices/disallow_default_namespace.yaml) +## Disallow use of host filesystem + +Using the volume of type hostpath can easily lose data when a node crashes. Disable use of hostpath prevent data loss. + +***Policy YAML***: [disallow_host_filesystem.yaml](best_practices/disallow_host_filesystem.yaml) + + ## Disallow `hostNetwork` and `hostPort` Using `hostPort` and `hostNetwork` limits the number of nodes the pod can be scheduled on, as the pod is bound to the host thats its mapped to. diff --git a/samples/best_practices/disallow_host_filesystem.yaml b/samples/best_practices/disallow_host_filesystem.yaml new file mode 100644 index 0000000000..d0e1a2fe34 --- /dev/null +++ b/samples/best_practices/disallow_host_filesystem.yaml @@ -0,0 +1,17 @@ +apiVersion: "kyverno.io/v1alpha1" +kind: "ClusterPolicy" +metadata: + name: "deny-use-of-host-fs" +spec: + rules: + - name: "deny-use-of-host-fs" + match: + resources: + kinds: + - "Pod" + validate: + message: "Host path is not allowed" + pattern: + spec: + volumes: + - X(hostPath): null \ No newline at end of file diff --git a/test/manifest/disallow_host_filesystem.yaml b/test/manifest/disallow_host_filesystem.yaml new file mode 100644 index 0000000000..17fea26480 --- /dev/null +++ b/test/manifest/disallow_host_filesystem.yaml @@ -0,0 +1,18 @@ +apiVersion: "v1" +kind: "Pod" +metadata: + name: "image-with-hostpath" + labels: + app.type: "prod" + namespace: "my-namespace" +spec: + containers: + - name: "image-with-hostpath" + image: "docker.io/nautiker/curl" + volumeMounts: + - name: "var-lib-etcd" + mountPath: "/var/lib" + volumes: + - name: "var-lib-etcd" + hostPath: + path: "/var/lib" \ No newline at end of file diff --git a/test/manifest/disallow_host_filesystem_pass.yaml b/test/manifest/disallow_host_filesystem_pass.yaml new file mode 100644 index 0000000000..8cf7113715 --- /dev/null +++ b/test/manifest/disallow_host_filesystem_pass.yaml @@ -0,0 +1,17 @@ +apiVersion: "v1" +kind: "Pod" +metadata: + name: "image-with-hostpath" + labels: + app.type: "prod" + namespace: "my-namespace" +spec: + containers: + - name: "image-with-hostpath" + image: "docker.io/nautiker/curl" + volumeMounts: + - name: "var-lib-etcd" + mountPath: "/var/lib" + volumes: + - name: "var-lib-etcd" + emptyDir: {} \ No newline at end of file diff --git a/test/manifest/require_image_tag_not_latest_notag.yaml b/test/manifest/require_image_tag_not_latest_notag.yaml new file mode 100644 index 0000000000..c83c830f72 --- /dev/null +++ b/test/manifest/require_image_tag_not_latest_notag.yaml @@ -0,0 +1,10 @@ +apiVersion: v1 +kind: Pod +metadata: + name: myapp-pod + labels: + app: myapp +spec: + containers: + - name: nginx + image: nginx \ No newline at end of file diff --git a/test/scenarios/test/scenario_valiadate_require_image_tag_not_latest_notag.yaml b/test/scenarios/test/scenario_valiadate_require_image_tag_not_latest_notag.yaml new file mode 100644 index 0000000000..33d18c4805 --- /dev/null +++ b/test/scenarios/test/scenario_valiadate_require_image_tag_not_latest_notag.yaml @@ -0,0 +1,22 @@ +# file path relative to project root +input: + policy: samples/best_practices/require_image_tag_not_latest.yaml + resource: test/manifest/require_image_tag_not_latest_notag.yaml +expected: + validation: + policyresponse: + policy: validate-image-tag + resource: + kind: Pod + apiVersion: v1 + namespace: '' + name: myapp-pod + rules: + - name: image-tag-notspecified + type: Validation + message: Validation rule 'image-tag-notspecified' failed at '/spec/containers/0/image/' for resource Pod//myapp-pod. image tag not specified + success: false + - name: image-tag-not-latest + type: Validation + message: Validation rule 'image-tag-not-latest' succesfully validated + success: true diff --git a/test/scenarios/test/scenario_validate_disallow_host_filesystem.yaml b/test/scenarios/test/scenario_validate_disallow_host_filesystem.yaml new file mode 100644 index 0000000000..b42416e689 --- /dev/null +++ b/test/scenarios/test/scenario_validate_disallow_host_filesystem.yaml @@ -0,0 +1,18 @@ +# file path relative to project root +input: + policy: samples/best_practices/disallow_host_filesystem.yaml + resource: test/manifest/disallow_host_filesystem.yaml +expected: + validation: + policyresponse: + policy: deny-use-of-host-fs + resource: + kind: Pod + apiVersion: v1 + namespace: '' + name: image-with-hostpath + rules: + - name: deny-use-of-host-fs + type: Validation + message: Validation rule 'deny-use-of-host-fs' failed at '/spec/volumes/0/hostPath/' for resource Pod//image-with-hostpath. Host path is not allowed + success: false \ No newline at end of file diff --git a/test/scenarios/test/scenario_validate_disallow_host_filesystem_pass.yaml b/test/scenarios/test/scenario_validate_disallow_host_filesystem_pass.yaml new file mode 100644 index 0000000000..eb567a3f08 --- /dev/null +++ b/test/scenarios/test/scenario_validate_disallow_host_filesystem_pass.yaml @@ -0,0 +1,18 @@ +# file path relative to project root +input: + policy: samples/best_practices/disallow_host_filesystem.yaml + resource: test/manifest/disallow_host_filesystem_pass.yaml +expected: + validation: + policyresponse: + policy: deny-use-of-host-fs + resource: + kind: Pod + apiVersion: v1 + namespace: '' + name: image-with-hostpath + rules: + - name: deny-use-of-host-fs + type: Validation + message: Validation rule 'deny-use-of-host-fs' succesfully validated + success: true \ No newline at end of file