From f31abbffabcb5f91d589c6f80e80424f346124d8 Mon Sep 17 00:00:00 2001
From: Jim Bugwadia <jim@nirmata.com>
Date: Sun, 10 Nov 2019 17:54:38 -0800
Subject: [PATCH] update disallow_latest_tag

---
 pkg/testrunner/testrunner_test.go | 6 ++---
 samples/DisallowHostPIDIPC.md | 5 +---
 samples/DisallowLatestTag.md | 18 ++++++++++-----
 ...t_latest.yaml => disallow_latest_tag.yaml} | 10 ++++-----
 ...est_deny.yaml => pod_with_latest_tag.yaml} | 0
 ...st_pass.yaml => pod_with_version_tag.yaml} | 0
 .../best_practices/disallow_latest_tag.yaml | 20 +++++++++++++++++
 .../disallow_latest_tag_pass.yaml | 20 +++++++++++++++++
 ...ate_require_image_tag_not_latest_deny.yaml | 22 -------------------
 ...ate_require_image_tag_not_latest_pass.yaml | 22 -------------------
 10 files changed, 61 insertions(+), 62 deletions(-)
 rename samples/best_practices/{require_image_tag_not_latest.yaml => disallow_latest_tag.yaml} (74%)
 rename test/resources/{require_image_tag_not_latest_deny.yaml => pod_with_latest_tag.yaml} (100%)
 rename test/resources/{resource_validate_image_tag_latest_pass.yaml => pod_with_version_tag.yaml} (100%)
 create mode 100644 test/scenarios/samples/best_practices/disallow_latest_tag.yaml
 create mode 100644 test/scenarios/samples/best_practices/disallow_latest_tag_pass.yaml
 delete mode 100644 test/scenarios/samples/best_practices/scenario_valiadate_require_image_tag_not_latest_deny.yaml
 delete mode 100644 test/scenarios/samples/best_practices/scenario_valiadate_require_image_tag_not_latest_pass.yaml

diff --git a/pkg/testrunner/testrunner_test.go b/pkg/testrunner/testrunner_test.go
index 65fb220e24..fcd7e73959 100644
--- a/pkg/testrunner/testrunner_test.go
+++ b/pkg/testrunner/testrunner_test.go
@@ -28,12 +28,12 @@ func Test_generate_networkPolicy(t *testing.T) {
 // namespace is blank, not "default" as testrunner evaulates the policyengine, but the "default" is added by kubeapiserver
-func Test_validate_require_image_tag_not_latest_deny(t *testing.T) {
- testScenario(t, "test/scenarios/samples/best_practices/scenario_valiadate_require_image_tag_not_latest_deny.yaml")
+func Test_validate_disallow_latest_tag(t *testing.T) {
+ testScenario(t, "test/scenarios/samples/best_practices/disallow_latest_tag.yaml")
 }
 func Test_validate_require_image_tag_not_latest_pass(t *testing.T) {
- testScenario(t, "test/scenarios/samples/best_practices/scenario_valiadate_require_image_tag_not_latest_pass.yaml")
+ testScenario(t, "test/scenarios/samples/best_practices/disallow_latest_tag_pass.yaml")
 }
 func Test_validate_disallow_automoutingapicred_pass(t *testing.T) {
diff --git a/samples/DisallowHostPIDIPC.md b/samples/DisallowHostPIDIPC.md
index 6820a332e4..69205d373e 100644
--- a/samples/DisallowHostPIDIPC.md
+++ b/samples/DisallowHostPIDIPC.md
@@ -15,10 +15,7 @@ metadata:
 name: disallow-host-pid-ipc
 annotations:
 policies.kyverno.io/category: Security
- policies.kyverno.io/description: Sharing the host's PID namespace allows visibility of process
- on the host, potentially exposing process information. Sharing the host's IPC namespace allows
- the container process to communicate with processes on the host. To avoid pod container from
- having visibility to host process space, validate that 'hostPID' and 'hostIPC' are set to 'false'.
+ policies.kyverno.io/description: Sharing the host's PID namespace allows visibility of process on the host, potentially exposing process information. Sharing the host's IPC namespace allows the container process to communicate with processes on the host. To avoid pod container from having visibility to host process space, validate that 'hostPID' and 'hostIPC' are set to 'false'.
 spec:
 validationFailureAction: audit
 rules:
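Review bot: The rename is only half applied: `Test_validate_require_image_tag_not_latest_deny` becomes `Test_validate_disallow_latest_tag`, but its sibling a few lines below keeps the old `Test_validate_require_image_tag_not_latest_pass` name even though its scenario path was moved to `disallow_latest_tag_pass.yaml`. Renaming it to `func Test_validate_disallow_latest_tag_pass(t *testing.T) {` keeps the test name in step with the policy and scenario it exercises. Giving the first one a matching `_deny` suffix would make the pair read as deny/pass like the scenarios they load.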
diff --git a/samples/DisallowLatestTag.md b/samples/DisallowLatestTag.md
index 20a10e08d0..485e0b3661 100644
--- a/samples/DisallowLatestTag.md
+++ b/samples/DisallowLatestTag.md
@@ -4,36 +4,42 @@ The `:latest` tag is mutable and can lead to unexpected errors if the upstream i
 ## Policy YAML
-[require_image_tag_not_latest.yaml](best_practices/require_image_tag_not_latest.yaml)
+[disallow_latest_tag.yaml](best_practices/disallow_latest_tag.yaml)
 ````yaml
 apiVersion : kyverno.io/v1alpha1
 kind: ClusterPolicy
 metadata:
- name: validate-image-tag
+ name: disallow-latest-tag
+ annotations:
+ policies.kyverno.io/category: Image
+ policies.kyverno.io/description: The ':latest' tag is mutable and can lead to
+ unexpected errors if the image changes. A best practice is to use an immutable
+ tag that maps to a specific version of an application pod.
 spec:
 rules:
- - name: image-tag-notspecified
+ - name: require-tag
 match:
 resources:
 kinds:
 - Pod
 validate:
- message: "Image tag not specified"
+ message: "An image tag is required"
 pattern:
 spec:
 containers:
 - image: "*:*"
- - name: image-tag-not-latest
+ - name: validate-tag
 match:
 resources:
 kinds:
 - Pod
 validate:
- message: "Using 'latest' image tag is restricted. Set image tag to a specific version"
+ message: "Using a mutable image tag e.g. 'latest' is not allowed"
 pattern:
 spec:
 containers:
 - image: "!*:latest"
+
 ````
diff --git a/samples/best_practices/require_image_tag_not_latest.yaml b/samples/best_practices/disallow_latest_tag.yaml
similarity index 74%
rename from samples/best_practices/require_image_tag_not_latest.yaml
rename to samples/best_practices/disallow_latest_tag.yaml
index a478b95edc..4e15999caf 100644
--- a/samples/best_practices/require_image_tag_not_latest.yaml
+++ b/samples/best_practices/disallow_latest_tag.yaml
@@ -1,7 +1,7 @@
 apiVersion : kyverno.io/v1alpha1
 kind: ClusterPolicy
 metadata:
- name: validate-image-tag
+ name: disallow-latest-tag
 annotations:
 policies.kyverno.io/category: Image
 policies.kyverno.io/description: The ':latest' tag is mutable and can lead to
@@ -9,24 +9,24 @@ metadata:
 tag that maps to a specific version of an application pod.
 spec:
 rules:
- - name: image-tag-notspecified
+ - name: require-image-tag
 match:
 resources:
 kinds:
 - Pod
 validate:
- message: "Image tag not specified"
+ message: "An image tag is required"
 pattern:
 spec:
 containers:
 - image: "*:*"
- - name: image-tag-not-latest
+ - name: validate-image-tag
 match:
 resources:
 kinds:
 - Pod
 validate:
- message: "Using 'latest' image tag is restricted. Set image tag to a specific version"
+ message: "Using a mutable image tag e.g. 'latest' is not allowed"
 pattern:
 spec:
 containers:
diff --git a/test/resources/require_image_tag_not_latest_deny.yaml b/test/resources/pod_with_latest_tag.yaml
similarity index 100%
rename from test/resources/require_image_tag_not_latest_deny.yaml
rename to test/resources/pod_with_latest_tag.yaml
diff --git a/test/resources/resource_validate_image_tag_latest_pass.yaml b/test/resources/pod_with_version_tag.yaml
similarity index 100%
rename from test/resources/resource_validate_image_tag_latest_pass.yaml
rename to test/resources/pod_with_version_tag.yaml
diff --git a/test/scenarios/samples/best_practices/disallow_latest_tag.yaml b/test/scenarios/samples/best_practices/disallow_latest_tag.yaml
new file mode 100644
index 0000000000..ec6163984b
--- /dev/null
+++ b/test/scenarios/samples/best_practices/disallow_latest_tag.yaml
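Review bot: The rule names introduced in the second hunk (`require-image-tag`, `validate-image-tag`) differ from the copy of this same policy that the commit writes into samples/DisallowLatestTag.md (`require-tag`, `validate-tag`), so the documented names no longer match what the new scenario files assert; pick one set and use it in both places. Separately, the new message `Using a mutable image tag e.g. 'latest' is not allowed` promises more than the rule checks: the `!*:latest` pattern, which sits just past the end of this hunk, rejects only the literal `latest` tag, and the first rule's `*:*` pattern is presumably satisfied by any colon in the reference, so a constructed reference such as `registry.example:5000/app` (port, no tag) would appear to pass both rules. Either narrow the wording to what is enforced, e.g. `message: "Using the 'latest' image tag is not allowed"`, or add a comment on the rule noting that references containing a registry port or digest are not covered by the tag check.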
@@ -0,0 +1,20 @@
+# file path relative to project root
+input:
+ policy: samples/best_practices/disallow_latest_tag.yaml
+ resource: test/resources/pod_with_latest_tag.yaml
+expected:
+ validation:
+ policyresponse:
+ policy: disallow-latest-tag
+ resource:
+ kind: Pod
+ apiVersion: v1
+ namespace: ''
+ name: myapp-pod
+ rules:
+ - name: require-image-tag
+ type: Validation
+ success: true
+ - name: validate-image-tag
+ type: Validation
+ success: false
diff --git a/test/scenarios/samples/best_practices/disallow_latest_tag_pass.yaml b/test/scenarios/samples/best_practices/disallow_latest_tag_pass.yaml
new file mode 100644
index 0000000000..ae4e4847f0
--- /dev/null
+++ b/test/scenarios/samples/best_practices/disallow_latest_tag_pass.yaml
@@ -0,0 +1,20 @@
+# file path relative to project root
+input:
+ policy: samples/best_practices/disallow_latest_tag.yaml
+ resource: test/resources/pod_with_version_tag.yaml
+expected:
+ validation:
+ policyresponse:
+ policy: disallow-latest-tag
+ resource:
+ kind: Pod
+ apiVersion: v1
+ namespace: ''
+ name: myapp-pod
+ rules:
+ - name: require-image-tag
+ type: Validation
+ success: true
+ - name: validate-image-tag
+ type: Validation
+ success: true
diff --git a/test/scenarios/samples/best_practices/scenario_valiadate_require_image_tag_not_latest_deny.yaml b/test/scenarios/samples/best_practices/scenario_valiadate_require_image_tag_not_latest_deny.yaml
deleted file mode 100644
index 38d5bd1753..0000000000
--- a/test/scenarios/samples/best_practices/scenario_valiadate_require_image_tag_not_latest_deny.yaml
+++ /dev/null
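Review bot: The replacement scenario drops the `message:` expectations that the deleted scenario_valiadate_require_image_tag_not_latest_deny.yaml carried for each rule, so the new rule messages introduced in samples/best_practices/disallow_latest_tag.yaml are never asserted; the same omission is in disallow_latest_tag_pass.yaml in the next hunk. If the runner compares `message` when it is present (inferred from the old scenarios, not visible here), add it back under each rule, e.g. for the failing rule `message: "Validation error: Using a mutable image tag e.g. 'latest' is not allowed\nValidation rule 'validate-image-tag' failed at path '/spec/containers/0/image/'."` (format taken from the deleted file; confirm against actual runner output). Without it, a regression that changes or blanks the message would still pass both scenarios.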
@@ -1,22 +0,0 @@
-# file path relative to project root
-input:
- policy: samples/best_practices/require_image_tag_not_latest.yaml
- resource: test/resources/require_image_tag_not_latest_deny.yaml
-expected:
- validation:
- policyresponse:
- policy: validate-image-tag
- resource:
- kind: Pod
- apiVersion: v1
- namespace: ''
- name: myapp-pod
- rules:
- - name: image-tag-notspecified
- type: Validation
- message: "Validation rule 'image-tag-notspecified' succeeded."
- success: true
- - name: image-tag-not-latest
- type: Validation
- message: "Validation error: Using 'latest' image tag is restricted. Set image tag to a specific version\nValidation rule 'image-tag-not-latest' failed at path '/spec/containers/0/image/'."
- success: false
diff --git a/test/scenarios/samples/best_practices/scenario_valiadate_require_image_tag_not_latest_pass.yaml b/test/scenarios/samples/best_practices/scenario_valiadate_require_image_tag_not_latest_pass.yaml
deleted file mode 100644
index 0a1a30724a..0000000000
--- a/test/scenarios/samples/best_practices/scenario_valiadate_require_image_tag_not_latest_pass.yaml
+++ /dev/null
@@ -1,22 +0,0 @@
-# file path relative to project root
-input:
- policy: samples/best_practices/require_image_tag_not_latest.yaml
- resource: test/resources/resource_validate_image_tag_latest_pass.yaml
-expected:
- validation:
- policyresponse:
- policy: validate-image-tag
- resource:
- kind: Pod
- apiVersion: v1
- namespace: ''
- name: myapp-pod
- rules:
- - name: image-tag-notspecified
- type: Validation
- message: "Validation rule 'image-tag-notspecified' succeeded."
- success: true
- - name: image-tag-not-latest
- type: Validation
- message: "Validation rule 'image-tag-not-latest' succeeded."
- success: true