diff --git a/pkg/testrunner/testrunner_test.go b/pkg/testrunner/testrunner_test.go
index cb17226124..1a8e38badf 100644
--- a/pkg/testrunner/testrunner_test.go
+++ b/pkg/testrunner/testrunner_test.go
@@ -104,12 +104,12 @@ func Test_require_probes(t *testing.T) {
 testScenario(t, "test/scenarios/samples/best_practices/scenario_validate_probes.yaml")
 }
 
-func Test_validate_disallow_host_filesystem_fail(t *testing.T) {
- testScenario(t, "test/scenarios/samples/best_practices/scenario_validate_disallow_host_filesystem.yaml")
+func Test_validate_disallow_bind_mounts_fail(t *testing.T) {
+ testScenario(t, "test/scenarios/samples/best_practices/disallow_bind_mounts_fail.yaml")
 }
 
-func Test_validate_disallow_host_filesystem_pass(t *testing.T) {
- testScenario(t, "test/scenarios/samples/best_practices/scenario_validate_disallow_host_filesystem_pass.yaml")
+func Test_validate_disallow_bind_mounts_pass(t *testing.T) {
+ testScenario(t, "test/scenarios/samples/best_practices/disallow_bind_mounts_pass.yaml")
 }
 
 func Test_validate_disallow_new_capabilities(t *testing.T) {
diff --git a/samples/DisallowHostFS.md b/samples/DisallowBindMounts.md
similarity index 51%
rename from samples/DisallowHostFS.md
rename to samples/DisallowBindMounts.md
index a1a407e42f..d366cb35a0 100644
--- a/samples/DisallowHostFS.md
+++ b/samples/DisallowBindMounts.md
@@ -4,22 +4,26 @@ The volume of type `hostPath` allows pods to use host bind mounts (i.e. director
 
 ## Policy YAML
 
-[disallow_host_filesystem.yaml](best_practices/disallow_host_filesystem.yaml)
+[disallow_bind_mounts.yaml](best_practices/disallow_bind_mounts.yaml)
 
 ````yaml
 apiVersion: "kyverno.io/v1alpha1"
 kind: "ClusterPolicy"
 metadata:
- name: "deny-use-of-host-fs"
+ name: "disallow-bind-mounts"
+ annotations:
+ policies.kyverno.io/category: Data Protection
+ policies.kyverno.io/description: The volume of type `hostPath` allows pods to use host bind mounts (i.e. directories and volumes mounted to a host path) in containers. Using host resources can be used to access shared data or escalate priviliges. Also, this couples pods to a specific host and data persisted in the `hostPath` volume is coupled to the life of the node leading to potential pod scheduling failures. It is highly recommeded that applications are designed to be decoupled from the underlying infrstructure (in this case, nodes).
+
 spec:
 rules:
- - name: "deny-use-of-host-fs"
+ - name: "validate-hostPath"
 match:
 resources:
 kinds:
 - "Pod"
 validate:
- message: "Host path is not allowed"
+ message: "Host path volumes are not allowed"
 pattern:
 spec:
 volumes:
diff --git a/samples/best_practices/disallow_host_filesystem.yaml b/samples/best_practices/disallow_bind_mounts.yaml
similarity index 88%
rename from samples/best_practices/disallow_host_filesystem.yaml
rename to samples/best_practices/disallow_bind_mounts.yaml
index 7ad0596f67..ab2f24e14b 100644
--- a/samples/best_practices/disallow_host_filesystem.yaml
+++ b/samples/best_practices/disallow_bind_mounts.yaml
@@ -1,7 +1,7 @@
 apiVersion: "kyverno.io/v1alpha1"
 kind: "ClusterPolicy"
 metadata:
- name: "deny-use-of-host-fs"
+ name: "disallow-bind-mounts"
 annotations:
 policies.kyverno.io/category: Data Protection
 policies.kyverno.io/description: The volume of type `hostPath` allows pods to use host bind 
@@ -13,13 +13,13 @@ metadata:
 
 spec:
 rules:
- - name: "deny-use-of-host-fs"
+ - name: "validate-hostPath"
 match:
 resources:
 kinds:
 - "Pod"
 validate:
- message: "Host path is not allowed"
+ message: "Host path volumes are not allowed"
 pattern:
 spec:
 volumes:
diff --git a/test/scenarios/samples/best_practices/scenario_validate_disallow_host_filesystem.yaml b/test/scenarios/samples/best_practices/disallow_bind_mounts_fail.yaml
similarity index 53%
rename from test/scenarios/samples/best_practices/scenario_validate_disallow_host_filesystem.yaml
rename to test/scenarios/samples/best_practices/disallow_bind_mounts_fail.yaml
index a07def3c63..fe648e6bf7 100644
--- a/test/scenarios/samples/best_practices/scenario_validate_disallow_host_filesystem.yaml
+++ b/test/scenarios/samples/best_practices/disallow_bind_mounts_fail.yaml
@@ -1,18 +1,17 @@
 # file path relative to project root
 input:
- policy: samples/best_practices/disallow_host_filesystem.yaml
+ policy: samples/best_practices/disallow_bind_mounts.yaml
 resource: test/resources/disallow_host_filesystem.yaml
 expected:
 validation:
 policyresponse:
- policy: deny-use-of-host-fs
+ policy: disallow-bind-mounts
 resource:
 kind: Pod
 apiVersion: v1
 namespace: ''
 name: image-with-hostpath
 rules:
- - name: deny-use-of-host-fs
+ - name: validate-hostPath
 type: Validation
- message: "Validation error: Host path is not allowed\nValidation rule 'deny-use-of-host-fs' failed at path '/spec/volumes/0/hostPath/'."
 success: false
\ No newline at end of file
diff --git a/test/scenarios/samples/best_practices/scenario_validate_disallow_host_filesystem_pass.yaml b/test/scenarios/samples/best_practices/disallow_bind_mounts_pass.yaml
similarity index 61%
rename from test/scenarios/samples/best_practices/scenario_validate_disallow_host_filesystem_pass.yaml
rename to test/scenarios/samples/best_practices/disallow_bind_mounts_pass.yaml
index 585851942f..c435528b90 100644
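Review bot: The fail scenario's `expected` block now pins only `success: false`; the removed `message:` line was the only assertion naming which rule fired and the failing path, so a policy that rejects the pod for an unrelated reason, or that matches at a path other than `/spec/volumes/0/hostPath/`, would still pass this scenario. If the runner compares `message` when it is present, keep one updated for the renamed rule and message, e.g. `message: "Validation error: Host path volumes are not allowed\nValidation rule 'validate-hostPath' failed at path '/spec/volumes/0/hostPath/'."` (format inferred from the removed line; confirm against the runner's output). The pass scenario in the next file drops its `message:` line the same way. The `resource:` path still points at `test/resources/disallow_host_filesystem.yaml`, so the rename is only partial; if that is intentional a comment such as `# resource fixture keeps its old name` would stop the next reader from hunting for a missing file.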
--- a/test/scenarios/samples/best_practices/scenario_validate_disallow_host_filesystem_pass.yaml
+++ b/test/scenarios/samples/best_practices/disallow_bind_mounts_pass.yaml
@@ -1,18 +1,17 @@
 # file path relative to project root
 input:
- policy: samples/best_practices/disallow_host_filesystem.yaml
+ policy: samples/best_practices/disallow_bind_mounts.yaml
 resource: test/resources/disallow_host_filesystem_pass.yaml
 expected:
 validation:
 policyresponse:
- policy: deny-use-of-host-fs
+ policy: disallow-bind-mounts
 resource:
 kind: Pod
 apiVersion: v1
 namespace: ''
 name: image-with-hostpath
 rules:
- - name: deny-use-of-host-fs
+ - name: validate-hostPath
 type: Validation
- message: Validation rule 'deny-use-of-host-fs' succeeded.
 success: true
\ No newline at end of file