* enable YAML verification using k8s-manifest-sigstore Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> comment out role and rolebinding for dryrun Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> update k8s-manifest-sigstore version Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> fix pubkey setting Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> fix pubkey setting Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> fix log message Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> change default value of dryrun option Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> update crd Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> support gpg signature Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> * upgrade manifest sigstore version and support multi sigs Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> fix validate.manifest rule Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> update crd and add small fix Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> fix manifest verify policy Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> set cosign experimental env when keyless verification Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> * improve default ignoreFields Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> * fix manifest verify policy Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> fix manifest verify policy Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> fix manifest verify policy Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> * add unit-test for k8smanifest Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> update install yaml Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> * update k8s-manifest-sigstore version and support one or more signatures Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> add unit-test for k8smanifest multi-signature Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> fix verifyManifest result message Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> fix verifyManifest result message Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> * fix manifest verify policy and move dryrun rbac to dryrun dir Signed-off-by: 
Ruriko Kudo <rurikudo@ibm.com> * update k8s-manifest-sigstore version Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> update k8s-manifest-sigstore version Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> update k8s-manifest-sigstore version and resolve conflict Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> enable YAML verification using k8s-manifest-sigstore Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> comment out role and rolebinding for dryrun Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> fix pubkey setting Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> fix pubkey setting Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> update crd Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> upgrade manifest sigstore version and support multi sigs Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> fix validate.manifest rule Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> update crd and add small fix Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> fix manifest verify policy Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> update k8s-manifest-sigstore version and support one or more signatures Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> fix verifyManifest result message Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> fix verifyManifest result message Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> fix manifest verify policy and move dryrun rbac to dryrun dir Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> add small fix Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> * remove generic name Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> * fix sonatype-lift issue and unit-test error Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> * fix gofumpt error Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> * update manifest rule to use attestor Signed-off-by: Riko Kudo <rurikudo@ibm.com> * remove unused value Signed-off-by: Riko Kudo <rurikudo@ibm.com> * resolve conflict Signed-off-by: Riko Kudo <rurikudo@ibm.com> * fix install.yaml Signed-off-by: Riko Kudo <rurikudo@ibm.com> * fix to set COSIGN_EXPERIMENTAL env variable 
when keyless verification Signed-off-by: Riko Kudo <rurikudo@ibm.com> * fix misspell Signed-off-by: Riko Kudo <rurikudo@ibm.com> * enable kyverno cli in validate.manifests rule (#3) * enable kyverno cli in validate.manifests rule Signed-off-by: Riko Kudo <rurikudo@ibm.com> * update k8s-manifest-sigstore version and improve error handling for better result output Signed-off-by: Riko Kudo <rurikudo@ibm.com> * update crds and deepcopy Signed-off-by: Riko Kudo <rurikudo@ibm.com> * update unit test Signed-off-by: Riko Kudo <rurikudo@ibm.com> * update k8s-manifest-sigstore version Signed-off-by: Riko Kudo <rurikudo@ibm.com> * change to use spec.rules.exclude.subjects instead of skipUsers (#4) Signed-off-by: Riko Kudo <rurikudo@ibm.com> * update k8s-manifest-sigstore version Signed-off-by: Riko Kudo <rurikudo@ibm.com> * fix yaml signing sigstore (#5) * update k8s-manifest-sigstore version Signed-off-by: Riko Kudo <rurikudo@ibm.com> * add a comment for dryrun option field Signed-off-by: Riko Kudo <rurikudo@ibm.com> * enable to include ClusterPolicy/Policy in match resource Signed-off-by: Riko Kudo <rurikudo@ibm.com> * fix log style and env variable settings Signed-off-by: Riko Kudo <rurikudo@ibm.com> * simplify manifest verify func Signed-off-by: Riko Kudo <rurikudo@ibm.com> * fix func name Signed-off-by: Riko Kudo <rurikudo@ibm.com> Signed-off-by: Riko Kudo <rurikudo@ibm.com> * fix sonatype warning Signed-off-by: Riko Kudo <rurikudo@ibm.com> * fix default ignoreFields Signed-off-by: Riko Kudo <rurikudo@ibm.com> * fix yaml signing sigstore rbac (#6) * fix dryrun rbac to have minimal permissions Signed-off-by: Riko Kudo <rurikudo@ibm.com> * fix lint error Signed-off-by: Riko Kudo <rurikudo@ibm.com> Signed-off-by: Riko Kudo <rurikudo@ibm.com> * fix unit-test error Signed-off-by: Riko Kudo <rurikudo@ibm.com> * fix gofumpt error Signed-off-by: Riko Kudo <rurikudo@ibm.com> * fix log style Signed-off-by: Riko Kudo <rurikudo@ibm.com> * updated CRD documentation Signed-off-by: 
Riko Kudo <rurikudo@ibm.com> * resolve go.mod conflicts Signed-off-by: Riko Kudo <rurikudo@ibm.com> * updated helm stuff Signed-off-by: Riko Kudo <rurikudo@ibm.com> Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> Signed-off-by: Riko Kudo <rurikudo@ibm.com> Co-authored-by: Jim Bugwadia <jim@nirmata.com>
package validate
import (
"github.com/kyverno/kyverno/test/e2e"
"k8s.io/apimachinery/pkg/runtime/schema"
)
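// FluxValidateTests is the E2E test configuration for validation of Flux
// resources. Each entry pairs a ClusterPolicy with a resource manifest and
// states whether validation of that resource is expected to succeed.
var FluxValidateTests = []struct {
	// TestName - Name of the Test
	TestName string
	// PolicyRaw - The YAML file of the ClusterPolicy
	PolicyRaw []byte
	// ResourceRaw - The YAML file of the resource the policy is validated against
	// (not the policy itself)
	ResourceRaw []byte
	// ResourceNamespace - Namespace of the Resource
	ResourceNamespace string
	// MustSucceed - indicates if validation must succeed; false means the test
	// expects the policy to fail validation of the resource
	MustSucceed bool
}{
	{
		// Case for https://github.com/kyverno/kyverno/issues/2043
		TestName:          "test-validate-with-flux-and-variable-substitution-2043",
		PolicyRaw:         kyverno_2043_policy,
		ResourceRaw:       kyverno_2043_FluxKustomization,
		ResourceNamespace: "test-validate",
		MustSucceed:       false,
	},
	{
		// Case for https://github.com/kyverno/kyverno/issues/2241
		TestName:          "test-validate-with-flux-and-variable-substitution-2241",
		PolicyRaw:         kyverno_2241_policy,
		ResourceRaw:       kyverno_2241_FluxKustomization,
		ResourceNamespace: "test-validate",
		MustSucceed:       true,
	},
}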
// podGVR identifies core/v1 Pods; used by the ValidateTests cases that create a Pod.
var podGVR = e2e.GetGVR("", "v1", "pods")

// deploymentGVR identifies apps/v1 Deployments; used by the YAML-signing cases.
var deploymentGVR = e2e.GetGVR("apps", "v1", "deployments")
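// ValidateTests is the E2E test configuration for validate policies. Each
// entry pairs a ClusterPolicy with a resource manifest (identified by name,
// namespace and GVR) and states whether validation of that resource is
// expected to succeed.
var ValidateTests = []struct {
	// TestDescription - Description of the Test
	TestDescription string
	// PolicyName - Name of the Policy
	PolicyName string
	// PolicyRaw - The YAML file of the ClusterPolicy
	PolicyRaw []byte
	// ResourceName - Name of the Resource
	ResourceName string
	// ResourceNamespace - Namespace of the Resource
	ResourceNamespace string
	// ResourceGVR - GVR of the Resource
	ResourceGVR schema.GroupVersionResource
	// ResourceRaw - The YAML file of the resource the policy is validated against
	// (not the policy itself)
	ResourceRaw []byte
	// MustSucceed - indicates if validation must succeed; false means the test
	// expects the policy to fail validation of the resource
	MustSucceed bool
}{
	{
		// Case for https://github.com/kyverno/kyverno/issues/2345 issue
		TestDescription:   "checks that contains function works properly with string list",
		PolicyName:        "drop-cap-net-raw",
		PolicyRaw:         kyverno_2345_policy,
		ResourceName:      "test",
		ResourceNamespace: "test-validate1",
		ResourceGVR:       podGVR,
		ResourceRaw:       kyverno_2345_resource,
		MustSucceed:       false,
	},
	{
		// Case for https://github.com/kyverno/kyverno/issues/2390 issue
		// (allowed registry: validation must pass)
		TestDescription:   "checks that policy contains global anchor fields",
		PolicyName:        "check-image-pull-secret",
		PolicyRaw:         kyverno_global_anchor_validate_policy,
		ResourceName:      "pod-with-nginx-allowed-registory",
		ResourceNamespace: "test-validate",
		ResourceGVR:       podGVR,
		ResourceRaw:       kyverno_global_anchor_validate_resource_1,
		MustSucceed:       true,
	},
	{
		// Case for https://github.com/kyverno/kyverno/issues/2390 issue
		// (disallowed registry: validation must fail)
		TestDescription:   "checks that policy contains global anchor fields",
		PolicyName:        "check-image-pull-secret",
		PolicyRaw:         kyverno_global_anchor_validate_policy,
		ResourceName:      "pod-with-nginx-disallowed-registory",
		ResourceNamespace: "test-validate",
		ResourceGVR:       podGVR,
		ResourceRaw:       kyverno_global_anchor_validate_resource_2,
		MustSucceed:       false,
	},
	{
		// Case for image validation (trusted registry: validation must pass)
		TestDescription:   "checks that images are trustable",
		PolicyName:        "check-trustable-images",
		PolicyRaw:         kyverno_trustable_image_policy,
		ResourceName:      "pod-with-trusted-registry",
		ResourceNamespace: "test-validate",
		ResourceGVR:       podGVR,
		ResourceRaw:       kyverno_trusted_image_pod,
		MustSucceed:       true,
	},
	{
		// Case for image validation (root user: validation must fail)
		TestDescription:   "checks that images are trustable",
		PolicyName:        "check-trustable-images",
		PolicyRaw:         kyverno_trustable_image_policy,
		ResourceName:      "pod-with-root-user",
		ResourceNamespace: "test-validate",
		ResourceGVR:       podGVR,
		ResourceRaw:       kyverno_pod_with_root_user,
		MustSucceed:       false,
	},
	{
		// Case for small image validation (small image: validation must pass)
		TestDescription:   "checks that images are small",
		PolicyName:        "check-small-images",
		PolicyRaw:         kyverno_small_image_policy,
		ResourceName:      "pod-with-small-image",
		ResourceNamespace: "test-validate",
		ResourceGVR:       podGVR,
		ResourceRaw:       kyverno_pod_with_small_image,
		MustSucceed:       true,
	},
	{
		// Case for small image validation (large image: validation must fail)
		// NOTE(review): PolicyName here differs from the "check-small-images" case
		// above although both use kyverno_small_image_policy — confirm it matches
		// the metadata.name in that policy YAML.
		TestDescription:   "checks that images are small",
		PolicyName:        "check-large-images",
		PolicyRaw:         kyverno_small_image_policy,
		ResourceName:      "pod-with-large-image",
		ResourceNamespace: "test-validate",
		ResourceGVR:       podGVR,
		ResourceRaw:       kyverno_pod_with_large_image,
		MustSucceed:       false,
	},
	{
		// Case for yaml signing validation (unsigned manifest: validation must fail)
		TestDescription:   "checks that unsigned yaml manifest is blocked",
		PolicyName:        "check-yaml-signing",
		PolicyRaw:         kyverno_yaml_signing_validate_policy,
		ResourceName:      "test-deployment",
		ResourceNamespace: "test-validate",
		ResourceGVR:       deploymentGVR,
		ResourceRaw:       kyverno_yaml_signing_validate_resource_1,
		MustSucceed:       false,
	},
	{
		// Case for yaml signing validation (signed manifest: validation must pass)
		TestDescription:   "checks that signed yaml manifest is created",
		PolicyName:        "check-yaml-signing",
		PolicyRaw:         kyverno_yaml_signing_validate_policy,
		ResourceName:      "test-deployment",
		ResourceNamespace: "test-validate",
		ResourceGVR:       deploymentGVR,
		ResourceRaw:       kyverno_yaml_signing_validate_resource_2,
		MustSucceed:       true,
	},
}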