Add Kustomize fixture scenarios and e2e coverage

e2e/fixtures/E2E_CLI_005_PAYLOAD.json

@@ -1 +1 @@
-{"document":[{"id":"0","file":"file","resource":{"aws_redshift_cluster":{"default":{"node_type":"dc1.large","cluster_type":"single-node","cluster_identifier":"tf-redshift-cluster","database_name":"mydb","master_username":"foo","master_password":"Mustbe8characters"},"default1":{"master_password":"Mustbe8characters","node_type":"dc1.large","cluster_type":"single-node","publicly_accessible":true,"cluster_identifier":"tf-redshift-cluster","database_name":"mydb","master_username":"foo"}}}}]}
+{"document":[{"id":"0","file":"file","resource":{"aws_redshift_cluster":{"default":{"node_type":"dc1.large","cluster_type":"single-node","cluster_identifier":"tf-redshift-cluster","database_name":"mydb","master_username":"foo","master_password":"Mustbe8characters"},"default1":{"master_password":"Mustbe8characters","node_type":"dc1.large","cluster_type":"single-node","publicly_accessible":true,"cluster_identifier":"tf-redshift-cluster","database_name":"mydb","master_username":"foo"}}}}]}

test/fixtures/multi_kustomize/k8s-a/cm.yaml

@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: cm-a
+data:
+  k: v

test/fixtures/multi_kustomize/k8s-a/kustomization.yaml

@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - cm.yaml

test/fixtures/multi_kustomize/k8s-b/cm.yaml

@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: cm-b
+data:
+  k: v

test/fixtures/multi_kustomize/k8s-b/kustomization.yaml

@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - cm.yaml

test/fixtures/scan_scenarios/01-simple/deployment.yaml

@@ -0,0 +1,22 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: web
+  namespace: default
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: web
+  template:
+    metadata:
+      labels:
+        app: web
+    spec:
+      containers:
+      - name: web
+        image: nginx:latest
+        securityContext:
+          privileged: true
+          runAsUser: 0
+          allowPrivilegeEscalation: true

test/fixtures/scan_scenarios/01-simple/kustomization.yaml

@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- deployment.yaml

test/fixtures/scan_scenarios/02-overlay/base/deployment.yaml

@@ -0,0 +1,20 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: api
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: api
+  template:
+    metadata:
+      labels:
+        app: api
+    spec:
+      hostNetwork: true
+      containers:
+      - name: api
+        image: quay.io/example/api:1.0
+        securityContext:
+          runAsNonRoot: false

test/fixtures/scan_scenarios/02-overlay/base/kustomization.yaml

@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- deployment.yaml

test/fixtures/scan_scenarios/02-overlay/overlay/kustomization.yaml

@@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: production
+resources:
+- ../base
+patches:
+- path: replicas_patch.yaml

test/fixtures/scan_scenarios/02-overlay/overlay/replicas_patch.yaml

@@ -0,0 +1,6 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: api
+spec:
+  replicas: 5

test/fixtures/scan_scenarios/03-generator/kustomization.yaml

@@ -0,0 +1,13 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- pod.yaml
+configMapGenerator:
+- name: app-config
+  literals:
+  - DB_HOST=postgres.internal
+  - DB_PASSWORD=SuperSecret123!
+secretGenerator:
+- name: api-token
+  literals:
+  - token=abcdef0123456789

test/fixtures/scan_scenarios/03-generator/pod.yaml

@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: consumer
+spec:
+  containers:
+  - name: consumer
+    image: busybox
+    envFrom:
+    - configMapRef:
+        name: app-config
+    - secretRef:
+        name: api-token

test/fixtures/scan_scenarios/04-nested/base/kustomization.yaml

@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- service.yaml

test/fixtures/scan_scenarios/04-nested/base/service.yaml

@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: shared
+spec:
+  type: LoadBalancer
+  selector:
+    app: shared
+  ports:
+  - port: 80
+    targetPort: 8080

test/fixtures/scan_scenarios/04-nested/prod/kustomization.yaml

@@ -0,0 +1,10 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: production
+resources:
+- ../staging
+patches:
+- path: loadbalancer_patch.yaml
+  target:
+    kind: Service
+    name: shared

test/fixtures/scan_scenarios/04-nested/prod/loadbalancer_patch.yaml

@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: shared
+spec:
+  externalTrafficPolicy: Cluster

test/fixtures/scan_scenarios/04-nested/staging/kustomization.yaml

@@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: staging
+resources:
+- ../base
+commonLabels:
+  env: staging

test/fixtures/scan_scenarios/05-helm-inflation/charts/demo/Chart.yaml

@@ -0,0 +1,6 @@
+apiVersion: v2
+name: demo
+description: Local chart for scanner integration test
+type: application
+version: 0.1.0
+appVersion: "1.0"

test/fixtures/scan_scenarios/05-helm-inflation/charts/demo/templates/deployment.yaml

@@ -0,0 +1,20 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ .Release.Name }}-demo
+spec:
+  replicas: {{ .Values.replicas }}
+  selector:
+    matchLabels:
+      app: demo
+  template:
+    metadata:
+      labels:
+        app: demo
+    spec:
+      containers:
+      - name: app
+        image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+        securityContext:
+          privileged: {{ .Values.privileged }}
+          runAsUser: 0

test/fixtures/scan_scenarios/05-helm-inflation/charts/demo/values.yaml

@@ -0,0 +1,5 @@
+image:
+  repository: nginx
+  tag: latest
+replicas: 2
+privileged: false

test/fixtures/scan_scenarios/05-helm-inflation/kustomization.yaml

@@ -0,0 +1,9 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+helmCharts:
+- name: demo
+  releaseName: demo
+  namespace: demo
+  valuesInline:
+    privileged: true
+    replicas: 3

test/fixtures/scan_scenarios/06-remote-blocked/kustomization.yaml

@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- https://github.com/kubernetes-sigs/kustomize/examples/multibases/dev

test/fixtures/scan_scenarios/07-broken/deployment.yaml

@@ -0,0 +1,17 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: broken
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: broken
+  template:
+    metadata:
+      labels:
+        app: broken
+    spec:
+      containers:
+      - name: broken
+        image: alpine

test/fixtures/scan_scenarios/07-broken/kustomization.yaml

@@ -0,0 +1,9 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- deployment.yaml
+patches:
+- path: nonexistent_patch.yaml
+  target:
+    kind: Deployment
+    name: does-not-exist

test/fixtures/scan_scenarios/08-pure-helm/Chart.yaml

@@ -0,0 +1,6 @@
+apiVersion: v2
+name: standalone
+description: Standalone Helm chart (no Kustomize wrapper)
+type: application
+version: 0.1.0
+appVersion: "1.0"

test/fixtures/scan_scenarios/08-pure-helm/templates/deployment.yaml

@@ -0,0 +1,20 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: standalone
+spec:
+  replicas: {{ .Values.replicas }}
+  selector:
+    matchLabels:
+      app: standalone
+  template:
+    metadata:
+      labels:
+        app: standalone
+    spec:
+      hostPID: true
+      containers:
+      - name: standalone
+        image: {{ .Values.image }}
+        securityContext:
+          privileged: true

test/fixtures/scan_scenarios/08-pure-helm/values.yaml

@@ -0,0 +1,2 @@
+image: nginx:1.25
+replicas: 1

test/fixtures/scan_scenarios/09-plain-k8s/pod.yaml

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: plain-root
+  namespace: default
+spec:
+  hostNetwork: true
+  hostPID: true
+  containers:
+  - name: plain
+    image: busybox:latest
+    securityContext:
+      privileged: true
+      runAsUser: 0
+      allowPrivilegeEscalation: true

test/fixtures/scan_scenarios/10-multi-root/team-a/deployment.yaml

@@ -0,0 +1,20 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: worker
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: worker
+  template:
+    metadata:
+      labels:
+        app: worker
+    spec:
+      containers:
+      - name: worker
+        image: alpine:latest
+        securityContext:
+          readOnlyRootFilesystem: false
+          runAsNonRoot: false

test/fixtures/scan_scenarios/10-multi-root/team-a/kustomization.yaml

@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- deployment.yaml
+namespace: team-a

test/fixtures/scan_scenarios/10-multi-root/team-b/kustomization.yaml

@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- statefulset.yaml
+namespace: team-b

test/fixtures/scan_scenarios/10-multi-root/team-b/statefulset.yaml

@@ -0,0 +1,20 @@
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: cache
+spec:
+  serviceName: cache
+  replicas: 3
+  selector:
+    matchLabels:
+      app: cache
+  template:
+    metadata:
+      labels:
+        app: cache
+    spec:
+      containers:
+      - name: cache
+        image: redis:latest
+        securityContext:
+          privileged: true