Merge pull request #140 from nirmata/NDEV-19285-convert-rbac-best-pra…

…ctices-to-cel-policies feat: NDEV-19285-convert-rbac-best-practices-to-cel-policies
nirmata · Jun 18, 2024 · 090cf09 · 090cf09
2 parents a80207c + 7180f6f
commit 090cf09
Show file tree

Hide file tree

Showing 41 changed files with 1,274 additions and 1 deletion.
diff --git a/.github/scripts/config/helm/values-vap.yaml b/.github/scripts/config/helm/values-vap.yaml
@@ -0,0 +1,18 @@
+features:
+  generateValidatingAdmissionPolicy:
+    enabled: true
+
+admissionController:
+  rbac:
+    clusterRole:
+      extraResources:
+      - apiGroups:
+          - admissionregistration.k8s.io
+        resources:
+          - validatingadmissionpolicies
+          - validatingadmissionpolicybindings
+        verbs:
+          - create
+          - update
+          - delete
+          - list
diff --git a/.github/scripts/config/kind/vap-v1alpha1.yaml b/.github/scripts/config/kind/vap-v1alpha1.yaml
@@ -0,0 +1,9 @@
+kind: Cluster
+apiVersion: kind.x-k8s.io/v1alpha4
+featureGates:
+  ValidatingAdmissionPolicy: true
+runtimeConfig:
+  admissionregistration.k8s.io/v1alpha1: true
+nodes:
+  - role: control-plane
+  - role: worker
diff --git a/.github/scripts/config/kind/vap-v1beta1.yaml b/.github/scripts/config/kind/vap-v1beta1.yaml
@@ -0,0 +1,10 @@
+kind: Cluster
+apiVersion: kind.x-k8s.io/v1alpha4
+featureGates:
+  ValidatingAdmissionPolicy: true
+runtimeConfig:
+  admissionregistration.k8s.io/v1beta1: true
+  admissionregistration.k8s.io/v1alpha1: true
+nodes:
+  - role: control-plane
+  - role: worker
diff --git a/.github/workflows/chainsaw-e2e.yaml b/.github/workflows/chainsaw-e2e.yaml
@@ -45,7 +45,7 @@ jobs:
         run: chainsaw version
 
       - name: Test with Chainsaw
-        run: make test-chainsaw
+        run: make test-chainsaw-exclude-cel
 
   run-e2etest-2:
     runs-on: ubuntu-latest
@@ -84,3 +84,69 @@ jobs:
 
       - name: Test with Chainsaw
         run: make test-chainsaw
+
+  run-e2etest-vap-alpha:
+    runs-on: ubuntu-latest
+
+    strategy:
+      fail-fast: false    
+      matrix:
+        k8s-version: [v1.27.3, v1.26.3]
+        n4k-chart-version: [3.1.14]
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+
+      - name: Prepare environment
+        run: |
+          K8S_VERSION=${{ matrix.k8s-version }} make kind-create-cluster-vap-alpha
+
+      - name: Install kyverno
+        run: |
+          N4K_VERSION=${{ matrix.n4k-chart-version }} make kind-deploy-kyverno-vap
+
+      - name: Check Kyverno status
+        run: make wait-for-kyverno
+
+      - name: Install chainsaw
+        uses: kyverno/[email protected]
+
+      - name: Verify Chainsaw Installation
+        run: chainsaw version
+
+      - name: Test with Chainsaw
+        run: make test-chainsaw-vap
+
+  run-e2etest-vap-beta:
+    runs-on: ubuntu-latest
+
+    strategy:
+      fail-fast: false    
+      matrix:
+        k8s-version: [v1.29.2, v1.28.0]
+        n4k-chart-version: [3.1.14]
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+
+      - name: Prepare environment
+        run: |
+          K8S_VERSION=${{ matrix.k8s-version }} make kind-create-cluster-vap-beta
+
+      - name: Install kyverno
+        run: |
+          N4K_VERSION=${{ matrix.n4k-chart-version }} make kind-deploy-kyverno-vap
+
+      - name: Check Kyverno status
+        run: make wait-for-kyverno
+
+      - name: Install chainsaw
+        uses: kyverno/[email protected]
+
+      - name: Verify Chainsaw Installation
+        run: chainsaw version
+
+      - name: Test with Chainsaw
+        run: make test-chainsaw-vap
diff --git a/Makefile b/Makefile
@@ -8,6 +8,9 @@ USE_CONFIG           ?= standard
 TOOLS_DIR                          := $(PWD)/.tools
 KIND                               := $(TOOLS_DIR)/kind
 KIND_VERSION                       := v0.22.0
+KIND_VAP_ALPHA_CONFIG			   := $(PWD)/.github/scripts/config/kind/vap-v1alpha1.yaml
+KIND_VAP_BETA_CONFIG			   := $(PWD)/.github/scripts/config/kind/vap-v1beta1.yaml
+HELM_VALUES_VAP					   := $(PWD)/.github/scripts/config/helm/values-vap.yaml
 HELM                               := $(TOOLS_DIR)/helm
 HELM_VERSION                       := v3.10.1
 TOOLS                              := $(KIND) $(HELM)
@@ -37,12 +40,34 @@ test-chainsaw:
 	@echo Running chainsaw tests... >&2
 	@chainsaw test --config .chainsaw-config.yaml
 
+.PHONY: test-chainsaw-exclude-cel
+test-chainsaw-exclude-cel:  
+	@echo Running chainsaw tests by excluding CEL folders... >&2
+	@chainsaw test --config .chainsaw-config.yaml --exclude-test-regex 'chainsaw/.*-cel'
+
+.PHONY: test-chainsaw-vap
+test-chainsaw-vap:  
+	@echo Running chainsaw tests for VAPs... >&2
+	@chainsaw test --config .chainsaw-config.yaml --test-file chainsaw-test-vap.yaml
+
 ## Create kind cluster
 .PHONY: kind-create-cluster
 kind-create-cluster: $(KIND) 
 	@echo Create kind cluster... >&2
 	@$(KIND) create cluster --name $(KIND_NAME) --image $(KIND_IMAGE)
 
+## Create kind cluster with alpha VAP enabled
+.PHONY: kind-create-cluster-vap-alpha
+kind-create-cluster-vap-alpha: $(KIND) 
+	@echo Create kind cluster... >&2
+	@$(KIND) create cluster --name $(KIND_NAME) --image $(KIND_IMAGE) --config $(KIND_VAP_ALPHA_CONFIG)
+
+## Create kind cluster with beta VAP enabled
+.PHONY: kind-create-cluster-vap-beta
+kind-create-cluster-vap-beta: $(KIND) 
+	@echo Create kind cluster... >&2
+	@$(KIND) create cluster --name $(KIND_NAME) --image $(KIND_IMAGE) --config $(KIND_VAP_BETA_CONFIG)
+
 ## Delete kind cluster
 .PHONY: kind-delete-cluster
 kind-delete-cluster: $(KIND) 
@@ -57,6 +82,14 @@ kind-deploy-kyverno: $(HELM)
 	@$(HELM) repo update
 	@$(HELM) install kyverno nirmata/kyverno -n kyverno --create-namespace --version=$(N4K_VERSION)
 
+## Deploy Enterprise Kyverno with VAP generation enabled
+.PHONY: kind-deploy-kyverno-vap
+kind-deploy-kyverno-vap: $(HELM) 
+	@echo Install kyverno chart... >&2
+	@$(HELM) repo add nirmata https://nirmata.github.io/kyverno-charts
+	@$(HELM) repo update
+	@$(HELM) install kyverno nirmata/kyverno -n kyverno --create-namespace --version=$(N4K_VERSION) --values=$(HELM_VALUES_VAP)
+
 ## Check Kyverno status 
 .PHONY: wait-for-kyverno
 wait-for-kyverno: 

diff --git a/rbac-best-practices-cel/restrict-binding-system-groups/e2e/bad-resource.yaml b/rbac-best-practices-cel/restrict-binding-system-groups/e2e/bad-resource.yaml
@@ -0,0 +1,67 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: badcrb01
+subjects:
+- kind: Group
+  name: bar
+  apiGroup: rbac.authorization.k8s.io
+roleRef:
+  kind: ClusterRole
+  name: "system:masters"
+  apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: badcrb02
+subjects:
+- kind: Group
+  namespace: foo
+  name: bar
+  apiGroup: rbac.authorization.k8s.io
+roleRef:
+  kind: ClusterRole
+  name: "system:masters"
+  apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: badrb01
+subjects:
+- kind: Group
+  name: bar
+  apiGroup: rbac.authorization.k8s.io
+roleRef:
+  kind: Role
+  name: "system:masters"
+  apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: badrb02
+subjects:
+- kind: Group
+  name: bar
+  namespace: foo
+  apiGroup: rbac.authorization.k8s.io
+roleRef:
+  kind: Role
+  name: "system:masters"
+  apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: badrb03
+subjects:
+- kind: Group
+  name: bar
+  namespace: foo
+  apiGroup: rbac.authorization.k8s.io
+roleRef:
+  kind: Role
+  name: "system:masters"
+  apiGroup: rbac.authorization.k8s.io
diff --git a/rbac-best-practices-cel/restrict-binding-system-groups/e2e/chainsaw-test-vap.yaml b/rbac-best-practices-cel/restrict-binding-system-groups/e2e/chainsaw-test-vap.yaml
@@ -0,0 +1,28 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  name: restrict-binding-system-groups-policy
+spec:
+  steps:
+  - name: test-restrict-binding-system-groups
+    try:
+    - apply:
+        file: ../restrict-binding-system-groups.yaml
+    - assert:
+        file: policy-assert.yaml
+    - script:
+        content: |
+          sed 's/validationFailureAction: Audit/validationFailureAction: Enforce/' ../restrict-binding-system-groups.yaml | kubectl apply -f - 
+    - assert:
+        file: enforce-policy-assert.yaml
+    - assert:
+        file: vap-assert.yaml
+    - assert:
+        file: vap-binding-assert.yaml
+    - apply:
+        file: good-resource.yaml
+    - apply:
+        expect:
+        - check:
+            ($error != null): true
+        file: bad-resource.yaml
diff --git a/rbac-best-practices-cel/restrict-binding-system-groups/e2e/chainsaw-test.yaml b/rbac-best-practices-cel/restrict-binding-system-groups/e2e/chainsaw-test.yaml
@@ -0,0 +1,24 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  name: restrict-binding-system-groups-policy
+spec:
+  steps:
+  - name: test-restrict-binding-system-groups
+    try:
+    - apply:
+        file: ../restrict-binding-system-groups.yaml
+    - assert:
+        file: policy-assert.yaml
+    - script:
+        content: |
+          sed 's/validationFailureAction: Audit/validationFailureAction: Enforce/' ../restrict-binding-system-groups.yaml | kubectl apply -f - 
+    - assert:
+        file: enforce-policy-assert.yaml
+    - apply:
+        file: good-resource.yaml
+    - apply:
+        expect:
+        - check:
+            ($error != null): true
+        file: bad-resource.yaml
diff --git a/rbac-best-practices-cel/restrict-binding-system-groups/e2e/enforce-policy-assert.yaml b/rbac-best-practices-cel/restrict-binding-system-groups/e2e/enforce-policy-assert.yaml
@@ -0,0 +1,11 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: restrict-binding-system-groups
+spec:
+  validationFailureAction: Enforce
+status:
+  conditions:
+  - reason: Succeeded
+    status: "True"
+    type: Ready
diff --git a/rbac-best-practices-cel/restrict-binding-system-groups/e2e/good-resource.yaml b/rbac-best-practices-cel/restrict-binding-system-groups/e2e/good-resource.yaml
@@ -0,0 +1,77 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: goodcrb01
+subjects:
+- kind: Group
+  name: secret-reader
+  apiGroup: rbac.authorization.k8s.io
+roleRef:
+  kind: ClusterRole
+  name: manager
+  apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: goodcrb02
+subjects:
+- kind: ServiceAccount
+  namespace: foo
+  name: foo-reader
+roleRef:
+  kind: ClusterRole
+  name: manager
+  apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: goodcrb03
+subjects:
+- kind: ServiceAccount
+  namespace: foo
+  name: "system.foo"
+roleRef:
+  kind: ClusterRole
+  name: manager
+  apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: goodrb01
+subjects:
+- kind: User
+  name: foo
+  apiGroup: rbac.authorization.k8s.io
+roleRef:
+  kind: Role
+  name: foo-bar
+  apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: goodrb02
+subjects:
+- kind: ServiceAccount
+  name: foo
+  namespace: foo
+roleRef:
+  kind: Role
+  name: foo-bar
+  apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: goodrb03
+subjects:
+- kind: Group
+  name: "system:foo"
+  apiGroup: rbac.authorization.k8s.io
+roleRef:
+  kind: Role
+  name: foo
+  apiGroup: rbac.authorization.k8s.io