From 02a94a4de728458f1a0a064e2a79dfa8eb959ab0 Mon Sep 17 00:00:00 2001 From: nsathyaseelan Date: Mon, 18 Dec 2023 16:18:45 +0530 Subject: [PATCH 1/7] Added the chainsaw tests for pod security and rbac policies 
Signed-off-by: nsathyaseelan --- .chainsaw-config.yaml | 17 + .github/workflows/chainsaw-e2e.yaml | 48 + .github/workflows/e2e.yaml | 32 - Makefile | 33 +- .../e2e/01-policy.yaml | 6 - .../e2e/02-enforce.yaml | 5 - .../e2e/04-manifests.yaml | 11 - .../e2e/99-delete.yaml | 6 - .../e2e/good-ingress.yaml | 26 - .../e2e/no-host-fail-first.yaml | 25 - .../e2e/no-host-ingress.yaml | 17 - .../e2e/no-host-success-first.yaml | 25 - .../e2e/01-policy.yaml | 6 - .../e2e/02-enforce.yaml | 5 - .../e2e/04-manifests.yaml | 15 - .../e2e/99-delete.yaml | 6 - .../disallow_cri_sock_mount/e2e/good-pod.yaml | 15 - .../e2e/pod-containerd-sock.yaml | 15 - .../e2e/pod-crio-sock.yaml | 15 - .../e2e/pod-docker-sock.yaml | 15 - .../e2e/pod-emptydir-vol.yaml | 14 - .../e2e/pod-no-volumes.yaml | 12 - .../e2e/01-policy.yaml | 6 - .../e2e/02-enforce.yaml | 5 - .../e2e/05-manifests.yaml | 15 - .../e2e/99-delete.yaml | 6 - .../e2e/deploy-default.yaml | 23 - .../e2e/ds-default.yaml | 20 - .../e2e/good-resources.yaml | 97 -- .../e2e/job-default.yaml | 15 - .../e2e/pod-default.yaml | 12 - .../e2e/ss-default.yaml | 23 - .../disallow_latest_tag/e2e/01-policy.yaml | 6 - .../disallow_latest_tag/e2e/02-enforce.yaml | 5 - .../disallow_latest_tag/e2e/04-manifests.yaml | 11 - .../disallow_latest_tag/e2e/99-delete.yaml | 6 - .../e2e/bad-pod-latest-fail-first.yaml | 10 - .../e2e/bad-pod-latest-success-first.yaml | 10 - .../e2e/bad-pod-no-tag.yaml | 32 - .../disallow_latest_tag/e2e/good-pod.yaml | 8 - .../require_drop_all/e2e/01-policy.yaml | 6 - .../require_drop_all/e2e/02-enforce.yaml | 5 - .../require_drop_all/e2e/04-manifests.yaml | 15 - .../require_drop_all/e2e/99-delete.yaml | 6 - .../e2e/bad-pod-containers.yaml | 61 - .../require_drop_all/e2e/bad-pod-corner.yaml | 54 - .../e2e/bad-pod-initcontainers.yaml | 47 - .../e2e/bad-podcontrollers.yaml | 153 -- .../require_drop_all/e2e/good-pod.yaml | 27 - .../e2e/good-podcontrollers.yaml | 86 - .../e2e/01-policy.yaml | 6 - .../e2e/02-enforce.yaml | 5 - 
.../e2e/04-manifests.yaml | 15 - .../e2e/99-delete.yaml | 6 - .../e2e/bad-pod-containers.yaml | 61 - .../e2e/bad-pod-corner.yaml | 51 - .../e2e/bad-pod-initcontainers.yaml | 47 - .../e2e/bad-podcontrollers.yaml | 153 -- .../e2e/good-pod.yaml | 25 - .../e2e/good-podcontrollers.yaml | 86 - .../require_labels/e2e/01-policy.yaml | 6 - .../require_labels/e2e/02-enforce.yaml | 5 - .../require_labels/e2e/04-manifests.yaml | 13 - .../require_labels/e2e/99-delete.yaml | 6 - .../require_labels/e2e/bad-pod-nolabel.yaml | 8 - .../require_labels/e2e/bad-pod-somelabel.yaml | 10 - .../e2e/bad-podcontrollers.yaml | 35 - .../e2e/good-podcontrollers.yaml | 38 - .../require_labels/e2e/good-pods.yaml | 22 - .../e2e/01-policy.yaml | 6 - .../e2e/02-enforce.yaml | 5 - .../e2e/03-enforce-policy-assert.yaml | 11 - .../e2e/04-manifests.yaml | 15 - .../e2e/99-delete.yaml | 6 - .../e2e/bad-pod-nolimit.yaml | 14 - .../e2e/bad-pod-nores.yaml | 37 - .../e2e/bad-pod-nothing.yaml | 11 - .../e2e/bad-podcontrollers.yaml | 48 - .../e2e/good-podcontrollers.yaml | 60 - .../e2e/good-pods.yaml | 41 - .../e2e/policy-assert.yaml | 11 - .../require_probes/e2e/01-policy.yaml | 6 - .../require_probes/e2e/02-enforce.yaml | 5 - .../e2e/03-enforce-policy-assert.yaml | 11 - .../require_probes/e2e/04-manifests.yaml | 13 - .../require_probes/e2e/05-pod-update.yaml | 5 - .../require_probes/e2e/99-delete.yaml | 6 - .../require_probes/e2e/bad-pod-notall.yaml | 37 - .../require_probes/e2e/bad-pod-nothing.yaml | 10 - .../require_probes/e2e/bad-pod-update.yaml | 10 - .../e2e/bad-podcontrollers.yaml | 23 - .../e2e/good-podcontrollers.yaml | 27 - .../require_probes/e2e/good-pods.yaml | 49 - .../require_ro_rootfs/e2e/01-policy.yaml | 6 - .../require_ro_rootfs/e2e/02-enforce.yaml | 5 - .../e2e/03-enforce-policy-assert.yaml | 11 - .../require_ro_rootfs/e2e/04-manifests.yaml | 15 - .../require_ro_rootfs/e2e/99-delete.yaml | 6 - .../require_ro_rootfs/e2e/bad-pod-false.yaml | 10 - .../require_ro_rootfs/e2e/bad-pod-notall.yaml | 
25 - .../e2e/bad-pod-nothing.yaml | 8 - .../e2e/bad-podcontrollers.yaml | 40 - .../e2e/good-podcontrollers.yaml | 44 - .../require_ro_rootfs/e2e/good-pods.yaml | 25 - .../e2e/01-policy.yaml | 6 - .../e2e/02-enforce.yaml | 5 - .../e2e/03-enforce-policy-assert.yaml | 11 - .../e2e/04-manifests.yaml | 9 - .../e2e/99-delete.yaml | 6 - .../e2e/bad-service-oneip.yaml | 13 - .../e2e/bad-service-twoeip.yaml | 14 - .../e2e/good-services.yaml | 11 - .../e2e/policy-assert.yaml | 11 - .../restrict_node_port/e2e/01-policy.yaml | 6 - .../restrict_node_port/e2e/02-enforce.yaml | 5 - .../e2e/03-enforce-policy-assert.yaml | 11 - .../restrict_node_port/e2e/04-manifests.yaml | 7 - .../restrict_node_port/e2e/99-delete.yaml | 6 - .../e2e/bad-service-nodeport.yaml | 12 - .../restrict_node_port/e2e/good-services.yaml | 24 - kuttl-test.yaml | 8 - .../e2e/bad-resource.yaml | 417 +++++ .../e2e/chainsaw-test.yaml | 24 + .../e2e/enforce-policy-assert.yaml | 6 +- .../e2e/good-resource.yaml | 359 ++++ .../e2e/policy-assert.yaml | 2 +- .../e2e/bad-resource.yaml | 189 +++ .../e2e/chainsaw-test.yaml | 46 + .../e2e/enforce-policy-assert.yaml | 11 + .../e2e/good-resource.yaml | 230 +++ .../e2e/policy-assert.yaml | 11 + .../e2e/remediation-policy-assert.yaml | 11 + .../disallow-host-path/e2e/bad-resource.yaml | 141 ++ .../disallow-host-path/e2e/chainsaw-test.yaml | 46 + .../e2e/enforce-policy-assert.yaml | 6 +- .../disallow-host-path/e2e/good-resource.yaml | 104 ++ .../e2e/policy-assert.yaml | 2 +- .../e2e/remediation-policy-assert.yaml | 4 +- .../disallow-host-ports/e2e/bad-resource.yaml | 720 ++++++++ .../e2e/chainsaw-test.yaml | 46 + .../e2e/enforce-policy-assert.yaml | 11 + .../e2e/good-resource.yaml | 591 +++++++ .../e2e/policy-assert.yaml | 2 +- .../e2e/remediation-policy-assert.yaml | 4 +- .../e2e/bad-resource.yaml | 372 +++++ .../e2e/chainsaw-test.yaml | 46 + .../e2e/enforce-policy-assert.yaml | 11 + .../e2e/good-resource.yaml | 356 ++++ .../e2e/policy-assert.yaml | 11 + 
.../e2e/remediation-policy-assert.yaml | 11 + .../e2e/bad-resource.yaml | 294 ++++ .../e2e/chainsaw-test.yaml | 46 + .../e2e/enforce-policy-assert.yaml | 11 + .../e2e/good-resource.yaml | 323 ++++ .../e2e/policy-assert.yaml | 2 +- .../e2e/remediation-policy-assert.yaml | 11 + .../disallow-proc-mount/deployment.yaml | 2 - .../disallow-proc-mount/e2e/bad-resource.yaml | 294 ++++ .../e2e/chainsaw-test.yaml | 46 + .../e2e/enforce-policy-assert.yaml | 11 + .../e2e/good-resource.yaml | 323 ++++ .../e2e/policy-assert.yaml | 11 + .../e2e/remediation-policy-assert.yaml | 11 + .../disallow-selinux/e2e/bad-resource.yaml | 1450 +++++++++++++++++ .../disallow-selinux/e2e/chainsaw-test.yaml | 24 + .../e2e/enforce-policy-assert.yaml | 6 +- .../disallow-selinux/e2e/good-resource.yaml | 1439 ++++++++++++++++ .../disallow-selinux}/e2e/policy-assert.yaml | 2 +- .../e2e/bad-resource.yaml | 52 + .../e2e/chainsaw-test.yaml | 24 + .../e2e/enforce-policy-assert.yaml | 11 + .../e2e/good-resource.yaml | 142 ++ .../e2e/policy-assert.yaml | 2 +- .../restrict-seccomp/e2e/bad-resource.yaml | 429 +++++ .../restrict-seccomp/e2e/chainsaw-test.yaml | 24 + .../e2e/enforce-policy-assert.yaml | 6 +- .../restrict-seccomp/e2e/good-resource.yaml | 647 ++++++++ .../restrict-seccomp}/e2e/policy-assert.yaml | 2 +- .../restrict-sysctls/e2e/bad-resource.yaml | 117 ++ .../restrict-sysctls/e2e/chainsaw-test.yaml | 24 + .../e2e/enforce-policy-assert.yaml | 11 + .../restrict-sysctls/e2e/good-resource.yaml | 375 +++++ .../restrict-sysctls}/e2e/policy-assert.yaml | 2 +- .../deployment.yaml | 2 +- .../e2e/bad-resource.yaml | 1351 +++++++++++++++ .../e2e/chainsaw-test.yaml | 46 + .../e2e/enforce-policy-assert.yaml | 11 + .../e2e/good-resource.yaml | 434 +++++ .../e2e/policy-assert.yaml | 11 + .../e2e/remediation-policy-assert.yaml | 11 + .../e2e/bad-resource.yaml | 333 ++++ .../e2e/chainsaw-test.yaml | 46 + .../e2e/enforce-policy-assert.yaml | 11 + .../e2e/good-resource.yaml | 335 ++++ .../e2e/policy-assert.yaml | 11 
+ .../e2e/remediation-policy-assert.yaml | 11 + .../e2e/bad-resource.yaml | 330 ++++ .../e2e/chainsaw-test.yaml | 24 + .../e2e/enforce-policy-assert.yaml | 11 + .../e2e/good-resource.yaml | 548 +++++++ .../e2e/policy-assert.yaml | 11 + .../e2e/bad-resource.yaml | 867 ++++++++++ .../e2e/chainsaw-test.yaml | 46 + .../e2e/enforce-policy-assert.yaml | 6 +- .../e2e/good-resource.yaml | 593 +++++++ .../e2e/policy-assert.yaml | 11 + .../e2e/remediation-policy-assert.yaml | 4 +- .../e2e/bad-resource.yaml | 429 +++++ .../e2e/chainsaw-test.yaml | 24 + .../e2e/enforce-policy-assert.yaml | 11 + .../e2e/good-resource.yaml | 653 ++++++++ .../e2e/policy-assert.yaml | 11 + .../e2e/bad-resource.yaml | 1320 +++++++++++++++ .../e2e/chainsaw-test.yaml | 24 + .../e2e/enforce-policy-assert.yaml | 11 + .../e2e/good-resource.yaml | 608 +++++++ .../e2e/policy-assert.yaml | 11 + .../e2e/chainsaw-test.yaml | 21 + .../disable-automount-sa-token/e2e/ns.yaml | 2 +- .../e2e/policy-assert.yaml | 6 + .../e2e/sa-not-patched.yaml | 6 + .../e2e/sa-patched.yaml | 6 + .../disable-automount-sa-token/e2e/sa.yaml | 5 + .../e2e/bad-resource.yaml | 68 + .../e2e/chainsaw-test.yaml | 24 + .../e2e/enforce-policy-assert.yaml | 11 + .../e2e/good-resource.yaml | 69 + .../e2e/policy-assert.yaml | 2 +- .../e2e/bad-resource.yaml | 67 + .../e2e/chainsaw-test.yaml | 24 + .../e2e/enforce-policy-assert.yaml | 11 + .../e2e/good-resource.yaml | 77 + .../e2e/policy-assert.yaml | 11 + .../e2e/bad-resource.yaml | 20 + .../e2e/chainsaw-test.yaml | 24 + .../e2e/enforce-policy-assert.yaml | 11 + .../e2e/good-resource.yaml | 20 + .../e2e/policy-assert.yaml | 11 + .../e2e/bad-resource.yaml | 89 + .../e2e/chainsaw-test.yaml | 24 + .../e2e/enforce-policy-assert.yaml | 11 + .../e2e/good-resource.yaml | 47 + .../e2e/policy-assert.yaml | 11 + .../e2e/bad-resource.yaml | 65 + .../e2e/chainsaw-test.yaml | 24 + .../e2e/enforce-policy-assert.yaml | 11 + .../e2e/good-resource.yaml | 95 ++ .../e2e/policy-assert.yaml | 11 + 248 files 
changed, 19059 insertions(+), 2519 deletions(-) create mode 100644 .chainsaw-config.yaml create mode 100644 .github/workflows/chainsaw-e2e.yaml delete mode 100644 .github/workflows/e2e.yaml delete mode 100644 best-practices/disallow-empty-ingress-host/e2e/01-policy.yaml delete mode 100644 best-practices/disallow-empty-ingress-host/e2e/02-enforce.yaml delete mode 100644 best-practices/disallow-empty-ingress-host/e2e/04-manifests.yaml delete mode 100644 best-practices/disallow-empty-ingress-host/e2e/99-delete.yaml delete mode 100644 best-practices/disallow-empty-ingress-host/e2e/good-ingress.yaml delete mode 100644 best-practices/disallow-empty-ingress-host/e2e/no-host-fail-first.yaml delete mode 100644 best-practices/disallow-empty-ingress-host/e2e/no-host-ingress.yaml delete mode 100644 best-practices/disallow-empty-ingress-host/e2e/no-host-success-first.yaml delete mode 100644 best-practices/disallow_cri_sock_mount/e2e/01-policy.yaml delete mode 100644 best-practices/disallow_cri_sock_mount/e2e/02-enforce.yaml delete mode 100644 best-practices/disallow_cri_sock_mount/e2e/04-manifests.yaml delete mode 100644 best-practices/disallow_cri_sock_mount/e2e/99-delete.yaml delete mode 100644 best-practices/disallow_cri_sock_mount/e2e/good-pod.yaml delete mode 100644 best-practices/disallow_cri_sock_mount/e2e/pod-containerd-sock.yaml delete mode 100644 best-practices/disallow_cri_sock_mount/e2e/pod-crio-sock.yaml delete mode 100644 best-practices/disallow_cri_sock_mount/e2e/pod-docker-sock.yaml delete mode 100644 best-practices/disallow_cri_sock_mount/e2e/pod-emptydir-vol.yaml delete mode 100644 best-practices/disallow_cri_sock_mount/e2e/pod-no-volumes.yaml delete mode 100644 best-practices/disallow_default_namespace/e2e/01-policy.yaml delete mode 100644 best-practices/disallow_default_namespace/e2e/02-enforce.yaml delete mode 100644 best-practices/disallow_default_namespace/e2e/05-manifests.yaml delete mode 100644 
best-practices/disallow_default_namespace/e2e/99-delete.yaml delete mode 100644 best-practices/disallow_default_namespace/e2e/deploy-default.yaml delete mode 100644 best-practices/disallow_default_namespace/e2e/ds-default.yaml delete mode 100644 best-practices/disallow_default_namespace/e2e/good-resources.yaml delete mode 100644 best-practices/disallow_default_namespace/e2e/job-default.yaml delete mode 100644 best-practices/disallow_default_namespace/e2e/pod-default.yaml delete mode 100644 best-practices/disallow_default_namespace/e2e/ss-default.yaml delete mode 100644 best-practices/disallow_latest_tag/e2e/01-policy.yaml delete mode 100644 best-practices/disallow_latest_tag/e2e/02-enforce.yaml delete mode 100644 best-practices/disallow_latest_tag/e2e/04-manifests.yaml delete mode 100644 best-practices/disallow_latest_tag/e2e/99-delete.yaml delete mode 100644 best-practices/disallow_latest_tag/e2e/bad-pod-latest-fail-first.yaml delete mode 100644 best-practices/disallow_latest_tag/e2e/bad-pod-latest-success-first.yaml delete mode 100644 best-practices/disallow_latest_tag/e2e/bad-pod-no-tag.yaml delete mode 100644 best-practices/disallow_latest_tag/e2e/good-pod.yaml delete mode 100644 best-practices/require_drop_all/e2e/01-policy.yaml delete mode 100644 best-practices/require_drop_all/e2e/02-enforce.yaml delete mode 100644 best-practices/require_drop_all/e2e/04-manifests.yaml delete mode 100644 best-practices/require_drop_all/e2e/99-delete.yaml delete mode 100644 best-practices/require_drop_all/e2e/bad-pod-containers.yaml delete mode 100644 best-practices/require_drop_all/e2e/bad-pod-corner.yaml delete mode 100644 best-practices/require_drop_all/e2e/bad-pod-initcontainers.yaml delete mode 100644 best-practices/require_drop_all/e2e/bad-podcontrollers.yaml delete mode 100644 best-practices/require_drop_all/e2e/good-pod.yaml delete mode 100644 best-practices/require_drop_all/e2e/good-podcontrollers.yaml delete mode 100644 
best-practices/require_drop_cap_net_raw/e2e/01-policy.yaml delete mode 100644 best-practices/require_drop_cap_net_raw/e2e/02-enforce.yaml delete mode 100644 best-practices/require_drop_cap_net_raw/e2e/04-manifests.yaml delete mode 100644 best-practices/require_drop_cap_net_raw/e2e/99-delete.yaml delete mode 100644 best-practices/require_drop_cap_net_raw/e2e/bad-pod-containers.yaml delete mode 100644 best-practices/require_drop_cap_net_raw/e2e/bad-pod-corner.yaml delete mode 100644 best-practices/require_drop_cap_net_raw/e2e/bad-pod-initcontainers.yaml delete mode 100644 best-practices/require_drop_cap_net_raw/e2e/bad-podcontrollers.yaml delete mode 100644 best-practices/require_drop_cap_net_raw/e2e/good-pod.yaml delete mode 100644 best-practices/require_drop_cap_net_raw/e2e/good-podcontrollers.yaml delete mode 100644 best-practices/require_labels/e2e/01-policy.yaml delete mode 100644 best-practices/require_labels/e2e/02-enforce.yaml delete mode 100644 best-practices/require_labels/e2e/04-manifests.yaml delete mode 100644 best-practices/require_labels/e2e/99-delete.yaml delete mode 100644 best-practices/require_labels/e2e/bad-pod-nolabel.yaml delete mode 100644 best-practices/require_labels/e2e/bad-pod-somelabel.yaml delete mode 100644 best-practices/require_labels/e2e/bad-podcontrollers.yaml delete mode 100644 best-practices/require_labels/e2e/good-podcontrollers.yaml delete mode 100644 best-practices/require_labels/e2e/good-pods.yaml delete mode 100644 best-practices/require_pod_requests_limits/e2e/01-policy.yaml delete mode 100644 best-practices/require_pod_requests_limits/e2e/02-enforce.yaml delete mode 100644 best-practices/require_pod_requests_limits/e2e/03-enforce-policy-assert.yaml delete mode 100644 best-practices/require_pod_requests_limits/e2e/04-manifests.yaml delete mode 100644 best-practices/require_pod_requests_limits/e2e/99-delete.yaml delete mode 100644 best-practices/require_pod_requests_limits/e2e/bad-pod-nolimit.yaml delete mode 100644 
best-practices/require_pod_requests_limits/e2e/bad-pod-nores.yaml delete mode 100644 best-practices/require_pod_requests_limits/e2e/bad-pod-nothing.yaml delete mode 100644 best-practices/require_pod_requests_limits/e2e/bad-podcontrollers.yaml delete mode 100644 best-practices/require_pod_requests_limits/e2e/good-podcontrollers.yaml delete mode 100644 best-practices/require_pod_requests_limits/e2e/good-pods.yaml delete mode 100644 best-practices/require_pod_requests_limits/e2e/policy-assert.yaml delete mode 100644 best-practices/require_probes/e2e/01-policy.yaml delete mode 100644 best-practices/require_probes/e2e/02-enforce.yaml delete mode 100644 best-practices/require_probes/e2e/03-enforce-policy-assert.yaml delete mode 100644 best-practices/require_probes/e2e/04-manifests.yaml delete mode 100644 best-practices/require_probes/e2e/05-pod-update.yaml delete mode 100644 best-practices/require_probes/e2e/99-delete.yaml delete mode 100644 best-practices/require_probes/e2e/bad-pod-notall.yaml delete mode 100644 best-practices/require_probes/e2e/bad-pod-nothing.yaml delete mode 100644 best-practices/require_probes/e2e/bad-pod-update.yaml delete mode 100644 best-practices/require_probes/e2e/bad-podcontrollers.yaml delete mode 100644 best-practices/require_probes/e2e/good-podcontrollers.yaml delete mode 100644 best-practices/require_probes/e2e/good-pods.yaml delete mode 100644 best-practices/require_ro_rootfs/e2e/01-policy.yaml delete mode 100644 best-practices/require_ro_rootfs/e2e/02-enforce.yaml delete mode 100644 best-practices/require_ro_rootfs/e2e/03-enforce-policy-assert.yaml delete mode 100644 best-practices/require_ro_rootfs/e2e/04-manifests.yaml delete mode 100644 best-practices/require_ro_rootfs/e2e/99-delete.yaml delete mode 100644 best-practices/require_ro_rootfs/e2e/bad-pod-false.yaml delete mode 100644 best-practices/require_ro_rootfs/e2e/bad-pod-notall.yaml delete mode 100644 best-practices/require_ro_rootfs/e2e/bad-pod-nothing.yaml delete mode 100644 
best-practices/require_ro_rootfs/e2e/bad-podcontrollers.yaml delete mode 100644 best-practices/require_ro_rootfs/e2e/good-podcontrollers.yaml delete mode 100644 best-practices/require_ro_rootfs/e2e/good-pods.yaml delete mode 100644 best-practices/restrict-service-external-ips/e2e/01-policy.yaml delete mode 100644 best-practices/restrict-service-external-ips/e2e/02-enforce.yaml delete mode 100644 best-practices/restrict-service-external-ips/e2e/03-enforce-policy-assert.yaml delete mode 100644 best-practices/restrict-service-external-ips/e2e/04-manifests.yaml delete mode 100644 best-practices/restrict-service-external-ips/e2e/99-delete.yaml delete mode 100644 best-practices/restrict-service-external-ips/e2e/bad-service-oneip.yaml delete mode 100644 best-practices/restrict-service-external-ips/e2e/bad-service-twoeip.yaml delete mode 100644 best-practices/restrict-service-external-ips/e2e/good-services.yaml delete mode 100644 best-practices/restrict-service-external-ips/e2e/policy-assert.yaml delete mode 100644 best-practices/restrict_node_port/e2e/01-policy.yaml delete mode 100644 best-practices/restrict_node_port/e2e/02-enforce.yaml delete mode 100644 best-practices/restrict_node_port/e2e/03-enforce-policy-assert.yaml delete mode 100644 best-practices/restrict_node_port/e2e/04-manifests.yaml delete mode 100644 best-practices/restrict_node_port/e2e/99-delete.yaml delete mode 100644 best-practices/restrict_node_port/e2e/bad-service-nodeport.yaml delete mode 100644 best-practices/restrict_node_port/e2e/good-services.yaml delete mode 100644 kuttl-test.yaml create mode 100644 pod-security/baseline/disallow-capabilities/e2e/bad-resource.yaml create mode 100644 pod-security/baseline/disallow-capabilities/e2e/chainsaw-test.yaml rename best-practices/disallow_latest_tag/e2e/03-enforce-policy-assert.yaml => pod-security/baseline/disallow-capabilities/e2e/enforce-policy-assert.yaml (60%) create mode 100644 pod-security/baseline/disallow-capabilities/e2e/good-resource.yaml 
rename {best-practices/require_drop_all => pod-security/baseline/disallow-capabilities}/e2e/policy-assert.yaml (85%) create mode 100644 pod-security/baseline/disallow-host-namespaces/e2e/bad-resource.yaml create mode 100644 pod-security/baseline/disallow-host-namespaces/e2e/chainsaw-test.yaml create mode 100644 pod-security/baseline/disallow-host-namespaces/e2e/enforce-policy-assert.yaml create mode 100644 pod-security/baseline/disallow-host-namespaces/e2e/good-resource.yaml create mode 100644 pod-security/baseline/disallow-host-namespaces/e2e/policy-assert.yaml create mode 100644 pod-security/baseline/disallow-host-namespaces/e2e/remediation-policy-assert.yaml create mode 100644 pod-security/baseline/disallow-host-path/e2e/bad-resource.yaml create mode 100644 pod-security/baseline/disallow-host-path/e2e/chainsaw-test.yaml rename best-practices/require_drop_cap_net_raw/e2e/03-enforce-policy-assert.yaml => pod-security/baseline/disallow-host-path/e2e/enforce-policy-assert.yaml (61%) create mode 100644 pod-security/baseline/disallow-host-path/e2e/good-resource.yaml rename {best-practices/require_probes => pod-security/baseline/disallow-host-path}/e2e/policy-assert.yaml (86%) rename best-practices/disallow_default_namespace/e2e/03-enforce-policy-assert.yaml => pod-security/baseline/disallow-host-path/e2e/remediation-policy-assert.yaml (66%) create mode 100644 pod-security/baseline/disallow-host-ports/e2e/bad-resource.yaml create mode 100644 pod-security/baseline/disallow-host-ports/e2e/chainsaw-test.yaml create mode 100644 pod-security/baseline/disallow-host-ports/e2e/enforce-policy-assert.yaml create mode 100644 pod-security/baseline/disallow-host-ports/e2e/good-resource.yaml rename {best-practices/disallow_latest_tag => pod-security/baseline/disallow-host-ports}/e2e/policy-assert.yaml (86%) rename best-practices/disallow-empty-ingress-host/e2e/03-enforce-policy-assert.yaml => pod-security/baseline/disallow-host-ports/e2e/remediation-policy-assert.yaml (66%) create 
mode 100644 pod-security/baseline/disallow-host-process/e2e/bad-resource.yaml create mode 100644 pod-security/baseline/disallow-host-process/e2e/chainsaw-test.yaml create mode 100644 pod-security/baseline/disallow-host-process/e2e/enforce-policy-assert.yaml create mode 100644 pod-security/baseline/disallow-host-process/e2e/good-resource.yaml create mode 100644 pod-security/baseline/disallow-host-process/e2e/policy-assert.yaml create mode 100644 pod-security/baseline/disallow-host-process/e2e/remediation-policy-assert.yaml create mode 100644 pod-security/baseline/disallow-privileged-containers/e2e/bad-resource.yaml create mode 100644 pod-security/baseline/disallow-privileged-containers/e2e/chainsaw-test.yaml create mode 100644 pod-security/baseline/disallow-privileged-containers/e2e/enforce-policy-assert.yaml create mode 100644 pod-security/baseline/disallow-privileged-containers/e2e/good-resource.yaml rename {best-practices/disallow_cri_sock_mount => pod-security/baseline/disallow-privileged-containers}/e2e/policy-assert.yaml (81%) create mode 100644 pod-security/baseline/disallow-privileged-containers/e2e/remediation-policy-assert.yaml create mode 100644 pod-security/baseline/disallow-proc-mount/e2e/bad-resource.yaml create mode 100644 pod-security/baseline/disallow-proc-mount/e2e/chainsaw-test.yaml create mode 100644 pod-security/baseline/disallow-proc-mount/e2e/enforce-policy-assert.yaml create mode 100644 pod-security/baseline/disallow-proc-mount/e2e/good-resource.yaml create mode 100644 pod-security/baseline/disallow-proc-mount/e2e/policy-assert.yaml create mode 100644 pod-security/baseline/disallow-proc-mount/e2e/remediation-policy-assert.yaml create mode 100644 pod-security/baseline/disallow-selinux/e2e/bad-resource.yaml create mode 100644 pod-security/baseline/disallow-selinux/e2e/chainsaw-test.yaml rename best-practices/require_ro_rootfs/e2e/policy-assert.yaml => pod-security/baseline/disallow-selinux/e2e/enforce-policy-assert.yaml (62%) create mode 100644 
pod-security/baseline/disallow-selinux/e2e/good-resource.yaml rename {best-practices/require_drop_cap_net_raw => pod-security/baseline/disallow-selinux}/e2e/policy-assert.yaml (87%) create mode 100644 pod-security/baseline/restrict-apparmor-profiles/e2e/bad-resource.yaml create mode 100644 pod-security/baseline/restrict-apparmor-profiles/e2e/chainsaw-test.yaml create mode 100644 pod-security/baseline/restrict-apparmor-profiles/e2e/enforce-policy-assert.yaml create mode 100644 pod-security/baseline/restrict-apparmor-profiles/e2e/good-resource.yaml rename {best-practices/disallow_default_namespace => pod-security/baseline/restrict-apparmor-profiles}/e2e/policy-assert.yaml (83%) create mode 100644 pod-security/baseline/restrict-seccomp/e2e/bad-resource.yaml create mode 100644 pod-security/baseline/restrict-seccomp/e2e/chainsaw-test.yaml rename best-practices/require_labels/e2e/03-enforce-policy-assert.yaml => pod-security/baseline/restrict-seccomp/e2e/enforce-policy-assert.yaml (62%) create mode 100644 pod-security/baseline/restrict-seccomp/e2e/good-resource.yaml rename {best-practices/require_labels => pod-security/baseline/restrict-seccomp}/e2e/policy-assert.yaml (87%) create mode 100644 pod-security/baseline/restrict-sysctls/e2e/bad-resource.yaml create mode 100644 pod-security/baseline/restrict-sysctls/e2e/chainsaw-test.yaml create mode 100644 pod-security/baseline/restrict-sysctls/e2e/enforce-policy-assert.yaml create mode 100644 pod-security/baseline/restrict-sysctls/e2e/good-resource.yaml rename {best-practices/restrict_node_port => pod-security/baseline/restrict-sysctls}/e2e/policy-assert.yaml (87%) create mode 100644 pod-security/restricted/disallow-capabilities-strict/e2e/bad-resource.yaml create mode 100644 pod-security/restricted/disallow-capabilities-strict/e2e/chainsaw-test.yaml create mode 100644 pod-security/restricted/disallow-capabilities-strict/e2e/enforce-policy-assert.yaml create mode 100644 
pod-security/restricted/disallow-capabilities-strict/e2e/good-resource.yaml create mode 100644 pod-security/restricted/disallow-capabilities-strict/e2e/policy-assert.yaml create mode 100644 pod-security/restricted/disallow-capabilities-strict/e2e/remediation-policy-assert.yaml create mode 100644 pod-security/restricted/disallow-privilege-escalation/e2e/bad-resource.yaml create mode 100644 pod-security/restricted/disallow-privilege-escalation/e2e/chainsaw-test.yaml create mode 100644 pod-security/restricted/disallow-privilege-escalation/e2e/enforce-policy-assert.yaml create mode 100644 pod-security/restricted/disallow-privilege-escalation/e2e/good-resource.yaml create mode 100644 pod-security/restricted/disallow-privilege-escalation/e2e/policy-assert.yaml create mode 100644 pod-security/restricted/disallow-privilege-escalation/e2e/remediation-policy-assert.yaml create mode 100644 pod-security/restricted/require-run-as-non-root-user/e2e/bad-resource.yaml create mode 100644 pod-security/restricted/require-run-as-non-root-user/e2e/chainsaw-test.yaml create mode 100644 pod-security/restricted/require-run-as-non-root-user/e2e/enforce-policy-assert.yaml create mode 100644 pod-security/restricted/require-run-as-non-root-user/e2e/good-resource.yaml create mode 100644 pod-security/restricted/require-run-as-non-root-user/e2e/policy-assert.yaml create mode 100644 pod-security/restricted/require-run-as-nonroot/e2e/bad-resource.yaml create mode 100644 pod-security/restricted/require-run-as-nonroot/e2e/chainsaw-test.yaml rename best-practices/require_drop_all/e2e/03-enforce-policy-assert.yaml => pod-security/restricted/require-run-as-nonroot/e2e/enforce-policy-assert.yaml (60%) create mode 100644 pod-security/restricted/require-run-as-nonroot/e2e/good-resource.yaml create mode 100644 pod-security/restricted/require-run-as-nonroot/e2e/policy-assert.yaml rename best-practices/disallow_cri_sock_mount/e2e/03-enforce-policy-assert.yaml => 
pod-security/restricted/require-run-as-nonroot/e2e/remediation-policy-assert.yaml (65%) create mode 100644 pod-security/restricted/restrict-seccomp-strict/e2e/bad-resource.yaml create mode 100644 pod-security/restricted/restrict-seccomp-strict/e2e/chainsaw-test.yaml create mode 100644 pod-security/restricted/restrict-seccomp-strict/e2e/enforce-policy-assert.yaml create mode 100644 pod-security/restricted/restrict-seccomp-strict/e2e/good-resource.yaml create mode 100644 pod-security/restricted/restrict-seccomp-strict/e2e/policy-assert.yaml create mode 100644 pod-security/restricted/restrict-volume-types/e2e/bad-resource.yaml create mode 100644 pod-security/restricted/restrict-volume-types/e2e/chainsaw-test.yaml create mode 100644 pod-security/restricted/restrict-volume-types/e2e/enforce-policy-assert.yaml create mode 100644 pod-security/restricted/restrict-volume-types/e2e/good-resource.yaml create mode 100644 pod-security/restricted/restrict-volume-types/e2e/policy-assert.yaml create mode 100644 rbac-best-practices/disable-automount-sa-token/e2e/chainsaw-test.yaml rename best-practices/disallow_default_namespace/e2e/04-ns.yaml => rbac-best-practices/disable-automount-sa-token/e2e/ns.yaml (56%) create mode 100644 rbac-best-practices/disable-automount-sa-token/e2e/policy-assert.yaml create mode 100644 rbac-best-practices/disable-automount-sa-token/e2e/sa-not-patched.yaml create mode 100644 rbac-best-practices/disable-automount-sa-token/e2e/sa-patched.yaml create mode 100644 rbac-best-practices/disable-automount-sa-token/e2e/sa.yaml create mode 100644 rbac-best-practices/restrict-automount-sa-token/e2e/bad-resource.yaml create mode 100644 rbac-best-practices/restrict-automount-sa-token/e2e/chainsaw-test.yaml create mode 100644 rbac-best-practices/restrict-automount-sa-token/e2e/enforce-policy-assert.yaml create mode 100644 rbac-best-practices/restrict-automount-sa-token/e2e/good-resource.yaml rename {best-practices/disallow-empty-ingress-host => 
rbac-best-practices/restrict-automount-sa-token}/e2e/policy-assert.yaml (82%) create mode 100644 rbac-best-practices/restrict-binding-system-groups/e2e/bad-resource.yaml create mode 100644 rbac-best-practices/restrict-binding-system-groups/e2e/chainsaw-test.yaml create mode 100644 rbac-best-practices/restrict-binding-system-groups/e2e/enforce-policy-assert.yaml create mode 100644 rbac-best-practices/restrict-binding-system-groups/e2e/good-resource.yaml create mode 100644 rbac-best-practices/restrict-binding-system-groups/e2e/policy-assert.yaml create mode 100644 rbac-best-practices/restrict-clusterrole-nodesproxy/e2e/bad-resource.yaml create mode 100644 rbac-best-practices/restrict-clusterrole-nodesproxy/e2e/chainsaw-test.yaml create mode 100644 rbac-best-practices/restrict-clusterrole-nodesproxy/e2e/enforce-policy-assert.yaml create mode 100644 rbac-best-practices/restrict-clusterrole-nodesproxy/e2e/good-resource.yaml create mode 100644 rbac-best-practices/restrict-clusterrole-nodesproxy/e2e/policy-assert.yaml create mode 100644 rbac-best-practices/restrict-escalation-verbs-roles/e2e/bad-resource.yaml create mode 100644 rbac-best-practices/restrict-escalation-verbs-roles/e2e/chainsaw-test.yaml create mode 100644 rbac-best-practices/restrict-escalation-verbs-roles/e2e/enforce-policy-assert.yaml create mode 100644 rbac-best-practices/restrict-escalation-verbs-roles/e2e/good-resource.yaml create mode 100644 rbac-best-practices/restrict-escalation-verbs-roles/e2e/policy-assert.yaml create mode 100644 rbac-best-practices/restrict-wildcard-resources/e2e/bad-resource.yaml create mode 100644 rbac-best-practices/restrict-wildcard-resources/e2e/chainsaw-test.yaml create mode 100644 rbac-best-practices/restrict-wildcard-resources/e2e/enforce-policy-assert.yaml create mode 100644 rbac-best-practices/restrict-wildcard-resources/e2e/good-resource.yaml create mode 100644 rbac-best-practices/restrict-wildcard-resources/e2e/policy-assert.yaml 
diff --git a/.chainsaw-config.yaml b/.chainsaw-config.yaml
new file mode 100644
index 00000000..9eb74c1a
--- /dev/null
+++ b/.chainsaw-config.yaml
@@ -0,0 +1,17 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Configuration
+metadata:
+ creationTimestamp: null
+ name: configuration
+spec:
+ parallel: 1
+ timeouts:
+ apply: 1m30s
+ assert: 1m30s
+ cleanup: 2m30s
+ delete: 1m30s
+ error: 1m30s
+ exec: 1m30s
+ fullName: true
+ forceTerminationGracePeriod: 5s
+ delayBeforeCleanup: 3s
diff --git a/.github/workflows/chainsaw-e2e.yaml b/.github/workflows/chainsaw-e2e.yaml
new file mode 100644
index 00000000..b9628657
--- /dev/null
+++ b/.github/workflows/chainsaw-e2e.yaml
@@ -0,0 +1,48 @@
+name: ChainSaw Test
+on:
+ push:
+ branches:
+ - 'main'
+ - 'chainsaw-test'
+ # this action needs to read GH secret
+ # hence prevents executing on PRs from forks
+ # disabling running on PRs until we find a workaround for this
+ pull_request:
+ branches:
+ - 'main'
+ - 'chainsaw-test'
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: true
+
+jobs:
+ run-e2etest:
+ runs-on: ubuntu-latest
+ permissions:
+ packages: read
+ strategy:
+ fail-fast: false
+ matrix:
+ k8s-version: [v1.28.0, v1.27.3, v1.26.3, v1.25.8, v1.24.12, v1.23.17]
+ n4k-chart-version: [1.6.11, 3.0.9]
+
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v3
+
+ - name: Prepare environment
+ run: K8S_VERSION=${{ matrix.k8s-version }} make kind-create-cluster
+
+ - name: Install kyverno
+ run: |
+ N4K_VERSION=${{ matrix.n4k-chart-version }} make kind-deploy-kyverno
+
+ - name: Check Kyverno status
+ run: make wait-for-kyverno
+
+ - name: Install chainsaw
+ uses: kyverno/action-install-chainsaw@6ab03ccb2c8309b5f494fcbc78ec3a2d80cfabee # v0.1.0
+
+ - name: Test with Chainsaw
+ run: make test-chainsaw
diff --git a/.github/workflows/e2e.yaml b/.github/workflows/e2e.yaml
deleted file mode 100644
index 15ff7d86..00000000
--- a/.github/workflows/e2e.yaml
+++ /dev/null
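Review bot: The three comment lines under `push.branches` in chainsaw-e2e.yaml ("this action needs to read GH secret … disabling running on PRs until we find a workaround for this") are carried over from the deleted e2e.yaml, but nothing in the new workflow reads `secrets.*` any more — the licence-key step was replaced by `N4K_VERSION=${{ matrix.n4k-chart-version }} make kind-deploy-kyverno` — so the comment now documents a constraint that no longer exists and should be dropped or rewritten to say why PR runs are restricted, if they still are. Action pinning is inconsistent within the same job: `kyverno/action-install-chainsaw` is pinned to a full commit SHA with a `# v0.1.0` marker, while `actions/checkout@v3` floats on a mutable tag; pin it to a SHA the same way so the supply-chain posture is uniform. Declaring `permissions:` with only `packages: read` sets every unspecified scope of the job token to none — confirm the checkout step still works on this repository under that token, and add `contents: read` if it does not.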
@@ -1,32 +0,0 @@ -name: Kuttl Test - -on: - push: - branches: - - 'main' - # this action needs to read GH secret - # hence prevents executing on PRs from forks - # disabling running on PRs until we find a workaround for this - pull_request: - branches: - - 'main' - -concurrency: - group: ${{ github.workflow }}-${{ github.ref }} - cancel-in-progress: true - -jobs: - run-e2etest: - runs-on: ubuntu-latest - steps: - - name: Checkout - uses: actions/checkout@v3 - - name: Prepare environment - run: make kind-create-cluster - - name: Install kyverno - run: | - N4K_LICENSE_KEY=${{ secrets.N4K_CI_LICENSE }} make kind-deploy-kyverno - - name: Check Kyverno status - run: make wait-for-kyverno - - name: Test with kuttl - run: make test-kuttl diff --git a/Makefile b/Makefile index c7aace60..881478b0 100644 --- a/Makefile +++ b/Makefile @@ -1,18 +1,16 @@ .DEFAULT_GOAL: build-all K8S_VERSION ?= $(shell kubectl version --short | grep -i server | cut -d" " -f3 | cut -c2-) -KIND_IMAGE ?= kindest/node:v1.25.2 +KIND_IMAGE ?= kindest/node:$(K8S_VERSION) KIND_NAME ?= kind USE_CONFIG ?= standard TOOLS_DIR := $(PWD)/.tools KIND := $(TOOLS_DIR)/kind -KIND_VERSION := v0.17.0 +KIND_VERSION := v0.20.0 HELM := $(TOOLS_DIR)/helm HELM_VERSION := v3.10.1 -KUTTL := $(TOOLS_DIR)/kubectl-kuttl -KUTTL_VERSION := v0.0.0-20230108220859-ef8d83c89156 -TOOLS := $(KIND) $(HELM) $(KUTTL) +TOOLS := $(KIND) $(HELM) $(KIND): @echo Install kind... >&2 @@ -22,10 +20,6 @@ $(HELM): @echo Install helm... >&2 @GOBIN=$(TOOLS_DIR) go install helm.sh/helm/v3/cmd/helm@$(HELM_VERSION) -$(KUTTL): - @echo Install kuttl... >&2 - @GOBIN=$(TOOLS_DIR) go install github.com/kyverno/kuttl/cmd/kubectl-kuttl@$(KUTTL_VERSION) - .PHONY: install-tools install-tools: $(TOOLS) 
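Review bot: `KIND_IMAGE ?= kindest/node:$(K8S_VERSION)` produces a tag that exists in CI but not locally: the workflow passes `K8S_VERSION=v1.28.0`, so the image is `kindest/node:v1.28.0`, while the shell default on the line above ends in `cut -c2-`, which strips the leading `v` and yields `kindest/node:1.28.0`; with no reachable cluster the default is empty and the image becomes `kindest/node:`. Normalising in one place removes the mismatch, e.g. `KIND_IMAGE ?= kindest/node:v$(K8S_VERSION:v%=%)`, which accepts either spelling. The `kubectl version --short` flag the default relies on has, as far as I recall, been removed in recent kubectl releases, so the local fallback is fragile regardless; a fixed default version with an override may be simpler. Since kind node images are built per kind release, it is also worth pinning each `kindest/node` tag by digest for the `KIND_VERSION` chosen here rather than trusting mutable tags.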
@@ -34,20 +28,20 @@ clean-tools: @echo Clean tools... >&2 @rm -rf $(TOOLS_DIR) -############### -# KUTTL TESTS # -############### +################## +# CHAINSAW TESTS # +################## -.PHONY: test-kuttl -test-kuttl: $(KUTTL) ## Run kuttl tests - @echo Running kuttl tests... >&2 - @$(KUTTL) test --config kuttl-test.yaml +.PHONY: test-chainsaw +test-chainsaw: + @echo Running chainsaw tests... >&2 + @chainsaw test --config .chainsaw-config.yaml ## Create kind cluster .PHONY: kind-create-cluster kind-create-cluster: $(KIND) @echo Create kind cluster... >&2 - @$(KIND) create cluster --name $(KIND_NAME) + @$(KIND) create cluster --name $(KIND_NAME) --image $(KIND_IMAGE) ## Delete kind cluster .PHONY: kind-delete-cluster @@ -60,13 +54,14 @@ kind-delete-cluster: $(KIND) kind-deploy-kyverno: $(HELM) @echo Install kyverno chart... >&2 @$(HELM) repo add nirmata https://nirmata.github.io/kyverno-charts - @$(HELM) install kyverno --namespace kyverno --create-namespace nirmata/kyverno + @$(HELM) repo update + @$(HELM) install kyverno nirmata/kyverno -n kyverno --create-namespace --version=$(N4K_VERSION) ## Check Kyverno status .PHONY: wait-for-kyverno wait-for-kyverno: @echo Check kyverno status to be ready... >&2 - @kubectl wait --namespace kyverno --for=condition=ready pod --all --timeout=120s + @kubectl wait --namespace kyverno --for=condition=ready pod --all --timeout=180s ##################### # Kyverno CLI TESTS # diff --git a/best-practices/disallow-empty-ingress-host/e2e/01-policy.yaml b/best-practices/disallow-empty-ingress-host/e2e/01-policy.yaml deleted file mode 100644 index 09a6287b..00000000 --- a/best-practices/disallow-empty-ingress-host/e2e/01-policy.yaml +++ /dev/null @@ -1,6 +0,0 @@ -apiVersion: kuttl.dev/v1beta1 -kind: TestStep -apply: -- ../disallow_empty_ingress_host.yaml -assert: -- policy-assert.yaml 
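Review bot: `test-chainsaw:` has no prerequisite and runs a bare `chainsaw`, so the target depends on whatever binary happens to be on PATH, while the pattern used for kind and helm (a pinned `*_VERSION`, installed into `$(TOOLS_DIR)` and listed in `$(TOOLS)`) is dropped with the kuttl rule removed in the previous hunk. That makes the local run non-reproducible and leaves the Makefile unable to verify it is testing with the same chainsaw release the workflow pins. The sketch below restores the pattern; the first three lines belong with the variable block in the first hunk, and the version should be the release the CI action installs.

```makefile
CHAINSAW := $(TOOLS_DIR)/chainsaw
CHAINSAW_VERSION := <CHAINSAW_RELEASE_PLACEHOLDER>
TOOLS := $(KIND) $(HELM) $(CHAINSAW)

$(CHAINSAW):
	@echo Install chainsaw... >&2
	@GOBIN=$(TOOLS_DIR) go install github.com/kyverno/chainsaw@$(CHAINSAW_VERSION)

# ... unchanged: CHAINSAW TESTS banner ...
.PHONY: test-chainsaw
test-chainsaw: $(CHAINSAW)
	@echo Running chainsaw tests... >&2
	@$(CHAINSAW) test --config .chainsaw-config.yaml
```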
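Review bot: `--version=$(N4K_VERSION)` in `kind-deploy-kyverno` has no guard for an unset variable; the workflow always supplies it, but a local `make kind-deploy-kyverno` expands to `--version=`, which helm appears to treat as "latest chart", so the test run silently targets an unpinned release. A one-line check at the top of the recipe makes the requirement explicit: `@test -n "$(N4K_VERSION)" || { echo "N4K_VERSION is required (chart version)" >&2; exit 1; }`. The `helm repo update` addition is needed for `--version` to resolve newer charts and is fine; the timeout bump in `wait-for-kyverno` is reasonable given the added matrix of chart versions.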
diff --git a/best-practices/disallow-empty-ingress-host/e2e/02-enforce.yaml b/best-practices/disallow-empty-ingress-host/e2e/02-enforce.yaml deleted file mode 100644 index 38bafd8b..00000000 --- a/best-practices/disallow-empty-ingress-host/e2e/02-enforce.yaml +++ /dev/null @@ -1,5 +0,0 @@ -apiVersion: kuttl.dev/v1beta1 -kind: TestStep -commands: -- script: | - sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../disallow_empty_ingress_host.yaml | kubectl apply -f - diff --git a/best-practices/disallow-empty-ingress-host/e2e/04-manifests.yaml b/best-practices/disallow-empty-ingress-host/e2e/04-manifests.yaml deleted file mode 100644 index baaf463d..00000000 --- a/best-practices/disallow-empty-ingress-host/e2e/04-manifests.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: kuttl.dev/v1beta1 -kind: TestStep -apply: -- file: good-ingress.yaml - shouldFail: false -- file: no-host-ingress.yaml - shouldFail: true -- file: no-host-fail-first.yaml - shouldFail: true -- file: no-host-success-first.yaml - shouldFail: true diff --git a/best-practices/disallow-empty-ingress-host/e2e/99-delete.yaml b/best-practices/disallow-empty-ingress-host/e2e/99-delete.yaml deleted file mode 100644 index a23ec656..00000000 --- a/best-practices/disallow-empty-ingress-host/e2e/99-delete.yaml +++ /dev/null @@ -1,6 +0,0 @@ -apiVersion: kuttl.dev/v1beta1 -kind: TestStep -delete: -- apiVersion: kyverno.io/v1 - kind: ClusterPolicy - name: disallow-empty-ingress-host diff --git a/best-practices/disallow-empty-ingress-host/e2e/good-ingress.yaml b/best-practices/disallow-empty-ingress-host/e2e/good-ingress.yaml deleted file mode 100644 index 2be70167..00000000 --- a/best-practices/disallow-empty-ingress-host/e2e/good-ingress.yaml +++ /dev/null 
@@ -1,26 +0,0 @@ -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: ingress-wildcard-host -spec: - rules: - - host: "foo.bar.com" - http: - paths: - - pathType: Prefix - path: "/bar" - backend: - service: - name: service1 - port: - number: 80 - - host: "*.foo.com" - http: - paths: - - pathType: Prefix - path: "/foo" - backend: - service: - name: service2 - port: - number: 80 diff --git a/best-practices/disallow-empty-ingress-host/e2e/no-host-fail-first.yaml b/best-practices/disallow-empty-ingress-host/e2e/no-host-fail-first.yaml deleted file mode 100644 index b069cd2d..00000000 --- a/best-practices/disallow-empty-ingress-host/e2e/no-host-fail-first.yaml +++ /dev/null @@ -1,25 +0,0 @@ -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: ingress-host -spec: - rules: - - http: - paths: - - pathType: Prefix - path: "/bar" - backend: - service: - name: service1 - port: - number: 80 - - host: "bar.foo.com" - http: - paths: - - pathType: Prefix - path: "/foo" - backend: - service: - name: service2 - port: - number: 80 diff --git a/best-practices/disallow-empty-ingress-host/e2e/no-host-ingress.yaml b/best-practices/disallow-empty-ingress-host/e2e/no-host-ingress.yaml deleted file mode 100644 index 76640b94..00000000 --- a/best-practices/disallow-empty-ingress-host/e2e/no-host-ingress.yaml +++ /dev/null @@ -1,17 +0,0 @@ -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: minimal-ingress - annotations: - nginx.ingress.kubernetes.io/rewrite-target: / -spec: - rules: - - http: - paths: - - path: /testpath - pathType: Prefix - backend: - service: - name: test - port: - number: 80 diff --git a/best-practices/disallow-empty-ingress-host/e2e/no-host-success-first.yaml b/best-practices/disallow-empty-ingress-host/e2e/no-host-success-first.yaml deleted file mode 100644 index d2de72ab..00000000 --- a/best-practices/disallow-empty-ingress-host/e2e/no-host-success-first.yaml +++ /dev/null 
@@ -1,25 +0,0 @@ -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: ingress-host -spec: - rules: - - host: "bar.foo.com" - http: - paths: - - pathType: Prefix - path: "/bar" - backend: - service: - name: service1 - port: - number: 80 - - http: - paths: - - pathType: Prefix - path: "/foo" - backend: - service: - name: service2 - port: - number: 80 diff --git a/best-practices/disallow_cri_sock_mount/e2e/01-policy.yaml b/best-practices/disallow_cri_sock_mount/e2e/01-policy.yaml deleted file mode 100644 index e25d199f..00000000 --- a/best-practices/disallow_cri_sock_mount/e2e/01-policy.yaml +++ /dev/null @@ -1,6 +0,0 @@ -apiVersion: kuttl.dev/v1beta1 -kind: TestStep -apply: -- ../disallow_cri_sock_mount.yaml -assert: -- policy-assert.yaml diff --git a/best-practices/disallow_cri_sock_mount/e2e/02-enforce.yaml b/best-practices/disallow_cri_sock_mount/e2e/02-enforce.yaml deleted file mode 100644 index a1e3e324..00000000 --- a/best-practices/disallow_cri_sock_mount/e2e/02-enforce.yaml +++ /dev/null @@ -1,5 +0,0 @@ -apiVersion: kuttl.dev/v1beta1 -kind: TestStep -commands: -- script: | - sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../disallow_cri_sock_mount.yaml | kubectl apply -f - diff --git a/best-practices/disallow_cri_sock_mount/e2e/04-manifests.yaml b/best-practices/disallow_cri_sock_mount/e2e/04-manifests.yaml deleted file mode 100644 index 323f86bd..00000000 --- a/best-practices/disallow_cri_sock_mount/e2e/04-manifests.yaml +++ /dev/null @@ -1,15 +0,0 @@ -apiVersion: kuttl.dev/v1beta1 -kind: TestStep -apply: -- file: good-pod.yaml - shouldFail: false -- file: pod-containerd-sock.yaml - shouldFail: true -- file: pod-docker-sock.yaml - shouldFail: true -- file: pod-crio-sock.yaml - shouldFail: true -- file: pod-emptydir-vol.yaml - shouldFail: false -- file: pod-no-volumes.yaml - shouldFail: false 
diff --git a/best-practices/disallow_cri_sock_mount/e2e/99-delete.yaml b/best-practices/disallow_cri_sock_mount/e2e/99-delete.yaml deleted file mode 100644 index c25cfce8..00000000 --- a/best-practices/disallow_cri_sock_mount/e2e/99-delete.yaml +++ /dev/null @@ -1,6 +0,0 @@ -apiVersion: kuttl.dev/v1beta1 -kind: TestStep -delete: -- apiVersion: kyverno.io/v1 - kind: ClusterPolicy - name: disallow-container-sock-mounts diff --git a/best-practices/disallow_cri_sock_mount/e2e/good-pod.yaml b/best-practices/disallow_cri_sock_mount/e2e/good-pod.yaml deleted file mode 100644 index 18e33eb1..00000000 --- a/best-practices/disallow_cri_sock_mount/e2e/good-pod.yaml +++ /dev/null @@ -1,15 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: goodpod01 -spec: - containers: - - name: myshell - image: "ubuntu:18.04" - command: - - /bin/sleep - - "300" - volumes: - - name: data - hostPath: - path: /data diff --git a/best-practices/disallow_cri_sock_mount/e2e/pod-containerd-sock.yaml b/best-practices/disallow_cri_sock_mount/e2e/pod-containerd-sock.yaml deleted file mode 100644 index 1baddfe7..00000000 --- a/best-practices/disallow_cri_sock_mount/e2e/pod-containerd-sock.yaml +++ /dev/null @@ -1,15 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: pod-with-containerd-sock-mount -spec: - containers: - - name: myshell - image: "ubuntu:18.04" - command: - - /bin/sleep - - "300" - volumes: - - name: dockersock - hostPath: - path: /var/run/containerd.sock diff --git a/best-practices/disallow_cri_sock_mount/e2e/pod-crio-sock.yaml b/best-practices/disallow_cri_sock_mount/e2e/pod-crio-sock.yaml deleted file mode 100644 index b25d5268..00000000 --- a/best-practices/disallow_cri_sock_mount/e2e/pod-crio-sock.yaml +++ /dev/null @@ -1,15 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: pod-with-crio-sock-mount -spec: - containers: - - name: myshell - image: "ubuntu:18.04" - command: - - /bin/sleep - - "300" - volumes: - - name: dockersock - hostPath: - path: /var/run/crio.sock 
diff --git a/best-practices/disallow_cri_sock_mount/e2e/pod-docker-sock.yaml b/best-practices/disallow_cri_sock_mount/e2e/pod-docker-sock.yaml deleted file mode 100644 index 5f45189e..00000000 --- a/best-practices/disallow_cri_sock_mount/e2e/pod-docker-sock.yaml +++ /dev/null @@ -1,15 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: pod-with-docker-sock-mount -spec: - containers: - - name: myshell - image: "ubuntu:18.04" - command: - - /bin/sleep - - "300" - volumes: - - name: dockersock - hostPath: - path: /var/run/docker.sock diff --git a/best-practices/disallow_cri_sock_mount/e2e/pod-emptydir-vol.yaml b/best-practices/disallow_cri_sock_mount/e2e/pod-emptydir-vol.yaml deleted file mode 100644 index b63c6acb..00000000 --- a/best-practices/disallow_cri_sock_mount/e2e/pod-emptydir-vol.yaml +++ /dev/null @@ -1,14 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: pod-with-emptydir-volume -spec: - containers: - - name: busybox - image: busybox:1.35 - command: - - sleep - - "3600" - volumes: - - name: mydir - emptyDir: {} diff --git a/best-practices/disallow_cri_sock_mount/e2e/pod-no-volumes.yaml b/best-practices/disallow_cri_sock_mount/e2e/pod-no-volumes.yaml deleted file mode 100644 index 4cdbe80c..00000000 --- a/best-practices/disallow_cri_sock_mount/e2e/pod-no-volumes.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: pod-with-no-volumes -spec: - automountServiceAccountToken: false - containers: - - name: busybox - image: busybox:1.35 - command: - - sleep - - "3600" diff --git a/best-practices/disallow_default_namespace/e2e/01-policy.yaml b/best-practices/disallow_default_namespace/e2e/01-policy.yaml deleted file mode 100644 index ff4b0362..00000000 --- a/best-practices/disallow_default_namespace/e2e/01-policy.yaml +++ /dev/null @@ -1,6 +0,0 @@ -apiVersion: kuttl.dev/v1beta1 -kind: TestStep -apply: -- ../disallow_default_namespace.yaml -assert: -- policy-assert.yaml 
diff --git a/best-practices/disallow_default_namespace/e2e/02-enforce.yaml b/best-practices/disallow_default_namespace/e2e/02-enforce.yaml deleted file mode 100644 index 04401b72..00000000 --- a/best-practices/disallow_default_namespace/e2e/02-enforce.yaml +++ /dev/null @@ -1,5 +0,0 @@ -apiVersion: kuttl.dev/v1beta1 -kind: TestStep -commands: -- script: | - sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../disallow_default_namespace.yaml | kubectl apply -f - diff --git a/best-practices/disallow_default_namespace/e2e/05-manifests.yaml b/best-practices/disallow_default_namespace/e2e/05-manifests.yaml deleted file mode 100644 index 25df973d..00000000 --- a/best-practices/disallow_default_namespace/e2e/05-manifests.yaml +++ /dev/null @@ -1,15 +0,0 @@ -apiVersion: kuttl.dev/v1beta1 -kind: TestStep -apply: -- file: good-resources.yaml - shouldFail: false -- file: pod-default.yaml - shouldFail: true -- file: ds-default.yaml - shouldFail: true -- file: job-default.yaml - shouldFail: true -- file: ss-default.yaml - shouldFail: true -- file: deploy-default.yaml - shouldFail: true diff --git a/best-practices/disallow_default_namespace/e2e/99-delete.yaml b/best-practices/disallow_default_namespace/e2e/99-delete.yaml deleted file mode 100644 index deedb869..00000000 --- a/best-practices/disallow_default_namespace/e2e/99-delete.yaml +++ /dev/null @@ -1,6 +0,0 @@ -apiVersion: kuttl.dev/v1beta1 -kind: TestStep -delete: -- apiVersion: kyverno.io/v1 - kind: ClusterPolicy - name: disallow-default-namespace diff --git a/best-practices/disallow_default_namespace/e2e/deploy-default.yaml b/best-practices/disallow_default_namespace/e2e/deploy-default.yaml deleted file mode 100644 index 6b10f5c2..00000000 --- a/best-practices/disallow_default_namespace/e2e/deploy-default.yaml +++ /dev/null 
@@ -1,23 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app: busybox - name: bad-busybox - namespace: default -spec: - replicas: 1 - selector: - matchLabels: - app: busybox - template: - metadata: - labels: - app: busybox - spec: - containers: - - image: busybox:v1.35 - name: busybox - command: - - "sleep" - - "3000" diff --git a/best-practices/disallow_default_namespace/e2e/ds-default.yaml b/best-practices/disallow_default_namespace/e2e/ds-default.yaml deleted file mode 100644 index 4bd03337..00000000 --- a/best-practices/disallow_default_namespace/e2e/ds-default.yaml +++ /dev/null @@ -1,20 +0,0 @@ -apiVersion: apps/v1 -kind: DaemonSet -metadata: - name: bad-daemonset - namespace: default -spec: - selector: - matchLabels: - name: good-daemonset - template: - metadata: - labels: - name: good-daemonset - spec: - containers: - - image: busybox:v1.35 - name: busybox - command: - - "sleep" - - "3000" diff --git a/best-practices/disallow_default_namespace/e2e/good-resources.yaml b/best-practices/disallow_default_namespace/e2e/good-resources.yaml deleted file mode 100644 index cc79974f..00000000 --- a/best-practices/disallow_default_namespace/e2e/good-resources.yaml +++ /dev/null 
@@ -1,97 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: goodpod01 - namespace: not-default-ns -spec: - containers: - - name: busybox - image: "busybox:v1.35" - command: - - "sleep" - - "3000" ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app: busybox - name: busybox - namespace: not-default-ns -spec: - replicas: 1 - selector: - matchLabels: - app: busybox - template: - metadata: - labels: - app: busybox - spec: - containers: - - image: busybox:v1.35 - name: busybox - command: - - "sleep" - - "3000" ---- -apiVersion: apps/v1 -kind: DaemonSet -metadata: - name: good-daemonset - namespace: not-default-ns -spec: - selector: - matchLabels: - name: good-daemonset - template: - metadata: - labels: - name: good-daemonset - spec: - containers: - - image: busybox:v1.35 - name: busybox - command: - - "sleep" - - "3000" ---- -apiVersion: batch/v1 -kind: Job -metadata: - name: good-job - namespace: not-default-ns -spec: - template: - spec: - containers: - - image: busybox:v1.35 - name: busybox - command: - - "sleep" - - "3000" - restartPolicy: Never ---- -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: good-statefulset - namespace: not-default-ns -spec: - selector: - matchLabels: - app: busybox - serviceName: "busyservice" - replicas: 1 - minReadySeconds: 10 - template: - metadata: - labels: - app: busybox - spec: - containers: - - image: busybox:v1.35 - name: busybox - command: - - "sleep" - - "3000" diff --git a/best-practices/disallow_default_namespace/e2e/job-default.yaml b/best-practices/disallow_default_namespace/e2e/job-default.yaml deleted file mode 100644 index 31283b5a..00000000 --- a/best-practices/disallow_default_namespace/e2e/job-default.yaml +++ /dev/null @@ -1,15 +0,0 @@ -apiVersion: batch/v1 -kind: Job -metadata: - name: bad-job - namespace: default -spec: - template: - spec: - containers: - - image: busybox:v1.35 - name: busybox - command: - - "sleep" - - "3000" - restartPolicy: Never 
diff --git a/best-practices/disallow_default_namespace/e2e/pod-default.yaml b/best-practices/disallow_default_namespace/e2e/pod-default.yaml deleted file mode 100644 index 0046ecb1..00000000 --- a/best-practices/disallow_default_namespace/e2e/pod-default.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: badpod01 - namespace: default -spec: - containers: - - name: busybox - image: "busybox:v1.35" - command: - - "sleep" - - "3000" diff --git a/best-practices/disallow_default_namespace/e2e/ss-default.yaml b/best-practices/disallow_default_namespace/e2e/ss-default.yaml deleted file mode 100644 index 9c9601f3..00000000 --- a/best-practices/disallow_default_namespace/e2e/ss-default.yaml +++ /dev/null @@ -1,23 +0,0 @@ -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: good-statefulset - namespace: default -spec: - selector: - matchLabels: - app: busybox - serviceName: "busyservice" - replicas: 1 - minReadySeconds: 10 - template: - metadata: - labels: - app: busybox - spec: - containers: - - image: busybox:v1.35 - name: busybox - command: - - "sleep" - - "3000" diff --git a/best-practices/disallow_latest_tag/e2e/01-policy.yaml b/best-practices/disallow_latest_tag/e2e/01-policy.yaml deleted file mode 100644 index 438b96f1..00000000 --- a/best-practices/disallow_latest_tag/e2e/01-policy.yaml +++ /dev/null @@ -1,6 +0,0 @@ -apiVersion: kuttl.dev/v1beta1 -kind: TestStep -apply: -- ../disallow_latest_tag.yaml -assert: -- policy-assert.yaml diff --git a/best-practices/disallow_latest_tag/e2e/02-enforce.yaml b/best-practices/disallow_latest_tag/e2e/02-enforce.yaml deleted file mode 100644 index 15c83f00..00000000 --- a/best-practices/disallow_latest_tag/e2e/02-enforce.yaml +++ /dev/null @@ -1,5 +0,0 @@ -apiVersion: kuttl.dev/v1beta1 -kind: TestStep -commands: -- script: | - sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../disallow_latest_tag.yaml | kubectl apply -f - 
diff --git a/best-practices/disallow_latest_tag/e2e/04-manifests.yaml b/best-practices/disallow_latest_tag/e2e/04-manifests.yaml deleted file mode 100644 index 08db99a2..00000000 --- a/best-practices/disallow_latest_tag/e2e/04-manifests.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: kuttl.dev/v1beta1 -kind: TestStep -apply: -- file: good-pod.yaml - shouldFail: false -- file: bad-pod-latest-fail-first.yaml - shouldFail: true -- file: bad-pod-latest-success-first.yaml - shouldFail: true -- file: bad-pod-no-tag.yaml - shouldFail: true diff --git a/best-practices/disallow_latest_tag/e2e/99-delete.yaml b/best-practices/disallow_latest_tag/e2e/99-delete.yaml deleted file mode 100644 index a4aa5b4c..00000000 --- a/best-practices/disallow_latest_tag/e2e/99-delete.yaml +++ /dev/null @@ -1,6 +0,0 @@ -apiVersion: kuttl.dev/v1beta1 -kind: TestStep -delete: -- apiVersion: kyverno.io/v1 - kind: ClusterPolicy - name: disallow-latest-tag diff --git a/best-practices/disallow_latest_tag/e2e/bad-pod-latest-fail-first.yaml b/best-practices/disallow_latest_tag/e2e/bad-pod-latest-fail-first.yaml deleted file mode 100644 index 8747e486..00000000 --- a/best-practices/disallow_latest_tag/e2e/bad-pod-latest-fail-first.yaml +++ /dev/null @@ -1,10 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: badpod-latest -spec: - containers: - - name: busybox - image: busybox:latest - - name: nginx - image: nginx:1.35 diff --git a/best-practices/disallow_latest_tag/e2e/bad-pod-latest-success-first.yaml b/best-practices/disallow_latest_tag/e2e/bad-pod-latest-success-first.yaml deleted file mode 100644 index 34ca06eb..00000000 --- a/best-practices/disallow_latest_tag/e2e/bad-pod-latest-success-first.yaml +++ /dev/null @@ -1,10 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: badpod-latest -spec: - containers: - - name: nginx - image: nginx:1.35 - - name: busybox - image: busybox:latest 
diff --git a/best-practices/disallow_latest_tag/e2e/bad-pod-no-tag.yaml b/best-practices/disallow_latest_tag/e2e/bad-pod-no-tag.yaml deleted file mode 100644 index 4b925e67..00000000 --- a/best-practices/disallow_latest_tag/e2e/bad-pod-no-tag.yaml +++ /dev/null @@ -1,32 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: badpod-no-tag -spec: - containers: - - name: busybox - image: busybox - - name: nginx - image: nginx:1.35 ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod-no-tag -spec: - containers: - - name: nginx - image: nginx:1.35 - - name: busybox - image: busybox ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod-no-tag -spec: - containers: - - name: busybox - image: busybox - - name: nginx - image: nginx:latest diff --git a/best-practices/disallow_latest_tag/e2e/good-pod.yaml b/best-practices/disallow_latest_tag/e2e/good-pod.yaml deleted file mode 100644 index 142b4d84..00000000 --- a/best-practices/disallow_latest_tag/e2e/good-pod.yaml +++ /dev/null @@ -1,8 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: goodpod-ht -spec: - containers: - - name: busybox - image: busybox:v1.35 diff --git a/best-practices/require_drop_all/e2e/01-policy.yaml b/best-practices/require_drop_all/e2e/01-policy.yaml deleted file mode 100644 index d6c06215..00000000 --- a/best-practices/require_drop_all/e2e/01-policy.yaml +++ /dev/null @@ -1,6 +0,0 @@ -apiVersion: kuttl.dev/v1beta1 -kind: TestStep -apply: -- ../require_drop_all.yaml -assert: -- policy-assert.yaml diff --git a/best-practices/require_drop_all/e2e/02-enforce.yaml b/best-practices/require_drop_all/e2e/02-enforce.yaml deleted file mode 100644 index 4893266a..00000000 --- a/best-practices/require_drop_all/e2e/02-enforce.yaml +++ /dev/null @@ -1,5 +0,0 @@ -apiVersion: kuttl.dev/v1beta1 -kind: TestStep -commands: -- script: | - sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../require_drop_all.yaml | kubectl apply -f - 
diff --git a/best-practices/require_drop_all/e2e/04-manifests.yaml b/best-practices/require_drop_all/e2e/04-manifests.yaml deleted file mode 100644 index 4e786966..00000000 --- a/best-practices/require_drop_all/e2e/04-manifests.yaml +++ /dev/null @@ -1,15 +0,0 @@ -apiVersion: kuttl.dev/v1beta1 -kind: TestStep -apply: -- file: good-pod.yaml - shouldFail: false -- file: good-podcontrollers.yaml - shouldFail: false -- file: bad-pod-containers.yaml - shouldFail: true -- file: bad-pod-initcontainers.yaml - shouldFail: true -- file: bad-pod-corner.yaml - shouldFail: true -- file: bad-podcontrollers.yaml - shouldFail: true diff --git a/best-practices/require_drop_all/e2e/99-delete.yaml b/best-practices/require_drop_all/e2e/99-delete.yaml deleted file mode 100644 index 9bd68940..00000000 --- a/best-practices/require_drop_all/e2e/99-delete.yaml +++ /dev/null @@ -1,6 +0,0 @@ -apiVersion: kuttl.dev/v1beta1 -kind: TestStep -delete: -- apiVersion: kyverno.io/v1 - kind: ClusterPolicy - name: drop-all-capabilities diff --git a/best-practices/require_drop_all/e2e/bad-pod-containers.yaml b/best-practices/require_drop_all/e2e/bad-pod-containers.yaml deleted file mode 100644 index 8843ab22..00000000 --- a/best-practices/require_drop_all/e2e/bad-pod-containers.yaml +++ /dev/null 
@@ -1,61 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: add-capabilities-bad -spec: - initContainers: - - name: init - image: busybox:1.35 - securityContext: - capabilities: - add: ["SYS_TIME"] - drop: - - ALL - - name: init2 - image: busybox:1.35 - securityContext: - capabilities: - add: ["SYS_TIME"] - drop: - - ALL - containers: - - name: add-capabilities - image: busybox:1.35 - securityContext: - capabilities: - add: ["SYS_TIME"] - drop: - - ALL - - name: add-capabilities-again - image: busybox:1.35 ---- -apiVersion: v1 -kind: Pod -metadata: - name: add-capabilities-bad -spec: - initContainers: - - name: init - image: busybox:1.35 - securityContext: - capabilities: - add: ["SYS_TIME"] - drop: - - ALL - - name: init2 - image: busybox:1.35 - securityContext: - capabilities: - add: ["SYS_TIME"] - drop: - - ALL - containers: - - name: add-capabilities-again - image: busybox:1.35 - - name: add-capabilities - image: busybox:1.35 - securityContext: - capabilities: - add: ["SYS_TIME"] - drop: - - ALL diff --git a/best-practices/require_drop_all/e2e/bad-pod-corner.yaml b/best-practices/require_drop_all/e2e/bad-pod-corner.yaml deleted file mode 100644 index 370608f8..00000000 --- a/best-practices/require_drop_all/e2e/bad-pod-corner.yaml +++ /dev/null 
@@ -1,54 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: add-capabilities-bad -spec: - containers: - - name: add-capabilities - image: busybox:1.35 - securityContext: - capabilities: - add: ["SYS_TIME"] - drop: - - ALL - - name: add-capabilities - image: busybox:1.35 - securityContext: - capabilities: - add: ["SYS_TIME"] - drop: - - ["CAP_NET_RAW"] ---- -apiVersion: v1 -kind: Pod -metadata: - name: add-capabilities-bad -spec: - containers: - - name: add-capabilities - image: busybox:1.35 - securityContext: - capabilities: - add: ["SYS_TIME"] - - name: add-capabilities - image: busybox:1.35 - securityContext: - capabilities: - add: ["SYS_TIME"] - drop: - - ALL ---- -apiVersion: v1 -kind: Pod -metadata: - name: add-capabilities-good -spec: - containers: - - name: init - image: busybox:1.35 - securityContext: - capabilities: - drop: - - ALL - - name: init-again - image: busybox:1.35 diff --git a/best-practices/require_drop_all/e2e/bad-pod-initcontainers.yaml b/best-practices/require_drop_all/e2e/bad-pod-initcontainers.yaml deleted file mode 100644 index c6a0e3ec..00000000 --- a/best-practices/require_drop_all/e2e/bad-pod-initcontainers.yaml +++ /dev/null @@ -1,47 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: add-capabilities-bad -spec: - initContainers: - - name: init - image: busybox:1.35 - securityContext: - capabilities: - add: ["SYS_TIME"] - drop: - - ALL - - name: init2 - image: busybox:1.35 - containers: - - name: add-capabilities - image: busybox:1.35 - securityContext: - capabilities: - add: ["SYS_TIME"] - drop: - - ALL ---- -apiVersion: v1 -kind: Pod -metadata: - name: add-capabilities-bad -spec: - initContainers: - - name: init - image: busybox:1.35 - - name: init2 - image: busybox:1.35 - securityContext: - capabilities: - add: ["SYS_TIME"] - drop: - - ALL - containers: - - name: add-capabilities - image: busybox:1.35 - securityContext: - capabilities: - add: ["SYS_TIME"] - drop: - - ALL 
diff --git a/best-practices/require_drop_all/e2e/bad-podcontrollers.yaml b/best-practices/require_drop_all/e2e/bad-podcontrollers.yaml deleted file mode 100644 index d5e93a82..00000000 --- a/best-practices/require_drop_all/e2e/bad-podcontrollers.yaml +++ /dev/null 
@@ -1,153 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: dropall-baddeployment01 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: init - image: busybox:1.35 - securityContext: - capabilities: - add: ["SYS_TIME"] - drop: - - ALL - - name: init2 - image: busybox:1.35 - securityContext: - capabilities: - add: ["SYS_TIME"] - drop: - - ALL - containers: - - name: add-capabilities - image: busybox:1.35 - securityContext: - capabilities: - add: ["SYS_TIME"] - drop: - - ALL - - name: add-capabilities-again - image: busybox:1.35 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: dropall-baddeployment02 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: init - image: busybox:1.35 - securityContext: - capabilities: - add: ["SYS_TIME"] - drop: - - ALL - - name: init2 - image: busybox:1.35 - containers: - - name: add-capabilities - image: busybox:1.35 - securityContext: - capabilities: - add: ["SYS_TIME"] - drop: - - ALL - - name: add-capabilities-again - image: busybox:1.35 - securityContext: - capabilities: - add: ["SYS_TIME"] - drop: - - ALL ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: dropall-badcronjob01 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: init - image: busybox:1.35 - securityContext: - capabilities: - add: ["SYS_TIME"] - drop: - - ALL - - name: init2 - image: busybox:1.35 - containers: - - name: add-capabilities - image: busybox:1.35 - securityContext: - capabilities: - add: ["SYS_TIME"] - drop: - - ALL - - name: add-capabilities-again - image: busybox:1.35 - securityContext: - capabilities: - add: ["SYS_TIME"] - drop: - - ALL ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: dropall-badcronjob02 -spec: - schedule: "*/1 * * * *" - jobTemplate: - 
spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: init - image: busybox:1.35 - securityContext: - capabilities: - add: ["SYS_TIME"] - drop: - - ALL - - name: init2 - image: busybox:1.35 - securityContext: - capabilities: - add: ["SYS_TIME"] - drop: - - ALL - containers: - - name: add-capabilities - image: busybox:1.35 - securityContext: - capabilities: - add: ["SYS_TIME"] - drop: - - ALL - - name: add-capabilities-again - image: busybox:1.35 diff --git a/best-practices/require_drop_all/e2e/good-pod.yaml b/best-practices/require_drop_all/e2e/good-pod.yaml deleted file mode 100644 index 36672e51..00000000 --- a/best-practices/require_drop_all/e2e/good-pod.yaml +++ /dev/null @@ -1,27 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: add-capabilities-good -spec: - initContainers: - - name: init - image: busybox:1.35 - securityContext: - capabilities: - drop: - - ALL - containers: - - name: add-capabilities - image: busybox:1.35 - securityContext: - capabilities: - add: ["SYS_TIME"] - drop: - - ALL - - name: add-capabilities-again - image: busybox:1.35 - securityContext: - capabilities: - add: ["SYS_TIME"] - drop: - - ALL diff --git a/best-practices/require_drop_all/e2e/good-podcontrollers.yaml b/best-practices/require_drop_all/e2e/good-podcontrollers.yaml deleted file mode 100644 index ba02364a..00000000 --- a/best-practices/require_drop_all/e2e/good-podcontrollers.yaml +++ /dev/null 
@@ -1,86 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: dropall-gooddeployment01 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: init - image: busybox:1.35 - securityContext: - capabilities: - add: ["SYS_TIME"] - drop: - - ALL - - name: init2 - image: busybox:1.35 - securityContext: - capabilities: - add: ["SYS_TIME"] - drop: - - ALL - containers: - - name: add-capabilities - image: busybox:1.35 - securityContext: - capabilities: - add: ["SYS_TIME"] - drop: - - ALL - - name: add-capabilities-again - image: busybox:1.35 - securityContext: - capabilities: - add: ["SYS_TIME"] - drop: - - ALL ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: dropall-goodcronjob01 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: init - image: busybox:1.35 - securityContext: - capabilities: - add: ["SYS_TIME"] - drop: - - ALL - - name: init2 - image: busybox:1.35 - securityContext: - capabilities: - add: ["SYS_TIME"] - drop: - - ALL - containers: - - name: add-capabilities - image: busybox:1.35 - securityContext: - capabilities: - add: ["SYS_TIME"] - drop: - - ALL - - name: add-capabilities-again - image: busybox:1.35 - securityContext: - capabilities: - add: ["SYS_TIME"] - drop: - - ALL diff --git a/best-practices/require_drop_cap_net_raw/e2e/01-policy.yaml b/best-practices/require_drop_cap_net_raw/e2e/01-policy.yaml deleted file mode 100644 index ffe7eda0..00000000 --- a/best-practices/require_drop_cap_net_raw/e2e/01-policy.yaml +++ /dev/null @@ -1,6 +0,0 @@ -apiVersion: kuttl.dev/v1beta1 -kind: TestStep -apply: -- ../require_drop_cap_net_raw.yaml -assert: -- policy-assert.yaml diff --git a/best-practices/require_drop_cap_net_raw/e2e/02-enforce.yaml b/best-practices/require_drop_cap_net_raw/e2e/02-enforce.yaml deleted file mode 100644 index 88bfa5d5..00000000 
--- a/best-practices/require_drop_cap_net_raw/e2e/02-enforce.yaml +++ /dev/null @@ -1,5 +0,0 @@ -apiVersion: kuttl.dev/v1beta1 -kind: TestStep -commands: -- script: | - sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../require_drop_cap_net_raw.yaml | kubectl apply -f - diff --git a/best-practices/require_drop_cap_net_raw/e2e/04-manifests.yaml b/best-practices/require_drop_cap_net_raw/e2e/04-manifests.yaml deleted file mode 100644 index 4e786966..00000000 --- a/best-practices/require_drop_cap_net_raw/e2e/04-manifests.yaml +++ /dev/null @@ -1,15 +0,0 @@ -apiVersion: kuttl.dev/v1beta1 -kind: TestStep -apply: -- file: good-pod.yaml - shouldFail: false -- file: good-podcontrollers.yaml - shouldFail: false -- file: bad-pod-containers.yaml - shouldFail: true -- file: bad-pod-initcontainers.yaml - shouldFail: true -- file: bad-pod-corner.yaml - shouldFail: true -- file: bad-podcontrollers.yaml - shouldFail: true diff --git a/best-practices/require_drop_cap_net_raw/e2e/99-delete.yaml b/best-practices/require_drop_cap_net_raw/e2e/99-delete.yaml deleted file mode 100644 index 65e3f7b5..00000000 --- a/best-practices/require_drop_cap_net_raw/e2e/99-delete.yaml +++ /dev/null @@ -1,6 +0,0 @@ -apiVersion: kuttl.dev/v1beta1 -kind: TestStep -delete: -- apiVersion: kyverno.io/v1 - kind: ClusterPolicy - name: drop-cap-net-raw diff --git a/best-practices/require_drop_cap_net_raw/e2e/bad-pod-containers.yaml b/best-practices/require_drop_cap_net_raw/e2e/bad-pod-containers.yaml deleted file mode 100644 index 98055082..00000000 --- a/best-practices/require_drop_cap_net_raw/e2e/bad-pod-containers.yaml +++ /dev/null 
@@ -1,61 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: drop-capnetraw-bad01 -spec: - initContainers: - - name: init - image: busybox:1.35 - securityContext: - capabilities: - add: ["SYS_TIME"] - drop: - - CAP_NET_RAW - - name: init2 - image: busybox:1.35 - securityContext: - capabilities: - add: ["SYS_TIME"] - drop: - - CAP_NET_RAW - containers: - - name: add-capabilities - image: busybox:1.35 - securityContext: - capabilities: - add: ["SYS_TIME"] - drop: - - CAP_NET_RAW - - name: add-capabilities-again - image: busybox:1.35 ---- -apiVersion: v1 -kind: Pod -metadata: - name: drop-capnetraw-bad02 -spec: - initContainers: - - name: init - image: busybox:1.35 - securityContext: - capabilities: - add: ["SYS_TIME"] - drop: - - CAP_NET_RAW - - name: init2 - image: busybox:1.35 - securityContext: - capabilities: - add: ["SYS_TIME"] - drop: - - CAP_NET_RAW - containers: - - name: add-capabilities-again - image: busybox:1.35 - - name: add-capabilities - image: busybox:1.35 - securityContext: - capabilities: - add: ["SYS_TIME"] - drop: - - CAP_NET_RAW diff --git a/best-practices/require_drop_cap_net_raw/e2e/bad-pod-corner.yaml b/best-practices/require_drop_cap_net_raw/e2e/bad-pod-corner.yaml deleted file mode 100644 index 9834e636..00000000 --- a/best-practices/require_drop_cap_net_raw/e2e/bad-pod-corner.yaml +++ /dev/null 
@@ -1,51 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: add-capabilities-bad -spec: - containers: - - name: add-capabilities - image: busybox:1.35 - securityContext: - capabilities: - drop: - - CAP_NET_RAW - - name: add-capabilities - image: busybox:1.35 - securityContext: - capabilities: - drop: - - CAP_NET_RAW ---- -apiVersion: v1 -kind: Pod -metadata: - name: add-capabilities-bad -spec: - containers: - - name: add-capabilities - image: busybox:1.35 - securityContext: - capabilities: - add: ["SYS_TIME"] - - name: add-capabilities - image: busybox:1.35 - securityContext: - capabilities: - drop: - - CAP_NET_RAW ---- -apiVersion: v1 -kind: Pod -metadata: - name: add-capabilities-good -spec: - containers: - - name: init - image: busybox:1.35 - securityContext: - capabilities: - drop: - - CAP_NET_RAW - - name: init-again - image: busybox:1.35 diff --git a/best-practices/require_drop_cap_net_raw/e2e/bad-pod-initcontainers.yaml b/best-practices/require_drop_cap_net_raw/e2e/bad-pod-initcontainers.yaml deleted file mode 100644 index dba8a40b..00000000 --- a/best-practices/require_drop_cap_net_raw/e2e/bad-pod-initcontainers.yaml +++ /dev/null @@ -1,47 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: add-capabilities-bad -spec: - initContainers: - - name: init - image: busybox:1.35 - securityContext: - capabilities: - add: ["SYS_TIME"] - drop: - - CAP_NET_RAW - - name: init2 - image: busybox:1.35 - containers: - - name: add-capabilities - image: busybox:1.35 - securityContext: - capabilities: - add: ["SYS_TIME"] - drop: - - CAP_NET_RAW ---- -apiVersion: v1 -kind: Pod -metadata: - name: add-capabilities-bad -spec: - initContainers: - - name: init - image: busybox:1.35 - - name: init2 - image: busybox:1.35 - securityContext: - capabilities: - add: ["SYS_TIME"] - drop: - - CAP_NET_RAW - containers: - - name: add-capabilities - image: busybox:1.35 - securityContext: - capabilities: - add: ["SYS_TIME"] - drop: - - CAP_NET_RAW 
diff --git a/best-practices/require_drop_cap_net_raw/e2e/bad-podcontrollers.yaml b/best-practices/require_drop_cap_net_raw/e2e/bad-podcontrollers.yaml
deleted file mode 100644
index 7bf7d963..00000000
--- a/best-practices/require_drop_cap_net_raw/e2e/bad-podcontrollers.yaml
+++ /dev/null
@@ -1,153 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: dropall-baddeployment01 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: init - image: busybox:1.35 - securityContext: - capabilities: - add: ["SYS_TIME"] - drop: - - CAP_NET_RAW - - name: init2 - image: busybox:1.35 - securityContext: - capabilities: - add: ["SYS_TIME"] - drop: - - CAP_NET_RAW - containers: - - name: add-capabilities - image: busybox:1.35 - securityContext: - capabilities: - add: ["SYS_TIME"] - drop: - - CAP_NET_RAW - - name: add-capabilities-again - image: busybox:1.35 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: dropall-baddeployment02 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: init - image: busybox:1.35 - securityContext: - capabilities: - add: ["SYS_TIME"] - drop: - - CAP_NET_RAW - - name: init2 - image: busybox:1.35 - containers: - - name: add-capabilities - image: busybox:1.35 - securityContext: - capabilities: - add: ["SYS_TIME"] - drop: - - CAP_NET_RAW - - name: add-capabilities-again - image: busybox:1.35 - securityContext: - capabilities: - add: ["SYS_TIME"] - drop: - - CAP_NET_RAW ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: dropall-badcronjob01 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: init - image: busybox:1.35 - securityContext: - capabilities: - add: ["SYS_TIME"] - drop: - - CAP_NET_RAW - - name: init2 - image: busybox:1.35 - containers: - - name: add-capabilities - image: busybox:1.35 - securityContext: - capabilities: - add: ["SYS_TIME"] - drop: - - CAP_NET_RAW - - name: add-capabilities-again - image: busybox:1.35 - securityContext: - capabilities: - add: ["SYS_TIME"] - drop: - - CAP_NET_RAW ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - 
name: dropall-badcronjob02 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: init - image: busybox:1.35 - securityContext: - capabilities: - add: ["SYS_TIME"] - drop: - - CAP_NET_RAW - - name: init2 - image: busybox:1.35 - securityContext: - capabilities: - add: ["SYS_TIME"] - drop: - - CAP_NET_RAW - containers: - - name: add-capabilities - image: busybox:1.35 - securityContext: - capabilities: - add: ["SYS_TIME"] - drop: - - CAP_NET_RAW - - name: add-capabilities-again - image: busybox:1.35 diff --git a/best-practices/require_drop_cap_net_raw/e2e/good-pod.yaml b/best-practices/require_drop_cap_net_raw/e2e/good-pod.yaml deleted file mode 100644 index 0063c7c0..00000000 --- a/best-practices/require_drop_cap_net_raw/e2e/good-pod.yaml +++ /dev/null @@ -1,25 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: drop-capnetraw-good -spec: - initContainers: - - name: init - image: busybox:1.35 - securityContext: - capabilities: - drop: - - CAP_NET_RAW - containers: - - name: add-capabilities - image: busybox:1.35 - securityContext: - capabilities: - drop: - - CAP_NET_RAW - - name: add-capabilities-again - image: busybox:1.35 - securityContext: - capabilities: - drop: - - CAP_NET_RAW diff --git a/best-practices/require_drop_cap_net_raw/e2e/good-podcontrollers.yaml b/best-practices/require_drop_cap_net_raw/e2e/good-podcontrollers.yaml deleted file mode 100644 index ebe05d7f..00000000 --- a/best-practices/require_drop_cap_net_raw/e2e/good-podcontrollers.yaml +++ /dev/null 
@@ -1,86 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: dropcapnetraw-gooddeployment01 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: init - image: busybox:1.35 - securityContext: - capabilities: - add: ["SYS_TIME"] - drop: - - CAP_NET_RAW - - name: init2 - image: busybox:1.35 - securityContext: - capabilities: - add: ["SYS_TIME"] - drop: - - CAP_NET_RAW - containers: - - name: add-capabilities - image: busybox:1.35 - securityContext: - capabilities: - add: ["SYS_TIME"] - drop: - - CAP_NET_RAW - - name: add-capabilities-again - image: busybox:1.35 - securityContext: - capabilities: - add: ["SYS_TIME"] - drop: - - CAP_NET_RAW ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: dropcapnetraw-goodcronjob01 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: init - image: busybox:1.35 - securityContext: - capabilities: - add: ["SYS_TIME"] - drop: - - CAP_NET_RAW - - name: init2 - image: busybox:1.35 - securityContext: - capabilities: - add: ["SYS_TIME"] - drop: - - CAP_NET_RAW - containers: - - name: add-capabilities - image: busybox:1.35 - securityContext: - capabilities: - add: ["SYS_TIME"] - drop: - - CAP_NET_RAW - - name: add-capabilities-again - image: busybox:1.35 - securityContext: - capabilities: - add: ["SYS_TIME"] - drop: - - CAP_NET_RAW diff --git a/best-practices/require_labels/e2e/01-policy.yaml b/best-practices/require_labels/e2e/01-policy.yaml deleted file mode 100644 index 9694930f..00000000 --- a/best-practices/require_labels/e2e/01-policy.yaml +++ /dev/null @@ -1,6 +0,0 @@ -apiVersion: kuttl.dev/v1beta1 -kind: TestStep -apply: -- ../require_labels.yaml -assert: -- policy-assert.yaml diff --git a/best-practices/require_labels/e2e/02-enforce.yaml b/best-practices/require_labels/e2e/02-enforce.yaml deleted file mode 100644 index b04c0d7b..00000000 
--- a/best-practices/require_labels/e2e/02-enforce.yaml +++ /dev/null @@ -1,5 +0,0 @@ -apiVersion: kuttl.dev/v1beta1 -kind: TestStep -commands: -- script: | - sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../require_labels.yaml | kubectl apply -f - diff --git a/best-practices/require_labels/e2e/04-manifests.yaml b/best-practices/require_labels/e2e/04-manifests.yaml deleted file mode 100644 index 0a513c98..00000000 --- a/best-practices/require_labels/e2e/04-manifests.yaml +++ /dev/null @@ -1,13 +0,0 @@ -apiVersion: kuttl.dev/v1beta1 -kind: TestStep -apply: -- file: good-pods.yaml - shouldFail: false -- file: good-podcontrollers.yaml - shouldFail: false -- file: bad-pod-nolabel.yaml - shouldFail: true -- file: bad-pod-somelabel.yaml - shouldFail: true -- file: bad-podcontrollers.yaml - shouldFail: true diff --git a/best-practices/require_labels/e2e/99-delete.yaml b/best-practices/require_labels/e2e/99-delete.yaml deleted file mode 100644 index 36ddfef8..00000000 --- a/best-practices/require_labels/e2e/99-delete.yaml +++ /dev/null @@ -1,6 +0,0 @@ -apiVersion: kuttl.dev/v1beta1 -kind: TestStep -delete: -- apiVersion: kyverno.io/v1 - kind: ClusterPolicy - name: require-labels diff --git a/best-practices/require_labels/e2e/bad-pod-nolabel.yaml b/best-practices/require_labels/e2e/bad-pod-nolabel.yaml deleted file mode 100644 index a1427ea3..00000000 --- a/best-practices/require_labels/e2e/bad-pod-nolabel.yaml +++ /dev/null @@ -1,8 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: badpod-nolabel -spec: - containers: - - name: busybox - image: busybox:1.35 diff --git a/best-practices/require_labels/e2e/bad-pod-somelabel.yaml b/best-practices/require_labels/e2e/bad-pod-somelabel.yaml deleted file mode 100644 index b01774b6..00000000 --- a/best-practices/require_labels/e2e/bad-pod-somelabel.yaml +++ /dev/null 
@@ -1,10 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: badpod-somelabel - labels: - my.io/foo: bar -spec: - containers: - - name: busybox - image: busybox:1.35 diff --git a/best-practices/require_labels/e2e/bad-podcontrollers.yaml b/best-practices/require_labels/e2e/bad-podcontrollers.yaml deleted file mode 100644 index 732f37c1..00000000 --- a/best-practices/require_labels/e2e/bad-podcontrollers.yaml +++ /dev/null @@ -1,35 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: reqlabels-baddeployment01 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - foo: bar - spec: - containers: - - name: busybox - image: busybox:1.35 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: reqlabels-badcronjob01 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - metadata: - labels: - foo: bar - spec: - restartPolicy: OnFailure - containers: - - name: busybox - image: busybox:1.35 diff --git a/best-practices/require_labels/e2e/good-podcontrollers.yaml b/best-practices/require_labels/e2e/good-podcontrollers.yaml deleted file mode 100644 index 7d3866a5..00000000 --- a/best-practices/require_labels/e2e/good-podcontrollers.yaml +++ /dev/null @@ -1,38 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: reqlabels-gooddeployment01 -spec: - replicas: 1 - selector: - matchLabels: - foo: bar - app.kubernetes.io/name: bar - template: - metadata: - labels: - foo: bar - app.kubernetes.io/name: bar - spec: - containers: - - name: busybox - image: busybox:1.35 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: reqlabels-goodcronjob01 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - metadata: - labels: - foo: bar - app.kubernetes.io/name: bar - spec: - restartPolicy: OnFailure - containers: - - name: busybox - image: busybox:1.35 
diff --git a/best-practices/require_labels/e2e/good-pods.yaml b/best-practices/require_labels/e2e/good-pods.yaml deleted file mode 100644 index 0df55f78..00000000 --- a/best-practices/require_labels/e2e/good-pods.yaml +++ /dev/null @@ -1,22 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: goodpod01-label - labels: - app.kubernetes.io/name: busybox -spec: - containers: - - name: busybox - image: busybox:1.35 ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod02-label - labels: - foo: bar - app.kubernetes.io/name: busybox -spec: - containers: - - name: busybox - image: busybox:1.35 diff --git a/best-practices/require_pod_requests_limits/e2e/01-policy.yaml b/best-practices/require_pod_requests_limits/e2e/01-policy.yaml deleted file mode 100644 index 7d85d601..00000000 --- a/best-practices/require_pod_requests_limits/e2e/01-policy.yaml +++ /dev/null @@ -1,6 +0,0 @@ -apiVersion: kuttl.dev/v1beta1 -kind: TestStep -apply: -- ../require_pod_requests_limits.yaml -assert: -- policy-assert.yaml diff --git a/best-practices/require_pod_requests_limits/e2e/02-enforce.yaml b/best-practices/require_pod_requests_limits/e2e/02-enforce.yaml deleted file mode 100644 index 36a6a593..00000000 --- a/best-practices/require_pod_requests_limits/e2e/02-enforce.yaml +++ /dev/null @@ -1,5 +0,0 @@ -apiVersion: kuttl.dev/v1beta1 -kind: TestStep -commands: -- script: | - sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../require_pod_requests_limits.yaml | kubectl apply -f - diff --git a/best-practices/require_pod_requests_limits/e2e/03-enforce-policy-assert.yaml b/best-practices/require_pod_requests_limits/e2e/03-enforce-policy-assert.yaml deleted file mode 100644 index b548f413..00000000 --- a/best-practices/require_pod_requests_limits/e2e/03-enforce-policy-assert.yaml +++ /dev/null 
@@ -1,11 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: require-requests-limits -spec: - validationFailureAction: enforce -status: - conditions: - - reason: Succeeded - status: "True" - type: Ready diff --git a/best-practices/require_pod_requests_limits/e2e/04-manifests.yaml b/best-practices/require_pod_requests_limits/e2e/04-manifests.yaml deleted file mode 100644 index 3f4a3cc0..00000000 --- a/best-practices/require_pod_requests_limits/e2e/04-manifests.yaml +++ /dev/null @@ -1,15 +0,0 @@ -apiVersion: kuttl.dev/v1beta1 -kind: TestStep -apply: -- file: good-pods.yaml - shouldFail: false -- file: good-podcontrollers.yaml - shouldFail: false -- file: bad-pod-nolimit.yaml - shouldFail: true -- file: bad-pod-nores.yaml - shouldFail: true -- file: bad-pod-nothing.yaml - shouldFail: true -- file: bad-podcontrollers.yaml - shouldFail: true diff --git a/best-practices/require_pod_requests_limits/e2e/99-delete.yaml b/best-practices/require_pod_requests_limits/e2e/99-delete.yaml deleted file mode 100644 index 74621378..00000000 --- a/best-practices/require_pod_requests_limits/e2e/99-delete.yaml +++ /dev/null @@ -1,6 +0,0 @@ -apiVersion: kuttl.dev/v1beta1 -kind: TestStep -delete: -- apiVersion: kyverno.io/v1 - kind: ClusterPolicy - name: require-requests-limits diff --git a/best-practices/require_pod_requests_limits/e2e/bad-pod-nolimit.yaml b/best-practices/require_pod_requests_limits/e2e/bad-pod-nolimit.yaml deleted file mode 100644 index d8d9045f..00000000 --- a/best-practices/require_pod_requests_limits/e2e/bad-pod-nolimit.yaml +++ /dev/null @@ -1,14 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: badpod-nolimit - labels: - app: myapp -spec: - containers: - - name: busybox - image: busybox:1.35 - resources: - requests: - memory: "256Mi" - cpu: "0.5" 
diff --git a/best-practices/require_pod_requests_limits/e2e/bad-pod-nores.yaml b/best-practices/require_pod_requests_limits/e2e/bad-pod-nores.yaml deleted file mode 100644 index 7d694f31..00000000 --- a/best-practices/require_pod_requests_limits/e2e/bad-pod-nores.yaml +++ /dev/null @@ -1,37 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: badpod-nores - labels: - app: myapp -spec: - containers: - - name: busybox - image: busybox:1.35 - - name: busybox-again - image: busybox:1.35 - resources: - requests: - memory: "256Mi" - cpu: "0.5" - limits: - memory: "256Mi" ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod-nores - labels: - app: myapp -spec: - containers: - - name: busybox - image: busybox:1.35 - resources: - requests: - memory: "256Mi" - cpu: "0.5" - limits: - memory: "256Mi" - - name: busybox-again - image: busybox:1.35 diff --git a/best-practices/require_pod_requests_limits/e2e/bad-pod-nothing.yaml b/best-practices/require_pod_requests_limits/e2e/bad-pod-nothing.yaml deleted file mode 100644 index 7baca6ba..00000000 --- a/best-practices/require_pod_requests_limits/e2e/bad-pod-nothing.yaml +++ /dev/null @@ -1,11 +0,0 @@ - -apiVersion: v1 -kind: Pod -metadata: - name: badpod-nothing - labels: - app: myapp -spec: - containers: - - name: busybox - image: busybox:v1.35 diff --git a/best-practices/require_pod_requests_limits/e2e/bad-podcontrollers.yaml b/best-practices/require_pod_requests_limits/e2e/bad-podcontrollers.yaml deleted file mode 100644 index f0fbe1b7..00000000 --- a/best-practices/require_pod_requests_limits/e2e/bad-podcontrollers.yaml +++ /dev/null 
@@ -1,48 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: reqpodlimits-baddeployment01 -spec: - replicas: 1 - selector: - matchLabels: - foo: bar - template: - metadata: - labels: - foo: bar - spec: - containers: - - name: busybox - image: busybox - - name: busybox-again - image: busybox - resources: - requests: - memory: "50Mi" - cpu: "100m" - limits: - memory: "100Mi" ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: reqpodlimits-badcronjob01 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: busybox - image: busybox - - name: busybox-again - image: busybox - resources: - requests: - memory: "50Mi" - cpu: "100m" - limits: - memory: "100Mi" diff --git a/best-practices/require_pod_requests_limits/e2e/good-podcontrollers.yaml b/best-practices/require_pod_requests_limits/e2e/good-podcontrollers.yaml deleted file mode 100644 index a94b57bf..00000000 --- a/best-practices/require_pod_requests_limits/e2e/good-podcontrollers.yaml +++ /dev/null @@ -1,60 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: reqpodlimits-gooddeployment01 -spec: - replicas: 1 - selector: - matchLabels: - foo: bar - template: - metadata: - labels: - foo: bar - spec: - containers: - - name: busybox - image: busybox - resources: - requests: - memory: "50Mi" - cpu: "100m" - limits: - memory: "100Mi" - - name: busybox-again - image: busybox - resources: - requests: - memory: "50Mi" - cpu: "100m" - limits: - memory: "100Mi" ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: reqpodlimits-goodcronjob01 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: busybox - image: busybox - resources: - requests: - memory: "50Mi" - cpu: "100m" - limits: - memory: "100Mi" - - name: busybox-again - image: busybox - resources: - requests: - memory: "50Mi" - cpu: "100m" - limits: - memory: "100Mi" 
diff --git a/best-practices/require_pod_requests_limits/e2e/good-pods.yaml b/best-practices/require_pod_requests_limits/e2e/good-pods.yaml deleted file mode 100644 index 50f8779b..00000000 --- a/best-practices/require_pod_requests_limits/e2e/good-pods.yaml +++ /dev/null @@ -1,41 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: goodpod01 - labels: - app: myapp -spec: - containers: - - name: busybox - image: busybox - resources: - requests: - memory: "50Mi" - cpu: "100m" - limits: - memory: "100Mi" ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod02 - labels: - app: myapp -spec: - containers: - - name: busybox - image: busybox - resources: - requests: - memory: "50Mi" - cpu: "100m" - limits: - memory: "100Mi" - - name: busybox-again - image: busybox - resources: - requests: - memory: "50Mi" - cpu: "100m" - limits: - memory: "100Mi" diff --git a/best-practices/require_pod_requests_limits/e2e/policy-assert.yaml b/best-practices/require_pod_requests_limits/e2e/policy-assert.yaml deleted file mode 100644 index 1da12606..00000000 --- a/best-practices/require_pod_requests_limits/e2e/policy-assert.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: require-requests-limits -spec: - validationFailureAction: audit -status: - conditions: - - reason: Succeeded - status: "True" - type: Ready diff --git a/best-practices/require_probes/e2e/01-policy.yaml b/best-practices/require_probes/e2e/01-policy.yaml deleted file mode 100644 index 164f5832..00000000 --- a/best-practices/require_probes/e2e/01-policy.yaml +++ /dev/null @@ -1,6 +0,0 @@ -apiVersion: kuttl.dev/v1beta1 -kind: TestStep -apply: -- ../require_probes.yaml -assert: -- policy-assert.yaml diff --git a/best-practices/require_probes/e2e/02-enforce.yaml b/best-practices/require_probes/e2e/02-enforce.yaml deleted file mode 100644 index b0da21ec..00000000 --- a/best-practices/require_probes/e2e/02-enforce.yaml +++ /dev/null 
@@ -1,5 +0,0 @@ -apiVersion: kuttl.dev/v1beta1 -kind: TestStep -commands: -- script: | - sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../require_probes.yaml | kubectl apply -f - diff --git a/best-practices/require_probes/e2e/03-enforce-policy-assert.yaml b/best-practices/require_probes/e2e/03-enforce-policy-assert.yaml deleted file mode 100644 index 1651a7fe..00000000 --- a/best-practices/require_probes/e2e/03-enforce-policy-assert.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: require-pod-probes -spec: - validationFailureAction: enforce -status: - conditions: - - reason: Succeeded - status: "True" - type: Ready diff --git a/best-practices/require_probes/e2e/04-manifests.yaml b/best-practices/require_probes/e2e/04-manifests.yaml deleted file mode 100644 index 38893873..00000000 --- a/best-practices/require_probes/e2e/04-manifests.yaml +++ /dev/null @@ -1,13 +0,0 @@ -apiVersion: kuttl.dev/v1beta1 -kind: TestStep -apply: -- file: good-pods.yaml - shouldFail: false -- file: good-podcontrollers.yaml - shouldFail: false -- file: bad-pod-nothing.yaml - shouldFail: true -- file: bad-pod-notall.yaml - shouldFail: true -- file: bad-podcontrollers.yaml - shouldFail: true diff --git a/best-practices/require_probes/e2e/05-pod-update.yaml b/best-practices/require_probes/e2e/05-pod-update.yaml deleted file mode 100644 index c177f63e..00000000 --- a/best-practices/require_probes/e2e/05-pod-update.yaml +++ /dev/null @@ -1,5 +0,0 @@ -apiVersion: kuttl.dev/v1beta1 -kind: TestStep -apply: -- file: bad-pod-update.yaml - shouldFail: true diff --git a/best-practices/require_probes/e2e/99-delete.yaml b/best-practices/require_probes/e2e/99-delete.yaml deleted file mode 100644 index 446c4a65..00000000 --- a/best-practices/require_probes/e2e/99-delete.yaml +++ /dev/null 
@@ -1,6 +0,0 @@ -apiVersion: kuttl.dev/v1beta1 -kind: TestStep -delete: -- apiVersion: kyverno.io/v1 - kind: ClusterPolicy - name: require-pod-probes diff --git a/best-practices/require_probes/e2e/bad-pod-notall.yaml b/best-practices/require_probes/e2e/bad-pod-notall.yaml deleted file mode 100644 index 469ce444..00000000 --- a/best-practices/require_probes/e2e/bad-pod-notall.yaml +++ /dev/null @@ -1,37 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: badpod02 - labels: - app: myapp -spec: - containers: - - name: busybox - image: busybox:1.35 - ports: - - containerPort: 8080 - readinessProbe: - tcpSocket: - port: 8080 - periodSeconds: 10 - - name: busybox - image: busybox:1.35 ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod03 - labels: - app: myapp -spec: - containers: - - name: busybox - image: busybox:1.35 - - name: busybox - image: busybox:1.35 - ports: - - containerPort: 8080 - readinessProbe: - tcpSocket: - port: 8080 - periodSeconds: 10 diff --git a/best-practices/require_probes/e2e/bad-pod-nothing.yaml b/best-practices/require_probes/e2e/bad-pod-nothing.yaml deleted file mode 100644 index 249e3954..00000000 --- a/best-practices/require_probes/e2e/bad-pod-nothing.yaml +++ /dev/null @@ -1,10 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: badpod01 - labels: - app: myapp -spec: - containers: - - name: busybox - image: busybox:1.35 diff --git a/best-practices/require_probes/e2e/bad-pod-update.yaml b/best-practices/require_probes/e2e/bad-pod-update.yaml deleted file mode 100644 index 22275d33..00000000 --- a/best-practices/require_probes/e2e/bad-pod-update.yaml +++ /dev/null @@ -1,10 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: goodpod01 - labels: - app: myapp -spec: - containers: - - name: evil-box - image: busybox:1.35 diff --git a/best-practices/require_probes/e2e/bad-podcontrollers.yaml b/best-practices/require_probes/e2e/bad-podcontrollers.yaml deleted file mode 100644 index 1a2f753f..00000000 
--- a/best-practices/require_probes/e2e/bad-podcontrollers.yaml +++ /dev/null @@ -1,23 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: reqprobes-baddeployment01 -spec: - replicas: 1 - selector: - matchLabels: - foo: bar - template: - metadata: - labels: - foo: bar - spec: - containers: - - name: busybox - image: busybox:1.35 - livenessProbe: - tcpSocket: - port: 7070 - periodSeconds: 20 - - name: busybox-again - image: busybox:1.35 diff --git a/best-practices/require_probes/e2e/good-podcontrollers.yaml b/best-practices/require_probes/e2e/good-podcontrollers.yaml deleted file mode 100644 index ee2bbaaa..00000000 --- a/best-practices/require_probes/e2e/good-podcontrollers.yaml +++ /dev/null @@ -1,27 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: reqprobes-gooddeployment01 -spec: - replicas: 1 - selector: - matchLabels: - foo: bar - template: - metadata: - labels: - foo: bar - spec: - containers: - - name: busybox - image: busybox:1.35 - livenessProbe: - tcpSocket: - port: 7070 - periodSeconds: 20 - - name: busybox-again - image: busybox:1.35 - readinessProbe: - tcpSocket: - port: 8080 - periodSeconds: 10 diff --git a/best-practices/require_probes/e2e/good-pods.yaml b/best-practices/require_probes/e2e/good-pods.yaml deleted file mode 100644 index 61faad23..00000000 --- a/best-practices/require_probes/e2e/good-pods.yaml +++ /dev/null 
@@ -1,49 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: goodpod01 - labels: - app: myapp -spec: - containers: - - name: busybox - image: busybox:1.35 - livenessProbe: - tcpSocket: - port: 7070 - periodSeconds: 20 ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod02 - labels: - app: myapp -spec: - containers: - - name: busybox - image: busybox:1.35 - livenessProbe: - tcpSocket: - port: 7070 - periodSeconds: 20 - - name: busybox-again - image: busybox:1.35 - readinessProbe: - tcpSocket: - port: 8080 - periodSeconds: 10 ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod03 - labels: - app: myapp -spec: - containers: - - name: busybox - image: busybox:1.35 - startupProbe: - grpc: - port: 8888 diff --git a/best-practices/require_ro_rootfs/e2e/01-policy.yaml b/best-practices/require_ro_rootfs/e2e/01-policy.yaml deleted file mode 100644 index f290dbe4..00000000 --- a/best-practices/require_ro_rootfs/e2e/01-policy.yaml +++ /dev/null @@ -1,6 +0,0 @@ -apiVersion: kuttl.dev/v1beta1 -kind: TestStep -apply: -- ../require_ro_rootfs.yaml -assert: -- policy-assert.yaml diff --git a/best-practices/require_ro_rootfs/e2e/02-enforce.yaml b/best-practices/require_ro_rootfs/e2e/02-enforce.yaml deleted file mode 100644 index a2d15479..00000000 --- a/best-practices/require_ro_rootfs/e2e/02-enforce.yaml +++ /dev/null @@ -1,5 +0,0 @@ -apiVersion: kuttl.dev/v1beta1 -kind: TestStep -commands: -- script: | - sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../require_ro_rootfs.yaml | kubectl apply -f - diff --git a/best-practices/require_ro_rootfs/e2e/03-enforce-policy-assert.yaml b/best-practices/require_ro_rootfs/e2e/03-enforce-policy-assert.yaml deleted file mode 100644 index eae542af..00000000 --- a/best-practices/require_ro_rootfs/e2e/03-enforce-policy-assert.yaml +++ /dev/null 
@@ -1,11 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: require-ro-rootfs -spec: - validationFailureAction: enforce -status: - conditions: - - reason: Succeeded - status: "True" - type: Ready diff --git a/best-practices/require_ro_rootfs/e2e/04-manifests.yaml b/best-practices/require_ro_rootfs/e2e/04-manifests.yaml deleted file mode 100644 index 8e467e3b..00000000 --- a/best-practices/require_ro_rootfs/e2e/04-manifests.yaml +++ /dev/null @@ -1,15 +0,0 @@ -apiVersion: kuttl.dev/v1beta1 -kind: TestStep -apply: -- file: good-pods.yaml - shouldFail: false -- file: good-podcontrollers.yaml - shouldFail: false -- file: bad-pod-nothing.yaml - shouldFail: true -- file: bad-pod-notall.yaml - shouldFail: true -- file: bad-pod-false.yaml - shouldFail: true -- file: bad-podcontrollers.yaml - shouldFail: true diff --git a/best-practices/require_ro_rootfs/e2e/99-delete.yaml b/best-practices/require_ro_rootfs/e2e/99-delete.yaml deleted file mode 100644 index 8c4b009d..00000000 --- a/best-practices/require_ro_rootfs/e2e/99-delete.yaml +++ /dev/null @@ -1,6 +0,0 @@ -apiVersion: kuttl.dev/v1beta1 -kind: TestStep -delete: -- apiVersion: kyverno.io/v1 - kind: ClusterPolicy - name: require-ro-rootfs diff --git a/best-practices/require_ro_rootfs/e2e/bad-pod-false.yaml b/best-practices/require_ro_rootfs/e2e/bad-pod-false.yaml deleted file mode 100644 index 7f8620cc..00000000 --- a/best-practices/require_ro_rootfs/e2e/bad-pod-false.yaml +++ /dev/null @@ -1,10 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: badpod01 -spec: - containers: - - name: busybox - image: busybox:1.35 - securityContext: - readOnlyRootFilesystem: false diff --git a/best-practices/require_ro_rootfs/e2e/bad-pod-notall.yaml b/best-practices/require_ro_rootfs/e2e/bad-pod-notall.yaml deleted file mode 100644 index 247753ac..00000000 --- a/best-practices/require_ro_rootfs/e2e/bad-pod-notall.yaml +++ /dev/null 
@@ -1,25 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: badpod-roroot -spec: - containers: - - name: busybox - image: busybox:1.35 - - name: busybox - image: busybox:1.35 - securityContext: - readOnlyRootFilesystem: true ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod-roroot -spec: - containers: - - name: busybox - image: busybox:1.35 - securityContext: - readOnlyRootFilesystem: true - - name: busybox - image: busybox:1.35 diff --git a/best-practices/require_ro_rootfs/e2e/bad-pod-nothing.yaml b/best-practices/require_ro_rootfs/e2e/bad-pod-nothing.yaml deleted file mode 100644 index 3ec7fbdf..00000000 --- a/best-practices/require_ro_rootfs/e2e/bad-pod-nothing.yaml +++ /dev/null @@ -1,8 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: badpod02-roroot -spec: - containers: - - name: busybox - image: busybox:1.35 diff --git a/best-practices/require_ro_rootfs/e2e/bad-podcontrollers.yaml b/best-practices/require_ro_rootfs/e2e/bad-podcontrollers.yaml deleted file mode 100644 index 2514c155..00000000 --- a/best-practices/require_ro_rootfs/e2e/bad-podcontrollers.yaml +++ /dev/null @@ -1,40 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: reqro-baddeployment01 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - foo: bar - spec: - containers: - - name: busybox - image: busybox:1.35 - - name: busybox-again - image: busybox:1.35 - securityContext: - readOnlyRootFilesystem: true ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: reqro-badcronjob01 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: busybox - image: busybox:1.35 - - name: busybox-again - image: busybox:1.35 - securityContext: - readOnlyRootFilesystem: true diff --git a/best-practices/require_ro_rootfs/e2e/good-podcontrollers.yaml b/best-practices/require_ro_rootfs/e2e/good-podcontrollers.yaml deleted file mode 100644 index e9b4520c..00000000 
--- a/best-practices/require_ro_rootfs/e2e/good-podcontrollers.yaml +++ /dev/null @@ -1,44 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: reqro-gooddeployment01 -spec: - replicas: 1 - selector: - matchLabels: - foo: bar - template: - metadata: - labels: - foo: bar - spec: - containers: - - name: busybox - image: busybox:1.35 - securityContext: - readOnlyRootFilesystem: true - - name: busybox-again - image: busybox:1.35 - securityContext: - readOnlyRootFilesystem: true ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: reqprobes-goodcronjob01 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: busybox - image: busybox:1.35 - securityContext: - readOnlyRootFilesystem: true - - name: busybox-again - image: busybox:1.35 - securityContext: - readOnlyRootFilesystem: true diff --git a/best-practices/require_ro_rootfs/e2e/good-pods.yaml b/best-practices/require_ro_rootfs/e2e/good-pods.yaml deleted file mode 100644 index 7374c2e9..00000000 --- a/best-practices/require_ro_rootfs/e2e/good-pods.yaml +++ /dev/null @@ -1,25 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: goodpod01-roroot -spec: - containers: - - name: busybox - image: busybox:1.35 - securityContext: - readOnlyRootFilesystem: true ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod02-roroot -spec: - containers: - - name: busybox - image: busybox:1.35 - securityContext: - readOnlyRootFilesystem: true - - name: busybox-again - image: busybox:1.35 - securityContext: - readOnlyRootFilesystem: true diff --git a/best-practices/restrict-service-external-ips/e2e/01-policy.yaml b/best-practices/restrict-service-external-ips/e2e/01-policy.yaml deleted file mode 100644 index a007c62c..00000000 --- a/best-practices/restrict-service-external-ips/e2e/01-policy.yaml +++ /dev/null 
@@ -1,6 +0,0 @@ -apiVersion: kuttl.dev/v1beta1 -kind: TestStep -apply: -- ../restrict-service-external-ips.yaml -assert: -- policy-assert.yaml diff --git a/best-practices/restrict-service-external-ips/e2e/02-enforce.yaml b/best-practices/restrict-service-external-ips/e2e/02-enforce.yaml deleted file mode 100644 index a734e53c..00000000 --- a/best-practices/restrict-service-external-ips/e2e/02-enforce.yaml +++ /dev/null @@ -1,5 +0,0 @@ -apiVersion: kuttl.dev/v1beta1 -kind: TestStep -commands: -- script: | - sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../restrict-service-external-ips.yaml | kubectl apply -f - diff --git a/best-practices/restrict-service-external-ips/e2e/03-enforce-policy-assert.yaml b/best-practices/restrict-service-external-ips/e2e/03-enforce-policy-assert.yaml deleted file mode 100644 index eee63ac5..00000000 --- a/best-practices/restrict-service-external-ips/e2e/03-enforce-policy-assert.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: restrict-external-ips -spec: - validationFailureAction: enforce -status: - conditions: - - reason: Succeeded - status: "True" - type: Ready diff --git a/best-practices/restrict-service-external-ips/e2e/04-manifests.yaml b/best-practices/restrict-service-external-ips/e2e/04-manifests.yaml deleted file mode 100644 index bdb861ee..00000000 --- a/best-practices/restrict-service-external-ips/e2e/04-manifests.yaml +++ /dev/null @@ -1,9 +0,0 @@ -apiVersion: kuttl.dev/v1beta1 -kind: TestStep -apply: -- file: good-services.yaml - shouldFail: false -- file: bad-service-oneip.yaml - shouldFail: true -- file: bad-service-twoeip.yaml - shouldFail: true diff --git a/best-practices/restrict-service-external-ips/e2e/99-delete.yaml b/best-practices/restrict-service-external-ips/e2e/99-delete.yaml deleted file mode 100644 index 6a60e4a3..00000000 --- a/best-practices/restrict-service-external-ips/e2e/99-delete.yaml +++ /dev/null 
@@ -1,6 +0,0 @@ -apiVersion: kuttl.dev/v1beta1 -kind: TestStep -delete: -- apiVersion: kyverno.io/v1 - kind: ClusterPolicy - name: restrict-external-ips diff --git a/best-practices/restrict-service-external-ips/e2e/bad-service-oneip.yaml b/best-practices/restrict-service-external-ips/e2e/bad-service-oneip.yaml deleted file mode 100644 index fff25953..00000000 --- a/best-practices/restrict-service-external-ips/e2e/bad-service-oneip.yaml +++ /dev/null @@ -1,13 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: badservice01-eip -spec: - selector: - app: MyApp - ports: - - protocol: TCP - port: 80 - targetPort: 9376 - externalIPs: - - 1.2.3.4 diff --git a/best-practices/restrict-service-external-ips/e2e/bad-service-twoeip.yaml b/best-practices/restrict-service-external-ips/e2e/bad-service-twoeip.yaml deleted file mode 100644 index 3935bcac..00000000 --- a/best-practices/restrict-service-external-ips/e2e/bad-service-twoeip.yaml +++ /dev/null @@ -1,14 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: badservice02-eip -spec: - selector: - app: MyApp - ports: - - protocol: TCP - port: 80 - targetPort: 9376 - externalIPs: - - 1.2.3.4 - - 37.10.11.53 diff --git a/best-practices/restrict-service-external-ips/e2e/good-services.yaml b/best-practices/restrict-service-external-ips/e2e/good-services.yaml deleted file mode 100644 index 010674ea..00000000 --- a/best-practices/restrict-service-external-ips/e2e/good-services.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: goodservice01-eip -spec: - selector: - app: MyApp - ports: - - protocol: TCP - port: 80 - targetPort: 9376 diff --git a/best-practices/restrict-service-external-ips/e2e/policy-assert.yaml b/best-practices/restrict-service-external-ips/e2e/policy-assert.yaml deleted file mode 100644 index 28aadd5c..00000000 --- a/best-practices/restrict-service-external-ips/e2e/policy-assert.yaml +++ /dev/null 
@@ -1,11 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: restrict-external-ips -spec: - validationFailureAction: audit -status: - conditions: - - reason: Succeeded - status: "True" - type: Ready diff --git a/best-practices/restrict_node_port/e2e/01-policy.yaml b/best-practices/restrict_node_port/e2e/01-policy.yaml deleted file mode 100644 index eb3e75aa..00000000 --- a/best-practices/restrict_node_port/e2e/01-policy.yaml +++ /dev/null @@ -1,6 +0,0 @@ -apiVersion: kuttl.dev/v1beta1 -kind: TestStep -apply: -- ../restrict_node_port.yaml -assert: -- policy-assert.yaml diff --git a/best-practices/restrict_node_port/e2e/02-enforce.yaml b/best-practices/restrict_node_port/e2e/02-enforce.yaml deleted file mode 100644 index bd97c9b7..00000000 --- a/best-practices/restrict_node_port/e2e/02-enforce.yaml +++ /dev/null @@ -1,5 +0,0 @@ -apiVersion: kuttl.dev/v1beta1 -kind: TestStep -commands: -- script: | - sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../restrict_node_port.yaml | kubectl apply -f - diff --git a/best-practices/restrict_node_port/e2e/03-enforce-policy-assert.yaml b/best-practices/restrict_node_port/e2e/03-enforce-policy-assert.yaml deleted file mode 100644 index 9625271e..00000000 --- a/best-practices/restrict_node_port/e2e/03-enforce-policy-assert.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: restrict-nodeport -spec: - validationFailureAction: enforce -status: - conditions: - - reason: Succeeded - status: "True" - type: Ready diff --git a/best-practices/restrict_node_port/e2e/04-manifests.yaml b/best-practices/restrict_node_port/e2e/04-manifests.yaml deleted file mode 100644 index 5ad5875f..00000000 --- a/best-practices/restrict_node_port/e2e/04-manifests.yaml +++ /dev/null @@ -1,7 +0,0 @@ -apiVersion: kuttl.dev/v1beta1 -kind: TestStep -apply: -- file: good-services.yaml - shouldFail: false -- file: bad-service-nodeport.yaml - shouldFail: true 
diff --git a/best-practices/restrict_node_port/e2e/99-delete.yaml b/best-practices/restrict_node_port/e2e/99-delete.yaml deleted file mode 100644 index c372736f..00000000 --- a/best-practices/restrict_node_port/e2e/99-delete.yaml +++ /dev/null @@ -1,6 +0,0 @@ -apiVersion: kuttl.dev/v1beta1 -kind: TestStep -delete: -- apiVersion: kyverno.io/v1 - kind: ClusterPolicy - name: restrict-nodeport diff --git a/best-practices/restrict_node_port/e2e/bad-service-nodeport.yaml b/best-practices/restrict_node_port/e2e/bad-service-nodeport.yaml deleted file mode 100644 index 4e99ea2b..00000000 --- a/best-practices/restrict_node_port/e2e/bad-service-nodeport.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: badservice01-np -spec: - ports: - - name: http - nodePort: 31080 - port: 80 - protocol: TCP - targetPort: 8080 - type: NodePort diff --git a/best-practices/restrict_node_port/e2e/good-services.yaml b/best-practices/restrict_node_port/e2e/good-services.yaml deleted file mode 100644 index 1acafde7..00000000 --- a/best-practices/restrict_node_port/e2e/good-services.yaml +++ /dev/null @@ -1,24 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: goodservice01-np -spec: - ports: - - name: http - port: 80 - protocol: TCP - targetPort: 8080 - type: ClusterIP ---- -apiVersion: v1 -kind: Service -metadata: - name: goodservice02-np -spec: - selector: - app: MyApp - ports: - - protocol: TCP - port: 80 - targetPort: 9376 - type: LoadBalancer diff --git a/kuttl-test.yaml b/kuttl-test.yaml deleted file mode 100644 index da371537..00000000 --- a/kuttl-test.yaml +++ /dev/null @@ -1,8 +0,0 @@ -apiVersion: kuttl.dev/v1beta1 -kind: TestSuite -testDirs: -- best-practices -startKIND: false -timeout: 90 -parallel: 1 -fullName: true diff --git a/pod-security/baseline/disallow-capabilities/e2e/bad-resource.yaml b/pod-security/baseline/disallow-capabilities/e2e/bad-resource.yaml new file mode 100644 index 00000000..63d8a5c0 --- /dev/null 
+++ b/pod-security/baseline/disallow-capabilities/e2e/bad-resource.yaml 
@@ -0,0 +1,417 @@ +###### Pods - Bad +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod01 +spec: + containers: + - name: container01 + image: nginx + securityContext: + capabilities: + add: + - NET_RAW +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod02 +spec: + containers: + - name: container01 + image: nginx + securityContext: + capabilities: + add: + - NET_RAW + - SETGID +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod03 +spec: + containers: + - name: container01 + image: nginx + securityContext: + capabilities: + add: + - NET_RAW + - name: container02 + image: nginx + securityContext: + capabilities: + add: + - SETGID +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod04 +spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + capabilities: + add: + - NET_RAW + containers: + - name: container01 + image: nginx + securityContext: + capabilities: + add: + - SETGID +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod05 +spec: + initContainers: + - name: initcontainer01 + image: nginx + - name: initcontainer02 + image: nginx + securityContext: + capabilities: + add: + - NET_RAW + containers: + - name: container01 + image: nginx + securityContext: + capabilities: + add: + - SETGID +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod06 +spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + capabilities: + add: + - NET_RAW + containers: + - name: container01 + image: nginx + securityContext: + capabilities: + add: + - SYS_ADMIN +--- +###### Deployments - Bad +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment01 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + securityContext: + capabilities: + add: + - NET_RAW +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment02 +spec: + replicas: 1 + selector: + matchLabels: 
+ app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + securityContext: + capabilities: + add: + - NET_RAW + - SETGID +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment03 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + securityContext: + capabilities: + add: + - NET_RAW + - name: container02 + image: nginx + securityContext: + capabilities: + add: + - SETGID +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment04 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + capabilities: + add: + - NET_RAW + containers: + - name: container01 + image: nginx + securityContext: + capabilities: + add: + - SETGID +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment05 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: nginx + - name: initcontainer02 + image: nginx + securityContext: + capabilities: + add: + - NET_RAW + containers: + - name: container01 + image: nginx + securityContext: + capabilities: + add: + - SETGID +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment06 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + capabilities: + add: + - NET_RAW + containers: + - name: container01 + image: nginx + securityContext: + capabilities: + add: + - SYS_ADMIN +--- +###### CronJobs - Bad +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob01 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: 
+ spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + securityContext: + capabilities: + add: + - NET_RAW +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob02 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + securityContext: + capabilities: + add: + - NET_RAW + - SETGID +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob03 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + securityContext: + capabilities: + add: + - NET_RAW + - name: container02 + image: nginx + securityContext: + capabilities: + add: + - SETGID +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob04 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + capabilities: + add: + - NET_RAW + containers: + - name: container01 + image: nginx + securityContext: + capabilities: + add: + - SETGID +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob05 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: nginx + - name: initcontainer02 + image: nginx + securityContext: + capabilities: + add: + - NET_RAW + containers: + - name: container01 + image: nginx + securityContext: + capabilities: + add: + - SETGID +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob06 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + capabilities: + add: + - NET_RAW + containers: + - name: container01 + image: nginx + securityContext: + 
capabilities: + add: + - SYS_ADMIN diff --git a/pod-security/baseline/disallow-capabilities/e2e/chainsaw-test.yaml b/pod-security/baseline/disallow-capabilities/e2e/chainsaw-test.yaml new file mode 100644 index 00000000..4ddcf7a2 --- /dev/null +++ b/pod-security/baseline/disallow-capabilities/e2e/chainsaw-test.yaml @@ -0,0 +1,24 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + name: disallow-capabilities-policy +spec: + steps: + - name: test-disallow-capabilities + try: + - apply: + file: ../disallow-capabilities.yaml + - assert: + file: policy-assert.yaml + - script: + content: | + sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../disallow-capabilities.yaml | kubectl apply -f - + - assert: + file: enforce-policy-assert.yaml + - apply: + file: good-resource.yaml + - apply: + expect: + - check: + ($error != null): true + file: bad-resource.yaml diff --git a/best-practices/disallow_latest_tag/e2e/03-enforce-policy-assert.yaml b/pod-security/baseline/disallow-capabilities/e2e/enforce-policy-assert.yaml similarity index 60% rename from best-practices/disallow_latest_tag/e2e/03-enforce-policy-assert.yaml rename to pod-security/baseline/disallow-capabilities/e2e/enforce-policy-assert.yaml index a990970e..0ed21cfe 100644 --- a/best-practices/disallow_latest_tag/e2e/03-enforce-policy-assert.yaml +++ b/pod-security/baseline/disallow-capabilities/e2e/enforce-policy-assert.yaml @@ -1,11 +1,11 @@ apiVersion: kyverno.io/v1 kind: ClusterPolicy metadata: - name: disallow-latest-tag + name: disallow-capabilities spec: - validationFailureAction: enforce + validationFailureAction: Enforce status: conditions: - reason: Succeeded status: "True" - type: Ready + type: Ready \ No newline at end of file diff --git a/pod-security/baseline/disallow-capabilities/e2e/good-resource.yaml b/pod-security/baseline/disallow-capabilities/e2e/good-resource.yaml new file mode 100644 index 00000000..a1b79b5c --- /dev/null 
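Review bot: Every negative fixture in this file adds the disallowed capability through `capabilities.add` alone on `containers`/`initContainers`; none pairs a disallowed `add` with `drop: [ALL]`, which is the shape hardened workloads actually take and the case most likely to be wrongly treated as compliant. I would add one more Pod (say `badpod07`) whose container `securityContext.capabilities` carries both `drop: [ALL]` and `add: [NET_RAW]`, so the test shows the policy judges `add` independently of `drop`. Whether the policy also matches `ephemeralContainers` cannot be seen from this diff, and a create-time fixture cannot exercise that path anyway, since to my knowledge the API server forbids `spec.ephemeralContainers` on Pod create — any such fixture would fail for a reason unrelated to the policy.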
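Review bot: The negative check `($error != null): true` on the bad-resource apply accepts any failure, so a fixture rejected by API-server validation, a missing namespace or a webhook timeout would make the test pass without the policy ever having denied anything. Since the whole purpose of the step is to prove the denial comes from this policy, the expect should pin the error text to it, e.g. `(contains($error, 'disallow-capabilities')): true`, which also catches the case where the `sed` step silently matched nothing because the policy file spells the action `Audit` rather than `audit` (the subsequent `enforce-policy-assert.yaml` would catch that too, but only if the assert runs before the negative apply). A short comment above the `expect` block saying the check must name the policy, not merely observe an error, would keep future tests from copying the weaker form.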
+++ b/pod-security/baseline/disallow-capabilities/e2e/good-resource.yaml 
@@ -0,0 +1,359 @@ +###### Pods - Good +apiVersion: v1 +kind: Pod +metadata: + name: goodpod01 +spec: + containers: + - name: container01 + image: nginx +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod02 +spec: + containers: + - name: container01 + image: nginx + securityContext: + capabilities: + add: + - SETGID +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod03 +spec: + containers: + - name: container01 + image: nginx + securityContext: + capabilities: + add: + - DAC_OVERRIDE + - name: container02 + image: nginx + securityContext: + capabilities: + add: + - SETGID +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod04 +spec: + initContainers: + - name: initcontainer01 + image: nginx + containers: + - name: container01 + image: nginx +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod05 +spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + capabilities: + add: + - DAC_OVERRIDE + containers: + - name: container01 + image: nginx +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod06 +spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + capabilities: + add: + - DAC_OVERRIDE + containers: + - name: container01 + image: nginx + securityContext: + capabilities: + add: + - SETGID +--- +###### Deployments - Good +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment01 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment02 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + securityContext: + capabilities: + add: + - SETGID +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment03 +spec: + replicas: 1 + selector: + matchLabels: + app: 
app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + securityContext: + capabilities: + add: + - DAC_OVERRIDE + - name: container02 + image: nginx + securityContext: + capabilities: + add: + - SETGID +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment04 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: nginx + containers: + - name: container01 + image: nginx +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment05 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + capabilities: + add: + - DAC_OVERRIDE + containers: + - name: container01 + image: nginx +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment06 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + capabilities: + add: + - DAC_OVERRIDE + containers: + - name: container01 + image: nginx + securityContext: + capabilities: + add: + - SETGID +--- +###### CronJobs - Good +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob01 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob02 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + securityContext: + capabilities: + add: + - SETGID +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob03 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: 
+ template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + securityContext: + capabilities: + add: + - DAC_OVERRIDE + - name: container02 + image: nginx + securityContext: + capabilities: + add: + - SETGID +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob04 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: nginx + containers: + - name: container01 + image: nginx +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob05 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + capabilities: + add: + - DAC_OVERRIDE + containers: + - name: container01 + image: nginx +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob06 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + capabilities: + add: + - DAC_OVERRIDE + containers: + - name: container01 + image: nginx + securityContext: + capabilities: + add: + - SETGID diff --git a/best-practices/require_drop_all/e2e/policy-assert.yaml b/pod-security/baseline/disallow-capabilities/e2e/policy-assert.yaml similarity index 85% rename from best-practices/require_drop_all/e2e/policy-assert.yaml rename to pod-security/baseline/disallow-capabilities/e2e/policy-assert.yaml index 383fdf6f..31587fd7 100644 --- a/best-practices/require_drop_all/e2e/policy-assert.yaml +++ b/pod-security/baseline/disallow-capabilities/e2e/policy-assert.yaml @@ -1,7 +1,7 @@ apiVersion: kyverno.io/v1 kind: ClusterPolicy metadata: - name: drop-all-capabilities + name: disallow-capabilities spec: validationFailureAction: audit status: 
diff --git a/pod-security/baseline/disallow-host-namespaces/e2e/bad-resource.yaml b/pod-security/baseline/disallow-host-namespaces/e2e/bad-resource.yaml new file mode 100644 index 00000000..6ee5d7d8 --- /dev/null +++ b/pod-security/baseline/disallow-host-namespaces/e2e/bad-resource.yaml 
@@ -0,0 +1,189 @@ +###### Pods - Bad +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod01 +spec: + hostPID: true + containers: + - name: container01 + image: nginx +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod02 +spec: + hostIPC: true + containers: + - name: container01 + image: nginx +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod03 +spec: + hostNetwork: true + containers: + - name: container01 + image: nginx +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod04 +spec: + hostPID: true + hostIPC: true + hostNetwork: true + containers: + - name: container01 + image: nginx +--- +###### Deployments - Bad +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment01 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + hostPID: true + containers: + - name: container01 + image: nginx +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment02 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + hostIPC: true + containers: + - name: container01 + image: nginx +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment03 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + hostNetwork: true + containers: + - name: container01 + image: nginx +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment04 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + hostPID: true + hostIPC: true + hostNetwork: true + containers: + - name: container01 + image: nginx +--- +###### CronJobs - Bad +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob01 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + hostPID: true + containers: + - name: container01 + image: nginx +--- +apiVersion: 
batch/v1 +kind: CronJob +metadata: + name: badcronjob02 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + hostIPC: true + containers: + - name: container01 + image: nginx +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob03 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + hostNetwork: true + containers: + - name: container01 + image: nginx +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob04 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + hostPID: true + hostIPC: true + hostNetwork: true + containers: + - name: container01 + image: nginx diff --git a/pod-security/baseline/disallow-host-namespaces/e2e/chainsaw-test.yaml b/pod-security/baseline/disallow-host-namespaces/e2e/chainsaw-test.yaml new file mode 100644 index 00000000..a2f9a2bd --- /dev/null +++ b/pod-security/baseline/disallow-host-namespaces/e2e/chainsaw-test.yaml 
@@ -0,0 +1,46 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + name: disallow-host-namespaces-policy +spec: + steps: + - name: test-disallow-host-namespaces + try: + - apply: + file: ../disallow-host-namespaces.yaml + - assert: + file: policy-assert.yaml + - apply: + file: ../remediate-disallow-host-namespaces.yaml + - assert: + file: remediation-policy-assert.yaml + - apply: + file: ../deployment.yaml + - sleep: + duration: 20s + - assert: + resource: + apiVersion: wgpolicyk8s.io/v1alpha2 + kind: PolicyReport + metadata: + name: cpol-disallow-host-namespaces + summary: + error: 0 + fail: 0 + - delete: + ref: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: remediate-disallow-host-namespaces + - script: + content: | + sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../disallow-host-namespaces.yaml | kubectl apply -f - + - assert: + file: enforce-policy-assert.yaml + - apply: + file: good-resource.yaml + - apply: + expect: + - check: + ($error != null): true + file: bad-resource.yaml diff --git a/pod-security/baseline/disallow-host-namespaces/e2e/enforce-policy-assert.yaml b/pod-security/baseline/disallow-host-namespaces/e2e/enforce-policy-assert.yaml new file mode 100644 index 00000000..a74a9c17 --- /dev/null +++ b/pod-security/baseline/disallow-host-namespaces/e2e/enforce-policy-assert.yaml @@ -0,0 +1,11 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: disallow-host-namespaces +spec: + validationFailureAction: Enforce +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready \ No newline at end of file diff --git a/pod-security/baseline/disallow-host-namespaces/e2e/good-resource.yaml b/pod-security/baseline/disallow-host-namespaces/e2e/good-resource.yaml new file mode 100644 index 00000000..cf9d9ff7 --- /dev/null +++ b/pod-security/baseline/disallow-host-namespaces/e2e/good-resource.yaml 
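Review bot: The PolicyReport assertion only requires `summary.fail: 0` and `summary.error: 0`, which is vacuously satisfied when the report exists but contains no result for the deployment at all, so the remediation path is not actually proven to have run. Asserting that something passed, e.g. replacing the two summary lines with `(summary.pass > `0`): true` alongside `fail: 0`, ties the report to an evaluated resource; chainsaw's `assert` already polls until its timeout, so the fixed `sleep: 20s` before it adds latency without adding certainty and can be dropped. Whether `../deployment.yaml` is the host-namespace deployment the remediation policy is meant to mutate cannot be seen from this diff, so a one-line comment above that `apply` naming what it exercises would help the next reader.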
@@ -0,0 +1,230 @@ +###### Pods - Good +apiVersion: v1 +kind: Pod +metadata: + name: goodpod01 +spec: + containers: + - name: container01 + image: nginx +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod02 +spec: + hostPID: false + containers: + - name: container01 + image: nginx +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod03 +spec: + hostIPC: false + containers: + - name: container01 + image: nginx +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod04 +spec: + hostNetwork: false + containers: + - name: container01 + image: nginx +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod05 +spec: + hostPID: false + hostIPC: false + hostNetwork: false + containers: + - name: container01 + image: nginx +--- +###### Deployments - Good +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment01 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment02 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + hostPID: false + containers: + - name: container01 + image: nginx +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment03 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + hostIPC: false + containers: + - name: container01 + image: nginx +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment04 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + hostNetwork: false + containers: + - name: container01 + image: nginx +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment05 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + hostPID: 
false + hostIPC: false + hostNetwork: false + containers: + - name: container01 + image: nginx +--- +###### CronJobs - Good +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob01 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob02 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + hostPID: false + containers: + - name: container01 + image: nginx +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob03 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + hostIPC: false + containers: + - name: container01 + image: nginx +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob04 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + hostNetwork: false + containers: + - name: container01 + image: nginx +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob05 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + hostPID: false + hostIPC: false + hostNetwork: false + containers: + - name: container01 + image: nginx diff --git a/pod-security/baseline/disallow-host-namespaces/e2e/policy-assert.yaml b/pod-security/baseline/disallow-host-namespaces/e2e/policy-assert.yaml new file mode 100644 index 00000000..84f4611b --- /dev/null +++ b/pod-security/baseline/disallow-host-namespaces/e2e/policy-assert.yaml @@ -0,0 +1,11 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: disallow-host-namespaces +spec: + validationFailureAction: audit +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready 
diff --git a/pod-security/baseline/disallow-host-namespaces/e2e/remediation-policy-assert.yaml b/pod-security/baseline/disallow-host-namespaces/e2e/remediation-policy-assert.yaml
new file mode 100644
index 00000000..9f847950
--- /dev/null
+++ b/pod-security/baseline/disallow-host-namespaces/e2e/remediation-policy-assert.yaml
@@ -0,0 +1,11 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: remediate-disallow-host-namespaces
+spec:
+ validationFailureAction: Audit
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/pod-security/baseline/disallow-host-path/e2e/bad-resource.yaml b/pod-security/baseline/disallow-host-path/e2e/bad-resource.yaml
new file mode 100644
index 00000000..75fb19f7
--- /dev/null
+++ b/pod-security/baseline/disallow-host-path/e2e/bad-resource.yaml
@@ -0,0 +1,141 @@ +###### Pods - Bad +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod01 +spec: + containers: + - name: container01 + image: nginx + volumeMounts: + - name: udev + mountPath: /data + volumes: + - name: udev + hostPath: + path: /etc/udev +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod02 +spec: + containers: + - name: container01 + image: nginx + volumeMounts: + - name: udev + mountPath: /data + - name: temp + mountPath: /scratch + volumes: + - name: temp + emptyDir: {} + - name: udev + hostPath: + path: /etc/udev +--- +###### Deployments - Bad +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment01 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + volumeMounts: + - name: udev + mountPath: /data + volumes: + - name: udev + hostPath: + path: /etc/udev +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment02 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + volumeMounts: + - name: udev + mountPath: /data + - name: temp + mountPath: /scratch + volumes: + - name: temp + emptyDir: {} + - name: udev + hostPath: + path: /etc/udev +--- +###### CronJobs - Bad +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob01 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + volumeMounts: + - name: udev + mountPath: /data + volumes: + - name: udev + hostPath: + path: /etc/udev +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob02 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + volumeMounts: + - name: udev + mountPath: /data + - name: temp + 
mountPath: /scratch
+ volumes:
+ - name: temp
+ emptyDir: {}
+ - name: udev
+ hostPath:
+ path: /etc/udev
diff --git a/pod-security/baseline/disallow-host-path/e2e/chainsaw-test.yaml b/pod-security/baseline/disallow-host-path/e2e/chainsaw-test.yaml
new file mode 100644
index 00000000..e5fb1ccc
--- /dev/null
+++ b/pod-security/baseline/disallow-host-path/e2e/chainsaw-test.yaml
@@ -0,0 +1,46 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ name: disallow-host-path-policy
+spec:
+ steps:
+ - name: test-disallow-host-path
+ try:
+ - apply:
+ file: ../disallow-host-path.yaml
+ - assert:
+ file: policy-assert.yaml
+ - apply:
+ file: ../remediate-disallow-host-path.yaml
+ - assert:
+ file: remediation-policy-assert.yaml
+ - apply:
+ file: ../deployment.yaml
+ - sleep:
+ duration: 20s
+ - assert:
+ resource:
+ apiVersion: wgpolicyk8s.io/v1alpha2
+ kind: PolicyReport
+ metadata:
+ name: cpol-disallow-host-path
+ summary:
+ error: 0
+ fail: 0
+ - delete:
+ ref:
+ apiVersion: kyverno.io/v1
+ kind: ClusterPolicy
+ name: remediate-disallow-host-path
+ - script:
+ content: |
+ sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../disallow-host-path.yaml | kubectl apply -f -
+ - assert:
+ file: enforce-policy-assert.yaml
+ - apply:
+ file: good-resource.yaml
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: bad-resource.yaml
diff --git a/best-practices/require_drop_cap_net_raw/e2e/03-enforce-policy-assert.yaml b/pod-security/baseline/disallow-host-path/e2e/enforce-policy-assert.yaml
similarity index 61%
rename from best-practices/require_drop_cap_net_raw/e2e/03-enforce-policy-assert.yaml
rename to pod-security/baseline/disallow-host-path/e2e/enforce-policy-assert.yaml
index f349eb79..7c6b6fc5 100644
--- a/best-practices/require_drop_cap_net_raw/e2e/03-enforce-policy-assert.yaml
+++ b/pod-security/baseline/disallow-host-path/e2e/enforce-policy-assert.yaml
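Review bot: The PolicyReport assert in this test (`summary:` with only `error: 0` and `fail: 0`) is satisfied by an empty report, because chainsaw compares only the fields that are stated; if the background scan has not evaluated `../deployment.yaml` by the time the assert runs, the remediation step passes vacuously. Adding the expected `pass` count next to the two zeros makes the assertion fail when nothing was scanned. The fixed `sleep: 20s` ahead of it is a weak substitute for that check — chainsaw retries an assert until its timeout, so the wait is better expressed as a longer assert timeout than as an unconditional 20-second delay on every run. The closing `($error != null): true` would likewise be stronger as `(contains($error, 'disallow-host-path')): true`, so that an unrelated apply error cannot stand in for a policy denial.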
@@ -1,11 +1,11 @@
 apiVersion: kyverno.io/v1
 kind: ClusterPolicy
 metadata:
- name: drop-cap-net-raw
+ name: disallow-host-path
 spec:
- validationFailureAction: enforce
+ validationFailureAction: Enforce
 status:
 conditions:
 - reason: Succeeded
 status: "True"
- type: Ready
+ type: Ready
\ No newline at end of file
diff --git a/pod-security/baseline/disallow-host-path/e2e/good-resource.yaml b/pod-security/baseline/disallow-host-path/e2e/good-resource.yaml
new file mode 100644
index 00000000..4696f979
--- /dev/null
+++ b/pod-security/baseline/disallow-host-path/e2e/good-resource.yaml
@@ -0,0 +1,104 @@ +###### Pods - Good +apiVersion: v1 +kind: Pod +metadata: + name: goodpod01 +spec: + containers: + - name: container01 + image: nginx +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod02 +spec: + containers: + - name: container01 + image: nginx + volumeMounts: + - name: temp + mountPath: /scratch + volumes: + - name: temp + emptyDir: {} +--- +###### Deployments - Good +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment01 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment02 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + volumeMounts: + - name: temp + mountPath: /scratch + volumes: + - name: temp + emptyDir: {} +--- +###### CronJobs - Good +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob01 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob02 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + volumeMounts: + - name: temp + mountPath: /scratch + volumes: + - name: temp + emptyDir: {} diff --git a/best-practices/require_probes/e2e/policy-assert.yaml b/pod-security/baseline/disallow-host-path/e2e/policy-assert.yaml similarity index 86% rename from best-practices/require_probes/e2e/policy-assert.yaml rename to pod-security/baseline/disallow-host-path/e2e/policy-assert.yaml index 2658fe0c..0d55bbe1 100644 --- a/best-practices/require_probes/e2e/policy-assert.yaml 
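Review bot: The only non-hostPath volume exercised by these good fixtures is `emptyDir`, so the suite cannot tell a policy that forbids `hostPath` apart from one that forbids volumes in general. If the policy follows the baseline hostPath control, adding one Pod and one Deployment variant with a `configMap` or `secret` volume — e.g. `- name: cfg` / `configMap:` / `name: app-config` — would confirm it admits ordinary volume types and rejects only `hostPath`. The `*/1 * * * *` CronJobs here will also actually schedule nginx Jobs in the test namespace while the test runs; `suspend: true` on their specs keeps the fixtures admission-only without changing what the policy evaluates.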
+++ b/pod-security/baseline/disallow-host-path/e2e/policy-assert.yaml
@@ -1,7 +1,7 @@
 apiVersion: kyverno.io/v1
 kind: ClusterPolicy
 metadata:
- name: require-pod-probes
+ name: disallow-host-path
 spec:
 validationFailureAction: audit
 status:
diff --git a/best-practices/disallow_default_namespace/e2e/03-enforce-policy-assert.yaml b/pod-security/baseline/disallow-host-path/e2e/remediation-policy-assert.yaml
similarity index 66%
rename from best-practices/disallow_default_namespace/e2e/03-enforce-policy-assert.yaml
rename to pod-security/baseline/disallow-host-path/e2e/remediation-policy-assert.yaml
index 510b01df..b6003712 100644
--- a/best-practices/disallow_default_namespace/e2e/03-enforce-policy-assert.yaml
+++ b/pod-security/baseline/disallow-host-path/e2e/remediation-policy-assert.yaml
@@ -1,9 +1,9 @@
 apiVersion: kyverno.io/v1
 kind: ClusterPolicy
 metadata:
- name: disallow-default-namespace
+ name: remediate-disallow-host-path
 spec:
- validationFailureAction: enforce
+ validationFailureAction: Audit
 status:
 conditions:
 - reason: Succeeded
diff --git a/pod-security/baseline/disallow-host-ports/e2e/bad-resource.yaml b/pod-security/baseline/disallow-host-ports/e2e/bad-resource.yaml
new file mode 100644
index 00000000..0160c967
--- /dev/null
+++ b/pod-security/baseline/disallow-host-ports/e2e/bad-resource.yaml
@@ -0,0 +1,720 @@ +###### Pods - Bad +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod01 +spec: + containers: + - name: container01 + image: nginx + ports: + - name: dns + containerPort: 5553 + hostPort: 53 +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod02 +spec: + containers: + - name: container01 + image: nginx + ports: + - name: admin + containerPort: 8000 + protocol: TCP + - name: dns + containerPort: 5553 + hostPort: 53 + protocol: UDP +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod03 +spec: + containers: + - name: container01 + image: nginx + - name: container02 + image: nginx + ports: + - name: admin + containerPort: 8000 + protocol: TCP + - name: dns + containerPort: 5553 + hostPort: 53 + protocol: UDP +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod04 +spec: + containers: + - name: container01 + image: nginx + ports: + - name: admin + containerPort: 8000 + protocol: TCP + - name: container02 + image: nginx + ports: + - name: dns + containerPort: 5553 + hostPort: 53 + protocol: UDP +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod05 +spec: + containers: + - name: container01 + image: nginx + ports: + - name: web-secure + containerPort: 4443 + hostPort: 443 + - name: container02 + image: nginx + ports: + - name: dns + containerPort: 5553 + hostPort: 53 + protocol: UDP +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod06 +spec: + initContainers: + - name: initcontainer01 + image: nginx + containers: + - name: container01 + image: nginx + ports: + - name: dns + containerPort: 5553 + hostPort: 53 +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod07 +spec: + initContainers: + - name: initcontainer01 + image: nginx + ports: + - name: admin + containerPort: 8000 + protocol: TCP + containers: + - name: container01 + image: nginx + ports: + - name: dns + containerPort: 5553 + hostPort: 53 +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod08 +spec: + initContainers: + - name: initcontainer01 + image: 
nginx + - name: initcontainer02 + image: nginx + ports: + - name: admin + containerPort: 8000 + protocol: TCP + containers: + - name: container01 + image: nginx + ports: + - name: dns + containerPort: 5553 + hostPort: 53 +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod09 +spec: + initContainers: + - name: initcontainer01 + image: nginx + ports: + - name: web + containerPort: 4443 + hostPort: 443 + - name: initcontainer02 + image: nginx + ports: + - name: admin + containerPort: 8000 + protocol: TCP + containers: + - name: container01 + image: nginx + ports: + - name: dns + containerPort: 5553 + hostPort: 53 +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod10 +spec: + initContainers: + - name: initcontainer01 + image: nginx + ports: + - name: dns + containerPort: 5553 + hostPort: 53 + containers: + - name: container01 + image: nginx +--- +###### Deployments - Bad +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment01 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + ports: + - name: dns + containerPort: 5553 + hostPort: 53 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment02 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + ports: + - name: admin + containerPort: 8000 + protocol: TCP + - name: dns + containerPort: 5553 + hostPort: 53 + protocol: UDP +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment03 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + - name: container02 + image: nginx + ports: + - name: admin + containerPort: 8000 + protocol: TCP + - name: dns + containerPort: 5553 + hostPort: 53 + protocol: UDP +--- +apiVersion: apps/v1 
+kind: Deployment +metadata: + name: baddeployment04 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + ports: + - name: admin + containerPort: 8000 + protocol: TCP + - name: container02 + image: nginx + ports: + - name: dns + containerPort: 5553 + hostPort: 53 + protocol: UDP +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment05 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + ports: + - name: web-secure + containerPort: 4443 + hostPort: 443 + - name: container02 + image: nginx + ports: + - name: dns + containerPort: 5553 + hostPort: 53 + protocol: UDP +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment06 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: nginx + containers: + - name: container01 + image: nginx + ports: + - name: dns + containerPort: 5553 + hostPort: 53 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment07 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: nginx + ports: + - name: admin + containerPort: 8000 + protocol: TCP + containers: + - name: container01 + image: nginx + ports: + - name: dns + containerPort: 5553 + hostPort: 53 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment08 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: nginx + - name: initcontainer02 + image: nginx + ports: + - name: admin + containerPort: 8000 + protocol: TCP + containers: + - name: container01 + image: 
nginx + ports: + - name: dns + containerPort: 5553 + hostPort: 53 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment09 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: nginx + ports: + - name: web + containerPort: 4443 + hostPort: 443 + - name: initcontainer02 + image: nginx + ports: + - name: admin + containerPort: 8000 + protocol: TCP + containers: + - name: container01 + image: nginx + ports: + - name: dns + containerPort: 5553 + hostPort: 53 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment10 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: nginx + ports: + - name: web + containerPort: 4443 + hostPort: 443 + containers: + - name: container01 + image: nginx +--- +###### CronJobs - Bad +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob01 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + ports: + - name: dns + containerPort: 5553 + hostPort: 53 +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob02 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + ports: + - name: admin + containerPort: 8000 + protocol: TCP + - name: dns + containerPort: 5553 + hostPort: 53 + protocol: UDP +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob03 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + - name: container02 + image: nginx + ports: + - name: admin + containerPort: 8000 + protocol: TCP + - name: dns + containerPort: 5553 + hostPort: 
53 + protocol: UDP +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob04 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + ports: + - name: admin + containerPort: 8000 + protocol: TCP + - name: container02 + image: nginx + ports: + - name: dns + containerPort: 5553 + hostPort: 53 + protocol: UDP +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob05 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + ports: + - name: web-secure + containerPort: 4443 + hostPort: 443 + - name: container02 + image: nginx + ports: + - name: dns + containerPort: 5553 + hostPort: 53 + protocol: UDP +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob06 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: nginx + containers: + - name: container01 + image: nginx + ports: + - name: dns + containerPort: 5553 + hostPort: 53 +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob07 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: nginx + ports: + - name: admin + containerPort: 8000 + protocol: TCP + containers: + - name: container01 + image: nginx + ports: + - name: dns + containerPort: 5553 + hostPort: 53 +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob08 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: nginx + - name: initcontainer02 + image: nginx + ports: + - name: admin + containerPort: 8000 + protocol: TCP + containers: + - name: container01 + image: nginx + ports: + - name: 
dns + containerPort: 5553 + hostPort: 53 +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob09 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: nginx + ports: + - name: web + containerPort: 4443 + hostPort: 443 + - name: initcontainer02 + image: nginx + ports: + - name: admin + containerPort: 8000 + protocol: TCP + containers: + - name: container01 + image: nginx + ports: + - name: dns + containerPort: 5553 + hostPort: 53 +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob10 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: nginx + ports: + - name: dns + containerPort: 5553 + hostPort: 53 + containers: + - name: container01 + image: nginx diff --git a/pod-security/baseline/disallow-host-ports/e2e/chainsaw-test.yaml b/pod-security/baseline/disallow-host-ports/e2e/chainsaw-test.yaml new file mode 100644 index 00000000..893a7b16 --- /dev/null +++ b/pod-security/baseline/disallow-host-ports/e2e/chainsaw-test.yaml 
@@ -0,0 +1,46 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ name: disallow-host-ports-policy
+spec:
+ steps:
+ - name: test-disallow-host-ports
+ try:
+ - apply:
+ file: ../disallow-host-ports.yaml
+ - assert:
+ file: policy-assert.yaml
+ - apply:
+ file: ../remediate-disallow-host-ports.yaml
+ - assert:
+ file: remediation-policy-assert.yaml
+ - sleep:
+ duration: 20s
+ - apply:
+ file: ../deployment.yaml
+ - assert:
+ resource:
+ apiVersion: wgpolicyk8s.io/v1alpha2
+ kind: PolicyReport
+ metadata:
+ name: cpol-disallow-host-ports
+ summary:
+ error: 0
+ fail: 0
+ - delete:
+ ref:
+ apiVersion: kyverno.io/v1
+ kind: ClusterPolicy
+ name: remediate-disallow-host-ports
+ - script:
+ content: |
+ sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../disallow-host-ports.yaml | kubectl apply -f -
+ - assert:
+ file: enforce-policy-assert.yaml
+ - apply:
+ file: good-resource.yaml
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: bad-resource.yaml
diff --git a/pod-security/baseline/disallow-host-ports/e2e/enforce-policy-assert.yaml b/pod-security/baseline/disallow-host-ports/e2e/enforce-policy-assert.yaml
new file mode 100644
index 00000000..11e93dda
--- /dev/null
+++ b/pod-security/baseline/disallow-host-ports/e2e/enforce-policy-assert.yaml
@@ -0,0 +1,11 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: disallow-host-ports
+spec:
+ validationFailureAction: Enforce
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
\ No newline at end of file
diff --git a/pod-security/baseline/disallow-host-ports/e2e/good-resource.yaml b/pod-security/baseline/disallow-host-ports/e2e/good-resource.yaml
new file mode 100644
index 00000000..27867043
--- /dev/null
+++ b/pod-security/baseline/disallow-host-ports/e2e/good-resource.yaml
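Review bot: In this test the `sleep: 20s` comes before `apply: ../deployment.yaml`, unlike the sibling disallow-host-namespaces and disallow-host-path tests, which sleep after applying the deployment; placed here, the wait gives the background scan no time to evaluate the resource before the PolicyReport assert runs, so the step relies entirely on the assert's retry window. Swap the two operations so the `apply` of `../deployment.yaml` precedes the `sleep`, or drop the sleep and raise the assert timeout instead. The assert itself should also state the expected `pass` count — with only `error: 0` and `fail: 0` it is satisfied by a report that contains no results. As in the other tests, `(contains($error, 'disallow-host-ports')): true` would tie the final enforce check to this policy rather than to any apply failure.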
@@ -0,0 +1,591 @@ +--- +###### Pods - Good +apiVersion: v1 +kind: Pod +metadata: + name: goodpod01 +spec: + containers: + - name: container01 + image: nginx +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod02 +spec: + containers: + - name: container01 + image: nginx + ports: + - name: admin + containerPort: 8000 + protocol: TCP +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod03 +spec: + containers: + - name: container01 + image: nginx + ports: + - name: admin + containerPort: 8000 + protocol: TCP + - name: web-insecure + containerPort: 8080 +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod04 +spec: + containers: + - name: container01 + image: nginx + - name: container02 + image: nginx +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod05 +spec: + containers: + - name: container01 + image: nginx + - name: container02 + image: nginx + ports: + - name: admin + containerPort: 8000 + protocol: TCP +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod06 +spec: + containers: + - name: container01 + image: nginx + ports: + - name: web-insecure + containerPort: 8080 + - name: container02 + image: nginx + ports: + - name: admin + containerPort: 8000 + protocol: TCP +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod07 +spec: + initContainers: + - name: initcontainer01 + image: nginx + containers: + - name: container01 + image: nginx +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod08 +spec: + initContainers: + - name: initcontainer01 + image: nginx + ports: + - name: web-insecure + containerPort: 8080 + containers: + - name: container01 + image: nginx +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod09 +spec: + initContainers: + - name: initcontainer01 + image: nginx + ports: + - name: web-insecure + containerPort: 8080 + containers: + - name: container01 + image: nginx + ports: + - name: web-insecure + containerPort: 8080 +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod10 +spec: + initContainers: + - 
name: initcontainer01 + image: nginx + - name: initcontainer02 + image: nginx + ports: + - name: web-insecure + containerPort: 8080 + containers: + - name: container01 + image: nginx + ports: + - name: web-insecure + containerPort: 8080 +--- +###### Deployments - Good +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment01 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment02 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + ports: + - name: admin + containerPort: 8000 + protocol: TCP +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment03 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + ports: + - name: admin + containerPort: 8000 + protocol: TCP + - name: web-insecure + containerPort: 8080 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment04 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + - name: container02 + image: nginx +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment05 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + - name: container02 + image: nginx + ports: + - name: admin + containerPort: 8000 + protocol: TCP +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment06 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - 
name: container01 + image: nginx + ports: + - name: web-insecure + containerPort: 8080 + - name: container02 + image: nginx + ports: + - name: admin + containerPort: 8000 + protocol: TCP +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment07 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: nginx + containers: + - name: container01 + image: nginx +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment08 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: nginx + ports: + - name: web-insecure + containerPort: 8080 + containers: + - name: container01 + image: nginx +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment09 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: nginx + ports: + - name: web-insecure + containerPort: 8080 + containers: + - name: container01 + image: nginx + ports: + - name: web-insecure + containerPort: 8080 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment10 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: nginx + - name: initcontainer02 + image: nginx + ports: + - name: web-insecure + containerPort: 8080 + containers: + - name: container01 + image: nginx + ports: + - name: web-insecure + containerPort: 8080 +--- +###### CronJobs - Good +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob01 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx +--- +apiVersion: batch/v1 +kind: 
CronJob +metadata: + name: goodcronjob02 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + ports: + - name: admin + containerPort: 8000 + protocol: TCP +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob03 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + ports: + - name: admin + containerPort: 8000 + protocol: TCP + - name: web-insecure + containerPort: 8080 +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob04 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + - name: container02 + image: nginx +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob05 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + - name: container02 + image: nginx + ports: + - name: admin + containerPort: 8000 + protocol: TCP +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob06 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + ports: + - name: web-insecure + containerPort: 8080 + - name: container02 + image: nginx + ports: + - name: admin + containerPort: 8000 + protocol: TCP +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob07 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: nginx + containers: + - name: container01 + image: nginx +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob08 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + 
template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: nginx + ports: + - name: web-insecure + containerPort: 8080 + containers: + - name: container01 + image: nginx +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob09 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: nginx + ports: + - name: web-insecure + containerPort: 8080 + containers: + - name: container01 + image: nginx + ports: + - name: web-insecure + containerPort: 8080 +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob10 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: nginx + - name: initcontainer02 + image: nginx + ports: + - name: web-insecure + containerPort: 8080 + containers: + - name: container01 + image: nginx + ports: + - name: web-insecure + containerPort: 8080 diff --git a/best-practices/disallow_latest_tag/e2e/policy-assert.yaml b/pod-security/baseline/disallow-host-ports/e2e/policy-assert.yaml similarity index 86% rename from best-practices/disallow_latest_tag/e2e/policy-assert.yaml rename to pod-security/baseline/disallow-host-ports/e2e/policy-assert.yaml index c9b16eb2..c27efc5a 100644 --- a/best-practices/disallow_latest_tag/e2e/policy-assert.yaml +++ b/pod-security/baseline/disallow-host-ports/e2e/policy-assert.yaml @@ -1,7 +1,7 @@ apiVersion: kyverno.io/v1 kind: ClusterPolicy metadata: - name: disallow-latest-tag + name: disallow-host-ports spec: validationFailureAction: audit status: 
diff --git a/best-practices/disallow-empty-ingress-host/e2e/03-enforce-policy-assert.yaml b/pod-security/baseline/disallow-host-ports/e2e/remediation-policy-assert.yaml similarity index 66% rename from best-practices/disallow-empty-ingress-host/e2e/03-enforce-policy-assert.yaml rename to pod-security/baseline/disallow-host-ports/e2e/remediation-policy-assert.yaml index bd068f5d..4ac98bd1 100644 --- a/best-practices/disallow-empty-ingress-host/e2e/03-enforce-policy-assert.yaml +++ b/pod-security/baseline/disallow-host-ports/e2e/remediation-policy-assert.yaml @@ -1,9 +1,9 @@ apiVersion: kyverno.io/v1 kind: ClusterPolicy metadata: - name: disallow-empty-ingress-host + name: remediate-disallow-host-ports spec: - validationFailureAction: enforce + validationFailureAction: Audit status: conditions: - reason: Succeeded diff --git a/pod-security/baseline/disallow-host-process/e2e/bad-resource.yaml b/pod-security/baseline/disallow-host-process/e2e/bad-resource.yaml new file mode 100644 index 00000000..76879563 --- /dev/null +++ b/pod-security/baseline/disallow-host-process/e2e/bad-resource.yaml 
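Review bot: The expected `validationFailureAction` differs in case between this assert (`Audit`) and the sibling policy-assert.yaml for the same policy (`audit`); chainsaw compares these values as exact strings, so each assert file must use precisely the spelling the corresponding policy manifest sets, which is not visible in this patch. If the remediation policy uses `Audit` and the base policy uses `audit` the mixed casing is correct but worth a one-line comment in each file, and if they do not, the lowercase assert fails on the first step. The same mixed casing appears in the disallow-host-process and disallow-privileged-containers assert files further down; the `sed` substitution in the new chainsaw tests also keys on the lowercase spelling.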
@@ -0,0 +1,372 @@ +###### Pods - Bad +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod01 +spec: + hostNetwork: true + containers: + - name: container01 + image: nginx + securityContext: + windowsOptions: + hostProcess: true +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod02 +spec: + hostNetwork: true + containers: + - name: container01 + image: nginx + securityContext: + windowsOptions: + hostProcess: true + - name: container02 + image: nginx + securityContext: + windowsOptions: + hostProcess: true +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod03 +spec: + hostNetwork: true + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + windowsOptions: + hostProcess: true + containers: + - name: container01 + image: nginx + securityContext: + windowsOptions: + hostProcess: true +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod04 +spec: + hostNetwork: true + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + windowsOptions: + hostProcess: true + - name: initcontainer02 + image: nginx + securityContext: + windowsOptions: + hostProcess: true + containers: + - name: container01 + image: nginx + securityContext: + windowsOptions: + hostProcess: true +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod05 +spec: + hostNetwork: true + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + windowsOptions: + hostProcess: true + - name: initcontainer02 + image: nginx + securityContext: + windowsOptions: + hostProcess: true + containers: + - name: container01 + image: nginx + securityContext: + windowsOptions: + hostProcess: true +--- +###### Deployments - Bad +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment01 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + hostNetwork: true + containers: + - name: container01 + image: nginx + securityContext: + windowsOptions: + hostProcess: true +--- 
+apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment02 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + hostNetwork: true + containers: + - name: container01 + image: nginx + securityContext: + windowsOptions: + hostProcess: true + - name: container02 + image: nginx + securityContext: + windowsOptions: + hostProcess: true +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment03 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + hostNetwork: true + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + windowsOptions: + hostProcess: true + containers: + - name: container01 + image: nginx + securityContext: + windowsOptions: + hostProcess: true +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment04 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + hostNetwork: true + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + windowsOptions: + hostProcess: true + - name: initcontainer02 + image: nginx + securityContext: + windowsOptions: + hostProcess: true + containers: + - name: container01 + image: nginx + securityContext: + windowsOptions: + hostProcess: true +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment05 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + hostNetwork: true + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + windowsOptions: + hostProcess: true + - name: initcontainer02 + image: nginx + securityContext: + windowsOptions: + hostProcess: true + containers: + - name: container01 + image: nginx + securityContext: + windowsOptions: + hostProcess: true +--- +###### CronJobs - Bad +apiVersion: batch/v1 +kind: CronJob +metadata: + name: 
badcronjob01 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + hostNetwork: true + containers: + - name: container01 + image: nginx + securityContext: + windowsOptions: + hostProcess: true +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob02 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + hostNetwork: true + containers: + - name: container01 + image: nginx + securityContext: + windowsOptions: + hostProcess: true + - name: container02 + image: nginx + securityContext: + windowsOptions: + hostProcess: true +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob03 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + hostNetwork: true + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + windowsOptions: + hostProcess: true + containers: + - name: container01 + image: nginx + securityContext: + windowsOptions: + hostProcess: true +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob04 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + hostNetwork: true + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + windowsOptions: + hostProcess: true + - name: initcontainer02 + image: nginx + securityContext: + windowsOptions: + hostProcess: true + containers: + - name: container01 + image: nginx + securityContext: + windowsOptions: + hostProcess: true +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob05 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + hostNetwork: true + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + windowsOptions: + hostProcess: true + - name: initcontainer02 + image: nginx + securityContext: + windowsOptions: + hostProcess: true + 
containers: + - name: container01 + image: nginx + securityContext: + windowsOptions: + hostProcess: true diff --git a/pod-security/baseline/disallow-host-process/e2e/chainsaw-test.yaml b/pod-security/baseline/disallow-host-process/e2e/chainsaw-test.yaml new file mode 100644 index 00000000..30d6a068 --- /dev/null +++ b/pod-security/baseline/disallow-host-process/e2e/chainsaw-test.yaml @@ -0,0 +1,46 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + name: disallow-host-process-policy +spec: + steps: + - name: test-disallow-host-process + try: + - apply: + file: ../disallow-host-process.yaml + - assert: + file: policy-assert.yaml + - apply: + file: ../remediate-disallow-host-process.yaml + - assert: + file: remediation-policy-assert.yaml + - apply: + file: ../deployment.yaml + - sleep: + duration: 20s + - assert: + resource: + apiVersion: wgpolicyk8s.io/v1alpha2 + kind: PolicyReport + metadata: + name: cpol-disallow-host-process + summary: + error: 0 + fail: 0 + - delete: + ref: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: remediate-disallow-host-process + - script: + content: | + sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../disallow-host-process.yaml | kubectl apply -f - + - assert: + file: enforce-policy-assert.yaml + - apply: + file: good-resource.yaml + - apply: + expect: + - check: + ($error != null): true + file: bad-resource.yaml diff --git a/pod-security/baseline/disallow-host-process/e2e/enforce-policy-assert.yaml b/pod-security/baseline/disallow-host-process/e2e/enforce-policy-assert.yaml new file mode 100644 index 00000000..599d2508 --- /dev/null +++ b/pod-security/baseline/disallow-host-process/e2e/enforce-policy-assert.yaml @@ -0,0 +1,11 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: disallow-host-process +spec: + validationFailureAction: Enforce +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready \ No newline at end of file 
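Review bot: Every bad resource sets `hostNetwork: true` next to `hostProcess: true` without saying why, and a maintainer trimming the fixtures may drop it. As far as I recall, API-server validation rejects a HostProcess pod that does not also set hostNetwork, and that rejection happens before validating webhooks run, so without it the test's `$error != null` check would be satisfied by schema validation rather than by the Kyverno policy. A header comment such as `# hostNetwork: true is required by API-server validation for HostProcess pods; keep it so the denial comes from the policy, not from schema validation` would preserve that intent.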
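Review bot: The final `expect` check `($error != null): true` accepts any apply failure, so a bad-resource document rejected by API-server validation, a missing CRD, or another ClusterPolicy already on the cluster passes this step without the policy under test ever being exercised; narrowing it to the policy's own denial, e.g. `(contains($error, 'disallow-host-process')): true`, makes the test prove what it claims. The PolicyReport assertion likewise only pins `error: 0` and `fail: 0`, which an empty or missing-result report also satisfies, so asserting the expected `pass` count for ../deployment.yaml would show the policy actually evaluated it. The `sed` step silently re-applies the unchanged policy if the manifest does not spell the field exactly `validationFailureAction: audit`, and the mismatch only surfaces at the later enforce assert; `kubectl patch cpol disallow-host-process --type merge -p '{"spec":{"validationFailureAction":"Enforce"}}'` fails loudly instead. The same three points apply to the disallow-privileged-containers chainsaw-test.yaml hunk below.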
diff --git a/pod-security/baseline/disallow-host-process/e2e/good-resource.yaml b/pod-security/baseline/disallow-host-process/e2e/good-resource.yaml new file mode 100644 index 00000000..6e331bcc --- /dev/null +++ b/pod-security/baseline/disallow-host-process/e2e/good-resource.yaml 
@@ -0,0 +1,356 @@ +###### Pods - Good +apiVersion: v1 +kind: Pod +metadata: + name: goodpod01 +spec: + hostNetwork: true + containers: + - name: container01 + image: nginx +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod02 +spec: + hostNetwork: true + containers: + - name: container01 + image: nginx + securityContext: + windowsOptions: + hostProcess: false +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod03 +spec: + hostNetwork: true + containers: + - name: container01 + image: nginx + - name: container02 + image: nginx + securityContext: + windowsOptions: + hostProcess: false +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod04 +spec: + hostNetwork: true + initContainers: + - name: initcontainer01 + image: nginx + containers: + - name: container01 + image: nginx +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod05 +spec: + hostNetwork: true + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + windowsOptions: + hostProcess: false + containers: + - name: container01 + image: nginx +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod06 +spec: + hostNetwork: true + initContainers: + - name: initcontainer01 + image: nginx + - name: initcontainer02 + image: nginx + securityContext: + windowsOptions: + hostProcess: false + containers: + - name: container01 + image: nginx + securityContext: + windowsOptions: + hostProcess: false +--- +###### Deployments - Good +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment01 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + hostNetwork: true + containers: + - name: container01 + image: nginx +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment02 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + hostNetwork: true + containers: + - name: container01 + image: nginx + securityContext: + 
windowsOptions: + hostProcess: false +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment03 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + hostNetwork: true + containers: + - name: container01 + image: nginx + - name: container02 + image: nginx + securityContext: + windowsOptions: + hostProcess: false +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment04 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + hostNetwork: true + initContainers: + - name: initcontainer01 + image: nginx + containers: + - name: container01 + image: nginx +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment05 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + hostNetwork: true + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + windowsOptions: + hostProcess: false + containers: + - name: container01 + image: nginx +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment06 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + hostNetwork: true + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + windowsOptions: + hostProcess: false + - name: initcontainer02 + image: nginx + containers: + - name: container01 + image: nginx + securityContext: + windowsOptions: + hostProcess: false +--- +###### CronJobs - Good +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob01 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + hostNetwork: true + containers: + - name: container01 + image: nginx +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob02 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: 
+ restartPolicy: OnFailure + hostNetwork: true + containers: + - name: container01 + image: nginx + securityContext: + windowsOptions: + hostProcess: false +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob03 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + hostNetwork: true + containers: + - name: container01 + image: nginx + - name: container02 + image: nginx + securityContext: + windowsOptions: + hostProcess: false +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob04 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + hostNetwork: true + initContainers: + - name: initcontainer01 + image: nginx + containers: + - name: container01 + image: nginx +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob05 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + hostNetwork: true + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + windowsOptions: + hostProcess: false + containers: + - name: container01 + image: nginx +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob06 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + hostNetwork: true + initContainers: + - name: initcontainer01 + image: nginx + - name: initcontainer02 + image: nginx + securityContext: + windowsOptions: + hostProcess: false + containers: + - name: container01 + image: nginx + securityContext: + windowsOptions: + hostProcess: false diff --git a/pod-security/baseline/disallow-host-process/e2e/policy-assert.yaml b/pod-security/baseline/disallow-host-process/e2e/policy-assert.yaml new file mode 100644 index 00000000..486332d6 --- /dev/null +++ b/pod-security/baseline/disallow-host-process/e2e/policy-assert.yaml 
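Review bot: All good resources set `hostNetwork: true` although none of them needs it (hostNetwork is only mandated for pods that set `hostProcess: true`), so the enforce-mode apply step really creates host-network Pods, Deployments and CronJobs in the test cluster, and the apply is denied if a host-namespaces policy happens to be installed cluster-wide at the same time. Dropping `hostNetwork: true` from the good side keeps the test scoped to the host-process control and avoids cross-policy interference. If it is kept on purpose, a header comment such as `# hostNetwork is intentionally set to mirror the bad-resource fixtures` would record that choice.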
@@ -0,0 +1,11 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: disallow-host-process +spec: + validationFailureAction: audit +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready diff --git a/pod-security/baseline/disallow-host-process/e2e/remediation-policy-assert.yaml b/pod-security/baseline/disallow-host-process/e2e/remediation-policy-assert.yaml new file mode 100644 index 00000000..79a20297 --- /dev/null +++ b/pod-security/baseline/disallow-host-process/e2e/remediation-policy-assert.yaml @@ -0,0 +1,11 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: remediate-disallow-host-process +spec: + validationFailureAction: Audit +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready diff --git a/pod-security/baseline/disallow-privileged-containers/e2e/bad-resource.yaml b/pod-security/baseline/disallow-privileged-containers/e2e/bad-resource.yaml new file mode 100644 index 00000000..ebcf0582 --- /dev/null +++ b/pod-security/baseline/disallow-privileged-containers/e2e/bad-resource.yaml 
@@ -0,0 +1,294 @@ +###### Pods - Bad +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod01 +spec: + containers: + - name: container01 + image: nginx + securityContext: + privileged: true +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod02 +spec: + containers: + - name: container01 + image: nginx + - name: container02 + image: nginx + securityContext: + privileged: true +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod03 +spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + privileged: true + containers: + - name: container01 + image: nginx +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod04 +spec: + initContainers: + - name: initcontainer01 + image: nginx + - name: initcontainer02 + image: nginx + securityContext: + privileged: true + containers: + - name: container01 + image: nginx +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod05 +spec: + initContainers: + - name: initcontainer01 + image: nginx + - name: initcontainer02 + image: nginx + securityContext: + privileged: true + containers: + - name: container01 + image: nginx + securityContext: + privileged: true +--- +###### Deployments - Bad +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment01 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + securityContext: + privileged: true +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment02 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + - name: container02 + image: nginx + securityContext: + privileged: true +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment03 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: 
initcontainer01 + image: nginx + securityContext: + privileged: true + containers: + - name: container01 + image: nginx +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment04 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: nginx + - name: initcontainer02 + image: nginx + securityContext: + privileged: true + containers: + - name: container01 + image: nginx +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment05 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: nginx + - name: initcontainer02 + image: nginx + securityContext: + privileged: true + containers: + - name: container01 + image: nginx + securityContext: + privileged: true +--- +###### CronJobs - Bad +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob01 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + securityContext: + privileged: true +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob02 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + - name: container02 + image: nginx + securityContext: + privileged: true +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob03 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + privileged: true + containers: + - name: container01 + image: nginx +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob04 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + 
restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: nginx + - name: initcontainer02 + image: nginx + securityContext: + privileged: true + containers: + - name: container01 + image: nginx +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob05 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: nginx + - name: initcontainer02 + image: nginx + securityContext: + privileged: true + containers: + - name: container01 + image: nginx + securityContext: + privileged: true diff --git a/pod-security/baseline/disallow-privileged-containers/e2e/chainsaw-test.yaml b/pod-security/baseline/disallow-privileged-containers/e2e/chainsaw-test.yaml new file mode 100644 index 00000000..8d09d1a5 --- /dev/null +++ b/pod-security/baseline/disallow-privileged-containers/e2e/chainsaw-test.yaml 
@@ -0,0 +1,46 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + name: disallow-privileged-containers-policy +spec: + steps: + - name: test-disallow-privileged-containers + try: + - apply: + file: ../disallow-privileged-containers.yaml + - assert: + file: policy-assert.yaml + - apply: + file: ../remediate-disallow-privileged-containers.yaml + - assert: + file: remediation-policy-assert.yaml + - apply: + file: ../deployment.yaml + - sleep: + duration: 20s + - assert: + resource: + apiVersion: wgpolicyk8s.io/v1alpha2 + kind: PolicyReport + metadata: + name: cpol-disallow-privileged-containers + summary: + error: 0 + fail: 0 + - delete: + ref: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: remediate-disallow-privileged-containers + - script: + content: | + sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../disallow-privileged-containers.yaml | kubectl apply -f - + - assert: + file: enforce-policy-assert.yaml + - apply: + file: good-resource.yaml + - apply: + expect: + - check: + ($error != null): true + file: bad-resource.yaml diff --git a/pod-security/baseline/disallow-privileged-containers/e2e/enforce-policy-assert.yaml b/pod-security/baseline/disallow-privileged-containers/e2e/enforce-policy-assert.yaml new file mode 100644 index 00000000..95e08634 --- /dev/null +++ b/pod-security/baseline/disallow-privileged-containers/e2e/enforce-policy-assert.yaml @@ -0,0 +1,11 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: disallow-privileged-containers +spec: + validationFailureAction: Enforce +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready \ No newline at end of file diff --git a/pod-security/baseline/disallow-privileged-containers/e2e/good-resource.yaml b/pod-security/baseline/disallow-privileged-containers/e2e/good-resource.yaml new file mode 100644 index 00000000..e4cddcd0 --- /dev/null +++ b/pod-security/baseline/disallow-privileged-containers/e2e/good-resource.yaml 
@@ -0,0 +1,323 @@ +###### Pods - Good +apiVersion: v1 +kind: Pod +metadata: + name: goodpod01 +spec: + containers: + - name: container01 + image: nginx +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod02 +spec: + containers: + - name: container01 + image: nginx + securityContext: + privileged: false +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod03 +spec: + containers: + - name: container01 + image: nginx + - name: container02 + image: nginx + securityContext: + privileged: false +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod04 +spec: + initContainers: + - name: initcontainer01 + image: nginx + containers: + - name: container01 + image: nginx +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod05 +spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + privileged: false + containers: + - name: container01 + image: nginx +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod06 +spec: + initContainers: + - name: initcontainer01 + image: nginx + - name: initcontainer02 + image: nginx + securityContext: + privileged: false + containers: + - name: container01 + image: nginx + securityContext: + privileged: false +--- +###### Deployments - Good +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment01 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment02 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + securityContext: + privileged: false +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment03 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + - 
name: container02 + image: nginx + securityContext: + privileged: false +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment04 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: nginx + containers: + - name: container01 + image: nginx +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment05 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + privileged: false + containers: + - name: container01 + image: nginx +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment06 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + privileged: false + - name: initcontainer02 + image: nginx + containers: + - name: container01 + image: nginx + securityContext: + privileged: false +--- +###### CronJobs - Good +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob01 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob02 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + securityContext: + privileged: false +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob03 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + - name: container02 + image: nginx + securityContext: + privileged: false +--- +apiVersion: batch/v1 +kind: 
CronJob +metadata: + name: goodcronjob04 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: nginx + containers: + - name: container01 + image: nginx +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob05 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + privileged: false + containers: + - name: container01 + image: nginx +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob06 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: nginx + - name: initcontainer02 + image: nginx + securityContext: + privileged: false + containers: + - name: container01 + image: nginx + securityContext: + privileged: false diff --git a/best-practices/disallow_cri_sock_mount/e2e/policy-assert.yaml b/pod-security/baseline/disallow-privileged-containers/e2e/policy-assert.yaml similarity index 81% rename from best-practices/disallow_cri_sock_mount/e2e/policy-assert.yaml rename to pod-security/baseline/disallow-privileged-containers/e2e/policy-assert.yaml index 47f5ae8b..3a0cba8b 100644 --- a/best-practices/disallow_cri_sock_mount/e2e/policy-assert.yaml +++ b/pod-security/baseline/disallow-privileged-containers/e2e/policy-assert.yaml @@ -1,7 +1,7 @@ apiVersion: kyverno.io/v1 kind: ClusterPolicy metadata: - name: disallow-container-sock-mounts + name: disallow-privileged-containers spec: validationFailureAction: audit status: diff --git a/pod-security/baseline/disallow-privileged-containers/e2e/remediation-policy-assert.yaml b/pod-security/baseline/disallow-privileged-containers/e2e/remediation-policy-assert.yaml new file mode 100644 index 00000000..43812bdd --- /dev/null 
+++ b/pod-security/baseline/disallow-privileged-containers/e2e/remediation-policy-assert.yaml @@ -0,0 +1,11 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: remediate-disallow-privileged-containers +spec: + validationFailureAction: Audit +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready diff --git a/pod-security/baseline/disallow-proc-mount/deployment.yaml b/pod-security/baseline/disallow-proc-mount/deployment.yaml index de8a3737..03061c5b 100644 --- a/pod-security/baseline/disallow-proc-mount/deployment.yaml +++ b/pod-security/baseline/disallow-proc-mount/deployment.yaml @@ -40,5 +40,3 @@ spec: limits: memory: "128Mi" cpu: "500m" - - diff --git a/pod-security/baseline/disallow-proc-mount/e2e/bad-resource.yaml b/pod-security/baseline/disallow-proc-mount/e2e/bad-resource.yaml new file mode 100644 index 00000000..d86ddc28 --- /dev/null +++ b/pod-security/baseline/disallow-proc-mount/e2e/bad-resource.yaml 
@@ -0,0 +1,294 @@ +###### Pods - Bad +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod01 +spec: + containers: + - name: container01 + image: nginx + securityContext: + procMount: "Unmasked" +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod02 +spec: + containers: + - name: container01 + image: nginx + - name: container02 + image: nginx + securityContext: + procMount: "Unmasked" +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod03 +spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + procMount: "Unmasked" + containers: + - name: container01 + image: nginx +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod04 +spec: + initContainers: + - name: initcontainer01 + image: nginx + - name: initcontainer02 + image: nginx + securityContext: + procMount: "Unmasked" + containers: + - name: container01 + image: nginx +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod05 +spec: + initContainers: + - name: initcontainer01 + image: nginx + - name: initcontainer02 + image: nginx + securityContext: + procMount: "Unmasked" + containers: + - name: container01 + image: nginx + securityContext: + procMount: "Unmasked" +--- +###### Deployments - Bad +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment01 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + securityContext: + procMount: "Unmasked" +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment02 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + - name: container02 + image: nginx + securityContext: + procMount: "Unmasked" +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment03 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + 
spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + procMount: "Unmasked" + containers: + - name: container01 + image: nginx +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment04 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: nginx + - name: initcontainer02 + image: nginx + securityContext: + procMount: "Unmasked" + containers: + - name: container01 + image: nginx +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment05 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: nginx + - name: initcontainer02 + image: nginx + securityContext: + procMount: "Unmasked" + containers: + - name: container01 + image: nginx + securityContext: + procMount: "Unmasked" +--- +###### CronJobs - Bad +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob01 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + securityContext: + procMount: "Unmasked" +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob02 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + - name: container02 + image: nginx + securityContext: + procMount: "Unmasked" +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob03 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + procMount: "Unmasked" + containers: + - name: container01 + image: nginx +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob04 +spec: + schedule: 
"*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: nginx + - name: initcontainer02 + image: nginx + securityContext: + procMount: "Unmasked" + containers: + - name: container01 + image: nginx +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob05 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: nginx + - name: initcontainer02 + image: nginx + securityContext: + procMount: "Unmasked" + containers: + - name: container01 + image: nginx + securityContext: + procMount: "Unmasked" diff --git a/pod-security/baseline/disallow-proc-mount/e2e/chainsaw-test.yaml b/pod-security/baseline/disallow-proc-mount/e2e/chainsaw-test.yaml new file mode 100644 index 00000000..7f8c75a5 --- /dev/null +++ b/pod-security/baseline/disallow-proc-mount/e2e/chainsaw-test.yaml @@ -0,0 +1,46 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + name: disallow-proc-mount-policy +spec: + steps: + - name: test-disallow-proc-mount + try: + - apply: + file: ../disallow-proc-mount.yaml + - assert: + file: policy-assert.yaml + - apply: + file: ../remediate-disallow-proc-mount-containers.yaml + - assert: + file: remediation-policy-assert.yaml + - apply: + file: ../deployment.yaml + - sleep: + duration: 20s + - assert: + resource: + apiVersion: wgpolicyk8s.io/v1alpha2 + kind: PolicyReport + metadata: + name: cpol-disallow-proc-mount + summary: + error: 0 + fail: 0 + - delete: + ref: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: remediate-disallow-proc-mount + - script: + content: | + sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../disallow-proc-mount.yaml | kubectl apply -f - + - assert: + file: enforce-policy-assert.yaml + - apply: + file: good-resource.yaml + - apply: + expect: + - check: + ($error != null): true + file: bad-resource.yaml 
diff --git a/pod-security/baseline/disallow-proc-mount/e2e/enforce-policy-assert.yaml b/pod-security/baseline/disallow-proc-mount/e2e/enforce-policy-assert.yaml
new file mode 100644
index 00000000..e1af728c
--- /dev/null
+++ b/pod-security/baseline/disallow-proc-mount/e2e/enforce-policy-assert.yaml
@@ -0,0 +1,11 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: disallow-proc-mount
+spec:
+ validationFailureAction: Enforce
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
\ No newline at end of file
diff --git a/pod-security/baseline/disallow-proc-mount/e2e/good-resource.yaml b/pod-security/baseline/disallow-proc-mount/e2e/good-resource.yaml
new file mode 100644
index 00000000..a482363c
--- /dev/null
+++ b/pod-security/baseline/disallow-proc-mount/e2e/good-resource.yaml
@@ -0,0 +1,323 @@ +###### Pods - Good +apiVersion: v1 +kind: Pod +metadata: + name: goodpod01 +spec: + containers: + - name: container01 + image: nginx +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod02 +spec: + containers: + - name: container01 + image: nginx + securityContext: + procMount: Default +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod03 +spec: + containers: + - name: container01 + image: nginx + - name: container02 + image: nginx + securityContext: + procMount: Default +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod04 +spec: + initContainers: + - name: initcontainer01 + image: nginx + containers: + - name: container01 + image: nginx +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod05 +spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + procMount: Default + containers: + - name: container01 + image: nginx +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod06 +spec: + initContainers: + - name: initcontainer01 + image: nginx + - name: initcontainer02 + image: nginx + securityContext: + procMount: Default + containers: + - name: container01 + image: nginx + securityContext: + procMount: Default +--- +###### Deployments - Good +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment01 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment02 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + securityContext: + procMount: Default +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment03 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + 
- name: container02 + image: nginx + securityContext: + procMount: Default +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment04 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: nginx + containers: + - name: container01 + image: nginx +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment05 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + procMount: Default + containers: + - name: container01 + image: nginx +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment06 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + procMount: Default + - name: initcontainer02 + image: nginx + containers: + - name: container01 + image: nginx + securityContext: + procMount: Default +--- +###### CronJobs - Good +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob01 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob02 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + securityContext: + procMount: Default +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob03 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + - name: container02 + image: nginx + securityContext: + procMount: Default +--- +apiVersion: batch/v1 
+kind: CronJob +metadata: + name: goodcronjob04 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: nginx + containers: + - name: container01 + image: nginx +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob05 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + procMount: Default + containers: + - name: container01 + image: nginx +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob06 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: nginx + - name: initcontainer02 + image: nginx + securityContext: + procMount: Default + containers: + - name: container01 + image: nginx + securityContext: + procMount: Default diff --git a/pod-security/baseline/disallow-proc-mount/e2e/policy-assert.yaml b/pod-security/baseline/disallow-proc-mount/e2e/policy-assert.yaml new file mode 100644 index 00000000..42802b0c --- /dev/null +++ b/pod-security/baseline/disallow-proc-mount/e2e/policy-assert.yaml @@ -0,0 +1,11 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: disallow-proc-mount +spec: + validationFailureAction: audit +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready diff --git a/pod-security/baseline/disallow-proc-mount/e2e/remediation-policy-assert.yaml b/pod-security/baseline/disallow-proc-mount/e2e/remediation-policy-assert.yaml new file mode 100644 index 00000000..88e067c6 --- /dev/null +++ b/pod-security/baseline/disallow-proc-mount/e2e/remediation-policy-assert.yaml 
@@ -0,0 +1,11 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: remediate-disallow-proc-mount
+spec:
+ validationFailureAction: Audit
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/pod-security/baseline/disallow-selinux/e2e/bad-resource.yaml b/pod-security/baseline/disallow-selinux/e2e/bad-resource.yaml
new file mode 100644
index 00000000..85da92f3
--- /dev/null
+++ b/pod-security/baseline/disallow-selinux/e2e/bad-resource.yaml
@@ -0,0 +1,1450 @@ +######################## +## Rule: selinux-type ## +######################## +###### Pods - Bad +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod01 +spec: + containers: + - name: container01 + image: nginx + securityContext: + seLinuxOptions: + type: spc_t +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod02 +spec: + containers: + - name: container01 + image: nginx + securityContext: + seLinuxOptions: + type: spc_t +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod03 +spec: + containers: + - name: container01 + image: nginx + - name: container02 + image: nginx + securityContext: + seLinuxOptions: + type: spc_t +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod04 +spec: + containers: + - name: container01 + image: nginx + securityContext: + seLinuxOptions: + type: container_kvm_t + - name: container02 + image: nginx + securityContext: + seLinuxOptions: + type: spc_t +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod05 +spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + seLinuxOptions: + type: spc_t + containers: + - name: container01 + image: nginx +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod06 +spec: + initContainers: + - name: initcontainer01 + image: nginx + - name: initcontainer02 + image: nginx + securityContext: + seLinuxOptions: + type: spc_t + containers: + - name: container01 + image: nginx +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod07 +spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + seLinuxOptions: + type: container_kvm_t + - name: initcontainer02 + image: nginx + securityContext: + seLinuxOptions: + type: spc_t + containers: + - name: container01 + image: nginx +--- +###### Deployments - Bad +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment01 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: 
container01 + image: nginx + securityContext: + seLinuxOptions: + type: spc_t +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment02 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + securityContext: + seLinuxOptions: + type: spc_t +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment03 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + - name: container02 + image: nginx + securityContext: + seLinuxOptions: + type: spc_t +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment04 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + securityContext: + seLinuxOptions: + type: container_kvm_t + - name: container02 + image: nginx + securityContext: + seLinuxOptions: + type: spc_t +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment05 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + seLinuxOptions: + type: spc_t + containers: + - name: container01 + image: nginx +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment06 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: nginx + - name: initcontainer02 + image: nginx + securityContext: + seLinuxOptions: + type: spc_t + containers: + - name: container01 + image: nginx +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment07 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: 
+ labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + seLinuxOptions: + type: container_kvm_t + - name: initcontainer02 + image: nginx + securityContext: + seLinuxOptions: + type: spc_t + containers: + - name: container01 + image: nginx +--- +###### CronJobs - Bad +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob01 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + securityContext: + seLinuxOptions: + type: spc_t +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob02 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + securityContext: + seLinuxOptions: + type: spc_t +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob03 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + - name: container02 + image: nginx + securityContext: + seLinuxOptions: + type: spc_t +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob04 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + securityContext: + seLinuxOptions: + type: container_kvm_t + - name: container02 + image: nginx + securityContext: + seLinuxOptions: + type: spc_t +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob05 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + seLinuxOptions: + type: spc_t + containers: + - name: container01 + image: nginx +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob06 +spec: + schedule: 
"*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: nginx + - name: initcontainer02 + image: nginx + securityContext: + seLinuxOptions: + type: spc_t + containers: + - name: container01 + image: nginx +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob07 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + seLinuxOptions: + type: container_kvm_t + - name: initcontainer02 + image: nginx + securityContext: + seLinuxOptions: + type: spc_t + containers: + - name: container01 + image: nginx +--- +############################# +## Rule: selinux-user-role ## +############################# +###### Pods - Bad +--- +apiVersion: v1 +kind: Pod +metadata: + name: selur-badpod01 +spec: + containers: + - name: container01 + image: nginx + securityContext: + seLinuxOptions: + user: sysadm_u +--- +apiVersion: v1 +kind: Pod +metadata: + name: selur-badpod02 +spec: + containers: + - name: container01 + image: nginx + securityContext: + seLinuxOptions: + role: sysadm_r +--- +apiVersion: v1 +kind: Pod +metadata: + name: selur-badpod03 +spec: + containers: + - name: container01 + image: nginx + securityContext: + seLinuxOptions: + user: sysadm_u + role: sysadm_r +--- +apiVersion: v1 +kind: Pod +metadata: + name: selur-badpod04 +spec: + containers: + - name: container01 + image: nginx + securityContext: + seLinuxOptions: + user: sysadm_u +--- +apiVersion: v1 +kind: Pod +metadata: + name: selur-badpod05 +spec: + containers: + - name: container01 + image: nginx + securityContext: + seLinuxOptions: + role: sysadm_r +--- +apiVersion: v1 +kind: Pod +metadata: + name: selur-badpod06 +spec: + containers: + - name: container01 + image: nginx + securityContext: + seLinuxOptions: + user: sysadm_u + role: sysadm_r +--- +apiVersion: v1 +kind: Pod +metadata: + name: 
selur-badpod07 +spec: + containers: + - name: container01 + image: nginx + - name: container02 + image: nginx + securityContext: + seLinuxOptions: + user: sysadm_u +--- +apiVersion: v1 +kind: Pod +metadata: + name: selur-badpod08 +spec: + containers: + - name: container01 + image: nginx + - name: container02 + image: nginx + securityContext: + seLinuxOptions: + role: sysadm_r +--- +apiVersion: v1 +kind: Pod +metadata: + name: selur-badpod09 +spec: + containers: + - name: container01 + image: nginx + - name: container02 + image: nginx + securityContext: + seLinuxOptions: + user: sysadm_u + role: sysadm_r +--- +apiVersion: v1 +kind: Pod +metadata: + name: selur-badpod10 +spec: + containers: + - name: container01 + image: nginx + securityContext: + seLinuxOptions: + type: unconfined_t + - name: container02 + image: nginx + securityContext: + seLinuxOptions: + user: sysadm_u +--- +apiVersion: v1 +kind: Pod +metadata: + name: selur-badpod11 +spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + seLinuxOptions: + user: sysadm_u + containers: + - name: container01 + image: nginx +--- +apiVersion: v1 +kind: Pod +metadata: + name: selur-badpod12 +spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + seLinuxOptions: + role: sysadm_r + containers: + - name: container01 + image: nginx +--- +apiVersion: v1 +kind: Pod +metadata: + name: selur-badpod13 +spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + seLinuxOptions: + user: sysadm_u + role: sysadm_r + containers: + - name: container01 + image: nginx +--- +apiVersion: v1 +kind: Pod +metadata: + name: selur-badpod14 +spec: + initContainers: + - name: initcontainer02 + image: nginx + - name: initcontainer01 + image: nginx + securityContext: + seLinuxOptions: + user: sysadm_u + containers: + - name: container01 + image: nginx +--- +apiVersion: v1 +kind: Pod +metadata: + name: selur-badpod15 +spec: + initContainers: + - name: 
initcontainer02 + image: nginx + - name: initcontainer01 + image: nginx + securityContext: + seLinuxOptions: + role: sysadm_r + containers: + - name: container01 + image: nginx +--- +apiVersion: v1 +kind: Pod +metadata: + name: selur-badpod16 +spec: + initContainers: + - name: initcontainer02 + image: nginx + - name: initcontainer01 + image: nginx + securityContext: + seLinuxOptions: + user: sysadm_u + role: sysadm_r + containers: + - name: container01 + image: nginx +--- +apiVersion: v1 +kind: Pod +metadata: + name: selur-badpod17 +spec: + initContainers: + - name: initcontainer02 + image: nginx + securityContext: + seLinuxOptions: + type: container_init_t + - name: initcontainer01 + image: nginx + securityContext: + seLinuxOptions: + user: sysadm_u + containers: + - name: container01 + image: nginx +--- +###### Deployments - Bad +apiVersion: apps/v1 +kind: Deployment +metadata: + name: selur-baddeployment01 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + securityContext: + seLinuxOptions: + user: sysadm_u +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: selur-baddeployment02 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + securityContext: + seLinuxOptions: + role: sysadm_r +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: selur-baddeployment03 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + securityContext: + seLinuxOptions: + user: sysadm_u + role: sysadm_r +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: selur-baddeployment04 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + 
image: nginx + securityContext: + seLinuxOptions: + user: sysadm_u +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: selur-baddeployment05 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + securityContext: + seLinuxOptions: + role: sysadm_r +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: selur-baddeployment06 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + securityContext: + seLinuxOptions: + user: sysadm_u + role: sysadm_r +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: selur-baddeployment07 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + - name: container02 + image: nginx + securityContext: + seLinuxOptions: + user: sysadm_u +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: selur-baddeployment08 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + - name: container02 + image: nginx + securityContext: + seLinuxOptions: + role: sysadm_r +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: selur-baddeployment09 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + - name: container02 + image: nginx + securityContext: + seLinuxOptions: + user: sysadm_u + role: sysadm_r +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: selur-baddeployment10 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + securityContext: + 
seLinuxOptions: + type: unconfined_t + - name: container02 + image: nginx + securityContext: + seLinuxOptions: + user: sysadm_u +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: selur-baddeployment11 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + seLinuxOptions: + user: sysadm_u + containers: + - name: container01 + image: nginx +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: selur-baddeployment12 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + seLinuxOptions: + role: sysadm_r + containers: + - name: container01 + image: nginx +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: selur-baddeployment13 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + seLinuxOptions: + user: sysadm_u + role: sysadm_r + containers: + - name: container01 + image: nginx +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: selur-baddeployment14 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer02 + image: nginx + - name: initcontainer01 + image: nginx + securityContext: + seLinuxOptions: + user: sysadm_u + containers: + - name: container01 + image: nginx +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: selur-baddeployment15 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer02 + image: nginx + - name: initcontainer01 + image: nginx + securityContext: + seLinuxOptions: + role: sysadm_r + containers: + - 
name: container01 + image: nginx +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: selur-baddeployment16 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer02 + image: nginx + - name: initcontainer01 + image: nginx + securityContext: + seLinuxOptions: + user: sysadm_u + role: sysadm_r + containers: + - name: container01 + image: nginx +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: selur-baddeployment17 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer02 + image: nginx + securityContext: + seLinuxOptions: + type: container_init_t + - name: initcontainer01 + image: nginx + securityContext: + seLinuxOptions: + user: sysadm_u + containers: + - name: container01 + image: nginx +--- +###### CronJobs - Bad +apiVersion: batch/v1 +kind: CronJob +metadata: + name: selur-badcronjob01 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + securityContext: + seLinuxOptions: + user: sysadm_u +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: selur-badcronjob02 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + securityContext: + seLinuxOptions: + role: sysadm_r +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: selur-badcronjob03 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + securityContext: + seLinuxOptions: + user: sysadm_u + role: sysadm_r +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: selur-badcronjob04 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: 
OnFailure + containers: + - name: container01 + image: nginx + securityContext: + seLinuxOptions: + user: sysadm_u +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: selur-badcronjob05 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + securityContext: + seLinuxOptions: + role: sysadm_r +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: selur-badcronjob06 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + securityContext: + seLinuxOptions: + user: sysadm_u + role: sysadm_r +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: selur-badcronjob07 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + - name: container02 + image: nginx + securityContext: + seLinuxOptions: + user: sysadm_u +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: selur-badcronjob08 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + - name: container02 + image: nginx + securityContext: + seLinuxOptions: + role: sysadm_r +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: selur-badcronjob09 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + - name: container02 + image: nginx + securityContext: + seLinuxOptions: + user: sysadm_u + role: sysadm_r +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: selur-badcronjob10 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + securityContext: + seLinuxOptions: + type: unconfined_t + - 
name: container02 + image: nginx + securityContext: + seLinuxOptions: + user: sysadm_u +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: selur-badcronjob11 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + seLinuxOptions: + user: sysadm_u + containers: + - name: container01 + image: nginx +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: selur-badcronjob12 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + seLinuxOptions: + role: sysadm_r + containers: + - name: container01 + image: nginx +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: selur-badcronjob13 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + seLinuxOptions: + user: sysadm_u + role: sysadm_r + containers: + - name: container01 + image: nginx +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: selur-badcronjob14 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer02 + image: nginx + - name: initcontainer01 + image: nginx + securityContext: + seLinuxOptions: + user: sysadm_u + containers: + - name: container01 + image: nginx +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: selur-badcronjob15 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer02 + image: nginx + - name: initcontainer01 + image: nginx + securityContext: + seLinuxOptions: + role: sysadm_r + containers: + - name: container01 + image: nginx +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: 
selur-badcronjob16 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer02 + image: nginx + - name: initcontainer01 + image: nginx + securityContext: + seLinuxOptions: + user: sysadm_u + role: sysadm_r + containers: + - name: container01 + image: nginx +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: selur-badcronjob17 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer02 + image: nginx + securityContext: + seLinuxOptions: + type: container_init_t + - name: initcontainer01 + image: nginx + securityContext: + seLinuxOptions: + user: sysadm_u + containers: + - name: container01 + image: nginx diff --git a/pod-security/baseline/disallow-selinux/e2e/chainsaw-test.yaml b/pod-security/baseline/disallow-selinux/e2e/chainsaw-test.yaml new file mode 100644 index 00000000..4b6458fa --- /dev/null +++ b/pod-security/baseline/disallow-selinux/e2e/chainsaw-test.yaml @@ -0,0 +1,24 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + name: disallow-selinux-policy +spec: + steps: + - name: test-disallow-selinux + try: + - apply: + file: ../disallow-selinux.yaml + - assert: + file: policy-assert.yaml + - script: + content: | + sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../disallow-selinux.yaml | kubectl apply -f - + - assert: + file: enforce-policy-assert.yaml + - apply: + file: good-resource.yaml + - apply: + expect: + - check: + ($error != null): true + file: bad-resource.yaml diff --git a/best-practices/require_ro_rootfs/e2e/policy-assert.yaml b/pod-security/baseline/disallow-selinux/e2e/enforce-policy-assert.yaml similarity index 62% rename from best-practices/require_ro_rootfs/e2e/policy-assert.yaml rename to pod-security/baseline/disallow-selinux/e2e/enforce-policy-assert.yaml index 5420c89e..12885f74 100644 
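Review bot: The Enforce step rewrites the policy source with `sed` and re-applies it, so the test silently depends on the literal text `validationFailureAction: audit` appearing in ../disallow-selinux.yaml; if the casing or spacing of that field ever changes the substitution becomes a no-op and only the later enforce-policy-assert fails, with a misleading message. Patching the object chainsaw already created is independent of the file layout, e.g. `kubectl patch clusterpolicy disallow-selinux --type merge -p '{"spec":{"validationFailureAction":"Enforce"}}'`. The `expect` check on bad-resource.yaml only asserts that some error occurred; if chainsaw evaluates the check per document of that multi-document file this is enough, but please confirm, since otherwise one rejected document would mask others the policy admits. The restrict-apparmor-profiles chainsaw-test.yaml later in this patch has the same structure and would take the same change.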
--- a/best-practices/require_ro_rootfs/e2e/policy-assert.yaml +++ b/pod-security/baseline/disallow-selinux/e2e/enforce-policy-assert.yaml @@ -1,11 +1,11 @@ apiVersion: kyverno.io/v1 kind: ClusterPolicy metadata: - name: require-ro-rootfs + name: disallow-selinux spec: - validationFailureAction: audit + validationFailureAction: Enforce status: conditions: - reason: Succeeded status: "True" - type: Ready + type: Ready \ No newline at end of file diff --git a/pod-security/baseline/disallow-selinux/e2e/good-resource.yaml b/pod-security/baseline/disallow-selinux/e2e/good-resource.yaml new file mode 100644 index 00000000..9b0f0908 --- /dev/null +++ b/pod-security/baseline/disallow-selinux/e2e/good-resource.yaml 
@@ -0,0 +1,1439 @@ +######################## +## Rule: selinux-type ## +######################## +###### Pods - Good +apiVersion: v1 +kind: Pod +metadata: + name: goodpod01 +spec: + containers: + - name: container01 + image: nginx +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod02 +spec: + containers: + - name: container01 + image: nginx + securityContext: + seLinuxOptions: + type: container_t +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod03 +spec: + containers: + - name: container01 + image: nginx + securityContext: + seLinuxOptions: + type: container_init_t +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod04 +spec: + containers: + - name: container01 + image: nginx + securityContext: + seLinuxOptions: + type: container_kvm_t +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod05 +spec: + containers: + - name: container01 + image: nginx + securityContext: + seLinuxOptions: + type: container_t +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod06 +spec: + containers: + - name: container01 + image: nginx + securityContext: + seLinuxOptions: + type: container_init_t +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod07 +spec: + containers: + - name: container01 + image: nginx + securityContext: + seLinuxOptions: + type: container_kvm_t +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod08 +spec: + containers: + - name: container01 + image: nginx + - name: container02 + image: nginx + securityContext: + seLinuxOptions: + type: container_kvm_t +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod09 +spec: + containers: + - name: container01 + image: nginx + securityContext: + seLinuxOptions: + type: container_t + - name: container02 + image: nginx + securityContext: + seLinuxOptions: + type: container_kvm_t +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod10 +spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + seLinuxOptions: + type: container_t + containers: + - 
name: container01 + image: nginx +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod11 +spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + seLinuxOptions: + type: container_init_t + containers: + - name: container01 + image: nginx +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod12 +spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + seLinuxOptions: + type: container_kvm_t + containers: + - name: container01 + image: nginx +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod13 +spec: + initContainers: + - name: initcontainer01 + image: nginx + - name: initcontainer02 + image: nginx + securityContext: + seLinuxOptions: + type: container_t + containers: + - name: container01 + image: nginx +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod14 +spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + seLinuxOptions: + type: container_init_t + - name: initcontainer02 + image: nginx + securityContext: + seLinuxOptions: + type: container_t + containers: + - name: container01 + image: nginx +--- +###### Deployments - Good +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment01 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment02 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + securityContext: + seLinuxOptions: + type: container_t +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment03 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + securityContext: + seLinuxOptions: + type: 
container_init_t +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment04 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + securityContext: + seLinuxOptions: + type: container_kvm_t +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment05 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + securityContext: + seLinuxOptions: + type: container_t +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment06 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + securityContext: + seLinuxOptions: + type: container_init_t +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment07 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + securityContext: + seLinuxOptions: + type: container_kvm_t +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment08 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + - name: container02 + image: nginx + securityContext: + seLinuxOptions: + type: container_kvm_t +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment09 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + securityContext: + seLinuxOptions: + type: container_t + - name: container02 + image: nginx + securityContext: + seLinuxOptions: + type: container_kvm_t +--- +apiVersion: apps/v1 
+kind: Deployment +metadata: + name: gooddeployment10 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + seLinuxOptions: + type: container_t + containers: + - name: container01 + image: nginx +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment11 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + seLinuxOptions: + type: container_init_t + containers: + - name: container01 + image: nginx +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment12 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + seLinuxOptions: + type: container_kvm_t + containers: + - name: container01 + image: nginx +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment13 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: nginx + - name: initcontainer02 + image: nginx + securityContext: + seLinuxOptions: + type: container_t + containers: + - name: container01 + image: nginx +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment14 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + seLinuxOptions: + type: container_init_t + - name: initcontainer02 + image: nginx + securityContext: + seLinuxOptions: + type: container_t + containers: + - name: container01 + image: nginx +--- +###### CronJobs - Good +apiVersion: batch/v1 +kind: CronJob +metadata: 
+ name: goodcronjob01 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob02 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + securityContext: + seLinuxOptions: + type: container_t +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob03 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + securityContext: + seLinuxOptions: + type: container_init_t +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob04 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + securityContext: + seLinuxOptions: + type: container_kvm_t +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob05 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + securityContext: + seLinuxOptions: + type: container_t +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob06 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + securityContext: + seLinuxOptions: + type: container_init_t +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob07 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + securityContext: + seLinuxOptions: + type: container_kvm_t +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob08 +spec: + 
schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + - name: container02 + image: nginx + securityContext: + seLinuxOptions: + type: container_kvm_t +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob09 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + securityContext: + seLinuxOptions: + type: container_t + - name: container02 + image: nginx + securityContext: + seLinuxOptions: + type: container_kvm_t +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob10 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + seLinuxOptions: + type: container_t + containers: + - name: container01 + image: nginx +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob11 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + seLinuxOptions: + type: container_init_t + containers: + - name: container01 + image: nginx +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob12 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + seLinuxOptions: + type: container_kvm_t + containers: + - name: container01 + image: nginx +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob13 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: nginx + - name: initcontainer02 + image: nginx + securityContext: + seLinuxOptions: + type: 
container_t + containers: + - name: container01 + image: nginx +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob14 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + seLinuxOptions: + type: container_init_t + - name: initcontainer02 + image: nginx + securityContext: + seLinuxOptions: + type: container_t + containers: + - name: container01 + image: nginx +--- +############################# +## Rule: selinux-user-role ## +############################# +###### Pods - Good +apiVersion: v1 +kind: Pod +metadata: + name: selur-goodpod01 +spec: + containers: + - name: container01 + image: nginx +--- +apiVersion: v1 +kind: Pod +metadata: + name: selur-goodpod02 +spec: + containers: + - name: container01 + image: nginx + securityContext: + seLinuxOptions: + level: "s0:c123,c456" +--- +apiVersion: v1 +kind: Pod +metadata: + name: selur-goodpod03 +spec: + containers: + - name: container01 + image: nginx + securityContext: + seLinuxOptions: + level: "s0:c123,c456" +--- +apiVersion: v1 +kind: Pod +metadata: + name: selur-goodpod04 +spec: + containers: + - name: container01 + image: nginx + securityContext: + seLinuxOptions: + type: container_t + level: "s0:c123,c456" +--- +apiVersion: v1 +kind: Pod +metadata: + name: selur-goodpod05 +spec: + containers: + - name: container01 + image: nginx + - name: container02 + image: nginx + securityContext: + seLinuxOptions: + level: "s0:c123,c456" +--- +apiVersion: v1 +kind: Pod +metadata: + name: selur-goodpod06 +spec: + containers: + - name: container01 + image: nginx + securityContext: + seLinuxOptions: + type: container_t + - name: container02 + image: nginx + securityContext: + seLinuxOptions: + level: "s0:c123,c456" +--- +apiVersion: v1 +kind: Pod +metadata: + name: selur-goodpod07 +spec: + initContainers: + - name: initcontainer01 + image: nginx + containers: + - name: container01 
+ image: nginx +--- +apiVersion: v1 +kind: Pod +metadata: + name: selur-goodpod08 +spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + seLinuxOptions: + level: "s0:c123,c456" + containers: + - name: container01 + image: nginx +--- +apiVersion: v1 +kind: Pod +metadata: + name: selur-goodpod09 +spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + seLinuxOptions: + level: "s0:c123,c456" + type: container_t + containers: + - name: container01 + image: nginx +--- +apiVersion: v1 +kind: Pod +metadata: + name: selur-goodpod10 +spec: + initContainers: + - name: initcontainer01 + image: nginx + - name: initcontainer02 + image: nginx + securityContext: + seLinuxOptions: + level: "s0:c123,c456" + containers: + - name: container01 + image: nginx +--- +apiVersion: v1 +kind: Pod +metadata: + name: selur-goodpod11 +spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + seLinuxOptions: + type: container_t + - name: initcontainer02 + image: nginx + securityContext: + seLinuxOptions: + level: "s0:c123,c456" + containers: + - name: container01 + image: nginx +--- +###### Deployments - Good +apiVersion: apps/v1 +kind: Deployment +metadata: + name: selur-gooddeployment01 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: selur-gooddeployment02 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + securityContext: + seLinuxOptions: + level: "s0:c123,c456" +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: selur-gooddeployment03 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + 
securityContext: + seLinuxOptions: + level: "s0:c123,c456" +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: selur-gooddeployment04 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + securityContext: + seLinuxOptions: + type: container_t + level: "s0:c123,c456" +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: selur-gooddeployment05 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + - name: container02 + image: nginx + securityContext: + seLinuxOptions: + level: "s0:c123,c456" +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: selur-gooddeployment06 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + securityContext: + seLinuxOptions: + type: container_t + - name: container02 + image: nginx + securityContext: + seLinuxOptions: + level: "s0:c123,c456" +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: selur-gooddeployment07 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: nginx + containers: + - name: container01 + image: nginx +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: selur-gooddeployment08 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + seLinuxOptions: + level: "s0:c123,c456" + containers: + - name: container01 + image: nginx +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: selur-gooddeployment09 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + 
app: app + spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + seLinuxOptions: + level: "s0:c123,c456" + type: container_t + containers: + - name: container01 + image: nginx +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: selur-gooddeployment10 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: nginx + - name: initcontainer02 + image: nginx + securityContext: + seLinuxOptions: + level: "s0:c123,c456" + containers: + - name: container01 + image: nginx +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: selur-gooddeployment11 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + seLinuxOptions: + type: container_t + - name: initcontainer02 + image: nginx + securityContext: + seLinuxOptions: + level: "s0:c123,c456" + containers: + - name: container01 + image: nginx +--- +###### CronJobs - Good +apiVersion: batch/v1 +kind: CronJob +metadata: + name: selur-goodcronjob01 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: selur-goodcronjob02 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + securityContext: + seLinuxOptions: + level: "s0:c123,c456" +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: selur-goodcronjob03 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + securityContext: + seLinuxOptions: + level: "s0:c123,c456" +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: 
selur-goodcronjob04 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + securityContext: + seLinuxOptions: + type: container_t + level: "s0:c123,c456" +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: selur-goodcronjob05 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + - name: container02 + image: nginx + securityContext: + seLinuxOptions: + level: "s0:c123,c456" +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: selur-goodcronjob06 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + securityContext: + seLinuxOptions: + type: container_t + - name: container02 + image: nginx + securityContext: + seLinuxOptions: + level: "s0:c123,c456" +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: selur-goodcronjob07 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: nginx + containers: + - name: container01 + image: nginx +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: selur-goodcronjob08 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + seLinuxOptions: + level: "s0:c123,c456" + containers: + - name: container01 + image: nginx +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: selur-goodcronjob09 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + seLinuxOptions: + level: "s0:c123,c456" + type: container_t + containers: + - name: container01 + image: 
nginx +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: selur-goodcronjob10 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: nginx + - name: initcontainer02 + image: nginx + securityContext: + seLinuxOptions: + level: "s0:c123,c456" + containers: + - name: container01 + image: nginx +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: selur-goodcronjob11 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + seLinuxOptions: + type: container_t + - name: initcontainer02 + image: nginx + securityContext: + seLinuxOptions: + level: "s0:c123,c456" + containers: + - name: container01 + image: nginx diff --git a/best-practices/require_drop_cap_net_raw/e2e/policy-assert.yaml b/pod-security/baseline/disallow-selinux/e2e/policy-assert.yaml similarity index 87% rename from best-practices/require_drop_cap_net_raw/e2e/policy-assert.yaml rename to pod-security/baseline/disallow-selinux/e2e/policy-assert.yaml index 5eec2729..06f192f1 100644 --- a/best-practices/require_drop_cap_net_raw/e2e/policy-assert.yaml +++ b/pod-security/baseline/disallow-selinux/e2e/policy-assert.yaml @@ -1,7 +1,7 @@ apiVersion: kyverno.io/v1 kind: ClusterPolicy metadata: - name: drop-cap-net-raw + name: disallow-selinux spec: validationFailureAction: audit status: diff --git a/pod-security/baseline/restrict-apparmor-profiles/e2e/bad-resource.yaml b/pod-security/baseline/restrict-apparmor-profiles/e2e/bad-resource.yaml new file mode 100644 index 00000000..80f0495d --- /dev/null +++ b/pod-security/baseline/restrict-apparmor-profiles/e2e/bad-resource.yaml 
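Review bot: Several good fixtures in this file are exact duplicates and add apply time without adding coverage: goodpod05/06/07 repeat goodpod02/03/04 (one container, same `type`), gooddeployment05/06/07 and goodcronjob05/06/07 repeat their 02/03/04 counterparts the same way, and selur-goodpod03, selur-gooddeployment03 and selur-goodcronjob03 repeat the 02 variants. Either drop the repeats or make them exercise a distinct shape; every fixture in this hunk sets `seLinuxOptions` under a container `securityContext`, and none sets it on the pod-level `spec.securityContext`, so that is a natural candidate if the policy validates the pod level too (the policy itself is not in this patch, so confirm against disallow-selinux.yaml). A short comment at the top of each rule section stating which values are expected to pass would also help the next person extending the file, e.g. `# selinux-type: only container_t, container_init_t and container_kvm_t are accepted`.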
@@ -0,0 +1,52 @@ +###### Pods - Bad +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod01 + annotations: + container.apparmor.security.beta.kubernetes.io/container01: unconfined +spec: + containers: + - name: container01 + image: nginx +--- +###### Deployments - Bad +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment01 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + annotations: + container.apparmor.security.beta.kubernetes.io/container01: unconfined + spec: + containers: + - name: container01 + image: nginx +--- +###### CronJobs - Bad +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob01 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + metadata: + annotations: + container.apparmor.security.beta.kubernetes.io/container01: unconfined + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx diff --git a/pod-security/baseline/restrict-apparmor-profiles/e2e/chainsaw-test.yaml b/pod-security/baseline/restrict-apparmor-profiles/e2e/chainsaw-test.yaml new file mode 100644 index 00000000..59982828 --- /dev/null +++ b/pod-security/baseline/restrict-apparmor-profiles/e2e/chainsaw-test.yaml @@ -0,0 +1,24 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + name: restrict-apparmor-profiles-policy +spec: + steps: + - name: test-restrict-apparmor-profiles + try: + - apply: + file: ../restrict-apparmor-profiles.yaml + - assert: + file: policy-assert.yaml + - script: + content: | + sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../restrict-apparmor-profiles.yaml | kubectl apply -f - + - assert: + file: enforce-policy-assert.yaml + - apply: + file: good-resource.yaml + - apply: + expect: + - check: + ($error != null): true + file: bad-resource.yaml 
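Review bot: The bad fixtures only cover the `unconfined` value, so a regression that admits any other value outside `runtime/default` and `localhost/` (an empty string, an arbitrary word) would go unnoticed; add at least one such document, e.g. a pod with `container.apparmor.security.beta.kubernetes.io/container01: foo`. Whether that case is rejected depends on the policy being an allow-list rather than a deny of `unconfined` specifically, which this patch does not show, so confirm against restrict-apparmor-profiles.yaml before relying on it. No fixture annotates an init container key either (`container.apparmor.security.beta.kubernetes.io/initcontainer01`), which is worth a case if the policy matches every key under that prefix.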
diff --git a/pod-security/baseline/restrict-apparmor-profiles/e2e/enforce-policy-assert.yaml b/pod-security/baseline/restrict-apparmor-profiles/e2e/enforce-policy-assert.yaml new file mode 100644 index 00000000..8245cc83 --- /dev/null +++ b/pod-security/baseline/restrict-apparmor-profiles/e2e/enforce-policy-assert.yaml @@ -0,0 +1,11 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: restrict-apparmor-profiles +spec: + validationFailureAction: Enforce +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready \ No newline at end of file diff --git a/pod-security/baseline/restrict-apparmor-profiles/e2e/good-resource.yaml b/pod-security/baseline/restrict-apparmor-profiles/e2e/good-resource.yaml new file mode 100644 index 00000000..d7e66670 --- /dev/null +++ b/pod-security/baseline/restrict-apparmor-profiles/e2e/good-resource.yaml 
@@ -0,0 +1,142 @@ +###### Pods - Good +apiVersion: v1 +kind: Pod +metadata: + name: goodpod01 +spec: + containers: + - name: container01 + image: nginx +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod02 + annotations: + container.apparmor.security.beta.kubernetes.io/container01: runtime/default +spec: + containers: + - name: container01 + image: nginx +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod03 + annotations: + container.apparmor.security.beta.kubernetes.io/container01: localhost/foo +spec: + containers: + - name: container01 + image: nginx +--- +###### Deployments - Good +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment01 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment02 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + annotations: + container.apparmor.security.beta.kubernetes.io/container01: runtime/default + spec: + containers: + - name: container01 + image: nginx +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment03 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + annotations: + container.apparmor.security.beta.kubernetes.io/container01: localhost/foo + spec: + containers: + - name: container01 + image: nginx +--- +###### CronJobs - Good +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob01 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob02 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + metadata: + annotations: + container.apparmor.security.beta.kubernetes.io/container01: 
runtime/default + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob03 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + metadata: + annotations: + container.apparmor.security.beta.kubernetes.io/container01: localhost/foo + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx diff --git a/best-practices/disallow_default_namespace/e2e/policy-assert.yaml b/pod-security/baseline/restrict-apparmor-profiles/e2e/policy-assert.yaml similarity index 83% rename from best-practices/disallow_default_namespace/e2e/policy-assert.yaml rename to pod-security/baseline/restrict-apparmor-profiles/e2e/policy-assert.yaml index 7243ffc6..72feb219 100644 --- a/best-practices/disallow_default_namespace/e2e/policy-assert.yaml +++ b/pod-security/baseline/restrict-apparmor-profiles/e2e/policy-assert.yaml @@ -1,7 +1,7 @@ apiVersion: kyverno.io/v1 kind: ClusterPolicy metadata: - name: disallow-default-namespace + name: restrict-apparmor-profiles spec: validationFailureAction: audit status: diff --git a/pod-security/baseline/restrict-seccomp/e2e/bad-resource.yaml b/pod-security/baseline/restrict-seccomp/e2e/bad-resource.yaml new file mode 100644 index 00000000..31a744d0 --- /dev/null +++ b/pod-security/baseline/restrict-seccomp/e2e/bad-resource.yaml 
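Review bot: goodpod03, gooddeployment03 and goodcronjob03 use `localhost/foo`, a profile that will not be loaded on a test node, so those pods are admitted but can never start; the suite only checks admission, which is fine, but nothing in the file says so. A comment on those cases, `# localhost/<profile> is accepted by the policy; the pod is not expected to run because no such profile is loaded on the node`, would stop someone from "fixing" the fixture into `runtime/default` and losing the Localhost coverage. The positive set also has no workload with several containers each carrying its own annotation, which is the shape the per-container annotation key is designed for and the case most likely to trip an `anyPattern`-style rule.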
@@ -0,0 +1,429 @@ +###### Pods - Bad +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod01 +spec: + containers: + - name: container01 + image: nginx + securityContext: + seccompProfile: + type: Unconfined +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod02 +spec: + containers: + - name: container01 + image: nginx + securityContext: + seccompProfile: + type: Unconfined +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod03 +spec: + containers: + - name: container01 + image: nginx + - name: container02 + image: nginx + securityContext: + seccompProfile: + type: Unconfined +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod04 +spec: + containers: + - name: container01 + image: nginx + securityContext: + seccompProfile: + type: RuntimeDefault + - name: container02 + image: nginx + securityContext: + seccompProfile: + type: Unconfined +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod05 +spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + seccompProfile: + type: Unconfined + containers: + - name: container01 + image: nginx +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod06 +spec: + initContainers: + - name: initcontainer01 + image: nginx + - name: initcontainer02 + image: nginx + securityContext: + seccompProfile: + type: Unconfined + containers: + - name: container01 + image: nginx +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod07 +spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + seccompProfile: + type: RuntimeDefault + - name: initcontainer02 + image: nginx + securityContext: + seccompProfile: + type: Unconfined + containers: + - name: container01 + image: nginx +--- +###### Deployments - Bad +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment01 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + securityContext: + 
seccompProfile: + type: Unconfined +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment02 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + securityContext: + seccompProfile: + type: Unconfined +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment03 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + - name: container02 + image: nginx + securityContext: + seccompProfile: + type: Unconfined +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment04 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + securityContext: + seccompProfile: + type: RuntimeDefault + - name: container02 + image: nginx + securityContext: + seccompProfile: + type: Unconfined +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment05 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + seccompProfile: + type: Unconfined + containers: + - name: container01 + image: nginx +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment06 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: nginx + - name: initcontainer02 + image: nginx + securityContext: + seccompProfile: + type: Unconfined + containers: + - name: container01 + image: nginx +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment07 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: 
app + spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + seccompProfile: + type: RuntimeDefault + - name: initcontainer02 + image: nginx + securityContext: + seccompProfile: + type: Unconfined + containers: + - name: container01 + image: nginx +--- +###### CronJobs - Bad +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob01 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + securityContext: + seccompProfile: + type: Unconfined +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob02 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + securityContext: + seccompProfile: + type: Unconfined +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob03 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + - name: container02 + image: nginx + securityContext: + seccompProfile: + type: Unconfined +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob04 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + securityContext: + seccompProfile: + type: RuntimeDefault + - name: container02 + image: nginx + securityContext: + seccompProfile: + type: Unconfined +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob05 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + seccompProfile: + type: Unconfined + containers: + - name: container01 + image: nginx +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob06 +spec: + 
schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: nginx + - name: initcontainer02 + image: nginx + securityContext: + seccompProfile: + type: Unconfined + containers: + - name: container01 + image: nginx +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob07 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + seccompProfile: + type: RuntimeDefault + - name: initcontainer02 + image: nginx + securityContext: + seccompProfile: + type: Unconfined + containers: + - name: container01 + image: nginx diff --git a/pod-security/baseline/restrict-seccomp/e2e/chainsaw-test.yaml b/pod-security/baseline/restrict-seccomp/e2e/chainsaw-test.yaml new file mode 100644 index 00000000..afef5c2a --- /dev/null +++ b/pod-security/baseline/restrict-seccomp/e2e/chainsaw-test.yaml @@ -0,0 +1,24 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + name: restrict-seccomp-policy +spec: + steps: + - name: test-restrict-seccomp + try: + - apply: + file: ../restrict-seccomp.yaml + - assert: + file: policy-assert.yaml + - script: + content: | + sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../restrict-seccomp.yaml | kubectl apply -f - + - assert: + file: enforce-policy-assert.yaml + - apply: + file: good-resource.yaml + - apply: + expect: + - check: + ($error != null): true + file: bad-resource.yaml diff --git a/best-practices/require_labels/e2e/03-enforce-policy-assert.yaml b/pod-security/baseline/restrict-seccomp/e2e/enforce-policy-assert.yaml similarity index 62% rename from best-practices/require_labels/e2e/03-enforce-policy-assert.yaml rename to pod-security/baseline/restrict-seccomp/e2e/enforce-policy-assert.yaml index 24ea8c63..c221e087 100644 
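Review bot: badpod01 and badpod02 (and likewise baddeployment01/02 and badcronjob01/02) read identically in this patch: a single container with `seccompProfile.type: Unconfined`. Indentation is not recoverable in this view, so if the second of each pair is meant to be the pod-level `spec.securityContext.seccompProfile` case, please mark it with a section comment such as `###### pod-level securityContext - Bad`; if it is not, the pod-level path — a distinct field the policy must deny — has no negative coverage at all. A further case worth adding is a pod whose `spec.securityContext` is `Unconfined` while every container overrides it with `RuntimeDefault`: the baseline standard still rejects it, and a policy that only evaluated the effective per-container value would wrongly admit it.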
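Review bot: The `script` step rewrites the policy with `sed` on the literal `validationFailureAction: audit` and re-applies the whole file; `kubectl patch clusterpolicy restrict-seccomp --type=merge -p '{"spec":{"validationFailureAction":"Enforce"}}'` flips the mode without depending on the file's exact spelling (Kyverno also accepts `Audit`) or on re-applying every other field. As written, a non-matching `sed` still exits 0 and `kubectl apply` succeeds, so the problem is only reported by the following assert. The last `apply` also treats any error as success; checking for the policy name in the error (`(contains($error, 'restrict-seccomp')): true`) would rule out admission failures unrelated to the policy.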
--- a/best-practices/require_labels/e2e/03-enforce-policy-assert.yaml +++ b/pod-security/baseline/restrict-seccomp/e2e/enforce-policy-assert.yaml @@ -1,11 +1,11 @@ apiVersion: kyverno.io/v1 kind: ClusterPolicy metadata: - name: require-labels + name: restrict-seccomp spec: - validationFailureAction: enforce + validationFailureAction: Enforce status: conditions: - reason: Succeeded status: "True" - type: Ready + type: Ready \ No newline at end of file diff --git a/pod-security/baseline/restrict-seccomp/e2e/good-resource.yaml b/pod-security/baseline/restrict-seccomp/e2e/good-resource.yaml new file mode 100644 index 00000000..86eb81eb --- /dev/null +++ b/pod-security/baseline/restrict-seccomp/e2e/good-resource.yaml 
@@ -0,0 +1,647 @@ +###### Pods - Good +apiVersion: v1 +kind: Pod +metadata: + name: goodpod01 +spec: + containers: + - name: container01 + image: nginx +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod02 +spec: + containers: + - name: container01 + image: nginx + securityContext: + seccompProfile: + type: RuntimeDefault +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod03 +spec: + containers: + - name: container01 + image: nginx + securityContext: + seccompProfile: + type: Localhost + localhostProfile: operator/default/profile1.json +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod04 +spec: + containers: + - name: container01 + image: nginx + securityContext: + seccompProfile: + type: RuntimeDefault +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod05 +spec: + containers: + - name: container01 + image: nginx + securityContext: + seccompProfile: + type: Localhost + localhostProfile: operator/default/profile1.json +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod06 +spec: + containers: + - name: container01 + image: nginx + - name: container02 + image: nginx + securityContext: + seccompProfile: + type: RuntimeDefault +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod07 +spec: + containers: + - name: container01 + image: nginx + securityContext: + seccompProfile: + type: RuntimeDefault + - name: container02 + image: nginx + securityContext: + seccompProfile: + type: Localhost + localhostProfile: operator/default/profile1.json +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod08 +spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + seccompProfile: + type: RuntimeDefault + containers: + - name: container01 + image: nginx +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod09 +spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + seccompProfile: + type: Localhost + localhostProfile: operator/default/profile1.json + containers: + - name: 
container01 + image: nginx +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod10 +spec: + initContainers: + - name: initcontainer01 + image: nginx + - name: initcontainer02 + image: nginx + securityContext: + seccompProfile: + type: RuntimeDefault + containers: + - name: container01 + image: nginx +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod11 +spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + seccompProfile: + type: Localhost + localhostProfile: operator/default/profile1.json + - name: initcontainer02 + image: nginx + securityContext: + seccompProfile: + type: RuntimeDefault + containers: + - name: container01 + image: nginx +--- +###### Deployments - Good +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment01 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment02 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + securityContext: + seccompProfile: + type: RuntimeDefault +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment03 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + securityContext: + seccompProfile: + type: Localhost + localhostProfile: operator/default/profile1.json +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment04 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + securityContext: + seccompProfile: + type: RuntimeDefault +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment05 
+spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + securityContext: + seccompProfile: + type: Localhost + localhostProfile: operator/default/profile1.json +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment06 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + - name: container02 + image: nginx + securityContext: + seccompProfile: + type: RuntimeDefault +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment07 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + securityContext: + seccompProfile: + type: Localhost + localhostProfile: operator/default/profile1.json + - name: container02 + image: nginx + securityContext: + seccompProfile: + type: RuntimeDefault +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment08 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + seccompProfile: + type: RuntimeDefault + containers: + - name: container01 + image: nginx +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment09 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + seccompProfile: + type: Localhost + localhostProfile: operator/default/profile1.json + containers: + - name: container01 + image: nginx +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment10 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + 
app: app + spec: + initContainers: + - name: initcontainer01 + image: nginx + - name: initcontainer02 + image: nginx + securityContext: + seccompProfile: + type: RuntimeDefault + containers: + - name: container01 + image: nginx +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment11 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + seccompProfile: + type: Localhost + localhostProfile: operator/default/profile1.json + - name: initcontainer02 + image: nginx + securityContext: + seccompProfile: + type: RuntimeDefault + containers: + - name: container01 + image: nginx +--- +###### CronJobs - Good +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob01 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob02 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + securityContext: + seccompProfile: + type: RuntimeDefault +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob03 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + securityContext: + seccompProfile: + type: Localhost + localhostProfile: operator/default/profile1.json +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob04 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + securityContext: + seccompProfile: + type: RuntimeDefault +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob05 +spec: + schedule: 
"*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + securityContext: + seccompProfile: + type: Localhost + localhostProfile: operator/default/profile1.json +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob06 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + - name: container02 + image: nginx + securityContext: + seccompProfile: + type: RuntimeDefault +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob07 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + securityContext: + seccompProfile: + type: Localhost + localhostProfile: operator/default/profile1.json + - name: container02 + image: nginx + securityContext: + seccompProfile: + type: RuntimeDefault +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob08 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + seccompProfile: + type: RuntimeDefault + containers: + - name: container01 + image: nginx +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob09 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + seccompProfile: + type: Localhost + localhostProfile: operator/default/profile1.json + containers: + - name: container01 + image: nginx +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob10 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: nginx + - name: 
initcontainer02 + image: nginx + securityContext: + seccompProfile: + type: RuntimeDefault + containers: + - name: container01 + image: nginx +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob11 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + seccompProfile: + type: Localhost + localhostProfile: operator/default/profile1.json + - name: initcontainer02 + image: nginx + securityContext: + seccompProfile: + type: RuntimeDefault + containers: + - name: container01 + image: nginx diff --git a/best-practices/require_labels/e2e/policy-assert.yaml b/pod-security/baseline/restrict-seccomp/e2e/policy-assert.yaml similarity index 87% rename from best-practices/require_labels/e2e/policy-assert.yaml rename to pod-security/baseline/restrict-seccomp/e2e/policy-assert.yaml index fe39bbfa..30e7a0cc 100644 --- a/best-practices/require_labels/e2e/policy-assert.yaml +++ b/pod-security/baseline/restrict-seccomp/e2e/policy-assert.yaml @@ -1,7 +1,7 @@ apiVersion: kyverno.io/v1 kind: ClusterPolicy metadata: - name: require-labels + name: restrict-seccomp spec: validationFailureAction: audit status: diff --git a/pod-security/baseline/restrict-sysctls/e2e/bad-resource.yaml b/pod-security/baseline/restrict-sysctls/e2e/bad-resource.yaml new file mode 100644 index 00000000..6cd77d12 --- /dev/null +++ b/pod-security/baseline/restrict-sysctls/e2e/bad-resource.yaml 
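Review bot: goodpod02/goodpod04 and goodpod03/goodpod05 (and the matching Deployment and CronJob pairs) are indistinguishable in this view — one container with `RuntimeDefault` or `Localhost`. If the 04/05 variants are supposed to set the profile in the pod-level `spec.securityContext` (the indentation that would show this is lost here), a section comment such as `###### pod-level securityContext - Good` would make that intent explicit; otherwise the positive coverage of the pod-level field is missing and the pairs are plain duplicates. It is also worth a one-line note that `localhostProfile: operator/default/profile1.json` does not need to exist on the node for admission, which is all this suite verifies.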
@@ -0,0 +1,117 @@
+###### Pods - Bad
+---
+apiVersion: v1
+kind: Pod
+metadata:
+ name: badpod01
+spec:
+ containers:
+ - name: container01
+ image: nginx
+ securityContext:
+ sysctls:
+ - name: kernel.shm_next_id
+ value: "4"
+---
+apiVersion: v1
+kind: Pod
+metadata:
+ name: badpod02
+spec:
+ containers:
+ - name: container01
+ image: nginx
+ securityContext:
+ sysctls:
+ - name: kernel.shm_rmid_forced
+ value: "2"
+ - name: kernel.shm_next_id
+ value: "4"
+---
+###### Deployments - Bad
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: baddeployment01
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: app
+ template:
+ metadata:
+ labels:
+ app: app
+ spec:
+ containers:
+ - name: container01
+ image: nginx
+ securityContext:
+ sysctls:
+ - name: kernel.shm_next_id
+ value: "4"
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: baddeployment02
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: app
+ template:
+ metadata:
+ labels:
+ app: app
+ spec:
+ containers:
+ - name: container01
+ image: nginx
+ securityContext:
+ sysctls:
+ - name: kernel.shm_rmid_forced
+ value: "2"
+ - name: kernel.shm_next_id
+ value: "4"
+---
+###### CronJobs - Bad
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+ name: badcronjob01
+spec:
+ schedule: "*/1 * * * *"
+ jobTemplate:
+ spec:
+ template:
+ spec:
+ restartPolicy: OnFailure
+ containers:
+ - name: container01
+ image: nginx
+ securityContext:
+ sysctls:
+ - name: kernel.shm_next_id
+ value: "4"
+---
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+ name: badcronjob02
+spec:
+ schedule: "*/1 * * * *"
+ jobTemplate:
+ spec:
+ template:
+ spec:
+ restartPolicy: OnFailure
+ containers:
+ - name: container01
+ image: nginx
+ securityContext:
+ sysctls:
+ - name: kernel.shm_rmid_forced
+ value: "2"
+ - name: kernel.shm_next_id
+ value: "4"
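Review bot: `sysctls` is a field of the pod-level `spec.securityContext` only; the container `securityContext` has no such field. The indentation is lost in this view, so if `securityContext:` here sits under the container entry, the API server rejects the manifest as an unknown field and the test's `($error != null)` check passes for the wrong reason — please confirm the placement and add `# sysctls are pod-level (spec.securityContext); the container securityContext has no such field` above the first case. Every negative case also uses the same disallowed name, `kernel.shm_next_id`; one more case with an unrelated unsafe sysctl such as `net.core.somaxconn` would catch a policy written as a deny-list instead of the PSS allow-list.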
diff --git a/pod-security/baseline/restrict-sysctls/e2e/chainsaw-test.yaml b/pod-security/baseline/restrict-sysctls/e2e/chainsaw-test.yaml
new file mode 100644
index 00000000..4b54b392
--- /dev/null
+++ b/pod-security/baseline/restrict-sysctls/e2e/chainsaw-test.yaml
@@ -0,0 +1,24 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ name: restrict-sysctls-policy
+spec:
+ steps:
+ - name: test-restrict-sysctls
+ try:
+ - apply:
+ file: ../restrict-sysctls.yaml
+ - assert:
+ file: policy-assert.yaml
+ - script:
+ content: |
+ sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../restrict-sysctls.yaml | kubectl apply -f -
+ - assert:
+ file: enforce-policy-assert.yaml
+ - apply:
+ file: good-resource.yaml
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: bad-resource.yaml
diff --git a/pod-security/baseline/restrict-sysctls/e2e/enforce-policy-assert.yaml b/pod-security/baseline/restrict-sysctls/e2e/enforce-policy-assert.yaml
new file mode 100644
index 00000000..11726653
--- /dev/null
+++ b/pod-security/baseline/restrict-sysctls/e2e/enforce-policy-assert.yaml
@@ -0,0 +1,11 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: restrict-sysctls
+spec:
+ validationFailureAction: Enforce
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
\ No newline at end of file
diff --git a/pod-security/baseline/restrict-sysctls/e2e/good-resource.yaml b/pod-security/baseline/restrict-sysctls/e2e/good-resource.yaml
new file mode 100644
index 00000000..42e1e586
--- /dev/null
+++ b/pod-security/baseline/restrict-sysctls/e2e/good-resource.yaml
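Review bot: The negative step accepts any error (`($error != null): true`); for this policy an invalid sysctl name or a `sysctls` block at the wrong level is rejected by the API server itself, so the test would pass without the ClusterPolicy ever being consulted. Tightening it to `(contains($error, 'restrict-sysctls')): true` ties the rejection to this policy's denial message. The `apply` of good-resource.yaml proves admission only — chainsaw does not wait for the pods to run — so a short comment on that step (`# admission-only: pods are not awaited`) avoids surprise if a node later refuses one of the sysctls.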
@@ -0,0 +1,375 @@ +###### Pods - Good +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod01 +spec: + containers: + - name: container01 + image: nginx +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod02 +spec: + containers: + - name: container01 + image: nginx + securityContext: + sysctls: + - name: kernel.shm_rmid_forced + value: "2" +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod03 +spec: + containers: + - name: container01 + image: nginx + securityContext: + sysctls: + - name: net.ipv4.ip_local_port_range + value: "31000 60999" +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod04 +spec: + containers: + - name: container01 + image: nginx + securityContext: + sysctls: + - name: net.ipv4.ip_unprivileged_port_start + value: "2048" +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod05 +spec: + containers: + - name: container01 + image: nginx + securityContext: + sysctls: + - name: net.ipv4.tcp_syncookies + value: "0" +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod06 +spec: + containers: + - name: container01 + image: nginx + securityContext: + sysctls: + - name: net.ipv4.ping_group_range + value: "1 0" +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod07 +spec: + containers: + - name: container01 + image: nginx + securityContext: + sysctls: + - name: net.ipv4.ip_unprivileged_port_start + value: "2048" + - name: net.ipv4.ping_group_range + value: "1 0" +--- +###### Deployments - Good +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment01 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment02 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + securityContext: + sysctls: + - name: 
kernel.shm_rmid_forced + value: "2" +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment03 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + securityContext: + sysctls: + - name: net.ipv4.ip_local_port_range + value: "31000 60999" +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment04 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + securityContext: + sysctls: + - name: net.ipv4.ip_unprivileged_port_start + value: "2048" +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment05 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + securityContext: + sysctls: + - name: net.ipv4.tcp_syncookies + value: "0" +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment06 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + securityContext: + sysctls: + - name: net.ipv4.ping_group_range + value: "1 0" +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment07 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + securityContext: + sysctls: + - name: net.ipv4.ip_unprivileged_port_start + value: "2048" + - name: net.ipv4.ping_group_range + value: "1 0" +--- +###### CronJobs - Good +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob01 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx +--- 
+apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob02 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + securityContext: + sysctls: + - name: kernel.shm_rmid_forced + value: "2" +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob03 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + securityContext: + sysctls: + - name: net.ipv4.ip_local_port_range + value: "31000 60999" +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob04 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + securityContext: + sysctls: + - name: net.ipv4.ip_unprivileged_port_start + value: "2048" +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob05 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + securityContext: + sysctls: + - name: net.ipv4.tcp_syncookies + value: "0" +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob06 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + securityContext: + sysctls: + - name: net.ipv4.ping_group_range + value: "1 0" +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob07 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + securityContext: + sysctls: + - name: net.ipv4.ip_unprivileged_port_start + value: "2048" + - name: net.ipv4.ping_group_range + value: "1 0" 
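Review bot: The allowed names exercised here — `kernel.shm_rmid_forced`, `net.ipv4.ip_local_port_range`, `net.ipv4.ip_unprivileged_port_start`, `net.ipv4.tcp_syncookies`, `net.ipv4.ping_group_range` — are the Pod Security Standards baseline "safe sysctls", but nothing in the file says where the list comes from; a header comment such as `# allowed names per the PSS baseline safe-sysctl list; keep in sync with the policy's allow-list` makes drift between fixture and policy visible. If the policy already allows the later additions to that list (`net.ipv4.ip_local_reserved_ports`, and the `net.ipv4.tcp_keepalive_*`/`tcp_fin_timeout` group), each needs a good case here, otherwise a future tightening of the policy would go unnoticed. The policy file itself is not in this diff, so treat which names it allows as something to confirm before adding cases.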
diff --git a/best-practices/restrict_node_port/e2e/policy-assert.yaml b/pod-security/baseline/restrict-sysctls/e2e/policy-assert.yaml
similarity index 87%
rename from best-practices/restrict_node_port/e2e/policy-assert.yaml
rename to pod-security/baseline/restrict-sysctls/e2e/policy-assert.yaml
index e743d0ab..bcfc6b81 100644
--- a/best-practices/restrict_node_port/e2e/policy-assert.yaml
+++ b/pod-security/baseline/restrict-sysctls/e2e/policy-assert.yaml
@@ -1,7 +1,7 @@
 apiVersion: kyverno.io/v1
 kind: ClusterPolicy
 metadata:
- name: restrict-nodeport
+ name: restrict-sysctls
 spec:
 validationFailureAction: audit
 status:
diff --git a/pod-security/restricted/disallow-capabilities-strict/deployment.yaml b/pod-security/restricted/disallow-capabilities-strict/deployment.yaml
index 48bbbd5e..cc19abb0 100644
--- a/pod-security/restricted/disallow-capabilities-strict/deployment.yaml
+++ b/pod-security/restricted/disallow-capabilities-strict/deployment.yaml
@@ -40,7 +40,7 @@ spec:
 cpu: "500m"
 hostIPC: true
 initContainers:
- - name: nginx2
+ - name: nginx3
 image: nginx:latest
 securityContext:
 privileged: true
diff --git a/pod-security/restricted/disallow-capabilities-strict/e2e/bad-resource.yaml b/pod-security/restricted/disallow-capabilities-strict/e2e/bad-resource.yaml
new file mode 100644
index 00000000..d5a66f4f
--- /dev/null
+++ b/pod-security/restricted/disallow-capabilities-strict/e2e/bad-resource.yaml
@@ -0,0 +1,1351 @@ +############################ +## Rule: require-drop-all ## +############################ +###### Pods - Bad +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod01 +spec: + containers: + - name: container01 + image: nginx +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod02 +spec: + containers: + - name: container01 + image: nginx + securityContext: + capabilities: + drop: + - NET_RAW +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod03 +spec: + containers: + - name: container01 + image: nginx + - name: container02 + image: nginx +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod04 +spec: + containers: + - name: container01 + image: nginx + - name: container02 + image: nginx + securityContext: + capabilities: + drop: + - NET_RAW +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod05 +spec: + containers: + - name: container01 + image: nginx + securityContext: + capabilities: + drop: + - NET_RAW + - name: container02 + image: nginx + securityContext: + capabilities: + drop: + - ALL +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod06 +spec: + initContainers: + - name: initcontainer01 + image: nginx + containers: + - name: container01 + image: nginx + securityContext: + capabilities: + drop: + - ALL +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod07 +spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + capabilities: + drop: + - NET_RAW + containers: + - name: container01 + image: nginx + securityContext: + capabilities: + drop: + - ALL +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod08 +spec: + initContainers: + - name: initcontainer01 + image: nginx + - name: initcontainer02 + image: nginx + containers: + - name: container01 + image: nginx + securityContext: + capabilities: + drop: + - ALL +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod09 +spec: + initContainers: + - name: initcontainer01 + image: nginx + - name: initcontainer02 + image: nginx + 
securityContext: + capabilities: + drop: + - NET_RAW + containers: + - name: container01 + image: nginx + securityContext: + capabilities: + drop: + - ALL +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod10 +spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + capabilities: + drop: + - NET_RAW + - name: initcontainer02 + image: nginx + securityContext: + capabilities: + drop: + - ALL + containers: + - name: container01 + image: nginx + securityContext: + capabilities: + drop: + - ALL +--- +###### Deployments - Bad +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment01 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment02 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + securityContext: + capabilities: + drop: + - NET_RAW +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment03 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + - name: container02 + image: nginx +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment04 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + - name: container02 + image: nginx + securityContext: + capabilities: + drop: + - NET_RAW +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment05 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + securityContext: + capabilities: + drop: + - 
NET_RAW + - name: container02 + image: nginx + securityContext: + capabilities: + drop: + - ALL +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment06 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: nginx + containers: + - name: container01 + image: nginx + securityContext: + capabilities: + drop: + - ALL +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment07 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + capabilities: + drop: + - NET_RAW + containers: + - name: container01 + image: nginx + securityContext: + capabilities: + drop: + - ALL +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment08 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: nginx + - name: initcontainer02 + image: nginx + containers: + - name: container01 + image: nginx + securityContext: + capabilities: + drop: + - ALL +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment09 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: nginx + - name: initcontainer02 + image: nginx + securityContext: + capabilities: + drop: + - NET_RAW + containers: + - name: container01 + image: nginx + securityContext: + capabilities: + drop: + - ALL +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment10 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + capabilities: + drop: + - 
NET_RAW + - name: initcontainer02 + image: nginx + securityContext: + capabilities: + drop: + - ALL + containers: + - name: container01 + image: nginx + securityContext: + capabilities: + drop: + - ALL +--- +###### CronJobs - Bad +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob01 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob02 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + securityContext: + capabilities: + drop: + - NET_RAW +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob03 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + - name: container02 + image: nginx +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob04 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + - name: container02 + image: nginx + securityContext: + capabilities: + drop: + - NET_RAW +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob05 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + securityContext: + capabilities: + drop: + - NET_RAW + - name: container02 + image: nginx + securityContext: + capabilities: + drop: + - ALL +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob06 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: nginx + containers: + - name: container01 + image: nginx + securityContext: + 
capabilities: + drop: + - ALL +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob07 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + capabilities: + drop: + - NET_RAW + containers: + - name: container01 + image: nginx + securityContext: + capabilities: + drop: + - ALL +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob08 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: nginx + - name: initcontainer02 + image: nginx + containers: + - name: container01 + image: nginx + securityContext: + capabilities: + drop: + - ALL +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob09 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: nginx + - name: initcontainer02 + image: nginx + securityContext: + capabilities: + drop: + - NET_RAW + containers: + - name: container01 + image: nginx + securityContext: + capabilities: + drop: + - ALL +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob10 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + capabilities: + drop: + - NET_RAW + - name: initcontainer02 + image: nginx + securityContext: + capabilities: + drop: + - ALL + containers: + - name: container01 + image: nginx + securityContext: + capabilities: + drop: + - ALL +--- +###################################### +## Rule: adding-capabilities-strict ## +###################################### +###### Pods - Bad +--- +apiVersion: v1 +kind: Pod +metadata: + name: addcap-badpod01 +spec: + containers: + - name: container01 + image: nginx + 
securityContext: + capabilities: + add: + - CHOWN +--- +apiVersion: v1 +kind: Pod +metadata: + name: addcap-badpod02 +spec: + containers: + - name: container01 + image: nginx + securityContext: + capabilities: + add: + - CHOWN + - NET_BIND_SERVICE +--- +apiVersion: v1 +kind: Pod +metadata: + name: addcap-badpod03 +spec: + containers: + - name: container01 + image: nginx + - name: container02 + image: nginx + securityContext: + capabilities: + add: + - CHOWN +--- +apiVersion: v1 +kind: Pod +metadata: + name: addcap-badpod04 +spec: + containers: + - name: container01 + image: nginx + securityContext: + capabilities: + add: + - NET_BIND_SERVICE + - name: container02 + image: nginx + securityContext: + capabilities: + add: + - CHOWN +--- +apiVersion: v1 +kind: Pod +metadata: + name: addcap-badpod05 +spec: + containers: + - name: container01 + image: nginx + securityContext: + capabilities: + add: + - NET_BIND_SERVICE + - name: container02 + image: nginx + securityContext: + capabilities: + add: + - CHOWN + - NET_BIND_SERVICE +--- +apiVersion: v1 +kind: Pod +metadata: + name: addcap-badpod06 +spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + capabilities: + add: + - CHOWN + containers: + - name: container01 + image: nginx +--- +apiVersion: v1 +kind: Pod +metadata: + name: addcap-badpod07 +spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + capabilities: + add: + - CHOWN + - NET_BIND_SERVICE + containers: + - name: container01 + image: nginx +--- +apiVersion: v1 +kind: Pod +metadata: + name: addcap-badpod08 +spec: + initContainers: + - name: initcontainer01 + image: nginx + - name: initcontainer02 + image: nginx + securityContext: + capabilities: + add: + - CHOWN + containers: + - name: container01 + image: nginx +--- +apiVersion: v1 +kind: Pod +metadata: + name: addcap-badpod09 +spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + capabilities: + add: + - 
NET_BIND_SERVICE + - name: initcontainer02 + image: nginx + securityContext: + capabilities: + add: + - CHOWN + containers: + - name: container01 + image: nginx +--- +apiVersion: v1 +kind: Pod +metadata: + name: addcap-badpod10 +spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + capabilities: + add: + - NET_BIND_SERVICE + - name: initcontainer02 + image: nginx + securityContext: + capabilities: + add: + - CHOWN + - NET_BIND_SERVICE + containers: + - name: container01 + image: nginx +--- +###### Deployments - Bad +apiVersion: apps/v1 +kind: Deployment +metadata: + name: addcap-baddeployment01 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + securityContext: + capabilities: + add: + - CHOWN +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: addcap-baddeployment02 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + securityContext: + capabilities: + add: + - CHOWN + - NET_BIND_SERVICE +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: addcap-baddeployment03 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + - name: container02 + image: nginx + securityContext: + capabilities: + add: + - CHOWN +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: addcap-baddeployment04 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + securityContext: + capabilities: + add: + - NET_BIND_SERVICE + - name: container02 + image: nginx + securityContext: + capabilities: + add: + - CHOWN +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: addcap-baddeployment05 
+spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + securityContext: + capabilities: + add: + - NET_BIND_SERVICE + - name: container02 + image: nginx + securityContext: + capabilities: + add: + - CHOWN + - NET_BIND_SERVICE +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: addcap-baddeployment06 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + capabilities: + add: + - CHOWN + containers: + - name: container01 + image: nginx +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: addcap-baddeployment07 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + capabilities: + add: + - CHOWN + - NET_BIND_SERVICE + containers: + - name: container01 + image: nginx +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: addcap-baddeployment08 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: nginx + - name: initcontainer02 + image: nginx + securityContext: + capabilities: + add: + - CHOWN + containers: + - name: container01 + image: nginx +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: addcap-baddeployment09 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + capabilities: + add: + - NET_BIND_SERVICE + - name: initcontainer02 + image: nginx + securityContext: + capabilities: + add: + - CHOWN + containers: + - name: container01 + image: nginx +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + 
name: addcap-baddeployment10 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + capabilities: + add: + - NET_BIND_SERVICE + - name: initcontainer02 + image: nginx + securityContext: + capabilities: + add: + - CHOWN + - NET_BIND_SERVICE + containers: + - name: container01 + image: nginx +--- +###### CronJobs - Bad +apiVersion: batch/v1 +kind: CronJob +metadata: + name: addcap-badcronjob01 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + securityContext: + capabilities: + add: + - CHOWN +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: addcap-badcronjob02 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + securityContext: + capabilities: + add: + - CHOWN + - NET_BIND_SERVICE +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: addcap-badcronjob03 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + - name: container02 + image: nginx + securityContext: + capabilities: + add: + - CHOWN +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: addcap-badcronjob04 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + securityContext: + capabilities: + add: + - NET_BIND_SERVICE + - name: container02 + image: nginx + securityContext: + capabilities: + add: + - CHOWN +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: addcap-badcronjob05 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + 
securityContext: + capabilities: + add: + - NET_BIND_SERVICE + - name: container02 + image: nginx + securityContext: + capabilities: + add: + - CHOWN + - NET_BIND_SERVICE +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: addcap-badcronjob06 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + capabilities: + add: + - CHOWN + containers: + - name: container01 + image: nginx +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: addcap-badcronjob07 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + capabilities: + add: + - CHOWN + - NET_BIND_SERVICE + containers: + - name: container01 + image: nginx +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: addcap-badcronjob08 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: nginx + - name: initcontainer02 + image: nginx + securityContext: + capabilities: + add: + - CHOWN + containers: + - name: container01 + image: nginx +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: addcap-badcronjob09 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + capabilities: + add: + - NET_BIND_SERVICE + - name: initcontainer02 + image: nginx + securityContext: + capabilities: + add: + - CHOWN + containers: + - name: container01 + image: nginx +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: addcap-badcronjob10 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + capabilities: 
+ add: + - NET_BIND_SERVICE + - name: initcontainer02 + image: nginx + securityContext: + capabilities: + add: + - CHOWN + - NET_BIND_SERVICE + containers: + - name: container01 + image: nginx diff --git a/pod-security/restricted/disallow-capabilities-strict/e2e/chainsaw-test.yaml b/pod-security/restricted/disallow-capabilities-strict/e2e/chainsaw-test.yaml new file mode 100644 index 00000000..cb22dc47 --- /dev/null +++ b/pod-security/restricted/disallow-capabilities-strict/e2e/chainsaw-test.yaml @@ -0,0 +1,46 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + name: disallow-capabilities-strict-policy +spec: + steps: + - name: test-disallow-capabilities-strict + try: + - apply: + file: ../disallow-capabilities-strict.yaml + - assert: + file: policy-assert.yaml + - apply: + file: ../remediate-disallow-capabilities-strict.yaml + - assert: + file: remediation-policy-assert.yaml + - apply: + file: ../deployment.yaml + - sleep: + duration: 20s + - assert: + resource: + apiVersion: wgpolicyk8s.io/v1alpha2 + kind: PolicyReport + metadata: + name: cpol-disallow-capabilities-strict + summary: + error: 0 + fail: 0 + - delete: + ref: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: remediate-capabilities-strict + - script: + content: | + sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../disallow-capabilities-strict.yaml | kubectl apply -f - + - assert: + file: enforce-policy-assert.yaml + - apply: + file: good-resource.yaml + - apply: + expect: + - check: + ($error != null): true + file: bad-resource.yaml diff --git a/pod-security/restricted/disallow-capabilities-strict/e2e/enforce-policy-assert.yaml b/pod-security/restricted/disallow-capabilities-strict/e2e/enforce-policy-assert.yaml new file mode 100644 index 00000000..c0d4298b --- /dev/null +++ b/pod-security/restricted/disallow-capabilities-strict/e2e/enforce-policy-assert.yaml 
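Review bot: Every document in the `adding-capabilities-strict` section (from `addcap-badpod01` through `addcap-badcronjob10`) sets `capabilities.add` without also setting `drop: [ALL]`, so each of them is already rejected by the `require-drop-all` rule and the fixture never shows `adding-capabilities-strict` firing on its own; a regression that disabled the add check would go unnoticed. Give those containers a compliant drop list next to the forbidden add, e.g. `capabilities:` / `drop: [ALL]` / `add: [CHOWN]`, so the added capability is the only violation left, and do the same in the Deployment and CronJob variants of that section. The `require-drop-all` cases above are fine as written, since the missing `drop: [ALL]` is exactly what they are meant to exercise.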
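Review bot: The PolicyReport assertion after the 20s sleep only pins `fail: 0` and `error: 0`, which a report with no evaluated results also satisfies, so it does not prove that the remediated Deployment was actually scanned and passed; add the expected pass count to the summary, e.g. `pass: 1` (adjusted to however many rule results the policy produces for one Deployment), so an empty or stale report fails the step. A fixed `sleep` is also a flakiness source; chainsaw's `assert` already polls up to its timeout, so the sleep can likely be dropped or shortened once `pass` is asserted. Separately, the `expect` on `bad-resource.yaml` is attached to one apply of a multi-document file; if the check is evaluated once per file rather than per resource, a single rejected manifest would mask others slipping through, so confirm chainsaw evaluates it per resource or split the fixture.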
@@ -0,0 +1,11 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: disallow-capabilities-strict +spec: + validationFailureAction: Enforce +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready \ No newline at end of file diff --git a/pod-security/restricted/disallow-capabilities-strict/e2e/good-resource.yaml b/pod-security/restricted/disallow-capabilities-strict/e2e/good-resource.yaml new file mode 100644 index 00000000..4c75887f --- /dev/null +++ b/pod-security/restricted/disallow-capabilities-strict/e2e/good-resource.yaml 
@@ -0,0 +1,434 @@ +############################ +## Rule: require-drop-all ## +############################ +###### Pods - Good +apiVersion: v1 +kind: Pod +metadata: + name: goodpod01 +spec: + containers: + - name: container01 + image: nginx + securityContext: + capabilities: + drop: + - ALL +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod02 +spec: + containers: + - name: container01 + image: nginx + securityContext: + capabilities: + drop: + - NET_RAW + - ALL +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod03 +spec: + containers: + - name: container01 + image: nginx + securityContext: + capabilities: + drop: + - ALL + - name: container02 + image: nginx + securityContext: + capabilities: + drop: + - ALL +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod04 +spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + capabilities: + drop: + - ALL + containers: + - name: container01 + image: nginx + securityContext: + capabilities: + drop: + - ALL +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod05 +spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + capabilities: + drop: + - NET_RAW + - ALL + containers: + - name: container01 + image: nginx + securityContext: + capabilities: + drop: + - ALL +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod06 +spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + capabilities: + drop: + - ALL + - name: initcontainer02 + image: nginx + securityContext: + capabilities: + drop: + - ALL + containers: + - name: container01 + image: nginx + securityContext: + capabilities: + drop: + - ALL +--- +###### Deployments - Good +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment01 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + securityContext: + capabilities: + drop: + - ALL 
+--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment02 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + securityContext: + capabilities: + drop: + - NET_RAW + - ALL +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment03 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + securityContext: + capabilities: + drop: + - ALL + - name: container02 + image: nginx + securityContext: + capabilities: + drop: + - ALL +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment04 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + capabilities: + drop: + - ALL + containers: + - name: container01 + image: nginx + securityContext: + capabilities: + drop: + - ALL +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment05 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + capabilities: + drop: + - NET_RAW + - ALL + containers: + - name: container01 + image: nginx + securityContext: + capabilities: + drop: + - ALL +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment06 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + capabilities: + drop: + - ALL + - name: initcontainer02 + image: nginx + securityContext: + capabilities: + drop: + - ALL + containers: + - name: container01 + image: nginx + securityContext: + capabilities: + drop: + - 
ALL +--- +###### CronJobs - Good +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob01 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + securityContext: + capabilities: + drop: + - ALL +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob02 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + securityContext: + capabilities: + drop: + - NET_RAW + - ALL +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob03 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + securityContext: + capabilities: + drop: + - ALL + - name: container02 + image: nginx + securityContext: + capabilities: + drop: + - ALL +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob04 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + capabilities: + drop: + - ALL + containers: + - name: container01 + image: nginx + securityContext: + capabilities: + drop: + - ALL +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob05 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + capabilities: + drop: + - NET_RAW + - ALL + containers: + - name: container01 + image: nginx + securityContext: + capabilities: + drop: + - ALL +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob06 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: nginx + 
securityContext: + capabilities: + drop: + - ALL + - name: initcontainer02 + image: nginx + securityContext: + capabilities: + drop: + - ALL + containers: + - name: container01 + image: nginx + securityContext: + capabilities: + drop: + - ALL diff --git a/pod-security/restricted/disallow-capabilities-strict/e2e/policy-assert.yaml b/pod-security/restricted/disallow-capabilities-strict/e2e/policy-assert.yaml new file mode 100644 index 00000000..3961c5da --- /dev/null +++ b/pod-security/restricted/disallow-capabilities-strict/e2e/policy-assert.yaml @@ -0,0 +1,11 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: disallow-capabilities-strict +spec: + validationFailureAction: audit +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready diff --git a/pod-security/restricted/disallow-capabilities-strict/e2e/remediation-policy-assert.yaml b/pod-security/restricted/disallow-capabilities-strict/e2e/remediation-policy-assert.yaml new file mode 100644 index 00000000..6ec61a32 --- /dev/null +++ b/pod-security/restricted/disallow-capabilities-strict/e2e/remediation-policy-assert.yaml @@ -0,0 +1,11 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: remediate-capabilities-strict +spec: + validationFailureAction: Audit +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready diff --git a/pod-security/restricted/disallow-privilege-escalation/e2e/bad-resource.yaml b/pod-security/restricted/disallow-privilege-escalation/e2e/bad-resource.yaml new file mode 100644 index 00000000..81585785 --- /dev/null +++ b/pod-security/restricted/disallow-privilege-escalation/e2e/bad-resource.yaml 
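Review bot: The good fixture only covers the `require-drop-all` rule; no document drops `ALL` and adds `NET_BIND_SERVICE`, which the bad fixture treats as the one permitted add, so the test never confirms that the policy accepts the allowed exception and a false-positive regression in `adding-capabilities-strict` would pass unnoticed. Add a `## Rule: adding-capabilities-strict ##` section with at least one Pod, Deployment and CronJob (including an initContainer variant) whose containers set `capabilities:` / `drop: [ALL]` / `add: [NET_BIND_SERVICE]`. These are applied as real workloads during the Enforce step, so keep them to the single-replica nginx shape the existing entries use.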
@@ -0,0 +1,333 @@ +###### Pods - Bad +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod01 +spec: + containers: + - name: container01 + image: nginx +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod02 +spec: + containers: + - name: container01 + image: nginx + securityContext: + allowPrivilegeEscalation: true +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod03 +spec: + containers: + - name: container01 + image: nginx + - name: container02 + image: nginx + securityContext: + allowPrivilegeEscalation: false +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod04 +spec: + containers: + - name: container01 + image: nginx + securityContext: + allowPrivilegeEscalation: true + - name: container02 + image: nginx + securityContext: + allowPrivilegeEscalation: false +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod05 +spec: + initContainers: + - name: initcontainer01 + image: nginx + containers: + - name: container01 + image: nginx + securityContext: + allowPrivilegeEscalation: false +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod06 +spec: + initContainers: + - name: initcontainer01 + image: nginx + - name: initcontainer02 + image: nginx + securityContext: + allowPrivilegeEscalation: true + containers: + - name: container01 + image: nginx + securityContext: + allowPrivilegeEscalation: false +--- +###### Deployments - Bad +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment01 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment02 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + securityContext: + allowPrivilegeEscalation: true +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment03 +spec: + 
replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + - name: container02 + image: nginx + securityContext: + allowPrivilegeEscalation: false +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment04 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + securityContext: + allowPrivilegeEscalation: true + - name: container02 + image: nginx + securityContext: + allowPrivilegeEscalation: false +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment05 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: nginx + containers: + - name: container01 + image: nginx + securityContext: + allowPrivilegeEscalation: false +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment06 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: nginx + - name: initcontainer02 + image: nginx + securityContext: + allowPrivilegeEscalation: true + containers: + - name: container01 + image: nginx + securityContext: + allowPrivilegeEscalation: false +--- +###### CronJobs - Bad +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob01 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob02 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + securityContext: + allowPrivilegeEscalation: true +--- +apiVersion: batch/v1 +kind: 
CronJob +metadata: + name: badcronjob03 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + - name: container02 + image: nginx + securityContext: + allowPrivilegeEscalation: false +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob04 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + securityContext: + allowPrivilegeEscalation: true + - name: container02 + image: nginx + securityContext: + allowPrivilegeEscalation: false +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob05 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: nginx + containers: + - name: container01 + image: nginx + securityContext: + allowPrivilegeEscalation: false +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob06 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: nginx + - name: initcontainer02 + image: nginx + securityContext: + allowPrivilegeEscalation: true + containers: + - name: container01 + image: nginx + securityContext: + allowPrivilegeEscalation: false diff --git a/pod-security/restricted/disallow-privilege-escalation/e2e/chainsaw-test.yaml b/pod-security/restricted/disallow-privilege-escalation/e2e/chainsaw-test.yaml new file mode 100644 index 00000000..703dcc9f --- /dev/null +++ b/pod-security/restricted/disallow-privilege-escalation/e2e/chainsaw-test.yaml 
@@ -0,0 +1,46 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ name: disallow-privilege-escalation-policy
+spec:
+ steps:
+ - name: test-disallow-privilege-escalation
+ try:
+ - apply:
+ file: ../disallow-privilege-escalation.yaml
+ - assert:
+ file: policy-assert.yaml
+ - apply:
+ file: ../remediate-disallow-privilege-escalation.yaml
+ - assert:
+ file: remediation-policy-assert.yaml
+ - apply:
+ file: ../deployment.yaml
+ - sleep:
+ duration: 20s
+ - assert:
+ resource:
+ apiVersion: wgpolicyk8s.io/v1alpha2
+ kind: PolicyReport
+ metadata:
+ name: cpol-disallow-privilege-escalation
+ summary:
+ error: 0
+ fail: 0
+ - delete:
+ ref:
+ apiVersion: kyverno.io/v1
+ kind: ClusterPolicy
+ name: remediate-disallow-privilege-escalation
+ - script:
+ content: |
+ sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../disallow-privilege-escalation.yaml | kubectl apply -f -
+ - assert:
+ file: enforce-policy-assert.yaml
+ - apply:
+ file: good-resource.yaml
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: bad-resource.yaml
diff --git a/pod-security/restricted/disallow-privilege-escalation/e2e/enforce-policy-assert.yaml b/pod-security/restricted/disallow-privilege-escalation/e2e/enforce-policy-assert.yaml
new file mode 100644
index 00000000..cda2b356
--- /dev/null
+++ b/pod-security/restricted/disallow-privilege-escalation/e2e/enforce-policy-assert.yaml
@@ -0,0 +1,11 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: disallow-privilege-escalation
+spec:
+ validationFailureAction: Enforce
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
\ No newline at end of file
diff --git a/pod-security/restricted/disallow-privilege-escalation/e2e/good-resource.yaml b/pod-security/restricted/disallow-privilege-escalation/e2e/good-resource.yaml
new file mode 100644
index 00000000..d0c323a9
--- /dev/null
+++ b/pod-security/restricted/disallow-privilege-escalation/e2e/good-resource.yaml
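Review bot: The `sleep: duration: 20s` in front of the PolicyReport assert is a fixed delay on top of an operation that already polls — Chainsaw's `assert` retries until the step timeout — so it adds 20s to every run without making the check more robust; if report generation takes longer than 20s the test is still flaky, whereas a longer assert timeout adapts to the cluster. The assert itself only pins `error: 0` and `fail: 0`, which an empty or not-yet-populated summary also satisfies, so it does not prove the remediated `../deployment.yaml` was evaluated as passing; pinning a non-zero `pass` count in `summary` (whatever number the deployment's rules produce) would. The Enforce switch via `sed … | kubectl apply -f -` sits outside Chainsaw's declarative operations, but it is guarded by the following assert on `enforce-policy-assert.yaml`, so that is acceptable; the require-run-as-non-root-user test below uses the same pattern. As a nit, enforce-policy-assert.yaml here and its require-run-as-non-root-user counterpart are committed without a trailing newline.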
@@ -0,0 +1,335 @@ +###### Pods - Good +apiVersion: v1 +kind: Pod +metadata: + name: goodpod01 +spec: + containers: + - name: container01 + image: nginx + securityContext: + allowPrivilegeEscalation: false +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod02 +spec: + containers: + - name: container01 + image: nginx + securityContext: + allowPrivilegeEscalation: false + - name: container02 + image: nginx + securityContext: + allowPrivilegeEscalation: false +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod03 +spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + allowPrivilegeEscalation: false + containers: + - name: container01 + image: nginx + securityContext: + allowPrivilegeEscalation: false +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod04 +spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + allowPrivilegeEscalation: false + - name: initcontainer02 + image: nginx + securityContext: + allowPrivilegeEscalation: false + containers: + - name: container01 + image: nginx + securityContext: + allowPrivilegeEscalation: false +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod05 +spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + allowPrivilegeEscalation: false + - name: initcontainer02 + image: nginx + securityContext: + allowPrivilegeEscalation: false + containers: + - name: container01 + image: nginx + securityContext: + allowPrivilegeEscalation: false + - name: container02 + image: nginx + securityContext: + allowPrivilegeEscalation: false +--- +###### Deployments - Good +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment01 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + securityContext: + allowPrivilegeEscalation: false +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment02 
+spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + securityContext: + allowPrivilegeEscalation: false + - name: container02 + image: nginx + securityContext: + allowPrivilegeEscalation: false +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment03 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + allowPrivilegeEscalation: false + containers: + - name: container01 + image: nginx + securityContext: + allowPrivilegeEscalation: false +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment04 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + allowPrivilegeEscalation: false + - name: initcontainer02 + image: nginx + securityContext: + allowPrivilegeEscalation: false + containers: + - name: container01 + image: nginx + securityContext: + allowPrivilegeEscalation: false +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment05 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + allowPrivilegeEscalation: false + - name: initcontainer02 + image: nginx + securityContext: + allowPrivilegeEscalation: false + containers: + - name: container01 + image: nginx + securityContext: + allowPrivilegeEscalation: false + - name: container02 + image: nginx + securityContext: + allowPrivilegeEscalation: false +--- +###### CronJobs - Good +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob01 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: 
OnFailure + containers: + - name: container01 + image: nginx + securityContext: + allowPrivilegeEscalation: false +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob02 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + securityContext: + allowPrivilegeEscalation: false + - name: container02 + image: nginx + securityContext: + allowPrivilegeEscalation: false +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob03 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + allowPrivilegeEscalation: false + containers: + - name: container01 + image: nginx + securityContext: + allowPrivilegeEscalation: false +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob04 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + allowPrivilegeEscalation: false + - name: initcontainer02 + image: nginx + securityContext: + allowPrivilegeEscalation: false + containers: + - name: container01 + image: nginx + securityContext: + allowPrivilegeEscalation: false +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob05 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + allowPrivilegeEscalation: false + - name: initcontainer02 + image: nginx + securityContext: + allowPrivilegeEscalation: false + containers: + - name: container01 + image: nginx + securityContext: + allowPrivilegeEscalation: false + - name: container02 + image: nginx + securityContext: + allowPrivilegeEscalation: false 
diff --git a/pod-security/restricted/disallow-privilege-escalation/e2e/policy-assert.yaml b/pod-security/restricted/disallow-privilege-escalation/e2e/policy-assert.yaml
new file mode 100644
index 00000000..7cb4bd0c
--- /dev/null
+++ b/pod-security/restricted/disallow-privilege-escalation/e2e/policy-assert.yaml
@@ -0,0 +1,11 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: disallow-privilege-escalation
+spec:
+ validationFailureAction: audit
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/pod-security/restricted/disallow-privilege-escalation/e2e/remediation-policy-assert.yaml b/pod-security/restricted/disallow-privilege-escalation/e2e/remediation-policy-assert.yaml
new file mode 100644
index 00000000..0a708da1
--- /dev/null
+++ b/pod-security/restricted/disallow-privilege-escalation/e2e/remediation-policy-assert.yaml
@@ -0,0 +1,11 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: remediate-disallow-privilege-escalation
+spec:
+ validationFailureAction: Audit
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/pod-security/restricted/require-run-as-non-root-user/e2e/bad-resource.yaml b/pod-security/restricted/require-run-as-non-root-user/e2e/bad-resource.yaml
new file mode 100644
index 00000000..cc984731
--- /dev/null
+++ b/pod-security/restricted/require-run-as-non-root-user/e2e/bad-resource.yaml
@@ -0,0 +1,330 @@ +###### Pods - Bad +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod01 +spec: + containers: + - name: container01 + image: nginx + securityContext: + runAsUser: 0 +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod02 +spec: + containers: + - name: container01 + image: nginx + securityContext: + runAsUser: 0 +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod03 +spec: + containers: + - name: container01 + image: nginx + - name: container02 + image: nginx + securityContext: + runAsUser: 0 +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod04 +spec: + initContainers: + - name: initcontainer01 + image: nginx + containers: + - name: container01 + image: nginx + securityContext: + runAsUser: 0 +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod05 +spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + runAsUser: 0 + containers: + - name: container01 + image: nginx +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod06 +spec: + initContainers: + - name: initcontainer01 + image: nginx + - name: initcontainer02 + image: nginx + securityContext: + runAsUser: 0 + containers: + - name: container01 + image: nginx +--- +###### Deployments - Bad +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment01 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + securityContext: + runAsUser: 0 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment02 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + securityContext: + runAsUser: 0 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment03 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: 
container01 + image: nginx + - name: container02 + image: nginx + securityContext: + runAsUser: 0 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment04 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: nginx + containers: + - name: container01 + image: nginx + securityContext: + runAsUser: 0 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment05 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + runAsUser: 0 + containers: + - name: container01 + image: nginx +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment06 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: nginx + - name: initcontainer02 + image: nginx + securityContext: + runAsUser: 0 + containers: + - name: container01 + image: nginx +--- +###### CronJobs - Bad +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob01 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + securityContext: + runAsUser: 0 +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob02 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + securityContext: + runAsUser: 0 +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob03 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + - name: container02 + image: nginx + securityContext: + runAsUser: 0 +--- 
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+ name: badcronjob04
+spec:
+ schedule: "*/1 * * * *"
+ jobTemplate:
+ spec:
+ template:
+ spec:
+ restartPolicy: OnFailure
+ initContainers:
+ - name: initcontainer01
+ image: nginx
+ containers:
+ - name: container01
+ image: nginx
+ securityContext:
+ runAsUser: 0
+---
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+ name: badcronjob05
+spec:
+ schedule: "*/1 * * * *"
+ jobTemplate:
+ spec:
+ template:
+ spec:
+ restartPolicy: OnFailure
+ initContainers:
+ - name: initcontainer01
+ image: nginx
+ securityContext:
+ runAsUser: 0
+ containers:
+ - name: container01
+ image: nginx
+---
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+ name: badcronjob06
+spec:
+ schedule: "*/1 * * * *"
+ jobTemplate:
+ spec:
+ template:
+ spec:
+ restartPolicy: OnFailure
+ initContainers:
+ - name: initcontainer01
+ image: nginx
+ - name: initcontainer02
+ image: nginx
+ securityContext:
+ runAsUser: 0
+ containers:
+ - name: container01
+ image: nginx
diff --git a/pod-security/restricted/require-run-as-non-root-user/e2e/chainsaw-test.yaml b/pod-security/restricted/require-run-as-non-root-user/e2e/chainsaw-test.yaml
new file mode 100644
index 00000000..95bcefec
--- /dev/null
+++ b/pod-security/restricted/require-run-as-non-root-user/e2e/chainsaw-test.yaml
@@ -0,0 +1,24 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ name: require-run-as-non-root-user-policy
+spec:
+ steps:
+ - name: test-require-run-as-non-root-user
+ try:
+ - apply:
+ file: ../require-run-as-non-root-user.yaml
+ - assert:
+ file: policy-assert.yaml
+ - script:
+ content: |
+ sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../require-run-as-non-root-user.yaml | kubectl apply -f -
+ - assert:
+ file: enforce-policy-assert.yaml
+ - apply:
+ file: good-resource.yaml
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: bad-resource.yaml
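Review bot: `badpod01` and `badpod02` in this bad-resource fixture are identical apart from the name (one container with `runAsUser: 0`), and the duplication repeats for `baddeployment01`/`baddeployment02` and `badcronjob01`/`badcronjob02`, so three of the eighteen negative cases add no coverage. Since the good-resource fixture exercises a pod-level `securityContext.runAsUser` (goodpod06), the negative case that appears to be missing is root set only at the pod level — `spec.securityContext.runAsUser: 0` with no container-level field — which is exactly the shape a rule that inspects only container securityContexts would admit; turning the second copy of each pair into that case would close the gap. The good-resource fixture further down has the same pattern (`goodpod02`/`goodpod03`, `gooddeployment02`/`gooddeployment03`, `goodcronjob02`/`goodcronjob03`), where the second copy was presumably meant to be the pod-level `runAsUser: 1` variant.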
diff --git a/pod-security/restricted/require-run-as-non-root-user/e2e/enforce-policy-assert.yaml b/pod-security/restricted/require-run-as-non-root-user/e2e/enforce-policy-assert.yaml
new file mode 100644
index 00000000..d49a7b37
--- /dev/null
+++ b/pod-security/restricted/require-run-as-non-root-user/e2e/enforce-policy-assert.yaml
@@ -0,0 +1,11 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: require-run-as-non-root-user
+spec:
+ validationFailureAction: Enforce
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
\ No newline at end of file
diff --git a/pod-security/restricted/require-run-as-non-root-user/e2e/good-resource.yaml b/pod-security/restricted/require-run-as-non-root-user/e2e/good-resource.yaml
new file mode 100644
index 00000000..0a27353e
--- /dev/null
+++ b/pod-security/restricted/require-run-as-non-root-user/e2e/good-resource.yaml
@@ -0,0 +1,548 @@ +###### Pods - Good +apiVersion: v1 +kind: Pod +metadata: + name: goodpod01 +spec: + containers: + - name: container01 + image: nginx +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod02 +spec: + containers: + - name: container01 + image: nginx + securityContext: + runAsUser: 1 +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod03 +spec: + containers: + - name: container01 + image: nginx + securityContext: + runAsUser: 1 +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod04 +spec: + containers: + - name: container01 + image: nginx + - name: container02 + image: nginx + securityContext: + runAsUser: 1 +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod05 +spec: + containers: + - name: container01 + image: nginx + securityContext: + runAsUser: 1 + - name: container02 + image: nginx + securityContext: + runAsUser: 2 +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod06 +spec: + containers: + - name: container01 + image: nginx + securityContext: + runAsUser: 1 + - name: container02 + image: nginx + securityContext: + runAsUser: 2 + securityContext: + runAsUser: 10 +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod07 +spec: + initContainers: + - name: initcontainer01 + image: nginx + containers: + - name: container01 + image: nginx +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod08 +spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + runAsUser: 1 + containers: + - name: container01 + image: nginx +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod09 +spec: + initContainers: + - name: initcontainer01 + image: nginx + containers: + - name: container01 + image: nginx + securityContext: + runAsUser: 1 +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod10 +spec: + initContainers: + - name: initcontainer01 + image: nginx + - name: initcontainer02 + image: nginx + securityContext: + runAsUser: 1 + containers: + - name: container01 + image: nginx +--- +###### 
Deployments - Good +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment01 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment02 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + securityContext: + runAsUser: 1 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment03 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + securityContext: + runAsUser: 1 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment04 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + - name: container02 + image: nginx + securityContext: + runAsUser: 1 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment05 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + securityContext: + runAsUser: 1 + - name: container02 + image: nginx + securityContext: + runAsUser: 2 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment06 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + securityContext: + runAsUser: 1 + - name: container02 + image: nginx + securityContext: + runAsUser: 2 + securityContext: + runAsUser: 10 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment07 +spec: + replicas: 1 + selector: + matchLabels: + app: app + 
template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: nginx + containers: + - name: container01 + image: nginx +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment08 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + runAsUser: 1 + containers: + - name: container01 + image: nginx +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment09 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: nginx + containers: + - name: container01 + image: nginx + securityContext: + runAsUser: 1 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment10 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: nginx + - name: initcontainer02 + image: nginx + securityContext: + runAsUser: 1 + containers: + - name: container01 + image: nginx +--- +###### CronJobs - Good +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob01 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob02 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + securityContext: + runAsUser: 1 +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob03 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + securityContext: + runAsUser: 1 +--- 
+apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob04 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + - name: container02 + image: nginx + securityContext: + runAsUser: 1 +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob05 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + securityContext: + runAsUser: 1 + - name: container02 + image: nginx + securityContext: + runAsUser: 2 +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob06 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + securityContext: + runAsUser: 1 + - name: container02 + image: nginx + securityContext: + runAsUser: 2 + securityContext: + runAsUser: 10 +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob07 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: nginx + containers: + - name: container01 + image: nginx +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob08 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + runAsUser: 1 + containers: + - name: container01 + image: nginx +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob09 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: nginx + containers: + - name: container01 + image: nginx + securityContext: + runAsUser: 1 +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: 
goodcronjob10 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: nginx + - name: initcontainer02 + image: nginx + securityContext: + runAsUser: 1 + containers: + - name: container01 + image: nginx diff --git a/pod-security/restricted/require-run-as-non-root-user/e2e/policy-assert.yaml b/pod-security/restricted/require-run-as-non-root-user/e2e/policy-assert.yaml new file mode 100644 index 00000000..686fb660 --- /dev/null +++ b/pod-security/restricted/require-run-as-non-root-user/e2e/policy-assert.yaml @@ -0,0 +1,11 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: require-run-as-non-root-user +spec: + validationFailureAction: audit +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready diff --git a/pod-security/restricted/require-run-as-nonroot/e2e/bad-resource.yaml b/pod-security/restricted/require-run-as-nonroot/e2e/bad-resource.yaml new file mode 100644 index 00000000..6a270780 --- /dev/null +++ b/pod-security/restricted/require-run-as-nonroot/e2e/bad-resource.yaml 
@@ -0,0 +1,867 @@ +###### Pods - Bad +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod01 +spec: + containers: + - name: container01 + image: nginx +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod02 +spec: + containers: + - name: container01 + image: nginx + securityContext: + runAsNonRoot: false +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod03 +spec: + containers: + - name: container01 + image: nginx + securityContext: + runAsNonRoot: false +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod04 +spec: + containers: + - name: container01 + image: nginx + securityContext: + runAsNonRoot: false + securityContext: + runAsNonRoot: true +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod05 +spec: + containers: + - name: container01 + image: nginx + - name: container02 + image: nginx +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod06 +spec: + containers: + - name: container01 + image: nginx + - name: container02 + image: nginx + securityContext: + runAsNonRoot: false +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod07 +spec: + containers: + - name: container01 + image: nginx + - name: container02 + image: nginx + securityContext: + runAsNonRoot: false +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod08 +spec: + containers: + - name: container01 + image: nginx + - name: container02 + image: nginx + securityContext: + runAsNonRoot: false + securityContext: + runAsNonRoot: true +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod09 +spec: + containers: + - name: container01 + image: nginx + securityContext: + runAsNonRoot: true + - name: container02 + image: nginx + securityContext: + runAsNonRoot: false + securityContext: + runAsNonRoot: true +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod10 +spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + runAsNonRoot: false + containers: + - name: container01 + image: nginx + securityContext: + runAsNonRoot: true +--- 
+apiVersion: v1 +kind: Pod +metadata: + name: badpod11 +spec: + initContainers: + - name: initcontainer01 + image: nginx + containers: + - name: container01 + image: nginx + securityContext: + runAsNonRoot: true + securityContext: + runAsNonRoot: false +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod12 +spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + runAsNonRoot: false + containers: + - name: container01 + image: nginx + securityContext: + runAsNonRoot: true + securityContext: + runAsNonRoot: true +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod13 +spec: + initContainers: + - name: initcontainer01 + image: nginx + - name: initcontainer02 + image: nginx + containers: + - name: container01 + image: nginx + securityContext: + runAsNonRoot: true +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod14 +spec: + initContainers: + - name: initcontainer01 + image: nginx + - name: initcontainer02 + image: nginx + securityContext: + runAsNonRoot: false + containers: + - name: container01 + image: nginx + securityContext: + runAsNonRoot: true +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod15 +spec: + initContainers: + - name: initcontainer01 + image: nginx + - name: initcontainer02 + image: nginx + containers: + - name: container01 + image: nginx + securityContext: + runAsNonRoot: false +--- +###### Deployments - Bad +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment01 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment02 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + securityContext: + runAsNonRoot: false +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment03 
+spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + securityContext: + runAsNonRoot: false +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment04 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + securityContext: + runAsNonRoot: false + securityContext: + runAsNonRoot: true +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment05 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + - name: container02 + image: nginx +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment06 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + - name: container02 + image: nginx + securityContext: + runAsNonRoot: false +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment07 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + - name: container02 + image: nginx + securityContext: + runAsNonRoot: false +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment08 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + - name: container02 + image: nginx + securityContext: + runAsNonRoot: false + securityContext: + runAsNonRoot: true +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment09 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + 
containers: + - name: container01 + image: nginx + securityContext: + runAsNonRoot: true + - name: container02 + image: nginx + securityContext: + runAsNonRoot: false + securityContext: + runAsNonRoot: true +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment10 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + runAsNonRoot: false + containers: + - name: container01 + image: nginx + securityContext: + runAsNonRoot: true +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment11 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: nginx + containers: + - name: container01 + image: nginx + securityContext: + runAsNonRoot: true + securityContext: + runAsNonRoot: false +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment12 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + runAsNonRoot: false + containers: + - name: container01 + image: nginx + securityContext: + runAsNonRoot: true + securityContext: + runAsNonRoot: true +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment13 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: nginx + - name: initcontainer02 + image: nginx + containers: + - name: container01 + image: nginx + securityContext: + runAsNonRoot: true +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment14 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: 
initcontainer01 + image: nginx + - name: initcontainer02 + image: nginx + securityContext: + runAsNonRoot: false + containers: + - name: container01 + image: nginx + securityContext: + runAsNonRoot: true +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment15 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: nginx + - name: initcontainer02 + image: nginx + containers: + - name: container01 + image: nginx + securityContext: + runAsNonRoot: false +--- +###### CronJobs - Bad +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob01 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob02 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + securityContext: + runAsNonRoot: false +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob03 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + securityContext: + runAsNonRoot: false +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob04 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + securityContext: + runAsNonRoot: false + securityContext: + runAsNonRoot: true +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob05 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + - name: container02 + image: nginx +--- +apiVersion: batch/v1 +kind: CronJob 
+metadata: + name: badcronjob06 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + - name: container02 + image: nginx + securityContext: + runAsNonRoot: false +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob07 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + - name: container02 + image: nginx + securityContext: + runAsNonRoot: false +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob08 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + - name: container02 + image: nginx + securityContext: + runAsNonRoot: false + securityContext: + runAsNonRoot: true +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob09 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + securityContext: + runAsNonRoot: true + - name: container02 + image: nginx + securityContext: + runAsNonRoot: false + securityContext: + runAsNonRoot: true +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob10 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + runAsNonRoot: false + containers: + - name: container01 + image: nginx + securityContext: + runAsNonRoot: true +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob11 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: nginx + containers: + - name: container01 + image: nginx + securityContext: + runAsNonRoot: true + 
securityContext: + runAsNonRoot: false +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob12 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + runAsNonRoot: false + containers: + - name: container01 + image: nginx + securityContext: + runAsNonRoot: true + securityContext: + runAsNonRoot: true +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob13 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: nginx + - name: initcontainer02 + image: nginx + containers: + - name: container01 + image: nginx + securityContext: + runAsNonRoot: true +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob14 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: nginx + - name: initcontainer02 + image: nginx + securityContext: + runAsNonRoot: false + containers: + - name: container01 + image: nginx + securityContext: + runAsNonRoot: true +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob15 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: nginx + - name: initcontainer02 + image: nginx + containers: + - name: container01 + image: nginx + securityContext: + runAsNonRoot: false diff --git a/pod-security/restricted/require-run-as-nonroot/e2e/chainsaw-test.yaml b/pod-security/restricted/require-run-as-nonroot/e2e/chainsaw-test.yaml new file mode 100644 index 00000000..45755c90 --- /dev/null +++ b/pod-security/restricted/require-run-as-nonroot/e2e/chainsaw-test.yaml 
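Review bot: Only Pod, Deployment and CronJob get negative fixtures here; if `require-run-as-nonroot` depends on Kyverno's autogenerated controller rules for the other kinds (DaemonSet, StatefulSet, Job, ReplicaSet), those rule paths are never exercised, and a copy of badpod01's bare container under `kind: Job` and `kind: DaemonSet` would close that gap cheaply. badpod02 and badpod03 (and the 02/03 pairs for Deployment and CronJob) read identically once indentation is lost in this view, so I assume one sets `runAsNonRoot: false` at pod level and the other on the container; a one-line comment on each such as `# pod-level false, container inherits it` would keep the matrix self-explanatory for the next person extending it. Every document in this file must be denied for the test step to pass, so a fixture that is rejected for an unrelated schema reason would still count as a policy denial — worth keeping these manifests minimal and valid, as they currently are.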
@@ -0,0 +1,46 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ name: require-run-as-nonroot-policy
+spec:
+ steps:
+ - name: test-require-run-as-nonroot
+ try:
+ - apply:
+ file: ../require-run-as-nonroot.yaml
+ - assert:
+ file: policy-assert.yaml
+ - apply:
+ file: ../remediate-require-run-as-nonroot.yaml
+ - assert:
+ file: remediation-policy-assert.yaml
+ - apply:
+ file: ../deployment.yaml
+ - sleep:
+ duration: 20s
+ - assert:
+ resource:
+ apiVersion: wgpolicyk8s.io/v1alpha2
+ kind: PolicyReport
+ metadata:
+ name: cpol-require-run-as-nonroot
+ summary:
+ error: 0
+ fail: 0
+ - delete:
+ ref:
+ apiVersion: kyverno.io/v1
+ kind: ClusterPolicy
+ name: remediate-require-run-as-nonroot
+ - script:
+ content: |
+ sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../require-run-as-nonroot.yaml | kubectl apply -f -
+ - assert:
+ file: enforce-policy-assert.yaml
+ - apply:
+ file: good-resource.yaml
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: bad-resource.yaml
diff --git a/best-practices/require_drop_all/e2e/03-enforce-policy-assert.yaml b/pod-security/restricted/require-run-as-nonroot/e2e/enforce-policy-assert.yaml
similarity index 60%
rename from best-practices/require_drop_all/e2e/03-enforce-policy-assert.yaml
rename to pod-security/restricted/require-run-as-nonroot/e2e/enforce-policy-assert.yaml
index 3b6cdb07..871322e8 100644
--- a/best-practices/require_drop_all/e2e/03-enforce-policy-assert.yaml
+++ b/pod-security/restricted/require-run-as-nonroot/e2e/enforce-policy-assert.yaml
@@ -1,11 +1,11 @@
 apiVersion: kyverno.io/v1
 kind: ClusterPolicy
 metadata:
- name: drop-all-capabilities
+ name: require-run-as-nonroot
 spec:
- validationFailureAction: enforce
+ validationFailureAction: Enforce
 status:
 conditions:
 - reason: Succeeded
 status: "True"
- type: Ready
+ type: Ready
\ No newline at end of file
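Review bot: The PolicyReport assertion after the 20s sleep pins only `error: 0` and `fail: 0`, which an empty report — or one Kyverno never generated for `../deployment.yaml` — also satisfies, so the remediation phase passes vacuously; pin the positive side as well, e.g. `pass: 1` if deployment.yaml holds a single resource, or assert on the per-resource `results[]` entry. The last step's `($error != null): true` accepts any apply failure, including a schema-invalid manifest, rather than a denial by this policy; a check on the error text such as `(contains($error, 'require-run-as-nonroot')): true` would make the negative cases prove the right thing. The fixed `sleep` can probably go, since chainsaw's `assert` retries until its timeout as far as I know, and that would also remove the flake window when report generation takes longer than 20s. The `sed | kubectl apply` switch to Enforce is case-sensitive on `validationFailureAction: audit`; the following enforce assert does catch a silent no-op, but a chainsaw `patch` operation setting the field would be explicit and keep the step inside chainsaw's resource tracking.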
diff --git a/pod-security/restricted/require-run-as-nonroot/e2e/good-resource.yaml b/pod-security/restricted/require-run-as-nonroot/e2e/good-resource.yaml
new file mode 100644
index 00000000..1714f597
--- /dev/null
+++ b/pod-security/restricted/require-run-as-nonroot/e2e/good-resource.yaml
@@ -0,0 +1,593 @@ +###### Pods - Good +apiVersion: v1 +kind: Pod +metadata: + name: goodpod01 +spec: + containers: + - name: container01 + image: nginx + securityContext: + runAsNonRoot: true +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod02 +spec: + containers: + - name: container01 + image: nginx + securityContext: + runAsNonRoot: true +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod03 +spec: + containers: + - name: container01 + image: nginx + securityContext: + runAsNonRoot: true + securityContext: + runAsNonRoot: true +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod04 +spec: + containers: + - name: container01 + image: nginx + - name: container02 + image: nginx + securityContext: + runAsNonRoot: true +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod05 +spec: + containers: + - name: container01 + image: nginx + - name: container02 + image: nginx + securityContext: + runAsNonRoot: true + securityContext: + runAsNonRoot: true +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod06 +spec: + initContainers: + - name: initcontainer01 + image: nginx + containers: + - name: container01 + image: nginx + securityContext: + runAsNonRoot: true +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod07 +spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + runAsNonRoot: true + containers: + - name: container01 + image: nginx + securityContext: + runAsNonRoot: true +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod08 +spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + runAsNonRoot: true + containers: + - name: container01 + image: nginx + securityContext: + runAsNonRoot: true +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod09 +spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + runAsNonRoot: true + - name: initcontainer02 + image: nginx + containers: + - name: container01 + image: nginx + securityContext: + 
runAsNonRoot: true +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod10 +spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + runAsNonRoot: true + - name: initcontainer02 + image: nginx + securityContext: + runAsNonRoot: true + containers: + - name: container01 + image: nginx + securityContext: + runAsNonRoot: true +--- +###### Deployments - Good +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment01 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + securityContext: + runAsNonRoot: true +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment02 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + securityContext: + runAsNonRoot: true +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment03 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + securityContext: + runAsNonRoot: true + securityContext: + runAsNonRoot: true +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment04 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + - name: container02 + image: nginx + securityContext: + runAsNonRoot: true +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment05 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + - name: container02 + image: nginx + securityContext: + runAsNonRoot: true + securityContext: + runAsNonRoot: true +--- +apiVersion: apps/v1 +kind: Deployment 
+metadata: + name: gooddeployment06 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: nginx + containers: + - name: container01 + image: nginx + securityContext: + runAsNonRoot: true +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment07 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + runAsNonRoot: true + containers: + - name: container01 + image: nginx + securityContext: + runAsNonRoot: true +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment08 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + runAsNonRoot: true + containers: + - name: container01 + image: nginx + securityContext: + runAsNonRoot: true +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment09 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + runAsNonRoot: true + - name: initcontainer02 + image: nginx + containers: + - name: container01 + image: nginx + securityContext: + runAsNonRoot: true +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment10 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + runAsNonRoot: true + - name: initcontainer02 + image: nginx + securityContext: + runAsNonRoot: true + containers: + - name: container01 + image: nginx + securityContext: + runAsNonRoot: true +--- +###### CronJobs - Good +apiVersion: batch/v1 
+kind: CronJob +metadata: + name: goodcronjob01 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + securityContext: + runAsNonRoot: true +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob02 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + securityContext: + runAsNonRoot: true +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob03 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + securityContext: + runAsNonRoot: true + securityContext: + runAsNonRoot: true +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob04 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + - name: container02 + image: nginx + securityContext: + runAsNonRoot: true +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob05 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + - name: container02 + image: nginx + securityContext: + runAsNonRoot: true + securityContext: + runAsNonRoot: true +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob06 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: nginx + containers: + - name: container01 + image: nginx + securityContext: + runAsNonRoot: true +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob07 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - 
name: initcontainer01 + image: nginx + securityContext: + runAsNonRoot: true + containers: + - name: container01 + image: nginx + securityContext: + runAsNonRoot: true +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob08 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + runAsNonRoot: true + containers: + - name: container01 + image: nginx + securityContext: + runAsNonRoot: true +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob09 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + runAsNonRoot: true + - name: initcontainer02 + image: nginx + containers: + - name: container01 + image: nginx + securityContext: + runAsNonRoot: true +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob10 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + runAsNonRoot: true + - name: initcontainer02 + image: nginx + securityContext: + runAsNonRoot: true + containers: + - name: container01 + image: nginx + securityContext: + runAsNonRoot: true diff --git a/pod-security/restricted/require-run-as-nonroot/e2e/policy-assert.yaml b/pod-security/restricted/require-run-as-nonroot/e2e/policy-assert.yaml new file mode 100644 index 00000000..695d5227 --- /dev/null +++ b/pod-security/restricted/require-run-as-nonroot/e2e/policy-assert.yaml @@ -0,0 +1,11 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: require-run-as-nonroot +spec: + validationFailureAction: audit +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready 
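Review bot: Every positive fixture sets `runAsNonRoot: true` on the stock `nginx` image, which as far as I know starts as root, so these resources are admitted but the kubelet will refuse to start their containers (CreateContainerConfigError); that is fine while the test only checks that `apply` succeeds, but any future step that waits for a Pod to be Ready or a Deployment to be Available will hang on them. A header comment such as `# admission-only fixtures: nginx runs as root, so these pods are not expected to start` would stop someone from adding such a wait, or the image could be swapped for one built to run unprivileged. goodpod01/goodpod02 and goodpod06 read the same once indentation is lost in this view, so I assume the difference is pod-level versus container-level `securityContext`; a one-line comment on each naming which level is set would make the matrix self-explanatory.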
diff --git a/best-practices/disallow_cri_sock_mount/e2e/03-enforce-policy-assert.yaml b/pod-security/restricted/require-run-as-nonroot/e2e/remediation-policy-assert.yaml
similarity index 65%
rename from best-practices/disallow_cri_sock_mount/e2e/03-enforce-policy-assert.yaml
rename to pod-security/restricted/require-run-as-nonroot/e2e/remediation-policy-assert.yaml
index c0c45ac9..46683013 100644
--- a/best-practices/disallow_cri_sock_mount/e2e/03-enforce-policy-assert.yaml
+++ b/pod-security/restricted/require-run-as-nonroot/e2e/remediation-policy-assert.yaml
@@ -1,9 +1,9 @@
 apiVersion: kyverno.io/v1
 kind: ClusterPolicy
 metadata:
- name: disallow-container-sock-mounts
+ name: remediate-require-run-as-nonroot
 spec:
- validationFailureAction: enforce
+ validationFailureAction: Audit
 status:
 conditions:
 - reason: Succeeded
diff --git a/pod-security/restricted/restrict-seccomp-strict/e2e/bad-resource.yaml b/pod-security/restricted/restrict-seccomp-strict/e2e/bad-resource.yaml
new file mode 100644
index 00000000..31a744d0
--- /dev/null
+++ b/pod-security/restricted/restrict-seccomp-strict/e2e/bad-resource.yaml
@@ -0,0 +1,429 @@ +###### Pods - Bad +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod01 +spec: + containers: + - name: container01 + image: nginx + securityContext: + seccompProfile: + type: Unconfined +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod02 +spec: + containers: + - name: container01 + image: nginx + securityContext: + seccompProfile: + type: Unconfined +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod03 +spec: + containers: + - name: container01 + image: nginx + - name: container02 + image: nginx + securityContext: + seccompProfile: + type: Unconfined +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod04 +spec: + containers: + - name: container01 + image: nginx + securityContext: + seccompProfile: + type: RuntimeDefault + - name: container02 + image: nginx + securityContext: + seccompProfile: + type: Unconfined +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod05 +spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + seccompProfile: + type: Unconfined + containers: + - name: container01 + image: nginx +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod06 +spec: + initContainers: + - name: initcontainer01 + image: nginx + - name: initcontainer02 + image: nginx + securityContext: + seccompProfile: + type: Unconfined + containers: + - name: container01 + image: nginx +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod07 +spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + seccompProfile: + type: RuntimeDefault + - name: initcontainer02 + image: nginx + securityContext: + seccompProfile: + type: Unconfined + containers: + - name: container01 + image: nginx +--- +###### Deployments - Bad +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment01 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + securityContext: + 
seccompProfile: + type: Unconfined +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment02 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + securityContext: + seccompProfile: + type: Unconfined +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment03 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + - name: container02 + image: nginx + securityContext: + seccompProfile: + type: Unconfined +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment04 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + securityContext: + seccompProfile: + type: RuntimeDefault + - name: container02 + image: nginx + securityContext: + seccompProfile: + type: Unconfined +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment05 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + seccompProfile: + type: Unconfined + containers: + - name: container01 + image: nginx +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment06 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: nginx + - name: initcontainer02 + image: nginx + securityContext: + seccompProfile: + type: Unconfined + containers: + - name: container01 + image: nginx +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment07 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: 
app + spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + seccompProfile: + type: RuntimeDefault + - name: initcontainer02 + image: nginx + securityContext: + seccompProfile: + type: Unconfined + containers: + - name: container01 + image: nginx +--- +###### CronJobs - Bad +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob01 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + securityContext: + seccompProfile: + type: Unconfined +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob02 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + securityContext: + seccompProfile: + type: Unconfined +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob03 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + - name: container02 + image: nginx + securityContext: + seccompProfile: + type: Unconfined +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob04 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + securityContext: + seccompProfile: + type: RuntimeDefault + - name: container02 + image: nginx + securityContext: + seccompProfile: + type: Unconfined +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob05 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + seccompProfile: + type: Unconfined + containers: + - name: container01 + image: nginx +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob06 +spec: + 
schedule: "*/1 * * * *"
+ jobTemplate:
+ spec:
+ template:
+ spec:
+ restartPolicy: OnFailure
+ initContainers:
+ - name: initcontainer01
+ image: nginx
+ - name: initcontainer02
+ image: nginx
+ securityContext:
+ seccompProfile:
+ type: Unconfined
+ containers:
+ - name: container01
+ image: nginx
+---
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+ name: badcronjob07
+spec:
+ schedule: "*/1 * * * *"
+ jobTemplate:
+ spec:
+ template:
+ spec:
+ restartPolicy: OnFailure
+ initContainers:
+ - name: initcontainer01
+ image: nginx
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
+ - name: initcontainer02
+ image: nginx
+ securityContext:
+ seccompProfile:
+ type: Unconfined
+ containers:
+ - name: container01
+ image: nginx
diff --git a/pod-security/restricted/restrict-seccomp-strict/e2e/chainsaw-test.yaml b/pod-security/restricted/restrict-seccomp-strict/e2e/chainsaw-test.yaml
new file mode 100644
index 00000000..b6142f8c
--- /dev/null
+++ b/pod-security/restricted/restrict-seccomp-strict/e2e/chainsaw-test.yaml
@@ -0,0 +1,24 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ name: restrict-seccomp-strict-policy
+spec:
+ steps:
+ - name: test-restrict-seccomp-strict
+ try:
+ - apply:
+ file: ../restrict-seccomp-strict.yaml
+ - assert:
+ file: policy-assert.yaml
+ - script:
+ content: |
+ sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../restrict-seccomp-strict.yaml | kubectl apply -f -
+ - assert:
+ file: enforce-policy-assert.yaml
+ - apply:
+ file: good-resource.yaml
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: bad-resource.yaml
diff --git a/pod-security/restricted/restrict-seccomp-strict/e2e/enforce-policy-assert.yaml b/pod-security/restricted/restrict-seccomp-strict/e2e/enforce-policy-assert.yaml
new file mode 100644
index 00000000..0983f7c8
--- /dev/null
+++ b/pod-security/restricted/restrict-seccomp-strict/e2e/enforce-policy-assert.yaml
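Review bot: Every negative case in this file reaches a violation only through an explicit `type: Unconfined`; there is no fixture where `seccompProfile` is simply absent on the pod and on every container, which is the common real-world miss and the case a policy that merely rejects `Unconfined` would let through. If `restrict-seccomp-strict` is meant to reject an unset profile, as the PSS restricted seccomp control does, a `badpod00` whose single container carries no `securityContext` at all (plus the Deployment and CronJob twins) pins that behavior. A `type: Localhost` entry with no `localhostProfile` would be a second cheap negative, assuming it is the policy rather than API validation that rejects it. As in the companion files, only Deployment and CronJob exercise the autogenerated controller rules.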
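Review bot: The negative step's `($error != null): true` passes on any apply failure, including a manifest that is schema-invalid, so it does not show that `restrict-seccomp-strict` was what denied the resource; a check on the error text such as `(contains($error, 'restrict-seccomp-strict')): true` would. The `sed ... | kubectl apply -f -` step depends on the policy file spelling `validationFailureAction: audit` in lower case; the enforce assert that follows does catch a silent no-op, but a chainsaw `patch` operation setting the field would be explicit, need no external kubectl, and keep the change inside chainsaw's resource tracking.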
@@ -0,0 +1,11 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: restrict-seccomp-strict +spec: + validationFailureAction: Enforce +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready \ No newline at end of file diff --git a/pod-security/restricted/restrict-seccomp-strict/e2e/good-resource.yaml b/pod-security/restricted/restrict-seccomp-strict/e2e/good-resource.yaml new file mode 100644 index 00000000..242c8a47 --- /dev/null +++ b/pod-security/restricted/restrict-seccomp-strict/e2e/good-resource.yaml 
@@ -0,0 +1,653 @@ +###### Pods - Good +apiVersion: v1 +kind: Pod +metadata: + name: goodpod01 +spec: + containers: + - name: container01 + image: nginx + securityContext: + seccompProfile: + type: RuntimeDefault +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod02 +spec: + containers: + - name: container01 + image: nginx + securityContext: + seccompProfile: + localhostProfile: operator/default/profile1.json + type: Localhost +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod03 +spec: + containers: + - name: container01 + image: nginx + securityContext: + seccompProfile: + type: RuntimeDefault +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod04 +spec: + containers: + - name: container01 + image: nginx + securityContext: + seccompProfile: + type: Localhost + localhostProfile: operator/default/profile1.json +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod05 +spec: + containers: + - name: container01 + image: nginx + - name: container02 + image: nginx + securityContext: + seccompProfile: + type: RuntimeDefault + securityContext: + seccompProfile: + type: Localhost + localhostProfile: operator/default/profile1.json +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod06 +spec: + containers: + - name: container01 + image: nginx + securityContext: + seccompProfile: + type: RuntimeDefault + - name: container02 + image: nginx + securityContext: + seccompProfile: + type: Localhost + localhostProfile: operator/default/profile1.json +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod07 +spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + seccompProfile: + type: RuntimeDefault + containers: + - name: container01 + image: nginx + securityContext: + seccompProfile: + type: RuntimeDefault +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod08 +spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + seccompProfile: + type: Localhost + localhostProfile: 
operator/default/profile1.json + containers: + - name: container01 + image: nginx + securityContext: + seccompProfile: + type: RuntimeDefault +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod09 +spec: + initContainers: + - name: initcontainer01 + image: nginx + - name: initcontainer02 + image: nginx + securityContext: + seccompProfile: + type: RuntimeDefault + containers: + - name: container01 + image: nginx + securityContext: + seccompProfile: + type: RuntimeDefault +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod10 +spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + seccompProfile: + type: Localhost + localhostProfile: operator/default/profile1.json + - name: initcontainer02 + image: nginx + securityContext: + seccompProfile: + type: RuntimeDefault + containers: + - name: container01 + image: nginx + securityContext: + seccompProfile: + type: RuntimeDefault +--- +###### Deployments - Good +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment01 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + securityContext: + seccompProfile: + type: RuntimeDefault +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment02 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + securityContext: + seccompProfile: + type: Localhost + localhostProfile: operator/default/profile1.json +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment03 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + securityContext: + seccompProfile: + type: RuntimeDefault +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment04 +spec: + 
replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + securityContext: + seccompProfile: + type: Localhost + localhostProfile: operator/default/profile1.json +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment05 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + - name: container02 + image: nginx + securityContext: + seccompProfile: + type: RuntimeDefault + securityContext: + seccompProfile: + type: Localhost + localhostProfile: operator/default/profile1.json +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment06 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + securityContext: + seccompProfile: + type: RuntimeDefault + - name: container02 + image: nginx + securityContext: + seccompProfile: + type: Localhost + localhostProfile: operator/default/profile1.json +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment07 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + seccompProfile: + type: RuntimeDefault + containers: + - name: container01 + image: nginx + securityContext: + seccompProfile: + type: RuntimeDefault +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment08 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + seccompProfile: + type: Localhost + localhostProfile: operator/default/profile1.json + containers: + - name: container01 + image: nginx + 
securityContext: + seccompProfile: + type: RuntimeDefault +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment09 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: nginx + - name: initcontainer02 + image: nginx + securityContext: + seccompProfile: + type: RuntimeDefault + containers: + - name: container01 + image: nginx + securityContext: + seccompProfile: + type: RuntimeDefault +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment10 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + seccompProfile: + type: Localhost + localhostProfile: operator/default/profile1.json + - name: initcontainer02 + image: nginx + securityContext: + seccompProfile: + type: RuntimeDefault + containers: + - name: container01 + image: nginx + securityContext: + seccompProfile: + type: RuntimeDefault +--- +###### CronJobs - Good +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob01 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + securityContext: + seccompProfile: + type: RuntimeDefault +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob02 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + securityContext: + seccompProfile: + type: Localhost + localhostProfile: operator/default/profile1.json +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob03 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + securityContext: + 
seccompProfile: + type: RuntimeDefault +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob04 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + securityContext: + seccompProfile: + type: Localhost + localhostProfile: operator/default/profile1.json +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob05 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + - name: container02 + image: nginx + securityContext: + seccompProfile: + type: RuntimeDefault + securityContext: + seccompProfile: + type: Localhost + localhostProfile: operator/default/profile1.json +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob06 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + securityContext: + seccompProfile: + type: RuntimeDefault + - name: container02 + image: nginx + securityContext: + seccompProfile: + type: Localhost + localhostProfile: operator/default/profile1.json +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob07 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + seccompProfile: + type: RuntimeDefault + containers: + - name: container01 + image: nginx + securityContext: + seccompProfile: + type: RuntimeDefault +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob08 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + seccompProfile: + type: Localhost + localhostProfile: operator/default/profile1.json + 
containers: + - name: container01 + image: nginx + securityContext: + seccompProfile: + type: RuntimeDefault +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob09 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: nginx + - name: initcontainer02 + image: nginx + securityContext: + seccompProfile: + type: RuntimeDefault + containers: + - name: container01 + image: nginx + securityContext: + seccompProfile: + type: RuntimeDefault +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob10 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + seccompProfile: + type: Localhost + localhostProfile: operator/default/profile1.json + - name: initcontainer02 + image: nginx + securityContext: + seccompProfile: + type: RuntimeDefault + containers: + - name: container01 + image: nginx + securityContext: + seccompProfile: + type: RuntimeDefault diff --git a/pod-security/restricted/restrict-seccomp-strict/e2e/policy-assert.yaml b/pod-security/restricted/restrict-seccomp-strict/e2e/policy-assert.yaml new file mode 100644 index 00000000..2d6f1765 --- /dev/null +++ b/pod-security/restricted/restrict-seccomp-strict/e2e/policy-assert.yaml @@ -0,0 +1,11 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: restrict-seccomp-strict +spec: + validationFailureAction: audit +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready diff --git a/pod-security/restricted/restrict-volume-types/e2e/bad-resource.yaml b/pod-security/restricted/restrict-volume-types/e2e/bad-resource.yaml new file mode 100644 index 00000000..9e689129 --- /dev/null +++ b/pod-security/restricted/restrict-volume-types/e2e/bad-resource.yaml 
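Review bot: `goodpod01` and `goodpod03` (and the matching 01/03 and 02/04 pairs of Deployments and CronJobs) read as the same manifest in this view — one `container01` with `seccompProfile.type: RuntimeDefault` or `Localhost`; if the intended difference is that the 03/04 variants set the profile at pod level so the container inherits it, that distinction rests entirely on indentation and is easy to lose in a later edit. A one-line comment above each pod-level case, e.g. `# pod-level seccompProfile; containers inherit it`, would make the covered branch of the policy explicit. `goodpod09`'s `initcontainer01` likewise carries no `securityContext` of its own, so that case only stays "good" if a pod-level profile is present; it deserves the same comment.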
@@ -0,0 +1,1320 @@ +###### Pods - Bad +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod01 +spec: + containers: + - name: container01 + image: nginx + volumeMounts: + - name: udev + mountPath: /data + volumes: + - name: udev + gcePersistentDisk: + pdName: gke-pv + fsType: ext4 +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod02 +spec: + containers: + - name: container01 + image: nginx + volumeMounts: + - name: udev + mountPath: /data + volumes: + - name: udev + awsElasticBlockStore: + volumeID: vol-f37a03aa + fsType: ext4 +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod03 +spec: + containers: + - name: container01 + image: nginx + volumeMounts: + - name: udev + mountPath: /data + volumes: + - name: udev + gitRepo: + repository: https://github.com/kyverno/kyverno +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod04 +spec: + containers: + - name: container01 + image: nginx + volumeMounts: + - name: udev + mountPath: /data + volumes: + - name: udev + nfs: + path: /data + server: 10.105.68.50 +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod05 +spec: + containers: + - name: container01 + image: nginx + volumeMounts: + - name: udev + mountPath: /data + volumes: + - name: udev + iscsi: + lun: 0 + iqn: iqn.1998-01.com.vmware:w1-hs3-n2503.eng.vmware.com:452738760:67 + targetPortal: 10.105.68.50:3260 +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod06 +spec: + containers: + - name: container01 + image: nginx + volumeMounts: + - name: udev + mountPath: /data + volumes: + - name: udev + glusterfs: + endpoints: test + path: /data +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod07 +spec: + containers: + - name: container01 + image: nginx + volumeMounts: + - name: udev + mountPath: /data + volumes: + - name: udev + rbd: + image: foo + monitors: + - foo +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod08 +spec: + containers: + - name: container01 + image: nginx + volumeMounts: + - name: udev + mountPath: /data + 
volumes: + - name: udev + flexVolume: + driver: foo +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod09 +spec: + containers: + - name: container01 + image: nginx + volumeMounts: + - name: udev + mountPath: /data + volumes: + - name: udev + cinder: + volumeID: my-vol +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod10 +spec: + containers: + - name: container01 + image: nginx + volumeMounts: + - name: udev + mountPath: /data + volumes: + - name: udev + cephfs: + monitors: + - foo +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod11 +spec: + containers: + - name: container01 + image: nginx + volumeMounts: + - name: udev + mountPath: /data + volumes: + - name: udev + flocker: + datasetName: fooset +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod12 +spec: + containers: + - name: container01 + image: nginx + volumeMounts: + - name: udev + mountPath: /data + volumes: + - name: udev + fc: + wwids: + - fooid.corp +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod13 +spec: + containers: + - name: container01 + image: nginx + volumeMounts: + - name: udev + mountPath: /data + volumes: + - name: udev + azureFile: + secretName: foosecret + shareName: fooshare +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod14 +spec: + containers: + - name: container01 + image: nginx + volumeMounts: + - name: udev + mountPath: /data + volumes: + - name: udev + vsphereVolume: + volumePath: /foo/disk.vmdk +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod15 +spec: + containers: + - name: container01 + image: nginx + volumeMounts: + - name: udev + mountPath: /data + volumes: + - name: udev + quobyte: + registry: 10.80.90.100:1111 + volume: foovol +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod16 +spec: + containers: + - name: container01 + image: nginx + volumeMounts: + - name: udev + mountPath: /data + volumes: + - name: udev + azureDisk: + kind: Managed + diskName: foodisk + diskURI: 
/subscriptions/123456/resourceGroups/MC_myAKSCluster_myAKSCluster_eastus/providers/Microsoft.Compute/disks/myAKSDisk +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod17 +spec: + containers: + - name: container01 + image: nginx + volumeMounts: + - name: udev + mountPath: /data + volumes: + - name: udev + portworxVolume: + volumeID: myportvol +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod18 +spec: + containers: + - name: container01 + image: nginx + volumeMounts: + - name: udev + mountPath: /data + volumes: + - name: udev + scaleIO: + gateway: https://localhost:443/api + system: scaleio + volumeName: vol-0 + secretRef: + name: sio-secret + fsType: xfs +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod19 +spec: + containers: + - name: container01 + image: nginx + volumeMounts: + - name: udev + mountPath: /data + volumes: + - name: udev + storageos: + volumeName: foovol +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod20 +spec: + containers: + - name: container01 + image: nginx + volumeMounts: + - name: udev + mountPath: /data + volumes: + - name: udev + photonPersistentDisk: + pdID: fooid.corp +--- +###### Deployments - Bad +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment01 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + volumeMounts: + - name: udev + mountPath: /data + volumes: + - name: udev + gcePersistentDisk: + pdName: gke-pv + fsType: ext4 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment02 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + volumeMounts: + - name: udev + mountPath: /data + volumes: + - name: udev + awsElasticBlockStore: + volumeID: vol-f37a03aa + fsType: ext4 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment03 
+spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + volumeMounts: + - name: udev + mountPath: /data + volumes: + - name: udev + gitRepo: + repository: https://github.com/kyverno/kyverno +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment04 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + volumeMounts: + - name: udev + mountPath: /data + volumes: + - name: udev + nfs: + path: /data + server: 10.105.68.50 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment05 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + volumeMounts: + - name: udev + mountPath: /data + volumes: + - name: udev + iscsi: + lun: 0 + iqn: iqn.1998-01.com.vmware:w1-hs3-n2503.eng.vmware.com:452738760:67 + targetPortal: 10.105.68.50:3260 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment06 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + volumeMounts: + - name: udev + mountPath: /data + volumes: + - name: udev + glusterfs: + endpoints: test + path: /data +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment07 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + volumeMounts: + - name: udev + mountPath: /data + volumes: + - name: udev + rbd: + image: foo + monitors: + - foo +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment08 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + 
app: app + spec: + containers: + - name: container01 + image: nginx + volumeMounts: + - name: udev + mountPath: /data + volumes: + - name: udev + flexVolume: + driver: foo +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment09 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + volumeMounts: + - name: udev + mountPath: /data + volumes: + - name: udev + cinder: + volumeID: my-vol +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment10 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + volumeMounts: + - name: udev + mountPath: /data + volumes: + - name: udev + cephfs: + monitors: + - foo +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment11 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + volumeMounts: + - name: udev + mountPath: /data + volumes: + - name: udev + flocker: + datasetName: fooset +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment12 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + volumeMounts: + - name: udev + mountPath: /data + volumes: + - name: udev + fc: + wwids: + - fooid.corp +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment13 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + volumeMounts: + - name: udev + mountPath: /data + volumes: + - name: udev + azureFile: + secretName: foosecret + shareName: fooshare +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + 
name: baddeployment14 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + volumeMounts: + - name: udev + mountPath: /data + volumes: + - name: udev + vsphereVolume: + volumePath: /foo/disk.vmdk +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment15 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + volumeMounts: + - name: udev + mountPath: /data + volumes: + - name: udev + quobyte: + registry: 10.80.90.100:1111 + volume: foovol +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment16 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + volumeMounts: + - name: udev + mountPath: /data + volumes: + - name: udev + azureDisk: + kind: Managed + diskName: foodisk + diskURI: /subscriptions/123456/resourceGroups/MC_myAKSCluster_myAKSCluster_eastus/providers/Microsoft.Compute/disks/myAKSDisk +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment17 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + volumeMounts: + - name: udev + mountPath: /data + volumes: + - name: udev + portworxVolume: + volumeID: myportvol +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment18 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + volumeMounts: + - name: udev + mountPath: /data + volumes: + - name: udev + scaleIO: + gateway: https://localhost:443/api + system: scaleio + volumeName: vol-0 + secretRef: + name: sio-secret + fsType: xfs +--- 
+apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment19 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + volumeMounts: + - name: udev + mountPath: /data + volumes: + - name: udev + storageos: + volumeName: foovol +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment20 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + volumeMounts: + - name: udev + mountPath: /data + volumes: + - name: udev + photonPersistentDisk: + pdID: fooid.corp +--- +###### CronJobs - Bad +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob01 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + volumeMounts: + - name: udev + mountPath: /data + volumes: + - name: udev + gcePersistentDisk: + pdName: gke-pv + fsType: ext4 +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob02 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + volumeMounts: + - name: udev + mountPath: /data + volumes: + - name: udev + awsElasticBlockStore: + volumeID: vol-f37a03aa + fsType: ext4 +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob03 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + volumeMounts: + - name: udev + mountPath: /data + volumes: + - name: udev + gitRepo: + repository: https://github.com/kyverno/kyverno +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob04 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + 
containers: + - name: container01 + image: nginx + volumeMounts: + - name: udev + mountPath: /data + volumes: + - name: udev + nfs: + path: /data + server: 10.105.68.50 +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob05 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + volumeMounts: + - name: udev + mountPath: /data + volumes: + - name: udev + iscsi: + lun: 0 + iqn: iqn.1998-01.com.vmware:w1-hs3-n2503.eng.vmware.com:452738760:67 + targetPortal: 10.105.68.50:3260 +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob06 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + volumeMounts: + - name: udev + mountPath: /data + volumes: + - name: udev + glusterfs: + endpoints: test + path: /data +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob07 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + volumeMounts: + - name: udev + mountPath: /data + volumes: + - name: udev + rbd: + image: foo + monitors: + - foo +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob08 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + volumeMounts: + - name: udev + mountPath: /data + volumes: + - name: udev + flexVolume: + driver: foo +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob09 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + volumeMounts: + - name: udev + mountPath: /data + volumes: + - name: udev + cinder: + volumeID: my-vol +--- +apiVersion: batch/v1 +kind: CronJob 
+metadata: + name: badcronjob10 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + volumeMounts: + - name: udev + mountPath: /data + volumes: + - name: udev + cephfs: + monitors: + - foo +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob11 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + volumeMounts: + - name: udev + mountPath: /data + volumes: + - name: udev + flocker: + datasetName: fooset +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob12 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + volumeMounts: + - name: udev + mountPath: /data + volumes: + - name: udev + fc: + wwids: + - fooid.corp +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob13 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + volumeMounts: + - name: udev + mountPath: /data + volumes: + - name: udev + azureFile: + secretName: foosecret + shareName: fooshare +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob14 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + volumeMounts: + - name: udev + mountPath: /data + volumes: + - name: udev + vsphereVolume: + volumePath: /foo/disk.vmdk +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob15 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + volumeMounts: + - name: udev + mountPath: /data + volumes: + - name: udev + quobyte: + 
registry: 10.80.90.100:1111 + volume: foovol +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob16 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + volumeMounts: + - name: udev + mountPath: /data + volumes: + - name: udev + azureDisk: + kind: Managed + diskName: foodisk + diskURI: /subscriptions/123456/resourceGroups/MC_myAKSCluster_myAKSCluster_eastus/providers/Microsoft.Compute/disks/myAKSDisk +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob17 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + volumeMounts: + - name: udev + mountPath: /data + volumes: + - name: udev + portworxVolume: + volumeID: myportvol +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob18 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + volumeMounts: + - name: udev + mountPath: /data + volumes: + - name: udev + scaleIO: + gateway: https://localhost:443/api + system: scaleio + volumeName: vol-0 + secretRef: + name: sio-secret + fsType: xfs +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob19 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + volumeMounts: + - name: udev + mountPath: /data + volumes: + - name: udev + storageos: + volumeName: foovol +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob20 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + volumeMounts: + - name: udev + mountPath: /data + volumes: + - name: udev + photonPersistentDisk: + pdID: fooid.corp 
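Review bot: The negative fixture covers twenty disallowed volume types but never `hostPath`, which is the disallowed type most likely to appear in real manifests, and every resource carries exactly one volume, so the mixed case — one permitted volume next to one disallowed — is not exercised either; a policy that only inspected the first entry of `volumes` would still pass this file. One additional Pod with an `emptyDir` plus a `hostPath` volume closes both gaps (Deployment/CronJob variants can follow the existing pattern if wanted). Only the object names matter to the test, so `badpod21` fits the existing numbering; the path below is a constructed sample.

```yaml
# … unchanged: badpod01–badpod20, Deployments and CronJobs …
---
apiVersion: v1
kind: Pod
metadata:
  name: badpod21
spec:
  containers:
  - name: container01
    image: nginx
    volumeMounts:
    - name: scratch
      mountPath: /scratch
    - name: host
      mountPath: /host
  volumes:
  - name: scratch
    emptyDir: {}
  - name: host
    hostPath:
      path: /tmp
```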
diff --git a/pod-security/restricted/restrict-volume-types/e2e/chainsaw-test.yaml b/pod-security/restricted/restrict-volume-types/e2e/chainsaw-test.yaml new file mode 100644 index 00000000..28b63cb8 --- /dev/null +++ b/pod-security/restricted/restrict-volume-types/e2e/chainsaw-test.yaml @@ -0,0 +1,24 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + name: restrict-volume-types-policy +spec: + steps: + - name: test-restrict-volume-types + try: + - apply: + file: ../restrict-volume-types.yaml + - assert: + file: policy-assert.yaml + - script: + content: | + sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../restrict-volume-types.yaml | kubectl apply -f - + - assert: + file: enforce-policy-assert.yaml + - apply: + file: good-resource.yaml + - apply: + expect: + - check: + ($error != null): true + file: bad-resource.yaml diff --git a/pod-security/restricted/restrict-volume-types/e2e/enforce-policy-assert.yaml b/pod-security/restricted/restrict-volume-types/e2e/enforce-policy-assert.yaml new file mode 100644 index 00000000..ddf8c589 --- /dev/null +++ b/pod-security/restricted/restrict-volume-types/e2e/enforce-policy-assert.yaml @@ -0,0 +1,11 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: restrict-volume-types +spec: + validationFailureAction: Enforce +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready \ No newline at end of file diff --git a/pod-security/restricted/restrict-volume-types/e2e/good-resource.yaml b/pod-security/restricted/restrict-volume-types/e2e/good-resource.yaml new file mode 100644 index 00000000..40f2dfd6 --- /dev/null +++ b/pod-security/restricted/restrict-volume-types/e2e/good-resource.yaml 
@@ -0,0 +1,608 @@ +###### Pods - Good +apiVersion: v1 +kind: Pod +metadata: + name: goodpod01 +spec: + containers: + - name: container01 + image: nginx +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod02 +spec: + containers: + - name: container01 + image: nginx + volumeMounts: + - name: udev + mountPath: /data + volumes: + - name: udev + emptyDir: {} +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod03 +spec: + containers: + - name: container01 + image: nginx + volumeMounts: + - name: mysettings + mountPath: /settings + volumes: + - name: mysettings + configMap: + name: settings +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod04 +spec: + containers: + - name: container01 + image: nginx + volumeMounts: + - name: warehouse + mountPath: /warehouse + volumes: + - name: warehouse + csi: + driver: disk.csi.azure.com + readOnly: true + fsType: xfs +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod05 + labels: + foo: bar +spec: + containers: + - name: container01 + image: nginx + volumeMounts: + - name: labels + mountPath: /labels + volumes: + - name: labels + downwardAPI: + items: + - path: labels + fieldRef: + fieldPath: metadata.labels +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod06 +spec: + containers: + - name: container01 + image: nginx + volumeMounts: + - name: ephem + mountPath: /ephem + volumes: + - name: ephem + ephemeral: + volumeClaimTemplate: + metadata: + labels: + type: my-frontend-volume + spec: + accessModes: [ "ReadWriteOnce" ] + storageClassName: "scratch-storage-class" + resources: + requests: + storage: 1Gi +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod07 +spec: + containers: + - name: container01 + image: nginx + volumeMounts: + - name: foo + mountPath: /foo + volumes: + - name: foo + persistentVolumeClaim: + claimName: fooclaim + readOnly: true +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod08 +spec: + containers: + - name: container01 + image: nginx + volumeMounts: + - mountPath: 
/var/run/secrets/tokens + name: vault-token + volumes: + - name: vault-token + projected: + sources: + - serviceAccountToken: + path: vault-token + expirationSeconds: 7200 + audience: vault +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod09 +spec: + containers: + - name: container01 + image: nginx + volumeMounts: + - mountPath: /mysecret + name: mysecret + volumes: + - name: mysecret + secret: + secretName: mysecret +--- +###### Deployments - Good +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment01 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment02 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + volumeMounts: + - name: udev + mountPath: /data + volumes: + - name: udev + emptyDir: {} +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment03 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + volumeMounts: + - name: mysettings + mountPath: /settings + volumes: + - name: mysettings + configMap: + name: settings +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment04 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + volumeMounts: + - name: warehouse + mountPath: /warehouse + volumes: + - name: warehouse + csi: + driver: disk.csi.azure.com + readOnly: true + fsType: xfs +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment05 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + foo: bar + 
spec: + containers: + - name: container01 + image: nginx + volumeMounts: + - name: labels + mountPath: /labels + volumes: + - name: labels + downwardAPI: + items: + - path: labels + fieldRef: + fieldPath: metadata.labels +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment06 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + volumeMounts: + - name: ephem + mountPath: /ephem + volumes: + - name: ephem + ephemeral: + volumeClaimTemplate: + metadata: + labels: + type: my-frontend-volume + spec: + accessModes: [ "ReadWriteOnce" ] + storageClassName: "scratch-storage-class" + resources: + requests: + storage: 1Gi +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment07 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + volumeMounts: + - name: foo + mountPath: /foo + volumes: + - name: foo + persistentVolumeClaim: + claimName: fooclaim + readOnly: true +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment08 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + volumeMounts: + - mountPath: /var/run/secrets/tokens + name: vault-token + volumes: + - name: vault-token + projected: + sources: + - serviceAccountToken: + path: vault-token + expirationSeconds: 7200 + audience: vault +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment09 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + volumeMounts: + - mountPath: /mysecret + name: mysecret + volumes: + - name: mysecret + secret: + secretName: mysecret +--- +###### CronJobs - Good 
+apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob01 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob02 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + volumeMounts: + - name: udev + mountPath: /data + volumes: + - name: udev + emptyDir: {} +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob03 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + volumeMounts: + - name: mysettings + mountPath: /settings + volumes: + - name: mysettings + configMap: + name: settings +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob04 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + volumeMounts: + - name: warehouse + mountPath: /warehouse + volumes: + - name: warehouse + csi: + driver: disk.csi.azure.com + readOnly: true + fsType: xfs +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob05 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + metadata: + labels: + foo: bar + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + volumeMounts: + - name: labels + mountPath: /labels + volumes: + - name: labels + downwardAPI: + items: + - path: labels + fieldRef: + fieldPath: metadata.labels +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob06 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + volumeMounts: + - name: ephem + mountPath: /ephem + volumes: 
+ - name: ephem + ephemeral: + volumeClaimTemplate: + metadata: + labels: + type: my-frontend-volume + spec: + accessModes: [ "ReadWriteOnce" ] + storageClassName: "scratch-storage-class" + resources: + requests: + storage: 1Gi +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob07 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + volumeMounts: + - name: foo + mountPath: /foo + volumes: + - name: foo + persistentVolumeClaim: + claimName: fooclaim + readOnly: true +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob08 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + volumeMounts: + - mountPath: /var/run/secrets/tokens + name: vault-token + volumes: + - name: vault-token + projected: + sources: + - serviceAccountToken: + path: vault-token + expirationSeconds: 7200 + audience: vault +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob09 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + volumeMounts: + - mountPath: /mysecret + name: mysecret + volumes: + - name: mysecret + secret: + secretName: mysecret diff --git a/pod-security/restricted/restrict-volume-types/e2e/policy-assert.yaml b/pod-security/restricted/restrict-volume-types/e2e/policy-assert.yaml new file mode 100644 index 00000000..fc059940 --- /dev/null +++ b/pod-security/restricted/restrict-volume-types/e2e/policy-assert.yaml @@ -0,0 +1,11 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: restrict-volume-types +spec: + validationFailureAction: audit +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready 
diff --git a/rbac-best-practices/disable-automount-sa-token/e2e/chainsaw-test.yaml b/rbac-best-practices/disable-automount-sa-token/e2e/chainsaw-test.yaml new file mode 100644 index 00000000..e3b1d563 --- /dev/null +++ b/rbac-best-practices/disable-automount-sa-token/e2e/chainsaw-test.yaml @@ -0,0 +1,21 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: disable-automount-sa-token-policy +spec: + steps: + - name: step-01 + try: + - apply: + file: ../disable-automount-sa-token.yaml + - assert: + file: policy-assert.yaml + - apply: + file: ns.yaml + - apply: + file: sa.yaml + - assert: + file: sa-patched.yaml + - error: + file: sa-not-patched.yaml diff --git a/best-practices/disallow_default_namespace/e2e/04-ns.yaml b/rbac-best-practices/disable-automount-sa-token/e2e/ns.yaml similarity index 56% rename from best-practices/disallow_default_namespace/e2e/04-ns.yaml rename to rbac-best-practices/disable-automount-sa-token/e2e/ns.yaml index 8f5b8c3b..d727f164 100644 --- a/best-practices/disallow_default_namespace/e2e/04-ns.yaml +++ b/rbac-best-practices/disable-automount-sa-token/e2e/ns.yaml @@ -1,4 +1,4 @@ apiVersion: v1 kind: Namespace metadata: - name: not-default-ns + name: disable-satokenmount-ns \ No newline at end of file diff --git a/rbac-best-practices/disable-automount-sa-token/e2e/policy-assert.yaml b/rbac-best-practices/disable-automount-sa-token/e2e/policy-assert.yaml new file mode 100644 index 00000000..a6c81de4 --- /dev/null +++ b/rbac-best-practices/disable-automount-sa-token/e2e/policy-assert.yaml @@ -0,0 +1,6 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: disable-automount-sa-token +status: + ready: true diff --git a/rbac-best-practices/disable-automount-sa-token/e2e/sa-not-patched.yaml b/rbac-best-practices/disable-automount-sa-token/e2e/sa-not-patched.yaml new file mode 100644 index 00000000..b7308161 --- /dev/null 
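Review bot: `creationTimestamp: null` in the Test metadata is generator scaffolding with no meaning to chainsaw and should be dropped. The step is named `step-01` whereas every other test in this patch uses a descriptive name, e.g. `- name: test-disable-automount-sa-token`. Because `sa-patched.yaml` and `sa-not-patched.yaml` differ only in the ServiceAccount name, a short comment on the `error:` entry stating what it proves — presumably that the policy mutates only the `default` ServiceAccount and leaves `foo-sa` untouched — makes the intent readable without opening both fixtures.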
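Review bot: This policy-assert.yaml checks readiness with `status: ready: true`, while every other policy-assert.yaml in this patch checks `status.conditions` with `reason: Succeeded`, `status: "True"`, `type: Ready`. The two forms should agree so that a change in how Kyverno reports policy readiness breaks all the tests the same way rather than only some of them; switching this file to the conditions form keeps the fixtures uniform.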
+++ b/rbac-best-practices/disable-automount-sa-token/e2e/sa-not-patched.yaml @@ -0,0 +1,6 @@ +apiVersion: v1 +kind: ServiceAccount +automountServiceAccountToken: false +metadata: + name: foo-sa + namespace: disable-satokenmount-ns \ No newline at end of file diff --git a/rbac-best-practices/disable-automount-sa-token/e2e/sa-patched.yaml b/rbac-best-practices/disable-automount-sa-token/e2e/sa-patched.yaml new file mode 100644 index 00000000..b5a0417b --- /dev/null +++ b/rbac-best-practices/disable-automount-sa-token/e2e/sa-patched.yaml @@ -0,0 +1,6 @@ +apiVersion: v1 +kind: ServiceAccount +automountServiceAccountToken: false +metadata: + name: default + namespace: disable-satokenmount-ns \ No newline at end of file diff --git a/rbac-best-practices/disable-automount-sa-token/e2e/sa.yaml b/rbac-best-practices/disable-automount-sa-token/e2e/sa.yaml new file mode 100644 index 00000000..0acdf02a --- /dev/null +++ b/rbac-best-practices/disable-automount-sa-token/e2e/sa.yaml @@ -0,0 +1,5 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: foo-sa + namespace: disable-satokenmount-ns \ No newline at end of file diff --git a/rbac-best-practices/restrict-automount-sa-token/e2e/bad-resource.yaml b/rbac-best-practices/restrict-automount-sa-token/e2e/bad-resource.yaml new file mode 100644 index 00000000..d276eb08 --- /dev/null +++ b/rbac-best-practices/restrict-automount-sa-token/e2e/bad-resource.yaml 
@@ -0,0 +1,68 @@ +apiVersion: v1 +kind: Pod +metadata: + name: badpod01 +spec: + automountServiceAccountToken: true + containers: + - name: busybox + image: busybox:1.35 +--- +apiVersion: v1 +kind: Pod +metadata: + labels: + app.kubernetes.io/part-of: blah-reporter + name: badpod02 +spec: + containers: + - name: busybox + image: busybox:1.35 +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod03 +spec: + containers: + - name: busybox + image: busybox:1.35 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: busybox + name: baddeployment01 +spec: + replicas: 1 + selector: + matchLabels: + app: busybox + strategy: {} + template: + metadata: + labels: + app: busybox + spec: + automountServiceAccountToken: true + containers: + - name: busybox + image: busybox:1.35 +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + labels: + app.kubernetes.io/part-of: blah-reporter + name: badcronjob01 +spec: + schedule: "* * * * *" + jobTemplate: + spec: + template: + spec: + containers: + - name: busybox + image: busybox:1.35 + restartPolicy: OnFailure diff --git a/rbac-best-practices/restrict-automount-sa-token/e2e/chainsaw-test.yaml b/rbac-best-practices/restrict-automount-sa-token/e2e/chainsaw-test.yaml new file mode 100644 index 00000000..e41d6d4e --- /dev/null +++ b/rbac-best-practices/restrict-automount-sa-token/e2e/chainsaw-test.yaml @@ -0,0 +1,24 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + name: restrict-automount-sa-token-policy +spec: + steps: + - name: test-restrict-automount-sa-token + try: + - apply: + file: ../restrict-automount-sa-token.yaml + - assert: + file: policy-assert.yaml + - script: + content: | + sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../restrict-automount-sa-token.yaml | kubectl apply -f - + - assert: + file: enforce-policy-assert.yaml + - apply: + file: good-resource.yaml + - apply: + expect: + - check: + ($error != null): true + file: bad-resource.yaml 
diff --git a/rbac-best-practices/restrict-automount-sa-token/e2e/enforce-policy-assert.yaml b/rbac-best-practices/restrict-automount-sa-token/e2e/enforce-policy-assert.yaml new file mode 100644 index 00000000..4435a497 --- /dev/null +++ b/rbac-best-practices/restrict-automount-sa-token/e2e/enforce-policy-assert.yaml @@ -0,0 +1,11 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: restrict-automount-sa-token +spec: + validationFailureAction: Enforce +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready \ No newline at end of file diff --git a/rbac-best-practices/restrict-automount-sa-token/e2e/good-resource.yaml b/rbac-best-practices/restrict-automount-sa-token/e2e/good-resource.yaml new file mode 100644 index 00000000..68c3b63b --- /dev/null +++ b/rbac-best-practices/restrict-automount-sa-token/e2e/good-resource.yaml @@ -0,0 +1,69 @@ +apiVersion: v1 +kind: Pod +metadata: + name: goodpod01 +spec: + automountServiceAccountToken: false + containers: + - name: busybox + image: busybox:1.35 +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod02 +spec: + automountServiceAccountToken: false + containers: + - name: busybox + image: busybox:1.35 +--- +apiVersion: v1 +kind: Pod +metadata: + labels: + app.kubernetes.io/part-of: policy-reporter + name: goodpod03 +spec: + containers: + - name: busybox + image: busybox:1.35 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: busybox + name: gooddeployment01 +spec: + replicas: 1 + selector: + matchLabels: + app: busybox + strategy: {} + template: + metadata: + labels: + app: busybox + spec: + automountServiceAccountToken: false + containers: + - name: busybox + image: busybox:1.35 +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + labels: + app.kubernetes.io/part-of: policy-reporter + name: goodcronjob01 +spec: + schedule: "* * * * *" + jobTemplate: + spec: + template: + spec: + containers: + - name: busybox + image: busybox:1.35 + restartPolicy: OnFailure 
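Review bot: `goodpod03` and `goodcronjob01` leave `automountServiceAccountToken` unset yet are expected to pass, apparently because of the `app.kubernetes.io/part-of: policy-reporter` label, but nothing in the fixture says so. A comment above each, e.g. `# not explicitly disabled; expected to pass only via the policy's policy-reporter label exclusion`, records why they are in the good set. The `blah-reporter` counterpart in bad-resource.yaml only reads as a deliberate contrast if the reader already knows about that exclusion.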
diff --git a/best-practices/disallow-empty-ingress-host/e2e/policy-assert.yaml b/rbac-best-practices/restrict-automount-sa-token/e2e/policy-assert.yaml similarity index 82% rename from best-practices/disallow-empty-ingress-host/e2e/policy-assert.yaml rename to rbac-best-practices/restrict-automount-sa-token/e2e/policy-assert.yaml index b0371309..be094f7a 100644 --- a/best-practices/disallow-empty-ingress-host/e2e/policy-assert.yaml +++ b/rbac-best-practices/restrict-automount-sa-token/e2e/policy-assert.yaml @@ -1,7 +1,7 @@ apiVersion: kyverno.io/v1 kind: ClusterPolicy metadata: - name: disallow-empty-ingress-host + name: restrict-automount-sa-token spec: validationFailureAction: audit status: diff --git a/rbac-best-practices/restrict-binding-system-groups/e2e/bad-resource.yaml b/rbac-best-practices/restrict-binding-system-groups/e2e/bad-resource.yaml new file mode 100644 index 00000000..4e7d48ee --- /dev/null +++ b/rbac-best-practices/restrict-binding-system-groups/e2e/bad-resource.yaml 
@@ -0,0 +1,67 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: badcrb01 +subjects: +- kind: Group + name: bar + apiGroup: rbac.authorization.k8s.io +roleRef: + kind: ClusterRole + name: "system:masters" + apiGroup: rbac.authorization.k8s.io +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: badcrb02 +subjects: +- kind: Group + namespace: foo + name: bar + apiGroup: rbac.authorization.k8s.io +roleRef: + kind: ClusterRole + name: "system:masters" + apiGroup: rbac.authorization.k8s.io +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: badrb01 +subjects: +- kind: Group + name: bar + apiGroup: rbac.authorization.k8s.io +roleRef: + kind: Role + name: "system:masters" + apiGroup: rbac.authorization.k8s.io +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: badrb02 +subjects: +- kind: Group + name: bar + namespace: foo + apiGroup: rbac.authorization.k8s.io +roleRef: + kind: Role + name: "system:masters" + apiGroup: rbac.authorization.k8s.io +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: badrb03 +subjects: +- kind: Group + name: bar + namespace: foo + apiGroup: rbac.authorization.k8s.io +roleRef: + kind: Role + name: "system:masters" + apiGroup: rbac.authorization.k8s.io diff --git a/rbac-best-practices/restrict-binding-system-groups/e2e/chainsaw-test.yaml b/rbac-best-practices/restrict-binding-system-groups/e2e/chainsaw-test.yaml new file mode 100644 index 00000000..cfa34ffd --- /dev/null +++ b/rbac-best-practices/restrict-binding-system-groups/e2e/chainsaw-test.yaml 
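Review bot: `badrb02` and `badrb03` are byte-identical documents (Group `bar` with `namespace: foo`, roleRef Role `system:masters`), so the third case adds no coverage; presumably one was meant to vary the subject, for example a ServiceAccount subject or a User. `badcrb02` and `badrb02` also set `namespace: foo` on a Group subject, which RBAC does not use for non-ServiceAccount kinds and which may cause the object to be rejected for a reason unrelated to the policy — a rejection the test's `($error != null)` check cannot tell apart from a policy denial. If the intent is to show the policy ignores subject fields, a comment saying so would help; otherwise drop the namespace from the Group subjects.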
@@ -0,0 +1,24 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + name: restrict-binding-system-groups-policy +spec: + steps: + - name: test-restrict-binding-system-groups + try: + - apply: + file: ../restrict-binding-system-groups.yaml + - assert: + file: policy-assert.yaml + - script: + content: | + sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../restrict-binding-system-groups.yaml | kubectl apply -f - + - assert: + file: enforce-policy-assert.yaml + - apply: + file: good-resource.yaml + - apply: + expect: + - check: + ($error != null): true + file: bad-resource.yaml diff --git a/rbac-best-practices/restrict-binding-system-groups/e2e/enforce-policy-assert.yaml b/rbac-best-practices/restrict-binding-system-groups/e2e/enforce-policy-assert.yaml new file mode 100644 index 00000000..d5768e9d --- /dev/null +++ b/rbac-best-practices/restrict-binding-system-groups/e2e/enforce-policy-assert.yaml @@ -0,0 +1,11 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: restrict-binding-system-groups +spec: + validationFailureAction: Enforce +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready \ No newline at end of file diff --git a/rbac-best-practices/restrict-binding-system-groups/e2e/good-resource.yaml b/rbac-best-practices/restrict-binding-system-groups/e2e/good-resource.yaml new file mode 100644 index 00000000..7e958419 --- /dev/null +++ b/rbac-best-practices/restrict-binding-system-groups/e2e/good-resource.yaml 
@@ -0,0 +1,77 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: goodcrb01 +subjects: +- kind: Group + name: secret-reader + apiGroup: rbac.authorization.k8s.io +roleRef: + kind: ClusterRole + name: manager + apiGroup: rbac.authorization.k8s.io +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: goodcrb02 +subjects: +- kind: ServiceAccount + namespace: foo + name: foo-reader +roleRef: + kind: ClusterRole + name: manager + apiGroup: rbac.authorization.k8s.io +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: goodcrb03 +subjects: +- kind: ServiceAccount + namespace: foo + name: "system.foo" +roleRef: + kind: ClusterRole + name: manager + apiGroup: rbac.authorization.k8s.io +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: goodrb01 +subjects: +- kind: User + name: foo + apiGroup: rbac.authorization.k8s.io +roleRef: + kind: Role + name: foo-bar + apiGroup: rbac.authorization.k8s.io +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: goodrb02 +subjects: +- kind: ServiceAccount + name: foo + namespace: foo +roleRef: + kind: Role + name: foo-bar + apiGroup: rbac.authorization.k8s.io +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: goodrb03 +subjects: +- kind: Group + name: "system:foo" + apiGroup: rbac.authorization.k8s.io +roleRef: + kind: Role + name: foo + apiGroup: rbac.authorization.k8s.io diff --git a/rbac-best-practices/restrict-binding-system-groups/e2e/policy-assert.yaml b/rbac-best-practices/restrict-binding-system-groups/e2e/policy-assert.yaml new file mode 100644 index 00000000..06ba4810 --- /dev/null +++ b/rbac-best-practices/restrict-binding-system-groups/e2e/policy-assert.yaml 
@@ -0,0 +1,11 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: restrict-binding-system-groups +spec: + validationFailureAction: audit +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready diff --git a/rbac-best-practices/restrict-clusterrole-nodesproxy/e2e/bad-resource.yaml b/rbac-best-practices/restrict-clusterrole-nodesproxy/e2e/bad-resource.yaml new file mode 100644 index 00000000..65063c9c --- /dev/null +++ b/rbac-best-practices/restrict-clusterrole-nodesproxy/e2e/bad-resource.yaml @@ -0,0 +1,20 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: badcr01 +rules: +- apiGroups: [""] + resources: ["nodes/proxy", "namespaces"] + verbs: ["get", "watch", "list"] +- apiGroups: ["apps"] + resources: ["deployments"] + verbs: ["get", "watch", "list"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: badcr02 +rules: +- apiGroups: [""] + resources: ["pods", "nodes/proxy"] + verbs: ["get", "watch", "list"] diff --git a/rbac-best-practices/restrict-clusterrole-nodesproxy/e2e/chainsaw-test.yaml b/rbac-best-practices/restrict-clusterrole-nodesproxy/e2e/chainsaw-test.yaml new file mode 100644 index 00000000..3d6b76b2 --- /dev/null +++ b/rbac-best-practices/restrict-clusterrole-nodesproxy/e2e/chainsaw-test.yaml @@ -0,0 +1,24 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + name: restrict-clusterrole-nodesproxy-policy +spec: + steps: + - name: test-restrict-clusterrole-nodesproxy + try: + - apply: + file: ../restrict-clusterrole-nodesproxy.yaml + - assert: + file: policy-assert.yaml + - script: + content: | + sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../restrict-clusterrole-nodesproxy.yaml | kubectl apply -f - + - assert: + file: enforce-policy-assert.yaml + - apply: + file: good-resource.yaml + - apply: + expect: + - check: + ($error != null): true + file: bad-resource.yaml 
diff --git a/rbac-best-practices/restrict-clusterrole-nodesproxy/e2e/enforce-policy-assert.yaml b/rbac-best-practices/restrict-clusterrole-nodesproxy/e2e/enforce-policy-assert.yaml new file mode 100644 index 00000000..0b7e800e --- /dev/null +++ b/rbac-best-practices/restrict-clusterrole-nodesproxy/e2e/enforce-policy-assert.yaml @@ -0,0 +1,11 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: restrict-clusterrole-nodesproxy +spec: + validationFailureAction: Enforce +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready \ No newline at end of file diff --git a/rbac-best-practices/restrict-clusterrole-nodesproxy/e2e/good-resource.yaml b/rbac-best-practices/restrict-clusterrole-nodesproxy/e2e/good-resource.yaml new file mode 100644 index 00000000..de7c8c2b --- /dev/null +++ b/rbac-best-practices/restrict-clusterrole-nodesproxy/e2e/good-resource.yaml @@ -0,0 +1,20 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: goodcr01 +rules: +- apiGroups: [""] + resources: ["pods", "namespaces"] + verbs: ["get", "watch", "list"] +- apiGroups: ["apps"] + resources: ["deployments"] + verbs: ["get", "watch", "list"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: goodcr02 +rules: +- apiGroups: [""] + resources: ["nodes"] + verbs: ["get", "watch", "list"] diff --git a/rbac-best-practices/restrict-clusterrole-nodesproxy/e2e/policy-assert.yaml b/rbac-best-practices/restrict-clusterrole-nodesproxy/e2e/policy-assert.yaml new file mode 100644 index 00000000..879092df --- /dev/null +++ b/rbac-best-practices/restrict-clusterrole-nodesproxy/e2e/policy-assert.yaml @@ -0,0 +1,11 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: restrict-clusterrole-nodesproxy +spec: + validationFailureAction: audit +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready 
diff --git a/rbac-best-practices/restrict-escalation-verbs-roles/e2e/bad-resource.yaml b/rbac-best-practices/restrict-escalation-verbs-roles/e2e/bad-resource.yaml new file mode 100644 index 00000000..dd998b91 --- /dev/null +++ b/rbac-best-practices/restrict-escalation-verbs-roles/e2e/bad-resource.yaml 
@@ -0,0 +1,89 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: badcr01 +rules: +- apiGroups: [""] + resources: ["pods", "namespaces"] + verbs: ["get", "watch", "list"] +- apiGroups: ["rbac.authorization.k8s.io", "apps"] + resources: ["deployments", "roles"] + verbs: ["bind", "watch", "list"] +- apiGroups: ["rbac.authorization.k8s.io"] + resources: ["clusterroles"] + verbs: ["update", "watch", "list"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: badcr02 +rules: +- apiGroups: [""] + resources: ["pods", "namespaces"] + verbs: ["get", "watch", "list"] +- apiGroups: ["rbac.authorization.k8s.io", "apps"] + resources: ["deployments", "roles"] + verbs: ["get", "watch", "list"] +- apiGroups: ["batches", "rbac.authorization.k8s.io"] + resources: ["clusterroles"] + verbs: ["update", "escalate", "list"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: badcr03 +rules: +- apiGroups: ["rbac.authorization.k8s.io", "apps"] + resources: ["deployments", "roles"] + verbs: ["get", "watch", "bind"] +- apiGroups: [""] + resources: ["pods", "namespaces"] + verbs: ["get", "watch", "list"] +- apiGroups: ["batches", "rbac.authorization.k8s.io"] + resources: ["clusterroles"] + verbs: ["get", "watch", "list"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: badrole01 +rules: +- apiGroups: [""] + resources: ["pods", "namespaces"] + verbs: ["get", "watch", "list"] +- apiGroups: ["rbac.authorization.k8s.io", "apps"] + resources: ["deployments", "roles"] + verbs: ["bind", "watch", "list"] +- apiGroups: ["rbac.authorization.k8s.io"] + resources: ["clusterroles"] + verbs: ["update", "watch", "list"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: badrole02 +rules: +- apiGroups: [""] + resources: ["pods", "namespaces"] + verbs: ["get", "watch", "list"] +- apiGroups: ["rbac.authorization.k8s.io", "apps"] + resources: ["deployments", 
"roles"] + verbs: ["get", "watch", "list"] +- apiGroups: ["batches", "rbac.authorization.k8s.io"] + resources: ["clusterroles"] + verbs: ["update", "escalate", "list"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: badrole03 +rules: +- apiGroups: ["rbac.authorization.k8s.io", "apps"] + resources: ["deployments", "roles"] + verbs: ["get", "watch", "bind"] +- apiGroups: [""] + resources: ["pods", "namespaces"] + verbs: ["get", "watch", "list"] +- apiGroups: ["batches"] + resources: ["jobs"] + verbs: ["get", "watch", "list"] diff --git a/rbac-best-practices/restrict-escalation-verbs-roles/e2e/chainsaw-test.yaml b/rbac-best-practices/restrict-escalation-verbs-roles/e2e/chainsaw-test.yaml new file mode 100644 index 00000000..ce3f5b78 --- /dev/null +++ b/rbac-best-practices/restrict-escalation-verbs-roles/e2e/chainsaw-test.yaml @@ -0,0 +1,24 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + name: restrict-escalation-verbs-roles-policy +spec: + steps: + - name: test-restrict-escalation-verbs-roles + try: + - apply: + file: ../restrict-escalation-verbs-roles.yaml + - assert: + file: policy-assert.yaml + - script: + content: | + sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../restrict-escalation-verbs-roles.yaml | kubectl apply -f - + - assert: + file: enforce-policy-assert.yaml + - apply: + file: good-resource.yaml + - apply: + expect: + - check: + ($error != null): true + file: bad-resource.yaml diff --git a/rbac-best-practices/restrict-escalation-verbs-roles/e2e/enforce-policy-assert.yaml b/rbac-best-practices/restrict-escalation-verbs-roles/e2e/enforce-policy-assert.yaml new file mode 100644 index 00000000..467bc1a6 --- /dev/null +++ b/rbac-best-practices/restrict-escalation-verbs-roles/e2e/enforce-policy-assert.yaml 
@@ -0,0 +1,11 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: restrict-escalation-verbs-roles
+spec:
+ validationFailureAction: Enforce
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
\ No newline at end of file
diff --git a/rbac-best-practices/restrict-escalation-verbs-roles/e2e/good-resource.yaml b/rbac-best-practices/restrict-escalation-verbs-roles/e2e/good-resource.yaml
new file mode 100644
index 00000000..a658b2a1
--- /dev/null
+++ b/rbac-best-practices/restrict-escalation-verbs-roles/e2e/good-resource.yaml
@@ -0,0 +1,47 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: goodcr01
+rules:
+- apiGroups: [""]
+ resources: ["pods", "namespaces"]
+ verbs: ["get", "watch", "list"]
+- apiGroups: ["rbac.authorization.k8s.io", "apps"]
+ resources: ["deployments", "roles"]
+ verbs: ["get", "watch", "list"]
+- apiGroups: ["rbac.authorization.k8s.io"]
+ resources: ["clusterroles"]
+ verbs: ["update", "watch", "list"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: goodcr02
+rules:
+- apiGroups: [""]
+ resources: ["pods", "namespaces"]
+ verbs: ["get", "watch", "list"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: goodrole01
+rules:
+- apiGroups: [""]
+ resources: ["pods", "namespaces"]
+ verbs: ["get", "watch", "list"]
+- apiGroups: ["rbac.authorization.k8s.io", "apps"]
+ resources: ["deployments", "roles"]
+ verbs: ["get", "watch", "list"]
+- apiGroups: ["rbac.authorization.k8s.io"]
+ resources: ["clusterroles"]
+ verbs: ["update", "watch", "list"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: goodrole02
+rules:
+- apiGroups: [""]
+ resources: ["pods", "namespaces"]
+ verbs: ["get", "watch", "list"]
diff --git a/rbac-best-practices/restrict-escalation-verbs-roles/e2e/policy-assert.yaml b/rbac-best-practices/restrict-escalation-verbs-roles/e2e/policy-assert.yaml
new file mode 100644
index 00000000..cf0b1e05
--- /dev/null
+++ b/rbac-best-practices/restrict-escalation-verbs-roles/e2e/policy-assert.yaml
@@ -0,0 +1,11 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: restrict-escalation-verbs-roles
+spec:
+ validationFailureAction: audit
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/rbac-best-practices/restrict-wildcard-resources/e2e/bad-resource.yaml b/rbac-best-practices/restrict-wildcard-resources/e2e/bad-resource.yaml
new file mode 100644
index 00000000..be346c23
--- /dev/null
+++ b/rbac-best-practices/restrict-wildcard-resources/e2e/bad-resource.yaml
@@ -0,0 +1,65 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: badcr01
+rules:
+- apiGroups: [""]
+ resources: ["namespaces", "*", "pods"]
+ verbs: ["get", "create"]
+- apiGroups: ["apps"]
+ resources: ["deployments"]
+ verbs: ["get", "watch", "list"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: badcr02
+rules:
+- apiGroups: ["apps"]
+ resources: ["*"]
+ verbs: ["get", "watch", "list"]
+- apiGroups: [""]
+ resources: ["namespaces", "secrets", "pods"]
+ verbs: ["create", "watch", "list"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: badcr03
+rules:
+- apiGroups: [""]
+ resources: ["*"]
+ verbs: ["update", "list", "create"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: badcr01
+rules:
+- apiGroups: [""]
+ resources: ["namespaces", "*", "pods"]
+ verbs: ["get", "create"]
+- apiGroups: ["apps"]
+ resources: ["deployments"]
+ verbs: ["get", "watch", "list"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: badcr02
+rules:
+- apiGroups: ["apps"]
+ resources: ["*"]
+ verbs: ["get", "watch", "list"]
+- apiGroups: [""]
+ resources: ["namespaces", "secrets", "pods"]
+ verbs: ["create", "watch", "list"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: badcr03
+rules:
+- apiGroups: [""]
+ resources: ["*"]
+ verbs: ["update", "list", "create"]
diff --git a/rbac-best-practices/restrict-wildcard-resources/e2e/chainsaw-test.yaml b/rbac-best-practices/restrict-wildcard-resources/e2e/chainsaw-test.yaml
new file mode 100644
index 00000000..fc9903ab
--- /dev/null
+++ b/rbac-best-practices/restrict-wildcard-resources/e2e/chainsaw-test.yaml
@@ -0,0 +1,24 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ name: restrict-wildcard-resources-policy
+spec:
+ steps:
+ - name: test-restrict-wildcard-resources
+ try:
+ - apply:
+ file: ../restrict-wildcard-resources.yaml
+ - assert:
+ file: policy-assert.yaml
+ - script:
+ content: |
+ sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../restrict-wildcard-resources.yaml | kubectl apply -f -
+ - assert:
+ file: enforce-policy-assert.yaml
+ - apply:
+ file: good-resource.yaml
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: bad-resource.yaml
diff --git a/rbac-best-practices/restrict-wildcard-resources/e2e/enforce-policy-assert.yaml b/rbac-best-practices/restrict-wildcard-resources/e2e/enforce-policy-assert.yaml
new file mode 100644
index 00000000..6054e24e
--- /dev/null
+++ b/rbac-best-practices/restrict-wildcard-resources/e2e/enforce-policy-assert.yaml
@@ -0,0 +1,11 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: restrict-wildcard-resources
+spec:
+ validationFailureAction: Enforce
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
\ No newline at end of file
diff --git a/rbac-best-practices/restrict-wildcard-resources/e2e/good-resource.yaml b/rbac-best-practices/restrict-wildcard-resources/e2e/good-resource.yaml
new file mode 100644
index 00000000..f79c7f36
--- /dev/null
+++ b/rbac-best-practices/restrict-wildcard-resources/e2e/good-resource.yaml
@@ -0,0 +1,95 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: goodcr01
+rules:
+- apiGroups: [""]
+ resources: ["pods", "namespaces"]
+ verbs: ["get", "watch", "list"]
+- apiGroups: ["apps"]
+ resources: ["deployments"]
+ verbs: ["get", "watch", "list"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: goodcr02
+rules:
+- apiGroups: ["apps"]
+ resources: ["deployments"]
+ verbs: ["get", "create", "update"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: goodcr03
+rules:
+- apiGroups: ["batch"]
+ resources: ["secrets"]
+ verbs: ["create", "update", "patch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: goodcr04
+rules:
+- apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["*"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: goodcr05
+rules:
+- apiGroups: ["*"]
+ resources: ["secrets"]
+ verbs: ["create", "update", "patch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: goodcr01
+rules:
+- apiGroups: [""]
+ resources: ["pods", "namespaces"]
+ verbs: ["get", "watch", "list"]
+- apiGroups: ["apps"]
+ resources: ["deployments"]
+ verbs: ["get", "watch", "list"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: goodcr02
+rules:
+- apiGroups: ["apps"]
+ resources: ["deployments"]
+ verbs: ["get", "create", "update"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: goodcr03
+rules:
+- apiGroups: ["batch"]
+ resources: ["secrets"]
+ verbs: ["create", "update", "patch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: goodcr04
+rules:
+- apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["*"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: goodcr05
+rules:
+- apiGroups: ["*"]
+ resources: ["secrets"]
+ verbs: ["create", "update", "patch"]
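Review bot: goodcr04 and goodcr05 grant `verbs: ["*"]` on secrets and `apiGroups: ["*"]`, which are "good" only with respect to this policy's scope (a wildcard in `resources`); without a comment a reader will take them for acceptable RBAC. I would add at the top of the file `# "good" only for restrict-wildcard-resources: goodcr04/goodcr05 keep wildcard verbs/apiGroups on purpose to prove the policy checks resources only`. goodcr03 also pairs `apiGroups: ["batch"]` with `resources: ["secrets"]`, a combination no API serves; RBAC accepts it, but the fixture reads as a mistake rather than a deliberate case.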
diff --git a/rbac-best-practices/restrict-wildcard-resources/e2e/policy-assert.yaml b/rbac-best-practices/restrict-wildcard-resources/e2e/policy-assert.yaml
new file mode 100644
index 00000000..55b734ce
--- /dev/null
+++ b/rbac-best-practices/restrict-wildcard-resources/e2e/policy-assert.yaml
@@ -0,0 +1,11 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: restrict-wildcard-resources
+spec:
+ validationFailureAction: audit
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
From 7b57c2906642d2b1ebe8286a53e0e6ab127e66e3 Mon Sep 17 00:00:00 2001
From: nsathyaseelan
Date: Mon, 18 Dec 2023 16:19:41 +0530
Subject: [PATCH 2/7] Added the chainsaw tests in github actions
Signed-off-by: nsathyaseelan
---
 .github/workflows/chainsaw-e2e.yaml | 2 --
 1 file changed, 2 deletions(-)
diff --git a/.github/workflows/chainsaw-e2e.yaml b/.github/workflows/chainsaw-e2e.yaml
index b9628657..f0088d05 100644
--- a/.github/workflows/chainsaw-e2e.yaml
+++ b/.github/workflows/chainsaw-e2e.yaml
@@ -3,14 +3,12 @@ on:
 push:
 branches:
 - 'main'
- - 'chainsaw-test'
 # this action needs to read GH secret
 # hence prevents executing on PRs from forks
 # disabling running on PRs until we find a workaround for this
 pull_request:
 branches:
 - 'main'
- - 'chainsaw-test'
 concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
From de372a51b4322d49214216a20955114f86de9e9b Mon Sep 17 00:00:00 2001
From: nsathyaseelan
Date: Wed, 14 Feb 2024 20:22:17 +0530
Subject: [PATCH 3/7] Removed the tests for disallow proc mount policy
Signed-off-by: nsathyaseelan
---
 .../disallow-proc-mount/e2e/bad-resource.yaml | 442 +++++++++--------
 1 file changed, 221 insertions(+), 221 deletions(-)
diff --git a/pod-security/baseline/disallow-proc-mount/e2e/bad-resource.yaml b/pod-security/baseline/disallow-proc-mount/e2e/bad-resource.yaml
index d86ddc28..5552bda7 100644
--- a/pod-security/baseline/disallow-proc-mount/e2e/bad-resource.yaml
+++ b/pod-security/baseline/disallow-proc-mount/e2e/bad-resource.yaml 
@@ -71,224 +71,224 @@ spec:
 image: nginx
 securityContext:
 procMount: "Unmasked"
----
-###### Deployments - Bad
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: baddeployment01
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: app
- template:
- metadata:
- labels:
- app: app
- spec:
- containers:
- - name: container01
- image: nginx
- securityContext:
- procMount: "Unmasked"
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: baddeployment02
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: app
- template:
- metadata:
- labels:
- app: app
- spec:
- containers:
- - name: container01
- image: nginx
- - name: container02
- image: nginx
- securityContext:
- procMount: "Unmasked"
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: baddeployment03
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: app
- template:
- metadata:
- labels:
- app: app
- spec:
- initContainers:
- - name: initcontainer01
- image: nginx
- securityContext:
- procMount: "Unmasked"
- containers:
- - name: container01
- image: nginx
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: baddeployment04
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: app
- template:
- metadata:
- labels:
- app: app
- spec:
- initContainers:
- - name: initcontainer01
- image: nginx
- - name: initcontainer02
- image: nginx
- securityContext:
- procMount: "Unmasked"
- containers:
- - name: container01
- image: nginx
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: baddeployment05
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: app
- template:
- metadata:
- labels:
- app: app
- spec:
- initContainers:
- - name: initcontainer01
- image: nginx
- - name: initcontainer02
- image: nginx
- securityContext:
- procMount: "Unmasked"
- containers:
- - name: container01
- image: nginx
- securityContext:
- procMount: "Unmasked"
----
-###### CronJobs - Bad
-apiVersion: batch/v1
-kind: CronJob
-metadata:
- name: badcronjob01
-spec:
- schedule: "*/1 * * * *"
- jobTemplate:
- spec:
- template:
- spec:
- restartPolicy: OnFailure
- containers:
- - name: container01
- image: nginx
- securityContext:
- procMount: "Unmasked"
----
-apiVersion: batch/v1
-kind: CronJob
-metadata:
- name: badcronjob02
-spec:
- schedule: "*/1 * * * *"
- jobTemplate:
- spec:
- template:
- spec:
- restartPolicy: OnFailure
- containers:
- - name: container01
- image: nginx
- - name: container02
- image: nginx
- securityContext:
- procMount: "Unmasked"
----
-apiVersion: batch/v1
-kind: CronJob
-metadata:
- name: badcronjob03
-spec:
- schedule: "*/1 * * * *"
- jobTemplate:
- spec:
- template:
- spec:
- restartPolicy: OnFailure
- initContainers:
- - name: initcontainer01
- image: nginx
- securityContext:
- procMount: "Unmasked"
- containers:
- - name: container01
- image: nginx
----
-apiVersion: batch/v1
-kind: CronJob
-metadata:
- name: badcronjob04
-spec:
- schedule: "*/1 * * * *"
- jobTemplate:
- spec:
- template:
- spec:
- restartPolicy: OnFailure
- initContainers:
- - name: initcontainer01
- image: nginx
- - name: initcontainer02
- image: nginx
- securityContext:
- procMount: "Unmasked"
- containers:
- - name: container01
- image: nginx
----
-apiVersion: batch/v1
-kind: CronJob
-metadata:
- name: badcronjob05
-spec:
- schedule: "*/1 * * * *"
- jobTemplate:
- spec:
- template:
- spec:
- restartPolicy: OnFailure
- initContainers:
- - name: initcontainer01
- image: nginx
- - name: initcontainer02
- image: nginx
- securityContext:
- procMount: "Unmasked"
- containers:
- - name: container01
- image: nginx
- securityContext:
- procMount: "Unmasked"
+# ---
+# ###### Deployments - Bad
+# apiVersion: apps/v1
+# kind: Deployment
+# metadata:
+# name: baddeployment01
+# spec:
+# replicas: 1
+# selector:
+# matchLabels:
+# app: app
+# template:
+# metadata:
+# labels:
+# app: app
+# spec:
+# containers:
+# - name: container01
+# image: nginx
+# securityContext:
+# procMount: "Unmasked"
+# ---
+# apiVersion: apps/v1
+# kind: Deployment
+# metadata:
+# name: baddeployment02
+# spec:
+# replicas: 1
+# selector:
+# matchLabels:
+# app: app
+# template:
+# metadata:
+# labels:
+# app: app
+# spec:
+# containers:
+# - name: container01
+# image: nginx
+# - name: container02
+# image: nginx
+# securityContext:
+# procMount: "Unmasked"
+# ---
+# apiVersion: apps/v1
+# kind: Deployment
+# metadata:
+# name: baddeployment03
+# spec:
+# replicas: 1
+# selector:
+# matchLabels:
+# app: app
+# template:
+# metadata:
+# labels:
+# app: app
+# spec:
+# initContainers:
+# - name: initcontainer01
+# image: nginx
+# securityContext:
+# procMount: "Unmasked"
+# containers:
+# - name: container01
+# image: nginx
+# ---
+# apiVersion: apps/v1
+# kind: Deployment
+# metadata:
+# name: baddeployment04
+# spec:
+# replicas: 1
+# selector:
+# matchLabels:
+# app: app
+# template:
+# metadata:
+# labels:
+# app: app
+# spec:
+# initContainers:
+# - name: initcontainer01
+# image: nginx
+# - name: initcontainer02
+# image: nginx
+# securityContext:
+# procMount: "Unmasked"
+# containers:
+# - name: container01
+# image: nginx
+# ---
+# apiVersion: apps/v1
+# kind: Deployment
+# metadata:
+# name: baddeployment05
+# spec:
+# replicas: 1
+# selector:
+# matchLabels:
+# app: app
+# template:
+# metadata:
+# labels:
+# app: app
+# spec:
+# initContainers:
+# - name: initcontainer01
+# image: nginx
+# - name: initcontainer02
+# image: nginx
+# securityContext:
+# procMount: "Unmasked"
+# containers:
+# - name: container01
+# image: nginx
+# securityContext:
+# procMount: "Unmasked"
+# ---
+# ###### CronJobs - Bad
+# apiVersion: batch/v1
+# kind: CronJob
+# metadata:
+# name: badcronjob01
+# spec:
+# schedule: "*/1 * * * *"
+# jobTemplate:
+# spec:
+# template:
+# spec:
+# restartPolicy: OnFailure
+# containers:
+# - name: container01
+# image: nginx
+# securityContext:
+# procMount: "Unmasked"
+# ---
+# apiVersion: batch/v1
+# kind: CronJob
+# metadata:
+# name: badcronjob02
+# spec:
+# schedule: "*/1 * * * *"
+# jobTemplate:
+# spec:
+# template:
+# spec:
+# restartPolicy: OnFailure
+# containers:
+# - name: container01
+# image: nginx
+# - name: container02
+# image: nginx
+# securityContext:
+# procMount: "Unmasked"
+# ---
+# apiVersion: batch/v1
+# kind: CronJob
+# metadata:
+# name: badcronjob03
+# spec:
+# schedule: "*/1 * * * *"
+# jobTemplate:
+# spec:
+# template:
+# spec:
+# restartPolicy: OnFailure
+# initContainers:
+# - name: initcontainer01
+# image: nginx
+# securityContext:
+# procMount: "Unmasked"
+# containers:
+# - name: container01
+# image: nginx
+# ---
+# apiVersion: batch/v1
+# kind: CronJob
+# metadata:
+# name: badcronjob04
+# spec:
+# schedule: "*/1 * * * *"
+# jobTemplate:
+# spec:
+# template:
+# spec:
+# restartPolicy: OnFailure
+# initContainers:
+# - name: initcontainer01
+# image: nginx
+# - name: initcontainer02
+# image: nginx
+# securityContext:
+# procMount: "Unmasked"
+# containers:
+# - name: container01
+# image: nginx
+# ---
+# apiVersion: batch/v1
+# kind: CronJob
+# metadata:
+# name: badcronjob05
+# spec:
+# schedule: "*/1 * * * *"
+# jobTemplate:
+# spec:
+# template:
+# spec:
+# restartPolicy: OnFailure
+# initContainers:
+# - name: initcontainer01
+# image: nginx
+# - name: initcontainer02
+# image: nginx
+# securityContext:
+# procMount: "Unmasked"
+# containers:
+# - name: container01
+# image: nginx
+# securityContext:
+# procMount: "Unmasked"
From 41e5c5b651b8d3ddc0dfc9d692c530e0374a0a91 Mon Sep 17 00:00:00 2001
From: nsathyaseelan
Date: Wed, 14 Feb 2024 21:14:07 +0530
Subject: [PATCH 4/7] Removed the bad resource tests for disallow proc mount policy
Signed-off-by: nsathyaseelan
---
 .../disallow-proc-mount/e2e/chainsaw-test.yaml | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/pod-security/baseline/disallow-proc-mount/e2e/chainsaw-test.yaml b/pod-security/baseline/disallow-proc-mount/e2e/chainsaw-test.yaml
index 7f8c75a5..4510f135 100644
--- a/pod-security/baseline/disallow-proc-mount/e2e/chainsaw-test.yaml
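Review bot: After this hunk the Deployment and CronJob negative cases for disallow-proc-mount survive only as commented-out YAML, and the chainsaw-test.yaml hunk in the next patch ([PATCH 4/7]) then comments out the `bad-resource.yaml` apply altogether, so the test no longer proves the policy rejects anything — a policy that admits everything would still pass. Neither file records why; the commit subjects say "Removed" but give no cause. I would keep at least the Pod cases (the uncommented top of bad-resource.yaml, which lies outside this hunk) applied with the `($error != null): true` expectation, and put the reason plus a tracking reference above the commented block, e.g. `# Deployment/CronJob cases disabled: <reason> — see <ISSUE-PLACEHOLDER>`.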
+++ b/pod-security/baseline/disallow-proc-mount/e2e/chainsaw-test.yaml
@@ -39,8 +39,8 @@ spec:
 file: enforce-policy-assert.yaml
 - apply:
 file: good-resource.yaml
- - apply:
- expect:
- - check:
- ($error != null): true
- file: bad-resource.yaml
+ # - apply:
+ # expect:
+ # - check:
+ # ($error != null): true
+ # file: bad-resource.yaml
From 1c532af7509580f9914e93155c19fd92e882eeeb Mon Sep 17 00:00:00 2001
From: nsathyaseelan
Date: Fri, 16 Feb 2024 09:35:15 +0530
Subject: [PATCH 5/7] Included the latest n4k version in the chainsaw test
Signed-off-by: nsathyaseelan
---
 .github/workflows/chainsaw-e2e.yaml | 30 ++++++++++---------
 Makefile | 8 +++--
 .../e2e/chainsaw-test.yaml | 2 --
 .../disallow-host-path/e2e/chainsaw-test.yaml | 2 --
 .../e2e/chainsaw-test.yaml | 2 --
 .../e2e/chainsaw-test.yaml | 2 --
 .../e2e/chainsaw-test.yaml | 2 --
 .../e2e/chainsaw-test.yaml | 2 --
 .../e2e/chainsaw-test.yaml | 2 --
 .../e2e/chainsaw-test.yaml | 2 --
 .../e2e/chainsaw-test.yaml | 2 --
 11 files changed, 22 insertions(+), 34 deletions(-)
diff --git a/.github/workflows/chainsaw-e2e.yaml b/.github/workflows/chainsaw-e2e.yaml
index f0088d05..1735cc1a 100644
--- a/.github/workflows/chainsaw-e2e.yaml
+++ b/.github/workflows/chainsaw-e2e.yaml
@@ -3,9 +3,7 @@ on:
 push:
 branches:
 - 'main'
- # this action needs to read GH secret
- # hence prevents executing on PRs from forks
- # disabling running on PRs until we find a workaround for this
+
 pull_request:
 branches:
 - 'main'
@@ -13,18 +11,20 @@ on:
 concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: true
-
+
 jobs:
 run-e2etest:
 runs-on: ubuntu-latest
- permissions:
- packages: read
+
 strategy:
- fail-fast: false
+ fail-fast: false
 matrix:
- k8s-version: [v1.28.0, v1.27.3, v1.26.3, v1.25.8, v1.24.12, v1.23.17]
- n4k-chart-version: [1.6.11, 3.0.9]
-
+ k8s-version: [v1.29.2, v1.28.7, v1.27.11, v1.26.14, v1.25.16]
+ # For n4k-versions 1.10, and 1.11
+ # "devel" refers to the RC version.
+ # If there are no new RC versions available, it installs the latest n4k version.
+ n4k-chart-version: [3.0.18, 3.1.1, devel]
+
 steps:
 - name: Checkout
 uses: actions/checkout@v3
@@ -33,14 +33,16 @@ jobs:
 run: K8S_VERSION=${{ matrix.k8s-version }} make kind-create-cluster
 - name: Install kyverno
- run: |
- N4K_VERSION=${{ matrix.n4k-chart-version }} make kind-deploy-kyverno
+ run: N4K_VERSION=${{ matrix.n4k-chart-version }} make kind-deploy-kyverno
 - name: Check Kyverno status
 run: make wait-for-kyverno
- - name: Install chainsaw
- uses: kyverno/action-install-chainsaw@6ab03ccb2c8309b5f494fcbc78ec3a2d80cfabee # v0.1.0
+ - name: Install Chainsaw
+ uses: kyverno/action-install-chainsaw@v0.1.4
+
+ - name: Verify Chainsaw Installation
+ run: chainsaw version
 - name: Test with Chainsaw
 run: make test-chainsaw
diff --git a/Makefile b/Makefile
index 881478b0..cc90d06a 100644
--- a/Makefile
+++ b/Makefile
@@ -7,7 +7,7 @@ USE_CONFIG ?= standard
 TOOLS_DIR := $(PWD)/.tools
 KIND := $(TOOLS_DIR)/kind
-KIND_VERSION := v0.20.0
+KIND_VERSION := v0.22.0
 HELM := $(TOOLS_DIR)/helm
 HELM_VERSION := v3.10.1
 TOOLS := $(KIND) $(HELM)
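Review bot: The job's explicit `permissions:` block (`packages: read`) is removed in the `@@ -13,18 +11,20 @@` hunk without a replacement, so the job's GITHUB_TOKEN falls back to the repository default, which is usually broader than a kind-based e2e job needs. If the package read scope is genuinely unused now, keep an explicit minimal block instead of none: `permissions:` / `  contents: read`. The rest of the job definition lies outside this hunk.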
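Review bot: `uses: kyverno/action-install-chainsaw@v0.1.4` in the `@@ -33,14 +33,16 @@` hunk replaces a full-commit-SHA pin with a mutable tag, so the action's code can change underneath the workflow with no diff here. Keep the pinning style the removed line had: `uses: kyverno/action-install-chainsaw@<full-commit-sha-of-v0.1.4> # v0.1.4`. The unchanged `actions/checkout@v3` context line has the same weakness, though this commit does not touch it.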
@@ -55,7 +55,11 @@ kind-deploy-kyverno: $(HELM)
 @echo Install kyverno chart... >&2
 @$(HELM) repo add nirmata https://nirmata.github.io/kyverno-charts
 @$(HELM) repo update
- @$(HELM) install kyverno nirmata/kyverno -n kyverno --create-namespace --version=$(N4K_VERSION)
+ @if [ "$(N4K_VERSION)" = "devel" ]; then \
+ $(HELM) install kyverno nirmata/kyverno -n kyverno --create-namespace --devel; \
+ else \
+ $(HELM) install kyverno nirmata/kyverno -n kyverno --create-namespace --version=$(N4K_VERSION); \
+ fi
 ## Check Kyverno status
 .PHONY: wait-for-kyverno
diff --git a/pod-security/baseline/disallow-host-namespaces/e2e/chainsaw-test.yaml b/pod-security/baseline/disallow-host-namespaces/e2e/chainsaw-test.yaml
index a2f9a2bd..c3e0e055 100644
--- a/pod-security/baseline/disallow-host-namespaces/e2e/chainsaw-test.yaml
+++ b/pod-security/baseline/disallow-host-namespaces/e2e/chainsaw-test.yaml
@@ -22,8 +22,6 @@ spec:
 resource:
 apiVersion: wgpolicyk8s.io/v1alpha2
 kind: PolicyReport
- metadata:
- name: cpol-disallow-host-namespaces
 summary:
 error: 0
 fail: 0
diff --git a/pod-security/baseline/disallow-host-path/e2e/chainsaw-test.yaml b/pod-security/baseline/disallow-host-path/e2e/chainsaw-test.yaml
index e5fb1ccc..39a36e89 100644
--- a/pod-security/baseline/disallow-host-path/e2e/chainsaw-test.yaml
+++ b/pod-security/baseline/disallow-host-path/e2e/chainsaw-test.yaml
@@ -22,8 +22,6 @@ spec:
 resource:
 apiVersion: wgpolicyk8s.io/v1alpha2
 kind: PolicyReport
- metadata:
- name: cpol-disallow-host-path
 summary:
 error: 0
 fail: 0
diff --git a/pod-security/baseline/disallow-host-ports/e2e/chainsaw-test.yaml b/pod-security/baseline/disallow-host-ports/e2e/chainsaw-test.yaml
index 893a7b16..8ac23644 100644
--- a/pod-security/baseline/disallow-host-ports/e2e/chainsaw-test.yaml
+++ b/pod-security/baseline/disallow-host-ports/e2e/chainsaw-test.yaml
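Review bot: Dropping `metadata.name: cpol-disallow-host-namespaces` from the PolicyReport assert means the assertion is no longer tied to this policy's report; as far as I know chainsaw then matches any PolicyReport in the test namespace, so a report that does not cover disallow-host-namespaces at all, or one produced for another policy's fixtures, can satisfy `error: 0` / `fail: 0`. If the name was removed because newer Kyverno versions name reports differently, select the report by something stable instead — a label the policy sets, or a result-level check such as `(length(results[?policy == 'disallow-host-namespaces' && result == 'fail'])): 0` — and say so in a comment above the assert. The `summary:` mapping continues past the end of the hunk. The same change appears in the eight other chainsaw-test.yaml hunks of this patch (disallow-host-path, disallow-host-ports, disallow-host-process, disallow-privileged-containers, disallow-proc-mount, disallow-capabilities-strict, disallow-privilege-escalation, require-run-as-nonroot).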
@@ -22,8 +22,6 @@ spec:
 resource:
 apiVersion: wgpolicyk8s.io/v1alpha2
 kind: PolicyReport
- metadata:
- name: cpol-disallow-host-ports
 summary:
 error: 0
 fail: 0
diff --git a/pod-security/baseline/disallow-host-process/e2e/chainsaw-test.yaml b/pod-security/baseline/disallow-host-process/e2e/chainsaw-test.yaml
index 30d6a068..3b71ff1a 100644
--- a/pod-security/baseline/disallow-host-process/e2e/chainsaw-test.yaml
+++ b/pod-security/baseline/disallow-host-process/e2e/chainsaw-test.yaml
@@ -22,8 +22,6 @@ spec:
 resource:
 apiVersion: wgpolicyk8s.io/v1alpha2
 kind: PolicyReport
- metadata:
- name: cpol-disallow-host-process
 summary:
 error: 0
 fail: 0
diff --git a/pod-security/baseline/disallow-privileged-containers/e2e/chainsaw-test.yaml b/pod-security/baseline/disallow-privileged-containers/e2e/chainsaw-test.yaml
index 8d09d1a5..af3d292e 100644
--- a/pod-security/baseline/disallow-privileged-containers/e2e/chainsaw-test.yaml
+++ b/pod-security/baseline/disallow-privileged-containers/e2e/chainsaw-test.yaml
@@ -22,8 +22,6 @@ spec:
 resource:
 apiVersion: wgpolicyk8s.io/v1alpha2
 kind: PolicyReport
- metadata:
- name: cpol-disallow-privileged-containers
 summary:
 error: 0
 fail: 0
diff --git a/pod-security/baseline/disallow-proc-mount/e2e/chainsaw-test.yaml b/pod-security/baseline/disallow-proc-mount/e2e/chainsaw-test.yaml
index 4510f135..ab1aa1a7 100644
--- a/pod-security/baseline/disallow-proc-mount/e2e/chainsaw-test.yaml
+++ b/pod-security/baseline/disallow-proc-mount/e2e/chainsaw-test.yaml
@@ -22,8 +22,6 @@ spec:
 resource:
 apiVersion: wgpolicyk8s.io/v1alpha2
 kind: PolicyReport
- metadata:
- name: cpol-disallow-proc-mount
 summary:
 error: 0
 fail: 0
diff --git a/pod-security/restricted/disallow-capabilities-strict/e2e/chainsaw-test.yaml b/pod-security/restricted/disallow-capabilities-strict/e2e/chainsaw-test.yaml
index cb22dc47..73d7ebe6 100644
--- a/pod-security/restricted/disallow-capabilities-strict/e2e/chainsaw-test.yaml
+++ b/pod-security/restricted/disallow-capabilities-strict/e2e/chainsaw-test.yaml
@@ -22,8 +22,6 @@ spec:
 resource:
 apiVersion: wgpolicyk8s.io/v1alpha2
 kind: PolicyReport
- metadata:
- name: cpol-disallow-capabilities-strict
 summary:
 error: 0
 fail: 0
diff --git a/pod-security/restricted/disallow-privilege-escalation/e2e/chainsaw-test.yaml b/pod-security/restricted/disallow-privilege-escalation/e2e/chainsaw-test.yaml
index 703dcc9f..341ecc65 100644
--- a/pod-security/restricted/disallow-privilege-escalation/e2e/chainsaw-test.yaml
+++ b/pod-security/restricted/disallow-privilege-escalation/e2e/chainsaw-test.yaml
@@ -22,8 +22,6 @@ spec:
 resource:
 apiVersion: wgpolicyk8s.io/v1alpha2
 kind: PolicyReport
- metadata:
- name: cpol-disallow-privilege-escalation
 summary:
 error: 0
 fail: 0
diff --git a/pod-security/restricted/require-run-as-nonroot/e2e/chainsaw-test.yaml b/pod-security/restricted/require-run-as-nonroot/e2e/chainsaw-test.yaml
index 45755c90..bfacc595 100644
--- a/pod-security/restricted/require-run-as-nonroot/e2e/chainsaw-test.yaml
+++ b/pod-security/restricted/require-run-as-nonroot/e2e/chainsaw-test.yaml
@@ -22,8 +22,6 @@ spec:
 resource:
 apiVersion: wgpolicyk8s.io/v1alpha2
 kind: PolicyReport
- metadata:
- name: cpol-require-run-as-nonroot
 summary:
 error: 0
 fail: 0
From 2d7fbbd6096b5f23c63f52ad844b96f97beea8b9 Mon Sep 17 00:00:00 2001
From: nsathyaseelan
Date: Wed, 21 Feb 2024 16:16:14 +0530
Subject: [PATCH 6/7] Updated the chart versions in the chainsaw test
Signed-off-by: nsathyaseelan
---
 .github/workflows/chainsaw-e2e.yaml | 8 +++-----
 Makefile | 6 +-----
 2 files changed, 4 insertions(+), 10 deletions(-)
diff --git a/.github/workflows/chainsaw-e2e.yaml b/.github/workflows/chainsaw-e2e.yaml
index 1735cc1a..3c7b189c 100644
--- a/.github/workflows/chainsaw-e2e.yaml
+++ b/.github/workflows/chainsaw-e2e.yaml
@@ -19,11 +19,9 @@ jobs:
 strategy:
 fail-fast: false
 matrix:
- k8s-version: [v1.29.2, v1.28.7, v1.27.11, v1.26.14, v1.25.16]
- # For n4k-versions 1.10, and 1.11
- # "devel" refers to the RC version.
- # If there are no new RC versions available, it installs the latest n4k version.
- n4k-chart-version: [3.0.18, 3.1.1, devel]
+ k8s-version: [v1.29.2, v1.28.7, v1.27.11, v1.26.14, v1.25.16, v1.24.12, v1.23.1]
+ # For n4k-versions 1.9
+ n4k-chart-version: [1.6.11]
 steps:
 - name: Checkout
diff --git a/Makefile b/Makefile
index cc90d06a..2dea7295 100644
--- a/Makefile
+++ b/Makefile
@@ -55,11 +55,7 @@ kind-deploy-kyverno: $(HELM)
 @echo Install kyverno chart... >&2
 @$(HELM) repo add nirmata https://nirmata.github.io/kyverno-charts
 @$(HELM) repo update
- @if [ "$(N4K_VERSION)" = "devel" ]; then \
- $(HELM) install kyverno nirmata/kyverno -n kyverno --create-namespace --devel; \
- else \
- $(HELM) install kyverno nirmata/kyverno -n kyverno --create-namespace --version=$(N4K_VERSION); \
- fi
+ @$(HELM) install kyverno nirmata/kyverno -n kyverno --create-namespace --version=$(N4K_VERSION)
 ## Check Kyverno status
 .PHONY: wait-for-kyverno
From 3be0934f32217418b3cd20fe2619cfd5d662be74 Mon Sep 17 00:00:00 2001
From: nsathyaseelan
Date: Wed, 21 Feb 2024 16:51:22 +0530
Subject: [PATCH 7/7] Updated the supported k8s version
Signed-off-by: nsathyaseelan
---
 .github/workflows/chainsaw-e2e.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/chainsaw-e2e.yaml b/.github/workflows/chainsaw-e2e.yaml
index 3c7b189c..2c9d3646 100644
--- a/.github/workflows/chainsaw-e2e.yaml
+++ b/.github/workflows/chainsaw-e2e.yaml
@@ -19,7 +19,7 @@ jobs:
 strategy:
 fail-fast: false
 matrix:
- k8s-version: [v1.29.2, v1.28.7, v1.27.11, v1.26.14, v1.25.16, v1.24.12, v1.23.1]
+ k8s-version: [v1.29.2, v1.28.7, v1.27.11, v1.26.14, v1.25.16, v1.24.12, v1.23.17]
 # For n4k-versions 1.9
 n4k-chart-version: [1.6.11]