feat(ps): add mutate pod security policies
Signed-off-by: Khaled Emara <mail@KhaledEmara.dev>
KhaledEmaraDev committed Aug 12, 2024
1 parent 412727e commit 2716aae
Showing 28 changed files with 1,272 additions and 0 deletions.
@@ -0,0 +1,6 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: set-privilege-escalation
status:
ready: true
@@ -0,0 +1,28 @@
# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
apiVersion: chainsaw.kyverno.io/v1alpha1
kind: Test
metadata:
creationTimestamp: null
name: set-privilege-escalation
spec:
steps:
- name: step-01
try:
- apply:
file: ../set-privilege-escalation.yaml
- patch:
resource:
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: set-privilege-escalation
spec:
validationFailureAction: Enforce
- assert:
file: chainsaw-step-01-assert-1.yaml
- name: step-02
try:
- apply:
file: pod-bad.yaml
- assert:
file: pod-bad-assert.yaml
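Review bot: The `validationFailureAction: Enforce` patch in step-01 only governs validate rules, so if set-privilege-escalation.yaml (not on this page) contains only mutate rules the patch is inert and reads as scaffold residue; either drop the `patch` entry or say why it stays, e.g. `# validationFailureAction has no effect on mutate rules; kept for parity with the other chainsaw tests`. step-02 exercises bare Pods only; if the policy relies on autogen to reach pod controllers, a Deployment or Job case in pod-bad.yaml would confirm the mutation is applied to the pod template as well.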
@@ -0,0 +1,80 @@
apiVersion: v1
kind: Pod
metadata:
name: badpod01
spec:
containers:
- name: container01
image: busybox:1.35
---
apiVersion: v1
kind: Pod
metadata:
name: badpod02
spec:
containers:
- name: container01
image: busybox:1.35
securityContext:
allowPrivilegeEscalation: false
---
apiVersion: v1
kind: Pod
metadata:
name: badpod03
spec:
containers:
- name: container01
image: busybox:1.35
- name: container02
image: busybox:1.35
securityContext:
allowPrivilegeEscalation: false
---
apiVersion: v1
kind: Pod
metadata:
name: badpod04
spec:
containers:
- name: container01
image: busybox:1.35
securityContext:
allowPrivilegeEscalation: false
- name: container02
image: busybox:1.35
securityContext:
allowPrivilegeEscalation: false
---
apiVersion: v1
kind: Pod
metadata:
name: badpod05
spec:
initContainers:
- name: initcontainer01
image: busybox:1.35
containers:
- name: container01
image: busybox:1.35
securityContext:
allowPrivilegeEscalation: false
---
apiVersion: v1
kind: Pod
metadata:
name: badpod06
spec:
initContainers:
- name: initcontainer01
image: busybox:1.35
- name: initcontainer02
image: busybox:1.35
securityContext:
allowPrivilegeEscalation: false
containers:
- name: container01
image: busybox:1.35
securityContext:
allowPrivilegeEscalation: false
---
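Review bot: badpod01, badpod03/container01 and badpod05/initcontainer01 are asserted to remain without any `securityContext` after mutation, and the CLI test results further down pin the same outcome with `result: skip` for those pods, so the policy (not on this page) is only expected to rewrite an explicit `allowPrivilegeEscalation: true`. Kubernetes treats an unset field as permitting escalation — the restricted Pod Security Standard requires it to be set to `false` explicitly — so containers that omit a securityContext are left unmitigated by this mutation. If that narrower scope is intentional, record it in the fixture, e.g. `# containers with no securityContext are deliberately left untouched: the policy only flips an explicit true`; if not, these pods should expect `allowPrivilegeEscalation: false` to be added and the corresponding CLI results should become `pass`.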
@@ -0,0 +1,80 @@
apiVersion: v1
kind: Pod
metadata:
name: badpod01
spec:
containers:
- name: container01
image: busybox:1.35
---
apiVersion: v1
kind: Pod
metadata:
name: badpod02
spec:
containers:
- name: container01
image: busybox:1.35
securityContext:
allowPrivilegeEscalation: true
---
apiVersion: v1
kind: Pod
metadata:
name: badpod03
spec:
containers:
- name: container01
image: busybox:1.35
- name: container02
image: busybox:1.35
securityContext:
allowPrivilegeEscalation: false
---
apiVersion: v1
kind: Pod
metadata:
name: badpod04
spec:
containers:
- name: container01
image: busybox:1.35
securityContext:
allowPrivilegeEscalation: true
- name: container02
image: busybox:1.35
securityContext:
allowPrivilegeEscalation: false
---
apiVersion: v1
kind: Pod
metadata:
name: badpod05
spec:
initContainers:
- name: initcontainer01
image: busybox:1.35
containers:
- name: container01
image: busybox:1.35
securityContext:
allowPrivilegeEscalation: false
---
apiVersion: v1
kind: Pod
metadata:
name: badpod06
spec:
initContainers:
- name: initcontainer01
image: busybox:1.35
- name: initcontainer02
image: busybox:1.35
securityContext:
allowPrivilegeEscalation: true
containers:
- name: container01
image: busybox:1.35
securityContext:
allowPrivilegeEscalation: false
---
@@ -0,0 +1,45 @@
apiVersion: cli.kyverno.io/v1alpha1
kind: Test
metadata:
name: set-privilege-escalation
policies:
- ../set-privilege-escalation.yaml
resources:
- resource.yaml
results:
- policy: set-privilege-escalation
rule: set-containers-privilege-escalation-to-false
kind: Pod
resource: badpod01
patchedResource: patched-resource-01.yaml
result: skip
- policy: set-privilege-escalation
rule: set-containers-privilege-escalation-to-false
kind: Pod
resource: badpod02
patchedResource: patched-resource-02.yaml
result: pass
- policy: set-privilege-escalation
rule: set-containers-privilege-escalation-to-false
kind: Pod
resource: badpod03
patchedResource: patched-resource-03.yaml
result: skip
- policy: set-privilege-escalation
rule: set-containers-privilege-escalation-to-false
kind: Pod
resource: badpod04
patchedResource: patched-resource-04.yaml
result: pass
- policy: set-privilege-escalation
rule: set-containers-privilege-escalation-to-false
kind: Pod
resource: badpod05
patchedResource: patched-resource-05.yaml
result: skip
- policy: set-privilege-escalation
rule: set-initContainers-privilege-escalation-to-false
kind: Pod
resource: badpod06
patchedResource: patched-resource-06.yaml
result: pass
@@ -0,0 +1,8 @@
apiVersion: v1
kind: Pod
metadata:
name: badpod01
spec:
containers:
- name: container01
image: dummyimagename
@@ -0,0 +1,10 @@
apiVersion: v1
kind: Pod
metadata:
name: badpod02
spec:
containers:
- name: container01
image: dummyimagename
securityContext:
allowPrivilegeEscalation: false
@@ -0,0 +1,12 @@
apiVersion: v1
kind: Pod
metadata:
name: badpod03
spec:
containers:
- name: container01
image: dummyimagename
- name: container02
image: dummyimagename
securityContext:
allowPrivilegeEscalation: false
@@ -0,0 +1,14 @@
apiVersion: v1
kind: Pod
metadata:
name: badpod04
spec:
containers:
- name: container01
image: dummyimagename
securityContext:
allowPrivilegeEscalation: false
- name: container02
image: dummyimagename
securityContext:
allowPrivilegeEscalation: false
@@ -0,0 +1,13 @@
apiVersion: v1
kind: Pod
metadata:
name: badpod05
spec:
initContainers:
- name: initcontainer01
image: dummyimagename
containers:
- name: container01
image: dummyimagename
securityContext:
allowPrivilegeEscalation: false
@@ -0,0 +1,17 @@
apiVersion: v1
kind: Pod
metadata:
name: badpod06
spec:
initContainers:
- name: initcontainer01
image: dummyimagename
- name: initcontainer02
image: dummyimagename
securityContext:
allowPrivilegeEscalation: false
containers:
- name: container01
image: dummyimagename
securityContext:
allowPrivilegeEscalation: false