Merge branch 'main' into miscellaneous-policies-cel-part-4

Signed-off-by: Chandan-DK <chandandk468@gmail.com>

.github/kind.yml

@@ -1,5 +1,7 @@
 kind: Cluster
 apiVersion: kind.x-k8s.io/v1alpha4
+featureGates:
+  ProcMountType: true
 kubeadmConfigPatches:
   - |-
     kind: ClusterConfiguration

.github/workflows/check-actions.yaml

@@ -16,9 +16,9 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
       - name: Ensure SHA pinned actions
-        uses: zgosalvez/github-actions-ensure-sha-pinned-actions@76d1d8e0b075d7190b5d59b86da91c7bdbcc99b2 # v3.0.7
+        uses: zgosalvez/github-actions-ensure-sha-pinned-actions@b88cd0aad2c36a63e42c71f81cb1958fed95ac87 # v3.0.10
         with:
           allowlist: |
             kyverno/chainsaw

.github/workflows/ci.yml

@@ -23,7 +23,7 @@ jobs:
       options: --user root
     steps:
       - name: Checkout code
-        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
         with:
           path: policies
       - name: Run ah lint
@@ -33,21 +33,21 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
         with:
           path: policies
       - name: Validate all policies
         run: ./.hack/verify-files-structure.sh
         working-directory: policies
       - name: Clone Kyverno
-        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
         with:
           repository: kyverno/kyverno
           path: kyverno
           # The target branch of a pull request or the branch/tag of a push
           ref: ${{ github.base_ref || github.ref_name }}
       - name: Set up Go 
-        uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
+        uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
         with:
           go-version: ~1.21.1
       - name: Test Policy
@@ -58,18 +58,18 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
         with:
           path: policies
       - name: Checkout Kyverno
-        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
         with:
           repository: kyverno/kyverno
           path: kyverno
           # The target branch of a pull request or the branch/tag of a push
           ref: ${{ github.base_ref || github.ref_name }}
       - name: Set up Go 
-        uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
+        uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
         with:
           go-version: ~1.21.1
       - name: Lint policies

.github/workflows/test.yml

@@ -44,14 +44,20 @@ jobs:
           - ^flux$
           - ^flux-cel$
           - ^istio$
+          - ^istio-cel$
           - ^karpenter$
           - ^kasten$
+          - ^kasten-cel$
           - ^kubecost$
+          - ^kubecost-cel$
           - ^kubeops$
           - ^kubevirt$
           - ^linkerd$
+          - ^linkerd-cel$
           - ^nginx-ingress$
+          - ^nginx-ingress-cel$
           - ^openshift$
+          - ^openshift-cel$
           - ^other$/^a
           - ^other-cel$/^a
           - ^other$/^[b-d]
@@ -65,24 +71,26 @@ jobs:
           - ^other$/^res
           - ^other-cel$/^res
           - ^other$/^[s-z]
-          - ^other-cel$/^res
+          - ^other-cel$/^[s-z]
           - ^pod-security$
           - ^pod-security-cel$
           - ^psa$
+          - ^psa-cel$
           - ^psp-migration$
           - ^psp-migration-cel$
           - ^tekton$
           - ^tekton-cel$
           - ^traefik$
+          - ^traefik-cel$
           - ^velero$
           - ^velero-cel$
     runs-on: ubuntu-latest
     name: ${{ matrix.k8s-version.name }} - ${{ matrix.tests }}
     steps:
       - name: Checkout
-        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
       - name: Setup Go
-        uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
+        uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
         with:
           go-version: ~1.21.1
       - name: Install Tools
@@ -119,7 +127,7 @@ jobs:
           set -e
           kubectl apply -f ./.chainsaw/crds
       - name: Install Chainsaw
-        uses: kyverno/action-install-chainsaw@dd64b5d7b2b7d36fdf701d48ac8b216aa94414db # v0.2.4
+        uses: kyverno/action-install-chainsaw@5d00c353f61f44f3b492c673420202d1b1374c3f # v0.2.6
       - name: Test with Chainsaw
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

cleanup/cleanup-bare-pods/.chainsaw-test/chainsaw-step-02-assert-1.yaml

@@ -0,0 +1,4 @@
+apiVersion: kyverno.io/v2beta1
+kind: ClusterCleanupPolicy
+metadata:
+  name: clean-bare-pods

cleanup/cleanup-bare-pods/.chainsaw-test/chainsaw-test.yaml

@@ -0,0 +1,38 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  name: cleanup-bare-pods
+spec:
+  steps:
+    - name: apply cluster role
+      try:
+        - apply:
+            file: cluster-role.yaml
+    - name: create a bare pod
+      try:
+        - apply:
+            file: pod.yaml
+        - assert:
+            file: pod.yaml
+    - name: apply cleanup policy
+      try:
+        - apply:
+            file: ../cleanup-bare-pods.yaml
+        - patch:
+            resource:
+              apiVersion: kyverno.io/v2beta1
+              kind: ClusterCleanupPolicy
+              metadata:
+                name: clean-bare-pods
+              spec:
+                schedule: "*/1 * * * *"
+        - assert:
+            file: chainsaw-step-02-assert-1.yaml
+    - name: wait for scheduled deletion
+      try:
+        - sleep:
+            duration: 1m30s
+    - name: check for bare pod
+      try:
+        - error:
+            file: pod.yaml

kasten/k10-generate-gold-backup-policy/.chainsaw-test/chainsaw-step-01-apply-1.yaml → cleanup/cleanup-bare-pods/.chainsaw-test/cluster-role.yaml

@@ -1,17 +1,20 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
+  namespace: kyverno
   labels:
-    app.kubernetes.io/component: background-controller
+    app.kubernetes.io/component: cleanup-controller
     app.kubernetes.io/instance: kyverno
     app.kubernetes.io/part-of: kyverno
-  name: kyverno:background-controller:k10-goldbackuppolicy
+  name: kyverno:cleanup-controller:barepods
 rules:
 - apiGroups:
-  - config.kio.kasten.io
+  - ""
   resources:
-  - policies
+  - pods
   verbs:
-  - create
-  - update
+  - get
+  - watch
+  - list
   - delete
+

cleanup/cleanup-bare-pods/.chainsaw-test/pod.yaml

@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: bare-pod
+spec:
+  containers:
+    - name: nginx
+      image: nginx:1.14.1

istio-cel/enforce-sidecar-injection-namespace/.chainsaw-test/chainsaw-test.yaml

@@ -0,0 +1,41 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  creationTimestamp: null
+  name: enforce-sidecar-injection-namespace
+spec:
+  steps:
+  - name: step-01
+    try:
+    - apply:
+        file: ../enforce-sidecar-injection-namespace.yaml
+    - patch:
+        resource:
+          apiVersion: kyverno.io/v1
+          kind: ClusterPolicy
+          metadata:
+            name: enforce-sidecar-injection-namespace
+          spec:
+            validationFailureAction: Enforce
+    - assert:
+        file: policy-ready.yaml
+  - name: step-02
+    try:
+    - apply:
+        file: ns-good.yaml
+    - apply:
+        expect:
+        - check:
+            ($error != null): true
+        file: ns-bad-disabled.yaml
+    - apply:
+        expect:
+        - check:
+            ($error != null): true
+        file: ns-bad-nolabel.yaml
+    - apply:
+        expect:
+        - check:
+            ($error != null): true
+        file: ns-bad-somelabel.yaml

istio-cel/enforce-sidecar-injection-namespace/.chainsaw-test/ns-bad-disabled.yaml

@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  labels:
+    istio-injection: disabled
+  name: bad-istio-sinj01

istio-cel/enforce-sidecar-injection-namespace/.chainsaw-test/ns-bad-nolabel.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: bad-istio-sinj03

istio-cel/enforce-sidecar-injection-namespace/.chainsaw-test/ns-bad-somelabel.yaml

@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  labels:
+    foo: enabled
+  name: bad-istio-sinj02

istio-cel/enforce-sidecar-injection-namespace/.chainsaw-test/ns-good.yaml

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  labels:
+    istio-injection: enabled
+  name: good-istio-sinj01
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  labels:
+    foo: disabled
+    istio-injection: enabled
+    bar: enabled
+  name: good-istio-sinj02

istio-cel/enforce-sidecar-injection-namespace/.chainsaw-test/policy-ready.yaml

@@ -0,0 +1,6 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: enforce-sidecar-injection-namespace
+status:
+  ready: true

istio-cel/enforce-sidecar-injection-namespace/.kyverno-test/kyverno-test.yaml

@@ -0,0 +1,28 @@
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  name: enforce-sidecar-injection-namespace
+policies:
+- ../enforce-sidecar-injection-namespace.yaml
+resources:
+- ../.chainsaw-test/ns-bad-disabled.yaml
+- ../.chainsaw-test/ns-bad-nolabel.yaml
+- ../.chainsaw-test/ns-bad-somelabel.yaml
+- ../.chainsaw-test/ns-good.yaml
+results:
+- policy: enforce-sidecar-injection-namespace
+  rule: check-istio-injection-enabled
+  kind: Namespace
+  resources:
+  - bad-istio-sinj01
+  - bad-istio-sinj02
+  - bad-istio-sinj03
+  result: fail
+- policy: enforce-sidecar-injection-namespace
+  rule: check-istio-injection-enabled
+  kind: Namespace
+  resources:
+  - good-istio-sinj01
+  - good-istio-sinj02
+  result: pass
+

istio-cel/enforce-sidecar-injection-namespace/artifacthub-pkg.yml

@@ -0,0 +1,24 @@
+name: enforce-sidecar-injection-namespace-cel
+version: 1.0.0
+displayName: Enforce Istio Sidecar Injection in CEL expressions
+description: >-
+  In order for Istio to inject sidecars to workloads deployed into Namespaces, the label `istio-injection` must be set to `enabled`. This policy ensures that all new Namespaces set `istio-inject` to `enabled`.
+install: |-
+  ```shell
+  kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/istio-cel/enforce-sidecar-injection-namespace/enforce-sidecar-injection-namespace.yaml
+  ```
+keywords:
+  - kyverno
+  - Istio
+  - CEL Expressions
+readme: |
+  In order for Istio to inject sidecars to workloads deployed into Namespaces, the label `istio-injection` must be set to `enabled`. This policy ensures that all new Namespaces set `istio-inject` to `enabled`.
+  
+  Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/
+annotations:
+  kyverno/category: "Istio in CEL"
+  kyverno/kubernetesVersion: "1.26-1.27"
+  kyverno/subject: "Namespace"
+digest: 123feb2a8d1b2743e33b1f91ddf7291c47eedcf2c24ae537a1d3afe6c503338d
+createdAt: "2024-05-12T04:38:32Z"
+

istio-cel/enforce-sidecar-injection-namespace/enforce-sidecar-injection-namespace.yaml

@@ -0,0 +1,34 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: enforce-sidecar-injection-namespace
+  annotations:
+    policies.kyverno.io/title: Enforce Istio Sidecar Injection in CEL expressions
+    policies.kyverno.io/category: Istio in CEL 
+    policies.kyverno.io/severity: medium
+    kyverno.io/kyverno-version: 1.11.0
+    policies.kyverno.io/minversion: 1.11.0
+    kyverno.io/kubernetes-version: "1.26-1.27"
+    policies.kyverno.io/subject: Namespace
+    policies.kyverno.io/description: >-
+      In order for Istio to inject sidecars to workloads deployed into Namespaces, the label
+      `istio-injection` must be set to `enabled`. This policy ensures that all new Namespaces
+      set `istio-inject` to `enabled`.
+spec:
+  validationFailureAction: Audit
+  background: true
+  rules:
+  - name: check-istio-injection-enabled
+    match:
+      any:
+      - resources:
+          kinds:
+          - Namespace
+          operations:
+          - CREATE
+    validate:
+      cel:
+        expressions:
+          - expression: "has(object.metadata.labels) && 'istio-injection' in object.metadata.labels && object.metadata.labels['istio-injection'] == 'enabled'"
+            message: "All new Namespaces must have Istio sidecar injection enabled."
+