feat: add miscellaneous policies in CEL expressions - Part 1 (#981)

* add argo-cel folder to CI tests

Signed-off-by: Chandan-DK <chandandk468@gmail.com>

* copy application-field-validation

Signed-off-by: Chandan-DK <chandandk468@gmail.com>

* add kyverno tests for application-field-validation

Signed-off-by: Chandan-DK <chandandk468@gmail.com>

* convert application-field-validation

Signed-off-by: Chandan-DK <chandandk468@gmail.com>

* copy application-prevent-default-project

Signed-off-by: Chandan-DK <chandandk468@gmail.com>

* add kyverno tests for application-prevent-default-project

Signed-off-by: Chandan-DK <chandandk468@gmail.com>

* convert application-prevent-default-project

Signed-off-by: Chandan-DK <chandandk468@gmail.com>

* copy applicationset-name-matches-project

Signed-off-by: Chandan-DK <chandandk468@gmail.com>

* convert applicationset-name-matches-project

Signed-off-by: Chandan-DK <chandandk468@gmail.com>

* add kyverno tests for applicationset-name-matches-project

Signed-off-by: Chandan-DK <chandandk468@gmail.com>

* copy appproject-clusterresourceblacklist

Signed-off-by: Chandan-DK <chandandk468@gmail.com>

* convert appproject-clusterresourceblacklist

Signed-off-by: Chandan-DK <chandandk468@gmail.com>

* copy application-prevent-updates-project

Signed-off-by: Chandan-DK <chandandk468@gmail.com>

* convert application-prevent-updates-project

Signed-off-by: Chandan-DK <chandandk468@gmail.com>

* enforce-min-tls-version

Signed-off-by: Chandan-DK <chandandk468@gmail.com>

* convert enforce-min-tls-version

Signed-off-by: Chandan-DK <chandandk468@gmail.com>

* add CI test for consul directory

Signed-off-by: Chandan-DK <chandandk468@gmail.com>

* copy verify-flux-sources

Signed-off-by: Chandan-DK <chandandk468@gmail.com>

* rename chainsaw resources for clarity

Signed-off-by: Chandan-DK <chandandk468@gmail.com>

* add kyverno tests for verify-flux-sources

Signed-off-by: Chandan-DK <chandandk468@gmail.com>

* convert verify-flux-sources

Signed-off-by: Chandan-DK <chandandk468@gmail.com>

* copy verify-git-repositories

Signed-off-by: Chandan-DK <chandandk468@gmail.com>

* rename chainsaw resources and add kyverno tests for verify-git-repositories

Signed-off-by: Chandan-DK <chandandk468@gmail.com>

* convert verify-git-repositories

Signed-off-by: Chandan-DK <chandandk468@gmail.com>

* add CI test for flux-cel

Signed-off-by: Chandan-DK <chandandk468@gmail.com>

* rename files for clarity

Signed-off-by: Chandan-DK <chandandk468@gmail.com>

* rename more files for clarity

Signed-off-by: Chandan-DK <chandandk468@gmail.com>

* copy require-encryption-aws-loadbalancers

Signed-off-by: Chandan-DK <chandandk468@gmail.com>

* rename files for clarity

Signed-off-by: Chandan-DK <chandandk468@gmail.com>

* add kyverno tests for require-encryption-aws-loadbalancers

Signed-off-by: Chandan-DK <chandandk468@gmail.com>

* convert require-encryption-aws-loadbalancer

Signed-off-by: Chandan-DK <chandandk468@gmail.com>

* add CI tests for aws-cel

Signed-off-by: Chandan-DK <chandandk468@gmail.com>

* remove unused file

Signed-off-by: Chandan-DK <chandandk468@gmail.com>

* update policies to specify CREATE and UPDATE operations

Signed-off-by: Chandan-DK <chandandk468@gmail.com>

---------

Signed-off-by: Chandan-DK <chandandk468@gmail.com>

.github/workflows/test.yml

@@ -30,15 +30,19 @@ jobs:
             version: v1.29.2
         tests:
           - ^argo$
+          - ^argo-cel$
           - ^aws$
+          - ^aws-cel$
           - ^best-practices$
           - ^best-practices-cel$
           - ^castai$
           - ^cert-manager$
           - ^cleanup$
           - ^consul$
+          - ^consul-cel$
           - ^external-secret-operator$
           - ^flux$
+          - ^flux-cel$
           - ^istio$
           - ^karpenter$
           - ^kasten$

argo-cel/application-field-validation/.chainsaw-test/README.md

@@ -0,0 +1,15 @@
+## Description
+
+This is an automated test of the sample policy in this directory.
+
+## Expected Behavior
+
+A policy report should be generated in which the following results are observed:
+
+* `badapp01` fails for the rule `source-path-chart` and passes for the rule `destination-server-name`
+* `badapp02` fails for the rule `destination-server-name` and passes for the rule `source-path-chart`
+* `goodapp01` passes for both rules
+
+## Reference Issue(s)
+
+N/A

argo-cel/application-field-validation/.chainsaw-test/bad-application.yaml

@@ -0,0 +1,31 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: badapp01
+  namespace: default
+spec:
+  project: foo
+  source:
+    repoURL: https://github.com/argoproj/argocd-example-apps.git
+    targetRevision: HEAD
+    path: guestbook
+    chart: foo
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: guestbook
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: badapp02
+  namespace: default
+spec:
+  project: bar
+  source:
+    repoURL: https://github.com/argoproj/argocd-example-apps.git
+    targetRevision: HEAD
+    path: guestbook
+  destination:
+    server: https://kubernetes.default.svc
+    name: foobar
+    namespace: guestbook

argo-cel/application-field-validation/.chainsaw-test/chainsaw-test.yaml

@@ -0,0 +1,35 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  creationTimestamp: null
+  name: application-field-validation
+spec:
+  steps:
+  - name: step-01
+    try:
+    - assert:
+        file: crd-assert.yaml
+  - name: step-02
+    try:
+    - apply:
+        file: ../application-field-validation.yaml
+    - patch:
+        resource:
+          apiVersion: kyverno.io/v1
+          kind: ClusterPolicy
+          metadata:
+            name: application-field-validation
+          spec:
+            validationFailureAction: Enforce
+    - assert:
+        file: policy-ready.yaml
+  - name: step-03
+    try:
+    - apply:
+        file: good-application.yaml
+    - apply:
+        expect:
+        - check:
+            ($error != null): true
+        file: bad-application.yaml

argo-cel/application-field-validation/.chainsaw-test/crd-assert.yaml

@@ -0,0 +1,13 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: applications.argoproj.io
+spec: {}
+status:
+  acceptedNames:
+    kind: Application
+    listKind: ApplicationList
+    plural: applications
+    singular: application
+  storedVersions:
+  - v1alpha1

argo-cel/application-field-validation/.chainsaw-test/good-application.yaml

@@ -0,0 +1,14 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: goodapp01
+  namespace: default
+spec:
+  project: biz
+  source:
+    repoURL: https://github.com/argoproj/argocd-example-apps.git
+    targetRevision: HEAD
+    path: guestbook
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: guestbook

argo-cel/application-field-validation/.chainsaw-test/policy-ready.yaml

@@ -0,0 +1,6 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: application-field-validation
+status:
+  ready: true

argo-cel/application-field-validation/.kyverno-test/kyverno-test.yaml

@@ -0,0 +1,35 @@
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  name: application-field-validation
+policies:
+- ../application-field-validation.yaml
+resources:
+- ../.chainsaw-test/bad-application.yaml
+- ../.chainsaw-test/good-application.yaml
+results:
+- policy: application-field-validation
+  rule: source-path-chart
+  kind: Application
+  resources:
+  - badapp01
+  result: fail
+- policy: application-field-validation
+  rule: destination-server-name
+  kind: Application
+  resources:
+  - badapp02
+  result: fail
+- policy: application-field-validation
+  rule: source-path-chart
+  kind: Application
+  resources:
+  - goodapp01
+  result: pass
+- policy: application-field-validation
+  rule: destination-server-name
+  kind: Application
+  resources:
+  - goodapp01
+  result: pass
+

argo-cel/application-field-validation/application-field-validation.yaml

@@ -0,0 +1,61 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: application-field-validation
+  annotations:
+    policies.kyverno.io/title: Application Field Validation in CEL expressions
+    policies.kyverno.io/category: Argo in CEL 
+    policies.kyverno.io/severity: medium
+    policies.kyverno.io/subject: Application
+    kyverno.io/kyverno-version: 1.11.0
+    policies.kyverno.io/minversion: 1.11.0
+    kyverno.io/kubernetes-version: "1.26-1.27"
+    policies.kyverno.io/description: >-
+      This policy performs some best practices validation on Application fields.
+      Path or chart must be specified but never both. And destination.name or
+      destination.server must be specified but never both.
+spec:
+  validationFailureAction: Audit
+  background: true
+  rules:
+    - name: source-path-chart
+      match:
+        any:
+        - resources:
+            kinds:
+            - Application
+            operations:
+            - CREATE
+            - UPDATE
+      validate:
+        cel:
+          expressions:
+            - expression: >-
+                has(object.spec.source) &&
+                (
+                  (has(object.spec.source.path) && !has(object.spec.source.chart)) ||
+                  (!has(object.spec.source.path) && has(object.spec.source.chart))
+                )
+              message: >-
+                `spec.source.path` OR `spec.source.chart` should be specified but never both.
+    - name: destination-server-name
+      match:
+        any:
+        - resources:
+            kinds:
+            - Application
+            operations:
+            - CREATE
+            - UPDATE
+      validate:
+        cel:
+          expressions:
+            - expression: >-
+                has(object.spec.destination) &&
+                (
+                  (has(object.spec.destination.server) && !has(object.spec.destination.name)) ||
+                  (!has(object.spec.destination.server) && has(object.spec.destination.name))
+                )
+              message: >-
+                `spec.destination.server` OR `spec.destination.name` should be specified but never both.
+

argo-cel/application-field-validation/artifacthub-pkg.yml

@@ -0,0 +1,23 @@
+name: application-field-validation-cel
+version: 1.0.0
+displayName: Application Field Validation in CEL expressions
+description: >-
+  This policy performs some best practices validation on Application fields. Path or chart must be specified but never both. And destination.name or destination.server must be specified but never both.
+install: |-
+  ```shell
+  kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/argo-cel/application-field-validation/application-field-validation.yaml
+  ```
+keywords:
+  - kyverno
+  - Argo
+  - CEL Expressions
+readme: |
+  This policy performs some best practices validation on Application fields. Path or chart must be specified but never both. And destination.name or destination.server must be specified but never both.
+  
+  Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/
+annotations:
+  kyverno/category: "Argo in CEL"
+  kyverno/kubernetesVersion: "1.26-1.27"
+  kyverno/subject: "Application"
+digest: e3256994e09731ea081230c85e0d6384a187d53377562b1c82ea9385cec0c4a4
+createdAt: "2024-04-30T15:34:03Z"

argo-cel/application-prevent-default-project/.chainsaw-test/bad-application.yaml

@@ -0,0 +1,14 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: badapp
+  namespace: default
+spec:
+  project: default
+  source:
+    repoURL: https://github.com/argoproj/argocd-example-apps.git
+    targetRevision: HEAD
+    path: guestbook
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: guestbook

argo-cel/application-prevent-default-project/.chainsaw-test/chainsaw-test.yaml

@@ -0,0 +1,35 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  creationTimestamp: null
+  name: application-prevent-default-project
+spec:
+  steps:
+  - name: step-01
+    try:
+    - assert:
+        file: crd-assert.yaml
+  - name: step-02
+    try:
+    - apply:
+        file: ../application-prevent-default-project.yaml
+    - patch:
+        resource:
+          apiVersion: kyverno.io/v1
+          kind: ClusterPolicy
+          metadata:
+            name: application-prevent-default-project
+          spec:
+            validationFailureAction: Enforce
+    - assert:
+        file: policy-ready.yaml
+  - name: step-03
+    try:
+    - apply:
+        file: good-application.yaml
+    - apply:
+        expect:
+        - check:
+            ($error != null): true
+        file: bad-application.yaml

argo-cel/application-prevent-default-project/.chainsaw-test/crd-assert.yaml

@@ -0,0 +1,13 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: applications.argoproj.io
+spec: {}
+status:
+  acceptedNames:
+    kind: Application
+    listKind: ApplicationList
+    plural: applications
+    singular: application
+  storedVersions:
+  - v1alpha1

argo-cel/application-prevent-default-project/.chainsaw-test/good-application.yaml

@@ -0,0 +1,14 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: goodapp
+  namespace: default
+spec:
+  project: biz
+  source:
+    repoURL: https://github.com/argoproj/argocd-example-apps.git
+    targetRevision: HEAD
+    path: guestbook
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: guestbook

argo-cel/application-prevent-default-project/.chainsaw-test/policy-ready.yaml

@@ -0,0 +1,6 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: application-prevent-default-project
+status:
+  ready: true

argo-cel/application-prevent-default-project/.kyverno-test/kyverno-test.yaml

@@ -0,0 +1,23 @@
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  name: application-prevent-default-project
+policies:
+- ../application-prevent-default-project.yaml
+resources:
+- ../.chainsaw-test/bad-application.yaml
+- ../.chainsaw-test/good-application.yaml
+results:
+- policy: application-prevent-default-project
+  rule: default-project
+  kind: Application
+  resources:
+  - badapp
+  result: fail
+- policy: application-prevent-default-project
+  rule: default-project
+  kind: Application
+  resources:
+  - goodapp
+  result: pass
+