diff --git a/.github/actions/install-crds/action.yaml b/.github/actions/install-crds/action.yaml
new file mode 100644
index 000000000..8618dc955
--- /dev/null
+++ b/.github/actions/install-crds/action.yaml
@@ -0,0 +1,10 @@
+name: "Install CRDs"
+description: "Installs all CRDs for chainsaw tests"
+runs:
+ using: "composite"
+ steps:
+ - name: Install CRDs
+ shell: bash
+ run: |
+ set -e
+ kubectl apply -f ./.chainsaw/crds
diff --git a/.github/actions/run-tests/action.yaml b/.github/actions/run-tests/action.yaml
index 9da5ca54e..a24e3ea54 100644
--- a/.github/actions/run-tests/action.yaml
+++ b/.github/actions/run-tests/action.yaml
@@ -1,9 +1,15 @@ name: "Runs E2E Tests" description: "Runs E2E tests using chainsaw" inputs:
+ k8s-version:
+ description: "Kubernetes version"
+ required: false tests: description: "Test regex" required: true
+ test-file:
+ description: "Name of the chainsaw test file"
+ default: chainsaw-test runs: using: "composite" steps:
@@ -13,4 +19,14 @@ runs: shell: bash run: | set -e
- chainsaw test --config .chainsaw.yaml --include-test-regex '^chainsaw$/${{ inputs.tests }}' --no-color=false
+
+ K8S_VERSION="${{ inputs.k8s-version }}"
+ TEST_FILE="${{ inputs.test-file }}"
+ TESTS="${{ inputs.tests }}"
+
+ if [[ "$TEST_FILE" == "chainsaw-test-vap" && -n "$K8S_VERSION" ]] &&
+ [[ "$K8S_VERSION" == "v1.26."* || "$K8S_VERSION" == "v1.27."* ]]; then
+ chainsaw test --config .chainsaw.yaml --include-test-regex '^chainsaw$/${{ inputs.tests }}' --test-file='${{ inputs.test-file }}' --no-color=false --selector='!skipForVapAlpha'
+ else
+ chainsaw test --config .chainsaw.yaml --include-test-regex '^chainsaw$/${{ inputs.tests }}' --test-file='${{ inputs.test-file }}' --no-color=false
+ fi
diff --git a/.github/actions/setup-env/action.yaml b/.github/actions/setup-env/action.yaml
index 8bdbd708a..ef9300f0d 100644
--- a/.github/actions/setup-env/action.yaml
+++ b/.github/actions/setup-env/action.yaml
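Review bot: In the run-tests hunk the new `TESTS` and `TEST_FILE` shell variables are assigned but never used; both `chainsaw test` invocations still splice `${{ inputs.tests }}` and `${{ inputs.test-file }}` straight into the script text, so the inputs are expanded twice and a value containing a quote alters the command instead of being passed as data. Pass the three inputs through the step's `env:` and reference only the shell variables, and build the argument list once so the two branches differ by nothing but the `--selector` flag. The step header (`- name:`, `shell: bash`) where `env:` belongs is outside this hunk.
```yaml
      env:
        K8S_VERSION: ${{ inputs.k8s-version }}
        TEST_FILE: ${{ inputs.test-file }}
        TESTS: ${{ inputs.tests }}
      run: |
        set -e
        ARGS=(test --config .chainsaw.yaml --include-test-regex "^chainsaw$/${TESTS}" --test-file="${TEST_FILE}" --no-color=false)
        if [[ "$TEST_FILE" == "chainsaw-test-vap" && ( "$K8S_VERSION" == v1.26.* || "$K8S_VERSION" == v1.27.* ) ]]; then
          ARGS+=(--selector='!skipForVapAlpha')
        fi
        chainsaw "${ARGS[@]}"
```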
@@ -40,12 +40,6 @@ runs: set -e kubectl create -f https://github.com/kyverno/kyverno/raw/main/config/install-latest-testing.yaml - name: Wait for kyverno ready - shell: bash - run: | - set -e - kubectl wait --namespace kyverno --for=condition=ready pod --selector '!job-name' --timeout=60s
+ uses: ./.github/actions/wait-for-kyverno-ready - name: Install CRDs - shell: bash - run: | - set -e - kubectl apply -f ./.chainsaw/crds
+ uses: ./.github/actions/install-crds
diff --git a/.github/actions/wait-for-kyverno-ready/action.yaml b/.github/actions/wait-for-kyverno-ready/action.yaml
new file mode 100644
index 000000000..65b3e1d73
--- /dev/null
+++ b/.github/actions/wait-for-kyverno-ready/action.yaml
@@ -0,0 +1,10 @@
+name: "Wait for Kyverno To Become Ready"
+description: "Waits for Kyverno to become ready before running chainsaw tests"
+runs:
+ using: "composite"
+ steps:
+ - name: Wait for kyverno ready
+ shell: bash
+ run: |
+ set -e
+ kubectl wait --namespace kyverno --for=condition=ready pod --selector '!job-name' --timeout=60s
diff --git a/.github/scripts/config/generate-validating-admission-policy/generate-vap-cr.yaml b/.github/scripts/config/generate-validating-admission-policy/generate-vap-cr.yaml
new file mode 100644
index 000000000..d05d01809
--- /dev/null
+++ b/.github/scripts/config/generate-validating-admission-policy/generate-vap-cr.yaml
@@ -0,0 +1,19 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ labels:
+ app.kubernetes.io/component: admission-controller
+ app.kubernetes.io/instance: kyverno
+ app.kubernetes.io/part-of: kyverno
+ name: kyverno:generate-validatingadmissionpolicy
+rules:
+- apiGroups:
+ - admissionregistration.k8s.io
+ resources:
+ - validatingadmissionpolicies
+ - validatingadmissionpolicybindings
+ verbs:
+ - create
+ - update
+ - delete
+ - list
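Review bot: generate-vap-cr.yaml creates a ClusterRole but no ClusterRoleBinding, so it can only take effect if Kyverno's admission-controller role aggregates roles carrying the `app.kubernetes.io/component: admission-controller` and `app.kubernetes.io/part-of: kyverno` labels; that appears to be what the labels are for, but nothing says so, and a reader may drop them as cosmetic. Add a comment above `metadata.labels`, e.g. `# picked up by aggregation into Kyverno's admission-controller ClusterRole; no binding needed`. The rule grants `create`/`update`/`delete`/`list` but neither `get` nor `watch`; if the controller reconciles the generated policies through an informer this will show up as RBAC denials in its logs rather than a failed test, so the verb set is worth confirming against what the controller actually does.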
diff --git a/.github/scripts/config/generate-validating-admission-policy/install-kyverno.sh b/.github/scripts/config/generate-validating-admission-policy/install-kyverno.sh
new file mode 100755
index 000000000..5385560f9
--- /dev/null
+++ b/.github/scripts/config/generate-validating-admission-policy/install-kyverno.sh
@@ -0,0 +1,15 @@
+#!/bin/bash
+
+set -e
+
+echo -e "\nDownloading the latest Kyverno installation YAML file..."
+wget -O install-latest-testing.yaml https://github.com/kyverno/kyverno/raw/main/config/install-latest-testing.yaml
+
+echo -e "\nEnabling Validating Admission Policy generation..."
+sed -i 's/--generateValidatingAdmissionPolicy=false/--generateValidatingAdmissionPolicy=true/g' ./install-latest-testing.yaml
+
+echo -e "\nInstalling Kyverno in the cluster..."
+kubectl create -f ./install-latest-testing.yaml
+
+echo -e "\nGranting permissions to Kyverno for VAP generation..."
+kubectl create -f ./.github/scripts/config/generate-validating-admission-policy/generate-vap-cr.yaml
diff --git a/.github/scripts/config/kind/vap-v1alpha1.yaml b/.github/scripts/config/kind/vap-v1alpha1.yaml
new file mode 100644
index 000000000..a32c5fab0
--- /dev/null
+++ b/.github/scripts/config/kind/vap-v1alpha1.yaml
@@ -0,0 +1,11 @@
+kind: Cluster
+apiVersion: kind.x-k8s.io/v1alpha4
+featureGates:
+ ValidatingAdmissionPolicy: true
+runtimeConfig:
+ admissionregistration.k8s.io/v1alpha1: true
+nodes:
+ - role: control-plane
+ - role: worker
+ - role: worker
+ - role: worker
\ No newline at end of file
diff --git a/.github/scripts/config/kind/vap-v1beta1.yaml b/.github/scripts/config/kind/vap-v1beta1.yaml
new file mode 100644
index 000000000..42610882e
--- /dev/null
+++ b/.github/scripts/config/kind/vap-v1beta1.yaml
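Review bot: The `sed -i` in install-kyverno.sh succeeds even when `--generateValidatingAdmissionPolicy=false` is absent from the downloaded manifest, so a renamed or removed upstream flag would install Kyverno without VAP generation and the failure would only surface later as step-02 assertion timeouts. Verify the substitution before installing: `grep -q -- '--generateValidatingAdmissionPolicy=true' ./install-latest-testing.yaml || { echo 'VAP flag not found in manifest' >&2; exit 1; }`. The manifest is fetched from the unpinned `main` ref of the upstream repository (as setup-env already does), so a run's result depends on whatever is at HEAD at that moment; a `KYVERNO_REF="${KYVERNO_REF:-main}"` variable substituted into the URL would let a failing run be pinned while bisecting. `set -e` alone leaves unset variables and pipeline failures unchecked; `set -euo pipefail` is the usual choice for a CI script.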
@@ -0,0 +1,12 @@
+kind: Cluster
+apiVersion: kind.x-k8s.io/v1alpha4
+featureGates:
+ ValidatingAdmissionPolicy: true
+runtimeConfig:
+ admissionregistration.k8s.io/v1beta1: true
+ admissionregistration.k8s.io/v1alpha1: true
+nodes:
+ - role: control-plane
+ - role: worker
+ - role: worker
+ - role: worker
\ No newline at end of file
diff --git a/.github/workflows/cel-test.yml b/.github/workflows/cel-test.yml
index ec7564140..fa9d66990 100644
--- a/.github/workflows/cel-test.yml
+++ b/.github/workflows/cel-test.yml
@@ -63,3 +63,73 @@ jobs: uses: ./.github/actions/run-tests with: tests: ${{ matrix.tests }}
+
+ validatingadmissionpolicies-v1alpha1:
+ runs-on: ubuntu-latest
+ strategy:
+ fail-fast: false
+ matrix:
+ k8s-version:
+ - name: v1.27
+ version: v1.27.13
+ tests:
+ - ^pod-security-cel$
+ name: ${{ matrix.k8s-version.name }} - validating-admission-policies - ${{ matrix.tests }}
+ steps:
+ - name: Checkout
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ - name: Create kind cluster
+ uses: helm/kind-action@0025e74a8c7512023d06dc019c617aa3cf561fde # v1.10.0
+ with:
+ node_image: kindest/node:${{ matrix.k8s-version.version }}
+ cluster_name: kind
+ config: ./.github/scripts/config/kind/vap-v1alpha1.yaml
+ - name: Install latest kyverno with VAP generation enabled
+ run: ./.github/scripts/config/generate-validating-admission-policy/install-kyverno.sh
+ - name: Wait for kyverno ready
+ uses: ./.github/actions/wait-for-kyverno-ready
+ - name: Install CRDs
+ uses: ./.github/actions/install-crds
+ - name: Run VAP tests
+ uses: ./.github/actions/run-tests
+ with:
+ tests: ${{ matrix.tests }}
+ test-file: chainsaw-test-vap
+ k8s-version: ${{ matrix.k8s-version.version }}
+
+ validatingadmissionpolicies-tests-above-1-28:
+ runs-on: ubuntu-latest
+ strategy:
+ fail-fast: false
+ matrix:
+ k8s-version:
+ - name: v1.28
+ version: v1.28.9
+ - name: v1.29
+ version: v1.29.4
+ - name: v1.30
+ version: v1.30.0
+ tests:
+ - ^pod-security-cel$
+ name: ${{ matrix.k8s-version.name }} - validating-admission-policies - ${{ matrix.tests }}
+ steps:
+ - name: Checkout
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ - name: Create kind cluster
+ uses: helm/kind-action@0025e74a8c7512023d06dc019c617aa3cf561fde # v1.10.0
+ with:
+ node_image: kindest/node:${{ matrix.k8s-version.version }}
+ cluster_name: kind
+ config: ./.github/scripts/config/kind/vap-v1beta1.yaml
+ - name: Install latest kyverno with VAP generation enabled
+ run: 
./.github/scripts/config/generate-validating-admission-policy/install-kyverno.sh
+ - name: Wait for kyverno ready
+ uses: ./.github/actions/wait-for-kyverno-ready
+ - name: Install CRDs
+ uses: ./.github/actions/install-crds
+ - name: Run VAP tests
+ uses: ./.github/actions/run-tests
+ with:
+ tests: ${{ matrix.tests }}
+ test-file: chainsaw-test-vap
+ k8s-version: ${{ matrix.k8s-version.version }}
\ No newline at end of file
diff --git a/pod-security-cel/baseline/disallow-capabilities/.chainsaw-test/chainsaw-test-vap.yaml b/pod-security-cel/baseline/disallow-capabilities/.chainsaw-test/chainsaw-test-vap.yaml
new file mode 100644
index 000000000..bc9b948e2
--- /dev/null
+++ b/pod-security-cel/baseline/disallow-capabilities/.chainsaw-test/chainsaw-test-vap.yaml
@@ -0,0 +1,37 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: disallow-capabilities
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: ../disallow-capabilities.yaml
+ - patch:
+ resource:
+ apiVersion: kyverno.io/v1
+ kind: ClusterPolicy
+ metadata:
+ name: disallow-capabilities
+ spec:
+ validationFailureAction: Enforce
+ - assert:
+ file: policy-ready.yaml
+ - name: step-02
+ try:
+ - assert:
+ file: vap-assert.yaml
+ - assert:
+ file: vapbinding-assert.yaml
+ - name: step-03
+ try:
+ - apply:
+ file: pod-good.yaml
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: pod-bad.yaml
+
diff --git a/pod-security-cel/baseline/disallow-capabilities/.chainsaw-test/vap-assert.yaml b/pod-security-cel/baseline/disallow-capabilities/.chainsaw-test/vap-assert.yaml
new file mode 100644
index 000000000..0d5f86026
--- /dev/null
+++ b/pod-security-cel/baseline/disallow-capabilities/.chainsaw-test/vap-assert.yaml
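Review bot: The two new jobs `validatingadmissionpolicies-v1alpha1` and `validatingadmissionpolicies-tests-above-1-28` in cel-test.yml are identical except for the matrix entries and the kind `config:` path, so every future step change has to be made twice and can drift. Carry the kind config in each matrix entry and keep a single job, as sketched below. Neither job declares `permissions:`; if the workflow sets no top-level default, `permissions: contents: read` on the job keeps the GITHUB_TOKEN at what these steps actually need. The enclosing `jobs:` mapping starts outside the hunk, and the file now ends without a trailing newline.
```yaml
  validatingadmissionpolicies:
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        k8s-version:
          - name: v1.27
            version: v1.27.13
            kind-config: ./.github/scripts/config/kind/vap-v1alpha1.yaml
          - name: v1.28
            version: v1.28.9
            kind-config: ./.github/scripts/config/kind/vap-v1beta1.yaml
          # … v1.29 / v1.30 entries likewise, with the v1beta1 config …
        tests:
          - ^pod-security-cel$
    # … unchanged: name, Checkout step …
      - name: Create kind cluster
        uses: helm/kind-action@0025e74a8c7512023d06dc019c617aa3cf561fde # v1.10.0
        with:
          node_image: kindest/node:${{ matrix.k8s-version.version }}
          cluster_name: kind
          config: ${{ matrix.k8s-version.kind-config }}
    # … unchanged: install, wait-for-kyverno-ready, install-crds, run-tests steps …
```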
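Review bot: step-03 of disallow-capabilities/.chainsaw-test/chainsaw-test-vap.yaml asserts only `($error != null): true`, which passes for any apply failure — a schema error in pod-bad.yaml, or a rejection by Kyverno's own webhook if it still evaluates the policy alongside the generated ValidatingAdmissionPolicy — so the test does not show that the VAP did the denying. If chainsaw exposes the admission message in `$error`, a check such as `(contains($error, 'ValidatingAdmissionPolicy')): true` would pin the denial to the generated policy. The same applies to every other chainsaw-test-vap.yaml in this diff (disallow-host-namespaces, disallow-host-path, disallow-host-ports-range, disallow-host-ports, disallow-host-process, disallow-privileged-containers, restrict-seccomp, restrict-sysctls, disallow-privilege-escalation). This file is also the only one of them without the `# yaml-language-server: $schema=…` header and it ends with an extra blank line.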
@@ -0,0 +1,12 @@
+apiVersion: admissionregistration.k8s.io/v1alpha1
+kind: ValidatingAdmissionPolicy
+metadata:
+ labels:
+ app.kubernetes.io/managed-by: kyverno
+ name: disallow-capabilities
+ ownerReferences:
+ - apiVersion: kyverno.io/v1
+ kind: ClusterPolicy
+ name: disallow-capabilities
+spec:
+ failurePolicy: Fail
\ No newline at end of file
diff --git a/pod-security-cel/baseline/disallow-capabilities/.chainsaw-test/vapbinding-assert.yaml b/pod-security-cel/baseline/disallow-capabilities/.chainsaw-test/vapbinding-assert.yaml
new file mode 100644
index 000000000..95ef7298f
--- /dev/null
+++ b/pod-security-cel/baseline/disallow-capabilities/.chainsaw-test/vapbinding-assert.yaml
@@ -0,0 +1,13 @@
+apiVersion: admissionregistration.k8s.io/v1alpha1
+kind: ValidatingAdmissionPolicyBinding
+metadata:
+ labels:
+ app.kubernetes.io/managed-by: kyverno
+ name: disallow-capabilities-binding
+ ownerReferences:
+ - apiVersion: kyverno.io/v1
+ kind: ClusterPolicy
+ name: disallow-capabilities
+spec:
+ policyName: disallow-capabilities
+ validationActions: [Deny]
\ No newline at end of file
diff --git a/pod-security-cel/baseline/disallow-host-namespaces/.chainsaw-test/chainsaw-test-vap.yaml b/pod-security-cel/baseline/disallow-host-namespaces/.chainsaw-test/chainsaw-test-vap.yaml
new file mode 100755
index 000000000..3f03b402f
--- /dev/null
+++ b/pod-security-cel/baseline/disallow-host-namespaces/.chainsaw-test/chainsaw-test-vap.yaml
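Review bot: vap-assert.yaml and vapbinding-assert.yaml request `admissionregistration.k8s.io/v1alpha1`, yet the 1.28–1.30 jobs create their clusters from vap-v1beta1.yaml; the asserts resolve there only because that kind config also keeps `admissionregistration.k8s.io/v1alpha1: true`, which deserves a comment in the kind config, e.g. `# v1alpha1 stays enabled so the shared *-assert.yaml fixtures resolve`, so it is not removed as redundant. The asserts also check only `failurePolicy`, `policyName`, `validationActions` and the owner reference — not `spec.validations` or `matchConstraints` — so a generated policy with an empty or wrong CEL expression still passes step-02 and detection rests entirely on step-03's pod-bad rejection. The same holds for every *-assert.yaml pair added in this diff.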
@@ -0,0 +1,39 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: disallow-host-namespaces
+spec:
+ # disable templating because it can cause issues with CEL expressions
+ template: false
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: ../disallow-host-namespaces.yaml
+ - patch:
+ resource:
+ apiVersion: kyverno.io/v1
+ kind: ClusterPolicy
+ metadata:
+ name: disallow-host-namespaces
+ spec:
+ validationFailureAction: Enforce
+ - assert:
+ file: policy-ready.yaml
+ - name: step-02
+ try:
+ - assert:
+ file: vap-assert.yaml
+ - assert:
+ file: vapbinding-assert.yaml
+ - name: step-03
+ try:
+ - apply:
+ file: pod-good.yaml
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: pod-bad.yaml
diff --git a/pod-security-cel/baseline/disallow-host-namespaces/.chainsaw-test/vap-assert.yaml b/pod-security-cel/baseline/disallow-host-namespaces/.chainsaw-test/vap-assert.yaml
new file mode 100644
index 000000000..5f1ef76fb
--- /dev/null
+++ b/pod-security-cel/baseline/disallow-host-namespaces/.chainsaw-test/vap-assert.yaml
@@ -0,0 +1,12 @@
+apiVersion: admissionregistration.k8s.io/v1alpha1
+kind: ValidatingAdmissionPolicy
+metadata:
+ labels:
+ app.kubernetes.io/managed-by: kyverno
+ name: disallow-host-namespaces
+ ownerReferences:
+ - apiVersion: kyverno.io/v1
+ kind: ClusterPolicy
+ name: disallow-host-namespaces
+spec:
+ failurePolicy: Fail
\ No newline at end of file
diff --git a/pod-security-cel/baseline/disallow-host-namespaces/.chainsaw-test/vapbinding-assert.yaml b/pod-security-cel/baseline/disallow-host-namespaces/.chainsaw-test/vapbinding-assert.yaml
new file mode 100644
index 000000000..bfddaee0f
--- /dev/null
+++ b/pod-security-cel/baseline/disallow-host-namespaces/.chainsaw-test/vapbinding-assert.yaml
@@ -0,0 +1,13 @@
+apiVersion: admissionregistration.k8s.io/v1alpha1
+kind: ValidatingAdmissionPolicyBinding
+metadata:
+ labels:
+ app.kubernetes.io/managed-by: kyverno
+ name: disallow-host-namespaces-binding
+ ownerReferences:
+ - apiVersion: kyverno.io/v1
+ kind: ClusterPolicy
+ name: disallow-host-namespaces
+spec:
+ policyName: disallow-host-namespaces
+ validationActions: [Deny]
\ No newline at end of file
diff --git a/pod-security-cel/baseline/disallow-host-path/.chainsaw-test/chainsaw-test-vap.yaml b/pod-security-cel/baseline/disallow-host-path/.chainsaw-test/chainsaw-test-vap.yaml
new file mode 100755
index 000000000..a4f18c9a7
--- /dev/null
+++ b/pod-security-cel/baseline/disallow-host-path/.chainsaw-test/chainsaw-test-vap.yaml
@@ -0,0 +1,37 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: disallow-host-path
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: ../disallow-host-path.yaml
+ - patch:
+ resource:
+ apiVersion: kyverno.io/v1
+ kind: ClusterPolicy
+ metadata:
+ name: disallow-host-path
+ spec:
+ validationFailureAction: Enforce
+ - assert:
+ file: policy-ready.yaml
+ - name: step-02
+ try:
+ - assert:
+ file: vap-assert.yaml
+ - assert:
+ file: vapbinding-assert.yaml
+ - name: step-03
+ try:
+ - apply:
+ file: pod-good.yaml
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: pod-bad.yaml
diff --git a/pod-security-cel/baseline/disallow-host-path/.chainsaw-test/vap-assert.yaml b/pod-security-cel/baseline/disallow-host-path/.chainsaw-test/vap-assert.yaml
new file mode 100644
index 000000000..bc4e35b83
--- /dev/null
+++ b/pod-security-cel/baseline/disallow-host-path/.chainsaw-test/vap-assert.yaml
@@ -0,0 +1,12 @@
+apiVersion: admissionregistration.k8s.io/v1alpha1
+kind: ValidatingAdmissionPolicy
+metadata:
+ labels:
+ app.kubernetes.io/managed-by: kyverno
+ name: disallow-host-path
+ ownerReferences:
+ - apiVersion: kyverno.io/v1
+ kind: ClusterPolicy
+ name: disallow-host-path
+spec:
+ failurePolicy: Fail
diff --git a/pod-security-cel/baseline/disallow-host-path/.chainsaw-test/vapbinding-assert.yaml b/pod-security-cel/baseline/disallow-host-path/.chainsaw-test/vapbinding-assert.yaml
new file mode 100644
index 000000000..57e77726d
--- /dev/null
+++ b/pod-security-cel/baseline/disallow-host-path/.chainsaw-test/vapbinding-assert.yaml
@@ -0,0 +1,13 @@
+apiVersion: admissionregistration.k8s.io/v1alpha1
+kind: ValidatingAdmissionPolicyBinding
+metadata:
+ labels:
+ app.kubernetes.io/managed-by: kyverno
+ name: disallow-host-path-binding
+ ownerReferences:
+ - apiVersion: kyverno.io/v1
+ kind: ClusterPolicy
+ name: disallow-host-path
+spec:
+ policyName: disallow-host-path
+ validationActions: [Deny]
diff --git a/pod-security-cel/baseline/disallow-host-ports-range/.chainsaw-test/chainsaw-test-vap.yaml b/pod-security-cel/baseline/disallow-host-ports-range/.chainsaw-test/chainsaw-test-vap.yaml
new file mode 100755
index 000000000..ce67114f4
--- /dev/null
+++ b/pod-security-cel/baseline/disallow-host-ports-range/.chainsaw-test/chainsaw-test-vap.yaml
@@ -0,0 +1,37 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: disallow-host-ports-range
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: ../disallow-host-ports-range.yaml
+ - patch:
+ resource:
+ apiVersion: kyverno.io/v1
+ kind: ClusterPolicy
+ metadata:
+ name: disallow-host-ports-range
+ spec:
+ validationFailureAction: Enforce
+ - assert:
+ file: policy-ready.yaml
+ - name: step-02
+ try:
+ - assert:
+ file: vap-assert.yaml
+ - assert:
+ file: vapbinding-assert.yaml
+ - name: step-03
+ try:
+ - apply:
+ file: pod-good.yaml
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: pod-bad.yaml
diff --git a/pod-security-cel/baseline/disallow-host-ports-range/.chainsaw-test/vap-assert.yaml b/pod-security-cel/baseline/disallow-host-ports-range/.chainsaw-test/vap-assert.yaml
new file mode 100644
index 000000000..7888292e9
--- /dev/null
+++ b/pod-security-cel/baseline/disallow-host-ports-range/.chainsaw-test/vap-assert.yaml
@@ -0,0 +1,12 @@
+apiVersion: admissionregistration.k8s.io/v1alpha1
+kind: ValidatingAdmissionPolicy
+metadata:
+ labels:
+ app.kubernetes.io/managed-by: kyverno
+ name: disallow-host-ports-range
+ ownerReferences:
+ - apiVersion: kyverno.io/v1
+ kind: ClusterPolicy
+ name: disallow-host-ports-range
+spec:
+ failurePolicy: Fail
diff --git a/pod-security-cel/baseline/disallow-host-ports-range/.chainsaw-test/vapbinding-assert.yaml b/pod-security-cel/baseline/disallow-host-ports-range/.chainsaw-test/vapbinding-assert.yaml
new file mode 100644
index 000000000..9309d1e2f
--- /dev/null
+++ b/pod-security-cel/baseline/disallow-host-ports-range/.chainsaw-test/vapbinding-assert.yaml
@@ -0,0 +1,13 @@
+apiVersion: admissionregistration.k8s.io/v1alpha1
+kind: ValidatingAdmissionPolicyBinding
+metadata:
+ labels:
+ app.kubernetes.io/managed-by: kyverno
+ name: disallow-host-ports-range-binding
+ ownerReferences:
+ - apiVersion: kyverno.io/v1
+ kind: ClusterPolicy
+ name: disallow-host-ports-range
+spec:
+ policyName: disallow-host-ports-range
+ validationActions: [Deny]
diff --git a/pod-security-cel/baseline/disallow-host-ports/.chainsaw-test/chainsaw-test-vap.yaml b/pod-security-cel/baseline/disallow-host-ports/.chainsaw-test/chainsaw-test-vap.yaml
new file mode 100755
index 000000000..4d2dcadd1
--- /dev/null
+++ b/pod-security-cel/baseline/disallow-host-ports/.chainsaw-test/chainsaw-test-vap.yaml
@@ -0,0 +1,37 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: disallow-host-ports
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: ../disallow-host-ports.yaml
+ - patch:
+ resource:
+ apiVersion: kyverno.io/v1
+ kind: ClusterPolicy
+ metadata:
+ name: disallow-host-ports
+ spec:
+ validationFailureAction: Enforce
+ - assert:
+ file: policy-ready.yaml
+ - name: step-02
+ try:
+ - assert:
+ file: vap-assert.yaml
+ - assert:
+ file: vapbinding-assert.yaml
+ - name: step-03
+ try:
+ - apply:
+ file: pod-good.yaml
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: pod-bad.yaml
diff --git a/pod-security-cel/baseline/disallow-host-ports/.chainsaw-test/pod-bad.yaml b/pod-security-cel/baseline/disallow-host-ports/.chainsaw-test/pod-bad.yaml
index 482abd63e..c56579942 100644
--- a/pod-security-cel/baseline/disallow-host-ports/.chainsaw-test/pod-bad.yaml
+++ b/pod-security-cel/baseline/disallow-host-ports/.chainsaw-test/pod-bad.yaml
@@ -8,6 +8,7 @@ spec: image: busybox:1.35 ports: - hostPort: 8090 + containerPort: 8081 containers: - name: busybox image: busybox:1.35
diff --git a/pod-security-cel/baseline/disallow-host-ports/.chainsaw-test/vap-assert.yaml b/pod-security-cel/baseline/disallow-host-ports/.chainsaw-test/vap-assert.yaml
new file mode 100644
index 000000000..2dc8a287a
--- /dev/null
+++ b/pod-security-cel/baseline/disallow-host-ports/.chainsaw-test/vap-assert.yaml
@@ -0,0 +1,12 @@
+apiVersion: admissionregistration.k8s.io/v1alpha1
+kind: ValidatingAdmissionPolicy
+metadata:
+ labels:
+ app.kubernetes.io/managed-by: kyverno
+ name: disallow-host-ports
+ ownerReferences:
+ - apiVersion: kyverno.io/v1
+ kind: ClusterPolicy
+ name: disallow-host-ports
+spec:
+ failurePolicy: Fail
diff --git a/pod-security-cel/baseline/disallow-host-ports/.chainsaw-test/vapbinding-assert.yaml b/pod-security-cel/baseline/disallow-host-ports/.chainsaw-test/vapbinding-assert.yaml
new file mode 100644
index 000000000..0aa2445a4
--- /dev/null
+++ b/pod-security-cel/baseline/disallow-host-ports/.chainsaw-test/vapbinding-assert.yaml
@@ -0,0 +1,13 @@
+apiVersion: admissionregistration.k8s.io/v1alpha1
+kind: ValidatingAdmissionPolicyBinding
+metadata:
+ labels:
+ app.kubernetes.io/managed-by: kyverno
+ name: disallow-host-ports-binding
+ ownerReferences:
+ - apiVersion: kyverno.io/v1
+ kind: ClusterPolicy
+ name: disallow-host-ports
+spec:
+ policyName: disallow-host-ports
+ validationActions: [Deny]
diff --git a/pod-security-cel/baseline/disallow-host-process/.chainsaw-test/chainsaw-test-vap.yaml b/pod-security-cel/baseline/disallow-host-process/.chainsaw-test/chainsaw-test-vap.yaml
new file mode 100755
index 000000000..4a8b1e6bf
--- /dev/null
+++ b/pod-security-cel/baseline/disallow-host-process/.chainsaw-test/chainsaw-test-vap.yaml
@@ -0,0 +1,41 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: disallow-host-process
+ labels:
+ skipForVapAlpha: ""
+spec:
+ # disable templating because it can cause issues with CEL expressions
+ template: false
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: ../disallow-host-process.yaml
+ - patch:
+ resource:
+ apiVersion: kyverno.io/v1
+ kind: ClusterPolicy
+ metadata:
+ name: disallow-host-process
+ spec:
+ validationFailureAction: Enforce
+ - assert:
+ file: policy-ready.yaml
+ - name: step-02
+ try:
+ - assert:
+ file: vap-assert.yaml
+ - assert:
+ file: vapbinding-assert.yaml
+ - name: step-03
+ try:
+ - apply:
+ file: pod-good.yaml
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: pod-bad.yaml
diff --git a/pod-security-cel/baseline/disallow-host-process/.chainsaw-test/pod-bad.yaml b/pod-security-cel/baseline/disallow-host-process/.chainsaw-test/pod-bad.yaml
index d6e00d2ed..702ae4aa7 100644
--- a/pod-security-cel/baseline/disallow-host-process/.chainsaw-test/pod-bad.yaml
+++ b/pod-security-cel/baseline/disallow-host-process/.chainsaw-test/pod-bad.yaml
@@ -3,6 +3,7 @@ kind: Pod metadata: name: badpod01-new spec: + hostNetwork: true initContainers: - name: busybox01-init image: busybox:1.35
@@ -14,15 +15,19 @@ spec: image: busybox:1.35 securityContext: windowsOptions: - hostProcess: false + hostProcess: true - name: busybox02 image: busybox:1.35 + securityContext: + windowsOptions: + hostProcess: true --- apiVersion: v1 kind: Pod metadata: name: badpod02-new spec: + hostNetwork: true containers: - name: busybox01 image: busybox:1.35
@@ -35,6 +40,7 @@ kind: Pod metadata: name: badpod03-new spec: + hostNetwork: true containers: - name: busybox01 image: busybox:1.35
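Review bot: The new `skipForVapAlpha: ""` label on disallow-host-process's chainsaw-test-vap.yaml is what the run-tests action's `--selector='!skipForVapAlpha'` excludes on v1.26/v1.27 clusters, but nothing records why this one policy cannot run against the v1alpha1 API, so the label will be hard to retire later. Add a comment above the label, e.g. `# excluded on v1alpha1 VAP clusters (v1.26/v1.27): <reason>` with the actual reason filled in. The pod-bad.yaml hunks that add `hostNetwork: true` and set `hostProcess: true` on every container appear to be satisfying API validation of HostProcess pods (which, as far as I know, requires host networking and the same `hostProcess` value on all containers); a one-line comment saying so would stop the fixtures from being "simplified" back to a form the API server rejects before the policy ever sees it.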
@@ -43,6 +49,9 @@ spec: hostProcess: true - name: busybox02 image: busybox:1.35 + securityContext: + windowsOptions: + hostProcess: true --- apiVersion: v1 kind: Pod
diff --git a/pod-security-cel/baseline/disallow-host-process/.chainsaw-test/vap-assert.yaml b/pod-security-cel/baseline/disallow-host-process/.chainsaw-test/vap-assert.yaml
new file mode 100644
index 000000000..0d324af7c
--- /dev/null
+++ b/pod-security-cel/baseline/disallow-host-process/.chainsaw-test/vap-assert.yaml
@@ -0,0 +1,12 @@
+apiVersion: admissionregistration.k8s.io/v1alpha1
+kind: ValidatingAdmissionPolicy
+metadata:
+ labels:
+ app.kubernetes.io/managed-by: kyverno
+ name: disallow-host-process
+ ownerReferences:
+ - apiVersion: kyverno.io/v1
+ kind: ClusterPolicy
+ name: disallow-host-process
+spec:
+ failurePolicy: Fail
diff --git a/pod-security-cel/baseline/disallow-host-process/.chainsaw-test/vapbinding-assert.yaml b/pod-security-cel/baseline/disallow-host-process/.chainsaw-test/vapbinding-assert.yaml
new file mode 100644
index 000000000..a3830e18f
--- /dev/null
+++ b/pod-security-cel/baseline/disallow-host-process/.chainsaw-test/vapbinding-assert.yaml
@@ -0,0 +1,13 @@
+apiVersion: admissionregistration.k8s.io/v1alpha1
+kind: ValidatingAdmissionPolicyBinding
+metadata:
+ labels:
+ app.kubernetes.io/managed-by: kyverno
+ name: disallow-host-process-binding
+ ownerReferences:
+ - apiVersion: kyverno.io/v1
+ kind: ClusterPolicy
+ name: disallow-host-process
+spec:
+ policyName: disallow-host-process
+ validationActions: [Deny]
diff --git a/pod-security-cel/baseline/disallow-privileged-containers/.chainsaw-test/chainsaw-test-vap.yaml b/pod-security-cel/baseline/disallow-privileged-containers/.chainsaw-test/chainsaw-test-vap.yaml
new file mode 100755
index 000000000..1dd5111e9
--- /dev/null
+++ b/pod-security-cel/baseline/disallow-privileged-containers/.chainsaw-test/chainsaw-test-vap.yaml
@@ -0,0 +1,37 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: disallow-privileged-containers
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: ../disallow-privileged-containers.yaml
+ - patch:
+ resource:
+ apiVersion: kyverno.io/v1
+ kind: ClusterPolicy
+ metadata:
+ name: disallow-privileged-containers
+ spec:
+ validationFailureAction: Enforce
+ - assert:
+ file: policy-ready.yaml
+ - name: step-02
+ try:
+ - assert:
+ file: vap-assert.yaml
+ - assert:
+ file: vapbinding-assert.yaml
+ - name: step-03
+ try:
+ - apply:
+ file: pod-good.yaml
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: pod-bad.yaml
diff --git a/pod-security-cel/baseline/disallow-privileged-containers/.chainsaw-test/vap-assert.yaml b/pod-security-cel/baseline/disallow-privileged-containers/.chainsaw-test/vap-assert.yaml
new file mode 100644
index 000000000..a80d20a5b
--- /dev/null
+++ b/pod-security-cel/baseline/disallow-privileged-containers/.chainsaw-test/vap-assert.yaml
@@ -0,0 +1,12 @@
+apiVersion: admissionregistration.k8s.io/v1alpha1
+kind: ValidatingAdmissionPolicy
+metadata:
+ labels:
+ app.kubernetes.io/managed-by: kyverno
+ name: disallow-privileged-containers
+ ownerReferences:
+ - apiVersion: kyverno.io/v1
+ kind: ClusterPolicy
+ name: disallow-privileged-containers
+spec:
+ failurePolicy: Fail
diff --git a/pod-security-cel/baseline/disallow-privileged-containers/.chainsaw-test/vapbinding-assert.yaml b/pod-security-cel/baseline/disallow-privileged-containers/.chainsaw-test/vapbinding-assert.yaml
new file mode 100644
index 000000000..cdb51c322
--- /dev/null
+++ b/pod-security-cel/baseline/disallow-privileged-containers/.chainsaw-test/vapbinding-assert.yaml
@@ -0,0 +1,13 @@
+apiVersion: admissionregistration.k8s.io/v1alpha1
+kind: ValidatingAdmissionPolicyBinding
+metadata:
+ labels:
+ app.kubernetes.io/managed-by: kyverno
+ name: disallow-privileged-containers-binding
+ ownerReferences:
+ - apiVersion: kyverno.io/v1
+ kind: ClusterPolicy
+ name: disallow-privileged-containers
+spec:
+ policyName: disallow-privileged-containers
+ validationActions: [Deny]
diff --git a/pod-security-cel/baseline/restrict-seccomp/.chainsaw-test/chainsaw-test-vap.yaml b/pod-security-cel/baseline/restrict-seccomp/.chainsaw-test/chainsaw-test-vap.yaml
new file mode 100755
index 000000000..ee430dc4b
--- /dev/null
+++ b/pod-security-cel/baseline/restrict-seccomp/.chainsaw-test/chainsaw-test-vap.yaml
@@ -0,0 +1,37 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: restrict-seccomp
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: ../restrict-seccomp.yaml
+ - patch:
+ resource:
+ apiVersion: kyverno.io/v1
+ kind: ClusterPolicy
+ metadata:
+ name: restrict-seccomp
+ spec:
+ validationFailureAction: Enforce
+ - assert:
+ file: policy-ready.yaml
+ - name: step-02
+ try:
+ - assert:
+ file: vap-assert.yaml
+ - assert:
+ file: vapbinding-assert.yaml
+ - name: step-03
+ try:
+ - apply:
+ file: pod-good.yaml
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: pod-bad.yaml
diff --git a/pod-security-cel/baseline/restrict-seccomp/.chainsaw-test/vap-assert.yaml b/pod-security-cel/baseline/restrict-seccomp/.chainsaw-test/vap-assert.yaml
new file mode 100644
index 000000000..680526965
--- /dev/null
+++ b/pod-security-cel/baseline/restrict-seccomp/.chainsaw-test/vap-assert.yaml
@@ -0,0 +1,12 @@
+apiVersion: admissionregistration.k8s.io/v1alpha1
+kind: ValidatingAdmissionPolicy
+metadata:
+ labels:
+ app.kubernetes.io/managed-by: kyverno
+ name: restrict-seccomp
+ ownerReferences:
+ - apiVersion: kyverno.io/v1
+ kind: ClusterPolicy
+ name: restrict-seccomp
+spec:
+ failurePolicy: Fail
diff --git a/pod-security-cel/baseline/restrict-seccomp/.chainsaw-test/vapbinding-assert.yaml b/pod-security-cel/baseline/restrict-seccomp/.chainsaw-test/vapbinding-assert.yaml
new file mode 100644
index 000000000..c433eae2c
--- /dev/null
+++ b/pod-security-cel/baseline/restrict-seccomp/.chainsaw-test/vapbinding-assert.yaml
@@ -0,0 +1,13 @@
+apiVersion: admissionregistration.k8s.io/v1alpha1
+kind: ValidatingAdmissionPolicyBinding
+metadata:
+ labels:
+ app.kubernetes.io/managed-by: kyverno
+ name: restrict-seccomp-binding
+ ownerReferences:
+ - apiVersion: kyverno.io/v1
+ kind: ClusterPolicy
+ name: restrict-seccomp
+spec:
+ policyName: restrict-seccomp
+ validationActions: [Deny]
diff --git a/pod-security-cel/baseline/restrict-sysctls/.chainsaw-test/chainsaw-test-vap.yaml b/pod-security-cel/baseline/restrict-sysctls/.chainsaw-test/chainsaw-test-vap.yaml
new file mode 100755
index 000000000..202aaf42b
--- /dev/null
+++ b/pod-security-cel/baseline/restrict-sysctls/.chainsaw-test/chainsaw-test-vap.yaml
@@ -0,0 +1,37 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: restrict-sysctls
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: ../restrict-sysctls.yaml
+ - patch:
+ resource:
+ apiVersion: kyverno.io/v1
+ kind: ClusterPolicy
+ metadata:
+ name: restrict-sysctls
+ spec:
+ validationFailureAction: Enforce
+ - assert:
+ file: policy-ready.yaml
+ - name: step-02
+ try:
+ - assert:
+ file: vap-assert.yaml
+ - assert:
+ file: vapbinding-assert.yaml
+ - name: step-03
+ try:
+ - apply:
+ file: pod-good.yaml
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: pod-bad.yaml
diff --git a/pod-security-cel/baseline/restrict-sysctls/.chainsaw-test/vap-assert.yaml b/pod-security-cel/baseline/restrict-sysctls/.chainsaw-test/vap-assert.yaml
new file mode 100644
index 000000000..cd0a7c3b5
--- /dev/null
+++ b/pod-security-cel/baseline/restrict-sysctls/.chainsaw-test/vap-assert.yaml
@@ -0,0 +1,12 @@
+apiVersion: admissionregistration.k8s.io/v1alpha1
+kind: ValidatingAdmissionPolicy
+metadata:
+ labels:
+ app.kubernetes.io/managed-by: kyverno
+ name: restrict-sysctls
+ ownerReferences:
+ - apiVersion: kyverno.io/v1
+ kind: ClusterPolicy
+ name: restrict-sysctls
+spec:
+ failurePolicy: Fail
diff --git a/pod-security-cel/baseline/restrict-sysctls/.chainsaw-test/vapbinding-assert.yaml b/pod-security-cel/baseline/restrict-sysctls/.chainsaw-test/vapbinding-assert.yaml
new file mode 100644
index 000000000..ab2618e79
--- /dev/null
+++ b/pod-security-cel/baseline/restrict-sysctls/.chainsaw-test/vapbinding-assert.yaml
@@ -0,0 +1,13 @@
+apiVersion: admissionregistration.k8s.io/v1alpha1
+kind: ValidatingAdmissionPolicyBinding
+metadata:
+ labels:
+ app.kubernetes.io/managed-by: kyverno
+ name: restrict-sysctls-binding
+ ownerReferences:
+ - apiVersion: kyverno.io/v1
+ kind: ClusterPolicy
+ name: restrict-sysctls
+spec:
+ policyName: restrict-sysctls
+ validationActions: [Deny]
diff --git a/pod-security-cel/restricted/disallow-privilege-escalation/.chainsaw-test/chainsaw-test-vap.yaml b/pod-security-cel/restricted/disallow-privilege-escalation/.chainsaw-test/chainsaw-test-vap.yaml
new file mode 100755
index 000000000..f96084d00
--- /dev/null
+++ b/pod-security-cel/restricted/disallow-privilege-escalation/.chainsaw-test/chainsaw-test-vap.yaml
@@ -0,0 +1,37 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: disallow-privilege-escalation
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: ../disallow-privilege-escalation.yaml
+ - patch:
+ resource:
+ apiVersion: kyverno.io/v1
+ kind: ClusterPolicy
+ metadata:
+ name: disallow-privilege-escalation
+ spec:
+ validationFailureAction: Enforce
+ - assert:
+ file: policy-ready.yaml
+ - name: step-02
+ try:
+ - assert:
+ file: vap-assert.yaml
+ - assert:
+ file: vapbinding-assert.yaml
+ - name: step-03
+ try:
+ - apply:
+ file: pod-good.yaml
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: pod-bad.yaml
diff --git a/pod-security-cel/restricted/disallow-privilege-escalation/.chainsaw-test/vap-assert.yaml b/pod-security-cel/restricted/disallow-privilege-escalation/.chainsaw-test/vap-assert.yaml
new file mode 100644
index 000000000..6e49f5ca4
--- /dev/null
+++ b/pod-security-cel/restricted/disallow-privilege-escalation/.chainsaw-test/vap-assert.yaml
@@ -0,0 +1,12 @@
+apiVersion: admissionregistration.k8s.io/v1alpha1
+kind: ValidatingAdmissionPolicy
+metadata:
+ labels:
+ app.kubernetes.io/managed-by: kyverno
+ name: disallow-privilege-escalation
+ ownerReferences:
+ - apiVersion: kyverno.io/v1
+ kind: ClusterPolicy
+ name: disallow-privilege-escalation
+spec:
+ failurePolicy: Fail
diff --git a/pod-security-cel/restricted/disallow-privilege-escalation/.chainsaw-test/vapbinding-assert.yaml b/pod-security-cel/restricted/disallow-privilege-escalation/.chainsaw-test/vapbinding-assert.yaml
new file mode 100644
index 000000000..775ba1c20
--- /dev/null
+++ b/pod-security-cel/restricted/disallow-privilege-escalation/.chainsaw-test/vapbinding-assert.yaml
@@ -0,0 +1,13 @@
+apiVersion: admissionregistration.k8s.io/v1alpha1
+kind: ValidatingAdmissionPolicyBinding
+metadata:
+ labels:
+ app.kubernetes.io/managed-by: kyverno
+ name: disallow-privilege-escalation-binding
+ ownerReferences:
+ - apiVersion: kyverno.io/v1
+ kind: ClusterPolicy
+ name: disallow-privilege-escalation
+spec:
+ policyName: disallow-privilege-escalation
+ validationActions: [Deny]
diff --git a/pod-security-cel/restricted/require-run-as-non-root-user/.chainsaw-test/chainsaw-test-vap.yaml b/pod-security-cel/restricted/require-run-as-non-root-user/.chainsaw-test/chainsaw-test-vap.yaml
new file mode 100755
index 000000000..528160b3b
--- /dev/null
+++ b/pod-security-cel/restricted/require-run-as-non-root-user/.chainsaw-test/chainsaw-test-vap.yaml
@@ -0,0 +1,37 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: require-run-as-non-root-user
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: ../require-run-as-non-root-user.yaml
+ - patch:
+ resource:
+ apiVersion: kyverno.io/v1
+ kind: ClusterPolicy
+ metadata:
+ name: require-run-as-non-root-user
+ spec:
+ validationFailureAction: Enforce
+ - assert:
+ file: policy-ready.yaml
+ - name: step-02
+ try:
+ - assert:
+ file: vap-assert.yaml
+ - assert:
+ file: vapbinding-assert.yaml
+ - name: step-03
+ try:
+ - apply:
+ file: pod-good.yaml
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: pod-bad.yaml
\ No newline at end of file
diff --git a/pod-security-cel/restricted/require-run-as-non-root-user/.chainsaw-test/vap-assert.yaml b/pod-security-cel/restricted/require-run-as-non-root-user/.chainsaw-test/vap-assert.yaml
new file mode 100644
index 000000000..11bdd12e0
--- /dev/null
+++ b/pod-security-cel/restricted/require-run-as-non-root-user/.chainsaw-test/vap-assert.yaml
@@ -0,0 +1,12 @@
+apiVersion: admissionregistration.k8s.io/v1alpha1
+kind: ValidatingAdmissionPolicy
+metadata:
+ labels:
+ app.kubernetes.io/managed-by: kyverno
+ name: require-run-as-non-root-user
+ ownerReferences:
+ - apiVersion: kyverno.io/v1
+ kind: ClusterPolicy
+ name: require-run-as-non-root-user
+spec:
+ failurePolicy: Fail
diff --git a/pod-security-cel/restricted/require-run-as-non-root-user/.chainsaw-test/vapbinding-assert.yaml b/pod-security-cel/restricted/require-run-as-non-root-user/.chainsaw-test/vapbinding-assert.yaml
new file mode 100644
index 000000000..7ca54c314
--- /dev/null
+++ b/pod-security-cel/restricted/require-run-as-non-root-user/.chainsaw-test/vapbinding-assert.yaml
@@ -0,0 +1,13 @@
+apiVersion: admissionregistration.k8s.io/v1alpha1
+kind: ValidatingAdmissionPolicyBinding
+metadata:
+ labels:
+ app.kubernetes.io/managed-by: kyverno
+ name: require-run-as-non-root-user-binding
+ ownerReferences:
+ - apiVersion: kyverno.io/v1
+ kind: ClusterPolicy
+ name: require-run-as-non-root-user
+spec:
+ policyName: require-run-as-non-root-user
+ validationActions: [Deny]
diff --git a/pod-security-cel/restricted/require-run-as-nonroot/.chainsaw-test/chainsaw-test-vap.yaml b/pod-security-cel/restricted/require-run-as-nonroot/.chainsaw-test/chainsaw-test-vap.yaml
new file mode 100755
index 000000000..8c4149e4d
--- /dev/null
+++ b/pod-security-cel/restricted/require-run-as-nonroot/.chainsaw-test/chainsaw-test-vap.yaml
@@ -0,0 +1,37 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: require-run-as-nonroot
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: ../require-run-as-nonroot.yaml
+ - patch:
+ resource:
+ apiVersion: kyverno.io/v1
+ kind: ClusterPolicy
+ metadata:
+ name: require-run-as-nonroot
+ spec:
+ validationFailureAction: Enforce
+ - assert:
+ file: policy-ready.yaml
+ - name: step-02
+ try:
+ - assert:
+ file: vap-assert.yaml
+ - assert:
+ file: vapbinding-assert.yaml
+ - name: step-03
+ try:
+ - apply:
+ file: pod-good.yaml
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: pod-bad.yaml
\ No newline at end of file
diff --git a/pod-security-cel/restricted/require-run-as-nonroot/.chainsaw-test/vap-assert.yaml b/pod-security-cel/restricted/require-run-as-nonroot/.chainsaw-test/vap-assert.yaml
new file mode 100644
index 000000000..66522489d
--- /dev/null
+++ b/pod-security-cel/restricted/require-run-as-nonroot/.chainsaw-test/vap-assert.yaml
@@ -0,0 +1,12 @@
+apiVersion: admissionregistration.k8s.io/v1alpha1
+kind: ValidatingAdmissionPolicy
+metadata:
+ labels:
+ app.kubernetes.io/managed-by: kyverno
+ name: require-run-as-nonroot
+ ownerReferences:
+ - apiVersion: kyverno.io/v1
+ kind: ClusterPolicy
+ name: require-run-as-nonroot
+spec:
+ failurePolicy: Fail
diff --git a/pod-security-cel/restricted/require-run-as-nonroot/.chainsaw-test/vapbinding-assert.yaml b/pod-security-cel/restricted/require-run-as-nonroot/.chainsaw-test/vapbinding-assert.yaml
new file mode 100644
index 000000000..90532450d
--- /dev/null
+++ b/pod-security-cel/restricted/require-run-as-nonroot/.chainsaw-test/vapbinding-assert.yaml
@@ -0,0 +1,13 @@
+apiVersion: admissionregistration.k8s.io/v1alpha1
+kind: ValidatingAdmissionPolicyBinding
+metadata:
+ labels:
+ app.kubernetes.io/managed-by: kyverno
+ name: require-run-as-nonroot-binding
+ ownerReferences:
+ - apiVersion: kyverno.io/v1
+ kind: ClusterPolicy
+ name: require-run-as-nonroot
+spec:
+ policyName: require-run-as-nonroot
+ validationActions: [Deny]
diff --git a/pod-security-cel/restricted/restrict-seccomp-strict/.chainsaw-test/chainsaw-test-vap.yaml b/pod-security-cel/restricted/restrict-seccomp-strict/.chainsaw-test/chainsaw-test-vap.yaml
new file mode 100755
index 000000000..82b754cf3
--- /dev/null
+++ b/pod-security-cel/restricted/restrict-seccomp-strict/.chainsaw-test/chainsaw-test-vap.yaml
@@ -0,0 +1,37 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: restrict-seccomp-strict
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: ../restrict-seccomp-strict.yaml
+ - patch:
+ resource:
+ apiVersion: kyverno.io/v1
+ kind: ClusterPolicy
+ metadata:
+ name: restrict-seccomp-strict
+ spec:
+ validationFailureAction: Enforce
+ - assert:
+ file: policy-ready.yaml
+ - name: step-02
+ try:
+ - assert:
+ file: vap-assert.yaml
+ - assert:
+ file: vapbinding-assert.yaml
+ - name: step-03
+ try:
+ - apply:
+ file: pod-good.yaml
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: pod-bad.yaml
diff --git a/pod-security-cel/restricted/restrict-seccomp-strict/.chainsaw-test/vap-assert.yaml b/pod-security-cel/restricted/restrict-seccomp-strict/.chainsaw-test/vap-assert.yaml
new file mode 100644
index 000000000..c7777ba12
--- /dev/null
+++ b/pod-security-cel/restricted/restrict-seccomp-strict/.chainsaw-test/vap-assert.yaml
@@ -0,0 +1,12 @@
+apiVersion: admissionregistration.k8s.io/v1alpha1
+kind: ValidatingAdmissionPolicy
+metadata:
+ labels:
+ app.kubernetes.io/managed-by: kyverno
+ name: restrict-seccomp-strict
+ ownerReferences:
+ - apiVersion: kyverno.io/v1
+ kind: ClusterPolicy
+ name: restrict-seccomp-strict
+spec:
+ failurePolicy: Fail
diff --git a/pod-security-cel/restricted/restrict-seccomp-strict/.chainsaw-test/vapbinding-assert.yaml b/pod-security-cel/restricted/restrict-seccomp-strict/.chainsaw-test/vapbinding-assert.yaml
new file mode 100644
index 000000000..77f46283c
--- /dev/null
+++ b/pod-security-cel/restricted/restrict-seccomp-strict/.chainsaw-test/vapbinding-assert.yaml
@@ -0,0 +1,13 @@
+apiVersion: admissionregistration.k8s.io/v1alpha1
+kind: ValidatingAdmissionPolicyBinding
+metadata:
+ labels:
+ app.kubernetes.io/managed-by: kyverno
+ name: restrict-seccomp-strict-binding
+ ownerReferences:
+ - apiVersion: kyverno.io/v1
+ kind: ClusterPolicy
+ name: restrict-seccomp-strict
+spec:
+ policyName: restrict-seccomp-strict
+ validationActions: [Deny]
diff --git a/pod-security-cel/restricted/restrict-volume-types/.chainsaw-test/chainsaw-test-vap.yaml b/pod-security-cel/restricted/restrict-volume-types/.chainsaw-test/chainsaw-test-vap.yaml
new file mode 100755
index 000000000..938965a80
--- /dev/null
+++ b/pod-security-cel/restricted/restrict-volume-types/.chainsaw-test/chainsaw-test-vap.yaml
@@ -0,0 +1,42 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: restrict-volume-types
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: ../restrict-volume-types.yaml
+ - patch:
+ resource:
+ apiVersion: kyverno.io/v1
+ kind: ClusterPolicy
+ metadata:
+ name: restrict-volume-types
+ spec:
+ validationFailureAction: Enforce
+ - assert:
+ file: policy-ready.yaml
+ - name: step-02
+ try:
+ - assert:
+ file: vap-assert.yaml
+ - assert:
+ file: vapbinding-assert.yaml
+ - name: step-03
+ try:
+ - apply:
+ file: pod-good.yaml
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: pod-bad.yaml
+ - name: step-99
+ try:
+ - script:
+ content: kubectl delete all --all --force --grace-period=0 -n restrict-voltypes-ns
+
diff --git a/pod-security-cel/restricted/restrict-volume-types/.chainsaw-test/vap-assert.yaml b/pod-security-cel/restricted/restrict-volume-types/.chainsaw-test/vap-assert.yaml
new file mode 100644
index 000000000..a3912548a
--- /dev/null
+++ b/pod-security-cel/restricted/restrict-volume-types/.chainsaw-test/vap-assert.yaml
@@ -0,0 +1,12 @@
+apiVersion: admissionregistration.k8s.io/v1alpha1
+kind: ValidatingAdmissionPolicy
+metadata:
+ labels:
+ app.kubernetes.io/managed-by: kyverno
+ name: restrict-volume-types
+ ownerReferences:
+ - apiVersion: kyverno.io/v1
+ kind: ClusterPolicy
+ name: restrict-volume-types
+spec:
+ failurePolicy: Fail
diff --git a/pod-security-cel/restricted/restrict-volume-types/.chainsaw-test/vapbinding-assert.yaml b/pod-security-cel/restricted/restrict-volume-types/.chainsaw-test/vapbinding-assert.yaml
new file mode 100644
index 000000000..e1b60d25f
--- /dev/null
+++ b/pod-security-cel/restricted/restrict-volume-types/.chainsaw-test/vapbinding-assert.yaml
@@ -0,0 +1,13 @@
+apiVersion: admissionregistration.k8s.io/v1alpha1
+kind: ValidatingAdmissionPolicyBinding
+metadata:
+ labels:
+ app.kubernetes.io/managed-by: kyverno
+ name: restrict-volume-types-binding
+ ownerReferences:
+ - apiVersion: kyverno.io/v1
+ kind: ClusterPolicy
+ name: restrict-volume-types
+spec:
+ policyName: restrict-volume-types
+ validationActions: [Deny]