From a3a727d70e0d8947fd815b56fa6b2e75660bd28c Mon Sep 17 00:00:00 2001 From: Chandan-DK Date: Tue, 14 May 2024 19:03:33 +0000 Subject: [PATCH 01/21] setup vap generation in CI for testing Signed-off-by: Chandan-DK --- .../generate-vap-cr.yaml | 19 +++++ .../install-kyverno.sh | 15 ++++ .github/scripts/config/kind/vap-v1alpha1.yaml | 11 +++ .github/scripts/config/kind/vap-v1beta1.yaml | 12 +++ .github/workflows/test.yml | 76 +++++++++++++++++++ 5 files changed, 133 insertions(+) create mode 100644 .github/scripts/config/generate-validating-admission-policy/generate-vap-cr.yaml create mode 100755 .github/scripts/config/generate-validating-admission-policy/install-kyverno.sh create mode 100644 .github/scripts/config/kind/vap-v1alpha1.yaml create mode 100644 .github/scripts/config/kind/vap-v1beta1.yaml diff --git a/.github/scripts/config/generate-validating-admission-policy/generate-vap-cr.yaml b/.github/scripts/config/generate-validating-admission-policy/generate-vap-cr.yaml new file mode 100644 index 000000000..d05d01809 --- /dev/null +++ b/.github/scripts/config/generate-validating-admission-policy/generate-vap-cr.yaml @@ -0,0 +1,19 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/component: admission-controller + app.kubernetes.io/instance: kyverno + app.kubernetes.io/part-of: kyverno + name: kyverno:generate-validatingadmissionpolicy +rules: +- apiGroups: + - admissionregistration.k8s.io + resources: + - validatingadmissionpolicies + - validatingadmissionpolicybindings + verbs: + - create + - update + - delete + - list diff --git a/.github/scripts/config/generate-validating-admission-policy/install-kyverno.sh b/.github/scripts/config/generate-validating-admission-policy/install-kyverno.sh new file mode 100755 index 000000000..5385560f9 --- /dev/null +++ b/.github/scripts/config/generate-validating-admission-policy/install-kyverno.sh 
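Review bot: The ClusterRole `kyverno:generate-validatingadmissionpolicy` grants create/update/delete/list on ValidatingAdmissionPolicies and bindings, but nothing in this hunk binds it to a subject: there is no ClusterRoleBinding, and the only labels are `app.kubernetes.io/*`, which are not an aggregation selector, so unless the upstream install manifest's admission-controller ClusterRole aggregates by one of these labels the permission is unreachable by Kyverno's service account. If aggregation is the intent, add the label that the upstream role's `aggregationRule` selects (check the downloaded `install-latest-testing.yaml` for it); otherwise add an explicit ClusterRoleBinding to the admission-controller service account. Also consider whether the set of verbs is the minimum needed: a controller that reconciles these objects usually also needs `get`/`watch`, while `delete` is a strong grant to hand out without a comment saying why it is required.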
@@ -0,0 +1,15 @@
+#!/bin/bash
+
+set -e
+
+echo -e "\nDownloading the latest Kyverno installation YAML file..."
+wget -O install-latest-testing.yaml https://github.com/kyverno/kyverno/raw/main/config/install-latest-testing.yaml
+
+echo -e "\nEnabling Validating Admission Policy generation..."
+sed -i 's/--generateValidatingAdmissionPolicy=false/--generateValidatingAdmissionPolicy=true/g' ./install-latest-testing.yaml
+
+echo -e "\nInstalling Kyverno in the cluster..."
+kubectl create -f ./install-latest-testing.yaml
+
+echo -e "\nGranting permissions to Kyverno for VAP generation..."
+kubectl create -f ./.github/scripts/config/generate-validating-admission-policy/generate-vap-cr.yaml
diff --git a/.github/scripts/config/kind/vap-v1alpha1.yaml b/.github/scripts/config/kind/vap-v1alpha1.yaml
new file mode 100644
index 000000000..a32c5fab0
--- /dev/null
+++ b/.github/scripts/config/kind/vap-v1alpha1.yaml
@@ -0,0 +1,11 @@
+kind: Cluster
+apiVersion: kind.x-k8s.io/v1alpha4
+featureGates:
+ ValidatingAdmissionPolicy: true
+runtimeConfig:
+ admissionregistration.k8s.io/v1alpha1: true
+nodes:
+ - role: control-plane
+ - role: worker
+ - role: worker
+ - role: worker
\ No newline at end of file
diff --git a/.github/scripts/config/kind/vap-v1beta1.yaml b/.github/scripts/config/kind/vap-v1beta1.yaml
new file mode 100644
index 000000000..42610882e
--- /dev/null
+++ b/.github/scripts/config/kind/vap-v1beta1.yaml
@@ -0,0 +1,12 @@
+kind: Cluster
+apiVersion: kind.x-k8s.io/v1alpha4
+featureGates:
+ ValidatingAdmissionPolicy: true
+runtimeConfig:
+ admissionregistration.k8s.io/v1beta1: true
+ admissionregistration.k8s.io/v1alpha1: true
+nodes:
+ - role: control-plane
+ - role: worker
+ - role: worker
+ - role: worker
\ No newline at end of file
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index bc7253b02..3ad216aa4 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
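Review bot: The install script fetches `config/install-latest-testing.yaml` from the unpinned `main` branch of kyverno/kyverno with no checksum or ref pin, so every CI run installs whatever upstream happens to have at that moment, and a failure here cannot be reproduced later or told apart from an upstream regression; pin the ref (a commit SHA, overridable through an env var) and print it. The `sed` that flips `--generateValidatingAdmissionPolicy=false` to `true` silently does nothing if upstream renames or drops the flag, which would only surface much later as a confusing VAP assertion timeout; a `grep -q` after the `sed` turns that into an immediate, readable failure. `set -e` alone leaves unset variables and pipeline failures unchecked, so prefer `set -euo pipefail`, and note the final `kubectl create` uses a path relative to the repository root, so the script only works when invoked from there (as the workflow does).
```shell
set -euo pipefail

# Pin to a commit SHA (override via KYVERNO_REF) so runs are reproducible
# rather than a function of whatever is on main at execution time.
KYVERNO_REF="${KYVERNO_REF:-main}"
echo -e "\nDownloading the Kyverno installation YAML file (ref: ${KYVERNO_REF})..."
wget -O install-latest-testing.yaml "https://github.com/kyverno/kyverno/raw/${KYVERNO_REF}/config/install-latest-testing.yaml"

echo -e "\nEnabling Validating Admission Policy generation..."
sed -i 's/--generateValidatingAdmissionPolicy=false/--generateValidatingAdmissionPolicy=true/g' ./install-latest-testing.yaml
# Fail loudly if the flag was renamed upstream and sed matched nothing.
grep -q -- '--generateValidatingAdmissionPolicy=true' ./install-latest-testing.yaml

# … unchanged: kubectl create of the manifest and of the ClusterRole …
```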
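Review bot: The v1beta1 kind config enables `admissionregistration.k8s.io/v1alpha1` alongside `v1beta1` with no comment saying why; the only visible reason is that the assertion files in later patches use `apiVersion: admissionregistration.k8s.io/v1alpha1`, so the 1.28/1.29 jobs keep an alpha API on purely to satisfy the asserts. Either assert against `v1beta1` on those versions or add a comment such as `# v1alpha1 kept enabled because the chainsaw assert files use that apiVersion` so the next person does not drop it. Both kind files also lack a trailing newline.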
@@ -112,3 +112,79 @@ jobs: run: | set -e chainsaw test --config .chainsaw.yaml --include-test-regex '^chainsaw$/${{ matrix.tests }}' --no-color=false + + validatingadmissionpolicies-v1alpha1: + runs-on: ubuntu-latest + strategy: + fail-fast: false + matrix: + k8s-version: + - name: v1.27 + version: v1.27.10 + tests: + - ^pod-security-cel$ + name: ${{ matrix.k8s-version.name }} - validating-admission-policies - ${{ matrix.tests }} + steps: + - name: Checkout repo + uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 + - name: Create kind cluster + uses: helm/kind-action@0025e74a8c7512023d06dc019c617aa3cf561fde # v1.10.0 + with: + node_image: kindest/node:${{ matrix.k8s-version.version }} + cluster_name: kind + config: ./.github/scripts/config/kind/vap-v1alpha1.yaml + - name: Install latest kyverno with VAP generation enabled + run: ./.github/scripts/config/generate-validating-admission-policy/install-kyverno.sh + - name: Wait for kyverno ready + run: | + set -e + kubectl wait --namespace kyverno --for=condition=ready pod --selector '!job-name' --timeout=120s + - name: Install CRDs + run: | + set -e + kubectl apply -f ./.chainsaw/crds + - name: Install Chainsaw + uses: kyverno/action-install-chainsaw@748066cc1580718e7924c9b689a8d366bde05100 # v0.2.0 + - name: Test with Chainsaw + run: | + set -e + chainsaw test --config .chainsaw.yaml --include-test-regex '^chainsaw$/${{ matrix.tests }}' --test-file='chainsaw-test-vap' --no-color=false + + k8s-version-specific-tests-above-1-28: + runs-on: ubuntu-latest + strategy: + fail-fast: false + matrix: + k8s-version: + - name: v1.28 + version: v1.28.7 + - name: v1.29 + version: v1.29.2 + tests: + - ^pod-security-cel$ + name: ${{ matrix.k8s-version.name }} - validating-admission-policies - ${{ matrix.tests }} + steps: + - name: Checkout repo + uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 + - name: Create kind cluster + uses: 
helm/kind-action@0025e74a8c7512023d06dc019c617aa3cf561fde # v1.10.0 + with: + node_image: kindest/node:${{ matrix.k8s-version.version }} + cluster_name: kind + config: ./.github/scripts/config/kind/vap-v1beta1.yaml + - name: Install latest kyverno with VAP generation enabled + run: ./.github/scripts/config/generate-validating-admission-policy/install-kyverno.sh + - name: Wait for kyverno ready + run: | + set -e + kubectl wait --namespace kyverno --for=condition=ready pod --selector '!job-name' --timeout=60s + - name: Install CRDs + run: | + set -e + kubectl apply -f ./.chainsaw/crds + - name: Install Chainsaw + uses: kyverno/action-install-chainsaw@748066cc1580718e7924c9b689a8d366bde05100 # v0.2.0 + - name: Test with Chainsaw + run: | + set -e + chainsaw test --config .chainsaw.yaml --include-test-regex '^chainsaw$/${{ matrix.tests }}' --test-file='chainsaw-test-vap' --no-color=false \ No newline at end of file From 327fae00144e26c4fe58365a64a09a332b49ae44 Mon Sep 17 00:00:00 2001 From: Chandan-DK Date: Tue, 14 May 2024 19:51:08 +0000 Subject: [PATCH 02/21] add vap tests for disallow-capabilities Signed-off-by: Chandan-DK --- .../.chainsaw-test/chainsaw-test-vap.yaml | 37 +++++++++++++++++++ .../validatingadmissionpolicy.yaml | 12 ++++++ .../validatingadmissionpolicybinding.yaml | 13 +++++++ 3 files changed, 62 insertions(+) create mode 100644 pod-security-cel/baseline/disallow-capabilities/.chainsaw-test/chainsaw-test-vap.yaml create mode 100644 pod-security-cel/baseline/disallow-capabilities/.chainsaw-test/validatingadmissionpolicy.yaml create mode 100644 pod-security-cel/baseline/disallow-capabilities/.chainsaw-test/validatingadmissionpolicybinding.yaml diff --git a/pod-security-cel/baseline/disallow-capabilities/.chainsaw-test/chainsaw-test-vap.yaml b/pod-security-cel/baseline/disallow-capabilities/.chainsaw-test/chainsaw-test-vap.yaml new file mode 100644 index 000000000..e633c00f6 --- /dev/null 
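Review bot: The two new jobs are near-identical copies that differ only in the kind config file and the `kubectl wait` timeout (`--timeout=120s` in the v1alpha1 job, `--timeout=60s` in the 1.28/1.29 job), and the shorter timeout on the second job looks accidental rather than deliberate; fold them into one job whose matrix entries carry `version` and `config`, or at least align the timeouts. Both jobs install Kyverno from the `main` branch through `install-kyverno.sh`, so a red run can be caused by an upstream change rather than this repository — pin the ref and surface it in the job name. The job id `k8s-version-specific-tests-above-1-28` does not match its display name `validating-admission-policies`. The workflow-level `permissions:` block is outside the hunk; if it is not already restricted to `contents: read`, these jobs inherit the repository default token scope, which they do not need.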
+++ b/pod-security-cel/baseline/disallow-capabilities/.chainsaw-test/chainsaw-test-vap.yaml @@ -0,0 +1,37 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: disallow-capabilities +spec: + steps: + - name: step-01 + try: + - apply: + file: ../disallow-capabilities.yaml + - patch: + resource: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + metadata: + name: disallow-capabilities + spec: + validationFailureAction: Enforce + - assert: + file: policy-ready.yaml + - name: step-02 + try: + - assert: + file: validatingadmissionpolicy.yaml + - assert: + file: validatingadmissionpolicybinding.yaml + - name: step-03 + try: + - apply: + file: pod-good.yaml + - apply: + expect: + - check: + ($error != null): true + file: pod-bad.yaml + diff --git a/pod-security-cel/baseline/disallow-capabilities/.chainsaw-test/validatingadmissionpolicy.yaml b/pod-security-cel/baseline/disallow-capabilities/.chainsaw-test/validatingadmissionpolicy.yaml new file mode 100644 index 000000000..0d5f86026 --- /dev/null +++ b/pod-security-cel/baseline/disallow-capabilities/.chainsaw-test/validatingadmissionpolicy.yaml @@ -0,0 +1,12 @@ +apiVersion: admissionregistration.k8s.io/v1alpha1 +kind: ValidatingAdmissionPolicy +metadata: + labels: + app.kubernetes.io/managed-by: kyverno + name: disallow-capabilities + ownerReferences: + - apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: disallow-capabilities +spec: + failurePolicy: Fail \ No newline at end of file diff --git a/pod-security-cel/baseline/disallow-capabilities/.chainsaw-test/validatingadmissionpolicybinding.yaml b/pod-security-cel/baseline/disallow-capabilities/.chainsaw-test/validatingadmissionpolicybinding.yaml new file mode 100644 index 000000000..95ef7298f --- /dev/null +++ b/pod-security-cel/baseline/disallow-capabilities/.chainsaw-test/validatingadmissionpolicybinding.yaml 
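Review bot: Step-03's negative check `($error != null): true` passes on any error at all — a missing namespace, an API timeout, or a denial from Kyverno's own webhook — so it never proves that the generated ValidatingAdmissionPolicy is what rejected `pod-bad.yaml`. With the ClusterPolicy patched to `Enforce` in step-01, Kyverno's webhook would reject the same pod even if the VAP were never generated or never bound (unless Kyverno skips webhook enforcement for policies it has converted — confirm). Pin the source of the denial by matching the API server's VAP denial message, which names the policy, e.g. `(contains($error, 'ValidatingAdmissionPolicy')): true`. This file also lacks the `# yaml-language-server: $schema=...` header that the sibling `chainsaw-test-vap.yaml` files carry.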
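Review bot: The ValidatingAdmissionPolicy assertion pins only `failurePolicy: Fail`, the `managed-by` label and the ownerReference, so a generated policy with no `matchConstraints` or an empty `validations` list satisfies step-02 even though it could never deny anything. Add a `spec.validations` entry carrying the CEL `expression` expected from the ClusterPolicy, and a `matchConstraints` entry for `pods`, so the generated body is what gets checked; the ownerReference check is fine as a partial match but `controller: true` would also be worth pinning if Kyverno sets it.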
@@ -0,0 +1,13 @@ +apiVersion: admissionregistration.k8s.io/v1alpha1 +kind: ValidatingAdmissionPolicyBinding +metadata: + labels: + app.kubernetes.io/managed-by: kyverno + name: disallow-capabilities-binding + ownerReferences: + - apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: disallow-capabilities +spec: + policyName: disallow-capabilities + validationActions: [Deny] \ No newline at end of file From a95d18d94fe5e8a8ce69d340bcd9e0a0db8b1a16 Mon Sep 17 00:00:00 2001 From: Chandan-DK Date: Tue, 14 May 2024 19:52:41 +0000 Subject: [PATCH 03/21] add vap tests for disallow-host-namespaces Signed-off-by: Chandan-DK --- .../.chainsaw-test/chainsaw-test-vap.yaml | 37 +++++++++++++++++++ .../validatingadmissionpolicy.yaml | 12 ++++++ .../validatingadmissionpolicybinding.yaml | 13 +++++++ 3 files changed, 62 insertions(+) create mode 100755 pod-security-cel/baseline/disallow-host-namespaces/.chainsaw-test/chainsaw-test-vap.yaml create mode 100644 pod-security-cel/baseline/disallow-host-namespaces/.chainsaw-test/validatingadmissionpolicy.yaml create mode 100644 pod-security-cel/baseline/disallow-host-namespaces/.chainsaw-test/validatingadmissionpolicybinding.yaml diff --git a/pod-security-cel/baseline/disallow-host-namespaces/.chainsaw-test/chainsaw-test-vap.yaml b/pod-security-cel/baseline/disallow-host-namespaces/.chainsaw-test/chainsaw-test-vap.yaml new file mode 100755 index 000000000..a57771849 --- /dev/null +++ b/pod-security-cel/baseline/disallow-host-namespaces/.chainsaw-test/chainsaw-test-vap.yaml 
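Review bot: The binding assertion pins `validationActions: [Deny]` but nothing about `spec.matchResources`; a VAP binding carries no namespace exclusions of its own, so if Kyverno's generated binding has no `namespaceSelector` the Deny applies to every namespace including `kube-system` and `kyverno` (the webhook's configured exclusions do not transfer to VAPs). Assert whatever scoping is expected here, and add a comment noting that `failurePolicy: Fail` on the policy plus a cluster-wide Deny means a broken CEL expression blocks all pod admission — acceptable in a throwaway kind cluster, not something to copy to a real one.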
@@ -0,0 +1,37 @@ +# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: disallow-host-namespaces +spec: + steps: + - name: step-01 + try: + - apply: + file: ../disallow-host-namespaces.yaml + - patch: + resource: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + metadata: + name: disallow-host-namespaces + spec: + validationFailureAction: Enforce + - assert: + file: policy-ready.yaml + - name: step-02 + try: + - assert: + file: validatingadmissionpolicy.yaml + - assert: + file: validatingadmissionpolicybinding.yaml + - name: step-03 + try: + - apply: + file: pod-good.yaml + - apply: + expect: + - check: + ($error != null): true + file: pod-bad.yaml diff --git a/pod-security-cel/baseline/disallow-host-namespaces/.chainsaw-test/validatingadmissionpolicy.yaml b/pod-security-cel/baseline/disallow-host-namespaces/.chainsaw-test/validatingadmissionpolicy.yaml new file mode 100644 index 000000000..5f1ef76fb --- /dev/null +++ b/pod-security-cel/baseline/disallow-host-namespaces/.chainsaw-test/validatingadmissionpolicy.yaml @@ -0,0 +1,12 @@ +apiVersion: admissionregistration.k8s.io/v1alpha1 +kind: ValidatingAdmissionPolicy +metadata: + labels: + app.kubernetes.io/managed-by: kyverno + name: disallow-host-namespaces + ownerReferences: + - apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: disallow-host-namespaces +spec: + failurePolicy: Fail \ No newline at end of file diff --git a/pod-security-cel/baseline/disallow-host-namespaces/.chainsaw-test/validatingadmissionpolicybinding.yaml b/pod-security-cel/baseline/disallow-host-namespaces/.chainsaw-test/validatingadmissionpolicybinding.yaml new file mode 100644 index 000000000..bfddaee0f --- /dev/null +++ b/pod-security-cel/baseline/disallow-host-namespaces/.chainsaw-test/validatingadmissionpolicybinding.yaml 
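Review bot: This YAML test file is created with mode `100755` (per its `new file mode` header) while the disallow-capabilities one is `100644`; a data file does not need the executable bit and the inconsistency suggests it was copied from an executable template, so `chmod 644` it (the `chainsaw-test-vap.yaml` files added in patch 04 are `100755` too). Otherwise the body is identical to the disallow-capabilities test and inherits the same weakness: `($error != null): true` in step-03 accepts any error, not specifically a VAP denial, so a failing Kyverno webhook or a missing namespace would make the test pass.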
@@ -0,0 +1,13 @@ +apiVersion: admissionregistration.k8s.io/v1alpha1 +kind: ValidatingAdmissionPolicyBinding +metadata: + labels: + app.kubernetes.io/managed-by: kyverno + name: disallow-host-namespaces-binding + ownerReferences: + - apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: disallow-host-namespaces +spec: + policyName: disallow-host-namespaces + validationActions: [Deny] \ No newline at end of file From 5414f2df94b9da376b300cc3346526cd9bd8fd70 Mon Sep 17 00:00:00 2001 From: Chandan-DK Date: Fri, 17 May 2024 13:14:10 +0000 Subject: [PATCH 04/21] add vap tests for rest of baseline policies 
Signed-off-by: Chandan-DK --- .../.chainsaw-test/chainsaw-test-vap.yaml | 37 +++++++++++++++++++ .../validatingadmissionpolicy.yaml | 12 ++++++ .../validatingadmissionpolicybinding.yaml | 13 +++++++ .../.chainsaw-test/chainsaw-test-vap.yaml | 37 +++++++++++++++++++ .../validatingadmissionpolicy.yaml | 12 ++++++ .../validatingadmissionpolicybinding.yaml | 13 +++++++ .../.chainsaw-test/chainsaw-test-vap.yaml | 37 +++++++++++++++++++ .../validatingadmissionpolicy.yaml | 12 ++++++ .../validatingadmissionpolicybinding.yaml | 13 +++++++ .../.chainsaw-test/chainsaw-test-vap.yaml | 37 +++++++++++++++++++ .../validatingadmissionpolicy.yaml | 12 ++++++ .../validatingadmissionpolicybinding.yaml | 13 +++++++ .../.chainsaw-test/chainsaw-test-vap.yaml | 37 +++++++++++++++++++ .../validatingadmissionpolicy.yaml | 12 ++++++ .../validatingadmissionpolicybinding.yaml | 13 +++++++ .../.chainsaw-test/chainsaw-test-vap.yaml | 37 +++++++++++++++++++ .../validatingadmissionpolicy.yaml | 12 ++++++ .../validatingadmissionpolicybinding.yaml | 13 +++++++ .../.chainsaw-test/chainsaw-test-vap.yaml | 37 +++++++++++++++++++ .../validatingadmissionpolicy.yaml | 12 ++++++ .../validatingadmissionpolicybinding.yaml | 13 +++++++ 21 files changed, 434 insertions(+) create mode 100755 pod-security-cel/baseline/disallow-host-path/.chainsaw-test/chainsaw-test-vap.yaml create mode 100644 pod-security-cel/baseline/disallow-host-path/.chainsaw-test/validatingadmissionpolicy.yaml create mode 100644 pod-security-cel/baseline/disallow-host-path/.chainsaw-test/validatingadmissionpolicybinding.yaml create mode 100755 pod-security-cel/baseline/disallow-host-ports-range/.chainsaw-test/chainsaw-test-vap.yaml create mode 100644 pod-security-cel/baseline/disallow-host-ports-range/.chainsaw-test/validatingadmissionpolicy.yaml create mode 100644 pod-security-cel/baseline/disallow-host-ports-range/.chainsaw-test/validatingadmissionpolicybinding.yaml create mode 100755 
pod-security-cel/baseline/disallow-host-ports/.chainsaw-test/chainsaw-test-vap.yaml create mode 100644 pod-security-cel/baseline/disallow-host-ports/.chainsaw-test/validatingadmissionpolicy.yaml create mode 100644 pod-security-cel/baseline/disallow-host-ports/.chainsaw-test/validatingadmissionpolicybinding.yaml create mode 100755 pod-security-cel/baseline/disallow-host-process/.chainsaw-test/chainsaw-test-vap.yaml create mode 100644 pod-security-cel/baseline/disallow-host-process/.chainsaw-test/validatingadmissionpolicy.yaml create mode 100644 pod-security-cel/baseline/disallow-host-process/.chainsaw-test/validatingadmissionpolicybinding.yaml create mode 100755 pod-security-cel/baseline/disallow-privileged-containers/.chainsaw-test/chainsaw-test-vap.yaml create mode 100644 pod-security-cel/baseline/disallow-privileged-containers/.chainsaw-test/validatingadmissionpolicy.yaml create mode 100644 pod-security-cel/baseline/disallow-privileged-containers/.chainsaw-test/validatingadmissionpolicybinding.yaml create mode 100755 pod-security-cel/baseline/restrict-seccomp/.chainsaw-test/chainsaw-test-vap.yaml create mode 100644 pod-security-cel/baseline/restrict-seccomp/.chainsaw-test/validatingadmissionpolicy.yaml create mode 100644 pod-security-cel/baseline/restrict-seccomp/.chainsaw-test/validatingadmissionpolicybinding.yaml create mode 100755 pod-security-cel/baseline/restrict-sysctls/.chainsaw-test/chainsaw-test-vap.yaml create mode 100644 pod-security-cel/baseline/restrict-sysctls/.chainsaw-test/validatingadmissionpolicy.yaml create mode 100644 pod-security-cel/baseline/restrict-sysctls/.chainsaw-test/validatingadmissionpolicybinding.yaml diff --git a/pod-security-cel/baseline/disallow-host-path/.chainsaw-test/chainsaw-test-vap.yaml b/pod-security-cel/baseline/disallow-host-path/.chainsaw-test/chainsaw-test-vap.yaml new file mode 100755 index 000000000..45024f594 --- /dev/null +++ b/pod-security-cel/baseline/disallow-host-path/.chainsaw-test/chainsaw-test-vap.yaml 
@@ -0,0 +1,37 @@ +# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: disallow-host-path +spec: + steps: + - name: step-01 + try: + - apply: + file: ../disallow-host-path.yaml + - patch: + resource: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + metadata: + name: disallow-host-path + spec: + validationFailureAction: Enforce + - assert: + file: policy-ready.yaml + - name: step-02 + try: + - assert: + file: validatingadmissionpolicy.yaml + - assert: + file: validatingadmissionpolicybinding.yaml + - name: step-03 + try: + - apply: + file: pod-good.yaml + - apply: + expect: + - check: + ($error != null): true + file: pod-bad.yaml diff --git a/pod-security-cel/baseline/disallow-host-path/.chainsaw-test/validatingadmissionpolicy.yaml b/pod-security-cel/baseline/disallow-host-path/.chainsaw-test/validatingadmissionpolicy.yaml new file mode 100644 index 000000000..bc4e35b83 --- /dev/null +++ b/pod-security-cel/baseline/disallow-host-path/.chainsaw-test/validatingadmissionpolicy.yaml @@ -0,0 +1,12 @@ +apiVersion: admissionregistration.k8s.io/v1alpha1 +kind: ValidatingAdmissionPolicy +metadata: + labels: + app.kubernetes.io/managed-by: kyverno + name: disallow-host-path + ownerReferences: + - apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: disallow-host-path +spec: + failurePolicy: Fail diff --git a/pod-security-cel/baseline/disallow-host-path/.chainsaw-test/validatingadmissionpolicybinding.yaml b/pod-security-cel/baseline/disallow-host-path/.chainsaw-test/validatingadmissionpolicybinding.yaml new file mode 100644 index 000000000..57e77726d --- /dev/null +++ b/pod-security-cel/baseline/disallow-host-path/.chainsaw-test/validatingadmissionpolicybinding.yaml 
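Review bot: The test depends on `policy-ready.yaml`, `pod-good.yaml` and `pod-bad.yaml`, none of which are in this patch and which presumably come from the existing non-VAP chainsaw test in the same `.chainsaw-test` directory; if that sibling test is renamed or refactored this file breaks silently, so a comment such as `# reuses policy-ready/pod-good/pod-bad fixtures from chainsaw-test.yaml` would help. Because step-01 applies the policy (shipped as Audit) and only then patches it to `Enforce`, Kyverno sees two revisions and may first generate the binding with `[Audit]`; the step-02 assert only holds because chainsaw retries until its default timeout, which is worth stating in a comment so a slower CI runner's timeout is not misread as a generation bug.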
@@ -0,0 +1,13 @@ +apiVersion: admissionregistration.k8s.io/v1alpha1 +kind: ValidatingAdmissionPolicyBinding +metadata: + labels: + app.kubernetes.io/managed-by: kyverno + name: disallow-host-path-binding + ownerReferences: + - apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: disallow-host-path +spec: + policyName: disallow-host-path + validationActions: [Deny] diff --git a/pod-security-cel/baseline/disallow-host-ports-range/.chainsaw-test/chainsaw-test-vap.yaml b/pod-security-cel/baseline/disallow-host-ports-range/.chainsaw-test/chainsaw-test-vap.yaml new file mode 100755 index 000000000..141100ea7 --- /dev/null +++ b/pod-security-cel/baseline/disallow-host-ports-range/.chainsaw-test/chainsaw-test-vap.yaml @@ -0,0 +1,37 @@ +# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: disallow-host-ports-range +spec: + steps: + - name: step-01 + try: + - apply: + file: ../disallow-host-ports-range.yaml + - patch: + resource: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + metadata: + name: disallow-host-ports-range + spec: + validationFailureAction: Enforce + - assert: + file: policy-ready.yaml + - name: step-02 + try: + - assert: + file: validatingadmissionpolicy.yaml + - assert: + file: validatingadmissionpolicybinding.yaml + - name: step-03 + try: + - apply: + file: pod-good.yaml + - apply: + expect: + - check: + ($error != null): true + file: pod-bad.yaml diff --git a/pod-security-cel/baseline/disallow-host-ports-range/.chainsaw-test/validatingadmissionpolicy.yaml b/pod-security-cel/baseline/disallow-host-ports-range/.chainsaw-test/validatingadmissionpolicy.yaml new file mode 100644 index 000000000..7888292e9 --- /dev/null +++ b/pod-security-cel/baseline/disallow-host-ports-range/.chainsaw-test/validatingadmissionpolicy.yaml 
@@ -0,0 +1,12 @@ +apiVersion: admissionregistration.k8s.io/v1alpha1 +kind: ValidatingAdmissionPolicy +metadata: + labels: + app.kubernetes.io/managed-by: kyverno + name: disallow-host-ports-range + ownerReferences: + - apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: disallow-host-ports-range +spec: + failurePolicy: Fail diff --git a/pod-security-cel/baseline/disallow-host-ports-range/.chainsaw-test/validatingadmissionpolicybinding.yaml b/pod-security-cel/baseline/disallow-host-ports-range/.chainsaw-test/validatingadmissionpolicybinding.yaml new file mode 100644 index 000000000..9309d1e2f --- /dev/null +++ b/pod-security-cel/baseline/disallow-host-ports-range/.chainsaw-test/validatingadmissionpolicybinding.yaml @@ -0,0 +1,13 @@ +apiVersion: admissionregistration.k8s.io/v1alpha1 +kind: ValidatingAdmissionPolicyBinding +metadata: + labels: + app.kubernetes.io/managed-by: kyverno + name: disallow-host-ports-range-binding + ownerReferences: + - apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: disallow-host-ports-range +spec: + policyName: disallow-host-ports-range + validationActions: [Deny] diff --git a/pod-security-cel/baseline/disallow-host-ports/.chainsaw-test/chainsaw-test-vap.yaml b/pod-security-cel/baseline/disallow-host-ports/.chainsaw-test/chainsaw-test-vap.yaml new file mode 100755 index 000000000..68f57d6b7 --- /dev/null +++ b/pod-security-cel/baseline/disallow-host-ports/.chainsaw-test/chainsaw-test-vap.yaml 
@@ -0,0 +1,37 @@ +# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: disallow-host-ports +spec: + steps: + - name: step-01 + try: + - apply: + file: ../disallow-host-ports.yaml + - patch: + resource: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + metadata: + name: disallow-host-ports + spec: + validationFailureAction: Enforce + - assert: + file: policy-ready.yaml + - name: step-02 + try: + - assert: + file: validatingadmissionpolicy.yaml + - assert: + file: validatingadmissionpolicybinding.yaml + - name: step-03 + try: + - apply: + file: pod-good.yaml + - apply: + expect: + - check: + ($error != null): true + file: pod-bad.yaml diff --git a/pod-security-cel/baseline/disallow-host-ports/.chainsaw-test/validatingadmissionpolicy.yaml b/pod-security-cel/baseline/disallow-host-ports/.chainsaw-test/validatingadmissionpolicy.yaml new file mode 100644 index 000000000..2dc8a287a --- /dev/null +++ b/pod-security-cel/baseline/disallow-host-ports/.chainsaw-test/validatingadmissionpolicy.yaml @@ -0,0 +1,12 @@ +apiVersion: admissionregistration.k8s.io/v1alpha1 +kind: ValidatingAdmissionPolicy +metadata: + labels: + app.kubernetes.io/managed-by: kyverno + name: disallow-host-ports + ownerReferences: + - apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: disallow-host-ports +spec: + failurePolicy: Fail diff --git a/pod-security-cel/baseline/disallow-host-ports/.chainsaw-test/validatingadmissionpolicybinding.yaml b/pod-security-cel/baseline/disallow-host-ports/.chainsaw-test/validatingadmissionpolicybinding.yaml new file mode 100644 index 000000000..0aa2445a4 --- /dev/null +++ b/pod-security-cel/baseline/disallow-host-ports/.chainsaw-test/validatingadmissionpolicybinding.yaml 
@@ -0,0 +1,13 @@ +apiVersion: admissionregistration.k8s.io/v1alpha1 +kind: ValidatingAdmissionPolicyBinding +metadata: + labels: + app.kubernetes.io/managed-by: kyverno + name: disallow-host-ports-binding + ownerReferences: + - apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: disallow-host-ports +spec: + policyName: disallow-host-ports + validationActions: [Deny] diff --git a/pod-security-cel/baseline/disallow-host-process/.chainsaw-test/chainsaw-test-vap.yaml b/pod-security-cel/baseline/disallow-host-process/.chainsaw-test/chainsaw-test-vap.yaml new file mode 100755 index 000000000..5380230b0 --- /dev/null +++ b/pod-security-cel/baseline/disallow-host-process/.chainsaw-test/chainsaw-test-vap.yaml @@ -0,0 +1,37 @@ +# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: disallow-host-process +spec: + steps: + - name: step-01 + try: + - apply: + file: ../disallow-host-process.yaml + - patch: + resource: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + metadata: + name: disallow-host-process + spec: + validationFailureAction: Enforce + - assert: + file: policy-ready.yaml + - name: step-02 + try: + - assert: + file: validatingadmissionpolicy.yaml + - assert: + file: validatingadmissionpolicybinding.yaml + - name: step-03 + try: + - apply: + file: pod-good.yaml + - apply: + expect: + - check: + ($error != null): true + file: pod-bad.yaml diff --git a/pod-security-cel/baseline/disallow-host-process/.chainsaw-test/validatingadmissionpolicy.yaml b/pod-security-cel/baseline/disallow-host-process/.chainsaw-test/validatingadmissionpolicy.yaml new file mode 100644 index 000000000..0d324af7c --- /dev/null +++ b/pod-security-cel/baseline/disallow-host-process/.chainsaw-test/validatingadmissionpolicy.yaml 
@@ -0,0 +1,12 @@ +apiVersion: admissionregistration.k8s.io/v1alpha1 +kind: ValidatingAdmissionPolicy +metadata: + labels: + app.kubernetes.io/managed-by: kyverno + name: disallow-host-process + ownerReferences: + - apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: disallow-host-process +spec: + failurePolicy: Fail diff --git a/pod-security-cel/baseline/disallow-host-process/.chainsaw-test/validatingadmissionpolicybinding.yaml b/pod-security-cel/baseline/disallow-host-process/.chainsaw-test/validatingadmissionpolicybinding.yaml new file mode 100644 index 000000000..a3830e18f --- /dev/null +++ b/pod-security-cel/baseline/disallow-host-process/.chainsaw-test/validatingadmissionpolicybinding.yaml @@ -0,0 +1,13 @@ +apiVersion: admissionregistration.k8s.io/v1alpha1 +kind: ValidatingAdmissionPolicyBinding +metadata: + labels: + app.kubernetes.io/managed-by: kyverno + name: disallow-host-process-binding + ownerReferences: + - apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: disallow-host-process +spec: + policyName: disallow-host-process + validationActions: [Deny] diff --git a/pod-security-cel/baseline/disallow-privileged-containers/.chainsaw-test/chainsaw-test-vap.yaml b/pod-security-cel/baseline/disallow-privileged-containers/.chainsaw-test/chainsaw-test-vap.yaml new file mode 100755 index 000000000..4be208475 --- /dev/null +++ b/pod-security-cel/baseline/disallow-privileged-containers/.chainsaw-test/chainsaw-test-vap.yaml 
@@ -0,0 +1,37 @@ +# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: disallow-privileged-containers +spec: + steps: + - name: step-01 + try: + - apply: + file: ../disallow-privileged-containers.yaml + - patch: + resource: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + metadata: + name: disallow-privileged-containers + spec: + validationFailureAction: Enforce + - assert: + file: policy-ready.yaml + - name: step-02 + try: + - assert: + file: validatingadmissionpolicy.yaml + - assert: + file: validatingadmissionpolicybinding.yaml + - name: step-03 + try: + - apply: + file: pod-good.yaml + - apply: + expect: + - check: + ($error != null): true + file: pod-bad.yaml diff --git a/pod-security-cel/baseline/disallow-privileged-containers/.chainsaw-test/validatingadmissionpolicy.yaml b/pod-security-cel/baseline/disallow-privileged-containers/.chainsaw-test/validatingadmissionpolicy.yaml new file mode 100644 index 000000000..a80d20a5b --- /dev/null +++ b/pod-security-cel/baseline/disallow-privileged-containers/.chainsaw-test/validatingadmissionpolicy.yaml @@ -0,0 +1,12 @@ +apiVersion: admissionregistration.k8s.io/v1alpha1 +kind: ValidatingAdmissionPolicy +metadata: + labels: + app.kubernetes.io/managed-by: kyverno + name: disallow-privileged-containers + ownerReferences: + - apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: disallow-privileged-containers +spec: + failurePolicy: Fail diff --git a/pod-security-cel/baseline/disallow-privileged-containers/.chainsaw-test/validatingadmissionpolicybinding.yaml b/pod-security-cel/baseline/disallow-privileged-containers/.chainsaw-test/validatingadmissionpolicybinding.yaml new file mode 100644 index 000000000..cdb51c322 --- /dev/null +++ b/pod-security-cel/baseline/disallow-privileged-containers/.chainsaw-test/validatingadmissionpolicybinding.yaml 
@@ -0,0 +1,13 @@ +apiVersion: admissionregistration.k8s.io/v1alpha1 +kind: ValidatingAdmissionPolicyBinding +metadata: + labels: + app.kubernetes.io/managed-by: kyverno + name: disallow-privileged-containers-binding + ownerReferences: + - apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: disallow-privileged-containers +spec: + policyName: disallow-privileged-containers + validationActions: [Deny] diff --git a/pod-security-cel/baseline/restrict-seccomp/.chainsaw-test/chainsaw-test-vap.yaml b/pod-security-cel/baseline/restrict-seccomp/.chainsaw-test/chainsaw-test-vap.yaml new file mode 100755 index 000000000..1a0c56df0 --- /dev/null +++ b/pod-security-cel/baseline/restrict-seccomp/.chainsaw-test/chainsaw-test-vap.yaml @@ -0,0 +1,37 @@ +# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: restrict-seccomp +spec: + steps: + - name: step-01 + try: + - apply: + file: ../restrict-seccomp.yaml + - patch: + resource: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + metadata: + name: restrict-seccomp + spec: + validationFailureAction: Enforce + - assert: + file: policy-ready.yaml + - name: step-02 + try: + - assert: + file: validatingadmissionpolicy.yaml + - assert: + file: validatingadmissionpolicybinding.yaml + - name: step-03 + try: + - apply: + file: pod-good.yaml + - apply: + expect: + - check: + ($error != null): true + file: pod-bad.yaml diff --git a/pod-security-cel/baseline/restrict-seccomp/.chainsaw-test/validatingadmissionpolicy.yaml b/pod-security-cel/baseline/restrict-seccomp/.chainsaw-test/validatingadmissionpolicy.yaml new file mode 100644 index 000000000..680526965 --- /dev/null +++ b/pod-security-cel/baseline/restrict-seccomp/.chainsaw-test/validatingadmissionpolicy.yaml 
@@ -0,0 +1,12 @@
+apiVersion: admissionregistration.k8s.io/v1alpha1
+kind: ValidatingAdmissionPolicy
+metadata:
+ labels:
+ app.kubernetes.io/managed-by: kyverno
+ name: restrict-seccomp
+ ownerReferences:
+ - apiVersion: kyverno.io/v1
+ kind: ClusterPolicy
+ name: restrict-seccomp
+spec:
+ failurePolicy: Fail
diff --git a/pod-security-cel/baseline/restrict-seccomp/.chainsaw-test/validatingadmissionpolicybinding.yaml b/pod-security-cel/baseline/restrict-seccomp/.chainsaw-test/validatingadmissionpolicybinding.yaml
new file mode 100644
index 000000000..c433eae2c
--- /dev/null
+++ b/pod-security-cel/baseline/restrict-seccomp/.chainsaw-test/validatingadmissionpolicybinding.yaml
@@ -0,0 +1,13 @@
+apiVersion: admissionregistration.k8s.io/v1alpha1
+kind: ValidatingAdmissionPolicyBinding
+metadata:
+ labels:
+ app.kubernetes.io/managed-by: kyverno
+ name: restrict-seccomp-binding
+ ownerReferences:
+ - apiVersion: kyverno.io/v1
+ kind: ClusterPolicy
+ name: restrict-seccomp
+spec:
+ policyName: restrict-seccomp
+ validationActions: [Deny]
diff --git a/pod-security-cel/baseline/restrict-sysctls/.chainsaw-test/chainsaw-test-vap.yaml b/pod-security-cel/baseline/restrict-sysctls/.chainsaw-test/chainsaw-test-vap.yaml
new file mode 100755
index 000000000..ad8eeba06
--- /dev/null
+++ b/pod-security-cel/baseline/restrict-sysctls/.chainsaw-test/chainsaw-test-vap.yaml
@@ -0,0 +1,37 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: restrict-sysctls
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: ../restrict-sysctls.yaml
+ - patch:
+ resource:
+ apiVersion: kyverno.io/v1
+ kind: ClusterPolicy
+ metadata:
+ name: restrict-sysctls
+ spec:
+ validationFailureAction: Enforce
+ - assert:
+ file: policy-ready.yaml
+ - name: step-02
+ try:
+ - assert:
+ file: validatingadmissionpolicy.yaml
+ - assert:
+ file: validatingadmissionpolicybinding.yaml
+ - name: step-03
+ try:
+ - apply:
+ file: pod-good.yaml
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: pod-bad.yaml
diff --git a/pod-security-cel/baseline/restrict-sysctls/.chainsaw-test/validatingadmissionpolicy.yaml b/pod-security-cel/baseline/restrict-sysctls/.chainsaw-test/validatingadmissionpolicy.yaml
new file mode 100644
index 000000000..cd0a7c3b5
--- /dev/null
+++ b/pod-security-cel/baseline/restrict-sysctls/.chainsaw-test/validatingadmissionpolicy.yaml
@@ -0,0 +1,12 @@
+apiVersion: admissionregistration.k8s.io/v1alpha1
+kind: ValidatingAdmissionPolicy
+metadata:
+ labels:
+ app.kubernetes.io/managed-by: kyverno
+ name: restrict-sysctls
+ ownerReferences:
+ - apiVersion: kyverno.io/v1
+ kind: ClusterPolicy
+ name: restrict-sysctls
+spec:
+ failurePolicy: Fail
diff --git a/pod-security-cel/baseline/restrict-sysctls/.chainsaw-test/validatingadmissionpolicybinding.yaml b/pod-security-cel/baseline/restrict-sysctls/.chainsaw-test/validatingadmissionpolicybinding.yaml
new file mode 100644
index 000000000..ab2618e79
--- /dev/null
+++ b/pod-security-cel/baseline/restrict-sysctls/.chainsaw-test/validatingadmissionpolicybinding.yaml
@@ -0,0 +1,13 @@
+apiVersion: admissionregistration.k8s.io/v1alpha1
+kind: ValidatingAdmissionPolicyBinding
+metadata:
+ labels:
+ app.kubernetes.io/managed-by: kyverno
+ name: restrict-sysctls-binding
+ ownerReferences:
+ - apiVersion: kyverno.io/v1
+ kind: ClusterPolicy
+ name: restrict-sysctls
+spec:
+ policyName: restrict-sysctls
+ validationActions: [Deny]
From 90eb891a109698139c876c06917aa70ce8e0e8e9 Mon Sep 17 00:00:00 2001 From: Chandan-DK Date: Fri, 17 May 2024 13:21:46 +0000 Subject: [PATCH 05/21] add vap tests for restricted policies
Signed-off-by: Chandan-DK --- .../.chainsaw-test/chainsaw-test-vap.yaml | 37 ++++++++++++++++ .../validatingadmissionpolicy.yaml | 12 +++++ .../validatingadmissionpolicybinding.yaml | 13 ++++++ .../.chainsaw-test/chainsaw-test-vap.yaml | 37 ++++++++++++++++ .../validatingadmissionpolicy.yaml | 12 +++++ .../validatingadmissionpolicybinding.yaml | 13 ++++++ .../.chainsaw-test/chainsaw-test-vap.yaml | 37 ++++++++++++++++ .../validatingadmissionpolicy.yaml | 12 +++++ .../validatingadmissionpolicybinding.yaml | 13 ++++++ .../.chainsaw-test/chainsaw-test-vap.yaml | 37 ++++++++++++++++ .../validatingadmissionpolicy.yaml | 12 +++++ .../validatingadmissionpolicybinding.yaml | 13 ++++++ .../.chainsaw-test/chainsaw-test-vap.yaml | 44 +++++++++++++++++++ .../validatingadmissionpolicy.yaml | 12 +++++ .../validatingadmissionpolicybinding.yaml | 13 ++++++ 15 files changed, 317 insertions(+) create mode 100755 pod-security-cel/restricted/disallow-privilege-escalation/.chainsaw-test/chainsaw-test-vap.yaml create mode 100644 pod-security-cel/restricted/disallow-privilege-escalation/.chainsaw-test/validatingadmissionpolicy.yaml create mode 100644 pod-security-cel/restricted/disallow-privilege-escalation/.chainsaw-test/validatingadmissionpolicybinding.yaml create mode 100755 pod-security-cel/restricted/require-run-as-non-root-user/.chainsaw-test/chainsaw-test-vap.yaml create mode 100644 pod-security-cel/restricted/require-run-as-non-root-user/.chainsaw-test/validatingadmissionpolicy.yaml create mode 100644 pod-security-cel/restricted/require-run-as-non-root-user/.chainsaw-test/validatingadmissionpolicybinding.yaml create mode 100755 pod-security-cel/restricted/require-run-as-nonroot/.chainsaw-test/chainsaw-test-vap.yaml create mode 100644 pod-security-cel/restricted/require-run-as-nonroot/.chainsaw-test/validatingadmissionpolicy.yaml create mode 100644 pod-security-cel/restricted/require-run-as-nonroot/.chainsaw-test/validatingadmissionpolicybinding.yaml create mode 100755 
pod-security-cel/restricted/restrict-seccomp-strict/.chainsaw-test/chainsaw-test-vap.yaml create mode 100644 pod-security-cel/restricted/restrict-seccomp-strict/.chainsaw-test/validatingadmissionpolicy.yaml create mode 100644 pod-security-cel/restricted/restrict-seccomp-strict/.chainsaw-test/validatingadmissionpolicybinding.yaml create mode 100755 pod-security-cel/restricted/restrict-volume-types/.chainsaw-test/chainsaw-test-vap.yaml create mode 100644 pod-security-cel/restricted/restrict-volume-types/.chainsaw-test/validatingadmissionpolicy.yaml create mode 100644 pod-security-cel/restricted/restrict-volume-types/.chainsaw-test/validatingadmissionpolicybinding.yaml
diff --git a/pod-security-cel/restricted/disallow-privilege-escalation/.chainsaw-test/chainsaw-test-vap.yaml b/pod-security-cel/restricted/disallow-privilege-escalation/.chainsaw-test/chainsaw-test-vap.yaml
new file mode 100755
index 000000000..f4be6982c
--- /dev/null
+++ b/pod-security-cel/restricted/disallow-privilege-escalation/.chainsaw-test/chainsaw-test-vap.yaml
@@ -0,0 +1,37 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: disallow-privilege-escalation
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: ../disallow-privilege-escalation.yaml
+ - patch:
+ resource:
+ apiVersion: kyverno.io/v1
+ kind: ClusterPolicy
+ metadata:
+ name: disallow-privilege-escalation
+ spec:
+ validationFailureAction: Enforce
+ - assert:
+ file: policy-ready.yaml
+ - name: step-02
+ try:
+ - assert:
+ file: validatingadmissionpolicy.yaml
+ - assert:
+ file: validatingadmissionpolicybinding.yaml
+ - name: step-03
+ try:
+ - apply:
+ file: pod-good.yaml
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: pod-bad.yaml
diff --git a/pod-security-cel/restricted/disallow-privilege-escalation/.chainsaw-test/validatingadmissionpolicy.yaml b/pod-security-cel/restricted/disallow-privilege-escalation/.chainsaw-test/validatingadmissionpolicy.yaml
new file mode 100644
index 000000000..6e49f5ca4
--- /dev/null
+++ b/pod-security-cel/restricted/disallow-privilege-escalation/.chainsaw-test/validatingadmissionpolicy.yaml
@@ -0,0 +1,12 @@
+apiVersion: admissionregistration.k8s.io/v1alpha1
+kind: ValidatingAdmissionPolicy
+metadata:
+ labels:
+ app.kubernetes.io/managed-by: kyverno
+ name: disallow-privilege-escalation
+ ownerReferences:
+ - apiVersion: kyverno.io/v1
+ kind: ClusterPolicy
+ name: disallow-privilege-escalation
+spec:
+ failurePolicy: Fail
diff --git a/pod-security-cel/restricted/disallow-privilege-escalation/.chainsaw-test/validatingadmissionpolicybinding.yaml b/pod-security-cel/restricted/disallow-privilege-escalation/.chainsaw-test/validatingadmissionpolicybinding.yaml
new file mode 100644
index 000000000..775ba1c20
--- /dev/null
+++ b/pod-security-cel/restricted/disallow-privilege-escalation/.chainsaw-test/validatingadmissionpolicybinding.yaml
@@ -0,0 +1,13 @@
+apiVersion: admissionregistration.k8s.io/v1alpha1
+kind: ValidatingAdmissionPolicyBinding
+metadata:
+ labels:
+ app.kubernetes.io/managed-by: kyverno
+ name: disallow-privilege-escalation-binding
+ ownerReferences:
+ - apiVersion: kyverno.io/v1
+ kind: ClusterPolicy
+ name: disallow-privilege-escalation
+spec:
+ policyName: disallow-privilege-escalation
+ validationActions: [Deny]
diff --git a/pod-security-cel/restricted/require-run-as-non-root-user/.chainsaw-test/chainsaw-test-vap.yaml b/pod-security-cel/restricted/require-run-as-non-root-user/.chainsaw-test/chainsaw-test-vap.yaml
new file mode 100755
index 000000000..4920df15f
--- /dev/null
+++ b/pod-security-cel/restricted/require-run-as-non-root-user/.chainsaw-test/chainsaw-test-vap.yaml
@@ -0,0 +1,37 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: require-run-as-non-root-user
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: ../require-run-as-non-root-user.yaml
+ - patch:
+ resource:
+ apiVersion: kyverno.io/v1
+ kind: ClusterPolicy
+ metadata:
+ name: require-run-as-non-root-user
+ spec:
+ validationFailureAction: Enforce
+ - assert:
+ file: policy-ready.yaml
+ - name: step-02
+ try:
+ - assert:
+ file: validatingadmissionpolicy.yaml
+ - assert:
+ file: validatingadmissionpolicybinding.yaml
+ - name: step-03
+ try:
+ - apply:
+ file: pod-good.yaml
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: pod-bad.yaml
\ No newline at end of file
diff --git a/pod-security-cel/restricted/require-run-as-non-root-user/.chainsaw-test/validatingadmissionpolicy.yaml b/pod-security-cel/restricted/require-run-as-non-root-user/.chainsaw-test/validatingadmissionpolicy.yaml
new file mode 100644
index 000000000..11bdd12e0
--- /dev/null
+++ b/pod-security-cel/restricted/require-run-as-non-root-user/.chainsaw-test/validatingadmissionpolicy.yaml
@@ -0,0 +1,12 @@
+apiVersion: admissionregistration.k8s.io/v1alpha1
+kind: ValidatingAdmissionPolicy
+metadata:
+ labels:
+ app.kubernetes.io/managed-by: kyverno
+ name: require-run-as-non-root-user
+ ownerReferences:
+ - apiVersion: kyverno.io/v1
+ kind: ClusterPolicy
+ name: require-run-as-non-root-user
+spec:
+ failurePolicy: Fail
diff --git a/pod-security-cel/restricted/require-run-as-non-root-user/.chainsaw-test/validatingadmissionpolicybinding.yaml b/pod-security-cel/restricted/require-run-as-non-root-user/.chainsaw-test/validatingadmissionpolicybinding.yaml
new file mode 100644
index 000000000..7ca54c314
--- /dev/null
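Review bot: `chainsaw-test-vap.yaml` for require-run-as-non-root-user is committed without a trailing newline (`\ No newline at end of file` after `file: pod-bad.yaml`), unlike the sibling test files in this series; the require-run-as-nonroot copy has the same omission. Adding the final newline keeps later diffs of the last line clean and satisfies the usual yamllint `new-line-at-end-of-file` rule.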
+++ b/pod-security-cel/restricted/require-run-as-non-root-user/.chainsaw-test/validatingadmissionpolicybinding.yaml
@@ -0,0 +1,13 @@
+apiVersion: admissionregistration.k8s.io/v1alpha1
+kind: ValidatingAdmissionPolicyBinding
+metadata:
+ labels:
+ app.kubernetes.io/managed-by: kyverno
+ name: require-run-as-non-root-user-binding
+ ownerReferences:
+ - apiVersion: kyverno.io/v1
+ kind: ClusterPolicy
+ name: require-run-as-non-root-user
+spec:
+ policyName: require-run-as-non-root-user
+ validationActions: [Deny]
diff --git a/pod-security-cel/restricted/require-run-as-nonroot/.chainsaw-test/chainsaw-test-vap.yaml b/pod-security-cel/restricted/require-run-as-nonroot/.chainsaw-test/chainsaw-test-vap.yaml
new file mode 100755
index 000000000..6a047bbb1
--- /dev/null
+++ b/pod-security-cel/restricted/require-run-as-nonroot/.chainsaw-test/chainsaw-test-vap.yaml
@@ -0,0 +1,37 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: require-run-as-nonroot
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: ../require-run-as-nonroot.yaml
+ - patch:
+ resource:
+ apiVersion: kyverno.io/v1
+ kind: ClusterPolicy
+ metadata:
+ name: require-run-as-nonroot
+ spec:
+ validationFailureAction: Enforce
+ - assert:
+ file: policy-ready.yaml
+ - name: step-02
+ try:
+ - assert:
+ file: validatingadmissionpolicy.yaml
+ - assert:
+ file: validatingadmissionpolicybinding.yaml
+ - name: step-03
+ try:
+ - apply:
+ file: pod-good.yaml
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: pod-bad.yaml
\ No newline at end of file
diff --git a/pod-security-cel/restricted/require-run-as-nonroot/.chainsaw-test/validatingadmissionpolicy.yaml b/pod-security-cel/restricted/require-run-as-nonroot/.chainsaw-test/validatingadmissionpolicy.yaml
new file mode 100644
index 000000000..66522489d
--- /dev/null
+++ b/pod-security-cel/restricted/require-run-as-nonroot/.chainsaw-test/validatingadmissionpolicy.yaml
@@ -0,0 +1,12 @@
+apiVersion: admissionregistration.k8s.io/v1alpha1
+kind: ValidatingAdmissionPolicy
+metadata:
+ labels:
+ app.kubernetes.io/managed-by: kyverno
+ name: require-run-as-nonroot
+ ownerReferences:
+ - apiVersion: kyverno.io/v1
+ kind: ClusterPolicy
+ name: require-run-as-nonroot
+spec:
+ failurePolicy: Fail
diff --git a/pod-security-cel/restricted/require-run-as-nonroot/.chainsaw-test/validatingadmissionpolicybinding.yaml b/pod-security-cel/restricted/require-run-as-nonroot/.chainsaw-test/validatingadmissionpolicybinding.yaml
new file mode 100644
index 000000000..90532450d
--- /dev/null
+++ b/pod-security-cel/restricted/require-run-as-nonroot/.chainsaw-test/validatingadmissionpolicybinding.yaml
@@ -0,0 +1,13 @@
+apiVersion: admissionregistration.k8s.io/v1alpha1
+kind: ValidatingAdmissionPolicyBinding
+metadata:
+ labels:
+ app.kubernetes.io/managed-by: kyverno
+ name: require-run-as-nonroot-binding
+ ownerReferences:
+ - apiVersion: kyverno.io/v1
+ kind: ClusterPolicy
+ name: require-run-as-nonroot
+spec:
+ policyName: require-run-as-nonroot
+ validationActions: [Deny]
diff --git a/pod-security-cel/restricted/restrict-seccomp-strict/.chainsaw-test/chainsaw-test-vap.yaml b/pod-security-cel/restricted/restrict-seccomp-strict/.chainsaw-test/chainsaw-test-vap.yaml
new file mode 100755
index 000000000..249602641
--- /dev/null
+++ b/pod-security-cel/restricted/restrict-seccomp-strict/.chainsaw-test/chainsaw-test-vap.yaml
@@ -0,0 +1,37 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: restrict-seccomp-strict
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: ../restrict-seccomp-strict.yaml
+ - patch:
+ resource:
+ apiVersion: kyverno.io/v1
+ kind: ClusterPolicy
+ metadata:
+ name: restrict-seccomp-strict
+ spec:
+ validationFailureAction: Enforce
+ - assert:
+ file: policy-ready.yaml
+ - name: step-02
+ try:
+ - assert:
+ file: validatingadmissionpolicy.yaml
+ - assert:
+ file: validatingadmissionpolicybinding.yaml
+ - name: step-03
+ try:
+ - apply:
+ file: pod-good.yaml
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: pod-bad.yaml
diff --git a/pod-security-cel/restricted/restrict-seccomp-strict/.chainsaw-test/validatingadmissionpolicy.yaml b/pod-security-cel/restricted/restrict-seccomp-strict/.chainsaw-test/validatingadmissionpolicy.yaml
new file mode 100644
index 000000000..c7777ba12
--- /dev/null
+++ b/pod-security-cel/restricted/restrict-seccomp-strict/.chainsaw-test/validatingadmissionpolicy.yaml
@@ -0,0 +1,12 @@
+apiVersion: admissionregistration.k8s.io/v1alpha1
+kind: ValidatingAdmissionPolicy
+metadata:
+ labels:
+ app.kubernetes.io/managed-by: kyverno
+ name: restrict-seccomp-strict
+ ownerReferences:
+ - apiVersion: kyverno.io/v1
+ kind: ClusterPolicy
+ name: restrict-seccomp-strict
+spec:
+ failurePolicy: Fail
diff --git a/pod-security-cel/restricted/restrict-seccomp-strict/.chainsaw-test/validatingadmissionpolicybinding.yaml b/pod-security-cel/restricted/restrict-seccomp-strict/.chainsaw-test/validatingadmissionpolicybinding.yaml
new file mode 100644
index 000000000..77f46283c
--- /dev/null
+++ b/pod-security-cel/restricted/restrict-seccomp-strict/.chainsaw-test/validatingadmissionpolicybinding.yaml
@@ -0,0 +1,13 @@
+apiVersion: admissionregistration.k8s.io/v1alpha1
+kind: ValidatingAdmissionPolicyBinding
+metadata:
+ labels:
+ app.kubernetes.io/managed-by: kyverno
+ name: restrict-seccomp-strict-binding
+ ownerReferences:
+ - apiVersion: kyverno.io/v1
+ kind: ClusterPolicy
+ name: restrict-seccomp-strict
+spec:
+ policyName: restrict-seccomp-strict
+ validationActions: [Deny]
diff --git a/pod-security-cel/restricted/restrict-volume-types/.chainsaw-test/chainsaw-test-vap.yaml b/pod-security-cel/restricted/restrict-volume-types/.chainsaw-test/chainsaw-test-vap.yaml
new file mode 100755
index 000000000..245b12ac6
--- /dev/null
+++ b/pod-security-cel/restricted/restrict-volume-types/.chainsaw-test/chainsaw-test-vap.yaml
@@ -0,0 +1,44 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: restrict-volume-types
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: ns.yaml
+ - apply:
+ file: ../restrict-volume-types.yaml
+ - patch:
+ resource:
+ apiVersion: kyverno.io/v1
+ kind: ClusterPolicy
+ metadata:
+ name: restrict-volume-types
+ spec:
+ validationFailureAction: Enforce
+ - assert:
+ file: policy-ready.yaml
+ - name: step-02
+ try:
+ - assert:
+ file: validatingadmissionpolicy.yaml
+ - assert:
+ file: validatingadmissionpolicybinding.yaml
+ - name: step-03
+ try:
+ - apply:
+ file: pod-good.yaml
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: pod-bad.yaml
+ - name: step-99
+ try:
+ - script:
+ content: kubectl delete all --all --force --grace-period=0 -n restrict-voltypes-ns
+
diff --git a/pod-security-cel/restricted/restrict-volume-types/.chainsaw-test/validatingadmissionpolicy.yaml b/pod-security-cel/restricted/restrict-volume-types/.chainsaw-test/validatingadmissionpolicy.yaml
new file mode 100644
index 000000000..a3912548a
--- /dev/null
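Review bot: The `kubectl delete all --all --force --grace-period=0 -n restrict-voltypes-ns` cleanup in `chainsaw-test-vap.yaml` for restrict-volume-types lives in an ordinary `step-99`, so it is skipped whenever step-03 fails, which is exactly the case where leftover Pods in that namespace are most likely. Moving the `script` under a step `finally:` (or `cleanup:`) block runs it regardless of outcome, and the empty `+` line at the end of the file can be dropped. The hard-coded namespace must also agree with what `ns.yaml` creates, which this hunk applies but does not show; a comment such as `# must match metadata.name in ns.yaml` next to the script would make that coupling visible.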
+++ b/pod-security-cel/restricted/restrict-volume-types/.chainsaw-test/validatingadmissionpolicy.yaml
@@ -0,0 +1,12 @@
+apiVersion: admissionregistration.k8s.io/v1alpha1
+kind: ValidatingAdmissionPolicy
+metadata:
+ labels:
+ app.kubernetes.io/managed-by: kyverno
+ name: restrict-volume-types
+ ownerReferences:
+ - apiVersion: kyverno.io/v1
+ kind: ClusterPolicy
+ name: restrict-volume-types
+spec:
+ failurePolicy: Fail
diff --git a/pod-security-cel/restricted/restrict-volume-types/.chainsaw-test/validatingadmissionpolicybinding.yaml b/pod-security-cel/restricted/restrict-volume-types/.chainsaw-test/validatingadmissionpolicybinding.yaml
new file mode 100644
index 000000000..e1b60d25f
--- /dev/null
+++ b/pod-security-cel/restricted/restrict-volume-types/.chainsaw-test/validatingadmissionpolicybinding.yaml
@@ -0,0 +1,13 @@
+apiVersion: admissionregistration.k8s.io/v1alpha1
+kind: ValidatingAdmissionPolicyBinding
+metadata:
+ labels:
+ app.kubernetes.io/managed-by: kyverno
+ name: restrict-volume-types-binding
+ ownerReferences:
+ - apiVersion: kyverno.io/v1
+ kind: ClusterPolicy
+ name: restrict-volume-types
+spec:
+ policyName: restrict-volume-types
+ validationActions: [Deny]
From 07320ffcc7ba284031e92c844252ca6819104137 Mon Sep 17 00:00:00 2001 From: Chandan-DK Date: Fri, 17 May 2024 13:24:36 +0000 Subject: [PATCH 06/21] set timeout to 60s Signed-off-by: Chandan-DK --- .github/workflows/test.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index b3a4a6e84..b6505554b 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -142,7 +142,7 @@ jobs: - name: Wait for kyverno ready run: | set -e - kubectl wait --namespace kyverno --for=condition=ready pod --selector '!job-name' --timeout=120s + kubectl wait --namespace kyverno --for=condition=ready pod --selector '!job-name' --timeout=60s - name: Install CRDs run: | set -e
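Review bot: Halving `--timeout` to 60s on the `kubectl wait --namespace kyverno --for=condition=ready pod --selector '!job-name'` line only shortens the failure path, not the happy path, because `kubectl wait` returns as soon as the selected pods report Ready; on a cold runner that still has to pull the Kyverno images it makes the step flakier without making a green run any faster. If the goal is to fail fast on a broken install, the 120s bound with the step's `set -e` already stops the job on timeout, so keeping `--timeout=120s` seems the safer choice. The rest of the `Wait for kyverno ready` step and the surrounding job are outside the hunk.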
From bbf05f4451f6d0ed44709badbf3023beb06c9676 Mon Sep 17 00:00:00 2001 From: Chandan-DK Date: Sat, 18 May 2024 11:10:07 +0000 Subject: [PATCH 07/21] use assert in vap file names 
Signed-off-by: Chandan-DK --- .../.chainsaw-test/chainsaw-test-vap.yaml | 4 ++-- .../{validatingadmissionpolicy.yaml => vap-assert.yaml} | 0 ...tingadmissionpolicybinding.yaml => vapbinding-assert.yaml} | 0 .../.chainsaw-test/chainsaw-test-vap.yaml | 4 ++-- .../{validatingadmissionpolicy.yaml => vap-assert.yaml} | 0 ...tingadmissionpolicybinding.yaml => vapbinding-assert.yaml} | 0 .../disallow-host-path/.chainsaw-test/chainsaw-test-vap.yaml | 4 ++-- .../{validatingadmissionpolicy.yaml => vap-assert.yaml} | 0 ...tingadmissionpolicybinding.yaml => vapbinding-assert.yaml} | 0 .../.chainsaw-test/chainsaw-test-vap.yaml | 4 ++-- .../{validatingadmissionpolicy.yaml => vap-assert.yaml} | 0 ...tingadmissionpolicybinding.yaml => vapbinding-assert.yaml} | 0 .../disallow-host-ports/.chainsaw-test/chainsaw-test-vap.yaml | 4 ++-- .../{validatingadmissionpolicy.yaml => vap-assert.yaml} | 0 ...tingadmissionpolicybinding.yaml => vapbinding-assert.yaml} | 0 .../.chainsaw-test/chainsaw-test-vap.yaml | 4 ++-- .../{validatingadmissionpolicy.yaml => vap-assert.yaml} | 0 ...tingadmissionpolicybinding.yaml => vapbinding-assert.yaml} | 0 .../.chainsaw-test/chainsaw-test-vap.yaml | 4 ++-- .../{validatingadmissionpolicy.yaml => vap-assert.yaml} | 0 ...tingadmissionpolicybinding.yaml => vapbinding-assert.yaml} | 0 .../restrict-seccomp/.chainsaw-test/chainsaw-test-vap.yaml | 4 ++-- .../{validatingadmissionpolicy.yaml => vap-assert.yaml} | 0 ...tingadmissionpolicybinding.yaml => vapbinding-assert.yaml} | 0 .../restrict-sysctls/.chainsaw-test/chainsaw-test-vap.yaml | 4 ++-- .../{validatingadmissionpolicy.yaml => vap-assert.yaml} | 0 ...tingadmissionpolicybinding.yaml => vapbinding-assert.yaml} | 0 .../.chainsaw-test/chainsaw-test-vap.yaml | 4 ++-- .../{validatingadmissionpolicy.yaml => vap-assert.yaml} | 0 ...tingadmissionpolicybinding.yaml => vapbinding-assert.yaml} | 0 .../.chainsaw-test/chainsaw-test-vap.yaml | 4 ++-- .../{validatingadmissionpolicy.yaml => vap-assert.yaml} | 0 
...tingadmissionpolicybinding.yaml => vapbinding-assert.yaml} | 0 .../.chainsaw-test/chainsaw-test-vap.yaml | 4 ++-- .../{validatingadmissionpolicy.yaml => vap-assert.yaml} | 0 ...tingadmissionpolicybinding.yaml => vapbinding-assert.yaml} | 0 .../.chainsaw-test/chainsaw-test-vap.yaml | 4 ++-- .../{validatingadmissionpolicy.yaml => vap-assert.yaml} | 0 ...tingadmissionpolicybinding.yaml => vapbinding-assert.yaml} | 0 .../.chainsaw-test/chainsaw-test-vap.yaml | 4 ++-- .../{validatingadmissionpolicy.yaml => vap-assert.yaml} | 0 ...tingadmissionpolicybinding.yaml => vapbinding-assert.yaml} | 0 42 files changed, 28 insertions(+), 28 deletions(-) rename pod-security-cel/baseline/disallow-capabilities/.chainsaw-test/{validatingadmissionpolicy.yaml => vap-assert.yaml} (100%) rename pod-security-cel/baseline/disallow-capabilities/.chainsaw-test/{validatingadmissionpolicybinding.yaml => vapbinding-assert.yaml} (100%) rename pod-security-cel/baseline/disallow-host-namespaces/.chainsaw-test/{validatingadmissionpolicy.yaml => vap-assert.yaml} (100%) rename pod-security-cel/baseline/disallow-host-namespaces/.chainsaw-test/{validatingadmissionpolicybinding.yaml => vapbinding-assert.yaml} (100%) rename pod-security-cel/baseline/disallow-host-path/.chainsaw-test/{validatingadmissionpolicy.yaml => vap-assert.yaml} (100%) rename pod-security-cel/baseline/disallow-host-path/.chainsaw-test/{validatingadmissionpolicybinding.yaml => vapbinding-assert.yaml} (100%) rename pod-security-cel/baseline/disallow-host-ports-range/.chainsaw-test/{validatingadmissionpolicy.yaml => vap-assert.yaml} (100%) rename pod-security-cel/baseline/disallow-host-ports-range/.chainsaw-test/{validatingadmissionpolicybinding.yaml => vapbinding-assert.yaml} (100%) rename pod-security-cel/baseline/disallow-host-ports/.chainsaw-test/{validatingadmissionpolicy.yaml => vap-assert.yaml} (100%) rename pod-security-cel/baseline/disallow-host-ports/.chainsaw-test/{validatingadmissionpolicybinding.yaml => 
vapbinding-assert.yaml} (100%) rename pod-security-cel/baseline/disallow-host-process/.chainsaw-test/{validatingadmissionpolicy.yaml => vap-assert.yaml} (100%) rename pod-security-cel/baseline/disallow-host-process/.chainsaw-test/{validatingadmissionpolicybinding.yaml => vapbinding-assert.yaml} (100%) rename pod-security-cel/baseline/disallow-privileged-containers/.chainsaw-test/{validatingadmissionpolicy.yaml => vap-assert.yaml} (100%) rename pod-security-cel/baseline/disallow-privileged-containers/.chainsaw-test/{validatingadmissionpolicybinding.yaml => vapbinding-assert.yaml} (100%) rename pod-security-cel/baseline/restrict-seccomp/.chainsaw-test/{validatingadmissionpolicy.yaml => vap-assert.yaml} (100%) rename pod-security-cel/baseline/restrict-seccomp/.chainsaw-test/{validatingadmissionpolicybinding.yaml => vapbinding-assert.yaml} (100%) rename pod-security-cel/baseline/restrict-sysctls/.chainsaw-test/{validatingadmissionpolicy.yaml => vap-assert.yaml} (100%) rename pod-security-cel/baseline/restrict-sysctls/.chainsaw-test/{validatingadmissionpolicybinding.yaml => vapbinding-assert.yaml} (100%) rename pod-security-cel/restricted/disallow-privilege-escalation/.chainsaw-test/{validatingadmissionpolicy.yaml => vap-assert.yaml} (100%) rename pod-security-cel/restricted/disallow-privilege-escalation/.chainsaw-test/{validatingadmissionpolicybinding.yaml => vapbinding-assert.yaml} (100%) rename pod-security-cel/restricted/require-run-as-non-root-user/.chainsaw-test/{validatingadmissionpolicy.yaml => vap-assert.yaml} (100%) rename pod-security-cel/restricted/require-run-as-non-root-user/.chainsaw-test/{validatingadmissionpolicybinding.yaml => vapbinding-assert.yaml} (100%) rename pod-security-cel/restricted/require-run-as-nonroot/.chainsaw-test/{validatingadmissionpolicy.yaml => vap-assert.yaml} (100%) rename pod-security-cel/restricted/require-run-as-nonroot/.chainsaw-test/{validatingadmissionpolicybinding.yaml => vapbinding-assert.yaml} (100%) rename 
pod-security-cel/restricted/restrict-seccomp-strict/.chainsaw-test/{validatingadmissionpolicy.yaml => vap-assert.yaml} (100%) rename pod-security-cel/restricted/restrict-seccomp-strict/.chainsaw-test/{validatingadmissionpolicybinding.yaml => vapbinding-assert.yaml} (100%) rename pod-security-cel/restricted/restrict-volume-types/.chainsaw-test/{validatingadmissionpolicy.yaml => vap-assert.yaml} (100%) rename pod-security-cel/restricted/restrict-volume-types/.chainsaw-test/{validatingadmissionpolicybinding.yaml => vapbinding-assert.yaml} (100%) diff --git a/pod-security-cel/baseline/disallow-capabilities/.chainsaw-test/chainsaw-test-vap.yaml b/pod-security-cel/baseline/disallow-capabilities/.chainsaw-test/chainsaw-test-vap.yaml index e633c00f6..bc9b948e2 100644 --- a/pod-security-cel/baseline/disallow-capabilities/.chainsaw-test/chainsaw-test-vap.yaml +++ b/pod-security-cel/baseline/disallow-capabilities/.chainsaw-test/chainsaw-test-vap.yaml @@ -22,9 +22,9 @@ spec: - name: step-02 try: - assert: - file: validatingadmissionpolicy.yaml + file: vap-assert.yaml - assert: - file: validatingadmissionpolicybinding.yaml + file: vapbinding-assert.yaml - name: step-03 try: - apply: diff --git a/pod-security-cel/baseline/disallow-capabilities/.chainsaw-test/validatingadmissionpolicy.yaml b/pod-security-cel/baseline/disallow-capabilities/.chainsaw-test/vap-assert.yaml similarity index 100% rename from pod-security-cel/baseline/disallow-capabilities/.chainsaw-test/validatingadmissionpolicy.yaml rename to pod-security-cel/baseline/disallow-capabilities/.chainsaw-test/vap-assert.yaml 
diff --git a/pod-security-cel/baseline/disallow-capabilities/.chainsaw-test/validatingadmissionpolicybinding.yaml b/pod-security-cel/baseline/disallow-capabilities/.chainsaw-test/vapbinding-assert.yaml similarity index 100% rename from pod-security-cel/baseline/disallow-capabilities/.chainsaw-test/validatingadmissionpolicybinding.yaml rename to pod-security-cel/baseline/disallow-capabilities/.chainsaw-test/vapbinding-assert.yaml diff --git a/pod-security-cel/baseline/disallow-host-namespaces/.chainsaw-test/chainsaw-test-vap.yaml b/pod-security-cel/baseline/disallow-host-namespaces/.chainsaw-test/chainsaw-test-vap.yaml index a57771849..927963585 100755 --- a/pod-security-cel/baseline/disallow-host-namespaces/.chainsaw-test/chainsaw-test-vap.yaml +++ b/pod-security-cel/baseline/disallow-host-namespaces/.chainsaw-test/chainsaw-test-vap.yaml @@ -23,9 +23,9 @@ spec: - name: step-02 try: - assert: - file: validatingadmissionpolicy.yaml + file: vap-assert.yaml - assert: - file: validatingadmissionpolicybinding.yaml + file: vapbinding-assert.yaml - name: step-03 try: - apply: diff --git a/pod-security-cel/baseline/disallow-host-namespaces/.chainsaw-test/validatingadmissionpolicy.yaml b/pod-security-cel/baseline/disallow-host-namespaces/.chainsaw-test/vap-assert.yaml similarity index 100% rename from pod-security-cel/baseline/disallow-host-namespaces/.chainsaw-test/validatingadmissionpolicy.yaml rename to pod-security-cel/baseline/disallow-host-namespaces/.chainsaw-test/vap-assert.yaml diff --git a/pod-security-cel/baseline/disallow-host-namespaces/.chainsaw-test/validatingadmissionpolicybinding.yaml b/pod-security-cel/baseline/disallow-host-namespaces/.chainsaw-test/vapbinding-assert.yaml similarity index 100% rename from pod-security-cel/baseline/disallow-host-namespaces/.chainsaw-test/validatingadmissionpolicybinding.yaml rename to pod-security-cel/baseline/disallow-host-namespaces/.chainsaw-test/vapbinding-assert.yaml 
diff --git a/pod-security-cel/baseline/disallow-host-path/.chainsaw-test/chainsaw-test-vap.yaml b/pod-security-cel/baseline/disallow-host-path/.chainsaw-test/chainsaw-test-vap.yaml index 45024f594..a4f18c9a7 100755 --- a/pod-security-cel/baseline/disallow-host-path/.chainsaw-test/chainsaw-test-vap.yaml +++ b/pod-security-cel/baseline/disallow-host-path/.chainsaw-test/chainsaw-test-vap.yaml @@ -23,9 +23,9 @@ spec: - name: step-02 try: - assert: - file: validatingadmissionpolicy.yaml + file: vap-assert.yaml - assert: - file: validatingadmissionpolicybinding.yaml + file: vapbinding-assert.yaml - name: step-03 try: - apply: diff --git a/pod-security-cel/baseline/disallow-host-path/.chainsaw-test/validatingadmissionpolicy.yaml b/pod-security-cel/baseline/disallow-host-path/.chainsaw-test/vap-assert.yaml similarity index 100% rename from pod-security-cel/baseline/disallow-host-path/.chainsaw-test/validatingadmissionpolicy.yaml rename to pod-security-cel/baseline/disallow-host-path/.chainsaw-test/vap-assert.yaml diff --git a/pod-security-cel/baseline/disallow-host-path/.chainsaw-test/validatingadmissionpolicybinding.yaml b/pod-security-cel/baseline/disallow-host-path/.chainsaw-test/vapbinding-assert.yaml similarity index 100% rename from pod-security-cel/baseline/disallow-host-path/.chainsaw-test/validatingadmissionpolicybinding.yaml rename to pod-security-cel/baseline/disallow-host-path/.chainsaw-test/vapbinding-assert.yaml diff --git a/pod-security-cel/baseline/disallow-host-ports-range/.chainsaw-test/chainsaw-test-vap.yaml b/pod-security-cel/baseline/disallow-host-ports-range/.chainsaw-test/chainsaw-test-vap.yaml index 141100ea7..ce67114f4 100755 --- a/pod-security-cel/baseline/disallow-host-ports-range/.chainsaw-test/chainsaw-test-vap.yaml +++ b/pod-security-cel/baseline/disallow-host-ports-range/.chainsaw-test/chainsaw-test-vap.yaml 
@@ -23,9 +23,9 @@ spec:
 - name: step-02
 try:
 - assert:
- file: validatingadmissionpolicy.yaml
+ file: vap-assert.yaml
 - assert:
- file: validatingadmissionpolicybinding.yaml
+ file: vapbinding-assert.yaml
 - name: step-03
 try:
 - apply:
diff --git a/pod-security-cel/baseline/disallow-host-ports-range/.chainsaw-test/validatingadmissionpolicy.yaml b/pod-security-cel/baseline/disallow-host-ports-range/.chainsaw-test/vap-assert.yaml
similarity index 100%
rename from pod-security-cel/baseline/disallow-host-ports-range/.chainsaw-test/validatingadmissionpolicy.yaml
rename to pod-security-cel/baseline/disallow-host-ports-range/.chainsaw-test/vap-assert.yaml
diff --git a/pod-security-cel/baseline/disallow-host-ports-range/.chainsaw-test/validatingadmissionpolicybinding.yaml b/pod-security-cel/baseline/disallow-host-ports-range/.chainsaw-test/vapbinding-assert.yaml
similarity index 100%
rename from pod-security-cel/baseline/disallow-host-ports-range/.chainsaw-test/validatingadmissionpolicybinding.yaml
rename to pod-security-cel/baseline/disallow-host-ports-range/.chainsaw-test/vapbinding-assert.yaml
diff --git a/pod-security-cel/baseline/disallow-host-ports/.chainsaw-test/chainsaw-test-vap.yaml b/pod-security-cel/baseline/disallow-host-ports/.chainsaw-test/chainsaw-test-vap.yaml
index 68f57d6b7..4d2dcadd1 100755
--- a/pod-security-cel/baseline/disallow-host-ports/.chainsaw-test/chainsaw-test-vap.yaml
+++ b/pod-security-cel/baseline/disallow-host-ports/.chainsaw-test/chainsaw-test-vap.yaml
@@ -23,9 +23,9 @@ spec:
 - name: step-02
 try:
 - assert:
- file: validatingadmissionpolicy.yaml
+ file: vap-assert.yaml
 - assert:
- file: validatingadmissionpolicybinding.yaml
+ file: vapbinding-assert.yaml
 - name: step-03
 try:
 - apply:
diff --git a/pod-security-cel/baseline/disallow-host-ports/.chainsaw-test/validatingadmissionpolicy.yaml b/pod-security-cel/baseline/disallow-host-ports/.chainsaw-test/vap-assert.yaml
similarity index 100%
rename from pod-security-cel/baseline/disallow-host-ports/.chainsaw-test/validatingadmissionpolicy.yaml
rename to pod-security-cel/baseline/disallow-host-ports/.chainsaw-test/vap-assert.yaml
diff --git a/pod-security-cel/baseline/disallow-host-ports/.chainsaw-test/validatingadmissionpolicybinding.yaml b/pod-security-cel/baseline/disallow-host-ports/.chainsaw-test/vapbinding-assert.yaml
similarity index 100%
rename from pod-security-cel/baseline/disallow-host-ports/.chainsaw-test/validatingadmissionpolicybinding.yaml
rename to pod-security-cel/baseline/disallow-host-ports/.chainsaw-test/vapbinding-assert.yaml
diff --git a/pod-security-cel/baseline/disallow-host-process/.chainsaw-test/chainsaw-test-vap.yaml b/pod-security-cel/baseline/disallow-host-process/.chainsaw-test/chainsaw-test-vap.yaml
index 5380230b0..4fea778ba 100755
--- a/pod-security-cel/baseline/disallow-host-process/.chainsaw-test/chainsaw-test-vap.yaml
+++ b/pod-security-cel/baseline/disallow-host-process/.chainsaw-test/chainsaw-test-vap.yaml
@@ -23,9 +23,9 @@ spec:
 - name: step-02
 try:
 - assert:
- file: validatingadmissionpolicy.yaml
+ file: vap-assert.yaml
 - assert:
- file: validatingadmissionpolicybinding.yaml
+ file: vapbinding-assert.yaml
 - name: step-03
 try:
 - apply:
diff --git a/pod-security-cel/baseline/disallow-host-process/.chainsaw-test/validatingadmissionpolicy.yaml b/pod-security-cel/baseline/disallow-host-process/.chainsaw-test/vap-assert.yaml
similarity index 100%
rename from pod-security-cel/baseline/disallow-host-process/.chainsaw-test/validatingadmissionpolicy.yaml
rename to pod-security-cel/baseline/disallow-host-process/.chainsaw-test/vap-assert.yaml
diff --git a/pod-security-cel/baseline/disallow-host-process/.chainsaw-test/validatingadmissionpolicybinding.yaml b/pod-security-cel/baseline/disallow-host-process/.chainsaw-test/vapbinding-assert.yaml
similarity index 100%
rename from pod-security-cel/baseline/disallow-host-process/.chainsaw-test/validatingadmissionpolicybinding.yaml
rename to pod-security-cel/baseline/disallow-host-process/.chainsaw-test/vapbinding-assert.yaml
diff --git a/pod-security-cel/baseline/disallow-privileged-containers/.chainsaw-test/chainsaw-test-vap.yaml b/pod-security-cel/baseline/disallow-privileged-containers/.chainsaw-test/chainsaw-test-vap.yaml
index 4be208475..1dd5111e9 100755
--- a/pod-security-cel/baseline/disallow-privileged-containers/.chainsaw-test/chainsaw-test-vap.yaml
+++ b/pod-security-cel/baseline/disallow-privileged-containers/.chainsaw-test/chainsaw-test-vap.yaml
@@ -23,9 +23,9 @@ spec:
 - name: step-02
 try:
 - assert:
- file: validatingadmissionpolicy.yaml
+ file: vap-assert.yaml
 - assert:
- file: validatingadmissionpolicybinding.yaml
+ file: vapbinding-assert.yaml
 - name: step-03
 try:
 - apply:
diff --git a/pod-security-cel/baseline/disallow-privileged-containers/.chainsaw-test/validatingadmissionpolicy.yaml b/pod-security-cel/baseline/disallow-privileged-containers/.chainsaw-test/vap-assert.yaml
similarity index 100%
rename from pod-security-cel/baseline/disallow-privileged-containers/.chainsaw-test/validatingadmissionpolicy.yaml
rename to pod-security-cel/baseline/disallow-privileged-containers/.chainsaw-test/vap-assert.yaml
diff --git a/pod-security-cel/baseline/disallow-privileged-containers/.chainsaw-test/validatingadmissionpolicybinding.yaml b/pod-security-cel/baseline/disallow-privileged-containers/.chainsaw-test/vapbinding-assert.yaml
similarity index 100%
rename from pod-security-cel/baseline/disallow-privileged-containers/.chainsaw-test/validatingadmissionpolicybinding.yaml
rename to pod-security-cel/baseline/disallow-privileged-containers/.chainsaw-test/vapbinding-assert.yaml
diff --git a/pod-security-cel/baseline/restrict-seccomp/.chainsaw-test/chainsaw-test-vap.yaml b/pod-security-cel/baseline/restrict-seccomp/.chainsaw-test/chainsaw-test-vap.yaml
index 1a0c56df0..ee430dc4b 100755
--- a/pod-security-cel/baseline/restrict-seccomp/.chainsaw-test/chainsaw-test-vap.yaml
+++ b/pod-security-cel/baseline/restrict-seccomp/.chainsaw-test/chainsaw-test-vap.yaml
@@ -23,9 +23,9 @@ spec:
 - name: step-02
 try:
 - assert:
- file: validatingadmissionpolicy.yaml
+ file: vap-assert.yaml
 - assert:
- file: validatingadmissionpolicybinding.yaml
+ file: vapbinding-assert.yaml
 - name: step-03
 try:
 - apply:
diff --git a/pod-security-cel/baseline/restrict-seccomp/.chainsaw-test/validatingadmissionpolicy.yaml b/pod-security-cel/baseline/restrict-seccomp/.chainsaw-test/vap-assert.yaml
similarity index 100%
rename from pod-security-cel/baseline/restrict-seccomp/.chainsaw-test/validatingadmissionpolicy.yaml
rename to pod-security-cel/baseline/restrict-seccomp/.chainsaw-test/vap-assert.yaml
diff --git a/pod-security-cel/baseline/restrict-seccomp/.chainsaw-test/validatingadmissionpolicybinding.yaml b/pod-security-cel/baseline/restrict-seccomp/.chainsaw-test/vapbinding-assert.yaml
similarity index 100%
rename from pod-security-cel/baseline/restrict-seccomp/.chainsaw-test/validatingadmissionpolicybinding.yaml
rename to pod-security-cel/baseline/restrict-seccomp/.chainsaw-test/vapbinding-assert.yaml
diff --git a/pod-security-cel/baseline/restrict-sysctls/.chainsaw-test/chainsaw-test-vap.yaml b/pod-security-cel/baseline/restrict-sysctls/.chainsaw-test/chainsaw-test-vap.yaml
index ad8eeba06..202aaf42b 100755
--- a/pod-security-cel/baseline/restrict-sysctls/.chainsaw-test/chainsaw-test-vap.yaml
+++ b/pod-security-cel/baseline/restrict-sysctls/.chainsaw-test/chainsaw-test-vap.yaml
@@ -23,9 +23,9 @@ spec:
 - name: step-02
 try:
 - assert:
- file: validatingadmissionpolicy.yaml
+ file: vap-assert.yaml
 - assert:
- file: validatingadmissionpolicybinding.yaml
+ file: vapbinding-assert.yaml
 - name: step-03
 try:
 - apply:
diff --git a/pod-security-cel/baseline/restrict-sysctls/.chainsaw-test/validatingadmissionpolicy.yaml b/pod-security-cel/baseline/restrict-sysctls/.chainsaw-test/vap-assert.yaml
similarity index 100%
rename from pod-security-cel/baseline/restrict-sysctls/.chainsaw-test/validatingadmissionpolicy.yaml
rename to pod-security-cel/baseline/restrict-sysctls/.chainsaw-test/vap-assert.yaml
diff --git a/pod-security-cel/baseline/restrict-sysctls/.chainsaw-test/validatingadmissionpolicybinding.yaml b/pod-security-cel/baseline/restrict-sysctls/.chainsaw-test/vapbinding-assert.yaml
similarity index 100%
rename from pod-security-cel/baseline/restrict-sysctls/.chainsaw-test/validatingadmissionpolicybinding.yaml
rename to pod-security-cel/baseline/restrict-sysctls/.chainsaw-test/vapbinding-assert.yaml
diff --git a/pod-security-cel/restricted/disallow-privilege-escalation/.chainsaw-test/chainsaw-test-vap.yaml b/pod-security-cel/restricted/disallow-privilege-escalation/.chainsaw-test/chainsaw-test-vap.yaml
index f4be6982c..f96084d00 100755
--- a/pod-security-cel/restricted/disallow-privilege-escalation/.chainsaw-test/chainsaw-test-vap.yaml
+++ b/pod-security-cel/restricted/disallow-privilege-escalation/.chainsaw-test/chainsaw-test-vap.yaml
@@ -23,9 +23,9 @@ spec:
 - name: step-02
 try:
 - assert:
- file: validatingadmissionpolicy.yaml
+ file: vap-assert.yaml
 - assert:
- file: validatingadmissionpolicybinding.yaml
+ file: vapbinding-assert.yaml
 - name: step-03
 try:
 - apply:
diff --git a/pod-security-cel/restricted/disallow-privilege-escalation/.chainsaw-test/validatingadmissionpolicy.yaml b/pod-security-cel/restricted/disallow-privilege-escalation/.chainsaw-test/vap-assert.yaml
similarity index 100%
rename from pod-security-cel/restricted/disallow-privilege-escalation/.chainsaw-test/validatingadmissionpolicy.yaml
rename to pod-security-cel/restricted/disallow-privilege-escalation/.chainsaw-test/vap-assert.yaml
diff --git a/pod-security-cel/restricted/disallow-privilege-escalation/.chainsaw-test/validatingadmissionpolicybinding.yaml b/pod-security-cel/restricted/disallow-privilege-escalation/.chainsaw-test/vapbinding-assert.yaml
similarity index 100%
rename from pod-security-cel/restricted/disallow-privilege-escalation/.chainsaw-test/validatingadmissionpolicybinding.yaml
rename to pod-security-cel/restricted/disallow-privilege-escalation/.chainsaw-test/vapbinding-assert.yaml
diff --git a/pod-security-cel/restricted/require-run-as-non-root-user/.chainsaw-test/chainsaw-test-vap.yaml b/pod-security-cel/restricted/require-run-as-non-root-user/.chainsaw-test/chainsaw-test-vap.yaml
index 4920df15f..528160b3b 100755
--- a/pod-security-cel/restricted/require-run-as-non-root-user/.chainsaw-test/chainsaw-test-vap.yaml
+++ b/pod-security-cel/restricted/require-run-as-non-root-user/.chainsaw-test/chainsaw-test-vap.yaml
@@ -23,9 +23,9 @@ spec:
 - name: step-02
 try:
 - assert:
- file: validatingadmissionpolicy.yaml
+ file: vap-assert.yaml
 - assert:
- file: validatingadmissionpolicybinding.yaml
+ file: vapbinding-assert.yaml
 - name: step-03
 try:
 - apply:
diff --git a/pod-security-cel/restricted/require-run-as-non-root-user/.chainsaw-test/validatingadmissionpolicy.yaml b/pod-security-cel/restricted/require-run-as-non-root-user/.chainsaw-test/vap-assert.yaml
similarity index 100%
rename from pod-security-cel/restricted/require-run-as-non-root-user/.chainsaw-test/validatingadmissionpolicy.yaml
rename to pod-security-cel/restricted/require-run-as-non-root-user/.chainsaw-test/vap-assert.yaml
diff --git a/pod-security-cel/restricted/require-run-as-non-root-user/.chainsaw-test/validatingadmissionpolicybinding.yaml b/pod-security-cel/restricted/require-run-as-non-root-user/.chainsaw-test/vapbinding-assert.yaml
similarity index 100%
rename from pod-security-cel/restricted/require-run-as-non-root-user/.chainsaw-test/validatingadmissionpolicybinding.yaml
rename to pod-security-cel/restricted/require-run-as-non-root-user/.chainsaw-test/vapbinding-assert.yaml
diff --git a/pod-security-cel/restricted/require-run-as-nonroot/.chainsaw-test/chainsaw-test-vap.yaml b/pod-security-cel/restricted/require-run-as-nonroot/.chainsaw-test/chainsaw-test-vap.yaml
index 6a047bbb1..8c4149e4d 100755
--- a/pod-security-cel/restricted/require-run-as-nonroot/.chainsaw-test/chainsaw-test-vap.yaml
+++ b/pod-security-cel/restricted/require-run-as-nonroot/.chainsaw-test/chainsaw-test-vap.yaml
@@ -23,9 +23,9 @@ spec:
 - name: step-02
 try:
 - assert:
- file: validatingadmissionpolicy.yaml
+ file: vap-assert.yaml
 - assert:
- file: validatingadmissionpolicybinding.yaml
+ file: vapbinding-assert.yaml
 - name: step-03
 try:
 - apply:
diff --git a/pod-security-cel/restricted/require-run-as-nonroot/.chainsaw-test/validatingadmissionpolicy.yaml b/pod-security-cel/restricted/require-run-as-nonroot/.chainsaw-test/vap-assert.yaml
similarity index 100%
rename from pod-security-cel/restricted/require-run-as-nonroot/.chainsaw-test/validatingadmissionpolicy.yaml
rename to pod-security-cel/restricted/require-run-as-nonroot/.chainsaw-test/vap-assert.yaml
diff --git a/pod-security-cel/restricted/require-run-as-nonroot/.chainsaw-test/validatingadmissionpolicybinding.yaml b/pod-security-cel/restricted/require-run-as-nonroot/.chainsaw-test/vapbinding-assert.yaml
similarity index 100%
rename from pod-security-cel/restricted/require-run-as-nonroot/.chainsaw-test/validatingadmissionpolicybinding.yaml
rename to pod-security-cel/restricted/require-run-as-nonroot/.chainsaw-test/vapbinding-assert.yaml
diff --git a/pod-security-cel/restricted/restrict-seccomp-strict/.chainsaw-test/chainsaw-test-vap.yaml b/pod-security-cel/restricted/restrict-seccomp-strict/.chainsaw-test/chainsaw-test-vap.yaml
index 249602641..82b754cf3 100755
--- a/pod-security-cel/restricted/restrict-seccomp-strict/.chainsaw-test/chainsaw-test-vap.yaml
+++ b/pod-security-cel/restricted/restrict-seccomp-strict/.chainsaw-test/chainsaw-test-vap.yaml
@@ -23,9 +23,9 @@ spec:
 - name: step-02
 try:
 - assert:
- file: validatingadmissionpolicy.yaml
+ file: vap-assert.yaml
 - assert:
- file: validatingadmissionpolicybinding.yaml
+ file: vapbinding-assert.yaml
 - name: step-03
 try:
 - apply:
diff --git a/pod-security-cel/restricted/restrict-seccomp-strict/.chainsaw-test/validatingadmissionpolicy.yaml b/pod-security-cel/restricted/restrict-seccomp-strict/.chainsaw-test/vap-assert.yaml
similarity index 100%
rename from pod-security-cel/restricted/restrict-seccomp-strict/.chainsaw-test/validatingadmissionpolicy.yaml
rename to pod-security-cel/restricted/restrict-seccomp-strict/.chainsaw-test/vap-assert.yaml
diff --git a/pod-security-cel/restricted/restrict-seccomp-strict/.chainsaw-test/validatingadmissionpolicybinding.yaml b/pod-security-cel/restricted/restrict-seccomp-strict/.chainsaw-test/vapbinding-assert.yaml
similarity index 100%
rename from pod-security-cel/restricted/restrict-seccomp-strict/.chainsaw-test/validatingadmissionpolicybinding.yaml
rename to pod-security-cel/restricted/restrict-seccomp-strict/.chainsaw-test/vapbinding-assert.yaml
diff --git a/pod-security-cel/restricted/restrict-volume-types/.chainsaw-test/chainsaw-test-vap.yaml b/pod-security-cel/restricted/restrict-volume-types/.chainsaw-test/chainsaw-test-vap.yaml
index 245b12ac6..9495843e9 100755
--- a/pod-security-cel/restricted/restrict-volume-types/.chainsaw-test/chainsaw-test-vap.yaml
+++ b/pod-security-cel/restricted/restrict-volume-types/.chainsaw-test/chainsaw-test-vap.yaml
@@ -25,9 +25,9 @@ spec:
 - name: step-02
 try:
 - assert:
- file: validatingadmissionpolicy.yaml
+ file: vap-assert.yaml
 - assert:
- file: validatingadmissionpolicybinding.yaml
+ file: vapbinding-assert.yaml
 - name: step-03
 try:
 - apply:
diff --git a/pod-security-cel/restricted/restrict-volume-types/.chainsaw-test/validatingadmissionpolicy.yaml b/pod-security-cel/restricted/restrict-volume-types/.chainsaw-test/vap-assert.yaml
similarity index 100%
rename from pod-security-cel/restricted/restrict-volume-types/.chainsaw-test/validatingadmissionpolicy.yaml
rename to pod-security-cel/restricted/restrict-volume-types/.chainsaw-test/vap-assert.yaml
diff --git a/pod-security-cel/restricted/restrict-volume-types/.chainsaw-test/validatingadmissionpolicybinding.yaml b/pod-security-cel/restricted/restrict-volume-types/.chainsaw-test/vapbinding-assert.yaml
similarity index 100%
rename from pod-security-cel/restricted/restrict-volume-types/.chainsaw-test/validatingadmissionpolicybinding.yaml
rename to pod-security-cel/restricted/restrict-volume-types/.chainsaw-test/vapbinding-assert.yaml
From 992afa98284a74ada0c45ccf8d003ba1248782de Mon Sep 17 00:00:00 2001
From: Chandan-DK
Date: Thu, 1 Aug 2024 06:45:30 +0000
Subject: [PATCH 08/21] add composite action for installing crds
Signed-off-by: Chandan-DK
---
 .github/actions/install-crds/action.yaml | 9 +++++++++
 1 file changed, 9 insertions(+)
 create mode 100644 .github/actions/install-crds/action.yaml
diff --git a/.github/actions/install-crds/action.yaml b/.github/actions/install-crds/action.yaml
new file mode 100644
index 000000000..20a2908dc
--- /dev/null
+++ b/.github/actions/install-crds/action.yaml
@@ -0,0 +1,9 @@
+name: "Install CRDs"
+description: "Installs all CRDs for chainsaw tests"
+runs:
+ using: "composite"
+ steps:
+ - name: Install CRDs
+ run: |
+ set -e
+ kubectl apply -f ./.chainsaw/crds
From d5224c208b1ebeb00f0cbf340a7bdd62a419fe89 Mon Sep 17 00:00:00 2001
From: Chandan-DK
Date: Thu, 1 Aug 2024 06:45:58 +0000
Subject: [PATCH 09/21] add composite action to wait for kyverno to become ready
Signed-off-by: Chandan-DK
---
 .github/actions/wait-for-kyverno-ready/action.yaml | 9 +++++++++
 1 file changed, 9 insertions(+)
 create mode 100644 .github/actions/wait-for-kyverno-ready/action.yaml
diff --git a/.github/actions/wait-for-kyverno-ready/action.yaml b/.github/actions/wait-for-kyverno-ready/action.yaml
new file mode 100644
index 000000000..32464f9d8
--- /dev/null
+++ b/.github/actions/wait-for-kyverno-ready/action.yaml
@@ -0,0 +1,9 @@
+name: "Wait for Kyverno To Become Ready"
+description: "Waits for Kyverno to become ready before running chainsaw tests"
+runs:
+ using: "composite"
+ steps:
+ - name: Wait for kyverno ready
+ run: |
+ set -e
+ kubectl wait --namespace kyverno --for=condition=ready pod --selector '!job-name' --timeout=60s --no-color=false
From c7501b22172de1444e4181aec0682a29c8303319 Mon Sep 17 00:00:00 2001
From: Chandan-DK
Date: Thu, 1 Aug 2024 06:47:26 +0000
Subject: [PATCH 10/21] add test-file input for run-tests action and reference actions in setup-env
Signed-off-by: Chandan-DK
---
 .github/actions/run-tests/action.yaml | 5 ++++-
 .github/actions/setup-env/action.yaml | 10 ++--------
 2 files changed, 6 insertions(+), 9 deletions(-)
diff --git a/.github/actions/run-tests/action.yaml b/.github/actions/run-tests/action.yaml
index 9edeebb66..2199ce782 100644
--- a/.github/actions/run-tests/action.yaml
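Review bot: Both composite actions created on this line declare a `run:` step without `shell:`, which GitHub requires for every `run:` step inside a `runs: using: "composite"` action, and the `kubectl wait` command in the second one ends with `--no-color=false`, a flag `kubectl` does not accept, so the wait step errors out before it waits for anything. Patches 12 and 13 later in the series add `shell: bash` to both actions and drop the flag; squashing those fixes into these two commits would keep every commit in the series runnable on its own.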
+++ b/.github/actions/run-tests/action.yaml
@@ -4,6 +4,9 @@ inputs:
 tests:
 description: "Test regex"
 required: true
+ test-file:
+ description: "Name of the chainsaw test file"
+ default: chainsaw-test
 runs:
 using: "composite"
 steps:
@@ -13,4 +16,4 @@ runs:
 shell: bash
 run: |
 set -e
- chainsaw test --config .chainsaw.yaml --include-test-regex '^chainsaw$/${{ inputs.tests }}' --no-color=false
+ chainsaw test --config .chainsaw.yaml --include-test-regex '^chainsaw$/${{ matrix.tests }}' --test-file='${{ inputs.test-file }}' --no-color=false
diff --git a/.github/actions/setup-env/action.yaml b/.github/actions/setup-env/action.yaml
index 8bdbd708a..ef9300f0d 100644
--- a/.github/actions/setup-env/action.yaml
+++ b/.github/actions/setup-env/action.yaml
@@ -40,12 +40,6 @@ runs:
 set -e
 kubectl create -f https://github.com/kyverno/kyverno/raw/main/config/install-latest-testing.yaml
 - name: Wait for kyverno ready
- shell: bash
- run: |
- set -e
- kubectl wait --namespace kyverno --for=condition=ready pod --selector '!job-name' --timeout=60s
+ uses: ./.github/actions/wait-for-kyverno-ready
 - name: Install CRDs
- shell: bash
- run: |
- set -e
- kubectl apply -f ./.chainsaw/crds
+ uses: ./.github/actions/install-crds
From c7501b22172de1444e4181aec0682a29c8303319 Mon Sep 17 00:00:00 2001
From: Chandan-DK
Date: Thu, 1 Aug 2024 06:49:43 +0000
Subject: [PATCH 11/21] add job for vaps
Signed-off-by: Chandan-DK
---
 .github/workflows/cel-test.yml | 32 ++++++++++++++++++++++++++++++++
 1 file changed, 32 insertions(+)
diff --git a/.github/workflows/cel-test.yml b/.github/workflows/cel-test.yml
index ec7564140..72caab48b 100644
--- a/.github/workflows/cel-test.yml
+++ b/.github/workflows/cel-test.yml
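Review bot: The second run-tests hunk changes the regex to `'^chainsaw$/${{ matrix.tests }}'`, but the `matrix` context is not available inside a composite action (the runner rejects it as an unrecognized named-value), so the step fails for every caller; the `tests` input declared in the first hunk already carries the value, so the line should keep `--include-test-regex '^chainsaw$/${{ inputs.tests }}'`. Patch 20 in this series reinstates `inputs.tests`; folding that into this commit keeps the series bisectable. The step's `- name:` line sits above the hunk.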
@@ -63,3 +63,35 @@ jobs:
 uses: ./.github/actions/run-tests
 with:
 tests: ${{ matrix.tests }}
+
+ validatingadmissionpolicies-v1alpha1:
+ runs-on: ubuntu-latest
+ strategy:
+ fail-fast: false
+ matrix:
+ k8s-version:
+ - name: v1.27
+ version: v1.27.13
+ tests:
+ - ^pod-security-cel$
+ name: ${{ matrix.k8s-version.name }} - validating-admission-policies - ${{ matrix.tests }}
+ steps:
+ - name: Checkout
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ - name: Create kind cluster
+ uses: helm/kind-action@0025e74a8c7512023d06dc019c617aa3cf561fde # v1.10.0
+ with:
+ node_image: kindest/node:${{ matrix.k8s-version.version }}
+ cluster_name: kind
+ config: ./.github/scripts/config/kind/vap-v1alpha1.yaml
+ - name: Install latest kyverno with VAP generation enabled
+ run: ./.github/scripts/config/generate-validating-admission-policy/install-kyverno.sh
+ - name: Wait for kyverno ready
+ uses: ./.github/actions/wait-for-kyverno-ready
+ - name: Install CRDs
+ uses: ./.github/actions/install-crds
+ - name: Run VAP tests
+ uses: ./.github/actions/run-tests
+ with:
+ tests: ${{ matrix.tests }}
+ test-file: chainsaw-test-vap
\ No newline at end of file
From 78c10733892fff92a5878b039cc5a5095f61197a Mon Sep 17 00:00:00 2001
From: Chandan-DK
Date: Thu, 1 Aug 2024 06:54:06 +0000
Subject: [PATCH 12/21] add bash shell to actions
Signed-off-by: Chandan-DK
---
 .github/actions/install-crds/action.yaml | 1 +
 .github/actions/wait-for-kyverno-ready/action.yaml | 1 +
 2 files changed, 2 insertions(+)
diff --git a/.github/actions/install-crds/action.yaml b/.github/actions/install-crds/action.yaml
index 20a2908dc..8618dc955 100644
--- a/.github/actions/install-crds/action.yaml
+++ b/.github/actions/install-crds/action.yaml
@@ -4,6 +4,7 @@ runs:
 using: "composite"
 steps:
 - name: Install CRDs
+ shell: bash
 run: |
 set -e
 kubectl apply -f ./.chainsaw/crds
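Review bot: `node_image: kindest/node:${{ matrix.k8s-version.version }}` pins the kind node image by a mutable tag while both actions in the same job are pinned to commit SHAs; kind publishes a digest for every node image, so carrying it in the matrix entry, `version: v1.27.13@sha256:<digest-from-kind-release-notes>`, makes the cluster under test reproducible at no cost. The new job also ends without a trailing newline (`\ No newline at end of file` after `test-file: chainsaw-test-vap`). Whether the `install-kyverno.sh` step pulls a pinned or a moving upstream manifest is not visible in this hunk; if it is the latter, the same reproducibility concern applies to it.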
diff --git a/.github/actions/wait-for-kyverno-ready/action.yaml b/.github/actions/wait-for-kyverno-ready/action.yaml
index 32464f9d8..ef4b392c6 100644
--- a/.github/actions/wait-for-kyverno-ready/action.yaml
+++ b/.github/actions/wait-for-kyverno-ready/action.yaml
@@ -4,6 +4,7 @@ runs:
 using: "composite"
 steps:
 - name: Wait for kyverno ready
+ shell: bash
 run: |
 set -e
 kubectl wait --namespace kyverno --for=condition=ready pod --selector '!job-name' --timeout=60s --no-color=false
From a24738583022d65c5aadad3a22ed5812f2781fa1 Mon Sep 17 00:00:00 2001
From: Chandan-DK
Date: Thu, 1 Aug 2024 07:06:51 +0000
Subject: [PATCH 13/21] remove --no-color flag
Signed-off-by: Chandan-DK
---
 .github/actions/wait-for-kyverno-ready/action.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/actions/wait-for-kyverno-ready/action.yaml b/.github/actions/wait-for-kyverno-ready/action.yaml
index ef4b392c6..65b3e1d73 100644
--- a/.github/actions/wait-for-kyverno-ready/action.yaml
+++ b/.github/actions/wait-for-kyverno-ready/action.yaml
@@ -7,4 +7,4 @@ runs:
 shell: bash
 run: |
 set -e
- kubectl wait --namespace kyverno --for=condition=ready pod --selector '!job-name' --timeout=60s --no-color=false
+ kubectl wait --namespace kyverno --for=condition=ready pod --selector '!job-name' --timeout=60s
From 1848a6a52ab8ad05826ed0c8a0d43505afb74021 Mon Sep 17 00:00:00 2001
From: Chandan-DK
Date: Sat, 24 Aug 2024 04:41:14 +0000
Subject: [PATCH 14/21] test vaps above kubernetes vesrion 1.28
Signed-off-by: Chandan-DK
---
 .github/workflows/cel-test.yml | 36 ++++++++++++++++++++++++++++++++++
 1 file changed, 36 insertions(+)
diff --git a/.github/workflows/cel-test.yml b/.github/workflows/cel-test.yml
index 72caab48b..c13aa8578 100644
--- a/.github/workflows/cel-test.yml
+++ b/.github/workflows/cel-test.yml
@@ -75,6 +75,42 @@ jobs:
 tests:
 - ^pod-security-cel$
 name: ${{ matrix.k8s-version.name }} - validating-admission-policies - ${{ matrix.tests }}
+ steps:
+ - name: Checkout
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ - name: Create kind cluster
+ uses: helm/kind-action@0025e74a8c7512023d06dc019c617aa3cf561fde # v1.10.0
+ with:
+ node_image: kindest/node:${{ matrix.k8s-version.version }}
+ cluster_name: kind
+ config: ./.github/scripts/config/kind/vap-v1alpha1.yaml
+ - name: Install latest kyverno with VAP generation enabled
+ run: ./.github/scripts/config/generate-validating-admission-policy/install-kyverno.sh
+ - name: Wait for kyverno ready
+ uses: ./.github/actions/wait-for-kyverno-ready
+ - name: Install CRDs
+ uses: ./.github/actions/install-crds
+ - name: Run VAP tests
+ uses: ./.github/actions/run-tests
+ with:
+ tests: ${{ matrix.tests }}
+ test-file: chainsaw-test-vap
+
+ validatingadmissionpolicies-tests-above-1-28:
+ runs-on: ubuntu-latest
+ strategy:
+ fail-fast: false
+ matrix:
+ k8s-version:
+ - name: v1.28
+ version: v1.28.9
+ - name: v1.29
+ version: v1.29.4
+ - name: v1.30
+ version: v1.30.0
+ tests:
+ - ^pod-security-cel$
+ name: ${{ matrix.k8s-version.name }} - validating-admission-policies - ${{ matrix.tests }}
 steps:
 - name: Checkout
 uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
From 1f579a880f65272c16a3e6fd73de6b2ff90ea6fe Mon Sep 17 00:00:00 2001
From: Chandan-DK
Date: Sat, 24 Aug 2024 04:50:33 +0000
Subject: [PATCH 15/21] use vap beta
Signed-off-by: Chandan-DK
---
 .github/workflows/cel-test.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/cel-test.yml b/.github/workflows/cel-test.yml
index c13aa8578..87b11011d 100644
--- a/.github/workflows/cel-test.yml
+++ b/.github/workflows/cel-test.yml
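Review bot: The new `validatingadmissionpolicies-tests-above-1-28` job inherits a verbatim copy of the v1alpha1 job's steps; the only real differences are the `k8s-version` entries and the kind config, and in this commit the copy still points at `vap-v1alpha1.yaml` (patch 15 switches it to `vap-v1beta1.yaml`). Moving the config into each matrix entry, e.g. `- name: v1.28`, `version: v1.28.9`, `kind-config: vap-v1beta1.yaml`, and reading it as `config: ./.github/scripts/config/kind/${{ matrix.k8s-version.kind-config }}`, would keep a single job and make the version-to-API mapping visible in one place. The second job's `steps:` list continues past the end of the hunk.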
@@ -119,7 +119,7 @@ jobs:
 with:
 node_image: kindest/node:${{ matrix.k8s-version.version }}
 cluster_name: kind
- config: ./.github/scripts/config/kind/vap-v1alpha1.yaml
+ config: ./.github/scripts/config/kind/vap-v1beta1.yaml
 - name: Install latest kyverno with VAP generation enabled
 run: ./.github/scripts/config/generate-validating-admission-policy/install-kyverno.sh
 - name: Wait for kyverno ready
From e5b18bcafb703cc88f08937455568a4f27387107 Mon Sep 17 00:00:00 2001
From: Chandan-DK
Date: Sat, 24 Aug 2024 08:47:48 +0000
Subject: [PATCH 16/21] remove applying the ns in chainsaw test as it is not needed
Signed-off-by: Chandan-DK
---
 .../restrict-volume-types/.chainsaw-test/chainsaw-test-vap.yaml | 2 --
 1 file changed, 2 deletions(-)
diff --git a/pod-security-cel/restricted/restrict-volume-types/.chainsaw-test/chainsaw-test-vap.yaml b/pod-security-cel/restricted/restrict-volume-types/.chainsaw-test/chainsaw-test-vap.yaml
index 9495843e9..938965a80 100755
--- a/pod-security-cel/restricted/restrict-volume-types/.chainsaw-test/chainsaw-test-vap.yaml
+++ b/pod-security-cel/restricted/restrict-volume-types/.chainsaw-test/chainsaw-test-vap.yaml
@@ -8,8 +8,6 @@ spec:
 steps:
 - name: step-01
 try:
- - apply:
- file: ns.yaml
 - apply:
 file: ../restrict-volume-types.yaml
 - patch:
From ac409d9827eefc91c37a5eaf21945fed7383d22b Mon Sep 17 00:00:00 2001
From: Chandan-DK
Date: Sat, 24 Aug 2024 09:07:47 +0000
Subject: [PATCH 17/21] enable templating in disallow-host-process
Signed-off-by: Chandan-DK
---
 .../disallow-host-process/.chainsaw-test/chainsaw-test-vap.yaml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/pod-security-cel/baseline/disallow-host-process/.chainsaw-test/chainsaw-test-vap.yaml b/pod-security-cel/baseline/disallow-host-process/.chainsaw-test/chainsaw-test-vap.yaml
index 4fea778ba..cd11e28b0 100755
--- a/pod-security-cel/baseline/disallow-host-process/.chainsaw-test/chainsaw-test-vap.yaml
+++ b/pod-security-cel/baseline/disallow-host-process/.chainsaw-test/chainsaw-test-vap.yaml
@@ -5,6 +5,8 @@ metadata:
 creationTimestamp: null
 name: disallow-host-process
 spec:
+ # disable templating because it can cause issues with CEL expressions
+ template: false
 steps:
 - name: step-01
 try:
From 2a1295869767c81d9d5b7a5d5343907bebb269e1 Mon Sep 17 00:00:00 2001
From: Chandan-DK
Date: Sat, 24 Aug 2024 09:32:08 +0000
Subject: [PATCH 18/21] (fix chainsaw test): hostNetwork must be true if any container has hostProcess set to true and if any container has hostProcess set to true all the containers must have it too (see comment for the error that would be generated otherwise) [spec: Invalid value: "": If pod contains any hostProcess containers then all containers must be HostProcess containers, spec.hostNetwork: Invalid value: false: hostNetwork must be true if pod contains any hostProcess containers]
Signed-off-by: Chandan-DK
---
 .../disallow-host-process/.chainsaw-test/pod-bad.yaml | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/pod-security-cel/baseline/disallow-host-process/.chainsaw-test/pod-bad.yaml b/pod-security-cel/baseline/disallow-host-process/.chainsaw-test/pod-bad.yaml
index d6e00d2ed..702ae4aa7 100644
--- a/pod-security-cel/baseline/disallow-host-process/.chainsaw-test/pod-bad.yaml
+++ b/pod-security-cel/baseline/disallow-host-process/.chainsaw-test/pod-bad.yaml
@@ -3,6 +3,7 @@ kind: Pod
 metadata:
 name: badpod01-new
 spec:
+ hostNetwork: true
 initContainers:
 - name: busybox01-init
 image: busybox:1.35
@@ -14,15 +15,19 @@ spec:
 image: busybox:1.35
 securityContext:
 windowsOptions:
- hostProcess: false
+ hostProcess: true
 - name: busybox02
 image: busybox:1.35
+ securityContext:
+ windowsOptions:
+ hostProcess: true
 ---
 apiVersion: v1
 kind: Pod
 metadata:
 name: badpod02-new
 spec:
+ hostNetwork: true
 containers:
 - name: busybox01
 image: busybox:1.35
@@ -35,6 +40,7 @@ kind: Pod
 metadata:
 name: badpod03-new
 spec:
+ hostNetwork: true
 containers:
 - name: busybox01
 image: busybox:1.35
@@ -43,6 +49,9 @@ spec:
 hostProcess: true
 - name: busybox02
 image: busybox:1.35
+ securityContext:
+ windowsOptions:
+ hostProcess: true
 ---
 apiVersion: v1
 kind: Pod
From 7f054835df2230281df660d1950d841d8bcfee78 Mon Sep 17 00:00:00 2001
From: Chandan-DK
Date: Sat, 24 Aug 2024 09:44:00 +0000
Subject: [PATCH 19/21] use containerPort to avoid this error (Pod "badpod01-new" is invalid: spec.initContainers[0].ports[0].containerPort: Required value) in disallow-host-ports
Signed-off-by: Chandan-DK
---
 .../baseline/disallow-host-ports/.chainsaw-test/pod-bad.yaml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/pod-security-cel/baseline/disallow-host-ports/.chainsaw-test/pod-bad.yaml b/pod-security-cel/baseline/disallow-host-ports/.chainsaw-test/pod-bad.yaml
index 482abd63e..c56579942 100644
--- a/pod-security-cel/baseline/disallow-host-ports/.chainsaw-test/pod-bad.yaml
+++ b/pod-security-cel/baseline/disallow-host-ports/.chainsaw-test/pod-bad.yaml
@@ -8,6 +8,7 @@ spec:
 image: busybox:1.35
 ports:
 - hostPort: 8090
+ containerPort: 8081
 containers:
 - name: busybox
 image: busybox:1.35
From 2d799455b9c729828bc34e09ccd070f83c2f7417 Mon Sep 17 00:00:00 2001
From: Chandan-DK
Date: Sat, 24 Aug 2024 18:01:52 +0000
Subject: [PATCH 20/21] skip running vap tests for policies with variables when K8s version is 1.27 or 1.26
Signed-off-by: Chandan-DK
---
 .github/actions/run-tests/action.yaml | 15 ++++++++++++++-
 .github/workflows/cel-test.yml | 4 +++-
 .../.chainsaw-test/chainsaw-test-vap.yaml | 2 ++
 3 files changed, 19 insertions(+), 2 deletions(-)
diff --git a/.github/actions/run-tests/action.yaml b/.github/actions/run-tests/action.yaml
index c8ba428d0..a24e3ea54 100644
--- a/.github/actions/run-tests/action.yaml
@@ -1,6 +1,9 @@
 name: "Runs E2E Tests"
 description: "Runs E2E tests using chainsaw"
 inputs:
+ k8s-version:
+ description: "Kubernetes version"
+ required: false
 tests:
 description: "Test regex"
 required: true
@@ -16,4 +19,14 @@ runs:
 shell: bash
 run: |
 set -e
- chainsaw test --config .chainsaw.yaml --include-test-regex '^chainsaw$/${{ matrix.tests }}' --test-file='${{ inputs.test-file }}' --no-color=false
+
+ K8S_VERSION="${{ inputs.k8s-version }}"
+ TEST_FILE="${{ inputs.test-file }}"
+ TESTS="${{ inputs.tests }}"
+
+ if [[ "$TEST_FILE" == "chainsaw-test-vap" && -n "$K8S_VERSION" ]] &&
+ [[ "$K8S_VERSION" == "v1.26."* || "$K8S_VERSION" == "v1.27."* ]]; then
+ chainsaw test --config .chainsaw.yaml --include-test-regex '^chainsaw$/${{ inputs.tests }}' --test-file='${{ inputs.test-file }}' --no-color=false --selector='!skipForVapAlpha'
+ else
+ chainsaw test --config .chainsaw.yaml --include-test-regex '^chainsaw$/${{ inputs.tests }}' --test-file='${{ inputs.test-file }}' --no-color=false
+ fi
diff --git a/.github/workflows/cel-test.yml b/.github/workflows/cel-test.yml
index 87b11011d..fa9d66990 100644
--- a/.github/workflows/cel-test.yml
+++ b/.github/workflows/cel-test.yml
@@ -95,6 +95,7 @@ jobs:
 with:
 tests: ${{ matrix.tests }}
 test-file: chainsaw-test-vap
+ k8s-version: ${{ matrix.k8s-version.version }}
 validatingadmissionpolicies-tests-above-1-28:
 runs-on: ubuntu-latest
@@ -130,4 +131,5 @@ jobs:
 uses: ./.github/actions/run-tests
 with:
 tests: ${{ matrix.tests }}
- test-file: chainsaw-test-vap
\ No newline at end of file
+ test-file: chainsaw-test-vap
+ k8s-version: ${{ matrix.k8s-version.version }}
\ No newline at end of file
diff --git a/pod-security-cel/baseline/disallow-host-process/.chainsaw-test/chainsaw-test-vap.yaml b/pod-security-cel/baseline/disallow-host-process/.chainsaw-test/chainsaw-test-vap.yaml
index cd11e28b0..4a8b1e6bf 100755
--- a/pod-security-cel/baseline/disallow-host-process/.chainsaw-test/chainsaw-test-vap.yaml
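Review bot: The new `k8s-version` input's description, `"Kubernetes version"`, says neither what the value is used for nor what shape it must have, while the script in the next hunk branches on a literal `v1.26.`/`v1.27.` prefix, so a caller passing `1.27` or `1.27.0` would silently get the unfiltered run. Suggest `description: "Kubernetes version as vX.Y.Z; on v1.26/v1.27 tests labelled skipForVapAlpha are excluded from chainsaw-test-vap runs"`. Because the input is optional with no `default`, an omitted value arrives as the empty string, which the `-n` guard below accounts for; saying so in the description makes that contract explicit.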
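Review bot: The run block copies `${{ inputs.k8s-version }}`, `${{ inputs.test-file }}` and `${{ inputs.tests }}` into shell variables but then interpolates `${{ inputs.tests }}` and `${{ inputs.test-file }}` a second time directly into both chainsaw command lines, `TESTS` is never read, and the two command lines are identical except for `--selector`. Interpolating expressions into `run:` is the pattern GitHub's script-injection guidance warns against: a value containing a quote or `;` is executed as shell rather than passed as an argument; here the values come from the workflow's matrix, so the exposure is to whoever can edit that matrix, but moving the inputs to `env:` and quoting the variables removes both the hazard and the duplication. The step's opening line (where `env:` belongs) is above the hunk, as is the `steps:` key of `runs:`.

```yaml
      env:
        K8S_VERSION: ${{ inputs.k8s-version }}
        TEST_FILE: ${{ inputs.test-file }}
        TESTS: ${{ inputs.tests }}
      shell: bash
      run: |
        # … unchanged: set -e …
        args=(chainsaw test --config .chainsaw.yaml
              --include-test-regex '^chainsaw$/'"${TESTS}"
              --test-file="${TEST_FILE}" --no-color=false)
        # on K8s 1.26/1.27 (pre-v1beta1 VAP API) leave out tests labelled skipForVapAlpha
        if [[ "$TEST_FILE" == "chainsaw-test-vap" && -n "$K8S_VERSION" ]] &&
           [[ "$K8S_VERSION" == "v1.26."* || "$K8S_VERSION" == "v1.27."* ]]; then
          args+=(--selector='!skipForVapAlpha')
        fi
        "${args[@]}"
```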
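Review bot: The second cel-test.yml hunk rewrites the file's last line and still leaves it without a trailing newline (`\ No newline at end of file` on the new side as well); since the line is touched anyway, ending `k8s-version: ${{ matrix.k8s-version.version }}` with a newline would stop every future edit to that job from showing a spurious change on the `test-file:` line. The wiring itself matches the optional input added to the action in this same patch, and for the `above-1-28` job the value presumably never hits the v1.26/v1.27 branch.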
+++ b/pod-security-cel/baseline/disallow-host-process/.chainsaw-test/chainsaw-test-vap.yaml
@@ -4,6 +4,8 @@ kind: Test
 metadata:
 creationTimestamp: null
 name: disallow-host-process
+ labels:
+ skipForVapAlpha: ""
 spec:
 # disable templating because it can cause issues with CEL expressions
 template: false
From 41a39c870da4037364cca1758bb6b673d17ed08b Mon Sep 17 00:00:00 2001
From: Chandan-DK
Date: Sun, 25 Aug 2024 04:36:08 +0000
Subject: [PATCH 21/21] disable templating in disallow-host-namespaces
Signed-off-by: Chandan-DK
---
 .../.chainsaw-test/chainsaw-test-vap.yaml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/pod-security-cel/baseline/disallow-host-namespaces/.chainsaw-test/chainsaw-test-vap.yaml b/pod-security-cel/baseline/disallow-host-namespaces/.chainsaw-test/chainsaw-test-vap.yaml
index 927963585..3f03b402f 100755
--- a/pod-security-cel/baseline/disallow-host-namespaces/.chainsaw-test/chainsaw-test-vap.yaml
+++ b/pod-security-cel/baseline/disallow-host-namespaces/.chainsaw-test/chainsaw-test-vap.yaml
@@ -5,6 +5,8 @@ metadata:
 creationTimestamp: null
 name: disallow-host-namespaces
 spec:
+ # disable templating because it can cause issues with CEL expressions
+ template: false
 steps:
 - name: step-01
 try:
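Review bot: The `skipForVapAlpha: ""` label added to the test's metadata has no explanation in the file; its only effect is in `.github/actions/run-tests/action.yaml`, where `--selector='!skipForVapAlpha'` excludes labelled tests on Kubernetes v1.26/v1.27, and a reader of this test cannot discover that without searching the CI scripts. Add a comment above the label, e.g. `# excluded from VAP runs on K8s 1.26/1.27, see .github/actions/run-tests/action.yaml`. The commit subject gives the reason as the policy using variables; recording that as well would tell a future maintainer when the label can be removed.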
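Review bot: This hunk adds the same `# disable templating because it can cause issues with CEL expressions` comment and `template: false` that the disallow-host-process test received earlier in this series, so a property that looks common to every CEL-based test is being switched off test by test, and each new test will need the same two lines. If the shared `.chainsaw.yaml` passed to `chainsaw test --config` in run-tests supports disabling templating globally, setting it once there would remove the repetition; if templating must stay on for the non-VAP tests in the same directories, a short comment next to `template: false` saying so would explain why the setting is per test. The comment could also name the concrete symptom it avoids, since "can cause issues" does not tell a reader how to recognise the problem when it recurs.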
