feat: test VAPs generated by pod security cel policies #1006

Draft. Wants to merge 28 commits into base: main.

Commits (28):
a3a727d
setup vap generation in CI for testing
Chandan-DK May 14, 2024
327fae0
add vap tests for disallow-capabilities
Chandan-DK May 14, 2024
a95d18d
add vap tests for disallow-host-namespaces
Chandan-DK May 14, 2024
5414f2d
add vap tests for rest of baseline policies
Chandan-DK May 17, 2024
90eb891
add vap tests for restricted policies
Chandan-DK May 17, 2024
d7e07b0
Merge branch 'main' into pod-security-cel-test-generated-vaps
Chandan-DK May 17, 2024
07320ff
set timeout to 60s
Chandan-DK May 17, 2024
bbf05f4
use assert in vap file names
Chandan-DK May 18, 2024
564217c
Merge branch 'main' into pod-security-cel-test-generated-vaps
chipzoller Jul 14, 2024
2ce1dae
Merge branch 'main' into pod-security-cel-test-generated-vaps
chipzoller Jul 23, 2024
5f89802
Merge branch 'main' into pod-security-cel-test-generated-vaps
Chandan-DK Aug 1, 2024
992afa9
add composite action for installing crds
Chandan-DK Aug 1, 2024
d5224c2
add composite action to wait for kyverno to become ready
Chandan-DK Aug 1, 2024
1b0e34b
add test-file input for run-tests action and reference actions in set…
Chandan-DK Aug 1, 2024
c7501b2
add job for vaps
Chandan-DK Aug 1, 2024
78c1073
add bash shell to actions
Chandan-DK Aug 1, 2024
a247385
remove --no-color flag
Chandan-DK Aug 1, 2024
978d8df
Merge branch 'main' into pod-security-cel-test-generated-vaps
Chandan-DK Aug 15, 2024
1848a6a
test vaps above kubernetes version 1.28
Chandan-DK Aug 24, 2024
1f579a8
use vap beta
Chandan-DK Aug 24, 2024
e5b18bc
remove applying the ns in chainsaw test as it is not needed
Chandan-DK Aug 24, 2024
ac409d9
enable templating in disallow-host-process
Chandan-DK Aug 24, 2024
2a12958
(fix chainsaw test): hostNetwork must be true if any container has ho…
Chandan-DK Aug 24, 2024
7f05483
use containerPort to avoid this error (Pod "badpod01-new" is invalid:…
Chandan-DK Aug 24, 2024
2d79945
skip running vap tests for policies with variables when K8s version i…
Chandan-DK Aug 24, 2024
41a39c8
disable templating in disallow-host-namespaces
Chandan-DK Aug 25, 2024
c743e5b
Merge branch 'main' into pod-security-cel-test-generated-vaps
JimBugwadia Aug 26, 2024
7833593
Merge branch 'main' into pod-security-cel-test-generated-vaps
JimBugwadia Aug 27, 2024
10 changes: 10 additions & 0 deletions .github/actions/install-crds/action.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,10 @@
name: "Install CRDs"
description: "Installs all CRDs for chainsaw tests"
runs:
using: "composite"
steps:
- name: Install CRDs
shell: bash
run: |
set -e
kubectl apply -f ./.chainsaw/crds
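Review bot: `kubectl apply -f ./.chainsaw/crds` returns as soon as the CRD objects are created, not when they are established, so a chainsaw step that creates custom resources immediately afterwards can fail with "no matches for kind". Add `kubectl wait --for=condition=established --timeout=60s -f ./.chainsaw/crds` after the apply so the composite action only returns once the API server serves the new kinds.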
18 changes: 17 additions & 1 deletion .github/actions/run-tests/action.yaml
@@ -1,9 +1,15 @@
name: "Runs E2E Tests"
description: "Runs E2E tests using chainsaw"
inputs:
k8s-version:
description: "Kubernetes version"
required: false
tests:
description: "Test regex"
required: true
test-file:
description: "Name of the chainsaw test file"
default: chainsaw-test
runs:
using: "composite"
steps:
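Review bot: the `k8s-version` description should state the expected format (a full tag such as `v1.27.13`, including the leading `v`), because the run step in this action decides whether to apply the `!skipForVapAlpha` selector by prefix-matching the value against `v1.26.` and `v1.27.`; a bare `1.27.13` would silently run the tests that should be skipped on those versions.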
@@ -13,4 +19,14 @@ runs:
shell: bash
run: |
set -e
chainsaw test --config .chainsaw.yaml --include-test-regex '^chainsaw$/${{ inputs.tests }}' --no-color=false

K8S_VERSION="${{ inputs.k8s-version }}"
TEST_FILE="${{ inputs.test-file }}"
TESTS="${{ inputs.tests }}"

if [[ "$TEST_FILE" == "chainsaw-test-vap" && -n "$K8S_VERSION" ]] &&
[[ "$K8S_VERSION" == "v1.26."* || "$K8S_VERSION" == "v1.27."* ]]; then
chainsaw test --config .chainsaw.yaml --include-test-regex '^chainsaw$/${{ inputs.tests }}' --test-file='${{ inputs.test-file }}' --no-color=false --selector='!skipForVapAlpha'
else
chainsaw test --config .chainsaw.yaml --include-test-regex '^chainsaw$/${{ inputs.tests }}' --test-file='${{ inputs.test-file }}' --no-color=false
fi
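Review bot: `TESTS="${{ inputs.tests }}"` is assigned but never used, and both `chainsaw test` commands still splice `${{ inputs.tests }}` and `${{ inputs.test-file }}` directly into the command line, so the shell-variable indirection buys nothing. Use the variables in both branches, e.g. `--include-test-regex "^chainsaw$/${TESTS}" --test-file="${TEST_FILE}"`, so the input values are passed as quoted shell values instead of being expanded into the script text before bash parses it; that also keeps the two branches from drifting when a flag changes. The version gate is a plain prefix match, so it relies on the caller passing the tag with its leading `v`, as the workflow does with `v1.27.13`.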
10 changes: 2 additions & 8 deletions .github/actions/setup-env/action.yaml
@@ -40,12 +40,6 @@ runs:
set -e
kubectl create -f https://github.com/kyverno/kyverno/raw/main/config/install-latest-testing.yaml
- name: Wait for kyverno ready
shell: bash
run: |
set -e
kubectl wait --namespace kyverno --for=condition=ready pod --selector '!job-name' --timeout=60s
uses: ./.github/actions/wait-for-kyverno-ready
- name: Install CRDs
shell: bash
run: |
set -e
kubectl apply -f ./.chainsaw/crds
uses: ./.github/actions/install-crds
10 changes: 10 additions & 0 deletions .github/actions/wait-for-kyverno-ready/action.yaml
@@ -0,0 +1,10 @@
name: "Wait for Kyverno To Become Ready"
description: "Waits for Kyverno to become ready before running chainsaw tests"
runs:
using: "composite"
steps:
- name: Wait for kyverno ready
shell: bash
run: |
set -e
kubectl wait --namespace kyverno --for=condition=ready pod --selector '!job-name' --timeout=60s
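Review bot: `kubectl wait` exits non-zero with "no matching resources found" if it runs before the Kyverno deployments have created any pods, and `--timeout=60s` is tight for a fresh kind cluster that still has to pull images, so this step can fail intermittently right after the install step. Consider `kubectl -n kyverno rollout status deployment/<name> --timeout=...` for each Kyverno deployment, or a short retry loop around the wait, and record the reason for the 60s value in the description.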
@@ -0,0 +1,19 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app.kubernetes.io/component: admission-controller
app.kubernetes.io/instance: kyverno
app.kubernetes.io/part-of: kyverno
name: kyverno:generate-validatingadmissionpolicy
rules:
- apiGroups:
- admissionregistration.k8s.io
resources:
- validatingadmissionpolicies
- validatingadmissionpolicybindings
verbs:
- create
- update
- delete
- list
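Review bot: this ClusterRole has no ClusterRoleBinding anywhere in the patch, so it only grants anything if Kyverno aggregates it into the admission controller's role via the three `app.kubernetes.io/*` labels; that mechanism deserves a comment at the top of the file, because a typo in a label value fails silently (the VAPs simply never appear) rather than with an RBAC error. The verb list has `list` but not `get` or `watch`; if the controller informs on these resources it needs those too, so confirm the set against what the admission controller actually calls.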
@@ -0,0 +1,15 @@
#!/bin/bash

set -e

echo -e "\nDownloading the latest Kyverno installation YAML file..."
wget -O install-latest-testing.yaml https://github.com/kyverno/kyverno/raw/main/config/install-latest-testing.yaml

echo -e "\nEnabling Validating Admission Policy generation..."
sed -i 's/--generateValidatingAdmissionPolicy=false/--generateValidatingAdmissionPolicy=true/g' ./install-latest-testing.yaml

echo -e "\nInstalling Kyverno in the cluster..."
kubectl create -f ./install-latest-testing.yaml

echo -e "\nGranting permissions to Kyverno for VAP generation..."
kubectl create -f ./.github/scripts/config/generate-validating-admission-policy/generate-vap-cr.yaml
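Review bot: the `sed -i` succeeds even when `--generateValidatingAdmissionPolicy=false` does not occur in the downloaded manifest (for example if the flag name or its default changes upstream), so the job would then run with VAP generation disabled and the `vap-assert.yaml` steps would fail far from the cause. Add `grep -q -- '--generateValidatingAdmissionPolicy=true' ./install-latest-testing.yaml` after the sed so the script stops here with a clear message, and consider pinning the download to a tag or commit instead of `main` so runs are reproducible.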
11 changes: 11 additions & 0 deletions .github/scripts/config/kind/vap-v1alpha1.yaml
@@ -0,0 +1,11 @@
kind: Cluster
apiVersion: kind.x-k8s.io/v1alpha4
featureGates:
ValidatingAdmissionPolicy: true
runtimeConfig:
admissionregistration.k8s.io/v1alpha1: true
nodes:
- role: control-plane
- role: worker
- role: worker
- role: worker
12 changes: 12 additions & 0 deletions .github/scripts/config/kind/vap-v1beta1.yaml
@@ -0,0 +1,12 @@
kind: Cluster
apiVersion: kind.x-k8s.io/v1alpha4
featureGates:
ValidatingAdmissionPolicy: true
runtimeConfig:
admissionregistration.k8s.io/v1beta1: true
admissionregistration.k8s.io/v1alpha1: true
nodes:
- role: control-plane
- role: worker
- role: worker
- role: worker
70 changes: 70 additions & 0 deletions .github/workflows/cel-test.yml
@@ -63,3 +63,73 @@ jobs:
uses: ./.github/actions/run-tests
with:
tests: ${{ matrix.tests }}

validatingadmissionpolicies-v1alpha1:
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
k8s-version:
- name: v1.27
version: v1.27.13
tests:
- ^pod-security-cel$
name: ${{ matrix.k8s-version.name }} - validating-admission-policies - ${{ matrix.tests }}
steps:
- name: Checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: Create kind cluster
uses: helm/kind-action@0025e74a8c7512023d06dc019c617aa3cf561fde # v1.10.0
with:
node_image: kindest/node:${{ matrix.k8s-version.version }}
cluster_name: kind
config: ./.github/scripts/config/kind/vap-v1alpha1.yaml
- name: Install latest kyverno with VAP generation enabled
run: ./.github/scripts/config/generate-validating-admission-policy/install-kyverno.sh
- name: Wait for kyverno ready
uses: ./.github/actions/wait-for-kyverno-ready
- name: Install CRDs
uses: ./.github/actions/install-crds
- name: Run VAP tests
uses: ./.github/actions/run-tests
with:
tests: ${{ matrix.tests }}
test-file: chainsaw-test-vap
k8s-version: ${{ matrix.k8s-version.version }}

validatingadmissionpolicies-tests-above-1-28:
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
k8s-version:
- name: v1.28
version: v1.28.9
- name: v1.29
version: v1.29.4
- name: v1.30
version: v1.30.0
tests:
- ^pod-security-cel$
name: ${{ matrix.k8s-version.name }} - validating-admission-policies - ${{ matrix.tests }}
steps:
- name: Checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: Create kind cluster
uses: helm/kind-action@0025e74a8c7512023d06dc019c617aa3cf561fde # v1.10.0
with:
node_image: kindest/node:${{ matrix.k8s-version.version }}
cluster_name: kind
config: ./.github/scripts/config/kind/vap-v1beta1.yaml
- name: Install latest kyverno with VAP generation enabled
run: ./.github/scripts/config/generate-validating-admission-policy/install-kyverno.sh
- name: Wait for kyverno ready
uses: ./.github/actions/wait-for-kyverno-ready
- name: Install CRDs
uses: ./.github/actions/install-crds
- name: Run VAP tests
uses: ./.github/actions/run-tests
with:
tests: ${{ matrix.tests }}
test-file: chainsaw-test-vap
k8s-version: ${{ matrix.k8s-version.version }}
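Review bot: `validatingadmissionpolicies-v1alpha1` and `validatingadmissionpolicies-tests-above-1-28` are identical apart from the matrix versions and the kind config path, so every future change to the steps has to be made twice. Fold them into one job by adding a `kind-config` field to each `k8s-version` entry (`v1.27.13` with `vap-v1alpha1.yaml`, the others with `vap-v1beta1.yaml`) and using `config: ${{ matrix.k8s-version.kind-config }}`. The "Install latest kyverno" step also sets no `shell:` and relies on the runner default, unlike the composite actions in this patch, which set `shell: bash` explicitly.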
@@ -0,0 +1,37 @@
apiVersion: chainsaw.kyverno.io/v1alpha1
kind: Test
metadata:
creationTimestamp: null
name: disallow-capabilities
spec:
steps:
- name: step-01
try:
- apply:
file: ../disallow-capabilities.yaml
- patch:
resource:
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: disallow-capabilities
spec:
validationFailureAction: Enforce
- assert:
file: policy-ready.yaml
- name: step-02
try:
- assert:
file: vap-assert.yaml
- assert:
file: vapbinding-assert.yaml
- name: step-03
try:
- apply:
file: pod-good.yaml
- apply:
expect:
- check:
($error != null): true
file: pod-bad.yaml

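Review bot: step-03 only asserts that creating `pod-bad.yaml` returns some error, while step-01 also sets the ClusterPolicy to `validationFailureAction: Enforce`; unless Kyverno stops enforcing the policy through its webhook once it has generated the VAP, the webhook alone would reject the bad pod and the step passes even if the generated VAP's rule is wrong or never evaluated. Assert on the error message so the denial can be attributed to the ValidatingAdmissionPolicy rather than the webhook. Unlike the other two test files in this patch, this one also lacks the `yaml-language-server` schema comment.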
@@ -0,0 +1,12 @@
apiVersion: admissionregistration.k8s.io/v1alpha1
kind: ValidatingAdmissionPolicy
metadata:
labels:
app.kubernetes.io/managed-by: kyverno
name: disallow-capabilities
ownerReferences:
- apiVersion: kyverno.io/v1
kind: ClusterPolicy
name: disallow-capabilities
spec:
failurePolicy: Fail
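Review bot: this assertion checks only the metadata, the ownerReference and `failurePolicy: Fail`, so a generated policy with empty `matchConstraints` or no `validations` would satisfy it. Assert at least that `spec.matchConstraints` targets pods and that `spec.validations` is non-empty (a JMESPath check on `length(spec.validations)` works in chainsaw assertions) so the test fails when generation produces a policy that never fires.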
@@ -0,0 +1,13 @@
apiVersion: admissionregistration.k8s.io/v1alpha1
kind: ValidatingAdmissionPolicyBinding
metadata:
labels:
app.kubernetes.io/managed-by: kyverno
name: disallow-capabilities-binding
ownerReferences:
- apiVersion: kyverno.io/v1
kind: ClusterPolicy
name: disallow-capabilities
spec:
policyName: disallow-capabilities
validationActions: [Deny]
@@ -0,0 +1,39 @@
# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
apiVersion: chainsaw.kyverno.io/v1alpha1
kind: Test
metadata:
creationTimestamp: null
name: disallow-host-namespaces
spec:
# disable templating because it can cause issues with CEL expressions
template: false
steps:
- name: step-01
try:
- apply:
file: ../disallow-host-namespaces.yaml
- patch:
resource:
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: disallow-host-namespaces
spec:
validationFailureAction: Enforce
- assert:
file: policy-ready.yaml
- name: step-02
try:
- assert:
file: vap-assert.yaml
- assert:
file: vapbinding-assert.yaml
- name: step-03
try:
- apply:
file: pod-good.yaml
- apply:
expect:
- check:
($error != null): true
file: pod-bad.yaml
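Review bot: `template: false` is set only in this test, and the comment should say which expression in `disallow-host-namespaces.yaml` collides with chainsaw templating, since the commit list shows templating was disabled here but re-enabled for `disallow-host-process` and the other two tests in the patch run with it on. Apart from the policy name the steps are identical to the other two test files; if more policies follow, a shared step definition would cut the copy-and-paste.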
@@ -0,0 +1,12 @@
apiVersion: admissionregistration.k8s.io/v1alpha1
kind: ValidatingAdmissionPolicy
metadata:
labels:
app.kubernetes.io/managed-by: kyverno
name: disallow-host-namespaces
ownerReferences:
- apiVersion: kyverno.io/v1
kind: ClusterPolicy
name: disallow-host-namespaces
spec:
failurePolicy: Fail
@@ -0,0 +1,13 @@
apiVersion: admissionregistration.k8s.io/v1alpha1
kind: ValidatingAdmissionPolicyBinding
metadata:
labels:
app.kubernetes.io/managed-by: kyverno
name: disallow-host-namespaces-binding
ownerReferences:
- apiVersion: kyverno.io/v1
kind: ClusterPolicy
name: disallow-host-namespaces
spec:
policyName: disallow-host-namespaces
validationActions: [Deny]
@@ -0,0 +1,37 @@
# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
apiVersion: chainsaw.kyverno.io/v1alpha1
kind: Test
metadata:
creationTimestamp: null
name: disallow-host-path
spec:
steps:
- name: step-01
try:
- apply:
file: ../disallow-host-path.yaml
- patch:
resource:
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: disallow-host-path
spec:
validationFailureAction: Enforce
- assert:
file: policy-ready.yaml
- name: step-02
try:
- assert:
file: vap-assert.yaml
- assert:
file: vapbinding-assert.yaml
- name: step-03
try:
- apply:
file: pod-good.yaml
- apply:
expect:
- check:
($error != null): true
file: pod-bad.yaml
@@ -0,0 +1,12 @@
apiVersion: admissionregistration.k8s.io/v1alpha1
kind: ValidatingAdmissionPolicy
metadata:
labels:
app.kubernetes.io/managed-by: kyverno
name: disallow-host-path
ownerReferences:
- apiVersion: kyverno.io/v1
kind: ClusterPolicy
name: disallow-host-path
spec:
failurePolicy: Fail