Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: add miscellaneous policies in CEL expressions - Part 3 #1028

Merged
merged 47 commits into from
Jul 15, 2024
Merged

feat: add miscellaneous policies in CEL expressions - Part 3 #1028

merged 47 commits into from
Jul 15, 2024

Conversation

Chandan-DK
Copy link
Contributor

@Chandan-DK Chandan-DK commented May 22, 2024
edited

Related Issue(s)

Partially addresses #891

This PR includes the conversion of policies in the following folders:

  • linkerd
  • nginx-ingress
  • openshift
  • psa
  • traefik

Description

Policies converted in this PR:

linkerd

  • prevent-linkerd-pod-injection-override
  • prevent-linkerd-port-skipping
  • require-linkerd-mesh-injection

nginx-ingress

  • disallow-ingress-nginx-custom-snippets
  • restrict-annotations
  • restrict-ingress-paths

openshift

  • check-routes
  • disallow-deprecated-apis
  • disallow-jenkins-pipeline-strategy
  • disallow-security-context-constraint-anyuid
  • enforce-etcd-encryption

psa

  • add-psa-namespace-reporting
  • deny-privileged-profile

traefik

  • disallow-default-tlsoptions

Checklist

  • [] I have read the policy contribution guidelines.
  • [] I have added test manifests and resources covering both positive and negative tests that prove this policy works as intended.
  • [] I have added the artifacthub-pkg.yml file and have verified it is complete and correct.

@Chandan-DK
copy prevent-linkerd-pod-injection-override
720bc92 
Signed-off-by: Chandan-DK <chandandk468@gmail.com>
@Chandan-DK
add kyverno tests for prevent-linkerd-pod-injection-override
4f6ca0c 
Signed-off-by: Chandan-DK <chandandk468@gmail.com>
@Chandan-DK
convert prevent-linkerd-pod-injection-override
a74d10b 
Signed-off-by: Chandan-DK <chandandk468@gmail.com>
@Chandan-DK
add metadata section to template
dcd4ac5 
This is done in order to avoid no such key: metadata error in the
kyverno tests for the cel policy

Signed-off-by: Chandan-DK <chandandk468@gmail.com>
@Chandan-DK
add kyverno tests for prevent-linkerd-pod-injection-override in regul…
6ac7add 
…ar policy

Signed-off-by: Chandan-DK <chandandk468@gmail.com>
@Chandan-DK
copy prevent-linkerd-port-skipping
51af207 
Signed-off-by: Chandan-DK <chandandk468@gmail.com>
@Chandan-DK
correct invalid chainsaw test resources to remove errors
66b483f 
Signed-off-by: Chandan-DK <chandandk468@gmail.com>
@Chandan-DK
add kyverno tests
562b82d 
Signed-off-by: Chandan-DK <chandandk468@gmail.com>
@Chandan-DK
convert prevent-linkerd-port-skipping
a14f7f8 
Signed-off-by: Chandan-DK <chandandk468@gmail.com>
@Chandan-DK
copy require-linkerd-mesh-injection
d7003ed 
Signed-off-by: Chandan-DK <chandandk468@gmail.com>
@Chandan-DK
add kyverno tests for require-linkerd-mesh-injection
a7ffe1e 
Signed-off-by: Chandan-DK <chandandk468@gmail.com>
@Chandan-DK
convert require-linkerd-mesh-injection
7acd066 
Signed-off-by: Chandan-DK <chandandk468@gmail.com>
@Chandan-DK
copy disallow-ingress-nginx-custom-snippets
63a28e7 
Signed-off-by: Chandan-DK <chandandk468@gmail.com>
@Chandan-DK
convert disallow-ingress-nginx-custom-snippets
7cffb72 
Signed-off-by: Chandan-DK <chandandk468@gmail.com>
@Chandan-DK
copy restrict-annotations
9321063 
Signed-off-by: Chandan-DK <chandandk468@gmail.com>
@Chandan-DK
convert restrict-annotations
afc2fea 
Signed-off-by: Chandan-DK <chandandk468@gmail.com>
@Chandan-DK
copy restrict-ingress-paths
abd6ab4 
Signed-off-by: Chandan-DK <chandandk468@gmail.com>
@Chandan-DK
add kyverno test for one more failing condition
0e01161 
Signed-off-by: Chandan-DK <chandandk468@gmail.com>
@Chandan-DK
convert restrict-ingress-paths
2788e16 
Signed-off-by: Chandan-DK <chandandk468@gmail.com>
@Chandan-DK
copy check-routes
5d7f145 
Signed-off-by: Chandan-DK <chandandk468@gmail.com>
@Chandan-DK
convert check-routes
bc9172f 
Signed-off-by: Chandan-DK <chandandk468@gmail.com>
@Chandan-DK
copy disallow-deprecated-apis/
07e3081 
Signed-off-by: Chandan-DK <chandandk468@gmail.com>
@Chandan-DK
convert disallow-deprecated-apis
6d334db 
Signed-off-by: Chandan-DK <chandandk468@gmail.com>
@Chandan-DK
copy disallow-default-tlsoptions
9616cff 
Signed-off-by: Chandan-DK <chandandk468@gmail.com>
@Chandan-DK
convert disallow-default-tlsoptions
63d317e 
Signed-off-by: Chandan-DK <chandandk468@gmail.com>
@Chandan-DK
copy add-psa-namespace-reporting
4dd272d 
Signed-off-by: Chandan-DK <chandandk468@gmail.com>
@Chandan-DK
convert add-psa-namespace-reporting
f83665c 
Signed-off-by: Chandan-DK <chandandk468@gmail.com>
@Chandan-DK
copy deny-privileged-profile
184576b 
Signed-off-by: Chandan-DK <chandandk468@gmail.com>
@Chandan-DK
convert deny-privileged-profile
03609a0 
Signed-off-by: Chandan-DK <chandandk468@gmail.com>
@Chandan-DK
add kyverno tests for deny-privileged-profile
f3a3ca9 
Signed-off-by: Chandan-DK <chandandk468@gmail.com>
@Chandan-DK
copy disallow-jenkins-pipeline-strategy
2815aa5 
Signed-off-by: Chandan-DK <chandandk468@gmail.com>
@Chandan-DK
convert disallow-jenkins-pipeline-strategy
a7d95dd 
Signed-off-by: Chandan-DK <chandandk468@gmail.com>
@Chandan-DK
copy disallow-security-context-constraint-anyuid
ca7ed59 
Signed-off-by: Chandan-DK <chandandk468@gmail.com>
@Chandan-DK
convert disallow-security-context-constraint-anyuid
6512fba 
Signed-off-by: Chandan-DK <chandandk468@gmail.com>
@Chandan-DK
copy openshift-cel/disallow-self-provisioner-binding
77095fa 
Signed-off-by: Chandan-DK <chandandk468@gmail.com>
@Chandan-DK
convert disallow-self-provisioner-binding
5c66f1f 
Signed-off-by: Chandan-DK <chandandk468@gmail.com>
@Chandan-DK
copy enforce-etcd-encryption
07f18b6 
Signed-off-by: Chandan-DK <chandandk468@gmail.com>
@Chandan-DK
convert enforce-etcd-encryption
4343afc 
Signed-off-by: Chandan-DK <chandandk468@gmail.com>
@Chandan-DK
add CI tests for cel policies
5c9058e 
Signed-off-by: Chandan-DK <chandandk468@gmail.com>
@Chandan-DK
remove comments for CI tests
bb83cb3 
Signed-off-by: Chandan-DK <chandandk468@gmail.com>
@Chandan-DK
rename files for clarity
edf8a45 
Signed-off-by: Chandan-DK <chandandk468@gmail.com>
@Chandan-DK
Merge branch 'main' into miscellaneous-policies-cel-part-3
34869cf
@Chandan-DK Chandan-DK marked this pull request as ready for review May 22, 2024 11:50
@Chandan-DK Chandan-DK mentioned this pull request May 22, 2024
Merged
3 tasks
@MariamFahmy98 MariamFahmy98 self-requested a review May 22, 2024 16:43
@MariamFahmy98 MariamFahmy98 self-assigned this May 22, 2024
@MariamFahmy98 MariamFahmy98 merged commit 5bfc1aa into kyverno:main Jul 15, 2024
5 checks passed
@Chandan-DK Chandan-DK deleted the miscellaneous-policies-cel-part-3 branch July 15, 2024 10:10
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@MariamFahmy98 MariamFahmy98 MariamFahmy98 approved these changes

Assignees

@MariamFahmy98 MariamFahmy98

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@Chandan-DK @MariamFahmy98