Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: add other policies in CEL expressions - Part 1 #946

Merged
merged 36 commits into from
May 15, 2024
Merged

feat: add other policies in CEL expressions - Part 1 #946

merged 36 commits into from
May 15, 2024

Conversation

Chandan-DK
Copy link
Contributor

@Chandan-DK Chandan-DK commented Mar 18, 2024
edited

Related Issue(s)

Partially addresses #891

Description

This PR includes the conversion of policies in the other folder to Kyverno CEL policies. Conversion of the policies will be done in multiple PRs

Policies converted in this PR:

  • allowed-annotations
  • allowed-pod-priorities
  • block-ephemeral-containers
  • check-env-vars
  • check-node-for-cve-2022-0185
  • check-serviceaccount-secrets
  • deny-secret-service-account-token-type
  • disallow-all-secrets
  • disallow-localhost-services
  • disallow-secrets-from-env-vars
  • docker-socket-requires-label

Checklist

  • I have read the policy contribution guidelines.
  • I have added test manifests and resources covering both positive and negative tests that prove this policy works as intended.
  • I have added the artifacthub-pkg.yml file and have verified it is complete and correct.

@Chandan-DK
copy allowed-annotations
d8d97d1 
Signed-off-by: Chandan-DK <chandandk468@gmail.com>
@Chandan-DK
convert allowed-annotations to cel
694bee5 
Signed-off-by: Chandan-DK <chandandk468@gmail.com>
@Chandan-DK
add CI test for directories starting with a in other-cel folder
17544e1 
Signed-off-by: Chandan-DK <chandandk468@gmail.com>
@Chandan-DK
Merge branch 'main' into other-policies-cel-part-1
bce06e1
@Chandan-DK
copy allowed-pod-priorities
d479769 
Signed-off-by: Chandan-DK <chandandk468@gmail.com>
@Chandan-DK
convert allowed-pod-priorities to cel
d88f1f0 
Signed-off-by: Chandan-DK <chandandk468@gmail.com>
@Chandan-DK
copy block-ephemeral-containers
7252230 
Signed-off-by: Chandan-DK <chandandk468@gmail.com>
@Chandan-DK
convert block-ephemeral-containers to cel
9d45ca0 
Signed-off-by: Chandan-DK <chandandk468@gmail.com>
@Chandan-DK
add CI test for directories starting with b in other-cel folder
ea63ef2 
Signed-off-by: Chandan-DK <chandandk468@gmail.com>
@Chandan-DK
copy check-env-vars
8baf31d 
Signed-off-by: Chandan-DK <chandandk468@gmail.com>
@Chandan-DK
convert check-env-vars to cel
e9f2716 
Signed-off-by: Chandan-DK <chandandk468@gmail.com>
@Chandan-DK
copy check-serviceaccount-secrets
486cb1d 
Signed-off-by: Chandan-DK <chandandk468@gmail.com>
@Chandan-DK
convert check-serviceaccount-secrets to cel
ceece5c 
Signed-off-by: Chandan-DK <chandandk468@gmail.com>
@Chandan-DK
add CI test for directories starting with b to d in other-cel folder
d691d7b 
Signed-off-by: Chandan-DK <chandandk468@gmail.com>
@Chandan-DK
copy check-node-for-cve-2022-0185
f284a73 
Signed-off-by: Chandan-DK <chandandk468@gmail.com>
@Chandan-DK
convert check-node-for-cve-2022-0185
4a892f6 
Signed-off-by: Chandan-DK <chandandk468@gmail.com>
@Chandan-DK
copy deny-secret-service-account-token-type
12cb860 
Signed-off-by: Chandan-DK <chandandk468@gmail.com>
@Chandan-DK
convert deny-secret-service-account-token-type to cel
c6f9fbc 
Signed-off-by: Chandan-DK <chandandk468@gmail.com>
@Chandan-DK
copy disallow-all-secrets
a4ad77c 
Signed-off-by: Chandan-DK <chandandk468@gmail.com>
@Chandan-DK
convert disallow-all-secrets to cel
80f241c 
Signed-off-by: Chandan-DK <chandandk468@gmail.com>
@Chandan-DK
copy disallow-localhost-services
a76048b 
Signed-off-by: Chandan-DK <chandandk468@gmail.com>
@Chandan-DK
convert disallow-localhost-services to cel
ec7e6b6 
Signed-off-by: Chandan-DK <chandandk468@gmail.com>
@Chandan-DK
copy disallow-secrets-from-env-vars
2bcc5c3 
Signed-off-by: Chandan-DK <chandandk468@gmail.com>
@Chandan-DK
convert disallow-secrets-from-env-vars to cel
107816e 
Signed-off-by: Chandan-DK <chandandk468@gmail.com>
@MariamFahmy98 MariamFahmy98 self-requested a review March 25, 2024 17:32
@MariamFahmy98 MariamFahmy98 self-assigned this Mar 25, 2024
MariamFahmy98
MariamFahmy98 reviewed Mar 26, 2024
View reviewed changes
Copy link
Contributor

@MariamFahmy98 MariamFahmy98 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There is a missing kyverno test in the allowed-pod-priorities and block-ephemeral-containers.

other/deny-secret-service-account-token-type/artifacthub-pkg.yaml Outdated Show resolved Hide resolved
other-cel/allowed-annotations/.chainsaw-test/chainsaw-step-01-assert-1.yaml Outdated Show resolved Hide resolved
other-cel/allowed-pod-priorities/allowed-pod-priorities.yaml Outdated Show resolved Hide resolved
other-cel/check-node-for-cve-2022-0185/check-node-for-cve-2022-0185.yaml Show resolved Hide resolved
@Chandan-DK
add ServiceAccount to the subject in annotations
548d800 
Signed-off-by: Chandan-DK <chandandk468@gmail.com>
@Chandan-DK
Copy link
Contributor Author

There is a missing kyverno test in the allowed-pod-priorities and block-ephemeral-containers.

We can't have kyverno tests for allowed-pod-priorities at the moment because support for parameter resources in CLI tests has to be added (Issue)

@Chandan-DK
copy docker-socket-requires-label
4cc921d 
Signed-off-by: Chandan-DK <chandandk468@gmail.com>
@Chandan-DK
convert docker-socket-requires-label to cel
c410a45 
Signed-off-by: Chandan-DK <chandandk468@gmail.com>
@Chandan-DK
rename files for clarity
f9af000 
Signed-off-by: Chandan-DK <chandandk468@gmail.com>
@Chandan-DK
use autogen for higher level controllers
4b38e95 
Signed-off-by: Chandan-DK <chandandk468@gmail.com>
@Chandan-DK
add kyverno tests for block-ephemeral-containers
3d0faf1 
Signed-off-by: Chandan-DK <chandandk468@gmail.com>
@Chandan-DK
use autogen in allowed-pod-priorities kyverno policy
20563d9 
Signed-off-by: Chandan-DK <chandandk468@gmail.com>
@Chandan-DK
Merge branch 'main' into other-policies-cel-part-1
d5fac4f
@Chandan-DK Chandan-DK marked this pull request as ready for review March 30, 2024 17:31
@Chandan-DK
add new lines at the end of files
192245f 
Signed-off-by: Chandan-DK <chandandk468@gmail.com>
@MariamFahmy98
Copy link
Contributor

It seems that there are some flake tests. Could you please check?

@Chandan-DK
Copy link
Contributor Author

Sure. Will take a look soon

MariamFahmy98
MariamFahmy98 approved these changes Apr 22, 2024
View reviewed changes
Copy link
Contributor

@MariamFahmy98 MariamFahmy98 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good to me. Thank you!

@JimBugwadia
Copy link
Member

@Chandan-DK - can you please help resolve the conflicts?

@Chandan-DK
Copy link
Contributor Author

@Chandan-DK - can you please help resolve the conflicts?

Sure 👍

@Chandan-DK
Merge branch 'main' into other-policies-cel-part-1
065e052 
Signed-off-by: Chandan-DK <chandandk468@gmail.com>
@Chandan-DK
Copy link
Contributor Author

The conflicts have been resolved

@JimBugwadia JimBugwadia merged commit 8e31d60 into kyverno:main May 15, 2024
159 checks passed
@Chandan-DK Chandan-DK deleted the other-policies-cel-part-1 branch May 15, 2024 17:55
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@MariamFahmy98 MariamFahmy98 MariamFahmy98 approved these changes

Assignees

@MariamFahmy98 MariamFahmy98

Labels
None yet
Projects
Good First Issues
Status: Done
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@Chandan-DK @MariamFahmy98 @JimBugwadia