Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: add other policies in CEL expressions - Part 6 #970

Merged
merged 50 commits into from
Jun 6, 2024
Merged

feat: add other policies in CEL expressions - Part 6 #970

merged 50 commits into from
Jun 6, 2024

Conversation

Chandan-DK
Copy link
Contributor

@Chandan-DK Chandan-DK commented Apr 17, 2024
edited

Related Issue(s)

Partially addresses #891

Description

This PR includes the conversion of policies in the other folder to Kyverno CEL policies. Conversion of the policies is done in multiple PRs

Policies converted in this PR:

  • restrict-loadbalancer
  • restrict-networkpolicy-empty-podselector
  • restrict-node-affinity
  • restrict-sa-automount-sa-token
  • restrict-secret-role-verbs
  • restrict-secrets-by-name
  • restrict-service-port-range
  • restrict-storageclass
  • restrict-usergroup-fsgroup-id
  • restrict-wildcard-resources
  • restrict-wildcard-verbs

Checklist

  • [] I have read the policy contribution guidelines.
  • [] I have added test manifests and resources covering both positive and negative tests that prove this policy works as intended.
  • [] I have added the artifacthub-pkg.yml file and have verified it is complete and correct.

@Chandan-DK
add CI test for directories starting with res in other-cel
88fde63 
Signed-off-by: Chandan-DK <chandandk468@gmail.com>
@Chandan-DK
copy restrict-loadbalancer
7660980 
Signed-off-by: Chandan-DK <chandandk468@gmail.com>
@Chandan-DK
convert restrict-loadbalancer
023a3f2 
Signed-off-by: Chandan-DK <chandandk468@gmail.com>
@Chandan-DK
copy restrict-networkpolicy-empty-podselector
485b8fa 
Signed-off-by: Chandan-DK <chandandk468@gmail.com>
@Chandan-DK
convert restrict-networkpolicy-empty-podselector
d257586 
Signed-off-by: Chandan-DK <chandandk468@gmail.com>
@Chandan-DK
copy restrict-node-affinity
7edc5a7 
Signed-off-by: Chandan-DK <chandandk468@gmail.com>
@Chandan-DK
convert restrict-node-affinity
a4a63e4 
Signed-off-by: Chandan-DK <chandandk468@gmail.com>
@Chandan-DK
copy restrict-sa-automount-sa-token
9abc05f 
Signed-off-by: Chandan-DK <chandandk468@gmail.com>
@Chandan-DK
convert restrict-sa-automount-sa-token
74ae9ea 
Signed-off-by: Chandan-DK <chandandk468@gmail.com>
@Chandan-DK
copy restrict-secret-role-verbs
af9f166 
Signed-off-by: Chandan-DK <chandandk468@gmail.com>
@Chandan-DK
add kyverno tests for restrict-secret-role-verbs
6a629d7 
Signed-off-by: Chandan-DK <chandandk468@gmail.com>
@Chandan-DK
convert restrict-secret-role-verbs
e606f6a 
Signed-off-by: Chandan-DK <chandandk468@gmail.com>
@Chandan-DK
copy restrict-service-port-range
68d7113 
Signed-off-by: Chandan-DK <chandandk468@gmail.com>
@Chandan-DK
convert restrict-service-port-range
69ed0f8 
Signed-off-by: Chandan-DK <chandandk468@gmail.com>
@Chandan-DK
copy restrict-secrets-by-name
8a62492 
Signed-off-by: Chandan-DK <chandandk468@gmail.com>
@Chandan-DK
convert restrict-secrets-by-name
f8e2937 
Signed-off-by: Chandan-DK <chandandk468@gmail.com>
@Chandan-DK
copy restrict-storageclass
40e64f8 
Signed-off-by: Chandan-DK <chandandk468@gmail.com>
@Chandan-DK
convert restrict-storageclass
5e0bdae 
Signed-off-by: Chandan-DK <chandandk468@gmail.com>
@Chandan-DK
copy restrict-usergroup-fsgroup-id
725eeed 
Signed-off-by: Chandan-DK <chandandk468@gmail.com>
@Chandan-DK
add kyverno tests for restrict-usergroup-fsgroup-id
73d9791 
Signed-off-by: Chandan-DK <chandandk468@gmail.com>
@Chandan-DK
convert restrict-usergroup-fsgroup-id
3bc9784 
Signed-off-by: Chandan-DK <chandandk468@gmail.com>
@Chandan-DK
copy restrict-wildcard-resources
33971b7 
Signed-off-by: Chandan-DK <chandandk468@gmail.com>
@Chandan-DK
add kyverno tests for restrict-wildcard-resources
33647b7 
Signed-off-by: Chandan-DK <chandandk468@gmail.com>
@Chandan-DK
convert restrict-wildcard-resources
43a8693 
Signed-off-by: Chandan-DK <chandandk468@gmail.com>
@Chandan-DK
copy restrict-wildcard-verbs
d48ae01 
Signed-off-by: Chandan-DK <chandandk468@gmail.com>
@Chandan-DK
add kyverno tests for restrict-wildcard-verbs
480f873 
Signed-off-by: Chandan-DK <chandandk468@gmail.com>
@Chandan-DK
convert restrict-wildcard-verbs
51a67ed 
Signed-off-by: Chandan-DK <chandandk468@gmail.com>
@Chandan-DK
rename files for clarity
1bb6491 
Signed-off-by: Chandan-DK <chandandk468@gmail.com>
@Chandan-DK
add new lines at the end of file
91119aa 
Signed-off-by: Chandan-DK <chandandk468@gmail.com>
@Chandan-DK Chandan-DK marked this pull request as ready for review April 21, 2024 15:24
@MariamFahmy98 MariamFahmy98 self-assigned this Apr 23, 2024
@MariamFahmy98 MariamFahmy98 self-requested a review April 23, 2024 15:14
MariamFahmy98
MariamFahmy98 reviewed Jun 3, 2024
View reviewed changes
Copy link
Contributor

@MariamFahmy98 MariamFahmy98 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Overall it looks good to me. I have just added a minor comment.

other-cel/restrict-usergroup-fsgroup-id/restrict-usergroup-fsgroup-id.yaml Show resolved Hide resolved
@MariamFahmy98
Copy link
Contributor

@Chandan-DK - Could you please resolve the conflicts?

@Chandan-DK
Merge branch 'main' into other-policies-cel-part-6
3bbf7e4 
Signed-off-by: Chandan-DK <chandandk468@gmail.com>
@Chandan-DK
fix cel test
2e5841d 
Signed-off-by: Chandan-DK <chandandk468@gmail.com>
@Chandan-DK
add test case for pod creation without securityContext field
00be8c2 
Signed-off-by: Chandan-DK <chandandk468@gmail.com>
@Chandan-DK
handle case where rules is null in restrict-wildcard-verbs
0baf7b9 
Signed-off-by: Chandan-DK <chandandk468@gmail.com>
@Chandan-DK
add edge cases to chainsaw test for restrict-wildcard-verbs
66138d8 
Signed-off-by: Chandan-DK <chandandk468@gmail.com>
@Chandan-DK
add kyverno tests with edge cases for restrict-wildcard-verbs
88ac835 
Signed-off-by: Chandan-DK <chandandk468@gmail.com>
@Chandan-DK
handle case where rules is null for restrict-wildcard-resources
ce86235 
Signed-off-by: Chandan-DK <chandandk468@gmail.com>
@Chandan-DK
add edge cases to chainsaw tests for restrict-wildcard-resources
15474aa 
Signed-off-by: Chandan-DK <chandandk468@gmail.com>
@Chandan-DK
handle case where rules is null for restrict-clusterrole-nodesproxy
81ab935 
Signed-off-by: Chandan-DK <chandandk468@gmail.com>
@Chandan-DK
add kyverno test with edge cases for restrict-clusterrole-nodesproxy
a25ac37 
Signed-off-by: Chandan-DK <chandandk468@gmail.com>
@Chandan-DK
add chainsaw edge cases for restrict-clusterrole-nodesproxy
b52fbd6 
Signed-off-by: Chandan-DK <chandandk468@gmail.com>
@Chandan-DK
handle case where rules is null in restrict-escalation-verbs-roles
760b816 
Signed-off-by: Chandan-DK <chandandk468@gmail.com>
@Chandan-DK
add edge case for kyverno tests in restrict-escalation-verbs-roles
17eee49 
Signed-off-by: Chandan-DK <chandandk468@gmail.com>
@Chandan-DK
add edge cases to chainsaw tests for restrict-escalation-verbs-roles
8bfb6b9 
Signed-off-by: Chandan-DK <chandandk468@gmail.com>
@Chandan-DK
handle case where rules is null in restrict-secret-role-verbs
cc59be2 
Signed-off-by: Chandan-DK <chandandk468@gmail.com>
@Chandan-DK
add edge cases for restrict-secret-role-verbs
369dfa9 
Signed-off-by: Chandan-DK <chandandk468@gmail.com>
@Chandan-DK
add edge cases for chainsaw tests in restrict-secret-role-verbs
60c1696 
Signed-off-by: Chandan-DK <chandandk468@gmail.com>
@Chandan-DK
rename kyverno test resources
f0b2342 
Signed-off-by: Chandan-DK <chandandk468@gmail.com>
@Chandan-DK
elaborate comment
08b12b5 
Signed-off-by: Chandan-DK <chandandk468@gmail.com>
@Chandan-DK
Copy link
Contributor Author

While resolving the merge conflict caused due to PR #1025, I realized that a Role and ClusterRole can be created by either omitting or keeping rules empty (https://github.com/kyverno/policies/pull/1025/files#diff-d8ebec1f6fac7038fbd1ecdea4d1797a84639e2fc96377af0537e5bc074fa200R1-R24). When it is created in this manner in the cluster, it will be set to rules: null by default. I've modified the policies to account for this behaviour and I've added for tests it.

@MariamFahmy98
Copy link
Contributor

While resolving the merge conflict caused due to PR #1025, I realized that a Role and ClusterRole can be created by either omitting or keeping rules empty (https://github.com/kyverno/policies/pull/1025/files#diff-d8ebec1f6fac7038fbd1ecdea4d1797a84639e2fc96377af0537e5bc074fa200R1-R24). When it is created in this manner in the cluster, it will be set to rules: null by default. I've modified the policies to account for this behaviour and I've added for tests it.

Good catch.

@MariamFahmy98 MariamFahmy98 merged commit 35b992d into kyverno:main Jun 6, 2024
185 checks passed
@Chandan-DK Chandan-DK deleted the other-policies-cel-part-6 branch June 6, 2024 10:53
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@MariamFahmy98 MariamFahmy98 MariamFahmy98 approved these changes

Assignees

@MariamFahmy98 MariamFahmy98

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@Chandan-DK @MariamFahmy98