diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml index cf515dac..2a8f899b 100644 --- a/.github/workflows/test.yaml +++ b/.github/workflows/test.yaml @@ -94,7 +94,9 @@ jobs: - name: Install Kyverno run: | helm repo add kyverno https://kyverno.github.io/kyverno/ - helm install kyverno kyverno/kyverno -n kyverno --create-namespace --version 3.1.4 + helm install kyverno kyverno/kyverno -n kyverno --create-namespace -f .github/config/kyverno-values.yaml --version 3.1.4 + timeout 60 /bin/bash -c 'until kubectl get pods -n kyverno -l app.kubernetes.io/component=admission-controller -o jsonpath="{.items[0].status.phase}" | grep Running ; do echo "Waiting for Kyverno" ; sleep 10 ; done' + sleep 60 - name: Install cert-manager if: matrix.chart == 'paas' run: | @@ -111,3 +113,4 @@ jobs: kubectl describe pod -A kubectl describe service -A kubectl describe daemonset -A + kubectl logs -n kyverno -l app.kubernetes.io/component=admission-controller diff --git a/Makefile b/Makefile index 93268ed7..5e245fdd 100644 --- a/Makefile +++ b/Makefile @@ -37,7 +37,7 @@ kyverno-copy-policies: $(KYVERNO_POLICIES) done kyverno-test: $(KYVENOR_CLI) kyverno-copy-policies - $(KYVENOR_CLI) test $(KYVERNO_POLICY_TESTS_DIR) + $(KYVENOR_CLI) test --detailed-results $(KYVERNO_POLICY_TESTS_DIR) encrypt-private-values: $(PRIVATE_CHARTS) @for d in $(dir $^); do \ diff --git a/charts/kyverno-policies/Chart.yaml b/charts/kyverno-policies/Chart.yaml index ccd5f37d..8a74d0e0 100644 --- a/charts/kyverno-policies/Chart.yaml +++ b/charts/kyverno-policies/Chart.yaml @@ -2,7 +2,7 @@ apiVersion: v2 name: kyverno-policies description: OSC Kyverno policies deployment type: application -version: 0.27.0 +version: 0.28.0 appVersion: "v1.11.4" maintainers: - name: treydock diff --git a/charts/kyverno-policies/templates/add-annotations.yaml b/charts/kyverno-policies/templates/add-annotations.yaml index 8b5cfa40..d6b0ed69 100644 --- a/charts/kyverno-policies/templates/add-annotations.yaml 
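Review bot: The readiness loop on the added `timeout 60 /bin/bash -c 'until kubectl get pods ...'` line only checks that the first admission-controller pod reports phase Running, and the unexplained `sleep 60` after it is what really waits for the webhook to come up; `kubectl wait --for=condition=Available deployment -n kyverno -l app.kubernetes.io/component=admission-controller --timeout=120s` expresses that intent without a fixed sleep. If the sleep stays, a one-line comment such as `# give Kyverno time to register its webhooks before policies are applied` would tell the next reader why it is there. The new `-f .github/config/kyverno-values.yaml` argument references a file that is not in the part of the diff I can see; make sure it is committed alongside this change.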
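Review bot: The recipe line calls `$(KYVENOR_CLI)`, which reads as a misspelling of `KYVERNO_CLI`; the variable is defined outside this hunk, so renaming it would need the definition and the other references updated together, but it is worth a follow-up. `kyverno-test` is a command target rather than a file, so it should be listed in `.PHONY` if it is not already (the declaration is not visible in this hunk). A short `## Run Kyverno CLI tests with per-resource results` comment above the target would document what `--detailed-results` buys.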
+++ b/charts/kyverno-policies/templates/add-annotations.yaml @@ -24,3 +24,20 @@ spec: metadata: annotations: prometheus.io/scrape: 'false' + - name: paas-cert-manager + match: + any: + - resources: + kinds: + - Ingress + namespaceSelector: + matchExpressions: + - key: osc.edu/role + operator: In + values: + - paas + mutate: + patchStrategicMerge: + metadata: + annotations: + cert-manager.io/cluster-issuer: "{{ .Values.paas.certManagerClusterIssuer }}" diff --git a/charts/kyverno-policies/templates/add-image-pull-secret.yaml b/charts/kyverno-policies/templates/add-image-pull-secret.yaml new file mode 100644 index 00000000..dbf6b34d --- /dev/null +++ b/charts/kyverno-policies/templates/add-image-pull-secret.yaml @@ -0,0 +1,34 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: add-image-pull-secret +spec: + validationFailureAction: Enforce + background: true + rules: + - name: paas-osc-registry + match: + any: + - resources: + kinds: + - Pod + namespaceSelector: + matchExpressions: + - key: osc.edu/role + operator: In + values: + - paas + context: + - name: secret + apiCall: + urlPath: "/api/v1/namespaces/{{`{{ request.namespace }}`}}/secrets/osc-registry" + jmesPath: "metadata.name || ''" + preconditions: + - key: "{{`{{ secret || '' }}`}}" + operator: NotEquals + value: "" + mutate: + patchStrategicMerge: + spec: + imagePullSecrets: + - name: "{{`{{ secret }}`}}" diff --git a/charts/kyverno-policies/templates/add-ingress-class-name.yaml b/charts/kyverno-policies/templates/add-ingress-class-name.yaml new file mode 100644 index 00000000..8f646dc1 --- /dev/null +++ b/charts/kyverno-policies/templates/add-ingress-class-name.yaml 
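Review bot: The new `paas-cert-manager` rule's `patchStrategicMerge` unconditionally writes `cert-manager.io/cluster-issuer`, so an Ingress that already carries a different issuer annotation is silently overwritten rather than rejected or left alone. If the intent is a default rather than a forced value, Kyverno's add-if-not-present anchor does that: `+(cert-manager.io/cluster-issuer): "{{ .Values.paas.certManagerClusterIssuer }}"`; if the platform deliberately forces one issuer for paas namespaces, a comment on the rule saying so would save the next reader the question. The same choice applies to `spec.ingressClassName` in the new add-ingress-class-name.yaml policy further down.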
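Review bot: The `paas-osc-registry` rule relies on the `secret` apiCall yielding an empty value when `osc-registry` does not exist in the namespace, but an apiCall for a missing object returns a 404, which Kyverno may surface as a rule error rather than an empty result; the accompanying CLI test models the missing-secret case by omitting the `secret` variable in variables.yaml, so it does not exercise that path. Verify in a live cluster that a paas namespace without the secret still admits pods (skip, not error), and once confirmed add a comment on the context such as `# empty when the namespace has no osc-registry secret; the precondition then skips the rule`. `validationFailureAction: Enforce` has no effect on a mutate-only policy and could be dropped so the policy does not read as if it validates anything.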
@@ -0,0 +1,24 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: add-ingress-class-name +spec: + validationFailureAction: Enforce + background: true + rules: + - name: add-ingress-class-name + match: + any: + - resources: + kinds: + - Ingress + namespaceSelector: + matchExpressions: + - key: osc.edu/role + operator: In + values: + - paas + mutate: + patchStrategicMerge: + spec: + ingressClassName: "{{ .Values.paas.ingressClassName }}" diff --git a/charts/kyverno-policies/templates/add-service-account.yaml b/charts/kyverno-policies/templates/add-service-account.yaml index 75affbd0..369dace3 100644 --- a/charts/kyverno-policies/templates/add-service-account.yaml +++ b/charts/kyverno-policies/templates/add-service-account.yaml 
@@ -35,41 +35,40 @@ spec: configMap: name: user-gids-map namespace: k8-ldap-configmap - mutate: - patchStrategicMerge: - spec: - securityContext: - runAsUser: "{{`{{ uidMap.data.\"user-{{ request.object.metadata.labels.\"osc.edu/service-account\" }}\".to_number(@) }}`}}" - runAsGroup: "{{`{{ gidMap.data.\"user-{{ request.object.metadata.labels.\"osc.edu/service-account\" }}\".to_number(@) }}`}}" - fsGroup: "{{`{{ gidMap.data.\"user-{{ request.object.metadata.labels.\"osc.edu/service-account\" }}\".to_number(@) }}`}}" - supplementalGroups: "{{`{{ gidsMap.data.\"user-{{ request.object.metadata.labels.\"osc.edu/service-account\" }}\" | parse_json(@)[*].to_number(@) }}`}}" - - name: webservice-service-account-run-as-containers - match: - any: - - resources: - kinds: - - Pod - namespaceSelector: - matchExpressions: - - key: osc.edu/role - operator: In - values: - - webservice - preconditions: - - key: "{{`{{ request.object.metadata.labels.\"osc.edu/service-account\" || '' }}`}}" - operator: NotEquals - value: "" - context: - - name: uidMap - configMap: - name: user-uid-map - namespace: k8-ldap-configmap - - name: gidMap - configMap: - name: user-gid-map - namespace: k8-ldap-configmap mutate: foreach: + - list: "request.object.spec" + patchStrategicMerge: + spec: + securityContext: + runAsNonRoot: true + runAsUser: "{{`{{ uidMap.data.\"user-{{ request.object.metadata.labels.\"osc.edu/service-account\" }}\".to_number(@) }}`}}" + runAsGroup: "{{`{{ gidMap.data.\"user-{{ request.object.metadata.labels.\"osc.edu/service-account\" }}\".to_number(@) }}`}}" + fsGroup: "{{`{{ gidMap.data.\"user-{{ request.object.metadata.labels.\"osc.edu/service-account\" }}\".to_number(@) }}`}}" + supplementalGroups: "{{`{{ gidsMap.data.\"user-{{ request.object.metadata.labels.\"osc.edu/service-account\" }}\" | parse_json(@)[*].to_number(@) }}`}}" + - list: "request.object.spec.[containers, initContainers][]" + patchStrategicMerge: + spec: + containers: + - (name): "*" + securityContext: + 
allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault + privileged: false + initContainers: + - (name): "*" + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault + privileged: false - list: "request.object.spec.[containers, initContainers][]" patchStrategicMerge: spec: @@ -135,10 +134,34 @@ spec: patchStrategicMerge: spec: securityContext: + runAsNonRoot: true runAsUser: "{{`{{ uidMap.data.\"user-{{ serviceAccount }}\".to_number(@) }}`}}" runAsGroup: "{{`{{ gidMap.data.\"user-{{ serviceAccount }}\".to_number(@) }}`}}" fsGroup: "{{`{{ gidMap.data.\"user-{{ serviceAccount }}\".to_number(@) }}`}}" supplementalGroups: "{{`{{ gidsMap.data.\"user-{{ serviceAccount }}\" | parse_json(@)[*].to_number(@) }}`}}" + - list: "request.object.spec.[containers, initContainers][]" + patchStrategicMerge: + spec: + containers: + - (name): "*" + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault + privileged: false + initContainers: + - (name): "*" + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault + privileged: false - list: "request.object.spec.[containers, initContainers][]" patchStrategicMerge: spec: diff --git a/charts/kyverno-policies/templates/ingress-allowed-dns.yaml b/charts/kyverno-policies/templates/ingress-allowed-dns.yaml new file mode 100644 index 00000000..0a349d4d --- /dev/null +++ b/charts/kyverno-policies/templates/ingress-allowed-dns.yaml 
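Review bot: Neither new `foreach` entry in the rewritten `mutate` block references `{{ element }}`; `foreach` is being used only to sequence independent patches, and the second entry iterates the same `request.object.spec.[containers, initContainers][]` list as the existing third one, so the container hardening patch is re-applied once per container. The first entry's `list: "request.object.spec"` points at a map rather than an array, so confirm Kyverno accepts it as a foreach list; if it errors, the pod-level `runAsNonRoot`/UID/GID patch never lands. The same container `securityContext` block (drop ALL, seccomp RuntimeDefault, `privileged: false`) appears twice in this hunk and twice more in the hunk at line 134 of this file; since these are Helm templates, a named template with `define`/`include` would keep the four copies from drifting. The list also skips `ephemeralContainers`, so containers added via `kubectl debug` do not receive these defaults, and whether a validation policy catches that is not visible here. The enclosing rule starts before this hunk.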
@@ -0,0 +1,38 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: ingress-allowed-dns +spec: + background: true + validationFailureAction: Enforce + rules: + - name: allowed-dns + match: + any: + - resources: + kinds: + - Ingress + namespaceSelector: + matchExpressions: + - key: osc.edu/role + operator: In + values: + - paas + context: + - name: allowed + apiCall: + urlPath: "/api/v1/namespaces/{{`{{ request.namespace }}`}}" + jmesPath: "metadata.annotations.\"osc.edu/allowed-dns\" || ''" + validate: + message: "DNS host requested is not allowed" + foreach: + - list: request.object.spec.rules + deny: + conditions: + all: + - key: "{{`{{ element.host }}`}}" + operator: Equals + value: "*.osc.edu" + - key: "{{`{{ element.host }}`}}" + operator: NotIn + value: "{{`{{ allowed | split(@, ',') }}`}}" diff --git a/charts/kyverno-policies/templates/ingress-annotations.yaml b/charts/kyverno-policies/templates/ingress-annotations.yaml new file mode 100644 index 00000000..d6fd5be1 --- /dev/null +++ b/charts/kyverno-policies/templates/ingress-annotations.yaml @@ -0,0 +1,26 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: ingress-annotations +spec: + background: true + validationFailureAction: Enforce + rules: + - name: deny-external-dns-annotations + match: + any: + - resources: + kinds: + - Ingress + namespaceSelector: + matchExpressions: + - key: osc.edu/role + operator: In + values: + - paas + validate: + message: "External DNS annotations are now allowed" + pattern: + metadata: + =(annotations): + X(external-dns.alpha.kubernetes.io/*): "*?" diff --git a/charts/kyverno-policies/templates/namespace-account.yaml b/charts/kyverno-policies/templates/namespace-account.yaml index 6c651bbf..8fe50215 100644 --- a/charts/kyverno-policies/templates/namespace-account.yaml +++ b/charts/kyverno-policies/templates/namespace-account.yaml 
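Review bot: The `allowed-dns` rule only inspects `spec.rules[].host`, so `spec.tls[].hosts` is unchecked; together with the new `paas-cert-manager` annotation rule, an unapproved `*.osc.edu` name listed under `tls.hosts` would still reach cert-manager for issuance. A second foreach entry over `request.object.spec.tls[].hosts[]` with the same two conditions keyed on `{{ element }}` closes that. A rule with no `host` at all never matches `*.osc.edu` and is therefore allowed, and on a shared ingress controller a host-less rule acts as a catch-all for unmatched hostnames, so consider denying an empty `element.host` in paas namespaces too. Hostnames outside `osc.edu` are deliberately unrestricted here, which is worth stating in a comment on the rule.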
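Review bot: The validation message reads `External DNS annotations are now allowed`, which says the opposite of what the rule enforces; it should be `message: "External DNS annotations are not allowed"`. The `X(external-dns.alpha.kubernetes.io/*): "*?"` anchor only rejects keys whose value is non-empty, so an external-dns annotation with an empty string value passes; if that is not intended, `"*"` would reject the key regardless of value — confirm against Kyverno's wildcard semantics before changing it.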
@@ -21,3 +21,34 @@ spec: metadata: labels: account: "?*" + - name: valid-account + match: + any: + - resources: + kinds: + - Namespace + selector: + matchLabels: + {{ include "osc.common.roleKey" . }}: paas + preconditions: + - key: "{{`{{ request.operation }}`}}" + operator: In + value: ["CREATE","UPDATE"] + - key: "{{`{{ request.object.metadata.labels.account || '' }}`}}" + operator: NotEquals + value: "" + - key: "{{`{{`}} request.object.metadata.labels.\"{{ include "osc.common.serviceAccountKey" . }}\" || '' {{`}}`}}" + operator: NotEquals + value: "" + context: + - name: userGroupMap + configMap: + name: user-groups-map + namespace: k8-ldap-configmap + validate: + message: "{{`{{`}} request.object.metadata.labels.\"{{ include "osc.common.serviceAccountKey" . }}\" {{`}}`}} not authorized to charge against account {{`{{ request.object.metadata.labels.account }}`}}" + deny: + conditions: + - key: "{{`{{ request.object.metadata.labels.account }}`}}" + operator: NotIn + value: "{{`{{`}} userGroupMap.data.\"user-{{`{{`}} request.object.metadata.labels.\"{{ include "osc.common.serviceAccountKey" . }}\" {{`}}`}}\" {{`}}`}}" diff --git a/charts/kyverno-policies/templates/no-loadbalancers.yaml b/charts/kyverno-policies/templates/no-loadbalancers.yaml deleted file mode 100644 index 3a878408..00000000 --- a/charts/kyverno-policies/templates/no-loadbalancers.yaml +++ /dev/null @@ -1,25 +0,0 @@ -# https://github.com/kyverno/policies/blob/main/other/restrict_loadbalancer.yaml -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: no-loadbalancers -spec: - background: true - validationFailureAction: Enforce - rules: - - name: no-loadbalancers - match: - any: - - resources: - kinds: - - Service - exclude: - any: - - resources: - namespaces: - - ingress-nginx - validate: - message: "Service of type LoadBalancer is not allowed." - pattern: - spec: - type: "!LoadBalancer" 
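Review bot: The deny condition in `valid-account` passes the raw value of `userGroupMap.data."user-<sa>"` to `NotIn`, whereas ingress-allowed-dns.yaml in the same chart explicitly splits its comma-separated ConfigMap value with `split(@, ',')`; confirm the `user-groups-map` entries are stored in a form `NotIn` treats as a set, or split here the same way. When the ConfigMap has no entry for the user the JMESPath yields null, and a null right-hand side of `NotIn` may surface as a rule error rather than a clean denial; appending `|| ''` inside the expression, as the preconditions in this hunk already do for the labels, keeps the failure mode predictable. A comment on the rule such as `# a namespace may only charge an account its service-account user belongs to` would document the intent.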
diff --git a/charts/kyverno-policies/templates/pod-host-port.yaml b/charts/kyverno-policies/templates/pod-host-port.yaml new file mode 100644 index 00000000..d4b0d801 --- /dev/null +++ b/charts/kyverno-policies/templates/pod-host-port.yaml @@ -0,0 +1,39 @@ +# REF: https://kyverno.io/policies/pod-security/baseline/disallow-host-ports/disallow-host-ports/ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: pod-host-port +spec: + background: true + validationFailureAction: Enforce + rules: + - name: no-host-port + match: + any: + - resources: + kinds: + - Pod + namespaces: + - "user-?*" + - resources: + kinds: + - Pod + namespaceSelector: + matchExpressions: + - key: osc.edu/role + operator: In + values: + - paas + validate: + message: "Pod hostPort is not allowed" + pattern: + spec: + =(ephemeralContainers): + - =(ports): + - =(hostPort): 0 + =(initContainers): + - =(ports): + - =(hostPort): 0 + containers: + - =(ports): + - =(hostPort): 0 diff --git a/charts/kyverno-policies/templates/pod-service-account-validation.yaml b/charts/kyverno-policies/templates/pod-service-account-validation.yaml index 7fffffdc..7396a0de 100644 --- a/charts/kyverno-policies/templates/pod-service-account-validation.yaml +++ b/charts/kyverno-policies/templates/pod-service-account-validation.yaml @@ -55,9 +55,10 @@ spec: validate: message: >- Invalid service account UID or GID specified - anyPattern: - - spec: + pattern: + spec: securityContext: + runAsNonRoot: "true" runAsUser: "{{`{{`}} uidMap.data.\"user-{{`{{`}} request.object.metadata.labels.\"{{ include "osc.common.serviceAccountKey" . }}\" {{`}}`}}\" {{`}}`}}" runAsGroup: "{{`{{`}} gidMap.data.\"user-{{`{{`}} request.object.metadata.labels.\"{{ include "osc.common.serviceAccountKey" . }}\" {{`}}`}}\" {{`}}`}}" fsGroup: "{{`{{`}} gidMap.data.\"user-{{`{{`}} request.object.metadata.labels.\"{{ include "osc.common.serviceAccountKey" . }}\" {{`}}`}}\" {{`}}`}}" 
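Review bot: The `no-host-port` pattern covers `hostPort` on all three container lists, but a pod with `spec.hostNetwork: true` binds its container ports on the node without ever setting `hostPort`, so unless another policy in the chart restricts `hostNetwork` for the `user-?*` and paas namespaces (not visible in this diff) the intent of this policy can be sidestepped. Adding `=(hostNetwork): false` under `spec:` here, or a companion rule, closes that gap. The `=(hostPort): 0` form follows the referenced upstream baseline policy, so pods that omit the field still pass, which is the desired behaviour.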
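Review bot: The added `runAsNonRoot: "true"` is a quoted string in a validate pattern, while the mutate policy in add-service-account.yaml sets the field as the boolean `runAsNonRoot: true`; Kyverno generally coerces scalars to strings when matching patterns, so this likely works, but the unquoted boolean is the safer spelling and matches the mutate side. The same applies to the hunk at line 139 of this file for the paas rule. Since the rule now has a single `pattern`, a pod that sets UID/GID only per-container and omits the pod-level securityContext is rejected outright; that is consistent with the mutate policy always injecting the pod-level block, but a comment above `message` would make the stricter behaviour read as deliberate. The enclosing rule starts before this hunk.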
@@ -69,15 +70,6 @@ spec: - =(securityContext): =(runAsUser): "{{`{{`}} uidMap.data.\"user-{{`{{`}} request.object.metadata.labels.\"{{ include "osc.common.serviceAccountKey" . }}\" {{`}}`}}\" {{`}}`}}" =(runAsGroup): "{{`{{`}} gidMap.data.\"user-{{`{{`}} request.object.metadata.labels.\"{{ include "osc.common.serviceAccountKey" . }}\" {{`}}`}}\" {{`}}`}}" - - spec: - =(initContainers): - - securityContext: - runAsUser: "{{`{{`}} uidMap.data.\"user-{{`{{`}} request.object.metadata.labels.\"{{ include "osc.common.serviceAccountKey" . }}\" {{`}}`}}\" {{`}}`}}" - runAsGroup: "{{`{{`}} gidMap.data.\"user-{{`{{`}} request.object.metadata.labels.\"{{ include "osc.common.serviceAccountKey" . }}\" {{`}}`}}\" {{`}}`}}" - containers: - - securityContext: - runAsUser: "{{`{{`}} uidMap.data.\"user-{{`{{`}} request.object.metadata.labels.\"{{ include "osc.common.serviceAccountKey" . }}\" {{`}}`}}\" {{`}}`}}" - runAsGroup: "{{`{{`}} gidMap.data.\"user-{{`{{`}} request.object.metadata.labels.\"{{ include "osc.common.serviceAccountKey" . }}\" {{`}}`}}\" {{`}}`}}" - name: webservice-service-account-authorized-for-groups match: any: @@ -147,9 +139,10 @@ spec: validate: message: >- Invalid service account UID or GID specified - anyPattern: - - spec: + pattern: + spec: securityContext: + runAsNonRoot: "true" runAsUser: "{{`{{ uidMap.data.\"user-{{ serviceAccount }}\" }}`}}" runAsGroup: "{{`{{ gidMap.data.\"user-{{ serviceAccount }}\" }}`}}" fsGroup: "{{`{{ gidMap.data.\"user-{{ serviceAccount }}\" }}`}}" 
@@ -161,15 +154,6 @@ spec: - =(securityContext): =(runAsUser): "{{`{{ uidMap.data.\"user-{{ serviceAccount }}\" }}`}}" =(runAsGroup): "{{`{{ gidMap.data.\"user-{{ serviceAccount }}\" }}`}}" - - spec: - =(initContainers): - - securityContext: - runAsUser: "{{`{{ uidMap.data.\"user-{{ serviceAccount }}\" }}`}}" - runAsGroup: "{{`{{ gidMap.data.\"user-{{ serviceAccount }}\" }}`}}" - containers: - - securityContext: - runAsUser: "{{`{{ uidMap.data.\"user-{{ serviceAccount }}\" }}`}}" - runAsGroup: "{{`{{ gidMap.data.\"user-{{ serviceAccount }}\" }}`}}" - name: paas-service-account-authorized-for-groups match: any: diff --git a/charts/kyverno-policies/templates/service-types.yaml b/charts/kyverno-policies/templates/service-types.yaml new file mode 100644 index 00000000..b34778f5 --- /dev/null +++ b/charts/kyverno-policies/templates/service-types.yaml @@ -0,0 +1,59 @@ +# https://github.com/kyverno/policies/blob/main/other/restrict_loadbalancer.yaml +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: service-types +spec: + background: true + validationFailureAction: Enforce + rules: + - name: no-load-balancer + match: + any: + - resources: + kinds: + - Service + exclude: + any: + - resources: + namespaces: + - ingress-nginx + validate: + message: "Service of type LoadBalancer is not allowed." + pattern: + spec: + type: "!LoadBalancer" + - name: no-external-name + match: + any: + - resources: + kinds: + - Service + namespaceSelector: + matchExpressions: + - key: osc.edu/role + operator: In + values: + - paas + validate: + message: "Service of type ExternalName is not allowed." + pattern: + spec: + type: "!ExternalName" + - name: no-node-port + match: + any: + - resources: + kinds: + - Service + namespaceSelector: + matchExpressions: + - key: osc.edu/role + operator: In + values: + - paas + validate: + message: "Service of type NodePort is not allowed." + pattern: + spec: + type: "!NodePort" 
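Review bot: Only `no-load-balancer` is cluster-wide; `no-external-name` and `no-node-port` are scoped to namespaces with `osc.edu/role: paas`, so tenants in the `user-?*` namespaces that pod-host-port.yaml in this same change treats as restricted can still create NodePort and ExternalName Services. If that asymmetry is intended, a comment on those two rules saying so would help; if not, add the `namespaces: - "user-?*"` match entry used in pod-host-port.yaml to both rules. The upstream `restrict_loadbalancer.yaml` reference only explains the first rule, so a short line on why ExternalName and NodePort are blocked for paas would complete the header comment.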
diff --git a/charts/kyverno-policies/values.yaml b/charts/kyverno-policies/values.yaml index 0b6a73e2..114ebeaf 100644 --- a/charts/kyverno-policies/values.yaml +++ b/charts/kyverno-policies/values.yaml @@ -44,6 +44,8 @@ paas: - quay.io/oauth2-proxy/oauth2-proxy validNodeSelector: - paas + certManagerClusterIssuer: letsencrypt + ingressClassName: nginx validationFailureAction: {} kyverno-policies: # Supported- baseline/restricted/privileged/custom diff --git a/charts/paas/Chart.yaml b/charts/paas/Chart.yaml index f1003b77..31d6c133 100644 --- a/charts/paas/Chart.yaml +++ b/charts/paas/Chart.yaml @@ -2,7 +2,7 @@ apiVersion: v2 name: paas description: OSC PAAS bootstrap Helm Chart type: application -version: 0.2.1 +version: 0.3.0 appVersion: "0.1.0" maintainers: - name: treydock diff --git a/charts/paas/README.md b/charts/paas/README.md index 9fa71df1..bea74f6e 100644 --- a/charts/paas/README.md +++ b/charts/paas/README.md @@ -1,6 +1,6 @@ # paas -![Version: 0.2.1](https://img.shields.io/badge/Version-0.2.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.1.0](https://img.shields.io/badge/AppVersion-0.1.0-informational?style=flat-square) +![Version: 0.3.0](https://img.shields.io/badge/Version-0.3.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.1.0](https://img.shields.io/badge/AppVersion-0.1.0-informational?style=flat-square) OSC PAAS bootstrap Helm Chart @@ -26,10 +26,16 @@ namespaces: serviceAccount: test-account account: test groups: ['testgroup'] + allowedDNS: + - test.osc.edu + - test.k8.osc.edu - name: foo serviceAccount: foo-account account: foo groups: ['bar'] + allowedDNS: + - foo.osc.edu + - foo.k8.osc.edu cpuLimit: '8' cpuDefault: '1' memoryLimit: '16Gi' 
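Review bot: The two new keys `certManagerClusterIssuer` and `ingressClassName` are undocumented, and because the policies that consume them overwrite whatever a tenant Ingress already specifies, the defaults `letsencrypt` and `nginx` become forced values for every paas namespace. A comment above each, e.g. `# cluster-issuer annotation written onto every Ingress in paas namespaces` and `# ingressClassName written onto every Ingress in paas namespaces`, would make that visible to whoever overrides them.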
@@ -47,6 +53,7 @@ namespaces: | serviceAccount | The user that will run pods | **required** | | account | The charge account for this namespace | **required** | | groups | The groups that can manage the namespace's resources | `[]` | +| allowedDNS | Allowed DNS entries for namespace's Ingress resources | `[]` | | cpuLimit | The max CPU this namespace can consume | `4` | | cpuDefault | The default CPU request for this namespace | `1` | | memoryLimit | The max memory this namespace can consume | `8Gi` | diff --git a/charts/paas/README.md.gotmpl b/charts/paas/README.md.gotmpl index 2ac41f69..98101932 100644 --- a/charts/paas/README.md.gotmpl +++ b/charts/paas/README.md.gotmpl @@ -23,10 +23,16 @@ namespaces: serviceAccount: test-account account: test groups: ['testgroup'] + allowedDNS: + - test.osc.edu + - test.k8.osc.edu - name: foo serviceAccount: foo-account account: foo groups: ['bar'] + allowedDNS: + - foo.osc.edu + - foo.k8.osc.edu cpuLimit: '8' cpuDefault: '1' memoryLimit: '16Gi' @@ -44,6 +50,7 @@ namespaces: | serviceAccount | The user that will run pods | **required** | | account | The charge account for this namespace | **required** | | groups | The groups that can manage the namespace's resources | `[]` | +| allowedDNS | Allowed DNS entries for namespace's Ingress resources | `[]` | | cpuLimit | The max CPU this namespace can consume | `4` | | cpuDefault | The default CPU request for this namespace | `1` | | memoryLimit | The max memory this namespace can consume | `8Gi` | diff --git a/charts/paas/ci/test-values.yaml b/charts/paas/ci/test-values.yaml index addfda0d..0fda5dfc 100644 --- a/charts/paas/ci/test-values.yaml +++ b/charts/paas/ci/test-values.yaml @@ -4,6 +4,9 @@ namespaces: serviceAccount: test-account account: test groups: ['testgroup'] + allowedDNS: + - test.example.com + - test.k8.example.com cpuLimit: '8' cpuDefault: '1' memoryLimit: '16Gi' 
diff --git a/charts/paas/templates/namespace.yaml b/charts/paas/templates/namespace.yaml index 6fde4d27..7f6c1be2 100644 --- a/charts/paas/templates/namespace.yaml +++ b/charts/paas/templates/namespace.yaml @@ -12,4 +12,7 @@ metadata: account: {{ required "Namespace 'account' is required" $namespace.account }} annotations: {{- include "paas.namespaced.annotations" . | nindent 4 }} + {{- with $namespace.allowedDNS }} + osc.edu/allowed-dns: {{ join "," . | quote }} + {{- end }} {{ end }} diff --git a/tests/kyverno-policies/add-annotations/kyverno-test.yaml b/tests/kyverno-policies/add-annotations/kyverno-test.yaml index d431302c..f12e8278 100644 --- a/tests/kyverno-policies/add-annotations/kyverno-test.yaml +++ b/tests/kyverno-policies/add-annotations/kyverno-test.yaml @@ -27,3 +27,16 @@ results: - test-skip-webservice kind: Pod result: skip + - policy: add-annotations + rule: paas-cert-manager + resources: + - paas/paas-pass + patchedResource: test-paas-ingress-mutated.yaml + kind: Ingress + result: pass + - policy: add-annotations + rule: paas-cert-manager + resources: + - webservice/skip + kind: Ingress + result: skip diff --git a/tests/kyverno-policies/add-annotations/resources.yaml b/tests/kyverno-policies/add-annotations/resources.yaml index f99cc0a1..9eeebd6f 100644 --- a/tests/kyverno-policies/add-annotations/resources.yaml +++ b/tests/kyverno-policies/add-annotations/resources.yaml @@ -43,3 +43,39 @@ spec: containers: - name: nginx image: nginx:latest +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: paas-pass + namespace: paas +spec: + rules: + - host: web.osc.edu + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: web + port: + number: 80 +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: skip + namespace: webservice +spec: + rules: + - host: foo.osc.edu + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: web + port: + number: 80 
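Review bot: The `osc.edu/allowed-dns` annotation written here is the trust anchor that ingress-allowed-dns.yaml reads back, so whoever can update the Namespace object can grant themselves hostnames; the `valid-account` rule added to namespace-account.yaml in this same change validates namespace UPDATEs, which suggests non-admin updates are expected. If so, consider a validate rule that denies changes to this annotation, or confirm the paas RBAC does not grant namespace update to tenants. The `join ","` output has to match the policy's `split(@, ',')` exactly, so `allowedDNS` entries must carry no surrounding whitespace; a short note in the README row for `allowedDNS` would cover that.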
diff --git a/tests/kyverno-policies/add-annotations/test-paas-ingress-mutated.yaml b/tests/kyverno-policies/add-annotations/test-paas-ingress-mutated.yaml new file mode 100644 index 00000000..6c803f1e --- /dev/null +++ b/tests/kyverno-policies/add-annotations/test-paas-ingress-mutated.yaml @@ -0,0 +1,20 @@ +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: paas-pass + namespace: paas + annotations: + cert-manager.io/cluster-issuer: letsencrypt +spec: + rules: + - host: web.osc.edu + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: web + port: + number: 80 diff --git a/tests/kyverno-policies/add-image-pull-secret/kyverno-test.yaml b/tests/kyverno-policies/add-image-pull-secret/kyverno-test.yaml new file mode 100644 index 00000000..a965b96f --- /dev/null +++ b/tests/kyverno-policies/add-image-pull-secret/kyverno-test.yaml @@ -0,0 +1,29 @@ +--- +name: add-image-pull-secret +policies: + - policy.yaml +resources: + - resources.yaml +variables: variables.yaml +results: + - policy: add-image-pull-secret + rule: paas-osc-registry + resources: + - test-paas + patchedResource: paas-mutated.yaml + kind: Pod + result: pass + - policy: add-image-pull-secret + rule: paas-osc-registry + resources: + - test-paas-add + patchedResource: paas-add-mutated.yaml + kind: Pod + result: pass + - policy: add-image-pull-secret + rule: paas-osc-registry + resources: + - test-paas-skip + - test-paas-skip-no-secret + kind: Pod + result: skip diff --git a/tests/kyverno-policies/add-image-pull-secret/paas-add-mutated.yaml b/tests/kyverno-policies/add-image-pull-secret/paas-add-mutated.yaml new file mode 100644 index 00000000..f70b9f10 --- /dev/null +++ b/tests/kyverno-policies/add-image-pull-secret/paas-add-mutated.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: v1 +kind: Pod +metadata: + name: test-paas-add + namespace: paas +spec: + imagePullSecrets: + - name: osc-registry + - name: test + containers: + - name: nginx + image: nginx:latest 
diff --git a/tests/kyverno-policies/add-image-pull-secret/paas-mutated.yaml b/tests/kyverno-policies/add-image-pull-secret/paas-mutated.yaml new file mode 100644 index 00000000..a4cccb85 --- /dev/null +++ b/tests/kyverno-policies/add-image-pull-secret/paas-mutated.yaml @@ -0,0 +1,15 @@ +--- +apiVersion: v1 +kind: Pod +metadata: + name: test-paas + namespace: paas +spec: + imagePullSecrets: + - name: osc-registry + containers: + - name: nginx + image: nginx:latest + initContainers: + - name: init + image: busybox diff --git a/tests/kyverno-policies/add-image-pull-secret/resources.yaml b/tests/kyverno-policies/add-image-pull-secret/resources.yaml new file mode 100644 index 00000000..89841b7e --- /dev/null +++ b/tests/kyverno-policies/add-image-pull-secret/resources.yaml @@ -0,0 +1,45 @@ +--- +apiVersion: v1 +kind: Pod +metadata: + name: test-paas + namespace: paas +spec: + containers: + - name: nginx + image: nginx:latest + initContainers: + - name: init + image: busybox +--- +apiVersion: v1 +kind: Pod +metadata: + name: test-paas-add + namespace: paas +spec: + imagePullSecrets: + - name: test + containers: + - name: nginx + image: nginx:latest +--- +apiVersion: v1 +kind: Pod +metadata: + name: test-paas-skip-no-secret + namespace: paas +spec: + containers: + - name: nginx + image: nginx:latest +--- +apiVersion: v1 +kind: Pod +metadata: + name: test-paas-skip + namespace: user-test +spec: + containers: + - name: nginx + image: nginx:latest diff --git a/tests/kyverno-policies/add-image-pull-secret/variables.yaml b/tests/kyverno-policies/add-image-pull-secret/variables.yaml new file mode 100644 index 00000000..5e10798f --- /dev/null +++ b/tests/kyverno-policies/add-image-pull-secret/variables.yaml 
@@ -0,0 +1,25 @@ +apiVersion: cli.kyverno.io/v1alpha1 +kind: Values +metadata: + name: values +policies: +- name: add-image-pull-secret + resources: + - name: test-paas + values: + secret: osc-registry + - name: test-paas-add + values: + secret: osc-registry + - name: test-paas-skip + values: + secret: osc-registry + - name: test-paas-skip-no-secret +namespaceSelector: + - name: user-test + labels: + foo: bar + - name: paas + labels: + osc.edu/role: paas + osc.edu/service-account: test diff --git a/tests/kyverno-policies/add-ingress-class-name/kyverno-test.yaml b/tests/kyverno-policies/add-ingress-class-name/kyverno-test.yaml new file mode 100644 index 00000000..b7ceb7f0 --- /dev/null +++ b/tests/kyverno-policies/add-ingress-class-name/kyverno-test.yaml @@ -0,0 +1,21 @@ +--- +name: add-ingress-class-name +policies: + - policy.yaml +resources: + - resources.yaml +variables: variables.yaml +results: + - policy: add-ingress-class-name + rule: add-ingress-class-name + resources: + - paas/paas-pass + patchedResource: test-paas-ingress-mutated.yaml + kind: Ingress + result: pass + - policy: add-ingress-class-name + rule: add-ingress-class-name + resources: + - webservice/skip + kind: Ingress + result: skip diff --git a/tests/kyverno-policies/add-ingress-class-name/resources.yaml b/tests/kyverno-policies/add-ingress-class-name/resources.yaml new file mode 100644 index 00000000..a37ecd32 --- /dev/null +++ b/tests/kyverno-policies/add-ingress-class-name/resources.yaml @@ -0,0 +1,36 @@ +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: paas-pass + namespace: paas +spec: + rules: + - host: web.osc.edu + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: web + port: + number: 80 +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: skip + namespace: webservice +spec: + rules: + - host: foo.osc.edu + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: web + port: + number: 80 
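Review bot: Neither add-ingress-class-name fixture exercises an Ingress that already sets `spec.ingressClassName` to something other than `nginx`; the results only pin adding the field when absent (`paas/paas-pass`) and skipping a non-paas namespace. Whether a paas tenant may select another ingress controller or is always forced onto `nginx` is presumably the property this rule exists for, and both outcomes are compatible with the current fixtures. Add a constructed `paas/paas-other-class` Ingress with `ingressClassName: traefik` and pin its expected result (an unchanged patchedResource, or one rewritten to `nginx`) so a later change between anchor and overwrite semantics is detected; the policy file itself is not in this chunk.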
diff --git a/tests/kyverno-policies/add-ingress-class-name/test-paas-ingress-mutated.yaml b/tests/kyverno-policies/add-ingress-class-name/test-paas-ingress-mutated.yaml new file mode 100644 index 00000000..a2768d47 --- /dev/null +++ b/tests/kyverno-policies/add-ingress-class-name/test-paas-ingress-mutated.yaml @@ -0,0 +1,19 @@ +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: paas-pass + namespace: paas +spec: + ingressClassName: nginx + rules: + - host: web.osc.edu + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: web + port: + number: 80 diff --git a/tests/kyverno-policies/add-ingress-class-name/variables.yaml b/tests/kyverno-policies/add-ingress-class-name/variables.yaml new file mode 100644 index 00000000..70f6e450 --- /dev/null +++ b/tests/kyverno-policies/add-ingress-class-name/variables.yaml @@ -0,0 +1,9 @@ +namespaceSelector: + - name: webservice + labels: + osc.edu/role: webservice + - name: paas + labels: + osc.edu/role: paas + osc.edu/service-account: test + account: test diff --git a/tests/kyverno-policies/add-service-account/kyverno-test.yaml b/tests/kyverno-policies/add-service-account/kyverno-test.yaml index 3c1f979c..1513b438 100644 --- a/tests/kyverno-policies/add-service-account/kyverno-test.yaml +++ b/tests/kyverno-policies/add-service-account/kyverno-test.yaml @@ -32,19 +32,6 @@ results: - test-webservice-service-account-skip kind: Pod result: skip - - policy: add-service-account - rule: webservice-service-account-run-as-containers - resources: - - test-webservice-service-account-containers - kind: Pod - result: skip - - policy: add-service-account - rule: webservice-service-account-run-as-containers - resources: - - test-webservice-service-account-mariadb-containers - patchedResource: webservice-service-account-mariadb-mutated-containers.yaml - kind: Pod - result: pass - policy: add-service-account rule: paas-service-account-run-as resources: 
diff --git a/tests/kyverno-policies/add-service-account/paas-service-account-mariadb-mutated.yaml b/tests/kyverno-policies/add-service-account/paas-service-account-mariadb-mutated.yaml index ccfbc8bc..0fe7ef69 100644 --- a/tests/kyverno-policies/add-service-account/paas-service-account-mariadb-mutated.yaml +++ b/tests/kyverno-policies/add-service-account/paas-service-account-mariadb-mutated.yaml @@ -11,14 +11,29 @@ spec: - name: mariadb image: mariadb:latest securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault + privileged: false runAsUser: 1000 runAsGroup: 1001 initContainers: - name: init image: busybox securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault + privileged: false runAsUser: 1000 securityContext: + runAsNonRoot: true runAsUser: 1000 runAsGroup: 1001 fsGroup: 1001 diff --git a/tests/kyverno-policies/add-service-account/paas-service-account-mutated.yaml b/tests/kyverno-policies/add-service-account/paas-service-account-mutated.yaml index 9852d230..fa5f4150 100644 --- a/tests/kyverno-policies/add-service-account/paas-service-account-mutated.yaml +++ b/tests/kyverno-policies/add-service-account/paas-service-account-mutated.yaml @@ -8,10 +8,27 @@ spec: containers: - name: nginx image: nginx:latest + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault + privileged: false initContainers: - name: init image: busybox + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault + privileged: false securityContext: + runAsNonRoot: true runAsUser: 1000 runAsGroup: 1001 fsGroup: 1001 diff --git a/tests/kyverno-policies/add-service-account/resources.yaml b/tests/kyverno-policies/add-service-account/resources.yaml index e94dd41e..c33dfdd2 100644 
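Review bot: The hardened securityContext blocks now expected in paas-service-account-mariadb-mutated.yaml and paas-service-account-mutated.yaml (and in the two webservice-*-mutated.yaml files further down the diff) only cover inputs whose containers have no securityContext or set just runAsUser/runAsGroup; no input container explicitly sets `privileged: true`, `allowPrivilegeEscalation: true` or a `capabilities.add` list. Depending on whether the mutate rule uses plain keys or add-if-absent anchors, such a pod either has the safe values forced onto it or keeps the caller's values, and the current fixtures cannot tell the two apart. A resource that sets those fields explicitly, with its own patchedResource, would pin the intended behaviour and make the backstop role of the validation policy explicit. The Pod documents these hunks patch start before the hunk, so the full input shape is not visible here.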
--- a/tests/kyverno-policies/add-service-account/resources.yaml +++ b/tests/kyverno-policies/add-service-account/resources.yaml @@ -26,21 +26,6 @@ spec: --- apiVersion: v1 kind: Pod -metadata: - name: test-webservice-service-account-containers - namespace: webservice - labels: - osc.edu/service-account: test -spec: - containers: - - name: nginx - image: nginx:latest - initContainers: - - name: init - image: busybox ---- -apiVersion: v1 -kind: Pod metadata: name: test-webservice-service-account-skip namespace: user-test @@ -72,27 +57,6 @@ spec: --- apiVersion: v1 kind: Pod -metadata: - name: test-webservice-service-account-mariadb-containers - namespace: webservice - labels: - app.kubernetes.io/name: mariadb - osc.edu/service-account: test -spec: - containers: - - name: mariadb - image: mariadb:latest - securityContext: - runAsUser: 1001 - runAsGroup: 0 - initContainers: - - name: init - image: busybox - securityContext: - runAsUser: 65534 ---- -apiVersion: v1 -kind: Pod metadata: name: test-paas-no-service-account-skip namespace: paas-invalid diff --git a/tests/kyverno-policies/add-service-account/variables.yaml b/tests/kyverno-policies/add-service-account/variables.yaml index c5e5d261..0a3c3e96 100644 --- a/tests/kyverno-policies/add-service-account/variables.yaml +++ b/tests/kyverno-policies/add-service-account/variables.yaml @@ -6,21 +6,12 @@ policies: uidMap.data.user-test: '1000' gidMap.data.user-test: '1001' gidsMap.data.user-test: '["1001","1002"]' - - name: webservice-service-account-run-as-containers - values: - uidMap.data.user-test: '1000' - gidMap.data.user-test: '1001' - name: paas-service-account-run-as values: serviceAccount: test uidMap.data.user-test: '1000' gidMap.data.user-test: '1001' gidsMap.data.user-test: '["1001","1002"]' - - name: paas-service-account-run-as-containers - values: - serviceAccount: test - uidMap.data.user-test: '1000' - gidMap.data.user-test: '1001' namespaceSelector: - name: user-test labels: 
diff --git a/tests/kyverno-policies/add-service-account/webservice-service-account-mariadb-mutated-containers.yaml b/tests/kyverno-policies/add-service-account/webservice-service-account-mariadb-mutated-containers.yaml deleted file mode 100644 index af0a12d0..00000000 --- a/tests/kyverno-policies/add-service-account/webservice-service-account-mariadb-mutated-containers.yaml +++ /dev/null @@ -1,28 +0,0 @@ ---- -apiVersion: v1 -kind: Pod -metadata: - name: test-webservice-service-account-mariadb-containers - namespace: webservice - labels: - app.kubernetes.io/name: mariadb - osc.edu/service-account: test -spec: - containers: - - name: mariadb - image: mariadb:latest - securityContext: - runAsUser: 1000 - runAsGroup: 1001 - initContainers: - - name: init - image: busybox - securityContext: - runAsUser: 1000 - securityContext: - runAsUser: 1000 - runAsGroup: 1001 - fsGroup: 1001 - supplementalGroups: - - 1001 - - 1002 diff --git a/tests/kyverno-policies/add-service-account/webservice-service-account-mariadb-mutated.yaml b/tests/kyverno-policies/add-service-account/webservice-service-account-mariadb-mutated.yaml index 34035604..58ebf7d3 100644 --- a/tests/kyverno-policies/add-service-account/webservice-service-account-mariadb-mutated.yaml +++ b/tests/kyverno-policies/add-service-account/webservice-service-account-mariadb-mutated.yaml @@ -12,14 +12,29 @@ spec: - name: mariadb image: mariadb:latest securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault + privileged: false runAsUser: 1000 runAsGroup: 1001 initContainers: - name: init image: busybox securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault + privileged: false runAsUser: 1000 securityContext: + runAsNonRoot: true runAsUser: 1000 runAsGroup: 1001 fsGroup: 1001 
diff --git a/tests/kyverno-policies/add-service-account/webservice-service-account-mutated.yaml b/tests/kyverno-policies/add-service-account/webservice-service-account-mutated.yaml index 16da07ce..e59f8380 100644 --- a/tests/kyverno-policies/add-service-account/webservice-service-account-mutated.yaml +++ b/tests/kyverno-policies/add-service-account/webservice-service-account-mutated.yaml @@ -10,10 +10,27 @@ spec: containers: - name: nginx image: nginx:latest + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault + privileged: false initContainers: - name: init image: busybox + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault + privileged: false securityContext: + runAsNonRoot: true runAsUser: 1000 runAsGroup: 1001 fsGroup: 1001 diff --git a/tests/kyverno-policies/ingress-allowed-dns/kyverno-test.yaml b/tests/kyverno-policies/ingress-allowed-dns/kyverno-test.yaml new file mode 100644 index 00000000..65c02fc7 --- /dev/null +++ b/tests/kyverno-policies/ingress-allowed-dns/kyverno-test.yaml @@ -0,0 +1,31 @@ +--- +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: ingress-allowed-dns +policies: + - policy.yaml +resources: + - resources.yaml +variables: variables.yaml +results: + - policy: ingress-allowed-dns + rule: allowed-dns + resources: + - paas-pass + - paas-pass-external + kind: Ingress + result: pass + - policy: ingress-allowed-dns + rule: allowed-dns + resources: + - skip + kind: Ingress + result: skip + - policy: ingress-allowed-dns + rule: allowed-dns + resources: + - paas-fail + - paas-fail-dne + kind: Ingress + result: fail diff --git a/tests/kyverno-policies/ingress-allowed-dns/resources.yaml b/tests/kyverno-policies/ingress-allowed-dns/resources.yaml new file mode 100644 index 00000000..ee0d16af --- /dev/null +++ b/tests/kyverno-policies/ingress-allowed-dns/resources.yaml 
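Review bot: The ingress-allowed-dns results only exercise hostnames given in `spec.rules[].host`; no fixture sets `spec.tls[].hosts`, uses a rule without `host` (a catch-all rule), or uses a wildcard such as `*.osc.edu`. If the allowed-dns rule walks only `spec.rules[].host`, a TLS-only or host-less rule in a paas namespace would pass unchecked, so add one fixture of each shape to resources.yaml and list them under `fail` (or `pass`, where that is the intent). The policy file is not in this chunk, so whether those paths are already inspected cannot be confirmed from here.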
@@ -0,0 +1,90 @@ +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: paas-pass + namespace: paas +spec: + rules: + - host: web.osc.edu + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: web + port: + number: 80 +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: paas-pass-external + namespace: paas +spec: + rules: + - host: web.example.com + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: web + port: + number: 80 +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: paas-fail + namespace: paas +spec: + rules: + - host: foo.osc.edu + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: web + port: + number: 80 +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: paas-fail-dne + namespace: paas +spec: + rules: + - host: foo.osc.edu + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: web + port: + number: 80 + +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: skip + namespace: webservice +spec: + rules: + - host: foo.osc.edu + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: web + port: + number: 80 diff --git a/tests/kyverno-policies/ingress-allowed-dns/variables.yaml b/tests/kyverno-policies/ingress-allowed-dns/variables.yaml new file mode 100644 index 00000000..5babaa5e --- /dev/null +++ b/tests/kyverno-policies/ingress-allowed-dns/variables.yaml @@ -0,0 +1,25 @@ +apiVersion: cli.kyverno.io/v1alpha1 +kind: Values +metadata: + name: values +policies: +- name: ingress-allowed-dns + resources: + - name: paas-pass + values: + allowed: 'web.osc.edu,bar.osc.edu' + - name: paas-pass-external + values: + allowed: 'web.osc.edu,bar.osc.edu' + - name: paas-fail + values: + allowed: 'web.osc.edu' + - name: paas-fail-dne + values: + allowed: '' + - name: skip +namespaceSelector: + - name: webservice + - name: paas + labels: + osc.edu/role: paas 
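Review bot: Both failing fixtures (`paas-fail`, `paas-fail-dne`) use `foo.osc.edu`, which differs from every allowed entry in its whole leftmost label, so the matching semantics of the rule are not pinned: a host that ends in an allowed name (`evil-web.osc.edu`), one that starts with it (`web.osc.edu.example.com`, compare the passing external `web.example.com`), and a differently cased `Web.OSC.edu` would be treated alike by exact, substring and unanchored-regex matching but differ in outcome. Add one fixture of each shape with an explicit expected result in kyverno-test.yaml and a matching `allowed` entry in variables.yaml. The empty added line between `paas-fail-dne` and the following `---` is valid YAML but inconsistent with the other resource files in this commit.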
diff --git a/tests/kyverno-policies/ingress-annotations/kyverno-test.yaml b/tests/kyverno-policies/ingress-annotations/kyverno-test.yaml new file mode 100644 index 00000000..dddb7bdd --- /dev/null +++ b/tests/kyverno-policies/ingress-annotations/kyverno-test.yaml @@ -0,0 +1,30 @@ +--- +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: ingress-annotations +policies: + - policy.yaml +resources: + - resources.yaml +variables: variables.yaml +results: + - policy: ingress-annotations + rule: deny-external-dns-annotations + resources: + - paas/paas-pass + - paas/paas-pass-empty + kind: Ingress + result: pass + - policy: ingress-annotations + rule: deny-external-dns-annotations + resources: + - paas/paas-fail + kind: Ingress + result: fail + - policy: ingress-annotations + rule: deny-external-dns-annotations + resources: + - webservice/skip + kind: Ingress + result: skip diff --git a/tests/kyverno-policies/ingress-annotations/resources.yaml b/tests/kyverno-policies/ingress-annotations/resources.yaml new file mode 100644 index 00000000..667905c7 --- /dev/null +++ b/tests/kyverno-policies/ingress-annotations/resources.yaml 
@@ -0,0 +1,75 @@ +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: paas-pass + namespace: paas + annotations: + nginx.ingress.kubernetes.io/server-alias: foo.osc.edu +spec: + rules: + - host: web.osc.edu + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: web + port: + number: 80 +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: paas-pass-empty + namespace: paas +spec: + rules: + - host: web.osc.edu + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: web + port: + number: 80 +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: paas-fail + namespace: paas + annotations: + external-dns.alpha.kubernetes.io/hostname: foo.osc.edu +spec: + rules: + - host: foo.osc.edu + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: web + port: + number: 80 +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: skip + namespace: webservice +spec: + rules: + - host: foo.osc.edu + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: web + port: + number: 80 diff --git a/tests/kyverno-policies/ingress-annotations/variables.yaml b/tests/kyverno-policies/ingress-annotations/variables.yaml new file mode 100644 index 00000000..bab6c580 --- /dev/null +++ b/tests/kyverno-policies/ingress-annotations/variables.yaml @@ -0,0 +1,15 @@ +apiVersion: cli.kyverno.io/v1alpha1 +kind: Values +metadata: + name: values +policies: +- name: ingress-annotations + resources: + - name: paas-pass + - name: paas-fail + - name: skip +namespaceSelector: + - name: webservice + - name: paas + labels: + osc.edu/role: paas diff --git a/tests/kyverno-policies/namespace-account/kyverno-test.yaml b/tests/kyverno-policies/namespace-account/kyverno-test.yaml index 1a3c2475..9fe4bd74 100644 --- a/tests/kyverno-policies/namespace-account/kyverno-test.yaml +++ b/tests/kyverno-policies/namespace-account/kyverno-test.yaml 
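Review bot: `paas-pass` is expected to pass with `nginx.ingress.kubernetes.io/server-alias: foo.osc.edu`, while `foo.osc.edu` is a failing host for the same tenant namespace in the ingress-allowed-dns fixtures. The server-alias annotation makes the NGINX ingress controller serve the Ingress for additional hostnames, so unless the allowed-dns policy also inspects that annotation (neither policy file is in this chunk) the two test suites together document that the host allow-list can be sidestepped through annotations. Either extend the annotation check (or the allowed-dns rule) to cover `nginx.ingress.kubernetes.io/server-alias` and move this resource under a `fail` result, or leave a comment on the fixture recording why the alias is intentionally permitted.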
@@ -4,6 +4,7 @@ policies: - policy.yaml resources: - resources.yaml +variables: variables.yaml results: - policy: namespace-account rule: require-account @@ -23,3 +24,22 @@ results: - test-fail kind: Namespace result: fail + - policy: namespace-account + rule: valid-account + resources: + - user-test + - test-skip-op + kind: Namespace + result: skip + - policy: namespace-account + rule: valid-account + resources: + - test-pass + kind: Namespace + result: pass + - policy: namespace-account + rule: valid-account + resources: + - test-fail-account + kind: Namespace + result: fail \ No newline at end of file diff --git a/tests/kyverno-policies/namespace-account/resources.yaml b/tests/kyverno-policies/namespace-account/resources.yaml index 8818a7a1..8748c599 100644 --- a/tests/kyverno-policies/namespace-account/resources.yaml +++ b/tests/kyverno-policies/namespace-account/resources.yaml @@ -8,10 +8,19 @@ metadata: --- apiVersion: v1 kind: Namespace +metadata: + name: test-skip-op + labels: + osc.edu/role: paas + account: test +--- +apiVersion: v1 +kind: Namespace metadata: name: test-pass labels: osc.edu/role: paas + osc.edu/service-account: test account: test --- apiVersion: v1 @@ -20,3 +29,12 @@ metadata: name: test-fail labels: osc.edu/role: paas +--- +apiVersion: v1 +kind: Namespace +metadata: + name: test-fail-account + labels: + osc.edu/role: paas + osc.edu/service-account: test + account: foo diff --git a/tests/kyverno-policies/namespace-account/variables.yaml b/tests/kyverno-policies/namespace-account/variables.yaml new file mode 100644 index 00000000..efc7f30d --- /dev/null +++ b/tests/kyverno-policies/namespace-account/variables.yaml 
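Review bot: The new valid-account results pin CREATE (pass and fail) and DELETE (skip) through `request.operation`, but no fixture uses UPDATE; if the rule is scoped to CREATE, a namespace created with a valid `account` label could later be relabelled to one outside `userGroupMap` without the tests noticing. Add a constructed `test-update-account` namespace with `account: foo` to resources.yaml, give it `request.operation: UPDATE` in variables.yaml, and pin it as `fail` (or `skip`, if UPDATE is deliberately excluded). The file also now ends without a trailing newline (`\ No newline at end of file`), unlike the other test files in this commit.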
@@ -0,0 +1,19 @@ +policies: + - name: namespace-account + rules: + - name: valid-account + values: + userGroupMap.data.user-test: '["test"]' + resources: + - name: user-test + values: + request.operation: CREATE + - name: test-skip-op + values: + request.operation: DELETE + - name: test-pass + values: + request.operation: CREATE + - name: test-fail-account + values: + request.operation: CREATE diff --git a/tests/kyverno-policies/no-loadbalancers/kyverno-test.yaml b/tests/kyverno-policies/no-loadbalancers/kyverno-test.yaml deleted file mode 100644 index 06fcbd25..00000000 --- a/tests/kyverno-policies/no-loadbalancers/kyverno-test.yaml +++ /dev/null @@ -1,28 +0,0 @@ ---- -name: no-loadbalancers -policies: - - policy.yaml -resources: - - resources.yaml -results: - - policy: no-loadbalancers - rule: no-loadbalancers - resources: - - test-skip - kind: Service - namespace: ingress-nginx - result: skip - - policy: no-loadbalancers - rule: no-loadbalancers - resources: - - test-pass - kind: Service - namespace: test - result: pass - - policy: no-loadbalancers - rule: no-loadbalancers - resources: - - test-fail - kind: Service - namespace: test - result: fail diff --git a/tests/kyverno-policies/no-loadbalancers/resources.yaml b/tests/kyverno-policies/no-loadbalancers/resources.yaml deleted file mode 100644 index 5f32443a..00000000 --- a/tests/kyverno-policies/no-loadbalancers/resources.yaml +++ /dev/null 
@@ -1,50 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - labels: - app: web - name: test-skip - namespace: ingress-nginx -spec: - ports: - - name: http-port - port: 80 - protocol: TCP - targetPort: http-port - selector: - app: web - type: LoadBalancer ---- -apiVersion: v1 -kind: Service -metadata: - labels: - app: web - name: test-pass - namespace: test -spec: - ports: - - name: http-port - port: 80 - protocol: TCP - targetPort: http-port - selector: - app: web - type: ClusterIP ---- -apiVersion: v1 -kind: Service -metadata: - labels: - app: web - name: test-fail - namespace: test -spec: - ports: - - name: http-port - port: 80 - protocol: TCP - targetPort: http-port - selector: - app: web - type: LoadBalancer diff --git a/tests/kyverno-policies/pod-host-port/kyverno-test.yaml b/tests/kyverno-policies/pod-host-port/kyverno-test.yaml new file mode 100644 index 00000000..3a86e5ef --- /dev/null +++ b/tests/kyverno-policies/pod-host-port/kyverno-test.yaml @@ -0,0 +1,35 @@ +--- +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: pod-host-port +policies: + - policy.yaml +resources: + - resources.yaml +variables: variables.yaml +results: + - policy: pod-host-port + rule: no-host-port + resources: + - webservice-skip + kind: Pod + result: skip + - policy: pod-host-port + rule: no-host-port + resources: + - paas-pass + - user-pass + kind: Pod + result: pass + - policy: pod-host-port + rule: no-host-port + resources: + - paas-fail + - paas-init-fail + - paas-ephemeral-fail + - user-fail + - user-init-fail + - user-ephemeral-fail + kind: Pod + result: fail diff --git a/tests/kyverno-policies/pod-host-port/resources.yaml b/tests/kyverno-policies/pod-host-port/resources.yaml new file mode 100644 index 00000000..74d816f5 --- /dev/null +++ b/tests/kyverno-policies/pod-host-port/resources.yaml 
@@ -0,0 +1,115 @@ +apiVersion: v1 +kind: Pod +metadata: + name: webservice-skip + namespace: webservice +spec: + containers: + - name: nginx + image: nginx:1.12 + ports: + hostPort: 123 +--- +apiVersion: v1 +kind: Pod +metadata: + name: paas-pass + namespace: paas +spec: + containers: + - name: nginx + image: nginx:1.12 +--- +apiVersion: v1 +kind: Pod +metadata: + name: user-pass + namespace: user-test +spec: + containers: + - name: nginx + image: nginx:1.12 +--- +apiVersion: v1 +kind: Pod +metadata: + name: paas-fail + namespace: paas +spec: + containers: + - name: nginx + image: nginx:1.12 + ports: + hostPort: 123 +--- +apiVersion: v1 +kind: Pod +metadata: + name: paas-init-fail + namespace: paas +spec: + containers: + - name: nginx + image: nginx:1.12 + initContainers: + - name: init + image: foo:123 + ports: + hostPort: 123 +--- +apiVersion: v1 +kind: Pod +metadata: + name: paas-ephemeral-fail + namespace: paas +spec: + containers: + - name: nginx + image: nginx:1.12 + ephemeralContainers: + - name: init + image: foo:123 + ports: + hostPort: 123 +--- +apiVersion: v1 +kind: Pod +metadata: + name: user-fail + namespace: user-test +spec: + containers: + - name: nginx + image: nginx:1.12 + ports: + hostPort: 123 +--- +apiVersion: v1 +kind: Pod +metadata: + name: user-init-fail + namespace: user-test +spec: + containers: + - name: nginx + image: nginx:1.12 + initContainers: + - name: init + image: foo:123 + ports: + hostPort: 123 +--- +apiVersion: v1 +kind: Pod +metadata: + name: user-ephemeral-fail + namespace: user-test +spec: + containers: + - name: nginx + image: nginx:1.12 + ephemeralContainers: + - name: init + image: foo:123 + ports: + hostPort: 123 diff --git a/tests/kyverno-policies/pod-host-port/variables.yaml b/tests/kyverno-policies/pod-host-port/variables.yaml new file mode 100644 index 00000000..c2521ba8 --- /dev/null +++ b/tests/kyverno-policies/pod-host-port/variables.yaml 
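Review bot: In every fail fixture here `ports:` is written as a mapping (`ports:` followed directly by `hostPort: 123`), but `containers[].ports`, `initContainers[].ports` and `ephemeralContainers[].ports` are lists of ContainerPort, so as collapsed here these pods are not shaped like anything the API server would admit. The kyverno CLI does not schema-validate fixtures, so the suite can pass against a shape the policy will never see in a real admission request while the real shape stays untested; change each occurrence to a list item, `ports:` / `- containerPort: 80` / `  hostPort: 123`. If the flattening of this diff dropped a leading `-`, disregard, though the same fixtures keep their `- name:` list markers intact.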
@@ -0,0 +1,12 @@ +apiVersion: cli.kyverno.io/v1alpha1 +kind: Values +metadata: + name: values +namespaceSelector: + - name: user-test + - name: webservice + labels: + osc.edu/role: webservice + - name: paas + labels: + osc.edu/role: paas diff --git a/tests/kyverno-policies/pod-service-account-validation/kyverno-test.yaml b/tests/kyverno-policies/pod-service-account-validation/kyverno-test.yaml index a120bb30..17204a8e 100644 --- a/tests/kyverno-policies/pod-service-account-validation/kyverno-test.yaml +++ b/tests/kyverno-policies/pod-service-account-validation/kyverno-test.yaml @@ -53,6 +53,7 @@ results: - policy: pod-service-account-validation rule: webservice-require-valid-service-account resources: + - pods-require-valid-service-account-runasnonroot-fail - pods-require-valid-service-account-uid-fail - pods-require-valid-service-account-uid-container-fail - pods-require-valid-service-account-uid-init-fail @@ -119,6 +120,7 @@ results: - policy: pod-service-account-validation rule: paas-require-valid-service-account resources: + - paas-pods-require-valid-service-account-runasnonroot-fail - paas-pods-require-valid-service-account-uid-fail - paas-pods-require-valid-service-account-uid-container-fail - paas-pods-require-valid-service-account-uid-init-fail diff --git a/tests/kyverno-policies/pod-service-account-validation/resources.yaml b/tests/kyverno-policies/pod-service-account-validation/resources.yaml index fe68ea8d..2940730a 100644 --- a/tests/kyverno-policies/pod-service-account-validation/resources.yaml +++ b/tests/kyverno-policies/pod-service-account-validation/resources.yaml @@ -88,7 +88,11 @@ metadata: osc.edu/service-account: test spec: securityContext: + runAsUser: 1000 + runAsGroup: 1001 + fsGroup: 1001 supplementalGroups: [] + runAsNonRoot: true containers: - name: nginx image: nginx:1.12 
@@ -105,7 +109,11 @@ metadata: osc.edu/service-account: test spec: securityContext: + runAsUser: 1000 + runAsGroup: 1001 + fsGroup: 1001 supplementalGroups: [] + runAsNonRoot: true containers: - name: nginx image: nginx:1.12 @@ -121,6 +129,23 @@ spec: --- apiVersion: v1 kind: Pod +metadata: + name: pods-require-valid-service-account-runasnonroot-fail + namespace: webservice + labels: + osc.edu/service-account: test +spec: + securityContext: + runAsUser: 1000 + runAsGroup: 1001 + fsGroup: 1001 + supplementalGroups: [] + containers: + - name: nginx + image: nginx:1.12 +--- +apiVersion: v1 +kind: Pod metadata: name: pods-require-valid-service-account-uid-fail namespace: webservice @@ -362,7 +387,11 @@ metadata: namespace: paas spec: securityContext: + runAsUser: 1000 + runAsGroup: 1001 + fsGroup: 1001 supplementalGroups: [] + runAsNonRoot: true containers: - name: nginx image: nginx:1.12 @@ -377,7 +406,11 @@ metadata: namespace: paas spec: securityContext: + runAsUser: 1000 + runAsGroup: 1001 + fsGroup: 1001 supplementalGroups: [] + runAsNonRoot: true containers: - name: nginx image: nginx:1.12 @@ -393,6 +426,21 @@ spec: --- apiVersion: v1 kind: Pod +metadata: + name: paas-pods-require-valid-service-account-runasnonroot-fail + namespace: paas +spec: + securityContext: + runAsUser: 1000 + runAsGroup: 1001 + fsGroup: 1001 + supplementalGroups: [] + containers: + - name: nginx + image: nginx:1.12 +--- +apiVersion: v1 +kind: Pod metadata: name: paas-pods-require-valid-service-account-uid-fail namespace: paas diff --git a/tests/kyverno-policies/service-types/kyverno-test.yaml b/tests/kyverno-policies/service-types/kyverno-test.yaml new file mode 100644 index 00000000..7a126c87 --- /dev/null +++ b/tests/kyverno-policies/service-types/kyverno-test.yaml 
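Review bot: The new `*-runasnonroot-fail` pods only cover `runAsNonRoot` being absent from the pod-level securityContext; there is no fixture with an explicit `runAsNonRoot: false`, and none where the pod sets `runAsNonRoot: true` while a container's own securityContext sets it back to `false`. Container-level securityContext fields override the pod-level ones, so a check that looks only at `spec.securityContext` would pass that pod; add the fixture below to the webservice section, a `paas-` counterpart to the paas section, and list both under the corresponding `fail` results in kyverno-test.yaml. Whether the validation rule already descends into containers cannot be confirmed from this chunk, which is exactly why the fixture is worth having.
```yaml
# … unchanged: preceding fixtures …
---
apiVersion: v1
kind: Pod
metadata:
  name: pods-require-valid-service-account-runasnonroot-container-fail
  namespace: webservice
  labels:
    osc.edu/service-account: test
spec:
  securityContext:
    runAsUser: 1000
    runAsGroup: 1001
    fsGroup: 1001
    supplementalGroups: []
    runAsNonRoot: true
  containers:
  - name: nginx
    image: nginx:1.12
    securityContext:
      runAsNonRoot: false
```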
@@ -0,0 +1,65 @@ +--- +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: service-types +policies: + - policy.yaml +resources: + - resources.yaml +variables: variables.yaml +results: + - policy: service-types + rule: no-load-balancer + resources: + - ingress-nginx/load-balancer-skip + kind: Service + result: skip + - policy: service-types + rule: no-load-balancer + resources: + - test/load-balancer-pass + kind: Service + result: pass + - policy: service-types + rule: no-load-balancer + resources: + - test/load-balancer-fail + kind: Service + result: fail + - policy: service-types + rule: no-external-name + resources: + - webservice/external-name-skip + kind: Service + result: skip + - policy: service-types + rule: no-external-name + resources: + - paas/external-name-pass + kind: Service + result: pass + - policy: service-types + rule: no-external-name + resources: + - paas/external-name-fail + kind: Service + result: fail + - policy: service-types + rule: no-node-port + resources: + - webservice/node-port-skip + kind: Service + result: skip + - policy: service-types + rule: no-node-port + resources: + - paas/node-port-pass + kind: Service + result: pass + - policy: service-types + rule: no-node-port + resources: + - paas/node-port-fail + kind: Service + result: fail diff --git a/tests/kyverno-policies/service-types/resources.yaml b/tests/kyverno-policies/service-types/resources.yaml new file mode 100644 index 00000000..421738d5 --- /dev/null +++ b/tests/kyverno-policies/service-types/resources.yaml 
@@ -0,0 +1,134 @@ +apiVersion: v1 +kind: Service +metadata: + name: load-balancer-skip + namespace: ingress-nginx +spec: + ports: + - name: http-port + port: 80 + protocol: TCP + targetPort: http-port + selector: + app: web + type: LoadBalancer +--- +apiVersion: v1 +kind: Service +metadata: + name: load-balancer-pass + namespace: test +spec: + ports: + - name: http-port + port: 80 + protocol: TCP + targetPort: http-port + selector: + app: web + type: ClusterIP +--- +apiVersion: v1 +kind: Service +metadata: + name: load-balancer-fail + namespace: test +spec: + ports: + - name: http-port + port: 80 + protocol: TCP + targetPort: http-port + selector: + app: web + type: LoadBalancer +--- +apiVersion: v1 +kind: Service +metadata: + name: external-name-skip + namespace: webservice +spec: + ports: + - name: http-port + port: 80 + protocol: TCP + targetPort: http-port + selector: + app: web + type: ExternalName +--- +apiVersion: v1 +kind: Service +metadata: + name: external-name-pass + namespace: paas +spec: + ports: + - name: http-port + port: 80 + protocol: TCP + targetPort: http-port + selector: + app: web + type: ClusterIP +--- +apiVersion: v1 +kind: Service +metadata: + name: external-name-fail + namespace: paas +spec: + ports: + - name: http-port + port: 80 + protocol: TCP + targetPort: http-port + selector: + app: web + type: ExternalName +--- +apiVersion: v1 +kind: Service +metadata: + name: node-port-skip + namespace: webservice +spec: + ports: + - name: http-port + port: 80 + protocol: TCP + targetPort: http-port + selector: + app: web + type: NodePort +--- +apiVersion: v1 +kind: Service +metadata: + name: node-port-pass + namespace: paas +spec: + ports: + - name: http-port + port: 80 + protocol: TCP + targetPort: http-port + selector: + app: web + type: ClusterIP +--- +apiVersion: v1 +kind: Service +metadata: + name: node-port-fail + namespace: paas +spec: + ports: + - name: http-port + port: 80 + protocol: TCP + targetPort: http-port + selector: + app: web + 
type: NodePort diff --git a/tests/kyverno-policies/service-types/variables.yaml b/tests/kyverno-policies/service-types/variables.yaml new file mode 100644 index 00000000..190332cd --- /dev/null +++ b/tests/kyverno-policies/service-types/variables.yaml @@ -0,0 +1,11 @@ +apiVersion: cli.kyverno.io/v1alpha1 +kind: Values +metadata: + name: values +namespaceSelector: + - name: webservice + labels: + osc.edu/role: webservice + - name: paas + labels: + osc.edu/role: paas
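Review bot: All three pass fixtures set `type: ClusterIP` explicitly, so a Service that omits `type` (which the API defaults to ClusterIP) is never evaluated; if any of the three rules uses a pattern that requires `type` to be present, such a Service in `paas` would be rejected or skipped rather than passed. Add a `paas/default-type-pass` Service with no `type` field and list it under each rule's `pass` result. The `external-name-*` fixtures also carry `selector`/`ports` and no `externalName:` value, which is fine for a rule that reads only `spec.type` but is not the shape a real ExternalName Service has; the rule file is not in this chunk.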