From d4fe5b96aa5f29f6a08957bcf4da6fdb201c2b6f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Charles-Edouard=20Br=C3=A9t=C3=A9ch=C3=A9?=
Date: Mon, 6 Jan 2025 22:36:17 +0100
Subject: [PATCH] chore: add match conditions with variable chainsaw test
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Charles-Edouard Brétéché
---
 .../match-conditions/chainsaw-test.yaml | 32 +++++++++++++
 .../match-conditions/istio-policy.yaml | 14 ++++++
 .../authz-server/match-conditions/policy.yaml | 18 +++++++
 .../authz-server/match-conditions/shell.yaml | 48 +++++++++++++++++++
 4 files changed, 112 insertions(+)
 create mode 100644 tests/e2e/authz-server/match-conditions/chainsaw-test.yaml
 create mode 100644 tests/e2e/authz-server/match-conditions/istio-policy.yaml
 create mode 100644 tests/e2e/authz-server/match-conditions/policy.yaml
 create mode 100644 tests/e2e/authz-server/match-conditions/shell.yaml

diff --git a/tests/e2e/authz-server/match-conditions/chainsaw-test.yaml b/tests/e2e/authz-server/match-conditions/chainsaw-test.yaml
new file mode 100644
index 0000000..bc0026a
--- /dev/null
+++ b/tests/e2e/authz-server/match-conditions/chainsaw-test.yaml
@@ -0,0 +1,32 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ name: deny
+spec:
+ namespace: app
+ steps:
+ - try:
+ - create:
+ file: ./istio-policy.yaml
+ - create:
+ file: ./policy.yaml
+ - create:
+ file: ./shell.yaml
+ - wait:
+ apiVersion: v1
+ kind: Pod
+ timeout: 1m
+ for:
+ condition:
+ name: Ready
+ value: 'true'
+ - script:
+ content: >
+ kubectl exec -n $NAMESPACE deploy/curl -- curl -s -w "\nhttp_code=%{http_code}" httpbin:8000/get -H "x-force-authorized: true"
+ check:
+ ($stdout): |-
+ Unauthorized Request
+ http_code=403
+ finally:
+ - sleep:
+ duration: 10s
\ No newline at end of file
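Review bot: The curl call in the `script` step has no request timeout, so if the sidecar never gets an ext_authz answer the step blocks until chainsaw's step timeout instead of failing fast with a clear error; `curl -s --max-time 10 -w "\nhttp_code=%{http_code}" httpbin:8000/get -H "x-force-authorized: true"` makes the failure mode explicit. The `finally: sleep 10s` is unexplained; a one-line comment above it stating what it waits for before cleanup (presumably for the deployment or mesh config to settle — confirm) would save the next reader a guess. Note also that the policy created here binds `foo` to the constant `true`, so the `x-force-authorized` header sent by the request has no influence on the 403 being asserted.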
diff --git a/tests/e2e/authz-server/match-conditions/istio-policy.yaml b/tests/e2e/authz-server/match-conditions/istio-policy.yaml
new file mode 100644
index 0000000..e8dadd0
--- /dev/null
+++ b/tests/e2e/authz-server/match-conditions/istio-policy.yaml
@@ -0,0 +1,14 @@
+apiVersion: security.istio.io/v1
+kind: AuthorizationPolicy
+metadata:
+ name: policy
+ namespace: istio-system
+spec:
+ selector:
+ matchLabels:
+ ext-authz: enabled
+ action: CUSTOM
+ provider:
+ name: kyverno-authz-server
+ rules:
+ - {}
diff --git a/tests/e2e/authz-server/match-conditions/policy.yaml b/tests/e2e/authz-server/match-conditions/policy.yaml
new file mode 100644
index 0000000..fb8e030
--- /dev/null
+++ b/tests/e2e/authz-server/match-conditions/policy.yaml
@@ -0,0 +1,18 @@
+# yaml-language-server: $schema=../../../../.schemas/json/authorizationpolicy-envoy-v1alpha1.json
+apiVersion: envoy.kyverno.io/v1alpha1
+kind: AuthorizationPolicy
+metadata:
+ name: policy
+spec:
+ variables:
+ - name: foo
+ expression: >
+ true
+ deny:
+ - match: >
+ variables.foo
+ response: >
+ envoy
+ .Denied(403)
+ .WithBody("Unauthorized Request")
+ .Response()
diff --git a/tests/e2e/authz-server/match-conditions/shell.yaml b/tests/e2e/authz-server/match-conditions/shell.yaml
new file mode 100644
index 0000000..febda25
--- /dev/null
+++ b/tests/e2e/authz-server/match-conditions/shell.yaml
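Review bot: The Istio AuthorizationPolicy is created with the fixed name `policy` in the shared `istio-system` namespace rather than in the test's own namespace, so any other e2e test that creates the same object would collide with this one if the suite ever runs tests concurrently, and one test's cleanup could delete the other's policy mid-run; this is inferred from the naming, so either confirm the suite is strictly serial or give the object a test-specific name such as `name: match-conditions-policy`. The empty rule under `rules:` also deserves a word, since `- {}` is easy to misread as "no rules": `# a single empty rule matches every request, routing all traffic to the external authorizer`.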
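Review bot: The variable `foo` is bound to the literal `true`, so `match: variables.foo` denies unconditionally and the test cannot tell a match condition that reads the variable from one that is simply always true. Binding the variable to request state the test already controls would make the assertion meaningful, for example deriving it from the `x-force-authorized` header the chainsaw step sends (the exact accessor depends on the ext_authz CheckRequest shape exposed as `object` — confirm against the other e2e policies), and a companion request without the header expecting 200. At minimum a comment above `variables:` such as `# constant on purpose: only checks that deny.match can reference a variable` would record that the constant is deliberate.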
@@ -0,0 +1,48 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: curl
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: curl
+ labels:
+ app: curl
+ service: curl
+spec:
+ ports:
+ - port: 80
+ name: http
+ selector:
+ app: curl
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: curl
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: curl
+ template:
+ metadata:
+ labels:
+ app: curl
+ spec:
+ terminationGracePeriodSeconds: 0
+ serviceAccountName: curl
+ containers:
+ - name: curl
+ image: curlimages/curl
+ command: ["/bin/sleep", "infinity"]
+ imagePullPolicy: IfNotPresent
+ volumeMounts:
+ - mountPath: /etc/curl/tls
+ name: secret-volume
+ volumes:
+ - name: secret-volume
+ secret:
+ secretName: curl-secret
+ optional: true
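Review bot: The Deployment pulls `curlimages/curl` with no tag or digest, so the test image floats to whatever `latest` resolves to on the day the suite runs (and, with `imagePullPolicy: IfNotPresent`, to whatever is already cached on the node), which makes the e2e run non-reproducible and pulls an unpinned upstream image into CI; pin it as `image: curlimages/curl:<pinned-tag>` or a `@sha256:` digest, matching whatever the other e2e shells in this tree use. The `secret-volume` mount of `curl-secret` is marked `optional: true` and nothing in this test creates that secret, so a short comment on the volume, e.g. `# optional TLS material; absent in this test`, would tell a reader the empty mount is expected rather than a missing fixture.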