forked from kyverno/kyverno
feat: add chainsaw tests for pod security in exceptions (kyverno#9667)
Signed-off-by: Mariam Fahmy <[email protected]>
1 parent ba01f95, commit ace5b59
Showing 117 changed files with 2,594 additions and 0 deletions.
12 changes: 12 additions & 0 deletions
test/conformance/chainsaw/exceptions/exclude-hostpath-volume/README.md
@@ -0,0 +1,12 @@ | ||
## Description | ||
|
||
This test creates a policy that enforces the baseline profile and a policy exception that exempts any pod whose namespace is `staging-ns` and make use of the HostPath volume. | ||
|
||
## Steps | ||
|
||
1. - Create a cluster policy | ||
- Assert the policy becomes ready | ||
1. - Create a policy exception for the cluster policy created above. | ||
1. - Try to create a pod named `good-pod-1` in the `default` namespace and doesn't use the HostPath volume, expecting the creation to succeed. | ||
- Try to create a pod named `good-pod-2` in the `staging-ns` namespace that uses the HostPath volume, expecting the creation to succeed. | ||
- Try to create a pod named `bad-pod` in the `default` namespace that makes use of the HostPath volume, expecting the creation to fail. |
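Review bot: the Steps list omits the namespace-creation step that chainsaw-test.yaml runs as step-02 (applying ns.yaml to create `policy-exception-ns` and `staging-ns`), so a reader following the README alone would apply exception.yaml into a namespace that does not exist; add a step between the policy and the exception. Two grammar slips in the same hunk: "whose namespace is `staging-ns` and make use of" should read "and makes use of", and "in the `default` namespace and doesn't use the HostPath volume" should read "that doesn't use the HostPath volume".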
35 changes: 35 additions & 0 deletions
test/conformance/chainsaw/exceptions/exclude-hostpath-volume/chainsaw-test.yaml
@@ -0,0 +1,35 @@ | ||
apiVersion: chainsaw.kyverno.io/v1alpha1 | ||
kind: Test | ||
metadata: | ||
creationTimestamp: null | ||
name: exclude-hostpath-volume | ||
spec: | ||
steps: | ||
- name: step-01 | ||
try: | ||
- apply: | ||
file: policy.yaml | ||
- assert: | ||
file: policy-assert.yaml | ||
- name: step-02 | ||
try: | ||
- apply: | ||
file: ns.yaml | ||
- assert: | ||
file: ns.yaml | ||
- name: step-03 | ||
try: | ||
- apply: | ||
file: exception.yaml | ||
- name: step-04 | ||
try: | ||
- apply: | ||
file: pod-allowed-1.yaml | ||
- apply: | ||
file: pod-allowed-2.yaml | ||
- apply: | ||
expect: | ||
- check: | ||
($error != null): true | ||
file: pod-rejected.yaml | ||
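Review bot: step-03 applies exception.yaml with no assert and step-04 immediately creates the pods, so the test depends on Kyverno having observed the new PolicyException before the first admission request arrives; if this proves flaky, add an `assert` on the PolicyException (as step-01 does for the policy) or a short `sleep` before step-04 to narrow that window. Also `creationTimestamp: null` under `metadata` is scaffolding output and can be dropped.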
20 changes: 20 additions & 0 deletions
test/conformance/chainsaw/exceptions/exclude-hostpath-volume/exception.yaml
@@ -0,0 +1,20 @@ | ||
apiVersion: kyverno.io/v2beta1 | ||
kind: PolicyException | ||
metadata: | ||
name: pod-security-exception | ||
namespace: policy-exception-ns | ||
spec: | ||
exceptions: | ||
- policyName: psa | ||
ruleNames: | ||
- baseline | ||
match: | ||
any: | ||
- resources: | ||
namespaces: | ||
- staging-ns | ||
podSecurity: | ||
- controlName: "HostPath Volumes" | ||
restrictedField: "spec.volumes[*].hostPath" | ||
values: | ||
- "path" |
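Review bot: with `restrictedField: "spec.volumes[*].hostPath"` and `values: ["path"]` the exception lifts the HostPath Volumes control for every pod in `staging-ns` regardless of which host directory is mounted (the test pod uses `/var/lib1`, but nothing here pins it). If that breadth is intended for the test, say so in the README; an operator copying this exception into a real cluster would be exempting all hostPath mounts in the namespace, which amounts to host filesystem access for anything able to create a pod there.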
9 changes: 9 additions & 0 deletions
test/conformance/chainsaw/exceptions/exclude-hostpath-volume/ns.yaml
@@ -0,0 +1,9 @@ | ||
apiVersion: v1 | ||
kind: Namespace | ||
metadata: | ||
name: policy-exception-ns | ||
--- | ||
apiVersion: v1 | ||
kind: Namespace | ||
metadata: | ||
name: staging-ns |
12 changes: 12 additions & 0 deletions
test/conformance/chainsaw/exceptions/exclude-hostpath-volume/pod-allowed-1.yaml
@@ -0,0 +1,12 @@ | ||
apiVersion: v1 | ||
kind: Pod | ||
metadata: | ||
name: good-pod-1 | ||
namespace: default | ||
spec: | ||
containers: | ||
- name: nginx | ||
image: nginx | ||
args: | ||
- sleep | ||
- 1d |
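Review bot: `image: nginx` carries no tag, so it resolves to `latest` at pull time; the test only exercises admission, so the image content is not what is under test, but pinning a tag or digest here (and in the sibling pod manifests, which use the same untagged reference) keeps the fixtures reproducible if the pods are ever actually scheduled.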
16 changes: 16 additions & 0 deletions
test/conformance/chainsaw/exceptions/exclude-hostpath-volume/pod-allowed-2.yaml
@@ -0,0 +1,16 @@ | ||
apiVersion: v1 | ||
kind: Pod | ||
metadata: | ||
name: good-pod-2 | ||
namespace: staging-ns | ||
spec: | ||
volumes: | ||
- name: host | ||
hostPath: | ||
path: /var/lib1 | ||
containers: | ||
- name: nginx | ||
image: nginx | ||
args: | ||
- sleep | ||
- 1d |
16 changes: 16 additions & 0 deletions
test/conformance/chainsaw/exceptions/exclude-hostpath-volume/pod-rejected.yaml
@@ -0,0 +1,16 @@ | ||
apiVersion: v1 | ||
kind: Pod | ||
metadata: | ||
name: bad-pod | ||
namespace: default | ||
spec: | ||
volumes: | ||
- name: host | ||
hostPath: | ||
path: /var/lib1 | ||
containers: | ||
- name: nginx | ||
image: nginx | ||
args: | ||
- sleep | ||
- 1d |
9 changes: 9 additions & 0 deletions
test/conformance/chainsaw/exceptions/exclude-hostpath-volume/policy-assert.yaml
@@ -0,0 +1,9 @@ | ||
apiVersion: kyverno.io/v1 | ||
kind: ClusterPolicy | ||
metadata: | ||
name: psa | ||
status: | ||
conditions: | ||
- reason: Succeeded | ||
status: "True" | ||
type: Ready |
18 changes: 18 additions & 0 deletions
test/conformance/chainsaw/exceptions/exclude-hostpath-volume/policy.yaml
@@ -0,0 +1,18 @@ | ||
apiVersion: kyverno.io/v1 | ||
kind: ClusterPolicy | ||
metadata: | ||
name: psa | ||
spec: | ||
background: true | ||
validationFailureAction: Enforce | ||
rules: | ||
- name: baseline | ||
match: | ||
any: | ||
- resources: | ||
kinds: | ||
- Pod | ||
validate: | ||
podSecurity: | ||
level: baseline | ||
version: latest |
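Review bot: `version: latest` ties the baseline checks to whatever Pod Security Standards version the Kyverno build under test treats as latest, so the set of controls enforced can shift between Kyverno releases; for a conformance test that is a defensible choice, but pinning a specific PSS version would make the expected rejections reproducible across releases.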
13 changes: 13 additions & 0 deletions
test/conformance/chainsaw/exceptions/exclude-privilege-escalation/README.md
@@ -0,0 +1,13 @@ | ||
## Description | ||
|
||
This test creates a policy that enforces the restricted profile and a policy exception that exempts any pod whose image is `nginx` in the `staging-ns` namespace and sets the `allowPrivilegeEscalation` field. | ||
|
||
## Steps | ||
|
||
1. - Create a cluster policy | ||
- Assert the policy becomes ready | ||
1. - Create a policy exception for the cluster policy created above. | ||
1. - Try to create a pod named `good-pod-1` with `allowPrivilegeEscalation` set to `false` in the `default` namespace, expecting the creation to succeed. | ||
- Try to create a pod named `good-pod-2` whose image is `nginx` in the `staging-ns` namespace and the `allowPrivilegeEscalation` is set to `true`, expecting the creation to succeed. | ||
- Try to create a pod named `bad-pod-1` whose image is `busybox` in the `staging-ns` namespace and the `allowPrivilegeEscalation` is set to `true`, expecting the creation to fail. | ||
- Try to create a pod named `bad-pod-2` whose image is `nginx` in the `default` namespace and the `allowPrivilegeEscalation` is set to `true`, expecting the creation to fail. |
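Review bot: the Description says the exception exempts pods that set "the `allowPrivilegeEscalation` field", but exception.yaml only exempts the value `true` (a pod setting it to `false` complies anyway), so say "set `allowPrivilegeEscalation` to `true`". The Steps again omit the ns.yaml step that chainsaw-test.yaml runs as step-02, and the three "and the `allowPrivilegeEscalation` is set to `true`" clauses read better as "with `allowPrivilegeEscalation` set to `true`", matching the `good-pod-1` item.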
39 changes: 39 additions & 0 deletions
test/conformance/chainsaw/exceptions/exclude-privilege-escalation/chainsaw-test.yaml
@@ -0,0 +1,39 @@ | ||
apiVersion: chainsaw.kyverno.io/v1alpha1 | ||
kind: Test | ||
metadata: | ||
creationTimestamp: null | ||
name: exclude-privilege-escalation | ||
spec: | ||
steps: | ||
- name: step-01 | ||
try: | ||
- apply: | ||
file: policy.yaml | ||
- assert: | ||
file: policy-assert.yaml | ||
- name: step-02 | ||
try: | ||
- apply: | ||
file: ns.yaml | ||
- assert: | ||
file: ns.yaml | ||
- name: step-03 | ||
try: | ||
- apply: | ||
file: exception.yaml | ||
- name: step-04 | ||
try: | ||
- apply: | ||
file: pod-allowed-1.yaml | ||
- apply: | ||
file: pod-allowed-2.yaml | ||
- apply: | ||
expect: | ||
- check: | ||
($error != null): true | ||
file: pod-rejected-1.yaml | ||
- apply: | ||
expect: | ||
- check: | ||
($error != null): true | ||
file: pod-rejected-2.yaml |
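Review bot: the two negative checks `($error != null): true` only confirm that the apply failed, not that the pod was rejected by the `psa` policy; a pod refused for an unrelated reason (namespace missing, webhook unavailable) would also pass. Tighten them with a check on the message, e.g. `(contains($error, 'psa')): true`, so the test fails if the rejection comes from somewhere else.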
28 changes: 28 additions & 0 deletions
test/conformance/chainsaw/exceptions/exclude-privilege-escalation/exception.yaml
@@ -0,0 +1,28 @@ | ||
apiVersion: kyverno.io/v2beta1 | ||
kind: PolicyException | ||
metadata: | ||
name: pod-security-exception | ||
namespace: policy-exception-ns | ||
spec: | ||
exceptions: | ||
- policyName: psa | ||
ruleNames: | ||
- restricted | ||
match: | ||
any: | ||
- resources: | ||
namespaces: | ||
- staging-ns | ||
podSecurity: | ||
- controlName: "Privilege Escalation" | ||
images: | ||
- nginx | ||
restrictedField: "spec.containers[*].securityContext.allowPrivilegeEscalation" | ||
values: | ||
- "true" | ||
- controlName: "Privilege Escalation" | ||
images: | ||
- nginx | ||
restrictedField: "spec.initContainers[*].securityContext.allowPrivilegeEscalation" | ||
values: | ||
- "true" |
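Review bot: the two `podSecurity` entries cover `spec.containers[*]` and `spec.initContainers[*]` but not `spec.ephemeralContainers[*]`, which the restricted profile's Privilege Escalation control also checks; an `nginx` ephemeral container with `allowPrivilegeEscalation: true` in `staging-ns` would therefore still be rejected. That is the safer default, but it deserves a sentence in the README, since the Description reads as if any `nginx` pod in the namespace is exempt.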
9 changes: 9 additions & 0 deletions
test/conformance/chainsaw/exceptions/exclude-privilege-escalation/ns.yaml
@@ -0,0 +1,9 @@ | ||
apiVersion: v1 | ||
kind: Namespace | ||
metadata: | ||
name: policy-exception-ns | ||
--- | ||
apiVersion: v1 | ||
kind: Namespace | ||
metadata: | ||
name: staging-ns |
34 changes: 34 additions & 0 deletions
test/conformance/chainsaw/exceptions/exclude-privilege-escalation/pod-allowed-1.yaml
@@ -0,0 +1,34 @@ | ||
apiVersion: v1 | ||
kind: Pod | ||
metadata: | ||
name: good-pod-1 | ||
namespace: default | ||
spec: | ||
containers: | ||
- name: nginx1 | ||
image: nginx | ||
args: | ||
- sleep | ||
- 1d | ||
securityContext: | ||
seccompProfile: | ||
type: RuntimeDefault | ||
runAsNonRoot: true | ||
allowPrivilegeEscalation: false | ||
capabilities: | ||
drop: | ||
- ALL | ||
initContainers: | ||
- name: nginx2 | ||
image: nginx | ||
args: | ||
- sleep | ||
- 1d | ||
securityContext: | ||
seccompProfile: | ||
type: RuntimeDefault | ||
runAsNonRoot: true | ||
allowPrivilegeEscalation: false | ||
capabilities: | ||
drop: | ||
- ALL |
34 changes: 34 additions & 0 deletions
test/conformance/chainsaw/exceptions/exclude-privilege-escalation/pod-allowed-2.yaml
@@ -0,0 +1,34 @@ | ||
apiVersion: v1 | ||
kind: Pod | ||
metadata: | ||
name: good-pod-2 | ||
namespace: staging-ns | ||
spec: | ||
containers: | ||
- name: nginx1 | ||
image: nginx | ||
args: | ||
- sleep | ||
- 1d | ||
securityContext: | ||
seccompProfile: | ||
type: RuntimeDefault | ||
runAsNonRoot: true | ||
allowPrivilegeEscalation: true | ||
capabilities: | ||
drop: | ||
- ALL | ||
initContainers: | ||
- name: nginx2 | ||
image: nginx | ||
args: | ||
- sleep | ||
- 1d | ||
securityContext: | ||
seccompProfile: | ||
type: RuntimeDefault | ||
runAsNonRoot: true | ||
allowPrivilegeEscalation: true | ||
capabilities: | ||
drop: | ||
- ALL |
34 changes: 34 additions & 0 deletions
test/conformance/chainsaw/exceptions/exclude-privilege-escalation/pod-rejected-1.yaml
@@ -0,0 +1,34 @@ | ||
apiVersion: v1 | ||
kind: Pod | ||
metadata: | ||
name: bad-pod-1 | ||
namespace: staging-ns | ||
spec: | ||
containers: | ||
- name: busybox1 | ||
image: busybox | ||
args: | ||
- sleep | ||
- 1d | ||
securityContext: | ||
seccompProfile: | ||
type: RuntimeDefault | ||
runAsNonRoot: true | ||
allowPrivilegeEscalation: true | ||
capabilities: | ||
drop: | ||
- ALL | ||
initContainers: | ||
- name: busybox2 | ||
image: busybox | ||
args: | ||
- sleep | ||
- 1d | ||
securityContext: | ||
seccompProfile: | ||
type: RuntimeDefault | ||
runAsNonRoot: true | ||
allowPrivilegeEscalation: true | ||
capabilities: | ||
drop: | ||
- ALL |
34 changes: 34 additions & 0 deletions
test/conformance/chainsaw/exceptions/exclude-privilege-escalation/pod-rejected-2.yaml
@@ -0,0 +1,34 @@ | ||
apiVersion: v1 | ||
kind: Pod | ||
metadata: | ||
name: bad-pod-2 | ||
namespace: default | ||
spec: | ||
containers: | ||
- name: nginx1 | ||
image: nginx | ||
args: | ||
- sleep | ||
- 1d | ||
securityContext: | ||
seccompProfile: | ||
type: RuntimeDefault | ||
runAsNonRoot: true | ||
allowPrivilegeEscalation: true | ||
capabilities: | ||
drop: | ||
- ALL | ||
initContainers: | ||
- name: nginx2 | ||
image: nginx | ||
args: | ||
- sleep | ||
- 1d | ||
securityContext: | ||
seccompProfile: | ||
type: RuntimeDefault | ||
runAsNonRoot: true | ||
allowPrivilegeEscalation: true | ||
capabilities: | ||
drop: | ||
- ALL |
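Review bot: `bad-pod-1` and `bad-pod-2` both set `allowPrivilegeEscalation: true` on the container and the init container, as does `good-pod-2`, so step-04 never exercises the two exception entries independently. An additional `nginx` pod in `staging-ns` that sets `true` only under `initContainers` (expected to be admitted) would show that the `spec.initContainers[*]` entry in exception.yaml is honoured on its own rather than riding on the `spec.containers[*]` one.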
9 changes: 9 additions & 0 deletions
test/conformance/chainsaw/exceptions/exclude-privilege-escalation/policy-assert.yaml
@@ -0,0 +1,9 @@ | ||
apiVersion: kyverno.io/v1 | ||
kind: ClusterPolicy | ||
metadata: | ||
name: psa | ||
status: | ||
conditions: | ||
- reason: Succeeded | ||
status: "True" | ||
type: Ready |