feat: add chainsaw tests for pod security in exceptions (kyverno#9667)
Signed-off-by: Mariam Fahmy <[email protected]>
MariamFahmy98 authored Feb 6, 2024
1 parent ba01f95 commit ace5b59
Showing 117 changed files with 2,594 additions and 0 deletions.
@@ -0,0 +1,12 @@
## Description

This test creates a policy that enforces the baseline profile and a policy exception that exempts any pod whose namespace is `staging-ns` and make use of the HostPath volume.

## Steps

1. - Create a cluster policy
- Assert the policy becomes ready
1. - Create a policy exception for the cluster policy created above.
1. - Try to create a pod named `good-pod-1` in the `default` namespace and doesn't use the HostPath volume, expecting the creation to succeed.
- Try to create a pod named `good-pod-2` in the `staging-ns` namespace that uses the HostPath volume, expecting the creation to succeed.
- Try to create a pod named `bad-pod` in the `default` namespace that makes use of the HostPath volume, expecting the creation to fail.
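Review bot: the Steps list skips the namespace step that the chainsaw test actually runs (step-02 applies `ns.yaml`, creating `policy-exception-ns` and `staging-ns`), so a reader following the README against the test definition finds the two out of step; add a step such as `1. - Create the policy-exception-ns and staging-ns namespaces` between the policy and the exception. In the Description, "and make use of the HostPath volume" should read "and makes use of" to agree with "any pod".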
@@ -0,0 +1,35 @@
apiVersion: chainsaw.kyverno.io/v1alpha1
kind: Test
metadata:
creationTimestamp: null
name: exclude-hostpath-volume
spec:
steps:
- name: step-01
try:
- apply:
file: policy.yaml
- assert:
file: policy-assert.yaml
- name: step-02
try:
- apply:
file: ns.yaml
- assert:
file: ns.yaml
- name: step-03
try:
- apply:
file: exception.yaml
- name: step-04
try:
- apply:
file: pod-allowed-1.yaml
- apply:
file: pod-allowed-2.yaml
- apply:
expect:
- check:
($error != null): true
file: pod-rejected.yaml

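Review bot: the rejection check `($error != null): true` in step-04 only proves that the apply failed, not that the `psa` policy denied the pod; a missing namespace, an RBAC denial or a webhook timeout would satisfy it equally and the test would pass for the wrong reason. Tighten it to assert on the error text, for example `(contains($error, 'psa')): true`, so the step fails whenever the denial does not come from the rule under test. The same check is used for `pod-rejected-1.yaml` and `pod-rejected-2.yaml` in the privilege-escalation test and should be tightened there too.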
@@ -0,0 +1,20 @@
apiVersion: kyverno.io/v2beta1
kind: PolicyException
metadata:
name: pod-security-exception
namespace: policy-exception-ns
spec:
exceptions:
- policyName: psa
ruleNames:
- baseline
match:
any:
- resources:
namespaces:
- staging-ns
podSecurity:
- controlName: "HostPath Volumes"
restrictedField: "spec.volumes[*].hostPath"
values:
- "path"
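Review bot: the exception is scoped by namespace only; `match` lists `staging-ns` but no `kinds`, so it is the `psa` policy's own `Pod` match, not the exception, that limits what gets exempted. Adding `kinds: [Pod]` under `resources` states the intent and keeps the exemption narrow if the policy is later broadened. On coverage, the only control exempted is `HostPath Volumes`, yet no pod in `staging-ns` violates a different baseline control, so nothing in the test shows the exemption stops at that one control; a rejected pod in `staging-ns` with, for example, `hostNetwork: true` would pin that down.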
@@ -0,0 +1,9 @@
apiVersion: v1
kind: Namespace
metadata:
name: policy-exception-ns
---
apiVersion: v1
kind: Namespace
metadata:
name: staging-ns
@@ -0,0 +1,12 @@
apiVersion: v1
kind: Pod
metadata:
name: good-pod-1
namespace: default
spec:
containers:
- name: nginx
image: nginx
args:
- sleep
- 1d
@@ -0,0 +1,16 @@
apiVersion: v1
kind: Pod
metadata:
name: good-pod-2
namespace: staging-ns
spec:
volumes:
- name: host
hostPath:
path: /var/lib1
containers:
- name: nginx
image: nginx
args:
- sleep
- 1d
@@ -0,0 +1,16 @@
apiVersion: v1
kind: Pod
metadata:
name: bad-pod
namespace: default
spec:
volumes:
- name: host
hostPath:
path: /var/lib1
containers:
- name: nginx
image: nginx
args:
- sleep
- 1d
@@ -0,0 +1,9 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: psa
status:
conditions:
- reason: Succeeded
status: "True"
type: Ready
@@ -0,0 +1,18 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: psa
spec:
background: true
validationFailureAction: Enforce
rules:
- name: baseline
match:
any:
- resources:
kinds:
- Pod
validate:
podSecurity:
level: baseline
version: latest
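Review bot: `version: latest` ties the outcome of this test to whichever Pod Security Standards version the Kyverno build under test treats as latest, so a later bump can change which fields the baseline profile checks without any edit to this test; pin an explicit version string for deterministic results. Separately, the rule matches every `Pod` cluster-wide with `validationFailureAction: Enforce`, which includes system namespaces whose pods routinely use hostPath and hostNetwork and therefore fail baseline; any such pod recreated while the test runs is denied. Add an `exclude` for `kube-system`, or restrict `match` to the test namespaces with `namespaces:`, which also makes the test independent of the cluster it runs on.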
@@ -0,0 +1,13 @@
## Description

This test creates a policy that enforces the restricted profile and a policy exception that exempts any pod whose image is `nginx` in the `staging-ns` namespace and sets the `allowPrivilegeEscalation` field.

## Steps

1. - Create a cluster policy
- Assert the policy becomes ready
1. - Create a policy exception for the cluster policy created above.
1. - Try to create a pod named `good-pod-1` with `allowPrivilegeEscalation` set to `false` in the `default` namespace, expecting the creation to succeed.
- Try to create a pod named `good-pod-2` whose image is `nginx` in the `staging-ns` namespace and the `allowPrivilegeEscalation` is set to `true`, expecting the creation to succeed.
- Try to create a pod named `bad-pod-1` whose image is `busybox` in the `staging-ns` namespace and the `allowPrivilegeEscalation` is set to `true`, expecting the creation to fail.
- Try to create a pod named `bad-pod-2` whose image is `nginx` in the `default` namespace and the `allowPrivilegeEscalation` is set to `true`, expecting the creation to fail.
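Review bot: the Description says the exception covers pods that "set the `allowPrivilegeEscalation` field", but the exception and the test only cover the value `true` (`false` is already allowed by the restricted profile, which is what `good-pod-1` demonstrates); say `allowPrivilegeEscalation: true`. As in the first README, the Steps omit the namespace step the test runs (step-02 applies `ns.yaml`).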
@@ -0,0 +1,39 @@
apiVersion: chainsaw.kyverno.io/v1alpha1
kind: Test
metadata:
creationTimestamp: null
name: exclude-privilege-escalation
spec:
steps:
- name: step-01
try:
- apply:
file: policy.yaml
- assert:
file: policy-assert.yaml
- name: step-02
try:
- apply:
file: ns.yaml
- assert:
file: ns.yaml
- name: step-03
try:
- apply:
file: exception.yaml
- name: step-04
try:
- apply:
file: pod-allowed-1.yaml
- apply:
file: pod-allowed-2.yaml
- apply:
expect:
- check:
($error != null): true
file: pod-rejected-1.yaml
- apply:
expect:
- check:
($error != null): true
file: pod-rejected-2.yaml
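Review bot: `creationTimestamp: null` under `metadata` is scaffolding left over from generating the test (here and in `exclude-hostpath-volume`); drop it, since chainsaw does not need it and it is noise in a fixture meant to be read. Note also that step-04 never checks that `good-pod-2` was admitted for the intended reason: a successful apply with the exception in place is the only evidence, so if the exception were silently ignored and the policy failed open, step-04 would still pass; asserting the pod exists with `allowPrivilegeEscalation: true` after the apply, or pairing it with the tightened error check on the rejected pods, closes that gap.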
@@ -0,0 +1,28 @@
apiVersion: kyverno.io/v2beta1
kind: PolicyException
metadata:
name: pod-security-exception
namespace: policy-exception-ns
spec:
exceptions:
- policyName: psa
ruleNames:
- restricted
match:
any:
- resources:
namespaces:
- staging-ns
podSecurity:
- controlName: "Privilege Escalation"
images:
- nginx
restrictedField: "spec.containers[*].securityContext.allowPrivilegeEscalation"
values:
- "true"
- controlName: "Privilege Escalation"
images:
- nginx
restrictedField: "spec.initContainers[*].securityContext.allowPrivilegeEscalation"
values:
- "true"
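Review bot: the `images` matcher is given the bare reference `nginx`, and the only exempted pod uses exactly that string, so the test does not tell a reader whether tagged or fully qualified references (`nginx:1.25`, `docker.io/library/nginx`) are matched; add an allowed pod with a tagged `nginx` image, or use the wildcard form `nginx*` if that is the intended scope, so the matching semantics are pinned down. The two entries cover `spec.containers[*]` and `spec.initContainers[*]` but not `spec.ephemeralContainers[*]`, which the restricted profile's Privilege Escalation control also checks; if that is deliberate (debug containers in `staging-ns` stay fully restricted) say so in the README, otherwise add a third entry.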
@@ -0,0 +1,9 @@
apiVersion: v1
kind: Namespace
metadata:
name: policy-exception-ns
---
apiVersion: v1
kind: Namespace
metadata:
name: staging-ns
@@ -0,0 +1,34 @@
apiVersion: v1
kind: Pod
metadata:
name: good-pod-1
namespace: default
spec:
containers:
- name: nginx1
image: nginx
args:
- sleep
- 1d
securityContext:
seccompProfile:
type: RuntimeDefault
runAsNonRoot: true
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
initContainers:
- name: nginx2
image: nginx
args:
- sleep
- 1d
securityContext:
seccompProfile:
type: RuntimeDefault
runAsNonRoot: true
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
@@ -0,0 +1,34 @@
apiVersion: v1
kind: Pod
metadata:
name: good-pod-2
namespace: staging-ns
spec:
containers:
- name: nginx1
image: nginx
args:
- sleep
- 1d
securityContext:
seccompProfile:
type: RuntimeDefault
runAsNonRoot: true
allowPrivilegeEscalation: true
capabilities:
drop:
- ALL
initContainers:
- name: nginx2
image: nginx
args:
- sleep
- 1d
securityContext:
seccompProfile:
type: RuntimeDefault
runAsNonRoot: true
allowPrivilegeEscalation: true
capabilities:
drop:
- ALL
@@ -0,0 +1,34 @@
apiVersion: v1
kind: Pod
metadata:
name: bad-pod-1
namespace: staging-ns
spec:
containers:
- name: busybox1
image: busybox
args:
- sleep
- 1d
securityContext:
seccompProfile:
type: RuntimeDefault
runAsNonRoot: true
allowPrivilegeEscalation: true
capabilities:
drop:
- ALL
initContainers:
- name: busybox2
image: busybox
args:
- sleep
- 1d
securityContext:
seccompProfile:
type: RuntimeDefault
runAsNonRoot: true
allowPrivilegeEscalation: true
capabilities:
drop:
- ALL
@@ -0,0 +1,34 @@
apiVersion: v1
kind: Pod
metadata:
name: bad-pod-2
namespace: default
spec:
containers:
- name: nginx1
image: nginx
args:
- sleep
- 1d
securityContext:
seccompProfile:
type: RuntimeDefault
runAsNonRoot: true
allowPrivilegeEscalation: true
capabilities:
drop:
- ALL
initContainers:
- name: nginx2
image: nginx
args:
- sleep
- 1d
securityContext:
seccompProfile:
type: RuntimeDefault
runAsNonRoot: true
allowPrivilegeEscalation: true
capabilities:
drop:
- ALL
@@ -0,0 +1,9 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: psa
status:
conditions:
- reason: Succeeded
status: "True"
type: Ready