diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
new file mode 100644
index 0000000..835b01e
--- /dev/null
+++ b/.github/workflows/ci.yaml
@@ -0,0 +1,27 @@
+name: Kyverno CLI Test
+
+on:
+ push:
+ branches:
+ - 'main'
+ pull_request:
+ branches:
+ - 'main'
+
+jobs:
+ cli-test:
+ strategy:
+ fail-fast: false
+ matrix:
+ n4k-version: [v1.9.0-n4kbuild.3]
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v3
+ - name: Unshallow
+ run: git fetch --prune --unshallow
+ - name: Get kyverno binary
+ run: |
+ N4K_BINARY_VERSION=${{ matrix.n4k-version }} make get-kyverno-binary
+ - name: Run Kyverno CLI tests
+ run: make run-cli-test
diff --git a/Makefile b/Makefile
index c91c094..164d63f 100644
--- a/Makefile
+++ b/Makefile
@@ -157,3 +157,18 @@ verify-helm-docs: codegen-helm-docs ## Check helm docs are up to date
 @echo Checking helm docs are up to date... >&2
 @git --no-pager diff charts
 @git diff --quiet --exit-code charts
+
+#####################
+# Kyverno CLI TESTS #
+#####################
+
+.PHONY: get-kyverno-binary
+get-kyverno-binary:
+ @echo Download kyverno binary ... >&2
+ @curl -LO https://github.com/nirmata/kyverno/releases/download/$(N4K_BINARY_VERSION)/kyverno-cli_$(N4K_BINARY_VERSION)_linux_x86_64.tar.gz
+ @tar -xvf kyverno-cli_$(N4K_BINARY_VERSION)_linux_x86_64.tar.gz
+
+.PHONY: run-cli-test
+run-cli-test:
+ @echo wait kyverno pod status installation... >&2
+ @./kyverno test .
diff --git a/tests/best-practices/badawsacfg.yaml b/tests/best-practices/badawsacfg.yaml
new file mode 100644
index 0000000..31e8603
--- /dev/null
+++ b/tests/best-practices/badawsacfg.yaml
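Review bot: The `Get kyverno binary` step interpolates `${{ matrix.n4k-version }}` straight into the shell line, and `actions/checkout@v3` is pinned to a mutable tag rather than a commit SHA. The matrix is defined in this file, so the interpolation is not reachable from outside today, but routing it through `env:` / `N4K_BINARY_VERSION: ${{ matrix.n4k-version }}` with `run: make get-kyverno-binary` keeps the step safe if the matrix is later fed from workflow inputs, and a SHA pin with a version comment keeps the checkout action from changing underneath the job. The separate Unshallow step can be replaced by `fetch-depth: 0` under `with:` on the checkout step, which does the full clone in one go instead of clone-then-fetch.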
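Review bot: `get-kyverno-binary` downloads a release tarball and `run-cli-test` then executes the extracted binary with no integrity check, and `curl -LO` without `--fail` saves an HTML error body on a 404 so a wrong version only surfaces as an opaque `tar` error. Verify the archive against a digest recorded in the repo before extracting: `@curl -fsSLO https://github.com/nirmata/kyverno/releases/download/$(N4K_BINARY_VERSION)/kyverno-cli_$(N4K_BINARY_VERSION)_linux_x86_64.tar.gz` followed by `@echo "<EXPECTED_SHA256>  kyverno-cli_$(N4K_BINARY_VERSION)_linux_x86_64.tar.gz" | sha256sum -c -`, with the expected digest kept next to the pinned version. The target also fails confusingly when `N4K_BINARY_VERSION` is unset (the URL collapses to `.../download//kyverno-cli__linux_x86_64.tar.gz`), so a `test -n "$(N4K_BINARY_VERSION)"` guard with a clear message would help, and the architecture is hard-coded to `linux_x86_64`. The `run-cli-test` echo text `wait kyverno pod status installation...` looks copied from another target; `Running Kyverno CLI tests...` describes what the recipe does.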
@@ -0,0 +1,29 @@
+apiVersion: security.nirmata.io/v1alpha1
+kind: AWSAdapterConfig
+metadata:
+ name: bad-awsacfg
+ namespace: default
+status:
+ accountData:
+ inspectorEnabledEC2: false
+ inspectorEnabledECR: false
+ ecrRepositories:
+ - imageTagMutable: false
+ repositoryName: repository-name
+ repositoryUri: repository-uri
+ eksCluster:
+ compute:
+ nodeGroups:
+ - remoteAccessConfig:
+ ec2SshKey: my-ssh-key
+ reservations:
+ - instances:
+ - httpPutResponseHopLimit: 2
+ publicDnsName: ec2-55-222-222-33.us-west-1.compute.amazonaws.com
+ logging:
+ audit: false
+ networking:
+ vpc:
+ endpointPublicAccess: true
+ flowLogsEnabled: false
+ roleArn: arn:aws:iam::844333597536:role/some-different-eks-role
diff --git a/tests/best-practices/goodawsacfg.yaml b/tests/best-practices/goodawsacfg.yaml
new file mode 100644
index 0000000..1ea004d
--- /dev/null
+++ b/tests/best-practices/goodawsacfg.yaml
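Review bot: The negative fixture omits whole sections (`spec`, `tags`, `encryptionConfig`, `accountData.id`) rather than setting them to non-compliant values, so for the tags and secrets-encryption rules in kyverno-test.yaml the expected `fail` would come from a missing field rather than a wrong one, and the test would not show that the policy rejects a present-but-bad value. The other deviations are explicit in the file (inspector flags false, `endpointPublicAccess: true`, `audit: false`, `ec2SshKey` set, `httpPutResponseHopLimit: 2`, `publicDnsName` set, `imageTagMutable: false`, `flowLogsEnabled: false`, a non-standard `roleArn`), but nothing ties them to the rules they are meant to trip. A header comment such as `# Intentionally non-compliant: one deviation per rule in kyverno-test.yaml; see the field comments below` plus a short inline comment on each deviating field would keep the fixture reviewable when a policy changes. Whether each rule treats an absent field as a failure is not visible in this diff; worth confirming against `config/samples/policies`.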
@@ -0,0 +1,95 @@
+apiVersion: security.nirmata.io/v1alpha1
+kind: AWSAdapterConfig
+metadata:
+ labels:
+ app.kubernetes.io/name: awsadapterconfig
+ app.kubernetes.io/instance: awsacfg-sample
+ app.kubernetes.io/part-of: kyverno-aws-adapter
+ app.kubernetes.io/created-by: kyverno-aws-adapter
+ name: good-awsacfg
+ namespace: default
+spec:
+ name: test
+ region: us-west-1
+status:
+ accountData:
+ id: "844333597536"
+ inspectorEnabledEC2: true
+ inspectorEnabledECR: true
+ ecrRepositories:
+ - imageTagMutable: true
+ repositoryName: repository-name
+ repositoryUri: repository-uri
+ eksCluster:
+ addons:
+ - coredns
+ - kube-proxy
+ - vpc-cni
+ arn: arn:aws:eks:us-west-1:844333597536:cluster/aws-adapter
+ certificate: CertificateAuthorityData0==
+ compute:
+ nodeGroups:
+ - amiReleaseVersion: 1.24.10-20230217
+ amiType: AL2_x86_64
+ capacityType: ON_DEMAND
+ createdAt: 2023-03-07 05:25:07.757 +0000 UTC
+ diskSize: 6
+ instanceTypes:
+ - t3.micro
+ name: aws-adapter-node-group
+ nodeGroupArn: arn:aws:eks:us-west-1:844333597536:nodegroup/aws-adapter/aws-adapter-node-group/c0c35d43-e41b-63e0-d795-2b62e5f68c45
+ nodeRole: arn:aws:iam::844333597536:role/some-worker-node-policy
+ resources:
+ autoScalingGroups:
+ - eks-aws-adapter-node-group-c0c33333-e41b-63e0-d795-2b62e5f68c45
+ scalingConfig:
+ desiredSize: 2
+ maxSize: 2
+ minSize: 2
+ status: ACTIVE
+ subnets:
+ - subnet-24778d33
+ - subnet-3ee0f555
+ updateConfig:
+ maxUnavailable: 1
+ reservations:
+ - instances:
+ - httpPutResponseHopLimit: 1
+ createdAt: 2023-03-07 05:06:08.439 +0000 UTC
+ encryptionConfig:
+ - keyArn: arn:aws:kms:us-west-1:844333597536:key/abcd1234-5678-90ab-cdef-0123456789ab
+ resources:
+ - secrets
+ endpoint: https://99C71FD57BFEA9CC8EB2E3.gr7.us-west-1.eks.amazonaws.com
+ kubernetesVersion: "1.24"
+ logging:
+ apiServer: false
+ audit: true
+ authenticator: false
+ controllerManager: false
+ scheduler: false
+ name: aws-adapter
+ networking:
+ ipFamily: ipv4
+ serviceIPv4CIDR: 10.100.0.0/10
+ vpc:
+ clusterSecurityGroupID: sg-060c4c41cb11e5d1a
+ endpointPublicAccess: false
+ flowLogsEnabled: true
+ publicAccessCIDRs:
+ - 0.0.0.0/0
+ subnetIDs:
+ - subnet-24778d33
+ - subnet-3ee0f655
+ vpcID: vpc-1ef6fd78
+ platformVersion: eks.4
+ region: us-west-1
+ roleArn: arn:aws:iam::844333597536:role/standard-eks-role
+ status: ACTIVE
+ tags:
+ alpha.eksctl.io/cluster-oidc-enabled: "true"
+ department: some-department
+ lastPollInfo:
+ status: success
+ timestamp: "2023-03-07T16:13:33Z"
+ lastUpdatedTimestamp: "2023-03-07T16:13:33Z"
diff --git a/tests/best-practices/kyverno-test.yaml b/tests/best-practices/kyverno-test.yaml
new file mode 100644
index 0000000..7fc04b2
--- /dev/null
+++ b/tests/best-practices/kyverno-test.yaml
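Review bot: The two `createdAt` values (`2023-03-07 05:25:07.757 +0000 UTC` and `2023-03-07 05:06:08.439 +0000 UTC`) are plain scalars while every other timestamp-like or number-like value in the file (`timestamp`, `lastUpdatedTimestamp`, `id`, `kubernetesVersion`) is quoted; quoting them too, `createdAt: "2023-03-07 05:25:07.757 +0000 UTC"`, keeps the fixture from depending on how a particular loader tokenises the trailing ` UTC`. The compliant fixture also carries `publicAccessCIDRs: - 0.0.0.0/0`; it is inert while `endpointPublicAccess: false`, but a comment such as `# open CIDR is harmless only while endpointPublicAccess stays false` would stop a future policy on public CIDRs from silently inverting what this fixture represents. `subnets` lists `subnet-3ee0f555` while `subnetIDs` lists `subnet-3ee0f655`; presumably a typo and harmless for the current rules, but the two lists should agree in a fixture meant to model one cluster.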
@@ -0,0 +1,117 @@
+name: check-amazon-inspector
+policies:
+- ../../config/samples/policies
+resources:
+- goodawsacfg.yaml
+- badawsacfg.yaml
+results:
+- policy: check-amazon-inspector
+ rule: check-amazon-inspector
+ resource: good-awsacfg
+ result: pass
+ kind: AWSAdapterConfig
+- policy: check-amazon-inspector
+ rule: check-amazon-inspector
+ resource: bad-awsacfg
+ result: fail
+ kind: AWSAdapterConfig
+- policy: check-cluster-endpoint
+ rule: check-cluster-endpoint
+ resource: good-awsacfg
+ result: pass
+ kind: AWSAdapterConfig
+- policy: check-cluster-endpoint
+ rule: check-cluster-endpoint
+ resource: bad-awsacfg
+ result: fail
+ kind: AWSAdapterConfig
+- policy: check-cluster-logging
+ rule: check-cluster-audit-logging
+ resource: good-awsacfg
+ result: pass
+ kind: AWSAdapterConfig
+- policy: check-cluster-logging
+ rule: check-cluster-audit-logging
+ resource: bad-awsacfg
+ result: fail
+ kind: AWSAdapterConfig
+- policy: check-cluster-remote-access
+ rule: check-cluster-remote-access
+ resource: good-awsacfg
+ result: pass
+ kind: AWSAdapterConfig
+- policy: check-cluster-remote-access
+ rule: check-cluster-remote-access
+ resource: bad-awsacfg
+ result: fail
+ kind: AWSAdapterConfig
+- policy: check-cluster-rolearn
+ rule: check-cluster-role-arn
+ resource: good-awsacfg
+ result: pass
+ kind: AWSAdapterConfig
+- policy: check-cluster-rolearn
+ rule: check-cluster-role-arn
+ resource: bad-awsacfg
+ result: fail
+ kind: AWSAdapterConfig
+- policy: check-cluster-secrets-encryption
+ rule: check-cluster-secrets-encryption
+ resource: good-awsacfg
+ result: pass
+ kind: AWSAdapterConfig
+- policy: check-cluster-secrets-encryption
+ rule: check-cluster-secrets-encryption
+ resource: bad-awsacfg
+ result: fail
+ kind: AWSAdapterConfig
+- policy: check-cluster-tags
+ rule: check-department-tag
+ resource: good-awsacfg
+ result: pass
+ kind: AWSAdapterConfig
+- policy: check-cluster-tags
+ rule: check-department-tag
+ resource: bad-awsacfg
+ result: fail
+ kind: AWSAdapterConfig
+- policy: check-immutable-tags-ecr
+ rule: check-immutable-tag
+ resource: good-awsacfg
+ result: pass
+ kind: AWSAdapterConfig
+- policy: check-immutable-tags-ecr
+ rule: check-immutable-tag
+ resource: bad-awsacfg
+ result: fail
+ kind: AWSAdapterConfig
+- policy: check-instance-profile-access
+ rule: check-instance-profile-access
+ resource: good-awsacfg
+ result: pass
+ kind: AWSAdapterConfig
+- policy: check-instance-profile-access
+ rule: check-instance-profile-access
+ resource: bad-awsacfg
+ result: fail
+ kind: AWSAdapterConfig
+- policy: check-public-dns
+ rule: check-public-dns
+ resource: good-awsacfg
+ result: pass
+ kind: AWSAdapterConfig
+- policy: check-public-dns
+ rule: check-public-dns
+ resource: bad-awsacfg
+ result: fail
+ kind: AWSAdapterConfig
+- policy: check-vpc-flow-logs
+ rule: check-vpc-flow-logs
+ resource: good-awsacfg
+ result: pass
+ kind: AWSAdapterConfig
+- policy: check-vpc-flow-logs
+ rule: check-vpc-flow-logs
+ resource: bad-awsacfg
+ result: fail
+ kind: AWSAdapterConfig
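Review bot: The suite is named `check-amazon-inspector` although its `results` cover eleven policies loaded from `../../config/samples/policies`; a name such as `name: aws-adapter-best-practices` would say what the file actually asserts. Every policy gets exactly one pass/fail pair against the same two fixtures, so a policy added to that directory without entries here runs with no asserted outcome (how the CLI reports undeclared results is not visible in this diff); a top-of-file comment, `# one pass/fail pair per policy in config/samples/policies - add a pair when adding a policy`, would make the convention explicit. The flush sequence style here (`- policy:` at the parent key's column) differs from the indented style in ci.yaml; both are valid, but the repo should settle on one.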