From 059efbefc641875952c2805dbf5c7b0be000670c Mon Sep 17 00:00:00 2001
From: Chandan-DK
Date: Sun, 12 May 2024 04:36:00 +0000
Subject: [PATCH 01/32] copy enforce-sidecar-injection-namespace
Signed-off-by: Chandan-DK
---
 .../chainsaw-step-01-assert-1.yaml | 6 +++
 .../.chainsaw-test/chainsaw-test.yaml | 41 +++++++++++++++++++
 .../.chainsaw-test/ns-bad-disabled.yaml | 6 +++
 .../.chainsaw-test/ns-bad-nolabel.yaml | 4 ++
 .../.chainsaw-test/ns-bad-somelabel.yaml | 6 +++
 .../.chainsaw-test/ns-good.yaml | 15 +++++++
 .../artifacthub-pkg.yml | 22 ++++++++++
 .../enforce-sidecar-injection-namespace.yaml | 32 +++++++++++++++
 8 files changed, 132 insertions(+)
 create mode 100755 istio-cel/enforce-sidecar-injection-namespace/.chainsaw-test/chainsaw-step-01-assert-1.yaml
 create mode 100755 istio-cel/enforce-sidecar-injection-namespace/.chainsaw-test/chainsaw-test.yaml
 create mode 100644 istio-cel/enforce-sidecar-injection-namespace/.chainsaw-test/ns-bad-disabled.yaml
 create mode 100644 istio-cel/enforce-sidecar-injection-namespace/.chainsaw-test/ns-bad-nolabel.yaml
 create mode 100644 istio-cel/enforce-sidecar-injection-namespace/.chainsaw-test/ns-bad-somelabel.yaml
 create mode 100644 istio-cel/enforce-sidecar-injection-namespace/.chainsaw-test/ns-good.yaml
 create mode 100644 istio-cel/enforce-sidecar-injection-namespace/artifacthub-pkg.yml
 create mode 100644 istio-cel/enforce-sidecar-injection-namespace/enforce-sidecar-injection-namespace.yaml
diff --git a/istio-cel/enforce-sidecar-injection-namespace/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/istio-cel/enforce-sidecar-injection-namespace/.chainsaw-test/chainsaw-step-01-assert-1.yaml
new file mode 100755
index 000000000..acc3f29fb
--- /dev/null
+++ b/istio-cel/enforce-sidecar-injection-namespace/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -0,0 +1,6 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: enforce-sidecar-injection-namespace
+status:
+ ready: true
diff --git a/istio-cel/enforce-sidecar-injection-namespace/.chainsaw-test/chainsaw-test.yaml b/istio-cel/enforce-sidecar-injection-namespace/.chainsaw-test/chainsaw-test.yaml
new file mode 100755
index 000000000..85ad2e8d1
--- /dev/null
+++ b/istio-cel/enforce-sidecar-injection-namespace/.chainsaw-test/chainsaw-test.yaml
@@ -0,0 +1,41 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: enforce-sidecar-injection-namespace
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: ../enforce-sidecar-injection-namespace.yaml
+ - patch:
+ resource:
+ apiVersion: kyverno.io/v1
+ kind: ClusterPolicy
+ metadata:
+ name: enforce-sidecar-injection-namespace
+ spec:
+ validationFailureAction: Enforce
+ - assert:
+ file: chainsaw-step-01-assert-1.yaml
+ - name: step-02
+ try:
+ - apply:
+ file: ns-good.yaml
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: ns-bad-disabled.yaml
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: ns-bad-nolabel.yaml
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: ns-bad-somelabel.yaml
diff --git a/istio-cel/enforce-sidecar-injection-namespace/.chainsaw-test/ns-bad-disabled.yaml b/istio-cel/enforce-sidecar-injection-namespace/.chainsaw-test/ns-bad-disabled.yaml
new file mode 100644
index 000000000..0eec7ea44
--- /dev/null
+++ b/istio-cel/enforce-sidecar-injection-namespace/.chainsaw-test/ns-bad-disabled.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ labels:
+ istio-injection: disabled
+ name: bad-istio-sinj01
\ No newline at end of file
diff --git a/istio-cel/enforce-sidecar-injection-namespace/.chainsaw-test/ns-bad-nolabel.yaml b/istio-cel/enforce-sidecar-injection-namespace/.chainsaw-test/ns-bad-nolabel.yaml
new file mode 100644
index 000000000..4caa0efdb
--- /dev/null
+++ b/istio-cel/enforce-sidecar-injection-namespace/.chainsaw-test/ns-bad-nolabel.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: bad-istio-sinj03
\ No newline at end of file
diff --git a/istio-cel/enforce-sidecar-injection-namespace/.chainsaw-test/ns-bad-somelabel.yaml b/istio-cel/enforce-sidecar-injection-namespace/.chainsaw-test/ns-bad-somelabel.yaml
new file mode 100644
index 000000000..d25585d2a
--- /dev/null
+++ b/istio-cel/enforce-sidecar-injection-namespace/.chainsaw-test/ns-bad-somelabel.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ labels:
+ foo: enabled
+ name: bad-istio-sinj02
\ No newline at end of file
diff --git a/istio-cel/enforce-sidecar-injection-namespace/.chainsaw-test/ns-good.yaml b/istio-cel/enforce-sidecar-injection-namespace/.chainsaw-test/ns-good.yaml
new file mode 100644
index 000000000..a5f30d2ac
--- /dev/null
+++ b/istio-cel/enforce-sidecar-injection-namespace/.chainsaw-test/ns-good.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ labels:
+ istio-injection: enabled
+ name: good-istio-sinj01
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ labels:
+ foo: disabled
+ istio-injection: enabled
+ bar: enabled
+ name: good-istio-sinj02
\ No newline at end of file
diff --git a/istio-cel/enforce-sidecar-injection-namespace/artifacthub-pkg.yml b/istio-cel/enforce-sidecar-injection-namespace/artifacthub-pkg.yml
new file mode 100644
index 000000000..ba5c3901c
--- /dev/null
+++ b/istio-cel/enforce-sidecar-injection-namespace/artifacthub-pkg.yml
@@ -0,0 +1,22 @@
+name: enforce-sidecar-injection-namespace
+version: 1.0.0
+displayName: Enforce Istio Sidecar Injection
+createdAt: "2023-04-10T20:07:52.000Z"
+description: >-
+ In order for Istio to inject sidecars to workloads deployed into Namespaces, the label `istio-injection` must be set to `enabled`. This policy ensures that all new Namespaces set `istio-inject` to `enabled`.
+install: |-
+ ```shell
+ kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/istio/enforce-sidecar-injection-namespace/enforce-sidecar-injection-namespace.yaml
+ ```
+keywords:
+ - kyverno
+ - Istio
+readme: |
+ In order for Istio to inject sidecars to workloads deployed into Namespaces, the label `istio-injection` must be set to `enabled`. This policy ensures that all new Namespaces set `istio-inject` to `enabled`.
+
+ Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/
+annotations:
+ kyverno/category: "Istio"
+ kyverno/kubernetesVersion: "1.24"
+ kyverno/subject: "Namespace"
+digest: bef6a662a8eabeb1e615f5b1bc46200d9212d0f47e62e5705a31242082ccc2ef
diff --git a/istio-cel/enforce-sidecar-injection-namespace/enforce-sidecar-injection-namespace.yaml b/istio-cel/enforce-sidecar-injection-namespace/enforce-sidecar-injection-namespace.yaml
new file mode 100644
index 000000000..77c10fc68
--- /dev/null
+++ b/istio-cel/enforce-sidecar-injection-namespace/enforce-sidecar-injection-namespace.yaml
@@ -0,0 +1,32 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: enforce-sidecar-injection-namespace
+ annotations:
+ policies.kyverno.io/title: Enforce Istio Sidecar Injection
+ policies.kyverno.io/category: Istio
+ policies.kyverno.io/severity: medium
+ kyverno.io/kyverno-version: 1.8.0
+ policies.kyverno.io/minversion: 1.6.0
+ kyverno.io/kubernetes-version: "1.24"
+ policies.kyverno.io/subject: Namespace
+ policies.kyverno.io/description: >-
+ In order for Istio to inject sidecars to workloads deployed into Namespaces, the label
+ `istio-injection` must be set to `enabled`. This policy ensures that all new Namespaces
+ set `istio-inject` to `enabled`.
+spec:
+ validationFailureAction: audit
+ background: true
+ rules:
+ - name: check-istio-injection-enabled
+ match:
+ any:
+ - resources:
+ kinds:
+ - Namespace
+ validate:
+ message: "All new Namespaces must have Istio sidecar injection enabled."
+ pattern:
+ metadata:
+ labels:
+ istio-injection: enabled
From ccb21cff2cb046601d738f99602e098a7ebb6f42 Mon Sep 17 00:00:00 2001
From: Chandan-DK
Date: Sun, 12 May 2024 04:37:45 +0000
Subject: [PATCH 02/32] add kyverno tests for enforce-sidecar-injection-namespace
Signed-off-by: Chandan-DK
---
 .../.kyverno-test/kyverno-test.yaml | 28 +++++++++++++++++++
 .../.kyverno-test/kyverno-test.yaml | 28 +++++++++++++++++++
 2 files changed, 56 insertions(+)
 create mode 100644 istio-cel/enforce-sidecar-injection-namespace/.kyverno-test/kyverno-test.yaml
 create mode 100644 istio/enforce-sidecar-injection-namespace/.kyverno-test/kyverno-test.yaml
diff --git a/istio-cel/enforce-sidecar-injection-namespace/.kyverno-test/kyverno-test.yaml b/istio-cel/enforce-sidecar-injection-namespace/.kyverno-test/kyverno-test.yaml
new file mode 100644
index 000000000..e457fa2b8
--- /dev/null
+++ b/istio-cel/enforce-sidecar-injection-namespace/.kyverno-test/kyverno-test.yaml
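Review bot: The last sentence of `policies.kyverno.io/description` names the label `istio-inject`, while the first sentence and the rule's pattern check `istio-injection`; an operator who follows the description literally would label a Namespace `istio-inject: enabled` and still be denied. Change that sentence to read `set `istio-injection` to `enabled``. The same sentence is copied into the description and readme of artifacthub-pkg.yml in this commit and again in the later "convert" commit, and into the converted policy's annotation, so all copies need the same correction.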
@@ -0,0 +1,28 @@
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ name: enforce-sidecar-injection-namespace
+policies:
+- ../enforce-sidecar-injection-namespace.yaml
+resources:
+- ../.chainsaw-test/ns-bad-disabled.yaml
+- ../.chainsaw-test/ns-bad-nolabel.yaml
+- ../.chainsaw-test/ns-bad-somelabel.yaml
+- ../.chainsaw-test/ns-good.yaml
+results:
+- policy: enforce-sidecar-injection-namespace
+ rule: check-istio-injection-enabled
+ kind: Namespace
+ resources:
+ - bad-istio-sinj01
+ - bad-istio-sinj02
+ - bad-istio-sinj03
+ result: fail
+- policy: enforce-sidecar-injection-namespace
+ rule: check-istio-injection-enabled
+ kind: Namespace
+ resources:
+ - good-istio-sinj01
+ - good-istio-sinj02
+ result: pass
+
diff --git a/istio/enforce-sidecar-injection-namespace/.kyverno-test/kyverno-test.yaml b/istio/enforce-sidecar-injection-namespace/.kyverno-test/kyverno-test.yaml
new file mode 100644
index 000000000..e457fa2b8
--- /dev/null
+++ b/istio/enforce-sidecar-injection-namespace/.kyverno-test/kyverno-test.yaml
@@ -0,0 +1,28 @@
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ name: enforce-sidecar-injection-namespace
+policies:
+- ../enforce-sidecar-injection-namespace.yaml
+resources:
+- ../.chainsaw-test/ns-bad-disabled.yaml
+- ../.chainsaw-test/ns-bad-nolabel.yaml
+- ../.chainsaw-test/ns-bad-somelabel.yaml
+- ../.chainsaw-test/ns-good.yaml
+results:
+- policy: enforce-sidecar-injection-namespace
+ rule: check-istio-injection-enabled
+ kind: Namespace
+ resources:
+ - bad-istio-sinj01
+ - bad-istio-sinj02
+ - bad-istio-sinj03
+ result: fail
+- policy: enforce-sidecar-injection-namespace
+ rule: check-istio-injection-enabled
+ kind: Namespace
+ resources:
+ - good-istio-sinj01
+ - good-istio-sinj02
+ result: pass
+
From 150dd035a2f6ef4f28eff7d1d95825fe5e709be7 Mon Sep 17 00:00:00 2001
From: Chandan-DK
Date: Sun, 12 May 2024 04:38:53 +0000
Subject: [PATCH 03/32] convert enforce-sidecar-injection-namespace
Signed-off-by: Chandan-DK
---
 .../artifacthub-pkg.yml | 16 ++++++------
 .../enforce-sidecar-injection-namespace.yaml | 22 +++++++++----------
 2 files changed, 20 insertions(+), 18 deletions(-)
diff --git a/istio-cel/enforce-sidecar-injection-namespace/artifacthub-pkg.yml b/istio-cel/enforce-sidecar-injection-namespace/artifacthub-pkg.yml
index ba5c3901c..f6a2902b1 100644
--- a/istio-cel/enforce-sidecar-injection-namespace/artifacthub-pkg.yml
+++ b/istio-cel/enforce-sidecar-injection-namespace/artifacthub-pkg.yml
@@ -1,22 +1,24 @@ -name: enforce-sidecar-injection-namespace +name: enforce-sidecar-injection-namespace-cel version: 1.0.0 -displayName: Enforce Istio Sidecar Injection -createdAt: "2023-04-10T20:07:52.000Z" +displayName: Enforce Istio Sidecar Injection in CEL expressions description: >- In order for Istio to inject sidecars to workloads deployed into Namespaces, the label `istio-injection` must be set to `enabled`. This policy ensures that all new Namespaces set `istio-inject` to `enabled`. install: |- ```shell - kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/istio/enforce-sidecar-injection-namespace/enforce-sidecar-injection-namespace.yaml + kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/istio-cel/enforce-sidecar-injection-namespace/enforce-sidecar-injection-namespace.yaml ``` keywords: - kyverno - Istio + - CEL Expressions readme: | In order for Istio to inject sidecars to workloads deployed into Namespaces, the label `istio-injection` must be set to `enabled`. This policy ensures that all new Namespaces set `istio-inject` to `enabled`. Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ annotations: - kyverno/category: "Istio" - kyverno/kubernetesVersion: "1.24" + kyverno/category: "Istio in CEL" + kyverno/kubernetesVersion: "1.26-1.27" kyverno/subject: "Namespace" -digest: bef6a662a8eabeb1e615f5b1bc46200d9212d0f47e62e5705a31242082ccc2ef +digest: 3083420cd7860eadc12dd313a90d20264d211e2bf3c9ade3a74cd9454d88afa9 +createdAt: "2024-05-12T04:38:32Z" + diff --git a/istio-cel/enforce-sidecar-injection-namespace/enforce-sidecar-injection-namespace.yaml b/istio-cel/enforce-sidecar-injection-namespace/enforce-sidecar-injection-namespace.yaml index 77c10fc68..930f284cd 100644 --- a/istio-cel/enforce-sidecar-injection-namespace/enforce-sidecar-injection-namespace.yaml 
+++ b/istio-cel/enforce-sidecar-injection-namespace/enforce-sidecar-injection-namespace.yaml @@ -3,19 +3,19 @@ kind: ClusterPolicy metadata: name: enforce-sidecar-injection-namespace annotations: - policies.kyverno.io/title: Enforce Istio Sidecar Injection - policies.kyverno.io/category: Istio + policies.kyverno.io/title: Enforce Istio Sidecar Injection in CEL expressions + policies.kyverno.io/category: Istio in CEL policies.kyverno.io/severity: medium - kyverno.io/kyverno-version: 1.8.0 - policies.kyverno.io/minversion: 1.6.0 - kyverno.io/kubernetes-version: "1.24" + kyverno.io/kyverno-version: 1.11.0 + policies.kyverno.io/minversion: 1.11.0 + kyverno.io/kubernetes-version: "1.26-1.27" policies.kyverno.io/subject: Namespace policies.kyverno.io/description: >- In order for Istio to inject sidecars to workloads deployed into Namespaces, the label `istio-injection` must be set to `enabled`. This policy ensures that all new Namespaces set `istio-inject` to `enabled`. spec: - validationFailureAction: audit + validationFailureAction: Audit background: true rules: - name: check-istio-injection-enabled @@ -25,8 +25,8 @@ spec: kinds: - Namespace validate: - message: "All new Namespaces must have Istio sidecar injection enabled." - pattern: - metadata: - labels: - istio-injection: enabled + cel: + expressions: + - expression: "has(object.metadata.labels) && 'istio-injection' in object.metadata.labels && object.metadata.labels['istio-injection'] == 'enabled'" + message: "All new Namespaces must have Istio sidecar injection enabled." + From 5be9651d699678b1581d57b533ba254823647ae0 Mon Sep 17 00:00:00 2001 From: Chandan-DK Date: Sun, 12 May 2024 04:39:24 +0000 Subject: [PATCH 04/32] copy enforce-strict-mtls 
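Review bot: The message still says "All new Namespaces" but nothing limits the converted rule to creation: the match block (above this hunk, outside it) selects every Namespace with no `operations` filter and `background: true` scans existing ones, so once the action is switched to Enforce any update to a pre-existing Namespace lacking `istio-injection: enabled` — which would typically include the Istio control-plane namespace itself and `kube-system` — is rejected. If creation-only is the intent, add `operations:` / `- CREATE` under `resources:` in the match block; otherwise exclude the Namespaces that legitimately carry no injection label and reword the message. Separately, Istio's revision-based injection uses the `istio.io/rev` label instead of `istio-injection`, so if that model is in use here the expression needs an alternative clause for it.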
Signed-off-by: Chandan-DK
---
 .../chainsaw-step-01-assert-1.yaml | 6 +++
 .../chainsaw-step-01-assert-2.yaml | 13 +++++++
 .../.chainsaw-test/chainsaw-test.yaml | 33 ++++++++++++++++
 .../.chainsaw-test/pa-bad.yaml | 26 +++++++++++++
 .../.chainsaw-test/pa-good.yaml | 39 +++++++++++++++++++
 .../enforce-strict-mtls/artifacthub-pkg.yml | 22 +++++++++++
 .../enforce-strict-mtls.yaml | 35 +++++++++++++++++
 7 files changed, 174 insertions(+)
 create mode 100755 istio-cel/enforce-strict-mtls/.chainsaw-test/chainsaw-step-01-assert-1.yaml
 create mode 100755 istio-cel/enforce-strict-mtls/.chainsaw-test/chainsaw-step-01-assert-2.yaml
 create mode 100755 istio-cel/enforce-strict-mtls/.chainsaw-test/chainsaw-test.yaml
 create mode 100644 istio-cel/enforce-strict-mtls/.chainsaw-test/pa-bad.yaml
 create mode 100644 istio-cel/enforce-strict-mtls/.chainsaw-test/pa-good.yaml
 create mode 100644 istio-cel/enforce-strict-mtls/artifacthub-pkg.yml
 create mode 100644 istio-cel/enforce-strict-mtls/enforce-strict-mtls.yaml
diff --git a/istio-cel/enforce-strict-mtls/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/istio-cel/enforce-strict-mtls/.chainsaw-test/chainsaw-step-01-assert-1.yaml
new file mode 100755
index 000000000..c5f7637cb
--- /dev/null
+++ b/istio-cel/enforce-strict-mtls/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -0,0 +1,6 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: enforce-strict-mtls
+status:
+ ready: true
diff --git a/istio-cel/enforce-strict-mtls/.chainsaw-test/chainsaw-step-01-assert-2.yaml b/istio-cel/enforce-strict-mtls/.chainsaw-test/chainsaw-step-01-assert-2.yaml
new file mode 100755
index 000000000..56561a629
--- /dev/null
+++ b/istio-cel/enforce-strict-mtls/.chainsaw-test/chainsaw-step-01-assert-2.yaml
@@ -0,0 +1,13 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ name: peerauthentications.security.istio.io
+spec: {}
+status:
+ acceptedNames:
+ kind: PeerAuthentication
+ listKind: PeerAuthenticationList
+ plural: peerauthentications
+ singular: peerauthentication
+ storedVersions:
+ - v1beta1
diff --git a/istio-cel/enforce-strict-mtls/.chainsaw-test/chainsaw-test.yaml b/istio-cel/enforce-strict-mtls/.chainsaw-test/chainsaw-test.yaml
new file mode 100755
index 000000000..42a348d52
--- /dev/null
+++ b/istio-cel/enforce-strict-mtls/.chainsaw-test/chainsaw-test.yaml
@@ -0,0 +1,33 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: enforce-strict-mtls
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: ../enforce-strict-mtls.yaml
+ - patch:
+ resource:
+ apiVersion: kyverno.io/v1
+ kind: ClusterPolicy
+ metadata:
+ name: enforce-strict-mtls
+ spec:
+ validationFailureAction: Enforce
+ - assert:
+ file: chainsaw-step-01-assert-1.yaml
+ - assert:
+ file: chainsaw-step-01-assert-2.yaml
+ - name: step-02
+ try:
+ - apply:
+ file: pa-good.yaml
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: pa-bad.yaml
diff --git a/istio-cel/enforce-strict-mtls/.chainsaw-test/pa-bad.yaml b/istio-cel/enforce-strict-mtls/.chainsaw-test/pa-bad.yaml
new file mode 100644
index 000000000..771d21f3d
--- /dev/null
+++ b/istio-cel/enforce-strict-mtls/.chainsaw-test/pa-bad.yaml
@@ -0,0 +1,26 @@
+apiVersion: security.istio.io/v1beta1
+kind: PeerAuthentication
+metadata:
+ name: pa-bad01
+spec:
+ mtls:
+ mode: PERMISSIVE
+---
+apiVersion: security.istio.io/v1beta1
+kind: PeerAuthentication
+metadata:
+ name: pa-bad02
+spec:
+ mtls:
+ mode: DISABLE
+---
+apiVersion: security.istio.io/v1beta1
+kind: PeerAuthentication
+metadata:
+ name: pa-bad03
+spec:
+ selector:
+ matchLabels:
+ app: finance
+ mtls:
+ mode: DISABLE
\ No newline at end of file
diff --git a/istio-cel/enforce-strict-mtls/.chainsaw-test/pa-good.yaml b/istio-cel/enforce-strict-mtls/.chainsaw-test/pa-good.yaml
new file mode 100644
index 000000000..0d2d9d383
--- /dev/null
+++ b/istio-cel/enforce-strict-mtls/.chainsaw-test/pa-good.yaml
@@ -0,0 +1,39 @@
+apiVersion: security.istio.io/v1beta1
+kind: PeerAuthentication
+metadata:
+ name: good-pa01
+spec:
+ mtls:
+ mode: STRICT
+---
+apiVersion: security.istio.io/v1beta1
+kind: PeerAuthentication
+metadata:
+ name: good-pa02
+spec:
+ mtls:
+ mode: UNSET
+---
+apiVersion: security.istio.io/v1beta1
+kind: PeerAuthentication
+metadata:
+ name: good-pa03
+spec: {}
+---
+apiVersion: security.istio.io/v1beta1
+kind: PeerAuthentication
+metadata:
+ name: good-pa04
+spec:
+ selector:
+ matchLabels:
+ app: finance
+ mtls:
+ mode: STRICT
+---
+apiVersion: security.istio.io/v1beta1
+kind: PeerAuthentication
+metadata:
+ name: good-pa05
+spec:
+ mtls: {}
\ No newline at end of file
diff --git a/istio-cel/enforce-strict-mtls/artifacthub-pkg.yml b/istio-cel/enforce-strict-mtls/artifacthub-pkg.yml
new file mode 100644
index 000000000..8206d79c9
--- /dev/null
+++ b/istio-cel/enforce-strict-mtls/artifacthub-pkg.yml
@@ -0,0 +1,22 @@
+name: enforce-strict-mtls
+version: 1.0.0
+displayName: Enforce Istio Strict mTLS
+createdAt: "2023-04-10T20:07:52.000Z"
+description: >-
+ Strict mTLS requires that mutual TLS be enabled across the entire service mesh, which can be set using a PeerAuthentication resource on a per-Namespace basis and, if set on the `istio-system` Namespace could disable it across the entire mesh. Disabling mTLS can reduce the security for traffic within that portion of the mesh and should be controlled. This policy prevents disabling strict mTLS in a PeerAuthentication resource by requiring the `mode` be set to either `UNSET` or `STRICT`.
+install: |-
+ ```shell
+ kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/istio/enforce-strict-mtls/enforce-strict-mtls.yaml
+ ```
+keywords:
+ - kyverno
+ - Istio
+readme: |
+ Strict mTLS requires that mutual TLS be enabled across the entire service mesh, which can be set using a PeerAuthentication resource on a per-Namespace basis and, if set on the `istio-system` Namespace could disable it across the entire mesh. Disabling mTLS can reduce the security for traffic within that portion of the mesh and should be controlled. This policy prevents disabling strict mTLS in a PeerAuthentication resource by requiring the `mode` be set to either `UNSET` or `STRICT`.
+
+ Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/
+annotations:
+ kyverno/category: "Istio"
+ kyverno/kubernetesVersion: "1.24"
+ kyverno/subject: "PeerAuthentication"
+digest: 1e7fbe8c0819be0142c61113b26cbcfe19ec3ca65a9b336165cbe0b1dc1b22b7
diff --git a/istio-cel/enforce-strict-mtls/enforce-strict-mtls.yaml b/istio-cel/enforce-strict-mtls/enforce-strict-mtls.yaml
new file mode 100644
index 000000000..2d3dfe81d
--- /dev/null
+++ b/istio-cel/enforce-strict-mtls/enforce-strict-mtls.yaml
@@ -0,0 +1,35 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: enforce-strict-mtls
+ annotations:
+ policies.kyverno.io/title: Enforce Istio Strict mTLS
+ policies.kyverno.io/category: Istio
+ policies.kyverno.io/severity: medium
+ policies.kyverno.io/subject: PeerAuthentication
+ kyverno.io/kyverno-version: 1.8.0
+ policies.kyverno.io/minversion: 1.6.0
+ kyverno.io/kubernetes-version: "1.24"
+ policies.kyverno.io/description: >-
+ Strict mTLS requires that mutual TLS be enabled across the entire service mesh, which
+ can be set using a PeerAuthentication resource on a per-Namespace basis and, if set on
+ the `istio-system` Namespace could disable it across the entire mesh. Disabling mTLS
+ can reduce the security for traffic within that portion of the mesh and should be controlled.
+ This policy prevents disabling strict mTLS in a PeerAuthentication resource by requiring
+ the `mode` be set to either `UNSET` or `STRICT`.
+spec:
+ validationFailureAction: audit
+ background: true
+ rules:
+ - name: validate-mtls
+ match:
+ any:
+ - resources:
+ kinds:
+ - PeerAuthentication
+ validate:
+ message: "PeerAuthentication resources may only set UNSET or STRICT for the mode."
+ pattern:
+ =(spec):
+ =(mtls):
+ =(mode): "UNSET | STRICT"
\ No newline at end of file
From 7424d9c0d557c5e090a4ef5f5db8e8a07b1cdc27 Mon Sep 17 00:00:00 2001
From: Chandan-DK
Date: Sun, 12 May 2024 04:41:13 +0000
Subject: [PATCH 05/32] add kyverno tests for enforce-strict-mtls
Signed-off-by: Chandan-DK
---
 .../.kyverno-test/kyverno-test.yaml | 29 +++++++++++++++++++
 .../.kyverno-test/kyverno-test.yaml | 29 +++++++++++++++++++
 2 files changed, 58 insertions(+)
 create mode 100644 istio-cel/enforce-strict-mtls/.kyverno-test/kyverno-test.yaml
 create mode 100644 istio/enforce-strict-mtls/.kyverno-test/kyverno-test.yaml
diff --git a/istio-cel/enforce-strict-mtls/.kyverno-test/kyverno-test.yaml b/istio-cel/enforce-strict-mtls/.kyverno-test/kyverno-test.yaml
new file mode 100644
index 000000000..f4018437a
--- /dev/null
+++ b/istio-cel/enforce-strict-mtls/.kyverno-test/kyverno-test.yaml
@@ -0,0 +1,29 @@
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ name: enforce-strict-mtls
+policies:
+- ../enforce-strict-mtls.yaml
+resources:
+- ../.chainsaw-test/pa-bad.yaml
+- ../.chainsaw-test/pa-good.yaml
+results:
+- policy: enforce-strict-mtls
+ rule: validate-mtls
+ kind: PeerAuthentication
+ resources:
+ - pa-bad01
+ - pa-bad02
+ - pa-bad03
+ result: fail
+- policy: enforce-strict-mtls
+ rule: validate-mtls
+ kind: PeerAuthentication
+ resources:
+ - good-pa01
+ - good-pa02
+ - good-pa03
+ - good-pa04
+ - good-pa05
+ result: pass
+
diff --git a/istio/enforce-strict-mtls/.kyverno-test/kyverno-test.yaml b/istio/enforce-strict-mtls/.kyverno-test/kyverno-test.yaml
new file mode 100644
index 000000000..f4018437a
--- /dev/null
+++ b/istio/enforce-strict-mtls/.kyverno-test/kyverno-test.yaml
@@ -0,0 +1,29 @@
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ name: enforce-strict-mtls
+policies:
+- ../enforce-strict-mtls.yaml
+resources:
+- ../.chainsaw-test/pa-bad.yaml
+- ../.chainsaw-test/pa-good.yaml
+results:
+- policy: enforce-strict-mtls
+ rule: validate-mtls
+ kind: PeerAuthentication
+ resources:
+ - pa-bad01
+ - pa-bad02
+ - pa-bad03
+ result: fail
+- policy: enforce-strict-mtls
+ rule: validate-mtls
+ kind: PeerAuthentication
+ resources:
+ - good-pa01
+ - good-pa02
+ - good-pa03
+ - good-pa04
+ - good-pa05
+ result: pass
+
From 99772711f74618b4f1e4a4da18b9d6b681641de0 Mon Sep 17 00:00:00 2001
From: Chandan-DK
Date: Sun, 12 May 2024 04:42:29 +0000
Subject: [PATCH 06/32] convert enforce-strict-mtls
Signed-off-by: Chandan-DK
---
 .../enforce-strict-mtls/artifacthub-pkg.yml | 16 +++++++------
 .../enforce-strict-mtls.yaml | 24 ++++++++++---------
 2 files changed, 22 insertions(+), 18 deletions(-)
diff --git a/istio-cel/enforce-strict-mtls/artifacthub-pkg.yml b/istio-cel/enforce-strict-mtls/artifacthub-pkg.yml
index 8206d79c9..c7026d3d6 100644
--- a/istio-cel/enforce-strict-mtls/artifacthub-pkg.yml
+++ b/istio-cel/enforce-strict-mtls/artifacthub-pkg.yml
@@ -1,22 +1,24 @@ -name: enforce-strict-mtls +name: enforce-strict-mtls-cel version: 1.0.0 -displayName: Enforce Istio Strict mTLS -createdAt: "2023-04-10T20:07:52.000Z" +displayName: Enforce Istio Strict mTLS in CEL expressions description: >- Strict mTLS requires that mutual TLS be enabled across the entire service mesh, which can be set using a PeerAuthentication resource on a per-Namespace basis and, if set on the `istio-system` Namespace could disable it across the entire mesh. Disabling mTLS can reduce the security for traffic within that portion of the mesh and should be controlled. This policy prevents disabling strict mTLS in a PeerAuthentication resource by requiring the `mode` be set to either `UNSET` or `STRICT`. install: |- ```shell - kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/istio/enforce-strict-mtls/enforce-strict-mtls.yaml + kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/istio-cel/enforce-strict-mtls/enforce-strict-mtls.yaml ``` keywords: - kyverno - Istio + - CEL Expressions readme: | Strict mTLS requires that mutual TLS be enabled across the entire service mesh, which can be set using a PeerAuthentication resource on a per-Namespace basis and, if set on the `istio-system` Namespace could disable it across the entire mesh. Disabling mTLS can reduce the security for traffic within that portion of the mesh and should be controlled. This policy prevents disabling strict mTLS in a PeerAuthentication resource by requiring the `mode` be set to either `UNSET` or `STRICT`. 
Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ annotations: - kyverno/category: "Istio" - kyverno/kubernetesVersion: "1.24" + kyverno/category: "Istio in CEL" + kyverno/kubernetesVersion: "1.26-1.27" kyverno/subject: "PeerAuthentication" -digest: 1e7fbe8c0819be0142c61113b26cbcfe19ec3ca65a9b336165cbe0b1dc1b22b7 +digest: 26293d242662d9575b51d80c63d8fe3add2a3cd1ce0c4e8f38aae602d8eb7e1a +createdAt: "2024-05-12T04:41:47Z" + diff --git a/istio-cel/enforce-strict-mtls/enforce-strict-mtls.yaml b/istio-cel/enforce-strict-mtls/enforce-strict-mtls.yaml index 2d3dfe81d..057b6e2bc 100644 --- a/istio-cel/enforce-strict-mtls/enforce-strict-mtls.yaml +++ b/istio-cel/enforce-strict-mtls/enforce-strict-mtls.yaml @@ -3,13 +3,13 @@ kind: ClusterPolicy metadata: name: enforce-strict-mtls annotations: - policies.kyverno.io/title: Enforce Istio Strict mTLS - policies.kyverno.io/category: Istio + policies.kyverno.io/title: Enforce Istio Strict mTLS in CEL expressions + policies.kyverno.io/category: Istio in CEL policies.kyverno.io/severity: medium policies.kyverno.io/subject: PeerAuthentication - kyverno.io/kyverno-version: 1.8.0 - policies.kyverno.io/minversion: 1.6.0 - kyverno.io/kubernetes-version: "1.24" + kyverno.io/kyverno-version: 1.11.0 + policies.kyverno.io/minversion: 1.11.0 + kyverno.io/kubernetes-version: "1.26-1.27" policies.kyverno.io/description: >- Strict mTLS requires that mutual TLS be enabled across the entire service mesh, which can be set using a PeerAuthentication resource on a per-Namespace basis and, if set on @@ -18,7 +18,7 @@ metadata: This policy prevents disabling strict mTLS in a PeerAuthentication resource by requiring the `mode` be set to either `UNSET` or `STRICT`. spec: - validationFailureAction: audit + validationFailureAction: Audit background: true rules: - name: validate-mtls 
@@ -28,8 +28,10 @@ spec: kinds: - PeerAuthentication validate: - message: "PeerAuthentication resources may only set UNSET or STRICT for the mode." - pattern: - =(spec): - =(mtls): - =(mode): "UNSET | STRICT" \ No newline at end of file + cel: + expressions: + - expression: >- + !has(object.spec) || !has(object.spec.mtls) || !has(object.spec.mtls.mode) || + object.spec.mtls.mode in ['UNSET', 'STRICT'] + message: "PeerAuthentication resources may only set UNSET or STRICT for the mode." + From c5605c1ec356205b7616961de00b946ed80a8428 Mon Sep 17 00:00:00 2001 From: Chandan-DK Date: Sun, 12 May 2024 04:43:04 +0000 Subject: [PATCH 07/32] copy enforce-tls-hosts-host-subnets Signed-off-by: Chandan-DK --- .../chainsaw-step-01-assert-1.yaml | 6 +++ .../chainsaw-step-01-assert-2.yaml | 13 +++++ .../.chainsaw-test/chainsaw-test.yaml | 33 ++++++++++++ .../.chainsaw-test/dr-bad.yaml | 21 ++++++++ .../.chainsaw-test/dr-good.yaml | 50 +++++++++++++++++++ .../artifacthub-pkg.yml | 22 ++++++++ .../enforce-tls-hosts-host-subnets.yaml | 34 +++++++++++++ 7 files changed, 179 insertions(+) create mode 100755 istio-cel/enforce-tls-hosts-host-subnets/.chainsaw-test/chainsaw-step-01-assert-1.yaml create mode 100755 istio-cel/enforce-tls-hosts-host-subnets/.chainsaw-test/chainsaw-step-01-assert-2.yaml create mode 100755 istio-cel/enforce-tls-hosts-host-subnets/.chainsaw-test/chainsaw-test.yaml create mode 100644 istio-cel/enforce-tls-hosts-host-subnets/.chainsaw-test/dr-bad.yaml create mode 100644 istio-cel/enforce-tls-hosts-host-subnets/.chainsaw-test/dr-good.yaml create mode 100644 istio-cel/enforce-tls-hosts-host-subnets/artifacthub-pkg.yml create mode 100644 istio-cel/enforce-tls-hosts-host-subnets/enforce-tls-hosts-host-subnets.yaml diff --git a/istio-cel/enforce-tls-hosts-host-subnets/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/istio-cel/enforce-tls-hosts-host-subnets/.chainsaw-test/chainsaw-step-01-assert-1.yaml new file mode 100755 index 000000000..a79bc18f7 --- /dev/null 
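Review bot: The expression in the new `cel` block examines only `spec.mtls.mode`; a PeerAuthentication can also carry per-port settings under `spec.portLevelMtls`, whose `mode` values this rule never inspects, so the guarantee that mTLS cannot be weakened holds only for the workload-level setting (the original pattern rule had the same gap, so this is a pre-existing limitation rather than a regression of the conversion). If it is to be closed here, wrap the existing disjunction in parentheses and AND it with a clause along the lines of `(!has(object.spec) || !has(object.spec.portLevelMtls) || object.spec.portLevelMtls.all(p, !has(object.spec.portLevelMtls[p].mode) || object.spec.portLevelMtls[p].mode in ['UNSET', 'STRICT']))`, and add a port-level fixture to pa-bad.yaml; otherwise the description and message should state that only the top-level mode is checked. Keep the leading `!has(object.spec)` guard either way, since pa-good.yaml includes a resource with `spec: {}`. The rule's match block lies above this hunk, outside it.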
+++ b/istio-cel/enforce-tls-hosts-host-subnets/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -0,0 +1,6 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: enforce-tls-hosts-host-subnets
+status:
+ ready: true
diff --git a/istio-cel/enforce-tls-hosts-host-subnets/.chainsaw-test/chainsaw-step-01-assert-2.yaml b/istio-cel/enforce-tls-hosts-host-subnets/.chainsaw-test/chainsaw-step-01-assert-2.yaml
new file mode 100755
index 000000000..0e3bbf237
--- /dev/null
+++ b/istio-cel/enforce-tls-hosts-host-subnets/.chainsaw-test/chainsaw-step-01-assert-2.yaml
@@ -0,0 +1,13 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ name: destinationrules.networking.istio.io
+spec: {}
+status:
+ acceptedNames:
+ kind: DestinationRule
+ listKind: DestinationRuleList
+ plural: destinationrules
+ singular: destinationrule
+ storedVersions:
+ - v1alpha3
diff --git a/istio-cel/enforce-tls-hosts-host-subnets/.chainsaw-test/chainsaw-test.yaml b/istio-cel/enforce-tls-hosts-host-subnets/.chainsaw-test/chainsaw-test.yaml
new file mode 100755
index 000000000..5e326306f
--- /dev/null
+++ b/istio-cel/enforce-tls-hosts-host-subnets/.chainsaw-test/chainsaw-test.yaml
@@ -0,0 +1,33 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: enforce-tls-hosts-host-subnets
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: ../enforce-tls-hosts-host-subnets.yaml
+ - patch:
+ resource:
+ apiVersion: kyverno.io/v1
+ kind: ClusterPolicy
+ metadata:
+ name: enforce-tls-hosts-host-subnets
+ spec:
+ validationFailureAction: Enforce
+ - assert:
+ file: chainsaw-step-01-assert-1.yaml
+ - assert:
+ file: chainsaw-step-01-assert-2.yaml
+ - name: step-02
+ try:
+ - apply:
+ file: dr-good.yaml
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: dr-bad.yaml
diff --git a/istio-cel/enforce-tls-hosts-host-subnets/.chainsaw-test/dr-bad.yaml b/istio-cel/enforce-tls-hosts-host-subnets/.chainsaw-test/dr-bad.yaml
new file mode 100644
index 000000000..c81065024
--- /dev/null
+++ b/istio-cel/enforce-tls-hosts-host-subnets/.chainsaw-test/dr-bad.yaml
@@ -0,0 +1,21 @@
+apiVersion: networking.istio.io/v1alpha3
+kind: DestinationRule
+metadata:
+ name: bad-dr01
+spec:
+ host: ratings.prod.svc.cluster.local
+ trafficPolicy:
+ loadBalancer:
+ simple: LEAST_REQUEST
+ tls:
+ mode: DISABLE
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: DestinationRule
+metadata:
+ name: bad-dr02
+spec:
+ host: ratings.prod.svc.cluster.local
+ trafficPolicy:
+ tls:
+ mode: DISABLE
\ No newline at end of file
diff --git a/istio-cel/enforce-tls-hosts-host-subnets/.chainsaw-test/dr-good.yaml b/istio-cel/enforce-tls-hosts-host-subnets/.chainsaw-test/dr-good.yaml
new file mode 100644
index 000000000..e664cc11f
--- /dev/null
+++ b/istio-cel/enforce-tls-hosts-host-subnets/.chainsaw-test/dr-good.yaml
@@ -0,0 +1,50 @@ +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: good-dr01 +spec: + host: ratings.prod.svc.cluster.local + trafficPolicy: + loadBalancer: + simple: LEAST_REQUEST + tls: + mode: MUTUAL +--- +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: good-dr02 +spec: + host: ratings.prod.svc.cluster.local + trafficPolicy: + tls: + mode: SIMPLE +--- +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: good-dr03 +spec: + host: ratings.prod.svc.cluster.local + trafficPolicy: + loadBalancer: + simple: LEAST_REQUEST + tls: + mode: ISTIO_MUTUAL +--- +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: good-dr04 +spec: + host: ratings.prod.svc.cluster.local +--- +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: good-dr05 +spec: + host: ratings.prod.svc.cluster.local + trafficPolicy: + loadBalancer: + simple: LEAST_REQUEST \ No newline at end of file diff --git a/istio-cel/enforce-tls-hosts-host-subnets/artifacthub-pkg.yml b/istio-cel/enforce-tls-hosts-host-subnets/artifacthub-pkg.yml new file mode 100644 index 000000000..a29067dea --- /dev/null +++ b/istio-cel/enforce-tls-hosts-host-subnets/artifacthub-pkg.yml 
@@ -0,0 +1,22 @@ +name: enforce-tls-hosts-host-subnets +version: 1.0.0 +displayName: Enforce Istio TLS on Hosts and Host Subnets +createdAt: "2023-04-10T20:07:52.000Z" +description: >- + Once a routing decision has been made, a DestinationRule can be used to define how traffic should be sent to another service. The trafficPolicy object can control how TLS is handled to the destination host. This policy enforces that the TLS mode cannot be set to a value of `DISABLE`. +install: |- + ```shell + kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/istio/enforce-tls-hosts-host-subnets/enforce-tls-hosts-host-subnets.yaml + ``` +keywords: + - kyverno + - Istio +readme: | + Once a routing decision has been made, a DestinationRule can be used to define how traffic should be sent to another service. The trafficPolicy object can control how TLS is handled to the destination host. This policy enforces that the TLS mode cannot be set to a value of `DISABLE`. + + Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ +annotations: + kyverno/category: "Istio" + kyverno/kubernetesVersion: "1.24" + kyverno/subject: "DestinationRule" +digest: 4825f2ffc9b90a1ddfc2055dd5afff807725961d52416b3be4276c384f05fc95 diff --git a/istio-cel/enforce-tls-hosts-host-subnets/enforce-tls-hosts-host-subnets.yaml b/istio-cel/enforce-tls-hosts-host-subnets/enforce-tls-hosts-host-subnets.yaml new file mode 100644 index 000000000..1e7971bcb --- /dev/null +++ b/istio-cel/enforce-tls-hosts-host-subnets/enforce-tls-hosts-host-subnets.yaml 
@@ -0,0 +1,34 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: enforce-tls-hosts-host-subnets + annotations: + policies.kyverno.io/title: Enforce Istio TLS on Hosts and Host Subnets + policies.kyverno.io/category: Istio + policies.kyverno.io/severity: medium + policies.kyverno.io/subject: DestinationRule + kyverno.io/kyverno-version: 1.8.0 + policies.kyverno.io/minversion: 1.6.0 + kyverno.io/kubernetes-version: "1.24" + policies.kyverno.io/description: >- + Once a routing decision has been made, a DestinationRule can be used to define how traffic + should be sent to another service. The trafficPolicy object can control how TLS is handled + to the destination host. This policy enforces that the TLS mode cannot be set to a value + of `DISABLE`. +spec: + validationFailureAction: audit + background: true + rules: + - name: destrule + match: + any: + - resources: + kinds: + - DestinationRule + validate: + message: "TLS may not be disabled for the trafficPolicy in any host." + pattern: + =(spec): + =(trafficPolicy): + =(tls): + =(mode): "!DISABLE" \ No newline at end of file From 14fe8c9c9fa4f2619fdb94754c9fbd1f0c3631c2 Mon Sep 17 00:00:00 2001 From: Chandan-DK Date: Sun, 12 May 2024 04:44:17 +0000 Subject: [PATCH 08/32] add kyverno tests for enforce-tls-hosts-host-subnets Signed-off-by: Chandan-DK --- .../.kyverno-test/kyverno-test.yaml | 28 +++++++++++++++++++ .../.kyverno-test/kyverno-test.yaml | 28 +++++++++++++++++++ 2 files changed, 56 insertions(+) create mode 100644 istio-cel/enforce-tls-hosts-host-subnets/.kyverno-test/kyverno-test.yaml create mode 100644 istio/enforce-tls-hosts-host-subnets/.kyverno-test/kyverno-test.yaml diff --git a/istio-cel/enforce-tls-hosts-host-subnets/.kyverno-test/kyverno-test.yaml b/istio-cel/enforce-tls-hosts-host-subnets/.kyverno-test/kyverno-test.yaml new file mode 100644 index 000000000..8b2e1cf9b --- /dev/null +++ b/istio-cel/enforce-tls-hosts-host-subnets/.kyverno-test/kyverno-test.yaml 
@@ -0,0 +1,28 @@ +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: enforce-tls-hosts-host-subnets +policies: +- ../enforce-tls-hosts-host-subnets.yaml +resources: +- ../.chainsaw-test/dr-bad.yaml +- ../.chainsaw-test/dr-good.yaml +results: +- policy: enforce-tls-hosts-host-subnets + rule: destrule + kind: DestinationRule + resources: + - bad-dr01 + - bad-dr02 + result: fail +- policy: enforce-tls-hosts-host-subnets + rule: destrule + kind: DestinationRule + resources: + - good-dr01 + - good-dr02 + - good-dr03 + - good-dr04 + - good-dr05 + result: pass + diff --git a/istio/enforce-tls-hosts-host-subnets/.kyverno-test/kyverno-test.yaml b/istio/enforce-tls-hosts-host-subnets/.kyverno-test/kyverno-test.yaml new file mode 100644 index 000000000..8b2e1cf9b --- /dev/null +++ b/istio/enforce-tls-hosts-host-subnets/.kyverno-test/kyverno-test.yaml @@ -0,0 +1,28 @@ +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: enforce-tls-hosts-host-subnets +policies: +- ../enforce-tls-hosts-host-subnets.yaml +resources: +- ../.chainsaw-test/dr-bad.yaml +- ../.chainsaw-test/dr-good.yaml +results: +- policy: enforce-tls-hosts-host-subnets + rule: destrule + kind: DestinationRule + resources: + - bad-dr01 + - bad-dr02 + result: fail +- policy: enforce-tls-hosts-host-subnets + rule: destrule + kind: DestinationRule + resources: + - good-dr01 + - good-dr02 + - good-dr03 + - good-dr04 + - good-dr05 + result: pass + From f590890f567f3afe0d5adf5834c0f60a1c6d61fa Mon Sep 17 00:00:00 2001 From: Chandan-DK Date: Sun, 12 May 2024 04:44:52 +0000 Subject: [PATCH 09/32] convert enforce-tls-hosts-host-subnets Signed-off-by: Chandan-DK --- .../artifacthub-pkg.yml | 16 ++++++------ .../enforce-tls-hosts-host-subnets.yaml | 25 ++++++++++--------- 2 files changed, 22 insertions(+), 19 deletions(-) diff --git a/istio-cel/enforce-tls-hosts-host-subnets/artifacthub-pkg.yml b/istio-cel/enforce-tls-hosts-host-subnets/artifacthub-pkg.yml index a29067dea..06286c113 100644 
--- a/istio-cel/enforce-tls-hosts-host-subnets/artifacthub-pkg.yml +++ b/istio-cel/enforce-tls-hosts-host-subnets/artifacthub-pkg.yml @@ -1,22 +1,24 @@ -name: enforce-tls-hosts-host-subnets +name: enforce-tls-hosts-host-subnets-cel version: 1.0.0 -displayName: Enforce Istio TLS on Hosts and Host Subnets -createdAt: "2023-04-10T20:07:52.000Z" +displayName: Enforce Istio TLS on Hosts and Host Subnets in CEL expressions description: >- Once a routing decision has been made, a DestinationRule can be used to define how traffic should be sent to another service. The trafficPolicy object can control how TLS is handled to the destination host. This policy enforces that the TLS mode cannot be set to a value of `DISABLE`. install: |- ```shell - kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/istio/enforce-tls-hosts-host-subnets/enforce-tls-hosts-host-subnets.yaml + kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/istio-cel/enforce-tls-hosts-host-subnets/enforce-tls-hosts-host-subnets.yaml ``` keywords: - kyverno - Istio + - CEL Expressions readme: | Once a routing decision has been made, a DestinationRule can be used to define how traffic should be sent to another service. The trafficPolicy object can control how TLS is handled to the destination host. This policy enforces that the TLS mode cannot be set to a value of `DISABLE`. Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ annotations: - kyverno/category: "Istio" - kyverno/kubernetesVersion: "1.24" + kyverno/category: "Istio in CEL" + kyverno/kubernetesVersion: "1.26-1.27" kyverno/subject: "DestinationRule" -digest: 4825f2ffc9b90a1ddfc2055dd5afff807725961d52416b3be4276c384f05fc95 +digest: 8959b2a0a57b4a644f5a7fed18d17f3da4e081ab6317a732e1f85b488c65cf18 +createdAt: "2024-05-12T04:44:32Z" + 
diff --git a/istio-cel/enforce-tls-hosts-host-subnets/enforce-tls-hosts-host-subnets.yaml b/istio-cel/enforce-tls-hosts-host-subnets/enforce-tls-hosts-host-subnets.yaml index 1e7971bcb..367a9efc0 100644 --- a/istio-cel/enforce-tls-hosts-host-subnets/enforce-tls-hosts-host-subnets.yaml +++ b/istio-cel/enforce-tls-hosts-host-subnets/enforce-tls-hosts-host-subnets.yaml @@ -3,20 +3,20 @@ kind: ClusterPolicy metadata: name: enforce-tls-hosts-host-subnets annotations: - policies.kyverno.io/title: Enforce Istio TLS on Hosts and Host Subnets - policies.kyverno.io/category: Istio + policies.kyverno.io/title: Enforce Istio TLS on Hosts and Host Subnets in CEL expressions + policies.kyverno.io/category: Istio in CEL policies.kyverno.io/severity: medium policies.kyverno.io/subject: DestinationRule - kyverno.io/kyverno-version: 1.8.0 - policies.kyverno.io/minversion: 1.6.0 - kyverno.io/kubernetes-version: "1.24" + kyverno.io/kyverno-version: 1.11.0 + policies.kyverno.io/minversion: 1.11.0 + kyverno.io/kubernetes-version: "1.26-1.27" policies.kyverno.io/description: >- Once a routing decision has been made, a DestinationRule can be used to define how traffic should be sent to another service. The trafficPolicy object can control how TLS is handled to the destination host. This policy enforces that the TLS mode cannot be set to a value of `DISABLE`. spec: - validationFailureAction: audit + validationFailureAction: Audit background: true rules: - name: destrule 
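Review bot: The ClusterPolicy keeps `name: enforce-tls-hosts-host-subnets` while the Artifact Hub package in the same commit is renamed to `enforce-tls-hosts-host-subnets-cel`, so the pattern-based and CEL-based variants are distinct packages that resolve to the same cluster-scoped object; applying both in one cluster silently replaces one with the other rather than installing two policies. This is likely the repository's convention for the `istio-cel` tree, but it is worth a one-line note in the description, e.g. `This is the CEL variant of enforce-tls-hosts-host-subnets and replaces it when applied to the same cluster.`, so operators do not expect both to coexist. The `match` block of rule `destrule` continues outside this hunk.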
@@ -26,9 +26,10 @@ spec: kinds: - DestinationRule validate: - message: "TLS may not be disabled for the trafficPolicy in any host." - pattern: - =(spec): - =(trafficPolicy): - =(tls): - =(mode): "!DISABLE" \ No newline at end of file + cel: + expressions: + - expression: >- + !has(object.spec) || !has(object.spec.trafficPolicy) || !has(object.spec.trafficPolicy.tls) || + !has(object.spec.trafficPolicy.tls.mode) || object.spec.trafficPolicy.tls.mode != 'DISABLE' + message: "TLS may not be disabled for the trafficPolicy in any host." + From 4b07ffe113f39ac759921e92ab3a14b24dffbddd Mon Sep 17 00:00:00 2001 From: Chandan-DK Date: Sun, 12 May 2024 04:45:28 +0000 Subject: [PATCH 10/32] copy prevent-disabling-injection-pods Signed-off-by: Chandan-DK --- .../chainsaw-step-01-assert-1.yaml | 6 ++ .../.chainsaw-test/chainsaw-test.yaml | 38 ++++++++ .../.chainsaw-test/pod-bad.yaml | 27 ++++++ .../.chainsaw-test/pod-good.yaml | 26 ++++++ .../.chainsaw-test/podcontroller-bad.yaml | 87 +++++++++++++++++++ .../.chainsaw-test/podcontroller-good.yaml | 85 ++++++++++++++++++ .../artifacthub-pkg.yml | 22 +++++ .../prevent-disabling-injection-pods.yaml | 33 +++++++ 8 files changed, 324 insertions(+) create mode 100755 istio-cel/prevent-disabling-injection-pods/.chainsaw-test/chainsaw-step-01-assert-1.yaml create mode 100755 istio-cel/prevent-disabling-injection-pods/.chainsaw-test/chainsaw-test.yaml create mode 100644 istio-cel/prevent-disabling-injection-pods/.chainsaw-test/pod-bad.yaml create mode 100644 istio-cel/prevent-disabling-injection-pods/.chainsaw-test/pod-good.yaml create mode 100644 istio-cel/prevent-disabling-injection-pods/.chainsaw-test/podcontroller-bad.yaml create mode 100644 istio-cel/prevent-disabling-injection-pods/.chainsaw-test/podcontroller-good.yaml create mode 100644 istio-cel/prevent-disabling-injection-pods/artifacthub-pkg.yml create mode 100644 istio-cel/prevent-disabling-injection-pods/prevent-disabling-injection-pods.yaml 
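Review bot: The new CEL expression only inspects `object.spec.trafficPolicy.tls.mode`, so a DestinationRule that disables TLS lower down — under `spec.subsets[].trafficPolicy.tls.mode`, or in `portLevelSettings[].tls.mode`, both of which the Istio DestinationRule API accepts as far as I recall — is admitted even though the policy title promises coverage of host subsets. The same gap existed in the `pattern` block this hunk removes, so the conversion is faithful, but CEL can express the subset check directly with `all()` and the conversion is the natural point to close it. The `dr-bad.yaml` fixtures only set `DISABLE` at the top level, so the existing tests would not detect the bypass; a subset-level negative case should be added with this change. The rule's `match` block starts outside this hunk.

```yaml
      validate:
        cel:
          expressions:
            # … unchanged: top-level spec.trafficPolicy.tls.mode expression and its message …
            - expression: >-
                !has(object.spec) || !has(object.spec.subsets) ||
                object.spec.subsets.all(s, !has(s.trafficPolicy) || !has(s.trafficPolicy.tls) ||
                !has(s.trafficPolicy.tls.mode) || s.trafficPolicy.tls.mode != 'DISABLE')
              message: "TLS may not be disabled for the trafficPolicy of any subset."
```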
diff --git a/istio-cel/prevent-disabling-injection-pods/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/istio-cel/prevent-disabling-injection-pods/.chainsaw-test/chainsaw-step-01-assert-1.yaml new file mode 100755 index 000000000..4c6866bd0 --- /dev/null +++ b/istio-cel/prevent-disabling-injection-pods/.chainsaw-test/chainsaw-step-01-assert-1.yaml @@ -0,0 +1,6 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: prevent-disabling-injection-pods +status: + ready: true diff --git a/istio-cel/prevent-disabling-injection-pods/.chainsaw-test/chainsaw-test.yaml b/istio-cel/prevent-disabling-injection-pods/.chainsaw-test/chainsaw-test.yaml new file mode 100755 index 000000000..6c32f0cf8 --- /dev/null +++ b/istio-cel/prevent-disabling-injection-pods/.chainsaw-test/chainsaw-test.yaml @@ -0,0 +1,38 @@ +# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: prevent-disabling-injection-pods +spec: + steps: + - name: step-01 + try: + - apply: + file: ../prevent-disabling-injection-pods.yaml + - patch: + resource: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + metadata: + name: prevent-disabling-injection-pods + spec: + validationFailureAction: Enforce + - assert: + file: chainsaw-step-01-assert-1.yaml + - name: step-02 + try: + - apply: + file: pod-good.yaml + - apply: + file: podcontroller-good.yaml + - apply: + expect: + - check: + ($error != null): true + file: pod-bad.yaml + - apply: + expect: + - check: + ($error != null): true + file: podcontroller-bad.yaml diff --git a/istio-cel/prevent-disabling-injection-pods/.chainsaw-test/pod-bad.yaml b/istio-cel/prevent-disabling-injection-pods/.chainsaw-test/pod-bad.yaml new file mode 100644 index 000000000..d68283137 --- /dev/null +++ b/istio-cel/prevent-disabling-injection-pods/.chainsaw-test/pod-bad.yaml 
@@ -0,0 +1,27 @@ +apiVersion: v1 +kind: Pod +metadata: + labels: + foo: bar + annotations: + app.k8s.io/name: badpod01 + sidecar.istio.io/inject: "false" + name: badpod01 +spec: + containers: + - name: busybox + image: busybox:1.35 +--- +apiVersion: v1 +kind: Pod +metadata: + labels: + foo: bar + annotations: + sidecar.istio.io/inject: "false" + app.k8s.io/name: badpod01 + name: badpod01 +spec: + containers: + - name: busybox + image: busybox:1.35 \ No newline at end of file diff --git a/istio-cel/prevent-disabling-injection-pods/.chainsaw-test/pod-good.yaml b/istio-cel/prevent-disabling-injection-pods/.chainsaw-test/pod-good.yaml new file mode 100644 index 000000000..de1e03c32 --- /dev/null +++ b/istio-cel/prevent-disabling-injection-pods/.chainsaw-test/pod-good.yaml @@ -0,0 +1,26 @@ +apiVersion: v1 +kind: Pod +metadata: + labels: + foo: bar + annotations: + app.k8s.io/name: goodpod01 + sidecar.istio.io/inject: "true" + name: goodpod01 +spec: + containers: + - name: busybox + image: busybox:1.35 +--- +apiVersion: v1 +kind: Pod +metadata: + labels: + foo: bar + annotations: + app.k8s.io/name: goodpod02 + name: goodpod02 +spec: + containers: + - name: busybox + image: busybox:1.35 \ No newline at end of file diff --git a/istio-cel/prevent-disabling-injection-pods/.chainsaw-test/podcontroller-bad.yaml b/istio-cel/prevent-disabling-injection-pods/.chainsaw-test/podcontroller-bad.yaml new file mode 100644 index 000000000..ad858a2d7 --- /dev/null +++ b/istio-cel/prevent-disabling-injection-pods/.chainsaw-test/podcontroller-bad.yaml 
@@ -0,0 +1,87 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: busybox + name: baddeploy01 +spec: + replicas: 1 + selector: + matchLabels: + app: busybox + template: + metadata: + annotations: + sidecar.istio.io/inject: "false" + app.k8s.io/name: busybox + labels: + app: busybox + spec: + containers: + - name: busybox + image: busybox:1.35 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: busybox + name: baddeploy02 +spec: + replicas: 1 + selector: + matchLabels: + app: busybox + template: + metadata: + annotations: + app.k8s.io/name: busybox + sidecar.istio.io/inject: "false" + labels: + app: busybox + spec: + containers: + - name: busybox + image: busybox:1.35 +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob01 +spec: + schedule: "* * * * *" + jobTemplate: + spec: + template: + spec: + annotations: + app.k8s.io/name: busybox + sidecar.istio.io/inject: "false" + containers: + - name: hello + image: busybox:1.35 + command: + - sleep + - 3600 + restartPolicy: OnFailure +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob02 +spec: + schedule: "* * * * *" + jobTemplate: + spec: + template: + spec: + annotations: + sidecar.istio.io/inject: "false" + app.k8s.io/name: busybox + containers: + - name: hello + image: busybox:1.35 + command: + - sleep + - 3600 + restartPolicy: OnFailure \ No newline at end of file diff --git a/istio-cel/prevent-disabling-injection-pods/.chainsaw-test/podcontroller-good.yaml b/istio-cel/prevent-disabling-injection-pods/.chainsaw-test/podcontroller-good.yaml new file mode 100644 index 000000000..387a650ab --- /dev/null +++ b/istio-cel/prevent-disabling-injection-pods/.chainsaw-test/podcontroller-good.yaml 
@@ -0,0 +1,85 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: busybox + name: gooddeploy01 +spec: + replicas: 1 + selector: + matchLabels: + app: busybox + template: + metadata: + annotations: + app.k8s.io/name: busybox + labels: + app: busybox + spec: + containers: + - name: busybox + image: busybox:1.35 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: busybox + name: gooddeploy02 +spec: + replicas: 1 + selector: + matchLabels: + app: busybox + template: + metadata: + annotations: + app.k8s.io/name: busybox + sidecar.istio.io/inject: "true" + labels: + app: busybox + spec: + containers: + - name: busybox + image: busybox:1.35 +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob01 +spec: + schedule: "* * * * *" + jobTemplate: + spec: + template: + spec: + annotations: + app.k8s.io/name: busybox + containers: + - name: hello + image: busybox:1.35 + command: + - "sleep" + - "3600" + restartPolicy: OnFailure +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob02 +spec: + schedule: "* * * * *" + jobTemplate: + spec: + template: + spec: + annotations: + app.k8s.io/name: busybox + sidecar.istio.io/inject: "true" + containers: + - name: hello + image: busybox:1.35 + command: + - "sleep" + - "3600" + restartPolicy: OnFailure \ No newline at end of file diff --git a/istio-cel/prevent-disabling-injection-pods/artifacthub-pkg.yml b/istio-cel/prevent-disabling-injection-pods/artifacthub-pkg.yml new file mode 100644 index 000000000..c9b718b3c --- /dev/null +++ b/istio-cel/prevent-disabling-injection-pods/artifacthub-pkg.yml 
@@ -0,0 +1,22 @@ +name: prevent-disabling-injection-pods +version: 1.0.0 +displayName: Prevent Disabling Istio Sidecar Injection +createdAt: "2023-04-10T20:07:52.000Z" +description: >- + One way sidecar injection in an Istio service mesh may be accomplished is by defining an annotation at the Pod level. Pods not receiving a sidecar cannot participate in the mesh thereby reducing visibility. This policy ensures that Pods cannot set the annotation `sidecar.istio.io/inject` to a value of `false`. +install: |- + ```shell + kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/istio/prevent-disabling-injection-pods/prevent-disabling-injection-pods.yaml + ``` +keywords: + - kyverno + - Istio +readme: | + One way sidecar injection in an Istio service mesh may be accomplished is by defining an annotation at the Pod level. Pods not receiving a sidecar cannot participate in the mesh thereby reducing visibility. This policy ensures that Pods cannot set the annotation `sidecar.istio.io/inject` to a value of `false`. + + Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ +annotations: + kyverno/category: "Istio" + kyverno/kubernetesVersion: "1.24" + kyverno/subject: "Pod" +digest: d9555f2aed790d8fabc6fc8c0ed603f6ee99dce599c4e0114b4a23d0b184fd75 diff --git a/istio-cel/prevent-disabling-injection-pods/prevent-disabling-injection-pods.yaml b/istio-cel/prevent-disabling-injection-pods/prevent-disabling-injection-pods.yaml new file mode 100644 index 000000000..20e71a2b0 --- /dev/null +++ b/istio-cel/prevent-disabling-injection-pods/prevent-disabling-injection-pods.yaml 
@@ -0,0 +1,33 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: prevent-disabling-injection-pods + annotations: + policies.kyverno.io/title: Prevent Disabling Istio Sidecar Injection + policies.kyverno.io/category: Istio + policies.kyverno.io/severity: medium + kyverno.io/kyverno-version: 1.8.0 + policies.kyverno.io/minversion: 1.6.0 + kyverno.io/kubernetes-version: "1.24" + policies.kyverno.io/subject: Pod + policies.kyverno.io/description: >- + One way sidecar injection in an Istio service mesh may be accomplished is by defining + an annotation at the Pod level. Pods not receiving a sidecar cannot participate in the mesh + thereby reducing visibility. This policy ensures that Pods cannot set the annotation + `sidecar.istio.io/inject` to a value of `false`. +spec: + validationFailureAction: audit + background: true + rules: + - name: prohibit-inject-annotation + match: + any: + - resources: + kinds: + - Pod + validate: + message: "Pods may not disable sidecar injection by setting the annotation sidecar.istio.io/inject to a value of false." + pattern: + metadata: + =(annotations): + =(sidecar.istio.io/inject): "!false" \ No newline at end of file From 4ad24eb4ee0fdc6b4b75e11cd185f998b1b39bb8 Mon Sep 17 00:00:00 2001 From: Chandan-DK Date: Sun, 12 May 2024 04:51:12 +0000 Subject: [PATCH 11/32] make corrections in chainsaw resources Signed-off-by: Chandan-DK --- .../.chainsaw-test/pod-bad.yaml | 4 ++-- .../.chainsaw-test/podcontroller-bad.yaml | 12 +++++++----- .../.chainsaw-test/podcontroller-good.yaml | 6 ++++-- .../.chainsaw-test/pod-bad.yaml | 4 ++-- .../.chainsaw-test/podcontroller-bad.yaml | 12 +++++++----- .../.chainsaw-test/podcontroller-good.yaml | 6 ++++-- 6 files changed, 26 insertions(+), 18 deletions(-) diff --git a/istio-cel/prevent-disabling-injection-pods/.chainsaw-test/pod-bad.yaml b/istio-cel/prevent-disabling-injection-pods/.chainsaw-test/pod-bad.yaml index d68283137..3f2e6b492 100644 
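Review bot: The `prohibit-inject-annotation` pattern only negates the value under `metadata.annotations`, but Istio also reads the `sidecar.istio.io/inject` override from a Pod label of the same key (recent Istio releases document the label form as the preferred one), so a Pod carrying `labels: {sidecar.istio.io/inject: "false"}` would be admitted by this policy yet skip injection — confirm against the Istio version targeted. Closing it is two more lines in the same pattern, which Kyverno ANDs with the annotation branch: `=(labels):` followed by `=(sidecar.istio.io/inject): "!false"` at the same depth as the `=(annotations):` entry. Separately, `"!false"` is an exact string comparison; if the injector parses the value leniently (e.g. `False`), that spelling is not covered either, which is worth verifying before relying on this rule in `Enforce` mode.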
--- a/istio-cel/prevent-disabling-injection-pods/.chainsaw-test/pod-bad.yaml +++ b/istio-cel/prevent-disabling-injection-pods/.chainsaw-test/pod-bad.yaml @@ -19,8 +19,8 @@ metadata: foo: bar annotations: sidecar.istio.io/inject: "false" - app.k8s.io/name: badpod01 - name: badpod01 + app.k8s.io/name: badpod02 + name: badpod02 spec: containers: - name: busybox diff --git a/istio-cel/prevent-disabling-injection-pods/.chainsaw-test/podcontroller-bad.yaml b/istio-cel/prevent-disabling-injection-pods/.chainsaw-test/podcontroller-bad.yaml index ad858a2d7..90c90ffc0 100644 --- a/istio-cel/prevent-disabling-injection-pods/.chainsaw-test/podcontroller-bad.yaml +++ b/istio-cel/prevent-disabling-injection-pods/.chainsaw-test/podcontroller-bad.yaml @@ -53,16 +53,17 @@ spec: jobTemplate: spec: template: - spec: + metadata: annotations: app.k8s.io/name: busybox sidecar.istio.io/inject: "false" + spec: containers: - name: hello image: busybox:1.35 command: - sleep - - 3600 + - "3600" restartPolicy: OnFailure --- apiVersion: batch/v1 @@ -74,14 +75,15 @@ spec: jobTemplate: spec: template: - spec: + metadata: annotations: sidecar.istio.io/inject: "false" app.k8s.io/name: busybox + spec: containers: - name: hello image: busybox:1.35 - command: + command: - sleep - - 3600 + - "3600" restartPolicy: OnFailure \ No newline at end of file diff --git a/istio-cel/prevent-disabling-injection-pods/.chainsaw-test/podcontroller-good.yaml b/istio-cel/prevent-disabling-injection-pods/.chainsaw-test/podcontroller-good.yaml index 387a650ab..59d1afa1b 100644 --- a/istio-cel/prevent-disabling-injection-pods/.chainsaw-test/podcontroller-good.yaml +++ b/istio-cel/prevent-disabling-injection-pods/.chainsaw-test/podcontroller-good.yaml @@ -52,9 +52,10 @@ spec: jobTemplate: spec: template: - spec: + metadata: annotations: app.k8s.io/name: busybox + spec: containers: - name: hello image: busybox:1.35 
@@ -72,10 +73,11 @@ spec: jobTemplate: spec: template: - spec: + metadata: annotations: app.k8s.io/name: busybox sidecar.istio.io/inject: "true" + spec: containers: - name: hello image: busybox:1.35 diff --git a/istio/prevent-disabling-injection-pods/.chainsaw-test/pod-bad.yaml b/istio/prevent-disabling-injection-pods/.chainsaw-test/pod-bad.yaml index d68283137..3f2e6b492 100644 --- a/istio/prevent-disabling-injection-pods/.chainsaw-test/pod-bad.yaml +++ b/istio/prevent-disabling-injection-pods/.chainsaw-test/pod-bad.yaml @@ -19,8 +19,8 @@ metadata: foo: bar annotations: sidecar.istio.io/inject: "false" - app.k8s.io/name: badpod01 - name: badpod01 + app.k8s.io/name: badpod02 + name: badpod02 spec: containers: - name: busybox diff --git a/istio/prevent-disabling-injection-pods/.chainsaw-test/podcontroller-bad.yaml b/istio/prevent-disabling-injection-pods/.chainsaw-test/podcontroller-bad.yaml index ad858a2d7..90c90ffc0 100644 --- a/istio/prevent-disabling-injection-pods/.chainsaw-test/podcontroller-bad.yaml +++ b/istio/prevent-disabling-injection-pods/.chainsaw-test/podcontroller-bad.yaml @@ -53,16 +53,17 @@ spec: jobTemplate: spec: template: - spec: + metadata: annotations: app.k8s.io/name: busybox sidecar.istio.io/inject: "false" + spec: containers: - name: hello image: busybox:1.35 command: - sleep - - 3600 + - "3600" restartPolicy: OnFailure --- apiVersion: batch/v1 @@ -74,14 +75,15 @@ spec: jobTemplate: spec: template: - spec: + metadata: annotations: sidecar.istio.io/inject: "false" app.k8s.io/name: busybox + spec: containers: - name: hello image: busybox:1.35 - command: + command: - sleep - - 3600 + - "3600" restartPolicy: OnFailure \ No newline at end of file diff --git a/istio/prevent-disabling-injection-pods/.chainsaw-test/podcontroller-good.yaml b/istio/prevent-disabling-injection-pods/.chainsaw-test/podcontroller-good.yaml index 387a650ab..59d1afa1b 100644 --- a/istio/prevent-disabling-injection-pods/.chainsaw-test/podcontroller-good.yaml 
+++ b/istio/prevent-disabling-injection-pods/.chainsaw-test/podcontroller-good.yaml @@ -52,9 +52,10 @@ spec: jobTemplate: spec: template: - spec: + metadata: annotations: app.k8s.io/name: busybox + spec: containers: - name: hello image: busybox:1.35 @@ -72,10 +73,11 @@ spec: jobTemplate: spec: template: - spec: + metadata: annotations: app.k8s.io/name: busybox sidecar.istio.io/inject: "true" + spec: containers: - name: hello image: busybox:1.35 From 5c1055de20122c50e497f1e59a166914cf4ae86d Mon Sep 17 00:00:00 2001 From: Chandan-DK Date: Sun, 12 May 2024 04:51:35 +0000 Subject: [PATCH 12/32] add kyverno tests for prevent-disabling-injection-pods Signed-off-by: Chandan-DK --- .../.kyverno-test/kyverno-test.yaml | 55 +++++++++++++++++++ .../.kyverno-test/kyverno-test.yaml | 55 +++++++++++++++++++ 2 files changed, 110 insertions(+) create mode 100644 istio-cel/prevent-disabling-injection-pods/.kyverno-test/kyverno-test.yaml create mode 100644 istio/prevent-disabling-injection-pods/.kyverno-test/kyverno-test.yaml diff --git a/istio-cel/prevent-disabling-injection-pods/.kyverno-test/kyverno-test.yaml b/istio-cel/prevent-disabling-injection-pods/.kyverno-test/kyverno-test.yaml new file mode 100644 index 000000000..5aa5be9ad --- /dev/null +++ b/istio-cel/prevent-disabling-injection-pods/.kyverno-test/kyverno-test.yaml 
@@ -0,0 +1,55 @@ +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: prevent-disabling-injection-pods +policies: +- ../prevent-disabling-injection-pods.yaml +resources: +- ../.chainsaw-test/pod-bad.yaml +- ../.chainsaw-test/podcontroller-bad.yaml +- ../.chainsaw-test/pod-good.yaml +- ../.chainsaw-test/podcontroller-good.yaml +results: +- policy: prevent-disabling-injection-pods + rule: prohibit-inject-annotation + kind: Pod + resources: + - badpod01 + - badpod02 + result: fail +- policy: prevent-disabling-injection-pods + rule: prohibit-inject-annotation + kind: Deployment + resources: + - baddeploy01 + - baddeploy02 + result: fail +- policy: prevent-disabling-injection-pods + rule: prohibit-inject-annotation + kind: CronJob + resources: + - badcronjob01 + - badcronjob02 + result: fail +- policy: prevent-disabling-injection-pods + rule: prohibit-inject-annotation + kind: Pod + resources: + - goodpod01 + - goodpod02 + result: pass +- policy: prevent-disabling-injection-pods + rule: prohibit-inject-annotation + kind: Deployment + resources: + - gooddeploy01 + - gooddeploy02 + result: pass +- policy: prevent-disabling-injection-pods + rule: prohibit-inject-annotation + kind: CronJob + resources: + - goodcronjob01 + - goodcronjob02 + result: pass + diff --git a/istio/prevent-disabling-injection-pods/.kyverno-test/kyverno-test.yaml b/istio/prevent-disabling-injection-pods/.kyverno-test/kyverno-test.yaml new file mode 100644 index 000000000..5aa5be9ad --- /dev/null +++ b/istio/prevent-disabling-injection-pods/.kyverno-test/kyverno-test.yaml 
@@ -0,0 +1,55 @@ +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: prevent-disabling-injection-pods +policies: +- ../prevent-disabling-injection-pods.yaml +resources: +- ../.chainsaw-test/pod-bad.yaml +- ../.chainsaw-test/podcontroller-bad.yaml +- ../.chainsaw-test/pod-good.yaml +- ../.chainsaw-test/podcontroller-good.yaml +results: +- policy: prevent-disabling-injection-pods + rule: prohibit-inject-annotation + kind: Pod + resources: + - badpod01 + - badpod02 + result: fail +- policy: prevent-disabling-injection-pods + rule: prohibit-inject-annotation + kind: Deployment + resources: + - baddeploy01 + - baddeploy02 + result: fail +- policy: prevent-disabling-injection-pods + rule: prohibit-inject-annotation + kind: CronJob + resources: + - badcronjob01 + - badcronjob02 + result: fail +- policy: prevent-disabling-injection-pods + rule: prohibit-inject-annotation + kind: Pod + resources: + - goodpod01 + - goodpod02 + result: pass +- policy: prevent-disabling-injection-pods + rule: prohibit-inject-annotation + kind: Deployment + resources: + - gooddeploy01 + - gooddeploy02 + result: pass +- policy: prevent-disabling-injection-pods + rule: prohibit-inject-annotation + kind: CronJob + resources: + - goodcronjob01 + - goodcronjob02 + result: pass + From c0f95de7bd69ec6ac944f163b98c239fa1fa63f7 Mon Sep 17 00:00:00 2001 From: Chandan-DK Date: Sun, 12 May 2024 04:52:04 +0000 Subject: [PATCH 13/32] convert prevent-disabling-injection-pods Signed-off-by: Chandan-DK --- .../artifacthub-pkg.yml | 16 +++++++------ .../prevent-disabling-injection-pods.yaml | 24 ++++++++++--------- 2 files changed, 22 insertions(+), 18 deletions(-) diff --git a/istio-cel/prevent-disabling-injection-pods/artifacthub-pkg.yml b/istio-cel/prevent-disabling-injection-pods/artifacthub-pkg.yml index c9b718b3c..6ce64fdb1 100644 --- a/istio-cel/prevent-disabling-injection-pods/artifacthub-pkg.yml +++ b/istio-cel/prevent-disabling-injection-pods/artifacthub-pkg.yml 
@@ -1,22 +1,24 @@ -name: prevent-disabling-injection-pods +name: prevent-disabling-injection-pods-cel version: 1.0.0 -displayName: Prevent Disabling Istio Sidecar Injection -createdAt: "2023-04-10T20:07:52.000Z" +displayName: Prevent Disabling Istio Sidecar Injection in CEL expressions description: >- One way sidecar injection in an Istio service mesh may be accomplished is by defining an annotation at the Pod level. Pods not receiving a sidecar cannot participate in the mesh thereby reducing visibility. This policy ensures that Pods cannot set the annotation `sidecar.istio.io/inject` to a value of `false`. install: |- ```shell - kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/istio/prevent-disabling-injection-pods/prevent-disabling-injection-pods.yaml + kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/istio-cel/prevent-disabling-injection-pods/prevent-disabling-injection-pods.yaml ``` keywords: - kyverno - Istio + - CEL Expressions readme: | One way sidecar injection in an Istio service mesh may be accomplished is by defining an annotation at the Pod level. Pods not receiving a sidecar cannot participate in the mesh thereby reducing visibility. This policy ensures that Pods cannot set the annotation `sidecar.istio.io/inject` to a value of `false`. Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ annotations: - kyverno/category: "Istio" - kyverno/kubernetesVersion: "1.24" + kyverno/category: "Istio in CEL" + kyverno/kubernetesVersion: "1.26-1.27" kyverno/subject: "Pod" -digest: d9555f2aed790d8fabc6fc8c0ed603f6ee99dce599c4e0114b4a23d0b184fd75 +digest: de257d6553747a35236deb1835a79bed01fb6bfc331156158c6b98d3016c0699 +createdAt: "2024-05-12T04:48:58Z" + 
diff --git a/istio-cel/prevent-disabling-injection-pods/prevent-disabling-injection-pods.yaml b/istio-cel/prevent-disabling-injection-pods/prevent-disabling-injection-pods.yaml index 20e71a2b0..6461c02e9 100644 --- a/istio-cel/prevent-disabling-injection-pods/prevent-disabling-injection-pods.yaml +++ b/istio-cel/prevent-disabling-injection-pods/prevent-disabling-injection-pods.yaml @@ -3,12 +3,12 @@ kind: ClusterPolicy metadata: name: prevent-disabling-injection-pods annotations: - policies.kyverno.io/title: Prevent Disabling Istio Sidecar Injection - policies.kyverno.io/category: Istio + policies.kyverno.io/title: Prevent Disabling Istio Sidecar Injection in CEL expressions + policies.kyverno.io/category: Istio in CEL policies.kyverno.io/severity: medium - kyverno.io/kyverno-version: 1.8.0 - policies.kyverno.io/minversion: 1.6.0 - kyverno.io/kubernetes-version: "1.24" + kyverno.io/kyverno-version: 1.11.0 + policies.kyverno.io/minversion: 1.11.0 + kyverno.io/kubernetes-version: "1.26-1.27" policies.kyverno.io/subject: Pod policies.kyverno.io/description: >- One way sidecar injection in an Istio service mesh may be accomplished is by defining @@ -16,7 +16,7 @@ metadata: thereby reducing visibility. This policy ensures that Pods cannot set the annotation `sidecar.istio.io/inject` to a value of `false`. spec: - validationFailureAction: audit + validationFailureAction: Audit background: true rules: - name: prohibit-inject-annotation 
@@ -26,8 +26,10 @@ spec:
kinds:
- Pod
validate:
- message: "Pods may not disable sidecar injection by setting the annotation sidecar.istio.io/inject to a value of false."
- pattern:
- metadata:
- =(annotations):
- =(sidecar.istio.io/inject): "!false"
\ No newline at end of file
+ cel:
+ expressions:
+ - expression: >-
+ !has(object.metadata.annotations) || !('sidecar.istio.io/inject' in object.metadata.annotations) ||
+ object.metadata.annotations['sidecar.istio.io/inject'] != 'false'
+ message: "Pods may not disable sidecar injection by setting the annotation sidecar.istio.io/inject to a value of false."
+
From 7ac7be26ce5ec2e8c3d3855ab6815db38fd32812 Mon Sep 17 00:00:00 2001 From: Chandan-DK Date: Sun, 12 May 2024 04:52:50 +0000 Subject: [PATCH 14/32] copy restrict-virtual-service-wildcard
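Review bot: The last operand compares the annotation value case-sensitively with `'false'`, which is narrower than the check Istio's injector performs — as far as I recall it lowercases the `sidecar.istio.io/inject` value before deciding, so `False` or `FALSE` disables injection yet passes this rule; the replaced `"!false"` pattern had the same gap, so this is carried over rather than introduced by the conversion. Istio also accepts the same key as a label, which the expression never reads. I would write the operand as `object.metadata.annotations['sidecar.istio.io/inject'].lowerAscii() != 'false'` and add a parallel expression over `object.metadata.labels`, then add a mixed-case Pod and a label-based Pod to pod-bad.yaml so the chainsaw step pins both cases. The rule's `match` block starts outside this hunk.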
Signed-off-by: Chandan-DK --- .../.chainsaw-test/bad-vs.yaml | 55 +++++++++++++++++++ .../chainsaw-step-01-assert-1.yaml | 6 ++ .../chainsaw-step-01-assert-2.yaml | 13 +++++ .../.chainsaw-test/chainsaw-test.yaml | 33 +++++++++++ .../.chainsaw-test/good-vs.yaml | 54 ++++++++++++++++++ .../.kyverno-test/kyverno-test.yaml | 21 +++++++ .../.kyverno-test/resources.yaml | 54 ++++++++++++++++++ .../artifacthub-pkg.yml | 22 ++++++++ .../restrict-virtual-service-wildcard.yaml | 44 +++++++++++++++ 9 files changed, 302 insertions(+) create mode 100644 istio-cel/restrict-virtual-service-wildcard/.chainsaw-test/bad-vs.yaml create mode 100755 istio-cel/restrict-virtual-service-wildcard/.chainsaw-test/chainsaw-step-01-assert-1.yaml create mode 100755 istio-cel/restrict-virtual-service-wildcard/.chainsaw-test/chainsaw-step-01-assert-2.yaml create mode 100755 istio-cel/restrict-virtual-service-wildcard/.chainsaw-test/chainsaw-test.yaml create mode 100644 istio-cel/restrict-virtual-service-wildcard/.chainsaw-test/good-vs.yaml create mode 100644 istio-cel/restrict-virtual-service-wildcard/.kyverno-test/kyverno-test.yaml create mode 100644 istio-cel/restrict-virtual-service-wildcard/.kyverno-test/resources.yaml create mode 100644 istio-cel/restrict-virtual-service-wildcard/artifacthub-pkg.yml create mode 100644 istio-cel/restrict-virtual-service-wildcard/restrict-virtual-service-wildcard.yaml diff --git a/istio-cel/restrict-virtual-service-wildcard/.chainsaw-test/bad-vs.yaml b/istio-cel/restrict-virtual-service-wildcard/.chainsaw-test/bad-vs.yaml new file mode 100644 index 000000000..9801173e7 --- /dev/null +++ b/istio-cel/restrict-virtual-service-wildcard/.chainsaw-test/bad-vs.yaml 
@@ -0,0 +1,55 @@ +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: badvs01 +spec: + hosts: + - "*.com" + - "foo.com" + gateways: + - bookinfo-gateway + http: + - match: + - uri: + exact: /productpage + - uri: + prefix: /static + - uri: + exact: /login + - uri: + exact: /logout + - uri: + prefix: /api/v1/products + route: + - destination: + host: productpage + port: + number: 9080 +--- +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: badvs02 +spec: + hosts: + - "bar.com" + - "*.*" + gateways: + - bookinfo-gateway + http: + - match: + - uri: + exact: /productpage + - uri: + prefix: /static + - uri: + exact: /login + - uri: + exact: /logout + - uri: + prefix: /api/v1/products + route: + - destination: + host: productpage + port: + number: 9080 diff --git a/istio-cel/restrict-virtual-service-wildcard/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/istio-cel/restrict-virtual-service-wildcard/.chainsaw-test/chainsaw-step-01-assert-1.yaml new file mode 100755 index 000000000..e823cc767 --- /dev/null +++ b/istio-cel/restrict-virtual-service-wildcard/.chainsaw-test/chainsaw-step-01-assert-1.yaml @@ -0,0 +1,6 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: restrict-virtual-service-wildcard +status: + ready: true diff --git a/istio-cel/restrict-virtual-service-wildcard/.chainsaw-test/chainsaw-step-01-assert-2.yaml b/istio-cel/restrict-virtual-service-wildcard/.chainsaw-test/chainsaw-step-01-assert-2.yaml new file mode 100755 index 000000000..5380004fb --- /dev/null +++ b/istio-cel/restrict-virtual-service-wildcard/.chainsaw-test/chainsaw-step-01-assert-2.yaml @@ -0,0 +1,13 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: virtualservices.networking.istio.io +spec: {} +status: + acceptedNames: + kind: VirtualService + listKind: VirtualServiceList + plural: virtualservices + singular: virtualservice + storedVersions: + - v1alpha3 
diff --git a/istio-cel/restrict-virtual-service-wildcard/.chainsaw-test/chainsaw-test.yaml b/istio-cel/restrict-virtual-service-wildcard/.chainsaw-test/chainsaw-test.yaml new file mode 100755 index 000000000..9f29d00ac --- /dev/null +++ b/istio-cel/restrict-virtual-service-wildcard/.chainsaw-test/chainsaw-test.yaml @@ -0,0 +1,33 @@ +# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: restrict-virtual-service-wildcard +spec: + steps: + - name: step-01 + try: + - apply: + file: ../restrict-virtual-service-wildcard.yaml + - patch: + resource: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + metadata: + name: restrict-virtual-service-wildcard + spec: + validationFailureAction: Enforce + - assert: + file: chainsaw-step-01-assert-1.yaml + - assert: + file: chainsaw-step-01-assert-2.yaml + - name: step-02 + try: + - apply: + file: good-vs.yaml + - apply: + expect: + - check: + ($error != null): true + file: bad-vs.yaml diff --git a/istio-cel/restrict-virtual-service-wildcard/.chainsaw-test/good-vs.yaml b/istio-cel/restrict-virtual-service-wildcard/.chainsaw-test/good-vs.yaml new file mode 100644 index 000000000..41e1586be --- /dev/null +++ b/istio-cel/restrict-virtual-service-wildcard/.chainsaw-test/good-vs.yaml 
@@ -0,0 +1,54 @@ +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: goodvs01 +spec: + hosts: + - "foo.com" + gateways: + - bookinfo-gateway + http: + - match: + - uri: + exact: /productpage + - uri: + prefix: /static + - uri: + exact: /login + - uri: + exact: /logout + - uri: + prefix: /api/v1/products + route: + - destination: + host: productpage + port: + number: 9080 +--- +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: goodvs02 +spec: + hosts: + - "foo.com" + - "bar.foo" + gateways: + - bookinfo-gateway + http: + - match: + - uri: + exact: /productpage + - uri: + prefix: /static + - uri: + exact: /login + - uri: + exact: /logout + - uri: + prefix: /api/v1/products + route: + - destination: + host: productpage + port: + number: 9080 diff --git a/istio-cel/restrict-virtual-service-wildcard/.kyverno-test/kyverno-test.yaml b/istio-cel/restrict-virtual-service-wildcard/.kyverno-test/kyverno-test.yaml new file mode 100644 index 000000000..1bd8ac6a8 --- /dev/null +++ b/istio-cel/restrict-virtual-service-wildcard/.kyverno-test/kyverno-test.yaml @@ -0,0 +1,21 @@ +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: restrict-virtual-service-wildcard +policies: +- ../restrict-virtual-service-wildcard.yaml +resources: +- resources.yaml +results: +- kind: VirtualService + policy: restrict-virtual-service-wildcard + resources: + - badvs + result: fail + rule: block-virtual-service-wildcard +- kind: VirtualService + policy: restrict-virtual-service-wildcard + resources: + - goodvs + result: pass + rule: block-virtual-service-wildcard diff --git a/istio-cel/restrict-virtual-service-wildcard/.kyverno-test/resources.yaml b/istio-cel/restrict-virtual-service-wildcard/.kyverno-test/resources.yaml new file mode 100644 index 000000000..0263be03d --- /dev/null +++ b/istio-cel/restrict-virtual-service-wildcard/.kyverno-test/resources.yaml 
@@ -0,0 +1,54 @@ +--- +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: badvs +spec: + hosts: + - "*.com" + gateways: + - bookinfo-gateway + http: + - match: + - uri: + exact: /productpage + - uri: + prefix: /static + - uri: + exact: /login + - uri: + exact: /logout + - uri: + prefix: /api/v1/products + route: + - destination: + host: productpage + port: + number: 9080 +--- +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: goodvs +spec: + hosts: + - "foo.com" + gateways: + - bookinfo-gateway + http: + - match: + - uri: + exact: /productpage + - uri: + prefix: /static + - uri: + exact: /login + - uri: + exact: /logout + - uri: + prefix: /api/v1/products + route: + - destination: + host: productpage + port: + number: 9080 diff --git a/istio-cel/restrict-virtual-service-wildcard/artifacthub-pkg.yml b/istio-cel/restrict-virtual-service-wildcard/artifacthub-pkg.yml new file mode 100644 index 000000000..aa08fe72b --- /dev/null +++ b/istio-cel/restrict-virtual-service-wildcard/artifacthub-pkg.yml 
@@ -0,0 +1,22 @@ +name: restrict-virtual-service-wildcard +version: 1.0.0 +displayName: Restrict Virtual Service Host with Wildcards +createdAt: "2023-04-10T20:07:52.000Z" +description: >- + Virtual Services optionally accept a wildcard as an alternative to precise matching. In some cases, this may be too permissive as it would direct unintended traffic to the given resource. This policy enforces that any Virtual Service host does not contain a wildcard character and allows for more governance when a single mesh deployment model is used. +install: |- + ```shell + kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/istio/restrict-virtual-service-wildcard/restrict-virtual-service-wildcard.yaml + ``` +keywords: + - kyverno + - Istio +readme: | + Virtual Services optionally accept a wildcard as an alternative to precise matching. In some cases, this may be too permissive as it would direct unintended traffic to the given resource. This policy enforces that any Virtual Service host does not contain a wildcard character and allows for more governance when a single mesh deployment model is used. + + Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ +annotations: + kyverno/category: "Istio" + kyverno/kubernetesVersion: "1.23" + kyverno/subject: "VirtualService" +digest: 34ccfc30dd8bb8dd88099456cf3dff05d48ca160d844a897278e18b389f1b394 diff --git a/istio-cel/restrict-virtual-service-wildcard/restrict-virtual-service-wildcard.yaml b/istio-cel/restrict-virtual-service-wildcard/restrict-virtual-service-wildcard.yaml new file mode 100644 index 000000000..40ebae537 --- /dev/null +++ b/istio-cel/restrict-virtual-service-wildcard/restrict-virtual-service-wildcard.yaml 
@@ -0,0 +1,44 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: restrict-virtual-service-wildcard + annotations: + policies.kyverno.io/title: Restrict Virtual Service Host with Wildcards + policies.kyverno.io/category: Istio + policies.kyverno.io/severity: medium + kyverno.io/kyverno-version: 1.8.4 + policies.kyverno.io/minversion: 1.6.0 + kyverno.io/kubernetes-version: "1.23" + policies.kyverno.io/subject: VirtualService + policies.kyverno.io/description: >- + Virtual Services optionally accept a wildcard as an alternative + to precise matching. In some cases, this may be too permissive as it + would direct unintended traffic to the given resource. This + policy enforces that any Virtual Service host does not contain a wildcard + character and allows for more governance when a single mesh deployment + model is used. +spec: + validationFailureAction: audit + background: true + rules: + - name: block-virtual-service-wildcard + match: + any: + - resources: + kinds: + - VirtualService + preconditions: + all: + - key: "{{ request.operation || 'BACKGROUND' }}" + operator: AnyIn + value: ["CREATE", "UPDATE"] + validate: + message: "Wildcards are not permitted as hosts." + foreach: + - list: "request.object.spec.hosts" + deny: + conditions: + any: + - key: "{{ contains(element, '*') }}" + operator: Equals + value: true \ No newline at end of file From cd389013d3a8642eae5e7bd877c0e61bb212ab25 Mon Sep 17 00:00:00 2001 From: Chandan-DK Date: Sun, 12 May 2024 04:54:19 +0000 Subject: [PATCH 15/32] convert restrict-virtual-service-wildcard Signed-off-by: Chandan-DK --- .../artifacthub-pkg.yml | 16 +++++----- .../restrict-virtual-service-wildcard.yaml | 31 +++++++------------ 2 files changed, 20 insertions(+), 27 deletions(-) diff --git a/istio-cel/restrict-virtual-service-wildcard/artifacthub-pkg.yml b/istio-cel/restrict-virtual-service-wildcard/artifacthub-pkg.yml index aa08fe72b..d1e334661 100644 
--- a/istio-cel/restrict-virtual-service-wildcard/artifacthub-pkg.yml +++ b/istio-cel/restrict-virtual-service-wildcard/artifacthub-pkg.yml 
@@ -1,22 +1,24 @@ -name: restrict-virtual-service-wildcard +name: restrict-virtual-service-wildcard-cel version: 1.0.0 -displayName: Restrict Virtual Service Host with Wildcards -createdAt: "2023-04-10T20:07:52.000Z" +displayName: Restrict Virtual Service Host with Wildcards in CEL expressions description: >- Virtual Services optionally accept a wildcard as an alternative to precise matching. In some cases, this may be too permissive as it would direct unintended traffic to the given resource. This policy enforces that any Virtual Service host does not contain a wildcard character and allows for more governance when a single mesh deployment model is used. install: |- ```shell - kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/istio/restrict-virtual-service-wildcard/restrict-virtual-service-wildcard.yaml + kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/istio-cel/restrict-virtual-service-wildcard/restrict-virtual-service-wildcard.yaml ``` keywords: - kyverno - Istio + - CEL Expressions readme: | Virtual Services optionally accept a wildcard as an alternative to precise matching. In some cases, this may be too permissive as it would direct unintended traffic to the given resource. This policy enforces that any Virtual Service host does not contain a wildcard character and allows for more governance when a single mesh deployment model is used. Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ annotations: - kyverno/category: "Istio" - kyverno/kubernetesVersion: "1.23" + kyverno/category: "Istio in CEL" + kyverno/kubernetesVersion: "1.26-1.27" kyverno/subject: "VirtualService" -digest: 34ccfc30dd8bb8dd88099456cf3dff05d48ca160d844a897278e18b389f1b394 +digest: 326d2e299d4424ae5c33c8675970060c0d7ba2f1ba00985c54c61d6c42909554 +createdAt: "2024-05-12T04:53:55Z" + 
diff --git a/istio-cel/restrict-virtual-service-wildcard/restrict-virtual-service-wildcard.yaml b/istio-cel/restrict-virtual-service-wildcard/restrict-virtual-service-wildcard.yaml
index 40ebae537..59a63f82a 100644
--- a/istio-cel/restrict-virtual-service-wildcard/restrict-virtual-service-wildcard.yaml
+++ b/istio-cel/restrict-virtual-service-wildcard/restrict-virtual-service-wildcard.yaml
@@ -3,12 +3,12 @@ kind: ClusterPolicy
metadata:
name: restrict-virtual-service-wildcard
annotations:
- policies.kyverno.io/title: Restrict Virtual Service Host with Wildcards
- policies.kyverno.io/category: Istio
+ policies.kyverno.io/title: Restrict Virtual Service Host with Wildcards in CEL expressions
+ policies.kyverno.io/category: Istio in CEL expressions
policies.kyverno.io/severity: medium
- kyverno.io/kyverno-version: 1.8.4
- policies.kyverno.io/minversion: 1.6.0
- kyverno.io/kubernetes-version: "1.23"
+ kyverno.io/kyverno-version: 1.11.0
+ policies.kyverno.io/minversion: 1.11.0
+ kyverno.io/kubernetes-version: "1.26-1.27"
policies.kyverno.io/subject: VirtualService
policies.kyverno.io/description: >-
Virtual Services optionally accept a wildcard as an alternative
@@ -18,7 +18,7 @@ metadata:
character and allows for more governance when a single mesh deployment
model is used.
spec:
- validationFailureAction: audit
+ validationFailureAction: Audit
background: true
rules:
- name: block-virtual-service-wildcard
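Review bot: `policies.kyverno.io/category: Istio in CEL expressions` on the new side differs from the sibling conversion in prevent-disabling-injection-pods.yaml, which uses `Istio in CEL`, and from this policy's own artifacthub-pkg.yml, which sets `kyverno/category: "Istio in CEL"`; the category string is presumably what the policy catalogue groups on, so a one-off spelling puts this policy in a group of its own. I would change the line to `policies.kyverno.io/category: Istio in CEL`.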
@@ -27,18 +27,9 @@ spec:
- resources:
kinds:
- VirtualService
- preconditions:
- all:
- - key: "{{ request.operation || 'BACKGROUND' }}"
- operator: AnyIn
- value: ["CREATE", "UPDATE"]
validate:
- message: "Wildcards are not permitted as hosts."
- foreach:
- - list: "request.object.spec.hosts"
- deny:
- conditions:
- any:
- - key: "{{ contains(element, '*') }}"
- operator: Equals
- value: true
\ No newline at end of file
+ cel:
+ expressions:
+ - expression: "!has(object.spec.hosts) || !object.spec.hosts.exists(host, host.contains('*'))"
+ message: "Wildcards are not permitted as hosts."
+
From e00c3538224cf31e5d43a6421dba576e07ba4c1a Mon Sep 17 00:00:00 2001 From: Chandan-DK Date: Sun, 12 May 2024 04:55:01 +0000 Subject: [PATCH 16/32] add CI tests for istio-cel Signed-off-by: Chandan-DK --- .github/workflows/test.yml | 1 + 1 file changed, 1 insertion(+)
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index c222b5aaf..4ff5acb1a 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -38,6 +38,7 @@ jobs:
- ^external-secret-operator$
- ^flux$
- ^istio$
+ - ^istio-cel$
- ^karpenter$
- ^kasten$
- ^kubecost$
From a65ee2b2c9852173953ecbf4b371b25896ed6c0d Mon Sep 17 00:00:00 2001 From: Chandan-DK Date: Sun, 12 May 2024 06:58:42 +0000 Subject: [PATCH 17/32] copy require-kubecost-labels
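Review bot: `has(object.spec.hosts)` only guards the leaf field — if a VirtualService arrives without a `spec` mapping at all, evaluating `object.spec` raises a missing-key error before `has()` can answer, and as far as I can tell a CEL evaluation error surfaces as a rule error rather than a pass. Guarding the parent too is cheap: `!has(object.spec) || !has(object.spec.hosts) || !object.spec.hosts.exists(host, host.contains('*'))`. Neither the chainsaw fixtures nor .kyverno-test/resources.yaml contains a VirtualService without `hosts`, so the short-circuit branch the expression is built around is untested; a third good resource with `hosts` omitted would cover it. The rule's `match` block starts outside this hunk.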
Signed-off-by: Chandan-DK --- .../chainsaw-step-01-assert-1.yaml | 6 ++ .../.chainsaw-test/chainsaw-test.yaml | 38 +++++++ .../.chainsaw-test/pod-bad.yaml | 37 +++++++ .../.chainsaw-test/pod-good.yaml | 15 +++ .../.chainsaw-test/podcontroller-bad.yaml | 82 +++++++++++++++ .../.chainsaw-test/podcontroller-good.yaml | 99 +++++++++++++++++++ .../.kyverno-test/kyverno-test.yaml | 25 +++++ .../.kyverno-test/resource.yaml | 73 ++++++++++++++ .../artifacthub-pkg.yml | 21 ++++ .../require-kubecost-labels.yaml | 38 +++++++ 10 files changed, 434 insertions(+) create mode 100755 kubecost-cel/require-kubecost-labels/.chainsaw-test/chainsaw-step-01-assert-1.yaml create mode 100755 kubecost-cel/require-kubecost-labels/.chainsaw-test/chainsaw-test.yaml create mode 100644 kubecost-cel/require-kubecost-labels/.chainsaw-test/pod-bad.yaml create mode 100644 kubecost-cel/require-kubecost-labels/.chainsaw-test/pod-good.yaml create mode 100644 kubecost-cel/require-kubecost-labels/.chainsaw-test/podcontroller-bad.yaml create mode 100644 kubecost-cel/require-kubecost-labels/.chainsaw-test/podcontroller-good.yaml create mode 100644 kubecost-cel/require-kubecost-labels/.kyverno-test/kyverno-test.yaml create mode 100644 kubecost-cel/require-kubecost-labels/.kyverno-test/resource.yaml create mode 100644 kubecost-cel/require-kubecost-labels/artifacthub-pkg.yml create mode 100644 kubecost-cel/require-kubecost-labels/require-kubecost-labels.yaml diff --git a/kubecost-cel/require-kubecost-labels/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/kubecost-cel/require-kubecost-labels/.chainsaw-test/chainsaw-step-01-assert-1.yaml new file mode 100755 index 000000000..ed44c7cf3 --- /dev/null +++ b/kubecost-cel/require-kubecost-labels/.chainsaw-test/chainsaw-step-01-assert-1.yaml @@ -0,0 +1,6 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: require-kubecost-labels +status: + ready: true 
diff --git a/kubecost-cel/require-kubecost-labels/.chainsaw-test/chainsaw-test.yaml b/kubecost-cel/require-kubecost-labels/.chainsaw-test/chainsaw-test.yaml new file mode 100755 index 000000000..f9c73cfe7 --- /dev/null +++ b/kubecost-cel/require-kubecost-labels/.chainsaw-test/chainsaw-test.yaml @@ -0,0 +1,38 @@ +# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: require-kubecost-labels +spec: + steps: + - name: step-01 + try: + - apply: + file: ../require-kubecost-labels.yaml + - patch: + resource: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + metadata: + name: require-kubecost-labels + spec: + validationFailureAction: Enforce + - assert: + file: chainsaw-step-01-assert-1.yaml + - name: step-02 + try: + - apply: + file: pod-good.yaml + - apply: + file: podcontroller-good.yaml + - apply: + expect: + - check: + ($error != null): true + file: pod-bad.yaml + - apply: + expect: + - check: + ($error != null): true + file: podcontroller-bad.yaml diff --git a/kubecost-cel/require-kubecost-labels/.chainsaw-test/pod-bad.yaml b/kubecost-cel/require-kubecost-labels/.chainsaw-test/pod-bad.yaml new file mode 100644 index 000000000..68e1fe0a1 --- /dev/null +++ b/kubecost-cel/require-kubecost-labels/.chainsaw-test/pod-bad.yaml @@ -0,0 +1,37 @@ +apiVersion: v1 +kind: Pod +metadata: + labels: + foo: bar + name: badpod01 +spec: + containers: + - name: busybox + image: busybox:1.35 +--- +apiVersion: v1 +kind: Pod +metadata: + labels: + foo: bar + env: foo + name: badpod02 +spec: + containers: + - name: busybox + image: busybox:1.35 +--- +apiVersion: v1 +kind: Pod +metadata: + labels: + foo: bar + owner: foo + team: bar + department: foo + app: bar + name: badpod03 +spec: + containers: + - name: busybox + image: busybox:1.35 \ No newline at end of file 
diff --git a/kubecost-cel/require-kubecost-labels/.chainsaw-test/pod-good.yaml b/kubecost-cel/require-kubecost-labels/.chainsaw-test/pod-good.yaml new file mode 100644 index 000000000..50ec73c0a --- /dev/null +++ b/kubecost-cel/require-kubecost-labels/.chainsaw-test/pod-good.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + labels: + foo: bar + owner: foo + team: bar + department: foo + app: bar + env: foo + name: goodpod01 +spec: + containers: + - name: busybox + image: busybox:1.35 \ No newline at end of file diff --git a/kubecost-cel/require-kubecost-labels/.chainsaw-test/podcontroller-bad.yaml b/kubecost-cel/require-kubecost-labels/.chainsaw-test/podcontroller-bad.yaml new file mode 100644 index 000000000..d8db785f5 --- /dev/null +++ b/kubecost-cel/require-kubecost-labels/.chainsaw-test/podcontroller-bad.yaml 
@@ -0,0 +1,82 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: busybox + name: baddeploy01 +spec: + replicas: 1 + selector: + matchLabels: + app: busybox + template: + metadata: + labels: + foo: bar + spec: + containers: + - name: busybox + image: busybox:1.35 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: busybox + name: baddeploy02 +spec: + replicas: 1 + selector: + matchLabels: + app: busybox + template: + metadata: + labels: + owner: "foo" + spec: + containers: + - name: busybox + image: busybox:1.35 +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob01 +spec: + schedule: "* * * * *" + jobTemplate: + spec: + template: + metadata: + labels: + foo: bar + spec: + containers: + - name: hello + image: busybox:1.35 + command: + - "sleep" + - "3600" + restartPolicy: OnFailure +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob02 +spec: + schedule: "* * * * *" + jobTemplate: + spec: + template: + metadata: + labels: + owner: "foo" + team: "foo" + spec: + containers: + - name: hello + image: busybox:1.35 + command: + - "sleep" + - "3600" + restartPolicy: OnFailure \ No newline at end of file diff --git a/kubecost-cel/require-kubecost-labels/.chainsaw-test/podcontroller-good.yaml b/kubecost-cel/require-kubecost-labels/.chainsaw-test/podcontroller-good.yaml new file mode 100644 index 000000000..4e85726df --- /dev/null +++ b/kubecost-cel/require-kubecost-labels/.chainsaw-test/podcontroller-good.yaml 
@@ -0,0 +1,99 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: busybox + name: gooddeploy01 +spec: + replicas: 1 + selector: + matchLabels: + app: busybox + template: + metadata: + labels: + app: busybox + owner: "foo" + team: "foo" + department: "foo" + env: "foo" + spec: + containers: + - name: busybox + image: busybox:1.35 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: busybox + name: gooddeploy02 +spec: + replicas: 1 + selector: + matchLabels: + app: busybox + template: + metadata: + labels: + app: busybox + owner: "foo" + team: "foo" + department: "foo" + env: "foo" + foo: bar + spec: + containers: + - name: busybox + image: busybox:1.35 +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob01 +spec: + schedule: "* * * * *" + jobTemplate: + spec: + template: + metadata: + labels: + owner: "foo" + team: "foo" + department: "foo" + app: "foo" + env: "foo" + spec: + containers: + - name: hello + image: busybox:1.35 + command: + - "sleep" + - "3600" + restartPolicy: OnFailure +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob02 +spec: + schedule: "* * * * *" + jobTemplate: + spec: + template: + metadata: + labels: + owner: "foo" + team: "foo" + department: "foo" + app: "foo" + env: "foo" + foo: bar + spec: + containers: + - name: hello + image: busybox:1.35 + command: + - "sleep" + - "3600" + restartPolicy: OnFailure \ No newline at end of file diff --git a/kubecost-cel/require-kubecost-labels/.kyverno-test/kyverno-test.yaml b/kubecost-cel/require-kubecost-labels/.kyverno-test/kyverno-test.yaml new file mode 100644 index 000000000..41e2fbf5f --- /dev/null +++ b/kubecost-cel/require-kubecost-labels/.kyverno-test/kyverno-test.yaml 
@@ -0,0 +1,25 @@ +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: require-kubecost-labels +policies: +- ../require-kubecost-labels.yaml +resources: +- resource.yaml +results: +- kind: Pod + policy: require-kubecost-labels + resources: + - badpod01 + - badpod02 + - badpod03 + - badpod04 + - badpod05 + result: fail + rule: require-labels +- kind: Pod + policy: require-kubecost-labels + resources: + - goodpod + result: pass + rule: require-labels diff --git a/kubecost-cel/require-kubecost-labels/.kyverno-test/resource.yaml b/kubecost-cel/require-kubecost-labels/.kyverno-test/resource.yaml new file mode 100644 index 000000000..17ab732f0 --- /dev/null +++ b/kubecost-cel/require-kubecost-labels/.kyverno-test/resource.yaml @@ -0,0 +1,73 @@ +apiVersion: v1 +kind: Pod +metadata: + name: goodpod + labels: + owner: John Doe + team: falcon + department: eng + app: redis + env: prod2 +spec: + containers: + - image: busybox:1.35 + name: busybox +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod01 +spec: + containers: + - image: busybox:1.35 + name: busybox +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod02 + labels: + owner: John Doe +spec: + containers: + - image: busybox:1.35 + name: busybox +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod03 + labels: + owner: John Doe + team: falcon +spec: + containers: + - image: busybox:1.35 + name: busybox +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod04 + labels: + owner: John Doe + team: falcon + department: eng +spec: + containers: + - image: busybox:1.35 + name: busybox +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod05 + labels: + owner: John Doe + team: falcon + department: eng + app: redis +spec: + containers: + - image: busybox:1.35 + name: busybox diff --git a/kubecost-cel/require-kubecost-labels/artifacthub-pkg.yml b/kubecost-cel/require-kubecost-labels/artifacthub-pkg.yml new file mode 100644 index 000000000..9e5d28706 --- /dev/null 
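Review bot: `owner: John Doe` in resource.yaml is not a valid Kubernetes label value (label values cannot contain spaces), so every labelled Pod in this CLI fixture is one the API server would reject at admission, and `goodpod` in particular can never exist in a cluster; the kyverno CLI does not schema-validate fixture resources, which is why the test still passes. Use a legal value such as `owner: john-doe` on all five occurrences. The chainsaw fixtures in this commit use `owner: foo`, so only the CLI fixture is affected.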
+++ b/kubecost-cel/require-kubecost-labels/artifacthub-pkg.yml @@ -0,0 +1,21 @@ +name: require-kubecost-labels +version: 1.0.0 +displayName: Require Kubecost Labels +createdAt: "2023-05-07T00:00:02.000Z" +description: >- + Kubecost can use labels assigned to Pods in order to track and display cost allocation in a granular way. These labels, which can be customized, can be used to organize and group workloads in different ways. This policy requires that the labels `owner`, `team`, `department`, `app`, and `env` are all defined on Pods. With Kyverno autogen enabled (absence of the annotation `pod-policies.kyverno.io/autogen-controllers=none`), these labels will also be required for all Pod controllers. +install: |- + ```shell + kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/kubecost/require-kubecost-labels/require-kubecost-labels.yaml + ``` +keywords: + - kyverno + - Kubecost +readme: | + Kubecost can use labels assigned to Pods in order to track and display cost allocation in a granular way. These labels, which can be customized, can be used to organize and group workloads in different ways. This policy requires that the labels `owner`, `team`, `department`, `app`, and `env` are all defined on Pods. With Kyverno autogen enabled (absence of the annotation `pod-policies.kyverno.io/autogen-controllers=none`), these labels will also be required for all Pod controllers. + + Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ +annotations: + kyverno/category: "Kubecost" + kyverno/subject: "Pod,Label" +digest: 246ad156508c72f7838533b5c5dbd241cc5c32e377f32999cdb902cb10d4ae44 diff --git a/kubecost-cel/require-kubecost-labels/require-kubecost-labels.yaml b/kubecost-cel/require-kubecost-labels/require-kubecost-labels.yaml new file mode 100644 index 000000000..d36444226 --- /dev/null +++ b/kubecost-cel/require-kubecost-labels/require-kubecost-labels.yaml 
@@ -0,0 +1,38 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: require-kubecost-labels
+ annotations:
+ policies.kyverno.io/title: Require Kubecost Labels
+ policies.kyverno.io/category: Kubecost
+ policies.kyverno.io/severity: medium
+ policies.kyverno.io/subject: Pod, Label
+ kyverno.io/kyverno-version: 1.10.0
+ kyverno.io/kubernetes-version: "1.25"
+ policies.kyverno.io/description: >-
+ Kubecost can use labels assigned to Pods in order to track and display
+ cost allocation in a granular way. These labels, which can be customized, can be used
+ to organize and group workloads in different ways. This policy requires that the labels
+ `owner`, `team`, `department`, `app`, and `env` are all defined on Pods. With Kyverno
+ autogen enabled (absence of the annotation `pod-policies.kyverno.io/autogen-controllers=none`),
+ these labels will also be required for all Pod controllers.
+spec:
+ validationFailureAction: Audit
+ background: true
+ rules:
+ - name: require-labels
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ validate:
+ message: "The Kubecost labels `owner`, `team`, `department`, `app`, and `env` are all required for Pods."
+ pattern:
+ metadata:
+ labels:
+ owner: "?*"
+ team: "?*"
+ department: "?*"
+ app: "?*"
+ env: "?*"
\ No newline at end of file
From 139643925172f8071284f0a3991f43ab269f10b0 Mon Sep 17 00:00:00 2001
From: Chandan-DK
Date: Sun, 12 May 2024 07:00:19 +0000
Subject: [PATCH 18/32] correct chainsaw resource
Signed-off-by: Chandan-DK
---
 .../.chainsaw-test/podcontroller-bad.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/kubecost-cel/require-kubecost-labels/.chainsaw-test/podcontroller-bad.yaml b/kubecost-cel/require-kubecost-labels/.chainsaw-test/podcontroller-bad.yaml
index d8db785f5..44277f3ba 100644
--- a/kubecost-cel/require-kubecost-labels/.chainsaw-test/podcontroller-bad.yaml
+++ b/kubecost-cel/require-kubecost-labels/.chainsaw-test/podcontroller-bad.yaml
@@ -8,7 +8,7 @@ spec:
 replicas: 1
 selector:
 matchLabels:
- app: busybox
+ foo: bar
 template:
 metadata:
 labels:
@@ -28,7 +28,7 @@ spec:
 replicas: 1
 selector:
 matchLabels:
- app: busybox
+ owner: "foo"
 template:
 metadata:
 labels:
From e8702112193b85d0c64950abe4192ac070813357 Mon Sep 17 00:00:00 2001
From: Chandan-DK
Date: Sun, 12 May 2024 07:00:30 +0000
Subject: [PATCH 19/32] convert require-kubecost-labels
Signed-off-by: Chandan-DK
---
 .../artifacthub-pkg.yml | 15 ++++++----
 .../require-kubecost-labels.yaml | 28 ++++++++++---------
 2 files changed, 24 insertions(+), 19 deletions(-)
diff --git a/kubecost-cel/require-kubecost-labels/artifacthub-pkg.yml b/kubecost-cel/require-kubecost-labels/artifacthub-pkg.yml
index 9e5d28706..1ea848ea9 100644
--- a/kubecost-cel/require-kubecost-labels/artifacthub-pkg.yml
+++ b/kubecost-cel/require-kubecost-labels/artifacthub-pkg.yml
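Review bot: Changing only `selector.matchLabels` to `foo: bar` (and `owner: "foo"` in the second hunk) leaves the selector inconsistent with `template.metadata.labels` unless those labels, which lie outside both hunks, were updated in the same way; the API server rejects a workload whose selector does not select its own template, so the chainsaw `($error != null)` expectation could then be satisfied by a selector validation error rather than by the policy under test. If the template labels are unchanged, keep the selector as it was and instead make the template labels incomplete, so that the rejection comes from the Kubecost rule. The identical PATCH 20 change to kubecost/require-kubecost-labels/.chainsaw-test/podcontroller-bad.yaml has the same concern.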
@@ -1,21 +1,24 @@ -name: require-kubecost-labels +name: require-kubecost-labels-cel version: 1.0.0 -displayName: Require Kubecost Labels -createdAt: "2023-05-07T00:00:02.000Z" +displayName: Require Kubecost Labels in CEL expressions description: >- Kubecost can use labels assigned to Pods in order to track and display cost allocation in a granular way. These labels, which can be customized, can be used to organize and group workloads in different ways. This policy requires that the labels `owner`, `team`, `department`, `app`, and `env` are all defined on Pods. With Kyverno autogen enabled (absence of the annotation `pod-policies.kyverno.io/autogen-controllers=none`), these labels will also be required for all Pod controllers. install: |- ```shell - kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/kubecost/require-kubecost-labels/require-kubecost-labels.yaml + kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/kubecost-cel/require-kubecost-labels/require-kubecost-labels.yaml ``` keywords: - kyverno - Kubecost + - CEL Expressions readme: | Kubecost can use labels assigned to Pods in order to track and display cost allocation in a granular way. These labels, which can be customized, can be used to organize and group workloads in different ways. This policy requires that the labels `owner`, `team`, `department`, `app`, and `env` are all defined on Pods. With Kyverno autogen enabled (absence of the annotation `pod-policies.kyverno.io/autogen-controllers=none`), these labels will also be required for all Pod controllers. 
Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ annotations: - kyverno/category: "Kubecost" + kyverno/category: "Kubecost in CEL" + kyverno/kubernetesVersion: "1.26-1.27" kyverno/subject: "Pod,Label" -digest: 246ad156508c72f7838533b5c5dbd241cc5c32e377f32999cdb902cb10d4ae44 +digest: d925264dc13ebe9a81c253fceb6ad1b6ded6888d6c59126006523dc1c97825f9 +createdAt: "2024-05-12T06:59:59Z" + diff --git a/kubecost-cel/require-kubecost-labels/require-kubecost-labels.yaml b/kubecost-cel/require-kubecost-labels/require-kubecost-labels.yaml index d36444226..e7e35ba05 100644 --- a/kubecost-cel/require-kubecost-labels/require-kubecost-labels.yaml +++ b/kubecost-cel/require-kubecost-labels/require-kubecost-labels.yaml @@ -3,12 +3,12 @@ kind: ClusterPolicy metadata: name: require-kubecost-labels annotations: - policies.kyverno.io/title: Require Kubecost Labels - policies.kyverno.io/category: Kubecost + policies.kyverno.io/title: Require Kubecost Labels in CEL expressions + policies.kyverno.io/category: Kubecost in CEL policies.kyverno.io/severity: medium policies.kyverno.io/subject: Pod, Label - kyverno.io/kyverno-version: 1.10.0 - kyverno.io/kubernetes-version: "1.25" + kyverno.io/kyverno-version: 1.11.0 + kyverno.io/kubernetes-version: "1.26-1.27" policies.kyverno.io/description: >- Kubecost can use labels assigned to Pods in order to track and display cost allocation in a granular way. These labels, which can be customized, can be used 
@@ -27,12 +27,14 @@ spec:
 kinds:
 - Pod
 validate:
- message: "The Kubecost labels `owner`, `team`, `department`, `app`, and `env` are all required for Pods."
- pattern:
- metadata:
- labels:
- owner: "?*"
- team: "?*"
- department: "?*"
- app: "?*"
- env: "?*"
\ No newline at end of file
+ cel:
+ expressions:
+ - expression: >-
+ has(object.metadata.labels) &&
+ has(object.metadata.labels.owner) && object.metadata.labels.owner != '' &&
+ has(object.metadata.labels.team) && object.metadata.labels.team != '' &&
+ has(object.metadata.labels.department) && object.metadata.labels.department != '' &&
+ has(object.metadata.labels.app) && object.metadata.labels.app != '' &&
+ has(object.metadata.labels.env) && object.metadata.labels.env != ''
+ message: "The Kubecost labels `owner`, `team`, `department`, `app`, and `env` are all required for Pods."
+
From a4d7a13043e906d5d1c1d3b047cf3b2c3292a423 Mon Sep 17 00:00:00 2001
From: Chandan-DK
Date: Sun, 12 May 2024 07:01:40 +0000
Subject: [PATCH 20/32] correct chainsaw resource
Signed-off-by: Chandan-DK
---
 .../.chainsaw-test/podcontroller-bad.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/kubecost/require-kubecost-labels/.chainsaw-test/podcontroller-bad.yaml b/kubecost/require-kubecost-labels/.chainsaw-test/podcontroller-bad.yaml
index d8db785f5..44277f3ba 100644
--- a/kubecost/require-kubecost-labels/.chainsaw-test/podcontroller-bad.yaml
+++ b/kubecost/require-kubecost-labels/.chainsaw-test/podcontroller-bad.yaml
@@ -8,7 +8,7 @@ spec:
 replicas: 1
 selector:
 matchLabels:
- app: busybox
+ foo: bar
 template:
 metadata:
 labels:
@@ -28,7 +28,7 @@ spec:
 replicas: 1
 selector:
 matchLabels:
- app: busybox
+ owner: "foo"
 template:
 metadata:
 labels:
From e704c6bf116ce373f0bdc16b03d47186f46c29c1 Mon Sep 17 00:00:00 2001
From: Chandan-DK
Date: Sun, 12 May 2024 07:02:56 +0000
Subject: [PATCH 21/32] copy enforce-instancetype
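Review bot: The new expression rejects a label that is present but empty (`!= ''`), yet none of the Pods in the .kyverno-test/resource.yaml hunk earlier in this series (badpod01–badpod05) sets a label to `""`, so that half of every conjunct is untested; add a `badpod06` carrying all five labels with one set to `""` to the CLI test and a matching chainsaw fixture. The five near-identical clauses can also be collapsed so the required-label list lives in one place and cannot drift from the list in `message`: `has(object.metadata.labels) && ['owner', 'team', 'department', 'app', 'env'].all(l, l in object.metadata.labels && object.metadata.labels[l] != '')`. The hunk also appends a trailing blank `+` line at end of file. The enclosing rule `require-labels` starts above the hunk.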
Signed-off-by: Chandan-DK --- .../.chainsaw-test/chainsaw-test.yaml | 23 +++++++ .../.chainsaw-test/policy-ready.yaml | 6 ++ .../.chainsaw-test/vm-bad.yaml | 37 ++++++++++ .../.chainsaw-test/vm-good.yaml | 30 +++++++++ .../.kyverno-test/kyverno-test.yaml | 21 ++++++ .../.kyverno-test/resource.yaml | 67 +++++++++++++++++++ .../enforce-instancetype/artifacthub-pkg.yml | 22 ++++++ .../enforce-instancetype.yaml | 29 ++++++++ 8 files changed, 235 insertions(+) create mode 100755 kubevirt-cel/enforce-instancetype/.chainsaw-test/chainsaw-test.yaml create mode 100644 kubevirt-cel/enforce-instancetype/.chainsaw-test/policy-ready.yaml create mode 100644 kubevirt-cel/enforce-instancetype/.chainsaw-test/vm-bad.yaml create mode 100644 kubevirt-cel/enforce-instancetype/.chainsaw-test/vm-good.yaml create mode 100644 kubevirt-cel/enforce-instancetype/.kyverno-test/kyverno-test.yaml create mode 100644 kubevirt-cel/enforce-instancetype/.kyverno-test/resource.yaml create mode 100644 kubevirt-cel/enforce-instancetype/artifacthub-pkg.yml create mode 100644 kubevirt-cel/enforce-instancetype/enforce-instancetype.yaml diff --git a/kubevirt-cel/enforce-instancetype/.chainsaw-test/chainsaw-test.yaml b/kubevirt-cel/enforce-instancetype/.chainsaw-test/chainsaw-test.yaml new file mode 100755 index 000000000..b4c655980 --- /dev/null +++ b/kubevirt-cel/enforce-instancetype/.chainsaw-test/chainsaw-test.yaml @@ -0,0 +1,23 @@ +# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: enforce-instancetype +spec: + steps: + - name: step-01 + try: + - apply: + file: ../enforce-instancetype.yaml + - assert: + file: policy-ready.yaml + - name: step-02 + try: + - apply: + file: vm-good.yaml + - apply: + expect: + - check: + ($error != null): true + file: vm-bad.yaml 
diff --git a/kubevirt-cel/enforce-instancetype/.chainsaw-test/policy-ready.yaml b/kubevirt-cel/enforce-instancetype/.chainsaw-test/policy-ready.yaml new file mode 100644 index 000000000..575119eb7 --- /dev/null +++ b/kubevirt-cel/enforce-instancetype/.chainsaw-test/policy-ready.yaml @@ -0,0 +1,6 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: k6t-enforce-instancetype +status: + ready: true \ No newline at end of file diff --git a/kubevirt-cel/enforce-instancetype/.chainsaw-test/vm-bad.yaml b/kubevirt-cel/enforce-instancetype/.chainsaw-test/vm-bad.yaml new file mode 100644 index 000000000..78917c4a9 --- /dev/null +++ b/kubevirt-cel/enforce-instancetype/.chainsaw-test/vm-bad.yaml @@ -0,0 +1,37 @@ +apiVersion: kubevirt.io/v1 +kind: VirtualMachine +metadata: + labels: + kubevirt.io/vm: vm-cirros + name: vm-invalid +spec: + running: false + template: + metadata: + labels: + kubevirt.io/vm: vm-cirros + spec: + domain: + devices: + disks: + - disk: + bus: virtio + name: containerdisk + - disk: + bus: virtio + name: cloudinitdisk + resources: + requests: + memory: 128Mi + terminationGracePeriodSeconds: 0 + volumes: + - containerDisk: + image: busybox:1.35 + name: containerdisk + - cloudInitNoCloud: + userData: | + #!/bin/sh + + echo 'printed from cloud-init userdata' + name: cloudinitdisk + diff --git a/kubevirt-cel/enforce-instancetype/.chainsaw-test/vm-good.yaml b/kubevirt-cel/enforce-instancetype/.chainsaw-test/vm-good.yaml new file mode 100644 index 000000000..788d6f3fb --- /dev/null +++ b/kubevirt-cel/enforce-instancetype/.chainsaw-test/vm-good.yaml 
@@ -0,0 +1,30 @@ +apiVersion: kubevirt.io/v1 +kind: VirtualMachine +metadata: + labels: + kubevirt.io/vm: vm-cirros + name: vm-valid +spec: + running: false + instancetype: + name: c1.small + preference: + name: linux + template: + metadata: + labels: + kubevirt.io/vm: vm-cirros + spec: + domain: + devices: {} + terminationGracePeriodSeconds: 0 + volumes: + - containerDisk: + image: busybox:1.35 + name: containerdisk + - cloudInitNoCloud: + userData: | + #!/bin/sh + + echo 'printed from cloud-init userdata' + name: cloudinitdisk \ No newline at end of file diff --git a/kubevirt-cel/enforce-instancetype/.kyverno-test/kyverno-test.yaml b/kubevirt-cel/enforce-instancetype/.kyverno-test/kyverno-test.yaml new file mode 100644 index 000000000..921505525 --- /dev/null +++ b/kubevirt-cel/enforce-instancetype/.kyverno-test/kyverno-test.yaml @@ -0,0 +1,21 @@ +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: enforce-instancetype +policies: +- ../enforce-instancetype.yaml +resources: +- resource.yaml +results: +- kind: VirtualMachine + policy: k6t-enforce-instancetype + resources: + - vm-invalid + result: fail + rule: k6t-ensure-instance-type-and-preference +- kind: VirtualMachine + policy: k6t-enforce-instancetype + resources: + - vm-valid + result: pass + rule: k6t-ensure-instance-type-and-preference diff --git a/kubevirt-cel/enforce-instancetype/.kyverno-test/resource.yaml b/kubevirt-cel/enforce-instancetype/.kyverno-test/resource.yaml new file mode 100644 index 000000000..d9ed1f492 --- /dev/null +++ b/kubevirt-cel/enforce-instancetype/.kyverno-test/resource.yaml 
@@ -0,0 +1,67 @@ +--- +apiVersion: kubevirt.io/v1 +kind: VirtualMachine +metadata: + labels: + kubevirt.io/vm: vm-cirros + name: vm-valid +spec: + running: false + instancetype: + name: c1.small + preference: + name: linux + template: + metadata: + labels: + kubevirt.io/vm: vm-cirros + spec: + terminationGracePeriodSeconds: 0 + volumes: + - containerDisk: + image: registry:5000/kubevirt/cirros-container-disk-demo:devel + name: containerdisk + - cloudInitNoCloud: + userData: | + #!/bin/sh + + echo 'printed from cloud-init userdata' + name: cloudinitdisk +--- +apiVersion: kubevirt.io/v1 +kind: VirtualMachine +metadata: + labels: + kubevirt.io/vm: vm-cirros + name: vm-invalid +spec: + running: false + template: + metadata: + labels: + kubevirt.io/vm: vm-cirros + spec: + domain: + devices: + disks: + - disk: + bus: virtio + name: containerdisk + - disk: + bus: virtio + name: cloudinitdisk + resources: + requests: + memory: 128Mi + terminationGracePeriodSeconds: 0 + volumes: + - containerDisk: + image: registry:5000/kubevirt/cirros-container-disk-demo:devel + name: containerdisk + - cloudInitNoCloud: + userData: | + #!/bin/sh + + echo 'printed from cloud-init userdata' + name: cloudinitdisk + diff --git a/kubevirt-cel/enforce-instancetype/artifacthub-pkg.yml b/kubevirt-cel/enforce-instancetype/artifacthub-pkg.yml new file mode 100644 index 000000000..73d5da7bf --- /dev/null +++ b/kubevirt-cel/enforce-instancetype/artifacthub-pkg.yml 
@@ -0,0 +1,22 @@ +name: enforce-instancetype +version: 1.1.0 +displayName: Enforce instanceTypes +createdAt: "2023-04-10T20:18:08.000Z" +description: >- + Check VirtualMachines and validate that they are using an instance type and preference. +install: |- + ```shell + kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/kubevirt/enforce-instancetype/enforce-instancetype.yaml + ``` +keywords: + - kyverno + - KubeVirt +readme: | + Check VirtualMachines and validate that they are using an instance type and preference. + + Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ +annotations: + kyverno/category: "KubeVirt" + kyverno/kubernetesVersion: "1.24-1.25" + kyverno/subject: "VirtualMachine" +digest: b0d3d34707cb815c644f2ed54060f6d546655cfb58600618f61575ac355f3439 diff --git a/kubevirt-cel/enforce-instancetype/enforce-instancetype.yaml b/kubevirt-cel/enforce-instancetype/enforce-instancetype.yaml new file mode 100644 index 000000000..7148f7f2e --- /dev/null +++ b/kubevirt-cel/enforce-instancetype/enforce-instancetype.yaml @@ -0,0 +1,29 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: k6t-enforce-instancetype + annotations: + policies.kyverno.io/title: Enforce instanceTypes + policies.kyverno.io/category: KubeVirt + policies.kyverno.io/subject: VirtualMachine + policies.kyverno.io/description: >- + Check VirtualMachines and validate that they are using an instance type and preference. + kyverno.io/kyverno-version: "1.8.0-rc2" + kyverno.io/kubernetes-version: "1.24-1.25" +spec: + validationFailureAction: enforce + rules: + - name: k6t-ensure-instance-type-and-preference + match: + any: + - resources: + kinds: + - VirtualMachine + validate: + message: "VirtualMachines must use instance types and preferences" + pattern: + spec: + instancetype: + name: ?* + preference: + name: ?* From c7cde054f509b4f9c965f0bccabb4793ec9368f7 Mon Sep 17 00:00:00 2001 
From: Chandan-DK Date: Sun, 12 May 2024 07:03:51 +0000 Subject: [PATCH 22/32] convert enforce-instancetype Signed-off-by: Chandan-DK --- .../enforce-instancetype/artifacthub-pkg.yml | 14 +++++----- .../enforce-instancetype.yaml | 26 ++++++++++--------- 2 files changed, 22 insertions(+), 18 deletions(-) diff --git a/kubevirt-cel/enforce-instancetype/artifacthub-pkg.yml b/kubevirt-cel/enforce-instancetype/artifacthub-pkg.yml index 73d5da7bf..1fe9e2669 100644 --- a/kubevirt-cel/enforce-instancetype/artifacthub-pkg.yml +++ b/kubevirt-cel/enforce-instancetype/artifacthub-pkg.yml @@ -1,22 +1,24 @@ -name: enforce-instancetype +name: enforce-instancetype-cel version: 1.1.0 -displayName: Enforce instanceTypes -createdAt: "2023-04-10T20:18:08.000Z" +displayName: Enforce instanceTypes in CEL expressions description: >- Check VirtualMachines and validate that they are using an instance type and preference. install: |- ```shell - kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/kubevirt/enforce-instancetype/enforce-instancetype.yaml + kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/kubevirt-cel/enforce-instancetype/enforce-instancetype.yaml ``` keywords: - kyverno - KubeVirt + - CEL Expressions readme: | Check VirtualMachines and validate that they are using an instance type and preference. Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ annotations: kyverno/category: "KubeVirt" - kyverno/kubernetesVersion: "1.24-1.25" + kyverno/kubernetesVersion: "1.26-1.27" kyverno/subject: "VirtualMachine" -digest: b0d3d34707cb815c644f2ed54060f6d546655cfb58600618f61575ac355f3439 +digest: 2d68967a43096d0649d0485e8f2281ab06c9721ce64ea31bcd278ef67ab6bbbe +createdAt: "2024-05-12T07:03:27Z" + diff --git a/kubevirt-cel/enforce-instancetype/enforce-instancetype.yaml b/kubevirt-cel/enforce-instancetype/enforce-instancetype.yaml index 7148f7f2e..c79ae9022 100644 
--- a/kubevirt-cel/enforce-instancetype/enforce-instancetype.yaml
+++ b/kubevirt-cel/enforce-instancetype/enforce-instancetype.yaml
@@ -3,15 +3,15 @@ kind: ClusterPolicy
 metadata:
 name: k6t-enforce-instancetype
 annotations:
- policies.kyverno.io/title: Enforce instanceTypes
- policies.kyverno.io/category: KubeVirt
+ policies.kyverno.io/title: Enforce instanceTypes in CEL expressions
+ policies.kyverno.io/category: KubeVirt in CEL
 policies.kyverno.io/subject: VirtualMachine
 policies.kyverno.io/description: >-
 Check VirtualMachines and validate that they are using an instance type and preference.
- kyverno.io/kyverno-version: "1.8.0-rc2"
- kyverno.io/kubernetes-version: "1.24-1.25"
+ kyverno.io/kyverno-version: 1.11.0
+ kyverno.io/kubernetes-version: "1.26-1.27"
 spec:
- validationFailureAction: enforce
+ validationFailureAction: Enforce
 rules:
 - name: k6t-ensure-instance-type-and-preference
 match:
@@ -20,10 +20,12 @@ spec:
 kinds:
 - VirtualMachine
 validate:
- message: "VirtualMachines must use instance types and preferences"
- pattern:
- spec:
- instancetype:
- name: ?*
- preference:
- name: ?*
+ cel:
+ expressions:
+ - expression: >-
+ has(object.spec.instancetype) &&
+ has(object.spec.instancetype.name) && object.spec.instancetype.name != '' &&
+ has(object.spec.preference) &&
+ has(object.spec.preference.name) && object.spec.preference.name != ''
+ message: "VirtualMachines must use instance types and preferences"
+
From ebe227b72b7ce2a82d1872c61054fc51b4581bde Mon Sep 17 00:00:00 2001
From: Chandan-DK
Date: Sun, 12 May 2024 07:05:07 +0000
Subject: [PATCH 23/32] copy k10-data-protection-by-label
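Review bot: Only the case where both `instancetype` and `preference` are absent is exercised (vm-bad.yaml and the `vm-invalid` document in .kyverno-test/resource.yaml earlier in this series), so the two independent halves of the new expression are never tested on their own; add a VirtualMachine with `instancetype.name: c1.small` but no `preference`, and one with `preference` set but `instancetype.name: ""`, to both the chainsaw and CLI fixtures. The `has(object.spec.instancetype)` guard before `has(object.spec.instancetype.name)` is needed because `has()` only tests the final field and a missing parent is an evaluation error rather than `false`; that is worth a comment on the expression, e.g. `# has() checks only the last segment, so each parent is tested first`. The hunk also appends a trailing blank `+` line at end of file. The enclosing rule starts above the second hunk.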
Signed-off-by: Chandan-DK --- .../chainsaw-step-01-assert-1.yaml | 6 ++ .../chainsaw-step-01-assert-2.yaml | 13 ++++ .../.chainsaw-test/chainsaw-test.yaml | 60 +++++++++++++++ .../deployment-bad-badlabel.yaml | 24 ++++++ .../deployment-bad-nolabel.yaml | 23 ++++++ .../.chainsaw-test/deployment-good.yaml | 75 +++++++++++++++++++ .../nginx-deployment-invalid.yaml | 31 ++++++++ .../.chainsaw-test/ns.yaml | 4 + .../.chainsaw-test/ss-bad-badlabel.yaml | 23 ++++++ .../.chainsaw-test/ss-bad-nolabel.yaml | 22 ++++++ .../.chainsaw-test/ss-good.yaml | 65 ++++++++++++++++ .../.kyverno-test/kyverno-test.yaml | 21 ++++++ .../.kyverno-test/nginx-deployment.yaml | 60 +++++++++++++++ .../artifacthub-pkg.yml | 22 ++++++ .../k10-data-protection-by-label.yaml | 33 ++++++++ 15 files changed, 482 insertions(+) create mode 100755 kasten-cel/k10-data-protection-by-label/.chainsaw-test/chainsaw-step-01-assert-1.yaml create mode 100755 kasten-cel/k10-data-protection-by-label/.chainsaw-test/chainsaw-step-01-assert-2.yaml create mode 100755 kasten-cel/k10-data-protection-by-label/.chainsaw-test/chainsaw-test.yaml create mode 100644 kasten-cel/k10-data-protection-by-label/.chainsaw-test/deployment-bad-badlabel.yaml create mode 100644 kasten-cel/k10-data-protection-by-label/.chainsaw-test/deployment-bad-nolabel.yaml create mode 100644 kasten-cel/k10-data-protection-by-label/.chainsaw-test/deployment-good.yaml create mode 100644 kasten-cel/k10-data-protection-by-label/.chainsaw-test/nginx-deployment-invalid.yaml create mode 100644 kasten-cel/k10-data-protection-by-label/.chainsaw-test/ns.yaml create mode 100644 kasten-cel/k10-data-protection-by-label/.chainsaw-test/ss-bad-badlabel.yaml create mode 100644 kasten-cel/k10-data-protection-by-label/.chainsaw-test/ss-bad-nolabel.yaml create mode 100644 kasten-cel/k10-data-protection-by-label/.chainsaw-test/ss-good.yaml create mode 100644 kasten-cel/k10-data-protection-by-label/.kyverno-test/kyverno-test.yaml create mode 100644 
kasten-cel/k10-data-protection-by-label/.kyverno-test/nginx-deployment.yaml create mode 100644 kasten-cel/k10-data-protection-by-label/artifacthub-pkg.yml create mode 100644 kasten-cel/k10-data-protection-by-label/k10-data-protection-by-label.yaml diff --git a/kasten-cel/k10-data-protection-by-label/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/kasten-cel/k10-data-protection-by-label/.chainsaw-test/chainsaw-step-01-assert-1.yaml new file mode 100755 index 000000000..4e8dfe8c2 --- /dev/null +++ b/kasten-cel/k10-data-protection-by-label/.chainsaw-test/chainsaw-step-01-assert-1.yaml @@ -0,0 +1,6 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: k10-data-protection-by-label +status: + ready: true diff --git a/kasten-cel/k10-data-protection-by-label/.chainsaw-test/chainsaw-step-01-assert-2.yaml b/kasten-cel/k10-data-protection-by-label/.chainsaw-test/chainsaw-step-01-assert-2.yaml new file mode 100755 index 000000000..d660e00cb --- /dev/null +++ b/kasten-cel/k10-data-protection-by-label/.chainsaw-test/chainsaw-step-01-assert-2.yaml @@ -0,0 +1,13 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: policies.config.kio.kasten.io +spec: {} +status: + acceptedNames: + kind: Policy + listKind: PolicyList + plural: policies + singular: policy + storedVersions: + - v1alpha1 diff --git a/kasten-cel/k10-data-protection-by-label/.chainsaw-test/chainsaw-test.yaml b/kasten-cel/k10-data-protection-by-label/.chainsaw-test/chainsaw-test.yaml new file mode 100755 index 000000000..107d75e22 --- /dev/null +++ b/kasten-cel/k10-data-protection-by-label/.chainsaw-test/chainsaw-test.yaml 
@@ -0,0 +1,60 @@ +# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: k10-data-protection-by-label +spec: + steps: + - name: step-01 + try: + - apply: + file: ../k10-data-protection-by-label.yaml + - patch: + resource: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + metadata: + name: k10-data-protection-by-label + spec: + validationFailureAction: Enforce + - assert: + file: chainsaw-step-01-assert-1.yaml + - assert: + file: chainsaw-step-01-assert-2.yaml + - name: step-02 + try: + - apply: + file: ns.yaml + - apply: + file: deployment-good.yaml + - apply: + file: ss-good.yaml + - apply: + expect: + - check: + ($error != null): true + file: deployment-bad-badlabel.yaml + - apply: + expect: + - check: + ($error != null): true + file: deployment-bad-nolabel.yaml + - apply: + expect: + - check: + ($error != null): true + file: ss-bad-badlabel.yaml + - apply: + expect: + - check: + ($error != null): true + file: ss-bad-nolabel.yaml + - name: step-98 + try: + - script: + content: kubectl delete deployments --all --force --grace-period=0 -n k10-dplabel-ns + - script: + content: kubectl delete statefulsets --all --force --grace-period=0 -n k10-dplabel-ns + - script: + content: kubectl delete pods --all --force --grace-period=0 -n k10-dplabel-ns diff --git a/kasten-cel/k10-data-protection-by-label/.chainsaw-test/deployment-bad-badlabel.yaml b/kasten-cel/k10-data-protection-by-label/.chainsaw-test/deployment-bad-badlabel.yaml new file mode 100644 index 000000000..040ccdb48 --- /dev/null +++ b/kasten-cel/k10-data-protection-by-label/.chainsaw-test/deployment-bad-badlabel.yaml 
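Review bot: nginx-deployment-invalid.yaml, added by the same commit, is never referenced by this Test, so it is a dead fixture; if it were ever applied it would also create a cluster-scoped Namespace `nginx` that the step-98 cleanup scripts do not remove. Either add it to step-02 as an `apply` with `expect: ($error != null): true` (dropping its Namespace document and giving the Deployment `namespace: k10-dplabel-ns`) or delete the file. The bad fixtures (deployment-bad-*.yaml, ss-bad-*.yaml) carry no `namespace:` and so are not covered by the `kubectl delete ... -n k10-dplabel-ns` scripts; that is harmless because they are expected to be rejected, but setting `namespace: k10-dplabel-ns` on them keeps the fixture set uniform.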
@@ -0,0 +1,24 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeploy02 + labels: + app: busybox + purpose: production + dataprotection: foo-bar +spec: + replicas: 1 + selector: + matchLabels: + app: busybox + template: + metadata: + labels: + app: busybox + spec: + containers: + - name: busybox + image: busybox:1.35 + command: + - "sleep" + - "3600" \ No newline at end of file diff --git a/kasten-cel/k10-data-protection-by-label/.chainsaw-test/deployment-bad-nolabel.yaml b/kasten-cel/k10-data-protection-by-label/.chainsaw-test/deployment-bad-nolabel.yaml new file mode 100644 index 000000000..c34fd4785 --- /dev/null +++ b/kasten-cel/k10-data-protection-by-label/.chainsaw-test/deployment-bad-nolabel.yaml @@ -0,0 +1,23 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeploy01 + labels: + app: busybox + purpose: production +spec: + replicas: 1 + selector: + matchLabels: + app: busybox + template: + metadata: + labels: + app: busybox + spec: + containers: + - name: busybox + image: busybox:1.35 + command: + - "sleep" + - "3600" \ No newline at end of file diff --git a/kasten-cel/k10-data-protection-by-label/.chainsaw-test/deployment-good.yaml b/kasten-cel/k10-data-protection-by-label/.chainsaw-test/deployment-good.yaml new file mode 100644 index 000000000..dcf3c489e --- /dev/null +++ b/kasten-cel/k10-data-protection-by-label/.chainsaw-test/deployment-good.yaml 
@@ -0,0 +1,75 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeploy01 + namespace: k10-dplabel-ns + labels: + app: busybox + purpose: production + dataprotection: k10-goldpolicy +spec: + replicas: 1 + selector: + matchLabels: + app: busybox + template: + metadata: + labels: + app: busybox + spec: + containers: + - name: busybox + image: busybox:1.35 + command: + - "sleep" + - "3600" +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeploy02 + namespace: k10-dplabel-ns + labels: + app: busybox + purpose: development + dataprotection: foo-bar +spec: + replicas: 1 + selector: + matchLabels: + app: busybox + template: + metadata: + labels: + app: busybox + spec: + containers: + - name: busybox + image: busybox:1.35 + command: + - "sleep" + - "3600" +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeploy03 + namespace: k10-dplabel-ns + labels: + app: busybox +spec: + replicas: 1 + selector: + matchLabels: + app: busybox + template: + metadata: + labels: + app: busybox + spec: + containers: + - name: busybox + image: busybox:1.35 + command: + - "sleep" + - "3600" \ No newline at end of file diff --git a/kasten-cel/k10-data-protection-by-label/.chainsaw-test/nginx-deployment-invalid.yaml b/kasten-cel/k10-data-protection-by-label/.chainsaw-test/nginx-deployment-invalid.yaml new file mode 100644 index 000000000..566318b81 --- /dev/null +++ b/kasten-cel/k10-data-protection-by-label/.chainsaw-test/nginx-deployment-invalid.yaml @@ -0,0 +1,31 @@ +kind: Namespace +apiVersion: v1 +metadata: + name: nginx + labels: + name: nginx +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: nginx-deployment + namespace: nginx + labels: + app: nginx + purpose: production + dataprotection: none # invalid named K10 Policy!! +spec: + replicas: 3 + selector: + matchLabels: + app: nginx + template: + metadata: + labels: + app: nginx + spec: + containers: + - name: nginx + image: nginx:1.14.2 + ports: + - containerPort: 80 
diff --git a/kasten-cel/k10-data-protection-by-label/.chainsaw-test/ns.yaml b/kasten-cel/k10-data-protection-by-label/.chainsaw-test/ns.yaml new file mode 100644 index 000000000..00e9c20e7 --- /dev/null +++ b/kasten-cel/k10-data-protection-by-label/.chainsaw-test/ns.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: k10-dplabel-ns \ No newline at end of file diff --git a/kasten-cel/k10-data-protection-by-label/.chainsaw-test/ss-bad-badlabel.yaml b/kasten-cel/k10-data-protection-by-label/.chainsaw-test/ss-bad-badlabel.yaml new file mode 100644 index 000000000..cf1a15841 --- /dev/null +++ b/kasten-cel/k10-data-protection-by-label/.chainsaw-test/ss-bad-badlabel.yaml @@ -0,0 +1,23 @@ +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: bad-ss02 + labels: + purpose: production + dataprotection: foo-bar +spec: + selector: + matchLabels: + app: busybox + serviceName: busybox-ss + replicas: 1 + minReadySeconds: 10 + template: + metadata: + labels: + app: busybox + spec: + terminationGracePeriodSeconds: 10 + containers: + - name: busybox + image: busybox:1.35 \ No newline at end of file diff --git a/kasten-cel/k10-data-protection-by-label/.chainsaw-test/ss-bad-nolabel.yaml b/kasten-cel/k10-data-protection-by-label/.chainsaw-test/ss-bad-nolabel.yaml new file mode 100644 index 000000000..397a81231 --- /dev/null +++ b/kasten-cel/k10-data-protection-by-label/.chainsaw-test/ss-bad-nolabel.yaml @@ -0,0 +1,22 @@ +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: bad-ss01 + labels: + purpose: production +spec: + selector: + matchLabels: + app: busybox + serviceName: busybox-ss + replicas: 1 + minReadySeconds: 10 + template: + metadata: + labels: + app: busybox + spec: + terminationGracePeriodSeconds: 10 + containers: + - name: busybox + image: busybox:1.35 \ No newline at end of file 
diff --git a/kasten-cel/k10-data-protection-by-label/.chainsaw-test/ss-good.yaml b/kasten-cel/k10-data-protection-by-label/.chainsaw-test/ss-good.yaml new file mode 100644 index 000000000..bc6216c38 --- /dev/null +++ b/kasten-cel/k10-data-protection-by-label/.chainsaw-test/ss-good.yaml @@ -0,0 +1,65 @@ +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: good-ss01 + namespace: k10-dplabel-ns + labels: + purpose: production + dataprotection: k10-silverpolicy +spec: + selector: + matchLabels: + app: busybox + serviceName: busybox-ss + replicas: 1 + template: + metadata: + labels: + app: busybox + spec: + containers: + - name: busybox + image: busybox:1.35 +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: good-ss02 + namespace: k10-dplabel-ns +spec: + selector: + matchLabels: + app: busybox + serviceName: busybox-ss + replicas: 1 + template: + metadata: + labels: + app: busybox + spec: + containers: + - name: busybox + image: busybox:1.35 +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: good-ss02 + namespace: k10-dplabel-ns + labels: + purpose: development + dataprotection: foo-bar +spec: + selector: + matchLabels: + app: busybox + serviceName: busybox-ss + replicas: 1 + template: + metadata: + labels: + app: busybox + spec: + containers: + - name: busybox + image: busybox:1.35 \ No newline at end of file diff --git a/kasten-cel/k10-data-protection-by-label/.kyverno-test/kyverno-test.yaml b/kasten-cel/k10-data-protection-by-label/.kyverno-test/kyverno-test.yaml new file mode 100644 index 000000000..58f925a36 --- /dev/null +++ b/kasten-cel/k10-data-protection-by-label/.kyverno-test/kyverno-test.yaml 
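Review bot: The second and third StatefulSets in ss-good.yaml are both named `good-ss02` in namespace k10-dplabel-ns, so the third document (`purpose: development`, `dataprotection: foo-bar`) updates the object created by the second instead of creating a new one, and the "no labels at all" case no longer exists as a separate object once the file is applied. Rename the third to `name: good-ss03` so each pass case is a distinct resource. The step-98 `kubectl delete statefulsets --all` cleanup in chainsaw-test.yaml already covers the extra object.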
@@ -0,0 +1,21 @@ +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: kyverno_data_protection_tests +policies: +- ../k10-data-protection-by-label.yaml +resources: +- nginx-deployment.yaml +results: +- kind: Deployment + policy: k10-data-protection-by-label + resources: + - nginx-deployment-invalid + result: fail + rule: k10-data-protection-by-label +- kind: Deployment + policy: k10-data-protection-by-label + resources: + - nginx-deployment + result: pass + rule: k10-data-protection-by-label diff --git a/kasten-cel/k10-data-protection-by-label/.kyverno-test/nginx-deployment.yaml b/kasten-cel/k10-data-protection-by-label/.kyverno-test/nginx-deployment.yaml new file mode 100644 index 000000000..9ceb00a66 --- /dev/null +++ b/kasten-cel/k10-data-protection-by-label/.kyverno-test/nginx-deployment.yaml @@ -0,0 +1,60 @@ +kind: Namespace +apiVersion: v1 +metadata: + name: nginx + labels: + name: nginx + purpose: production + dataprotection: k10-goldpolicy + immutable: enabled +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: nginx-deployment + namespace: nginx + labels: + app: nginx + purpose: production + dataprotection: k10-goldpolicy # set a policy to use our 'gold' standard data protection policy (generate-gold-backup-policy) + immutable: enabled +spec: + replicas: 3 + selector: + matchLabels: + app: nginx + template: + metadata: + labels: + app: nginx + spec: + containers: + - name: nginx + image: nginx:1.14.2 + ports: + - containerPort: 80 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: nginx-deployment-invalid + namespace: nginx + labels: + app: nginx + purpose: production + dataprotection: none # invalid named K10 Policy!! +spec: + replicas: 3 + selector: + matchLabels: + app: nginx + template: + metadata: + labels: + app: nginx + spec: + containers: + - name: nginx + image: nginx:1.14.2 + ports: + - containerPort: 80 
diff --git a/kasten-cel/k10-data-protection-by-label/artifacthub-pkg.yml b/kasten-cel/k10-data-protection-by-label/artifacthub-pkg.yml new file mode 100644 index 000000000..fc23cdbe9 --- /dev/null +++ b/kasten-cel/k10-data-protection-by-label/artifacthub-pkg.yml @@ -0,0 +1,22 @@ +name: k10-data-protection-by-label +version: 1.0.0 +displayName: Check Data Protection By Label +createdAt: "2023-04-10T20:12:53.000Z" +description: >- + Check the 'dataprotection' label that production Deployments and StatefulSet have a named K10 Policy. Use in combination with 'generate' ClusterPolicy to 'generate' a specific K10 Policy by name. +install: |- + ```shell + kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/kasten/k10-data-protection-by-label/k10-data-protection-by-label.yaml + ``` +keywords: + - kyverno + - Kasten K10 by Veeam +readme: | + Check the 'dataprotection' label that production Deployments and StatefulSet have a named K10 Policy. Use in combination with 'generate' ClusterPolicy to 'generate' a specific K10 Policy by name. + + Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ +annotations: + kyverno/category: "Kasten K10 by Veeam" + kyverno/kubernetesVersion: "1.21-1.22" + kyverno/subject: "Deployment, StatefulSet" +digest: 7f4a303a81cd673f876f42a4c8bf74f4d197f0a005907f2b3d09f3745bb749dc diff --git a/kasten-cel/k10-data-protection-by-label/k10-data-protection-by-label.yaml b/kasten-cel/k10-data-protection-by-label/k10-data-protection-by-label.yaml new file mode 100644 index 000000000..03e0606cf --- /dev/null +++ b/kasten-cel/k10-data-protection-by-label/k10-data-protection-by-label.yaml 
@@ -0,0 +1,33 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: k10-data-protection-by-label + annotations: + policies.kyverno.io/title: Check Data Protection By Label + policies.kyverno.io/category: Kasten K10 by Veeam + kyverno.io/kyverno-version: 1.6.2 + policies.kyverno.io/minversion: 1.6.2 + kyverno.io/kubernetes-version: "1.21-1.22" + policies.kyverno.io/subject: Deployment, StatefulSet + policies.kyverno.io/description: >- + Check the 'dataprotection' label that production Deployments and StatefulSet have a named K10 Policy. + Use in combination with 'generate' ClusterPolicy to 'generate' a specific K10 Policy by name. +spec: + validationFailureAction: audit + rules: + - name: k10-data-protection-by-label + match: + any: + - resources: + kinds: + - Deployment + - StatefulSet + selector: + matchLabels: + purpose: production + validate: + message: "Deployments and StatefulSets that specify 'dataprotection' label must have a valid k10-?* name (use labels: dataprotection: k10-)" + pattern: + metadata: + labels: + dataprotection: "k10-*" From c6fe9c5258bd6c7089cade177e65a8576298e729 Mon Sep 17 00:00:00 2001 From: Chandan-DK Date: Sun, 12 May 2024 07:06:16 +0000 Subject: [PATCH 24/32] convert k10-data-protection-by-label Signed-off-by: Chandan-DK --- .../artifacthub-pkg.yml | 16 ++++++++------ .../k10-data-protection-by-label.yaml | 22 +++++++++---------- 2 files changed, 20 insertions(+), 18 deletions(-) diff --git a/kasten-cel/k10-data-protection-by-label/artifacthub-pkg.yml b/kasten-cel/k10-data-protection-by-label/artifacthub-pkg.yml index fc23cdbe9..008b570cb 100644 --- a/kasten-cel/k10-data-protection-by-label/artifacthub-pkg.yml +++ b/kasten-cel/k10-data-protection-by-label/artifacthub-pkg.yml 
@@ -1,22 +1,24 @@ -name: k10-data-protection-by-label +name: k10-data-protection-by-label-cel version: 1.0.0 -displayName: Check Data Protection By Label -createdAt: "2023-04-10T20:12:53.000Z" +displayName: Check Data Protection By Label in CEL expressions description: >- Check the 'dataprotection' label that production Deployments and StatefulSet have a named K10 Policy. Use in combination with 'generate' ClusterPolicy to 'generate' a specific K10 Policy by name. install: |- ```shell - kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/kasten/k10-data-protection-by-label/k10-data-protection-by-label.yaml + kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/kasten-cel/k10-data-protection-by-label/k10-data-protection-by-label.yaml ``` keywords: - kyverno - Kasten K10 by Veeam + - CEL Expressions readme: | Check the 'dataprotection' label that production Deployments and StatefulSet have a named K10 Policy. Use in combination with 'generate' ClusterPolicy to 'generate' a specific K10 Policy by name. Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ annotations: - kyverno/category: "Kasten K10 by Veeam" - kyverno/kubernetesVersion: "1.21-1.22" + kyverno/category: "Kasten K10 by Veeam in CEL" + kyverno/kubernetesVersion: "1.26-1.27" kyverno/subject: "Deployment, StatefulSet" -digest: 7f4a303a81cd673f876f42a4c8bf74f4d197f0a005907f2b3d09f3745bb749dc +digest: 4df1046ee3ba0839eb9598f6fff8f70ff2ae8567b83c285e01861eb5e40bc69d +createdAt: "2024-05-12T07:05:48Z" + diff --git a/kasten-cel/k10-data-protection-by-label/k10-data-protection-by-label.yaml b/kasten-cel/k10-data-protection-by-label/k10-data-protection-by-label.yaml index 03e0606cf..5380dda59 100644 --- a/kasten-cel/k10-data-protection-by-label/k10-data-protection-by-label.yaml +++ b/kasten-cel/k10-data-protection-by-label/k10-data-protection-by-label.yaml 
@@ -3,17 +3,17 @@ kind: ClusterPolicy metadata: name: k10-data-protection-by-label annotations: - policies.kyverno.io/title: Check Data Protection By Label - policies.kyverno.io/category: Kasten K10 by Veeam - kyverno.io/kyverno-version: 1.6.2 - policies.kyverno.io/minversion: 1.6.2 - kyverno.io/kubernetes-version: "1.21-1.22" + policies.kyverno.io/title: Check Data Protection By Label in CEL expressions + policies.kyverno.io/category: Kasten K10 by Veeam in CEL + kyverno.io/kyverno-version: 1.11.0 + policies.kyverno.io/minversion: 1.11.0 + kyverno.io/kubernetes-version: "1.26-1.27" policies.kyverno.io/subject: Deployment, StatefulSet policies.kyverno.io/description: >- Check the 'dataprotection' label that production Deployments and StatefulSet have a named K10 Policy. Use in combination with 'generate' ClusterPolicy to 'generate' a specific K10 Policy by name. spec: - validationFailureAction: audit + validationFailureAction: Audit rules: - name: k10-data-protection-by-label match: @@ -26,8 +26,8 @@ spec: matchLabels: purpose: production validate: - message: "Deployments and StatefulSets that specify 'dataprotection' label must have a valid k10-?* name (use labels: dataprotection: k10-)" - pattern: - metadata: - labels: - dataprotection: "k10-*" + cel: + expressions: + - expression: "has(object.metadata.labels) && has(object.metadata.labels.dataprotection) && object.metadata.labels.dataprotection.startsWith('k10-')" + message: "Deployments and StatefulSets that specify 'dataprotection' label must have a valid k10-?* name (use labels: dataprotection: k10-)" + From dcadbf71a65481f6b7c55bc69e582912055c588c Mon Sep 17 00:00:00 2001 From: Chandan-DK Date: Sun, 12 May 2024 07:06:59 +0000 Subject: [PATCH 25/32] copy k10-hourly-rpo 
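Review bot: The new expression `object.metadata.labels.dataprotection.startsWith('k10-')` accepts the bare value `k10-`, while the unchanged message promises a `k10-?*` name with at least one character after the prefix; the old `k10-*` pattern had the same gap, so the conversion is faithful, but this is the moment to close it with `object.metadata.labels.dataprotection.matches('^k10-.+$')` or to soften the message. The leading `has(object.metadata.labels)` is redundant because the rule only matches objects whose `purpose: production` label already exists, but it is harmless and keeps the expression safe if the selector is ever loosened. A comment above the expression would help operators understand the limit of the check: `# Naming check only: a k10-* value does not prove a K10 Policy of that name exists; pair with the generate policy mentioned in the description.` The policy stays at `Audit`, so a non-compliant label is reported rather than blocked, which matches the advisory wording of the description.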
Signed-off-by: Chandan-DK --- .../chainsaw-step-01-assert-1.yaml | 6 ++ .../chainsaw-step-01-assert-2.yaml | 13 ++++ .../.chainsaw-test/chainsaw-test.yaml | 33 +++++++++ .../.chainsaw-test/k10-bad-policy.yaml | 34 +++++++++ .../.chainsaw-test/k10-good-policy.yaml | 34 +++++++++ .../.kyverno-test/backup-export-policy.yaml | 73 +++++++++++++++++++ .../.kyverno-test/kyverno-test.yaml | 21 ++++++ kasten-cel/k10-hourly-rpo/artifacthub-pkg.yml | 22 ++++++ kasten-cel/k10-hourly-rpo/k10-hourly-rpo.yaml | 32 ++++++++ 9 files changed, 268 insertions(+) create mode 100755 kasten-cel/k10-hourly-rpo/.chainsaw-test/chainsaw-step-01-assert-1.yaml create mode 100755 kasten-cel/k10-hourly-rpo/.chainsaw-test/chainsaw-step-01-assert-2.yaml create mode 100755 kasten-cel/k10-hourly-rpo/.chainsaw-test/chainsaw-test.yaml create mode 100644 kasten-cel/k10-hourly-rpo/.chainsaw-test/k10-bad-policy.yaml create mode 100644 kasten-cel/k10-hourly-rpo/.chainsaw-test/k10-good-policy.yaml create mode 100644 kasten-cel/k10-hourly-rpo/.kyverno-test/backup-export-policy.yaml create mode 100644 kasten-cel/k10-hourly-rpo/.kyverno-test/kyverno-test.yaml create mode 100644 kasten-cel/k10-hourly-rpo/artifacthub-pkg.yml create mode 100644 kasten-cel/k10-hourly-rpo/k10-hourly-rpo.yaml diff --git a/kasten-cel/k10-hourly-rpo/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/kasten-cel/k10-hourly-rpo/.chainsaw-test/chainsaw-step-01-assert-1.yaml new file mode 100755 index 000000000..3fa1c7221 --- /dev/null +++ b/kasten-cel/k10-hourly-rpo/.chainsaw-test/chainsaw-step-01-assert-1.yaml @@ -0,0 +1,6 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: k10-policy-hourly-rpo +status: + ready: true diff --git a/kasten-cel/k10-hourly-rpo/.chainsaw-test/chainsaw-step-01-assert-2.yaml b/kasten-cel/k10-hourly-rpo/.chainsaw-test/chainsaw-step-01-assert-2.yaml new file mode 100755 index 000000000..d660e00cb --- /dev/null +++ b/kasten-cel/k10-hourly-rpo/.chainsaw-test/chainsaw-step-01-assert-2.yaml 
@@ -0,0 +1,13 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: policies.config.kio.kasten.io +spec: {} +status: + acceptedNames: + kind: Policy + listKind: PolicyList + plural: policies + singular: policy + storedVersions: + - v1alpha1 diff --git a/kasten-cel/k10-hourly-rpo/.chainsaw-test/chainsaw-test.yaml b/kasten-cel/k10-hourly-rpo/.chainsaw-test/chainsaw-test.yaml new file mode 100755 index 000000000..8630e0e9a --- /dev/null +++ b/kasten-cel/k10-hourly-rpo/.chainsaw-test/chainsaw-test.yaml @@ -0,0 +1,33 @@ +# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: k10-hourly-rpo +spec: + steps: + - name: step-01 + try: + - apply: + file: ../k10-hourly-rpo.yaml + - patch: + resource: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + metadata: + name: k10-policy-hourly-rpo + spec: + validationFailureAction: Enforce + - assert: + file: chainsaw-step-01-assert-1.yaml + - assert: + file: chainsaw-step-01-assert-2.yaml + - name: step-02 + try: + - apply: + file: k10-good-policy.yaml + - apply: + expect: + - check: + ($error != null): true + file: k10-bad-policy.yaml diff --git a/kasten-cel/k10-hourly-rpo/.chainsaw-test/k10-bad-policy.yaml b/kasten-cel/k10-hourly-rpo/.chainsaw-test/k10-bad-policy.yaml new file mode 100644 index 000000000..1bc2dd2d6 --- /dev/null +++ b/kasten-cel/k10-hourly-rpo/.chainsaw-test/k10-bad-policy.yaml 
@@ -0,0 +1,34 @@ +apiVersion: config.kio.kasten.io/v1alpha1 +kind: Policy +metadata: + name: k10-hourlyrpo-badpolicy01 + labels: + appPriority: Mission-Critical +spec: + comment: My sample custom backup policy + frequency: '@daily' + subFrequency: + minutes: [30] + hours: [22,7] + weekdays: [5] + days: [15] + retention: + daily: 14 + weekly: 4 + monthly: 6 + actions: + - action: backup + - action: export + exportParameters: + frequency: '@monthly' + profile: + name: my-profile + namespace: kasten-io + exportData: + enabled: true + retention: + monthly: 12 + yearly: 5 + selector: + matchLabels: + k10.kasten.io/appNamespace: sampleApp \ No newline at end of file diff --git a/kasten-cel/k10-hourly-rpo/.chainsaw-test/k10-good-policy.yaml b/kasten-cel/k10-hourly-rpo/.chainsaw-test/k10-good-policy.yaml new file mode 100644 index 000000000..8acf13284 --- /dev/null +++ b/kasten-cel/k10-hourly-rpo/.chainsaw-test/k10-good-policy.yaml @@ -0,0 +1,34 @@ +apiVersion: config.kio.kasten.io/v1alpha1 +kind: Policy +metadata: + name: k10-hourlyrpo-goodpolicy01 + labels: + appPriority: Mission-Critical +spec: + comment: My sample custom backup policy + frequency: '@hourly' + subFrequency: + minutes: [30] + hours: [22,7] + weekdays: [5] + days: [15] + retention: + daily: 14 + weekly: 4 + monthly: 6 + actions: + - action: backup + - action: export + exportParameters: + frequency: '@monthly' + profile: + name: my-profile + namespace: kasten-io + exportData: + enabled: true + retention: + monthly: 12 + yearly: 5 + selector: + matchLabels: + k10.kasten.io/appNamespace: sampleApp \ No newline at end of file diff --git a/kasten-cel/k10-hourly-rpo/.kyverno-test/backup-export-policy.yaml b/kasten-cel/k10-hourly-rpo/.kyverno-test/backup-export-policy.yaml new file mode 100644 index 000000000..96430f81a --- /dev/null +++ b/kasten-cel/k10-hourly-rpo/.kyverno-test/backup-export-policy.yaml 
@@ -0,0 +1,73 @@ +# An example compliant K10 Policy +apiVersion: config.kio.kasten.io/v1alpha1 +kind: Policy +metadata: + name: hourly-policy + namespace: kasten-io + labels: + appPriority: Mission-Critical +spec: + comment: My sample custom backup policy + frequency: '@hourly' # change this to @daily to test the 'audit_mission_critical_RPO' policy + subFrequency: + minutes: [30] + hours: [22,7] + weekdays: [5] + days: [15] + retention: + daily: 14 + weekly: 4 + monthly: 6 + actions: + - action: backup + - action: export # comment this line out to test 'enforce_3-2-1' policy + exportParameters: + frequency: '@monthly' + profile: + name: my-profile + namespace: kasten-io + exportData: + enabled: true + retention: + monthly: 12 + yearly: 5 + selector: + matchLabels: + k10.kasten.io/appNamespace: sampleApp +--- +# An example compliant K10 Policy +apiVersion: config.kio.kasten.io/v1alpha1 +kind: Policy +metadata: + name: daily-policy + namespace: kasten-io + labels: + appPriority: Mission-Critical +spec: + comment: My sample custom backup policy + frequency: '@daily' # change this to @daily to test the 'audit_mission_critical_RPO' policy + subFrequency: + minutes: [30] + hours: [22,7] + weekdays: [5] + days: [15] + retention: + daily: 14 + weekly: 4 + monthly: 6 + actions: + - action: backup + - action: export # comment this line out to test 'enforce_3-2-1' policy + exportParameters: + frequency: '@monthly' + profile: + name: my-profile + namespace: kasten-io + exportData: + enabled: true + retention: + monthly: 12 + yearly: 5 + selector: + matchLabels: + k10.kasten.io/appNamespace: sampleApp diff --git a/kasten-cel/k10-hourly-rpo/.kyverno-test/kyverno-test.yaml b/kasten-cel/k10-hourly-rpo/.kyverno-test/kyverno-test.yaml new file mode 100644 index 000000000..965e355f5 --- /dev/null +++ b/kasten-cel/k10-hourly-rpo/.kyverno-test/kyverno-test.yaml 
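Review bot: The second document in backup-export-policy.yaml is headed `# An example compliant K10 Policy` yet it is the `daily-policy` that kyverno-test.yaml expects to fail, and its inline comment `# change this to @daily to test the 'audit_mission_critical_RPO' policy` is a leftover from copying the hourly document. Change the header to `# An example NON-compliant K10 Policy: @daily is rejected for appPriority: Mission-Critical` and drop the stale inline comment so the fixture documents itself. The `# comment this line out to test 'enforce_3-2-1' policy` remarks appear to refer to a different policy than the one under test here and could be removed as well.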
@@ -0,0 +1,21 @@ +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: kyverno_data_protection_tests +policies: +- ../k10-hourly-rpo.yaml +resources: +- backup-export-policy.yaml +results: +- kind: Policy + policy: k10-policy-hourly-rpo + resources: + - daily-policy + result: fail + rule: k10-policy-hourly-rpo +- kind: Policy + policy: k10-policy-hourly-rpo + resources: + - hourly-policy + result: pass + rule: k10-policy-hourly-rpo diff --git a/kasten-cel/k10-hourly-rpo/artifacthub-pkg.yml b/kasten-cel/k10-hourly-rpo/artifacthub-pkg.yml new file mode 100644 index 000000000..c16fb3023 --- /dev/null +++ b/kasten-cel/k10-hourly-rpo/artifacthub-pkg.yml @@ -0,0 +1,22 @@ +name: k10-hourly-rpo +version: 1.0.0 +displayName: Check Hourly RPO +createdAt: "2023-04-10T20:12:53.000Z" +description: >- + K10 Policy resources can be educated to adhere to common Recovery Point Objective (RPO) best practices. This policy is advising to use an RPO frequency that with hourly granularity if it has the appPriority: Mission Critical +install: |- + ```shell + kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/kasten/k10-hourly-rpo/k10-hourly-rpo.yaml + ``` +keywords: + - kyverno + - Kasten K10 by Veeam +readme: | + K10 Policy resources can be educated to adhere to common Recovery Point Objective (RPO) best practices. This policy is advising to use an RPO frequency that with hourly granularity if it has the appPriority: Mission Critical + + Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ +annotations: + kyverno/category: "Kasten K10 by Veeam" + kyverno/kubernetesVersion: "1.21-1.22" + kyverno/subject: "Policy" +digest: 8be5a4f3ab8198e567ab442b59755c08bbb0ef72ff340a5c52821199c7ee80fa diff --git a/kasten-cel/k10-hourly-rpo/k10-hourly-rpo.yaml b/kasten-cel/k10-hourly-rpo/k10-hourly-rpo.yaml new file mode 100644 index 000000000..05515c682 --- /dev/null 
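Review bot: The CLI test is named `kyverno_data_protection_tests`, the same `metadata.name` used by the k10-data-protection-by-label test earlier in this series, so two unrelated tests report under one name. Use a policy-specific name such as `k10-hourly-rpo-test`, matching the `k10-validate-ns-by-preset-label-test` convention used later in the series.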
+++ b/kasten-cel/k10-hourly-rpo/k10-hourly-rpo.yaml @@ -0,0 +1,32 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: k10-policy-hourly-rpo + annotations: + policies.kyverno.io/title: Check Hourly RPO + policies.kyverno.io/category: Kasten K10 by Veeam + kyverno.io/kyverno-version: 1.6.2 + policies.kyverno.io/minversion: 1.6.2 + kyverno.io/kubernetes-version: "1.21-1.22" + policies.kyverno.io/subject: Policy + policies.kyverno.io/description: >- + K10 Policy resources can be educated to adhere to common Recovery Point Objective (RPO) best practices. + This policy is advising to use an RPO frequency that with hourly granularity if it has the appPriority: Mission Critical +spec: + validationFailureAction: audit + rules: + - name: k10-policy-hourly-rpo + match: + any: + - resources: + kinds: + - config.kio.kasten.io/v1alpha1/Policy + selector: + matchLabels: + appPriority: Mission-Critical + validate: + message: "Mission Critical RPO frequency should use no shorter than @hourly frequency" + pattern: + spec: + frequency: '@hourly' # In K10, this is checking Hourly at the action: backup level. By default, any action: export will use the action: backup frequency. + From 046781b8e890f7a7e711f41efb48ce79052fc816 Mon Sep 17 00:00:00 2001 From: Chandan-DK Date: Sun, 12 May 2024 07:07:47 +0000 Subject: [PATCH 26/32] convert k10-hourly-rpo Signed-off-by: Chandan-DK --- kasten-cel/k10-hourly-rpo/artifacthub-pkg.yml | 16 ++++++++------- kasten-cel/k10-hourly-rpo/k10-hourly-rpo.yaml | 20 +++++++++---------- 2 files changed, 19 insertions(+), 17 deletions(-) diff --git a/kasten-cel/k10-hourly-rpo/artifacthub-pkg.yml b/kasten-cel/k10-hourly-rpo/artifacthub-pkg.yml index c16fb3023..690cab2b7 100644 --- a/kasten-cel/k10-hourly-rpo/artifacthub-pkg.yml +++ b/kasten-cel/k10-hourly-rpo/artifacthub-pkg.yml 
@@ -1,22 +1,24 @@ -name: k10-hourly-rpo +name: k10-hourly-rpo-cel version: 1.0.0 -displayName: Check Hourly RPO -createdAt: "2023-04-10T20:12:53.000Z" +displayName: Check Hourly RPO in CEL expressions description: >- K10 Policy resources can be educated to adhere to common Recovery Point Objective (RPO) best practices. This policy is advising to use an RPO frequency that with hourly granularity if it has the appPriority: Mission Critical install: |- ```shell - kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/kasten/k10-hourly-rpo/k10-hourly-rpo.yaml + kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/kasten-cel/k10-hourly-rpo/k10-hourly-rpo.yaml ``` keywords: - kyverno - Kasten K10 by Veeam + - CEL Expressions readme: | K10 Policy resources can be educated to adhere to common Recovery Point Objective (RPO) best practices. This policy is advising to use an RPO frequency that with hourly granularity if it has the appPriority: Mission Critical Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ annotations: - kyverno/category: "Kasten K10 by Veeam" - kyverno/kubernetesVersion: "1.21-1.22" + kyverno/category: "Kasten K10 by Veeam in CEL" + kyverno/kubernetesVersion: "1.26-1.27" kyverno/subject: "Policy" -digest: 8be5a4f3ab8198e567ab442b59755c08bbb0ef72ff340a5c52821199c7ee80fa +digest: 1d7655c85db2e02fd3497596f1a333759a0c5baec9fc7b0efdb867ba89a673f3 +createdAt: "2024-05-12T07:07:31Z" + diff --git a/kasten-cel/k10-hourly-rpo/k10-hourly-rpo.yaml b/kasten-cel/k10-hourly-rpo/k10-hourly-rpo.yaml index 05515c682..a73f18786 100644 --- a/kasten-cel/k10-hourly-rpo/k10-hourly-rpo.yaml +++ b/kasten-cel/k10-hourly-rpo/k10-hourly-rpo.yaml 
@@ -3,17 +3,17 @@ kind: ClusterPolicy metadata: name: k10-policy-hourly-rpo annotations: - policies.kyverno.io/title: Check Hourly RPO - policies.kyverno.io/category: Kasten K10 by Veeam - kyverno.io/kyverno-version: 1.6.2 - policies.kyverno.io/minversion: 1.6.2 - kyverno.io/kubernetes-version: "1.21-1.22" + policies.kyverno.io/title: Check Hourly RPO in CEL expressions + policies.kyverno.io/category: Kasten K10 by Veeam in CEL + kyverno.io/kyverno-version: 1.11.0 + policies.kyverno.io/minversion: 1.11.0 + kyverno.io/kubernetes-version: "1.26-1.27" policies.kyverno.io/subject: Policy policies.kyverno.io/description: >- K10 Policy resources can be educated to adhere to common Recovery Point Objective (RPO) best practices. This policy is advising to use an RPO frequency that with hourly granularity if it has the appPriority: Mission Critical spec: - validationFailureAction: audit + validationFailureAction: Audit rules: - name: k10-policy-hourly-rpo match: @@ -25,8 +25,8 @@ spec: matchLabels: appPriority: Mission-Critical validate: - message: "Mission Critical RPO frequency should use no shorter than @hourly frequency" - pattern: - spec: - frequency: '@hourly' # In K10, this is checking Hourly at the action: backup level. By default, any action: export will use the action: backup frequency. + cel: + expressions: + - expression: "has(object.spec.frequency) && object.spec.frequency == '@hourly'" + message: "Mission Critical RPO frequency should use no shorter than @hourly frequency" From 3354995d63bc3cb02cd40fadbe0c983c2fb1dfd7 Mon Sep 17 00:00:00 2001 From: Chandan-DK Date: Sun, 12 May 2024 07:08:27 +0000 Subject: [PATCH 27/32] copy k10-validate-ns-by-preset-label 
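Review bot: The retained message `Mission Critical RPO frequency should use no shorter than @hourly frequency` reads as if a longer interval such as `@daily` were acceptable, yet the new expression `object.spec.frequency == '@hourly'` rejects exactly that and the fixture `daily-policy` is expected to fail. Reword it to state the actual rule, e.g. `Policies labelled appPriority: Mission-Critical must set spec.frequency to '@hourly'`. The conversion also dropped the explanatory comment that sat on the old pattern line (that the check applies to the backup action's frequency and that exports inherit it by default); restore it as a YAML comment above the expression so the scope of the check is not lost. Note that the equality check treats any other value, including a missing `spec.frequency`, as a violation, which is presumably also how the old pattern behaved.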
Signed-off-by: Chandan-DK --- .../chainsaw-step-01-assert-1.yaml | 6 +++ .../chainsaw-step-01-assert-2.yaml | 13 ++++++ .../.chainsaw-test/chainsaw-test.yaml | 33 +++++++++++++++ .../.chainsaw-test/ns-bad.yaml | 11 +++++ .../.chainsaw-test/ns-good.yaml | 27 +++++++++++++ .../.kyverno-test/kyverno-test.yaml | 24 +++++++++++ .../.kyverno-test/test-resource.yaml | 32 +++++++++++++++ .../artifacthub-pkg.yml | 22 ++++++++++ .../k10-validate-ns-by-preset-label.yaml | 40 +++++++++++++++++++ 9 files changed, 208 insertions(+) create mode 100755 kasten-cel/k10-validate-ns-by-preset-label/.chainsaw-test/chainsaw-step-01-assert-1.yaml create mode 100755 kasten-cel/k10-validate-ns-by-preset-label/.chainsaw-test/chainsaw-step-01-assert-2.yaml create mode 100755 kasten-cel/k10-validate-ns-by-preset-label/.chainsaw-test/chainsaw-test.yaml create mode 100644 kasten-cel/k10-validate-ns-by-preset-label/.chainsaw-test/ns-bad.yaml create mode 100644 kasten-cel/k10-validate-ns-by-preset-label/.chainsaw-test/ns-good.yaml create mode 100644 kasten-cel/k10-validate-ns-by-preset-label/.kyverno-test/kyverno-test.yaml create mode 100644 kasten-cel/k10-validate-ns-by-preset-label/.kyverno-test/test-resource.yaml create mode 100644 kasten-cel/k10-validate-ns-by-preset-label/artifacthub-pkg.yml create mode 100644 kasten-cel/k10-validate-ns-by-preset-label/k10-validate-ns-by-preset-label.yaml diff --git a/kasten-cel/k10-validate-ns-by-preset-label/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/kasten-cel/k10-validate-ns-by-preset-label/.chainsaw-test/chainsaw-step-01-assert-1.yaml new file mode 100755 index 000000000..27e86f51b --- /dev/null +++ b/kasten-cel/k10-validate-ns-by-preset-label/.chainsaw-test/chainsaw-step-01-assert-1.yaml @@ -0,0 +1,6 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: k10-validate-ns-by-preset-label +status: + ready: true 
diff --git a/kasten-cel/k10-validate-ns-by-preset-label/.chainsaw-test/chainsaw-step-01-assert-2.yaml b/kasten-cel/k10-validate-ns-by-preset-label/.chainsaw-test/chainsaw-step-01-assert-2.yaml new file mode 100755 index 000000000..d660e00cb --- /dev/null +++ b/kasten-cel/k10-validate-ns-by-preset-label/.chainsaw-test/chainsaw-step-01-assert-2.yaml @@ -0,0 +1,13 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: policies.config.kio.kasten.io +spec: {} +status: + acceptedNames: + kind: Policy + listKind: PolicyList + plural: policies + singular: policy + storedVersions: + - v1alpha1 diff --git a/kasten-cel/k10-validate-ns-by-preset-label/.chainsaw-test/chainsaw-test.yaml b/kasten-cel/k10-validate-ns-by-preset-label/.chainsaw-test/chainsaw-test.yaml new file mode 100755 index 000000000..3427db172 --- /dev/null +++ b/kasten-cel/k10-validate-ns-by-preset-label/.chainsaw-test/chainsaw-test.yaml @@ -0,0 +1,33 @@ +# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: k10-validate-ns-by-preset-label +spec: + steps: + - name: step-01 + try: + - apply: + file: ../k10-validate-ns-by-preset-label.yaml + - patch: + resource: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + metadata: + name: k10-validate-ns-by-preset-label + spec: + validationFailureAction: Enforce + - assert: + file: chainsaw-step-01-assert-1.yaml + - assert: + file: chainsaw-step-01-assert-2.yaml + - name: step-02 + try: + - apply: + file: ns-good.yaml + - apply: + expect: + - check: + ($error != null): true + file: ns-bad.yaml diff --git a/kasten-cel/k10-validate-ns-by-preset-label/.chainsaw-test/ns-bad.yaml b/kasten-cel/k10-validate-ns-by-preset-label/.chainsaw-test/ns-bad.yaml new file mode 100644 index 000000000..baf81215b --- /dev/null 
+++ b/kasten-cel/k10-validate-ns-by-preset-label/.chainsaw-test/ns-bad.yaml @@ -0,0 +1,11 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: k10-validatens-badns01 + labels: + dataprotection: foo-bar +--- +apiVersion: v1 +kind: Namespace +metadata: + name: k10-validatens-badns02 \ No newline at end of file diff --git a/kasten-cel/k10-validate-ns-by-preset-label/.chainsaw-test/ns-good.yaml b/kasten-cel/k10-validate-ns-by-preset-label/.chainsaw-test/ns-good.yaml new file mode 100644 index 000000000..f9fcdc245 --- /dev/null +++ b/kasten-cel/k10-validate-ns-by-preset-label/.chainsaw-test/ns-good.yaml @@ -0,0 +1,27 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: k10-validatens-goodns01 + labels: + dataprotection: gold +--- +apiVersion: v1 +kind: Namespace +metadata: + name: k10-validatens-goodns02 + labels: + dataprotection: silver +--- +apiVersion: v1 +kind: Namespace +metadata: + name: k10-validatens-goodns03 + labels: + dataprotection: bronze +--- +apiVersion: v1 +kind: Namespace +metadata: + name: k10-validatens-goodns04 + labels: + dataprotection: none \ No newline at end of file diff --git a/kasten-cel/k10-validate-ns-by-preset-label/.kyverno-test/kyverno-test.yaml b/kasten-cel/k10-validate-ns-by-preset-label/.kyverno-test/kyverno-test.yaml new file mode 100644 index 000000000..440c95426 --- /dev/null +++ b/kasten-cel/k10-validate-ns-by-preset-label/.kyverno-test/kyverno-test.yaml @@ -0,0 +1,24 @@ +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: k10-validate-ns-by-preset-label-test +policies: +- ../k10-validate-ns-by-preset-label.yaml +resources: +- test-resource.yaml +results: +- kind: Namespace + policy: k10-validate-ns-by-preset-label + resources: + - namespace-invalid + result: fail + rule: k10-validate-ns-by-preset-label +- kind: Namespace + policy: k10-validate-ns-by-preset-label + resources: + - namespace-gold + - namespace-silver + - namespace-bronze + - namespace-none + result: pass + rule: k10-validate-ns-by-preset-label 
diff --git a/kasten-cel/k10-validate-ns-by-preset-label/.kyverno-test/test-resource.yaml b/kasten-cel/k10-validate-ns-by-preset-label/.kyverno-test/test-resource.yaml new file mode 100644 index 000000000..f5dc36f2b --- /dev/null +++ b/kasten-cel/k10-validate-ns-by-preset-label/.kyverno-test/test-resource.yaml @@ -0,0 +1,32 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: namespace-gold + labels: + dataprotection: gold +--- +apiVersion: v1 +kind: Namespace +metadata: + name: namespace-silver + labels: + dataprotection: silver +--- +apiVersion: v1 +kind: Namespace +metadata: + name: namespace-bronze + labels: + dataprotection: bronze +--- +apiVersion: v1 +kind: Namespace +metadata: + name: namespace-none + labels: + dataprotection: none +--- +apiVersion: v1 +kind: Namespace +metadata: + name: namespace-invalid \ No newline at end of file diff --git a/kasten-cel/k10-validate-ns-by-preset-label/artifacthub-pkg.yml b/kasten-cel/k10-validate-ns-by-preset-label/artifacthub-pkg.yml new file mode 100644 index 000000000..974e820f5 --- /dev/null +++ b/kasten-cel/k10-validate-ns-by-preset-label/artifacthub-pkg.yml 
@@ -0,0 +1,22 @@ +name: k10-validate-ns-by-preset-label +version: 1.0.0 +displayName: Validate Data Protection by Preset Label +createdAt: "2023-04-10T20:12:53.000Z" +description: >- + Kubernetes applications are typically deployed into a single, logical namespace. Kasten K10 policies will discover and protect all resources within the selected namespace(s). This policy ensures all new namespaces include a label referencing a valid K10 SLA (Policy Preset) for data protection. This policy can be used in combination with generate ClusterPolicy to automatically create a K10 policy based on the specified SLA. The combination ensures that new applications are not inadvertently left unprotected. +install: |- + ```shell + kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/kasten/k10-validate-ns-by-preset-label/k10-validate-ns-by-preset-label.yaml + ``` +keywords: + - kyverno + - Kasten K10 by Veeam +readme: | + Kubernetes applications are typically deployed into a single, logical namespace. Kasten K10 policies will discover and protect all resources within the selected namespace(s). This policy ensures all new namespaces include a label referencing a valid K10 SLA (Policy Preset) for data protection. This policy can be used in combination with generate ClusterPolicy to automatically create a K10 policy based on the specified SLA. The combination ensures that new applications are not inadvertently left unprotected. + + Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ +annotations: + kyverno/category: "Kasten K10 by Veeam" + kyverno/kubernetesVersion: "1.23" + kyverno/subject: "Namespace" +digest: 0c7cc8aa1bf25584958af7ff3fedfa8cae398b7cde007ea73cf0a7653447e454 diff --git a/kasten-cel/k10-validate-ns-by-preset-label/k10-validate-ns-by-preset-label.yaml b/kasten-cel/k10-validate-ns-by-preset-label/k10-validate-ns-by-preset-label.yaml new file mode 100644 index 000000000..5cb0e82b1 
--- /dev/null +++ b/kasten-cel/k10-validate-ns-by-preset-label/k10-validate-ns-by-preset-label.yaml @@ -0,0 +1,40 @@ +#NOTE: This example assumes that K10 policy presets named "gold", "silver", and "bronze" have been pre-created and K10 was deployed into the `kasten-io` namespace. +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: k10-validate-ns-by-preset-label + annotations: + policies.kyverno.io/title: Validate Data Protection by Preset Label + policies.kyverno.io/category: Kasten K10 by Veeam + policies.kyverno.io/subject: Namespace + kyverno.io/kyverno-version: 1.9.0 + policies.kyverno.io/minversion: 1.9.0 + kyverno.io/kubernetes-version: "1.23" + policies.kyverno.io/description: >- + Kubernetes applications are typically deployed into a single, logical namespace. + Kasten K10 policies will discover and protect all resources within the selected namespace(s). + This policy ensures all new namespaces include a label referencing a valid K10 SLA + (Policy Preset) for data protection.This policy can be used in combination with generate + ClusterPolicy to automatically create a K10 policy based on the specified SLA. + The combination ensures that new applications are not inadvertently left unprotected. +spec: + validationFailureAction: Audit + rules: + - name: k10-validate-ns-by-preset-label + match: + any: + - resources: + kinds: + - Namespace + validate: + message: >- + Namespaces must specify a "dataprotection" label with a value corresponding to a Kasten K10 SLA: + + "gold" - + "silver" - + "bronze" - + "none" - No local snapshots or backups + pattern: + metadata: + labels: + dataprotection: gold|silver|bronze|none \ No newline at end of file From e9958ee43a325ddddc069b96a5c9ebf28ef3c80c Mon Sep 17 00:00:00 2001 From: Chandan-DK Date: Sun, 12 May 2024 07:09:26 +0000 Subject: [PATCH 28/32] convert k10-validate-ns-by-preset-label 
Signed-off-by: Chandan-DK --- .../artifacthub-pkg.yml | 16 +++++----- .../k10-validate-ns-by-preset-label.yaml | 31 +++++++++---------- 2 files changed, 24 insertions(+), 23 deletions(-) diff --git a/kasten-cel/k10-validate-ns-by-preset-label/artifacthub-pkg.yml b/kasten-cel/k10-validate-ns-by-preset-label/artifacthub-pkg.yml index 974e820f5..8721e352c 100644 --- a/kasten-cel/k10-validate-ns-by-preset-label/artifacthub-pkg.yml +++ b/kasten-cel/k10-validate-ns-by-preset-label/artifacthub-pkg.yml 
@@ -1,22 +1,24 @@ -name: k10-validate-ns-by-preset-label +name: k10-validate-ns-by-preset-label-cel version: 1.0.0 -displayName: Validate Data Protection by Preset Label -createdAt: "2023-04-10T20:12:53.000Z" +displayName: Validate Data Protection by Preset Label in CEL expressions description: >- Kubernetes applications are typically deployed into a single, logical namespace. Kasten K10 policies will discover and protect all resources within the selected namespace(s). This policy ensures all new namespaces include a label referencing a valid K10 SLA (Policy Preset) for data protection. This policy can be used in combination with generate ClusterPolicy to automatically create a K10 policy based on the specified SLA. The combination ensures that new applications are not inadvertently left unprotected. install: |- ```shell - kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/kasten/k10-validate-ns-by-preset-label/k10-validate-ns-by-preset-label.yaml + kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/kasten-cel/k10-validate-ns-by-preset-label/k10-validate-ns-by-preset-label.yaml ``` keywords: - kyverno - Kasten K10 by Veeam + - CEL Expressions readme: | Kubernetes applications are typically deployed into a single, logical namespace. Kasten K10 policies will discover and protect all resources within the selected namespace(s). This policy ensures all new namespaces include a label referencing a valid K10 SLA (Policy Preset) for data protection. This policy can be used in combination with generate ClusterPolicy to automatically create a K10 policy based on the specified SLA. The combination ensures that new applications are not inadvertently left unprotected. 
Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ annotations: - kyverno/category: "Kasten K10 by Veeam" - kyverno/kubernetesVersion: "1.23" + kyverno/category: "Kasten K10 by Veeam in CEL" + kyverno/kubernetesVersion: "1.26-1.27" kyverno/subject: "Namespace" -digest: 0c7cc8aa1bf25584958af7ff3fedfa8cae398b7cde007ea73cf0a7653447e454 +digest: 444fc7b76ad91e5905d5d4e84ce7b866037da9613e88213c2a2653b2189db02a +createdAt: "2024-05-12T07:09:08Z" + diff --git a/kasten-cel/k10-validate-ns-by-preset-label/k10-validate-ns-by-preset-label.yaml b/kasten-cel/k10-validate-ns-by-preset-label/k10-validate-ns-by-preset-label.yaml index 5cb0e82b1..d9929abae 100644 --- a/kasten-cel/k10-validate-ns-by-preset-label/k10-validate-ns-by-preset-label.yaml +++ b/kasten-cel/k10-validate-ns-by-preset-label/k10-validate-ns-by-preset-label.yaml @@ -4,12 +4,12 @@ kind: ClusterPolicy metadata: name: k10-validate-ns-by-preset-label annotations: - policies.kyverno.io/title: Validate Data Protection by Preset Label - policies.kyverno.io/category: Kasten K10 by Veeam + policies.kyverno.io/title: Validate Data Protection by Preset Label in CEL expressions + policies.kyverno.io/category: Kasten K10 by Veeam in CEL policies.kyverno.io/subject: Namespace - kyverno.io/kyverno-version: 1.9.0 - policies.kyverno.io/minversion: 1.9.0 - kyverno.io/kubernetes-version: "1.23" + kyverno.io/kyverno-version: 1.11.0 + policies.kyverno.io/minversion: 1.11.0 + kyverno.io/kubernetes-version: "1.26-1.27" policies.kyverno.io/description: >- Kubernetes applications are typically deployed into a single, logical namespace. Kasten K10 policies will discover and protect all resources within the selected namespace(s). 
@@ -27,14 +27,13 @@ spec: kinds: - Namespace validate: - message: >- - Namespaces must specify a "dataprotection" label with a value corresponding to a Kasten K10 SLA: - - "gold" - - "silver" - - "bronze" - - "none" - No local snapshots or backups - pattern: - metadata: - labels: - dataprotection: gold|silver|bronze|none \ No newline at end of file + cel: + expressions: + - expression: "has(object.metadata.labels) && has(object.metadata.labels.dataprotection) && object.metadata.labels.dataprotection in ['gold', 'silver', 'bronze', 'none']" + message: >- + Namespaces must specify a "dataprotection" label with a value corresponding to a Kasten K10 SLA: + + "gold" - + "silver" - + "bronze" - + "none" - No local snapshots or backups From 56be4091ef7641543d14eec2df48b0981bf9f526 Mon Sep 17 00:00:00 2001 From: Chandan-DK Date: Sun, 12 May 2024 07:19:35 +0000 Subject: [PATCH 29/32] rename files for clarity 
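Review bot: The new `expression` is one ~160-character line; the sibling CEL policy in this same series, `enforce-tls-hosts-host-subnets.yaml`, writes its expression as a `>-` folded scalar with one condition per line, and this rule should follow that style. The two `has()` guards are also doing security-relevant work worth a comment: without them a Namespace with no labels, or no `dataprotection` key, would (as far as I recall of Kubernetes CEL) hit a missing-key evaluation error rather than a clean validation failure, and the comment prevents a later "simplification" from removing them. Note that `validationFailureAction: Audit` a few lines above this hunk is unchanged, so as shipped the policy reports rather than blocks; the chainsaw test patches it to Enforce before asserting.

```yaml
      validate:
        cel:
          expressions:
            # has() guards: a Namespace with no labels, or no dataprotection key, must
            # fail validation cleanly instead of erroring on a missing map key.
            - expression: >-
                has(object.metadata.labels) &&
                has(object.metadata.labels.dataprotection) &&
                object.metadata.labels.dataprotection in ['gold', 'silver', 'bronze', 'none']
              # … unchanged: message …
```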
Signed-off-by: Chandan-DK --- .../.chainsaw-test/chainsaw-test.yaml | 2 +- .../{chainsaw-step-01-assert-1.yaml => policy-ready.yaml} | 0 .../enforce-strict-mtls/.chainsaw-test/chainsaw-test.yaml | 4 ++-- .../{chainsaw-step-01-assert-2.yaml => crd-assert.yaml} | 0 .../{chainsaw-step-01-assert-1.yaml => policy-ready.yaml} | 0 .../.chainsaw-test/chainsaw-test.yaml | 4 ++-- .../{chainsaw-step-01-assert-2.yaml => crd-assert.yaml} | 0 .../{chainsaw-step-01-assert-1.yaml => policy-ready.yaml} | 0 .../.chainsaw-test/chainsaw-test.yaml | 2 +- .../{chainsaw-step-01-assert-1.yaml => policy-ready.yaml} | 0 .../.chainsaw-test/chainsaw-test.yaml | 4 ++-- .../{chainsaw-step-01-assert-2.yaml => crd-assert.yaml} | 0 .../{chainsaw-step-01-assert-1.yaml => policy-ready.yaml} | 0 .../.chainsaw-test/chainsaw-test.yaml | 4 ++-- .../{chainsaw-step-01-assert-2.yaml => crd-assert.yaml} | 0 .../{chainsaw-step-01-assert-1.yaml => policy-ready.yaml} | 0 kasten-cel/k10-hourly-rpo/.chainsaw-test/chainsaw-test.yaml | 4 ++-- .../{chainsaw-step-01-assert-2.yaml => crd-assert.yaml} | 0 .../{chainsaw-step-01-assert-1.yaml => policy-ready.yaml} | 0 .../.chainsaw-test/chainsaw-test.yaml | 4 ++-- .../{chainsaw-step-01-assert-2.yaml => crd-assert.yaml} | 0 .../{chainsaw-step-01-assert-1.yaml => policy-ready.yaml} | 0 .../require-kubecost-labels/.chainsaw-test/chainsaw-test.yaml | 2 +- .../{chainsaw-step-01-assert-1.yaml => policy-ready.yaml} | 0 24 files changed, 15 insertions(+), 15 deletions(-) rename istio-cel/enforce-sidecar-injection-namespace/.chainsaw-test/{chainsaw-step-01-assert-1.yaml => policy-ready.yaml} (100%) rename istio-cel/enforce-strict-mtls/.chainsaw-test/{chainsaw-step-01-assert-2.yaml => crd-assert.yaml} (100%) rename istio-cel/enforce-strict-mtls/.chainsaw-test/{chainsaw-step-01-assert-1.yaml => policy-ready.yaml} (100%) rename istio-cel/enforce-tls-hosts-host-subnets/.chainsaw-test/{chainsaw-step-01-assert-2.yaml => crd-assert.yaml} (100%) rename 
istio-cel/enforce-tls-hosts-host-subnets/.chainsaw-test/{chainsaw-step-01-assert-1.yaml => policy-ready.yaml} (100%) rename istio-cel/prevent-disabling-injection-pods/.chainsaw-test/{chainsaw-step-01-assert-1.yaml => policy-ready.yaml} (100%) rename istio-cel/restrict-virtual-service-wildcard/.chainsaw-test/{chainsaw-step-01-assert-2.yaml => crd-assert.yaml} (100%) rename istio-cel/restrict-virtual-service-wildcard/.chainsaw-test/{chainsaw-step-01-assert-1.yaml => policy-ready.yaml} (100%) rename kasten-cel/k10-data-protection-by-label/.chainsaw-test/{chainsaw-step-01-assert-2.yaml => crd-assert.yaml} (100%) rename kasten-cel/k10-data-protection-by-label/.chainsaw-test/{chainsaw-step-01-assert-1.yaml => policy-ready.yaml} (100%) rename kasten-cel/k10-hourly-rpo/.chainsaw-test/{chainsaw-step-01-assert-2.yaml => crd-assert.yaml} (100%) rename kasten-cel/k10-hourly-rpo/.chainsaw-test/{chainsaw-step-01-assert-1.yaml => policy-ready.yaml} (100%) rename kasten-cel/k10-validate-ns-by-preset-label/.chainsaw-test/{chainsaw-step-01-assert-2.yaml => crd-assert.yaml} (100%) rename kasten-cel/k10-validate-ns-by-preset-label/.chainsaw-test/{chainsaw-step-01-assert-1.yaml => policy-ready.yaml} (100%) rename kubecost-cel/require-kubecost-labels/.chainsaw-test/{chainsaw-step-01-assert-1.yaml => policy-ready.yaml} (100%) diff --git a/istio-cel/enforce-sidecar-injection-namespace/.chainsaw-test/chainsaw-test.yaml b/istio-cel/enforce-sidecar-injection-namespace/.chainsaw-test/chainsaw-test.yaml index 85ad2e8d1..c160abb64 100755 --- a/istio-cel/enforce-sidecar-injection-namespace/.chainsaw-test/chainsaw-test.yaml +++ b/istio-cel/enforce-sidecar-injection-namespace/.chainsaw-test/chainsaw-test.yaml @@ -19,7 +19,7 @@ spec: spec: validationFailureAction: Enforce - assert: - file: chainsaw-step-01-assert-1.yaml + file: policy-ready.yaml - name: step-02 try: - apply: 
diff --git a/istio-cel/enforce-sidecar-injection-namespace/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/istio-cel/enforce-sidecar-injection-namespace/.chainsaw-test/policy-ready.yaml similarity index 100% rename from istio-cel/enforce-sidecar-injection-namespace/.chainsaw-test/chainsaw-step-01-assert-1.yaml rename to istio-cel/enforce-sidecar-injection-namespace/.chainsaw-test/policy-ready.yaml diff --git a/istio-cel/enforce-strict-mtls/.chainsaw-test/chainsaw-test.yaml b/istio-cel/enforce-strict-mtls/.chainsaw-test/chainsaw-test.yaml index 42a348d52..e547cafa5 100755 --- a/istio-cel/enforce-strict-mtls/.chainsaw-test/chainsaw-test.yaml +++ b/istio-cel/enforce-strict-mtls/.chainsaw-test/chainsaw-test.yaml @@ -19,9 +19,9 @@ spec: spec: validationFailureAction: Enforce - assert: - file: chainsaw-step-01-assert-1.yaml + file: policy-ready.yaml - assert: - file: chainsaw-step-01-assert-2.yaml + file: crd-assert.yaml - name: step-02 try: - apply: diff --git a/istio-cel/enforce-strict-mtls/.chainsaw-test/chainsaw-step-01-assert-2.yaml b/istio-cel/enforce-strict-mtls/.chainsaw-test/crd-assert.yaml similarity index 100% rename from istio-cel/enforce-strict-mtls/.chainsaw-test/chainsaw-step-01-assert-2.yaml rename to istio-cel/enforce-strict-mtls/.chainsaw-test/crd-assert.yaml diff --git a/istio-cel/enforce-strict-mtls/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/istio-cel/enforce-strict-mtls/.chainsaw-test/policy-ready.yaml similarity index 100% rename from istio-cel/enforce-strict-mtls/.chainsaw-test/chainsaw-step-01-assert-1.yaml rename to istio-cel/enforce-strict-mtls/.chainsaw-test/policy-ready.yaml diff --git a/istio-cel/enforce-tls-hosts-host-subnets/.chainsaw-test/chainsaw-test.yaml b/istio-cel/enforce-tls-hosts-host-subnets/.chainsaw-test/chainsaw-test.yaml index 5e326306f..5ad89b0da 100755 --- a/istio-cel/enforce-tls-hosts-host-subnets/.chainsaw-test/chainsaw-test.yaml +++ b/istio-cel/enforce-tls-hosts-host-subnets/.chainsaw-test/chainsaw-test.yaml 
@@ -19,9 +19,9 @@ spec: spec: validationFailureAction: Enforce - assert: - file: chainsaw-step-01-assert-1.yaml + file: policy-ready.yaml - assert: - file: chainsaw-step-01-assert-2.yaml + file: crd-assert.yaml - name: step-02 try: - apply: diff --git a/istio-cel/enforce-tls-hosts-host-subnets/.chainsaw-test/chainsaw-step-01-assert-2.yaml b/istio-cel/enforce-tls-hosts-host-subnets/.chainsaw-test/crd-assert.yaml similarity index 100% rename from istio-cel/enforce-tls-hosts-host-subnets/.chainsaw-test/chainsaw-step-01-assert-2.yaml rename to istio-cel/enforce-tls-hosts-host-subnets/.chainsaw-test/crd-assert.yaml diff --git a/istio-cel/enforce-tls-hosts-host-subnets/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/istio-cel/enforce-tls-hosts-host-subnets/.chainsaw-test/policy-ready.yaml similarity index 100% rename from istio-cel/enforce-tls-hosts-host-subnets/.chainsaw-test/chainsaw-step-01-assert-1.yaml rename to istio-cel/enforce-tls-hosts-host-subnets/.chainsaw-test/policy-ready.yaml diff --git a/istio-cel/prevent-disabling-injection-pods/.chainsaw-test/chainsaw-test.yaml b/istio-cel/prevent-disabling-injection-pods/.chainsaw-test/chainsaw-test.yaml index 6c32f0cf8..a1695faa6 100755 --- a/istio-cel/prevent-disabling-injection-pods/.chainsaw-test/chainsaw-test.yaml +++ b/istio-cel/prevent-disabling-injection-pods/.chainsaw-test/chainsaw-test.yaml @@ -19,7 +19,7 @@ spec: spec: validationFailureAction: Enforce - assert: - file: chainsaw-step-01-assert-1.yaml + file: policy-ready.yaml - name: step-02 try: - apply: diff --git a/istio-cel/prevent-disabling-injection-pods/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/istio-cel/prevent-disabling-injection-pods/.chainsaw-test/policy-ready.yaml similarity index 100% rename from istio-cel/prevent-disabling-injection-pods/.chainsaw-test/chainsaw-step-01-assert-1.yaml rename to istio-cel/prevent-disabling-injection-pods/.chainsaw-test/policy-ready.yaml 
diff --git a/istio-cel/restrict-virtual-service-wildcard/.chainsaw-test/chainsaw-test.yaml b/istio-cel/restrict-virtual-service-wildcard/.chainsaw-test/chainsaw-test.yaml index 9f29d00ac..48a4982f8 100755 --- a/istio-cel/restrict-virtual-service-wildcard/.chainsaw-test/chainsaw-test.yaml +++ b/istio-cel/restrict-virtual-service-wildcard/.chainsaw-test/chainsaw-test.yaml @@ -19,9 +19,9 @@ spec: spec: validationFailureAction: Enforce - assert: - file: chainsaw-step-01-assert-1.yaml + file: policy-ready.yaml - assert: - file: chainsaw-step-01-assert-2.yaml + file: crd-assert.yaml - name: step-02 try: - apply: diff --git a/istio-cel/restrict-virtual-service-wildcard/.chainsaw-test/chainsaw-step-01-assert-2.yaml b/istio-cel/restrict-virtual-service-wildcard/.chainsaw-test/crd-assert.yaml similarity index 100% rename from istio-cel/restrict-virtual-service-wildcard/.chainsaw-test/chainsaw-step-01-assert-2.yaml rename to istio-cel/restrict-virtual-service-wildcard/.chainsaw-test/crd-assert.yaml diff --git a/istio-cel/restrict-virtual-service-wildcard/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/istio-cel/restrict-virtual-service-wildcard/.chainsaw-test/policy-ready.yaml similarity index 100% rename from istio-cel/restrict-virtual-service-wildcard/.chainsaw-test/chainsaw-step-01-assert-1.yaml rename to istio-cel/restrict-virtual-service-wildcard/.chainsaw-test/policy-ready.yaml diff --git a/kasten-cel/k10-data-protection-by-label/.chainsaw-test/chainsaw-test.yaml b/kasten-cel/k10-data-protection-by-label/.chainsaw-test/chainsaw-test.yaml index 107d75e22..81d089924 100755 --- a/kasten-cel/k10-data-protection-by-label/.chainsaw-test/chainsaw-test.yaml +++ b/kasten-cel/k10-data-protection-by-label/.chainsaw-test/chainsaw-test.yaml @@ -19,9 +19,9 @@ spec: spec: validationFailureAction: Enforce - assert: - file: chainsaw-step-01-assert-1.yaml + file: policy-ready.yaml - assert: - file: chainsaw-step-01-assert-2.yaml + file: crd-assert.yaml - name: step-02 try: - apply: 
diff --git a/kasten-cel/k10-data-protection-by-label/.chainsaw-test/chainsaw-step-01-assert-2.yaml b/kasten-cel/k10-data-protection-by-label/.chainsaw-test/crd-assert.yaml similarity index 100% rename from kasten-cel/k10-data-protection-by-label/.chainsaw-test/chainsaw-step-01-assert-2.yaml rename to kasten-cel/k10-data-protection-by-label/.chainsaw-test/crd-assert.yaml diff --git a/kasten-cel/k10-data-protection-by-label/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/kasten-cel/k10-data-protection-by-label/.chainsaw-test/policy-ready.yaml similarity index 100% rename from kasten-cel/k10-data-protection-by-label/.chainsaw-test/chainsaw-step-01-assert-1.yaml rename to kasten-cel/k10-data-protection-by-label/.chainsaw-test/policy-ready.yaml diff --git a/kasten-cel/k10-hourly-rpo/.chainsaw-test/chainsaw-test.yaml b/kasten-cel/k10-hourly-rpo/.chainsaw-test/chainsaw-test.yaml index 8630e0e9a..e02442dae 100755 --- a/kasten-cel/k10-hourly-rpo/.chainsaw-test/chainsaw-test.yaml +++ b/kasten-cel/k10-hourly-rpo/.chainsaw-test/chainsaw-test.yaml @@ -19,9 +19,9 @@ spec: spec: validationFailureAction: Enforce - assert: - file: chainsaw-step-01-assert-1.yaml + file: policy-ready.yaml - assert: - file: chainsaw-step-01-assert-2.yaml + file: crd-assert.yaml - name: step-02 try: - apply: diff --git a/kasten-cel/k10-hourly-rpo/.chainsaw-test/chainsaw-step-01-assert-2.yaml b/kasten-cel/k10-hourly-rpo/.chainsaw-test/crd-assert.yaml similarity index 100% rename from kasten-cel/k10-hourly-rpo/.chainsaw-test/chainsaw-step-01-assert-2.yaml rename to kasten-cel/k10-hourly-rpo/.chainsaw-test/crd-assert.yaml diff --git a/kasten-cel/k10-hourly-rpo/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/kasten-cel/k10-hourly-rpo/.chainsaw-test/policy-ready.yaml similarity index 100% rename from kasten-cel/k10-hourly-rpo/.chainsaw-test/chainsaw-step-01-assert-1.yaml rename to kasten-cel/k10-hourly-rpo/.chainsaw-test/policy-ready.yaml 
diff --git a/kasten-cel/k10-validate-ns-by-preset-label/.chainsaw-test/chainsaw-test.yaml b/kasten-cel/k10-validate-ns-by-preset-label/.chainsaw-test/chainsaw-test.yaml index 3427db172..8893c6007 100755 --- a/kasten-cel/k10-validate-ns-by-preset-label/.chainsaw-test/chainsaw-test.yaml +++ b/kasten-cel/k10-validate-ns-by-preset-label/.chainsaw-test/chainsaw-test.yaml @@ -19,9 +19,9 @@ spec: spec: validationFailureAction: Enforce - assert: - file: chainsaw-step-01-assert-1.yaml + file: policy-ready.yaml - assert: - file: chainsaw-step-01-assert-2.yaml + file: crd-assert.yaml - name: step-02 try: - apply: diff --git a/kasten-cel/k10-validate-ns-by-preset-label/.chainsaw-test/chainsaw-step-01-assert-2.yaml b/kasten-cel/k10-validate-ns-by-preset-label/.chainsaw-test/crd-assert.yaml similarity index 100% rename from kasten-cel/k10-validate-ns-by-preset-label/.chainsaw-test/chainsaw-step-01-assert-2.yaml rename to kasten-cel/k10-validate-ns-by-preset-label/.chainsaw-test/crd-assert.yaml diff --git a/kasten-cel/k10-validate-ns-by-preset-label/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/kasten-cel/k10-validate-ns-by-preset-label/.chainsaw-test/policy-ready.yaml similarity index 100% rename from kasten-cel/k10-validate-ns-by-preset-label/.chainsaw-test/chainsaw-step-01-assert-1.yaml rename to kasten-cel/k10-validate-ns-by-preset-label/.chainsaw-test/policy-ready.yaml diff --git a/kubecost-cel/require-kubecost-labels/.chainsaw-test/chainsaw-test.yaml b/kubecost-cel/require-kubecost-labels/.chainsaw-test/chainsaw-test.yaml index f9c73cfe7..f948a1a98 100755 --- a/kubecost-cel/require-kubecost-labels/.chainsaw-test/chainsaw-test.yaml +++ b/kubecost-cel/require-kubecost-labels/.chainsaw-test/chainsaw-test.yaml @@ -19,7 +19,7 @@ spec: spec: validationFailureAction: Enforce - assert: - file: chainsaw-step-01-assert-1.yaml + file: policy-ready.yaml - name: step-02 try: - apply: 
diff --git a/kubecost-cel/require-kubecost-labels/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/kubecost-cel/require-kubecost-labels/.chainsaw-test/policy-ready.yaml similarity index 100% rename from kubecost-cel/require-kubecost-labels/.chainsaw-test/chainsaw-step-01-assert-1.yaml rename to kubecost-cel/require-kubecost-labels/.chainsaw-test/policy-ready.yaml From 21b9111caf6ad819c727e251b42c8b523002349b Mon Sep 17 00:00:00 2001 From: Chandan-DK Date: Sun, 12 May 2024 07:25:53 +0000 Subject: [PATCH 30/32] add CI tests for cel directories Signed-off-by: Chandan-DK --- .github/workflows/test.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 4ff5acb1a..aa38a93d0 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -41,9 +41,12 @@ jobs: - ^istio-cel$ - ^karpenter$ - ^kasten$ + - ^kasten-cel$ - ^kubecost$ + - ^kubecost-cel$ - ^kubeops$ - ^kubevirt$ + - ^kubevirt-cel$ - ^linkerd$ - ^nginx-ingress$ - ^openshift$ From 1976723423f78725bc46deee5fbfc12b3538e777 Mon Sep 17 00:00:00 2001 From: Chandan-DK Date: Sun, 26 May 2024 17:13:51 +0000 Subject: [PATCH 31/32] remove cel policies due to issue https://github.com/kyverno/kyverno/issues/10313 
Signed-off-by: Chandan-DK --- .github/workflows/test.yml | 1 - .../.chainsaw-test/chainsaw-test.yaml | 33 --------- .../.chainsaw-test/crd-assert.yaml | 13 ---- .../.chainsaw-test/dr-bad.yaml | 21 ------ .../.chainsaw-test/dr-good.yaml | 50 -------------- .../.chainsaw-test/policy-ready.yaml | 6 -- .../.kyverno-test/kyverno-test.yaml | 28 -------- .../artifacthub-pkg.yml | 24 ------- .../enforce-tls-hosts-host-subnets.yaml | 35 ---------- .../.chainsaw-test/bad-vs.yaml | 55 --------------- .../.chainsaw-test/chainsaw-test.yaml | 33 --------- .../.chainsaw-test/crd-assert.yaml | 13 ---- .../.chainsaw-test/good-vs.yaml | 54 --------------- .../.chainsaw-test/policy-ready.yaml | 6 -- .../.kyverno-test/kyverno-test.yaml | 21 ------ .../.kyverno-test/resources.yaml | 54 --------------- .../artifacthub-pkg.yml | 24 ------- .../restrict-virtual-service-wildcard.yaml | 35 ---------- .../.chainsaw-test/chainsaw-test.yaml | 23 ------- .../.chainsaw-test/policy-ready.yaml | 6 -- .../.chainsaw-test/vm-bad.yaml | 37 ---------- .../.chainsaw-test/vm-good.yaml | 30 --------- .../.kyverno-test/kyverno-test.yaml | 21 ------ .../.kyverno-test/resource.yaml | 67 ------------------- .../enforce-instancetype/artifacthub-pkg.yml | 24 ------- .../enforce-instancetype.yaml | 31 --------- 26 files changed, 745 deletions(-) delete mode 100755 istio-cel/enforce-tls-hosts-host-subnets/.chainsaw-test/chainsaw-test.yaml delete mode 100755 istio-cel/enforce-tls-hosts-host-subnets/.chainsaw-test/crd-assert.yaml delete mode 100644 istio-cel/enforce-tls-hosts-host-subnets/.chainsaw-test/dr-bad.yaml delete mode 100644 istio-cel/enforce-tls-hosts-host-subnets/.chainsaw-test/dr-good.yaml delete mode 100755 istio-cel/enforce-tls-hosts-host-subnets/.chainsaw-test/policy-ready.yaml delete mode 100644 istio-cel/enforce-tls-hosts-host-subnets/.kyverno-test/kyverno-test.yaml delete mode 100644 istio-cel/enforce-tls-hosts-host-subnets/artifacthub-pkg.yml delete mode 100644 
istio-cel/enforce-tls-hosts-host-subnets/enforce-tls-hosts-host-subnets.yaml delete mode 100644 istio-cel/restrict-virtual-service-wildcard/.chainsaw-test/bad-vs.yaml delete mode 100755 istio-cel/restrict-virtual-service-wildcard/.chainsaw-test/chainsaw-test.yaml delete mode 100755 istio-cel/restrict-virtual-service-wildcard/.chainsaw-test/crd-assert.yaml delete mode 100644 istio-cel/restrict-virtual-service-wildcard/.chainsaw-test/good-vs.yaml delete mode 100755 istio-cel/restrict-virtual-service-wildcard/.chainsaw-test/policy-ready.yaml delete mode 100644 istio-cel/restrict-virtual-service-wildcard/.kyverno-test/kyverno-test.yaml delete mode 100644 istio-cel/restrict-virtual-service-wildcard/.kyverno-test/resources.yaml delete mode 100644 istio-cel/restrict-virtual-service-wildcard/artifacthub-pkg.yml delete mode 100644 istio-cel/restrict-virtual-service-wildcard/restrict-virtual-service-wildcard.yaml delete mode 100755 kubevirt-cel/enforce-instancetype/.chainsaw-test/chainsaw-test.yaml delete mode 100644 kubevirt-cel/enforce-instancetype/.chainsaw-test/policy-ready.yaml delete mode 100644 kubevirt-cel/enforce-instancetype/.chainsaw-test/vm-bad.yaml delete mode 100644 kubevirt-cel/enforce-instancetype/.chainsaw-test/vm-good.yaml delete mode 100644 kubevirt-cel/enforce-instancetype/.kyverno-test/kyverno-test.yaml delete mode 100644 kubevirt-cel/enforce-instancetype/.kyverno-test/resource.yaml delete mode 100644 kubevirt-cel/enforce-instancetype/artifacthub-pkg.yml delete mode 100644 kubevirt-cel/enforce-instancetype/enforce-instancetype.yaml diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index aa38a93d0..a6b0c281f 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -46,7 +46,6 @@ jobs: - ^kubecost-cel$ - ^kubeops$ - ^kubevirt$ - - ^kubevirt-cel$ - ^linkerd$ - ^nginx-ingress$ - ^openshift$ 
diff --git a/istio-cel/enforce-tls-hosts-host-subnets/.chainsaw-test/chainsaw-test.yaml b/istio-cel/enforce-tls-hosts-host-subnets/.chainsaw-test/chainsaw-test.yaml deleted file mode 100755 index 5ad89b0da..000000000 --- a/istio-cel/enforce-tls-hosts-host-subnets/.chainsaw-test/chainsaw-test.yaml +++ /dev/null @@ -1,33 +0,0 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json -apiVersion: chainsaw.kyverno.io/v1alpha1 -kind: Test -metadata: - creationTimestamp: null - name: enforce-tls-hosts-host-subnets -spec: - steps: - - name: step-01 - try: - - apply: - file: ../enforce-tls-hosts-host-subnets.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: enforce-tls-hosts-host-subnets - spec: - validationFailureAction: Enforce - - assert: - file: policy-ready.yaml - - assert: - file: crd-assert.yaml - - name: step-02 - try: - - apply: - file: dr-good.yaml - - apply: - expect: - - check: - ($error != null): true - file: dr-bad.yaml diff --git a/istio-cel/enforce-tls-hosts-host-subnets/.chainsaw-test/crd-assert.yaml b/istio-cel/enforce-tls-hosts-host-subnets/.chainsaw-test/crd-assert.yaml deleted file mode 100755 index 0e3bbf237..000000000 --- a/istio-cel/enforce-tls-hosts-host-subnets/.chainsaw-test/crd-assert.yaml +++ /dev/null @@ -1,13 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: destinationrules.networking.istio.io -spec: {} -status: - acceptedNames: - kind: DestinationRule - listKind: DestinationRuleList - plural: destinationrules - singular: destinationrule - storedVersions: - - v1alpha3 diff --git a/istio-cel/enforce-tls-hosts-host-subnets/.chainsaw-test/dr-bad.yaml b/istio-cel/enforce-tls-hosts-host-subnets/.chainsaw-test/dr-bad.yaml deleted file mode 100644 index c81065024..000000000 --- a/istio-cel/enforce-tls-hosts-host-subnets/.chainsaw-test/dr-bad.yaml +++ /dev/null 
@@ -1,21 +0,0 @@ -apiVersion: networking.istio.io/v1alpha3 -kind: DestinationRule -metadata: - name: bad-dr01 -spec: - host: ratings.prod.svc.cluster.local - trafficPolicy: - loadBalancer: - simple: LEAST_REQUEST - tls: - mode: DISABLE ---- -apiVersion: networking.istio.io/v1alpha3 -kind: DestinationRule -metadata: - name: bad-dr02 -spec: - host: ratings.prod.svc.cluster.local - trafficPolicy: - tls: - mode: DISABLE \ No newline at end of file diff --git a/istio-cel/enforce-tls-hosts-host-subnets/.chainsaw-test/dr-good.yaml b/istio-cel/enforce-tls-hosts-host-subnets/.chainsaw-test/dr-good.yaml deleted file mode 100644 index e664cc11f..000000000 --- a/istio-cel/enforce-tls-hosts-host-subnets/.chainsaw-test/dr-good.yaml +++ /dev/null @@ -1,50 +0,0 @@ -apiVersion: networking.istio.io/v1alpha3 -kind: DestinationRule -metadata: - name: good-dr01 -spec: - host: ratings.prod.svc.cluster.local - trafficPolicy: - loadBalancer: - simple: LEAST_REQUEST - tls: - mode: MUTUAL ---- -apiVersion: networking.istio.io/v1alpha3 -kind: DestinationRule -metadata: - name: good-dr02 -spec: - host: ratings.prod.svc.cluster.local - trafficPolicy: - tls: - mode: SIMPLE ---- -apiVersion: networking.istio.io/v1alpha3 -kind: DestinationRule -metadata: - name: good-dr03 -spec: - host: ratings.prod.svc.cluster.local - trafficPolicy: - loadBalancer: - simple: LEAST_REQUEST - tls: - mode: ISTIO_MUTUAL ---- -apiVersion: networking.istio.io/v1alpha3 -kind: DestinationRule -metadata: - name: good-dr04 -spec: - host: ratings.prod.svc.cluster.local ---- -apiVersion: networking.istio.io/v1alpha3 -kind: DestinationRule -metadata: - name: good-dr05 -spec: - host: ratings.prod.svc.cluster.local - trafficPolicy: - loadBalancer: - simple: LEAST_REQUEST \ No newline at end of file diff --git a/istio-cel/enforce-tls-hosts-host-subnets/.chainsaw-test/policy-ready.yaml b/istio-cel/enforce-tls-hosts-host-subnets/.chainsaw-test/policy-ready.yaml deleted file mode 100755 index a79bc18f7..000000000 
--- a/istio-cel/enforce-tls-hosts-host-subnets/.chainsaw-test/policy-ready.yaml +++ /dev/null @@ -1,6 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: enforce-tls-hosts-host-subnets -status: - ready: true diff --git a/istio-cel/enforce-tls-hosts-host-subnets/.kyverno-test/kyverno-test.yaml b/istio-cel/enforce-tls-hosts-host-subnets/.kyverno-test/kyverno-test.yaml deleted file mode 100644 index 8b2e1cf9b..000000000 --- a/istio-cel/enforce-tls-hosts-host-subnets/.kyverno-test/kyverno-test.yaml +++ /dev/null @@ -1,28 +0,0 @@ -apiVersion: cli.kyverno.io/v1alpha1 -kind: Test -metadata: - name: enforce-tls-hosts-host-subnets -policies: -- ../enforce-tls-hosts-host-subnets.yaml -resources: -- ../.chainsaw-test/dr-bad.yaml -- ../.chainsaw-test/dr-good.yaml -results: -- policy: enforce-tls-hosts-host-subnets - rule: destrule - kind: DestinationRule - resources: - - bad-dr01 - - bad-dr02 - result: fail -- policy: enforce-tls-hosts-host-subnets - rule: destrule - kind: DestinationRule - resources: - - good-dr01 - - good-dr02 - - good-dr03 - - good-dr04 - - good-dr05 - result: pass - diff --git a/istio-cel/enforce-tls-hosts-host-subnets/artifacthub-pkg.yml b/istio-cel/enforce-tls-hosts-host-subnets/artifacthub-pkg.yml deleted file mode 100644 index 06286c113..000000000 --- a/istio-cel/enforce-tls-hosts-host-subnets/artifacthub-pkg.yml +++ /dev/null 
@@ -1,24 +0,0 @@ -name: enforce-tls-hosts-host-subnets-cel -version: 1.0.0 -displayName: Enforce Istio TLS on Hosts and Host Subnets in CEL expressions -description: >- - Once a routing decision has been made, a DestinationRule can be used to define how traffic should be sent to another service. The trafficPolicy object can control how TLS is handled to the destination host. This policy enforces that the TLS mode cannot be set to a value of `DISABLE`. -install: |- - ```shell - kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/istio-cel/enforce-tls-hosts-host-subnets/enforce-tls-hosts-host-subnets.yaml - ``` -keywords: - - kyverno - - Istio - - CEL Expressions -readme: | - Once a routing decision has been made, a DestinationRule can be used to define how traffic should be sent to another service. The trafficPolicy object can control how TLS is handled to the destination host. This policy enforces that the TLS mode cannot be set to a value of `DISABLE`. - - Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ -annotations: - kyverno/category: "Istio in CEL" - kyverno/kubernetesVersion: "1.26-1.27" - kyverno/subject: "DestinationRule" -digest: 8959b2a0a57b4a644f5a7fed18d17f3da4e081ab6317a732e1f85b488c65cf18 -createdAt: "2024-05-12T04:44:32Z" - diff --git a/istio-cel/enforce-tls-hosts-host-subnets/enforce-tls-hosts-host-subnets.yaml b/istio-cel/enforce-tls-hosts-host-subnets/enforce-tls-hosts-host-subnets.yaml deleted file mode 100644 index 367a9efc0..000000000 --- a/istio-cel/enforce-tls-hosts-host-subnets/enforce-tls-hosts-host-subnets.yaml +++ /dev/null 
@@ -1,35 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: enforce-tls-hosts-host-subnets - annotations: - policies.kyverno.io/title: Enforce Istio TLS on Hosts and Host Subnets in CEL expressions - policies.kyverno.io/category: Istio in CEL - policies.kyverno.io/severity: medium - policies.kyverno.io/subject: DestinationRule - kyverno.io/kyverno-version: 1.11.0 - policies.kyverno.io/minversion: 1.11.0 - kyverno.io/kubernetes-version: "1.26-1.27" - policies.kyverno.io/description: >- - Once a routing decision has been made, a DestinationRule can be used to define how traffic - should be sent to another service. The trafficPolicy object can control how TLS is handled - to the destination host. This policy enforces that the TLS mode cannot be set to a value - of `DISABLE`. -spec: - validationFailureAction: Audit - background: true - rules: - - name: destrule - match: - any: - - resources: - kinds: - - DestinationRule - validate: - cel: - expressions: - - expression: >- - !has(object.spec) || !has(object.spec.trafficPolicy) || !has(object.spec.trafficPolicy.tls) || - !has(object.spec.trafficPolicy.tls.mode) || object.spec.trafficPolicy.tls.mode != 'DISABLE' - message: "TLS may not be disabled for the trafficPolicy in any host." - diff --git a/istio-cel/restrict-virtual-service-wildcard/.chainsaw-test/bad-vs.yaml b/istio-cel/restrict-virtual-service-wildcard/.chainsaw-test/bad-vs.yaml deleted file mode 100644 index 9801173e7..000000000 --- a/istio-cel/restrict-virtual-service-wildcard/.chainsaw-test/bad-vs.yaml +++ /dev/null 
@@ -1,55 +0,0 @@ -apiVersion: networking.istio.io/v1alpha3 -kind: VirtualService -metadata: - name: badvs01 -spec: - hosts: - - "*.com" - - "foo.com" - gateways: - - bookinfo-gateway - http: - - match: - - uri: - exact: /productpage - - uri: - prefix: /static - - uri: - exact: /login - - uri: - exact: /logout - - uri: - prefix: /api/v1/products - route: - - destination: - host: productpage - port: - number: 9080 ---- -apiVersion: networking.istio.io/v1alpha3 -kind: VirtualService -metadata: - name: badvs02 -spec: - hosts: - - "bar.com" - - "*.*" - gateways: - - bookinfo-gateway - http: - - match: - - uri: - exact: /productpage - - uri: - prefix: /static - - uri: - exact: /login - - uri: - exact: /logout - - uri: - prefix: /api/v1/products - route: - - destination: - host: productpage - port: - number: 9080 diff --git a/istio-cel/restrict-virtual-service-wildcard/.chainsaw-test/chainsaw-test.yaml b/istio-cel/restrict-virtual-service-wildcard/.chainsaw-test/chainsaw-test.yaml deleted file mode 100755 index 48a4982f8..000000000 --- a/istio-cel/restrict-virtual-service-wildcard/.chainsaw-test/chainsaw-test.yaml +++ /dev/null @@ -1,33 +0,0 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json -apiVersion: chainsaw.kyverno.io/v1alpha1 -kind: Test -metadata: - creationTimestamp: null - name: restrict-virtual-service-wildcard -spec: - steps: - - name: step-01 - try: - - apply: - file: ../restrict-virtual-service-wildcard.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: restrict-virtual-service-wildcard - spec: - validationFailureAction: Enforce - - assert: - file: policy-ready.yaml - - assert: - file: crd-assert.yaml - - name: step-02 - try: - - apply: - file: good-vs.yaml - - apply: - expect: - - check: - ($error != null): true - file: bad-vs.yaml 
diff --git a/istio-cel/restrict-virtual-service-wildcard/.chainsaw-test/crd-assert.yaml b/istio-cel/restrict-virtual-service-wildcard/.chainsaw-test/crd-assert.yaml deleted file mode 100755 index 5380004fb..000000000 --- a/istio-cel/restrict-virtual-service-wildcard/.chainsaw-test/crd-assert.yaml +++ /dev/null @@ -1,13 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: virtualservices.networking.istio.io -spec: {} -status: - acceptedNames: - kind: VirtualService - listKind: VirtualServiceList - plural: virtualservices - singular: virtualservice - storedVersions: - - v1alpha3 diff --git a/istio-cel/restrict-virtual-service-wildcard/.chainsaw-test/good-vs.yaml b/istio-cel/restrict-virtual-service-wildcard/.chainsaw-test/good-vs.yaml deleted file mode 100644 index 41e1586be..000000000 --- a/istio-cel/restrict-virtual-service-wildcard/.chainsaw-test/good-vs.yaml +++ /dev/null @@ -1,54 +0,0 @@ -apiVersion: networking.istio.io/v1alpha3 -kind: VirtualService -metadata: - name: goodvs01 -spec: - hosts: - - "foo.com" - gateways: - - bookinfo-gateway - http: - - match: - - uri: - exact: /productpage - - uri: - prefix: /static - - uri: - exact: /login - - uri: - exact: /logout - - uri: - prefix: /api/v1/products - route: - - destination: - host: productpage - port: - number: 9080 ---- -apiVersion: networking.istio.io/v1alpha3 -kind: VirtualService -metadata: - name: goodvs02 -spec: - hosts: - - "foo.com" - - "bar.foo" - gateways: - - bookinfo-gateway - http: - - match: - - uri: - exact: /productpage - - uri: - prefix: /static - - uri: - exact: /login - - uri: - exact: /logout - - uri: - prefix: /api/v1/products - route: - - destination: - host: productpage - port: - number: 9080 diff --git a/istio-cel/restrict-virtual-service-wildcard/.chainsaw-test/policy-ready.yaml b/istio-cel/restrict-virtual-service-wildcard/.chainsaw-test/policy-ready.yaml deleted file mode 100755 index e823cc767..000000000 
--- a/istio-cel/restrict-virtual-service-wildcard/.chainsaw-test/policy-ready.yaml +++ /dev/null @@ -1,6 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: restrict-virtual-service-wildcard -status: - ready: true diff --git a/istio-cel/restrict-virtual-service-wildcard/.kyverno-test/kyverno-test.yaml b/istio-cel/restrict-virtual-service-wildcard/.kyverno-test/kyverno-test.yaml deleted file mode 100644 index 1bd8ac6a8..000000000 --- a/istio-cel/restrict-virtual-service-wildcard/.kyverno-test/kyverno-test.yaml +++ /dev/null @@ -1,21 +0,0 @@ -apiVersion: cli.kyverno.io/v1alpha1 -kind: Test -metadata: - name: restrict-virtual-service-wildcard -policies: -- ../restrict-virtual-service-wildcard.yaml -resources: -- resources.yaml -results: -- kind: VirtualService - policy: restrict-virtual-service-wildcard - resources: - - badvs - result: fail - rule: block-virtual-service-wildcard -- kind: VirtualService - policy: restrict-virtual-service-wildcard - resources: - - goodvs - result: pass - rule: block-virtual-service-wildcard diff --git a/istio-cel/restrict-virtual-service-wildcard/.kyverno-test/resources.yaml b/istio-cel/restrict-virtual-service-wildcard/.kyverno-test/resources.yaml deleted file mode 100644 index 0263be03d..000000000 --- a/istio-cel/restrict-virtual-service-wildcard/.kyverno-test/resources.yaml +++ /dev/null 
@@ -1,54 +0,0 @@ ---- -apiVersion: networking.istio.io/v1alpha3 -kind: VirtualService -metadata: - name: badvs -spec: - hosts: - - "*.com" - gateways: - - bookinfo-gateway - http: - - match: - - uri: - exact: /productpage - - uri: - prefix: /static - - uri: - exact: /login - - uri: - exact: /logout - - uri: - prefix: /api/v1/products - route: - - destination: - host: productpage - port: - number: 9080 ---- -apiVersion: networking.istio.io/v1alpha3 -kind: VirtualService -metadata: - name: goodvs -spec: - hosts: - - "foo.com" - gateways: - - bookinfo-gateway - http: - - match: - - uri: - exact: /productpage - - uri: - prefix: /static - - uri: - exact: /login - - uri: - exact: /logout - - uri: - prefix: /api/v1/products - route: - - destination: - host: productpage - port: - number: 9080 diff --git a/istio-cel/restrict-virtual-service-wildcard/artifacthub-pkg.yml b/istio-cel/restrict-virtual-service-wildcard/artifacthub-pkg.yml deleted file mode 100644 index d1e334661..000000000 --- a/istio-cel/restrict-virtual-service-wildcard/artifacthub-pkg.yml +++ /dev/null 
@@ -1,24 +0,0 @@ -name: restrict-virtual-service-wildcard-cel -version: 1.0.0 -displayName: Restrict Virtual Service Host with Wildcards in CEL expressions -description: >- - Virtual Services optionally accept a wildcard as an alternative to precise matching. In some cases, this may be too permissive as it would direct unintended traffic to the given resource. This policy enforces that any Virtual Service host does not contain a wildcard character and allows for more governance when a single mesh deployment model is used. -install: |- - ```shell - kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/istio-cel/restrict-virtual-service-wildcard/restrict-virtual-service-wildcard.yaml - ``` -keywords: - - kyverno - - Istio - - CEL Expressions -readme: | - Virtual Services optionally accept a wildcard as an alternative to precise matching. In some cases, this may be too permissive as it would direct unintended traffic to the given resource. This policy enforces that any Virtual Service host does not contain a wildcard character and allows for more governance when a single mesh deployment model is used. - - Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ -annotations: - kyverno/category: "Istio in CEL" - kyverno/kubernetesVersion: "1.26-1.27" - kyverno/subject: "VirtualService" -digest: 326d2e299d4424ae5c33c8675970060c0d7ba2f1ba00985c54c61d6c42909554 -createdAt: "2024-05-12T04:53:55Z" - diff --git a/istio-cel/restrict-virtual-service-wildcard/restrict-virtual-service-wildcard.yaml b/istio-cel/restrict-virtual-service-wildcard/restrict-virtual-service-wildcard.yaml deleted file mode 100644 index 59a63f82a..000000000 --- a/istio-cel/restrict-virtual-service-wildcard/restrict-virtual-service-wildcard.yaml +++ /dev/null 
@@ -1,35 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: restrict-virtual-service-wildcard - annotations: - policies.kyverno.io/title: Restrict Virtual Service Host with Wildcards in CEL expressions - policies.kyverno.io/category: Istio in CEL expressions - policies.kyverno.io/severity: medium - kyverno.io/kyverno-version: 1.11.0 - policies.kyverno.io/minversion: 1.11.0 - kyverno.io/kubernetes-version: "1.26-1.27" - policies.kyverno.io/subject: VirtualService - policies.kyverno.io/description: >- - Virtual Services optionally accept a wildcard as an alternative - to precise matching. In some cases, this may be too permissive as it - would direct unintended traffic to the given resource. This - policy enforces that any Virtual Service host does not contain a wildcard - character and allows for more governance when a single mesh deployment - model is used. -spec: - validationFailureAction: Audit - background: true - rules: - - name: block-virtual-service-wildcard - match: - any: - - resources: - kinds: - - VirtualService - validate: - cel: - expressions: - - expression: "!has(object.spec.hosts) || !object.spec.hosts.exists(host, host.contains('*'))" - message: "Wildcards are not permitted as hosts." - diff --git a/kubevirt-cel/enforce-instancetype/.chainsaw-test/chainsaw-test.yaml b/kubevirt-cel/enforce-instancetype/.chainsaw-test/chainsaw-test.yaml deleted file mode 100755 index b4c655980..000000000 --- a/kubevirt-cel/enforce-instancetype/.chainsaw-test/chainsaw-test.yaml +++ /dev/null 
@@ -1,23 +0,0 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json -apiVersion: chainsaw.kyverno.io/v1alpha1 -kind: Test -metadata: - creationTimestamp: null - name: enforce-instancetype -spec: - steps: - - name: step-01 - try: - - apply: - file: ../enforce-instancetype.yaml - - assert: - file: policy-ready.yaml - - name: step-02 - try: - - apply: - file: vm-good.yaml - - apply: - expect: - - check: - ($error != null): true - file: vm-bad.yaml diff --git a/kubevirt-cel/enforce-instancetype/.chainsaw-test/policy-ready.yaml b/kubevirt-cel/enforce-instancetype/.chainsaw-test/policy-ready.yaml deleted file mode 100644 index 575119eb7..000000000 --- a/kubevirt-cel/enforce-instancetype/.chainsaw-test/policy-ready.yaml +++ /dev/null @@ -1,6 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: k6t-enforce-instancetype -status: - ready: true \ No newline at end of file diff --git a/kubevirt-cel/enforce-instancetype/.chainsaw-test/vm-bad.yaml b/kubevirt-cel/enforce-instancetype/.chainsaw-test/vm-bad.yaml deleted file mode 100644 index 78917c4a9..000000000 --- a/kubevirt-cel/enforce-instancetype/.chainsaw-test/vm-bad.yaml +++ /dev/null @@ -1,37 +0,0 @@ -apiVersion: kubevirt.io/v1 -kind: VirtualMachine -metadata: - labels: - kubevirt.io/vm: vm-cirros - name: vm-invalid -spec: - running: false - template: - metadata: - labels: - kubevirt.io/vm: vm-cirros - spec: - domain: - devices: - disks: - - disk: - bus: virtio - name: containerdisk - - disk: - bus: virtio - name: cloudinitdisk - resources: - requests: - memory: 128Mi - terminationGracePeriodSeconds: 0 - volumes: - - containerDisk: - image: busybox:1.35 - name: containerdisk - - cloudInitNoCloud: - userData: | - #!/bin/sh - - echo 'printed from cloud-init userdata' - name: cloudinitdisk - 
diff --git a/kubevirt-cel/enforce-instancetype/.chainsaw-test/vm-good.yaml b/kubevirt-cel/enforce-instancetype/.chainsaw-test/vm-good.yaml deleted file mode 100644 index 788d6f3fb..000000000 --- a/kubevirt-cel/enforce-instancetype/.chainsaw-test/vm-good.yaml +++ /dev/null @@ -1,30 +0,0 @@ -apiVersion: kubevirt.io/v1 -kind: VirtualMachine -metadata: - labels: - kubevirt.io/vm: vm-cirros - name: vm-valid -spec: - running: false - instancetype: - name: c1.small - preference: - name: linux - template: - metadata: - labels: - kubevirt.io/vm: vm-cirros - spec: - domain: - devices: {} - terminationGracePeriodSeconds: 0 - volumes: - - containerDisk: - image: busybox:1.35 - name: containerdisk - - cloudInitNoCloud: - userData: | - #!/bin/sh - - echo 'printed from cloud-init userdata' - name: cloudinitdisk \ No newline at end of file diff --git a/kubevirt-cel/enforce-instancetype/.kyverno-test/kyverno-test.yaml b/kubevirt-cel/enforce-instancetype/.kyverno-test/kyverno-test.yaml deleted file mode 100644 index 921505525..000000000 --- a/kubevirt-cel/enforce-instancetype/.kyverno-test/kyverno-test.yaml +++ /dev/null @@ -1,21 +0,0 @@ -apiVersion: cli.kyverno.io/v1alpha1 -kind: Test -metadata: - name: enforce-instancetype -policies: -- ../enforce-instancetype.yaml -resources: -- resource.yaml -results: -- kind: VirtualMachine - policy: k6t-enforce-instancetype - resources: - - vm-invalid - result: fail - rule: k6t-ensure-instance-type-and-preference -- kind: VirtualMachine - policy: k6t-enforce-instancetype - resources: - - vm-valid - result: pass - rule: k6t-ensure-instance-type-and-preference diff --git a/kubevirt-cel/enforce-instancetype/.kyverno-test/resource.yaml b/kubevirt-cel/enforce-instancetype/.kyverno-test/resource.yaml deleted file mode 100644 index d9ed1f492..000000000 --- a/kubevirt-cel/enforce-instancetype/.kyverno-test/resource.yaml +++ /dev/null 
@@ -1,67 +0,0 @@ ---- -apiVersion: kubevirt.io/v1 -kind: VirtualMachine -metadata: - labels: - kubevirt.io/vm: vm-cirros - name: vm-valid -spec: - running: false - instancetype: - name: c1.small - preference: - name: linux - template: - metadata: - labels: - kubevirt.io/vm: vm-cirros - spec: - terminationGracePeriodSeconds: 0 - volumes: - - containerDisk: - image: registry:5000/kubevirt/cirros-container-disk-demo:devel - name: containerdisk - - cloudInitNoCloud: - userData: | - #!/bin/sh - - echo 'printed from cloud-init userdata' - name: cloudinitdisk ---- -apiVersion: kubevirt.io/v1 -kind: VirtualMachine -metadata: - labels: - kubevirt.io/vm: vm-cirros - name: vm-invalid -spec: - running: false - template: - metadata: - labels: - kubevirt.io/vm: vm-cirros - spec: - domain: - devices: - disks: - - disk: - bus: virtio - name: containerdisk - - disk: - bus: virtio - name: cloudinitdisk - resources: - requests: - memory: 128Mi - terminationGracePeriodSeconds: 0 - volumes: - - containerDisk: - image: registry:5000/kubevirt/cirros-container-disk-demo:devel - name: containerdisk - - cloudInitNoCloud: - userData: | - #!/bin/sh - - echo 'printed from cloud-init userdata' - name: cloudinitdisk - diff --git a/kubevirt-cel/enforce-instancetype/artifacthub-pkg.yml b/kubevirt-cel/enforce-instancetype/artifacthub-pkg.yml deleted file mode 100644 index 1fe9e2669..000000000 --- a/kubevirt-cel/enforce-instancetype/artifacthub-pkg.yml +++ /dev/null 
@@ -1,24 +0,0 @@ -name: enforce-instancetype-cel -version: 1.1.0 -displayName: Enforce instanceTypes in CEL expressions -description: >- - Check VirtualMachines and validate that they are using an instance type and preference. -install: |- - ```shell - kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/kubevirt-cel/enforce-instancetype/enforce-instancetype.yaml - ``` -keywords: - - kyverno - - KubeVirt - - CEL Expressions -readme: | - Check VirtualMachines and validate that they are using an instance type and preference. - - Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ -annotations: - kyverno/category: "KubeVirt" - kyverno/kubernetesVersion: "1.26-1.27" - kyverno/subject: "VirtualMachine" -digest: 2d68967a43096d0649d0485e8f2281ab06c9721ce64ea31bcd278ef67ab6bbbe -createdAt: "2024-05-12T07:03:27Z" - diff --git a/kubevirt-cel/enforce-instancetype/enforce-instancetype.yaml b/kubevirt-cel/enforce-instancetype/enforce-instancetype.yaml deleted file mode 100644 index c79ae9022..000000000 --- a/kubevirt-cel/enforce-instancetype/enforce-instancetype.yaml +++ /dev/null 
@@ -1,31 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: k6t-enforce-instancetype - annotations: - policies.kyverno.io/title: Enforce instanceTypes in CEL expressions - policies.kyverno.io/category: KubeVirt in CEL - policies.kyverno.io/subject: VirtualMachine - policies.kyverno.io/description: >- - Check VirtualMachines and validate that they are using an instance type and preference. - kyverno.io/kyverno-version: 1.11.0 - kyverno.io/kubernetes-version: "1.26-1.27" -spec: - validationFailureAction: Enforce - rules: - - name: k6t-ensure-instance-type-and-preference - match: - any: - - resources: - kinds: - - VirtualMachine - validate: - cel: - expressions: - - expression: >- - has(object.spec.instancetype) && - has(object.spec.instancetype.name) && object.spec.instancetype.name != '' && - has(object.spec.preference) && - has(object.spec.preference.name) && object.spec.preference.name != '' - message: "VirtualMachines must use instance types and preferences" - From 5ca158154d14b5da5666f1d0d3dc2ff63955ce36 Mon Sep 17 00:00:00 2001 From: Chandan-DK Date: Tue, 9 Jul 2024 15:26:57 +0000 Subject: [PATCH 32/32] add CREATE and UPDATE operations explicitly 
Signed-off-by: Chandan-DK --- .../enforce-sidecar-injection-namespace/artifacthub-pkg.yml | 2 +- .../enforce-sidecar-injection-namespace.yaml | 2 ++ istio-cel/enforce-strict-mtls/artifacthub-pkg.yml | 2 +- istio-cel/enforce-strict-mtls/enforce-strict-mtls.yaml | 3 +++ istio-cel/prevent-disabling-injection-pods/artifacthub-pkg.yml | 2 +- .../prevent-disabling-injection-pods.yaml | 3 +++ kasten-cel/k10-data-protection-by-label/artifacthub-pkg.yml | 2 +- .../k10-data-protection-by-label.yaml | 3 +++ kasten-cel/k10-hourly-rpo/artifacthub-pkg.yml | 2 +- kasten-cel/k10-hourly-rpo/k10-hourly-rpo.yaml | 3 +++ kasten-cel/k10-validate-ns-by-preset-label/artifacthub-pkg.yml | 2 +- .../k10-validate-ns-by-preset-label.yaml | 3 +++ kubecost-cel/require-kubecost-labels/artifacthub-pkg.yml | 2 +- .../require-kubecost-labels/require-kubecost-labels.yaml | 3 +++ 14 files changed, 27 insertions(+), 7 deletions(-) diff --git a/istio-cel/enforce-sidecar-injection-namespace/artifacthub-pkg.yml b/istio-cel/enforce-sidecar-injection-namespace/artifacthub-pkg.yml index f6a2902b1..177e3d150 100644 --- a/istio-cel/enforce-sidecar-injection-namespace/artifacthub-pkg.yml +++ b/istio-cel/enforce-sidecar-injection-namespace/artifacthub-pkg.yml @@ -19,6 +19,6 @@ annotations: kyverno/category: "Istio in CEL" kyverno/kubernetesVersion: "1.26-1.27" kyverno/subject: "Namespace" -digest: 3083420cd7860eadc12dd313a90d20264d211e2bf3c9ade3a74cd9454d88afa9 +digest: 123feb2a8d1b2743e33b1f91ddf7291c47eedcf2c24ae537a1d3afe6c503338d createdAt: "2024-05-12T04:38:32Z" diff --git a/istio-cel/enforce-sidecar-injection-namespace/enforce-sidecar-injection-namespace.yaml b/istio-cel/enforce-sidecar-injection-namespace/enforce-sidecar-injection-namespace.yaml index 930f284cd..5a2c91d80 100644 --- a/istio-cel/enforce-sidecar-injection-namespace/enforce-sidecar-injection-namespace.yaml +++ b/istio-cel/enforce-sidecar-injection-namespace/enforce-sidecar-injection-namespace.yaml 
@@ -24,6 +24,8 @@ spec: - resources: kinds: - Namespace + operations: + - CREATE validate: cel: expressions: diff --git a/istio-cel/enforce-strict-mtls/artifacthub-pkg.yml b/istio-cel/enforce-strict-mtls/artifacthub-pkg.yml index c7026d3d6..e760f1c9e 100644 --- a/istio-cel/enforce-strict-mtls/artifacthub-pkg.yml +++ b/istio-cel/enforce-strict-mtls/artifacthub-pkg.yml @@ -19,6 +19,6 @@ annotations: kyverno/category: "Istio in CEL" kyverno/kubernetesVersion: "1.26-1.27" kyverno/subject: "PeerAuthentication" -digest: 26293d242662d9575b51d80c63d8fe3add2a3cd1ce0c4e8f38aae602d8eb7e1a +digest: 6bf5af52d9187ac5b1b90879ab3975ea618b38d04928ceecd4779fc2b2e4b26a createdAt: "2024-05-12T04:41:47Z" diff --git a/istio-cel/enforce-strict-mtls/enforce-strict-mtls.yaml b/istio-cel/enforce-strict-mtls/enforce-strict-mtls.yaml index 057b6e2bc..33747bbfd 100644 --- a/istio-cel/enforce-strict-mtls/enforce-strict-mtls.yaml +++ b/istio-cel/enforce-strict-mtls/enforce-strict-mtls.yaml @@ -27,6 +27,9 @@ spec: - resources: kinds: - PeerAuthentication + operations: + - CREATE + - UPDATE validate: cel: expressions: diff --git a/istio-cel/prevent-disabling-injection-pods/artifacthub-pkg.yml b/istio-cel/prevent-disabling-injection-pods/artifacthub-pkg.yml index 6ce64fdb1..36ec09a25 100644 --- a/istio-cel/prevent-disabling-injection-pods/artifacthub-pkg.yml +++ b/istio-cel/prevent-disabling-injection-pods/artifacthub-pkg.yml @@ -19,6 +19,6 @@ annotations: kyverno/category: "Istio in CEL" kyverno/kubernetesVersion: "1.26-1.27" kyverno/subject: "Pod" -digest: de257d6553747a35236deb1835a79bed01fb6bfc331156158c6b98d3016c0699 +digest: 5de03c078273ce913a6ebf9064a85be4255b82e36f74bda822984e261363fe8b createdAt: "2024-05-12T04:48:58Z" diff --git a/istio-cel/prevent-disabling-injection-pods/prevent-disabling-injection-pods.yaml b/istio-cel/prevent-disabling-injection-pods/prevent-disabling-injection-pods.yaml index 6461c02e9..6662e5151 100644 
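Review bot: The `operations` list added to the Namespace rule in enforce-sidecar-injection-namespace contains only `CREATE`, whereas every other rule touched by this commit gets both `CREATE` and `UPDATE`; as written, a Namespace that passed admission with `istio-injection: enabled` can later be relabeled (set to `disabled`, or have the label removed) and this rule will not evaluate that UPDATE request, so the label can be changed after the fact without being blocked. If the policy is meant to hold for the Namespace's lifetime, add `- UPDATE` under `operations:` as the sibling hunks do; if it is deliberately scoped to newly created Namespaces, make that explicit with a one-line comment such as `# CREATE only: relabeling an existing Namespace is not re-checked at admission`. Background scans, if enabled for this policy, would only report such a change rather than block it. The rule's `validate` block continues outside the hunk.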
--- a/istio-cel/prevent-disabling-injection-pods/prevent-disabling-injection-pods.yaml +++ b/istio-cel/prevent-disabling-injection-pods/prevent-disabling-injection-pods.yaml @@ -25,6 +25,9 @@ spec: - resources: kinds: - Pod + operations: + - CREATE + - UPDATE validate: cel: expressions: diff --git a/kasten-cel/k10-data-protection-by-label/artifacthub-pkg.yml b/kasten-cel/k10-data-protection-by-label/artifacthub-pkg.yml index 008b570cb..2ca7fa978 100644 --- a/kasten-cel/k10-data-protection-by-label/artifacthub-pkg.yml +++ b/kasten-cel/k10-data-protection-by-label/artifacthub-pkg.yml @@ -19,6 +19,6 @@ annotations: kyverno/category: "Kasten K10 by Veeam in CEL" kyverno/kubernetesVersion: "1.26-1.27" kyverno/subject: "Deployment, StatefulSet" -digest: 4df1046ee3ba0839eb9598f6fff8f70ff2ae8567b83c285e01861eb5e40bc69d +digest: e3a088a52aac74e16f9b2776df78891344edd6dc03ee6456dc71d71c34519325 createdAt: "2024-05-12T07:05:48Z" diff --git a/kasten-cel/k10-data-protection-by-label/k10-data-protection-by-label.yaml b/kasten-cel/k10-data-protection-by-label/k10-data-protection-by-label.yaml index 5380dda59..58270490c 100644 --- a/kasten-cel/k10-data-protection-by-label/k10-data-protection-by-label.yaml +++ b/kasten-cel/k10-data-protection-by-label/k10-data-protection-by-label.yaml @@ -22,6 +22,9 @@ spec: kinds: - Deployment - StatefulSet + operations: + - CREATE + - UPDATE selector: matchLabels: purpose: production diff --git a/kasten-cel/k10-hourly-rpo/artifacthub-pkg.yml b/kasten-cel/k10-hourly-rpo/artifacthub-pkg.yml index 690cab2b7..bffb28b92 100644 --- a/kasten-cel/k10-hourly-rpo/artifacthub-pkg.yml +++ b/kasten-cel/k10-hourly-rpo/artifacthub-pkg.yml @@ -19,6 +19,6 @@ annotations: kyverno/category: "Kasten K10 by Veeam in CEL" kyverno/kubernetesVersion: "1.26-1.27" kyverno/subject: "Policy" -digest: 1d7655c85db2e02fd3497596f1a333759a0c5baec9fc7b0efdb867ba89a673f3 +digest: 4c95862e422636b4900103e9620ed8e41d4cafd86984a1d22e81f35767bb0eef createdAt: "2024-05-12T07:07:31Z" 
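Review bot: In the k10-data-protection-by-label hunk, adding `UPDATE` only takes effect while the Deployment/StatefulSet still carries `purpose: production`, because the `selector.matchLabels` in the same match block decides whether the rule runs at all; an update that drops or changes that label would, as far as I can tell from how the incoming object is matched, fall outside the rule and be admitted, so the new operation does not close the obvious relabel bypass. This is pre-existing behaviour rather than something the commit introduces, but since the commit's purpose is to pin the operations explicitly, a comment next to the selector such as `# an UPDATE that removes purpose=production is not matched by this rule` would keep the gap from being mistaken for coverage, or a companion rule could reject removal of the label. The rule's `validate` block lies outside the hunk.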
diff --git a/kasten-cel/k10-hourly-rpo/k10-hourly-rpo.yaml b/kasten-cel/k10-hourly-rpo/k10-hourly-rpo.yaml index a73f18786..d5f62904f 100644 --- a/kasten-cel/k10-hourly-rpo/k10-hourly-rpo.yaml +++ b/kasten-cel/k10-hourly-rpo/k10-hourly-rpo.yaml @@ -21,6 +21,9 @@ spec: - resources: kinds: - config.kio.kasten.io/v1alpha1/Policy + operations: + - CREATE + - UPDATE selector: matchLabels: appPriority: Mission-Critical diff --git a/kasten-cel/k10-validate-ns-by-preset-label/artifacthub-pkg.yml b/kasten-cel/k10-validate-ns-by-preset-label/artifacthub-pkg.yml index 8721e352c..c1ec63ef0 100644 --- a/kasten-cel/k10-validate-ns-by-preset-label/artifacthub-pkg.yml +++ b/kasten-cel/k10-validate-ns-by-preset-label/artifacthub-pkg.yml @@ -19,6 +19,6 @@ annotations: kyverno/category: "Kasten K10 by Veeam in CEL" kyverno/kubernetesVersion: "1.26-1.27" kyverno/subject: "Namespace" -digest: 444fc7b76ad91e5905d5d4e84ce7b866037da9613e88213c2a2653b2189db02a +digest: e58ab4c2018542a6acd5e97446b09cf04cec26425b9a29f0207c518310c449f3 createdAt: "2024-05-12T07:09:08Z" diff --git a/kasten-cel/k10-validate-ns-by-preset-label/k10-validate-ns-by-preset-label.yaml b/kasten-cel/k10-validate-ns-by-preset-label/k10-validate-ns-by-preset-label.yaml index d9929abae..4668e742a 100644 --- a/kasten-cel/k10-validate-ns-by-preset-label/k10-validate-ns-by-preset-label.yaml +++ b/kasten-cel/k10-validate-ns-by-preset-label/k10-validate-ns-by-preset-label.yaml @@ -26,6 +26,9 @@ spec: - resources: kinds: - Namespace + operations: + - CREATE + - UPDATE validate: cel: expressions: diff --git a/kubecost-cel/require-kubecost-labels/artifacthub-pkg.yml b/kubecost-cel/require-kubecost-labels/artifacthub-pkg.yml index 1ea848ea9..bfae83d11 100644 --- a/kubecost-cel/require-kubecost-labels/artifacthub-pkg.yml +++ b/kubecost-cel/require-kubecost-labels/artifacthub-pkg.yml 
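Review bot: The k10-hourly-rpo rule now matches `UPDATE`, but only for Kasten Policy objects that still carry `appPriority: Mission-Critical` per the `selector.matchLabels` directly below the new lines; an update that strips that label is, as far as I can tell, not matched at all, so the hourly-RPO check can be side-stepped by relabeling rather than by editing the schedule. That limitation predates this commit, but it deserves a comment by the selector, e.g. `# UPDATEs that remove appPriority=Mission-Critical are not matched`, or a separate rule that forbids dropping the label on update. The `validate` block of this rule is outside the hunk.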
@@ -19,6 +19,6 @@ annotations: kyverno/category: "Kubecost in CEL" kyverno/kubernetesVersion: "1.26-1.27" kyverno/subject: "Pod,Label" -digest: d925264dc13ebe9a81c253fceb6ad1b6ded6888d6c59126006523dc1c97825f9 +digest: e7dc12ab8d4fa467c23bc117db5c9e33e5e0d804c597ee0d88fb9f55f11ab535 createdAt: "2024-05-12T06:59:59Z" diff --git a/kubecost-cel/require-kubecost-labels/require-kubecost-labels.yaml b/kubecost-cel/require-kubecost-labels/require-kubecost-labels.yaml index e7e35ba05..32ca0dccb 100644 --- a/kubecost-cel/require-kubecost-labels/require-kubecost-labels.yaml +++ b/kubecost-cel/require-kubecost-labels/require-kubecost-labels.yaml @@ -26,6 +26,9 @@ spec: - resources: kinds: - Pod + operations: + - CREATE + - UPDATE validate: cel: expressions: