From 232d17e61f694ced30d1f8bb469c2bd49397f732 Mon Sep 17 00:00:00 2001 From: Chandan-DK Date: Sun, 7 Apr 2024 09:57:22 +0000 Subject: [PATCH 01/16] add CI test for directories starting with m to q in other-cel folder Signed-off-by: Chandan-DK --- .github/workflows/test.yml | 1 + 1 file changed, 1 insertion(+)
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 969021712..d70388784 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -53,6 +53,7 @@ jobs: - ^other$/^re[c-q] - ^other$/^res - ^other$/^[s-z] + - ^other-cel$/^[m-q] - ^pod-security$ - ^pod-security-cel$ - ^psa$
From 82008286f52aa7b363dab50ddcd6430dca994de9 Mon Sep 17 00:00:00 2001 From: Chandan-DK Date: Sun, 7 Apr 2024 09:58:16 +0000 Subject: [PATCH 02/16] copy metadata-match-regex Signed-off-by: Chandan-DK --- .../chainsaw-step-01-assert-1.yaml | 6 +++ .../.chainsaw-test/chainsaw-test.yaml | 38 +++++++++++++++++ .../.chainsaw-test/pod-bad.yaml | 41 +++++++++++++++++++ .../.chainsaw-test/pod-good.yaml | 21 ++++++++++ .../.chainsaw-test/podcontroller-bad.yaml | 39 ++++++++++++++++++ .../.chainsaw-test/podcontroller-good.yaml | 39 ++++++++++++++++++ .../metadata-match-regex/artifacthub-pkg.yml | 21 ++++++++++ .../metadata-match-regex.yaml | 33 +++++++++++++++ 8 files changed, 238 insertions(+) create mode 100755 other-cel/metadata-match-regex/.chainsaw-test/chainsaw-step-01-assert-1.yaml create mode 100755 other-cel/metadata-match-regex/.chainsaw-test/chainsaw-test.yaml create mode 100644 other-cel/metadata-match-regex/.chainsaw-test/pod-bad.yaml create mode 100644 other-cel/metadata-match-regex/.chainsaw-test/pod-good.yaml create mode 100644 other-cel/metadata-match-regex/.chainsaw-test/podcontroller-bad.yaml create mode 100644 other-cel/metadata-match-regex/.chainsaw-test/podcontroller-good.yaml create mode 100644 other-cel/metadata-match-regex/artifacthub-pkg.yml create mode 100644 other-cel/metadata-match-regex/metadata-match-regex.yaml
diff --git a/other-cel/metadata-match-regex/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other-cel/metadata-match-regex/.chainsaw-test/chainsaw-step-01-assert-1.yaml
new file mode 100755
index 000000000..440d4828f
--- /dev/null
+++ b/other-cel/metadata-match-regex/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -0,0 +1,6 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: metadata-match-regex
+status:
+ ready: true
diff --git a/other-cel/metadata-match-regex/.chainsaw-test/chainsaw-test.yaml b/other-cel/metadata-match-regex/.chainsaw-test/chainsaw-test.yaml
new file mode 100755
index 000000000..5330a983e
--- /dev/null
+++ b/other-cel/metadata-match-regex/.chainsaw-test/chainsaw-test.yaml
@@ -0,0 +1,38 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: metadata-match-regex
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: ../metadata-match-regex.yaml
+ - patch:
+ resource:
+ apiVersion: kyverno.io/v1
+ kind: ClusterPolicy
+ metadata:
+ name: metadata-match-regex
+ spec:
+ validationFailureAction: Enforce
+ - assert:
+ file: chainsaw-step-01-assert-1.yaml
+ - name: step-02
+ try:
+ - apply:
+ file: pod-good.yaml
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: pod-bad.yaml
+ - apply:
+ file: podcontroller-good.yaml
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: podcontroller-bad.yaml
diff --git a/other-cel/metadata-match-regex/.chainsaw-test/pod-bad.yaml b/other-cel/metadata-match-regex/.chainsaw-test/pod-bad.yaml
new file mode 100644
index 000000000..50accd487
--- /dev/null
+++ b/other-cel/metadata-match-regex/.chainsaw-test/pod-bad.yaml
@@ -0,0 +1,41 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ labels:
+ corp.org/version: v1.1
+ name: badpod01
+spec:
+ containers:
+ - name: busybox
+ image: busybox:1.35
+---
+apiVersion: v1
+kind: Pod
+metadata:
+ labels:
+ corp.org/version: "0.0.1"
+ name: badpod02
+spec:
+ containers:
+ - name: busybox
+ image: busybox:1.35
+---
+apiVersion: v1
+kind: Pod
+metadata:
+ labels:
+ corp.org/version: "v1.22.1"
+ name: badpod03
+spec:
+ containers:
+ - name: busybox
+ image: busybox:1.35
+---
+apiVersion: v1
+kind: Pod
+metadata:
+ name: badpod04
+spec:
+ containers:
+ - name: busybox
+ image: busybox:1.35
\ No newline at end of file
diff --git a/other-cel/metadata-match-regex/.chainsaw-test/pod-good.yaml b/other-cel/metadata-match-regex/.chainsaw-test/pod-good.yaml
new file mode 100644
index 000000000..1247325fc
--- /dev/null
+++ b/other-cel/metadata-match-regex/.chainsaw-test/pod-good.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ labels:
+ corp.org/version: v0.1.9
+ name: goodpod01
+spec:
+ containers:
+ - name: busybox
+ image: busybox:1.35
+---
+apiVersion: v1
+kind: Pod
+metadata:
+ labels:
+ corp.org/version: v0.0.1
+ name: goodpod02
+spec:
+ containers:
+ - name: busybox
+ image: busybox:1.35
\ No newline at end of file
diff --git a/other-cel/metadata-match-regex/.chainsaw-test/podcontroller-bad.yaml b/other-cel/metadata-match-regex/.chainsaw-test/podcontroller-bad.yaml
new file mode 100644
index 000000000..495f99078
--- /dev/null
+++ b/other-cel/metadata-match-regex/.chainsaw-test/podcontroller-bad.yaml
@@ -0,0 +1,39 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ app: busybox
+ name: baddeployment01
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: busybox
+ strategy: {}
+ template:
+ metadata:
+ labels:
+ corp.org/version: "v0.12.9"
+ app: busybox
+ spec:
+ containers:
+ - name: busybox
+ image: busybox:1.35
+---
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+ name: badcronjob01
+spec:
+ schedule: "* * * * *"
+ jobTemplate:
+ spec:
+ template:
+ metadata:
+ labels:
+ corp.org/version: "v1.13"
+ spec:
+ containers:
+ - name: busybox
+ image: busybox:1.35
+ restartPolicy: OnFailure
\ No newline at end of file
diff --git a/other-cel/metadata-match-regex/.chainsaw-test/podcontroller-good.yaml b/other-cel/metadata-match-regex/.chainsaw-test/podcontroller-good.yaml
new file mode 100644
index 000000000..ad399aa8b
--- /dev/null
+++ b/other-cel/metadata-match-regex/.chainsaw-test/podcontroller-good.yaml
@@ -0,0 +1,39 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ app: busybox
+ name: gooddeployment01
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: busybox
+ strategy: {}
+ template:
+ metadata:
+ labels:
+ corp.org/version: "v0.1.9"
+ app: busybox
+ spec:
+ containers:
+ - name: busybox
+ image: busybox:1.35
+---
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+ name: goodcronjob01
+spec:
+ schedule: "* * * * *"
+ jobTemplate:
+ spec:
+ template:
+ metadata:
+ labels:
+ corp.org/version: "v0.1.9"
+ spec:
+ containers:
+ - name: busybox
+ image: busybox:1.35
+ restartPolicy: OnFailure
\ No newline at end of file
diff --git a/other-cel/metadata-match-regex/artifacthub-pkg.yml b/other-cel/metadata-match-regex/artifacthub-pkg.yml
new file mode 100644
index 000000000..56a6a64b6
--- /dev/null
+++ b/other-cel/metadata-match-regex/artifacthub-pkg.yml
@@ -0,0 +1,21 @@
+name: metadata-match-regex
+version: 1.0.0
+displayName: Metadata Matches Regex
+createdAt: "2023-04-10T20:30:04.000Z"
+description: >-
+ Rather than a simple check to see if given metadata such as labels and annotations are present, in some cases they need to be present and the values match a specified regular expression. This policy illustrates how to ensure a label with key `corp.org/version` is both present and matches a given regex, in this case ensuring semver is met.
+install: |-
+ ```shell
+ kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/metadata-match-regex/metadata-match-regex.yaml
+ ```
+keywords:
+ - kyverno
+ - Other
+readme: |
+ Rather than a simple check to see if given metadata such as labels and annotations are present, in some cases they need to be present and the values match a specified regular expression. This policy illustrates how to ensure a label with key `corp.org/version` is both present and matches a given regex, in this case ensuring semver is met.
+
+ Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/
+annotations:
+ kyverno/category: "Other"
+ kyverno/subject: "Pod, Label"
+digest: 229910cb3f12ff2146bd1f463d21dc6397757da1485dad3e00c71cd815752c52
diff --git a/other-cel/metadata-match-regex/metadata-match-regex.yaml b/other-cel/metadata-match-regex/metadata-match-regex.yaml
new file mode 100644
index 000000000..57194d227
--- /dev/null
+++ b/other-cel/metadata-match-regex/metadata-match-regex.yaml
@@ -0,0 +1,33 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: metadata-match-regex
+ annotations:
+ policies.kyverno.io/title: Metadata Matches Regex
+ policies.kyverno.io/category: Other
+ policies.kyverno.io/severity: medium
+ policies.kyverno.io/subject: Pod, Label
+ policies.kyverno.io/description: >-
+ Rather than a simple check to see if given metadata such as labels and annotations are present,
+ in some cases they need to be present and the values match a specified regular expression. This
+ policy illustrates how to ensure a label with key `corp.org/version` is both present and matches
+ a given regex, in this case ensuring semver is met.
+spec:
+ validationFailureAction: audit
+ background: false
+ rules:
+ - name: check-for-regex
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ validate:
+ message: >-
+ The label `corp.org/version` is required and must match the specified regex: ^v[0-9].[0-9].[0-9]$
+ deny:
+ conditions:
+ all:
+ - key: "{{ regex_match('^v[0-9].[0-9].[0-9]$','{{request.object.metadata.labels.\"corp.org/version\" || 'empty'}}') }}"
+ operator: Equals
+ value: false
From 5581efca6cec52596edf8121f1ff7ae6067627c0 Mon Sep 17 00:00:00 2001 From: Chandan-DK Date: Sun, 7 Apr 2024 10:16:55 +0000 Subject: [PATCH 03/16] convert metadata-match-regex to cel Signed-off-by: Chandan-DK --- .../metadata-match-regex/artifacthub-pkg.yml | 15 +++++++----- .../metadata-match-regex.yaml | 24 ++++++++++--------- 2 files changed, 22 insertions(+), 17 deletions(-)
diff --git a/other-cel/metadata-match-regex/artifacthub-pkg.yml b/other-cel/metadata-match-regex/artifacthub-pkg.yml
index 56a6a64b6..c4c2212d4 100644
--- a/other-cel/metadata-match-regex/artifacthub-pkg.yml
+++ b/other-cel/metadata-match-regex/artifacthub-pkg.yml
@@ -1,21 +1,24 @@ -name: metadata-match-regex +name: metadata-match-regex-cel version: 1.0.0 -displayName: Metadata Matches Regex -createdAt: "2023-04-10T20:30:04.000Z" +displayName: Metadata Matches Regex in CEL expressions description: >- Rather than a simple check to see if given metadata such as labels and annotations are present, in some cases they need to be present and the values match a specified regular expression. This policy illustrates how to ensure a label with key `corp.org/version` is both present and matches a given regex, in this case ensuring semver is met. install: |- ```shell - kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/metadata-match-regex/metadata-match-regex.yaml + kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other-cel/metadata-match-regex/metadata-match-regex.yaml ``` keywords: - kyverno - Other + - CEL Expressions readme: | Rather than a simple check to see if given metadata such as labels and annotations are present, in some cases they need to be present and the values match a specified regular expression. This policy illustrates how to ensure a label with key `corp.org/version` is both present and matches a given regex, in this case ensuring semver is met. Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ annotations: - kyverno/category: "Other" + kyverno/category: "Other in CEL" + kyverno/kubernetesVersion: "1.26-1.27" kyverno/subject: "Pod, Label" -digest: 229910cb3f12ff2146bd1f463d21dc6397757da1485dad3e00c71cd815752c52 +digest: 4f6e2a07df41b3ce83af7ce25a6cdb7bae14f336edfd178bb52b25183f6c580d +createdAt: "2024-04-07T10:16:14Z" +
diff --git a/other-cel/metadata-match-regex/metadata-match-regex.yaml b/other-cel/metadata-match-regex/metadata-match-regex.yaml
index 57194d227..be0c59c02 100644
--- a/other-cel/metadata-match-regex/metadata-match-regex.yaml
+++ b/other-cel/metadata-match-regex/metadata-match-regex.yaml
@@ -3,17 +3,19 @@ kind: ClusterPolicy metadata: name: metadata-match-regex annotations: - policies.kyverno.io/title: Metadata Matches Regex - policies.kyverno.io/category: Other + policies.kyverno.io/title: Metadata Matches Regex in CEL expressions + policies.kyverno.io/category: Other in CEL policies.kyverno.io/severity: medium policies.kyverno.io/subject: Pod, Label + policies.kyverno.io/minversion: 1.11.0 + kyverno.io/kubernetes-version: "1.26-1.27" policies.kyverno.io/description: >- Rather than a simple check to see if given metadata such as labels and annotations are present, in some cases they need to be present and the values match a specified regular expression. This policy illustrates how to ensure a label with key `corp.org/version` is both present and matches a given regex, in this case ensuring semver is met. spec: - validationFailureAction: audit + validationFailureAction: Audit background: false rules: - name: check-for-regex
@@ -23,11 +25,11 @@ spec: kinds: - Pod validate: - message: >- - The label `corp.org/version` is required and must match the specified regex: ^v[0-9].[0-9].[0-9]$ - deny: - conditions: - all: - - key: "{{ regex_match('^v[0-9].[0-9].[0-9]$','{{request.object.metadata.labels.\"corp.org/version\" || 'empty'}}') }}" - operator: Equals - value: false + cel: + expressions: + - expression: >- + has(object.metadata.labels) && 'corp.org/version' in object.metadata.labels && + object.metadata.labels['corp.org/version'].matches('^v[0-9].[0-9].[0-9]$') + message: >- + The label `corp.org/version` is required and must match the specified regex: ^v[0-9].[0-9].[0-9]$ +
From 18053f0bc0f560947777f5a257a1087555f17ded Mon Sep 17 00:00:00 2001 From: Chandan-DK Date: Sun, 7 Apr 2024 10:17:33 +0000 Subject: [PATCH 04/16] add kyverno tests for metadata-match-regex
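Review bot: The regex in the new `expression` line, `^v[0-9].[0-9].[0-9]$`, leaves its dots unescaped, so `.` matches any character and a label such as `v1x2y3` satisfies the rule; since the CEL string sits inside a folded scalar, a raw string keeps the escapes readable: `object.metadata.labels['corp.org/version'].matches(r'^v[0-9]\.[0-9]\.[0-9]$')`, with the same change to the regex quoted in `message`. The pattern also accepts only single-digit components (the fixture `badpod03` with `v1.22.1` is expected to fail), so the description's "ensuring semver is met" overstates what is enforced; either say "a single-digit `vX.Y.Z` form" or widen the classes to `[0-9]+` and adjust the fixtures. The version annotation added in the first hunk, `policies.kyverno.io/minversion`, differs from the `kyverno.io/kyverno-version` key used by the pdb-maxunavailable conversion later on this page; use one key across the folder.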
Signed-off-by: Chandan-DK --- .../.kyverno-test/kyverno-test.yaml | 53 +++++++++++++++++++ .../.kyverno-test/kyverno-test.yaml | 46 ++++++++++++++++ 2 files changed, 99 insertions(+) create mode 100644 other-cel/metadata-match-regex/.kyverno-test/kyverno-test.yaml create mode 100644 other/metadata-match-regex/.kyverno-test/kyverno-test.yaml
diff --git a/other-cel/metadata-match-regex/.kyverno-test/kyverno-test.yaml b/other-cel/metadata-match-regex/.kyverno-test/kyverno-test.yaml
new file mode 100644
index 000000000..c7259a539
--- /dev/null
+++ b/other-cel/metadata-match-regex/.kyverno-test/kyverno-test.yaml
@@ -0,0 +1,53 @@
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ name: metadata-match-regex
+policies:
+- ../metadata-match-regex.yaml
+resources:
+- ../.chainsaw-test/pod-bad.yaml
+- ../.chainsaw-test/pod-good.yaml
+- ../.chainsaw-test/podcontroller-bad.yaml
+- ../.chainsaw-test/podcontroller-good.yaml
+results:
+- policy: metadata-match-regex
+ rule: check-for-regex
+ kind: Pod
+ resources:
+ - badpod01
+ - badpod02
+ - badpod03
+ - badpod04
+ result: fail
+- policy: metadata-match-regex
+ rule: check-for-regex
+ kind: Deployment
+ resources:
+ - baddeployment01
+ result: fail
+- policy: metadata-match-regex
+ rule: check-for-regex
+ kind: CronJob
+ resources:
+ - badcronjob01
+ result: fail
+- policy: metadata-match-regex
+ rule: check-for-regex
+ kind: Pod
+ resources:
+ - goodpod01
+ - goodpod02
+ result: pass
+- policy: metadata-match-regex
+ rule: check-for-regex
+ kind: Deployment
+ resources:
+ - gooddeployment01
+ result: pass
+- policy: metadata-match-regex
+ rule: check-for-regex
+ kind: CronJob
+ resources:
+ - goodcronjob01
+ result: pass
+
diff --git a/other/metadata-match-regex/.kyverno-test/kyverno-test.yaml b/other/metadata-match-regex/.kyverno-test/kyverno-test.yaml
new file mode 100644
index 000000000..9e2f2c1f8
--- /dev/null
+++ b/other/metadata-match-regex/.kyverno-test/kyverno-test.yaml
@@ -0,0 +1,46 @@
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ name: metadata-match-regex
+policies:
+- ../metadata-match-regex.yaml
+resources:
+- ../.chainsaw-test/pod-bad.yaml
+- ../.chainsaw-test/pod-good.yaml
+- ../.chainsaw-test/podcontroller-bad.yaml
+- ../.chainsaw-test/podcontroller-good.yaml
+results:
+- policy: metadata-match-regex
+ rule: check-for-regex
+ kind: Pod
+ resources:
+ - badpod01
+ - badpod02
+ - badpod03
+ - badpod04
+ result: fail
+- policy: metadata-match-regex
+ rule: check-for-regex
+ kind: Deployment
+ resources:
+ - baddeployment01
+ result: fail
+- policy: metadata-match-regex
+ rule: check-for-regex
+ kind: CronJob
+ resources:
+ - badcronjob01
+ result: fail
+- policy: metadata-match-regex
+ rule: check-for-regex
+ kind: Deployment
+ resources:
+ - gooddeployment01
+ result: pass
+- policy: metadata-match-regex
+ rule: check-for-regex
+ kind: CronJob
+ resources:
+ - goodcronjob01
+ result: pass
+
From 1c8e70ba34587ccaf5cbe8e5f5df313331903dc0 Mon Sep 17 00:00:00 2001 From: Chandan-DK Date: Sun, 7 Apr 2024 10:43:30 +0000 Subject: [PATCH 05/16] copy pdb-maxunavailable
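Review bot: The results list in this `other/` test omits the Pod `pass` entry for `goodpod01`/`goodpod02` that the `other-cel/` counterpart in the previous hunk includes, although both tests load the same `pod-good.yaml`. If the omission is deliberate (for instance because the CLI does not evaluate the nested JMESPath for these Pods), a comment above `results:` saying so would stop the next reader from "fixing" it; otherwise add the Pod `pass` block so the two files assert the same fixtures. The sequence indentation also mixes flush (`- ../metadata-match-regex.yaml`) and indented (`  - badpod01`) lists; pick one style for the file.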
Signed-off-by: Chandan-DK --- .../chainsaw-step-01-assert-1.yaml | 6 +++ .../.chainsaw-test/chainsaw-test.yaml | 31 ++++++++++++++ .../.chainsaw-test/pdb-bad.yaml | 6 +++ .../.chainsaw-test/pdb-good.yaml | 13 ++++++ .../.kyverno-test/kyverno-test.yaml | 23 ++++++++++ .../.kyverno-test/resource.yaml | 42 +++++++++++++++++++ .../pdb-maxunavailable/artifacthub-pkg.yml | 22 ++++++++++ .../pdb-maxunavailable.yaml | 30 +++++++++++++ 8 files changed, 173 insertions(+) create mode 100755 other-cel/pdb-maxunavailable/.chainsaw-test/chainsaw-step-01-assert-1.yaml create mode 100755 other-cel/pdb-maxunavailable/.chainsaw-test/chainsaw-test.yaml create mode 100644 other-cel/pdb-maxunavailable/.chainsaw-test/pdb-bad.yaml create mode 100644 other-cel/pdb-maxunavailable/.chainsaw-test/pdb-good.yaml create mode 100644 other-cel/pdb-maxunavailable/.kyverno-test/kyverno-test.yaml create mode 100644 other-cel/pdb-maxunavailable/.kyverno-test/resource.yaml create mode 100644 other-cel/pdb-maxunavailable/artifacthub-pkg.yml create mode 100644 other-cel/pdb-maxunavailable/pdb-maxunavailable.yaml
diff --git a/other-cel/pdb-maxunavailable/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other-cel/pdb-maxunavailable/.chainsaw-test/chainsaw-step-01-assert-1.yaml
new file mode 100755
index 000000000..5cdc2b1cc
--- /dev/null
+++ b/other-cel/pdb-maxunavailable/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -0,0 +1,6 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: pdb-maxunavailable
+status:
+ ready: true
diff --git a/other-cel/pdb-maxunavailable/.chainsaw-test/chainsaw-test.yaml b/other-cel/pdb-maxunavailable/.chainsaw-test/chainsaw-test.yaml
new file mode 100755
index 000000000..506f80b2e
--- /dev/null
+++ b/other-cel/pdb-maxunavailable/.chainsaw-test/chainsaw-test.yaml
@@ -0,0 +1,31 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: pdb-maxunavailable
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: ../pdb-maxunavailable.yaml
+ - patch:
+ resource:
+ apiVersion: kyverno.io/v1
+ kind: ClusterPolicy
+ metadata:
+ name: pdb-maxunavailable
+ spec:
+ validationFailureAction: Enforce
+ - assert:
+ file: chainsaw-step-01-assert-1.yaml
+ - name: step-02
+ try:
+ - apply:
+ file: pdb-good.yaml
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: pdb-bad.yaml
diff --git a/other-cel/pdb-maxunavailable/.chainsaw-test/pdb-bad.yaml b/other-cel/pdb-maxunavailable/.chainsaw-test/pdb-bad.yaml
new file mode 100644
index 000000000..3856659ef
--- /dev/null
+++ b/other-cel/pdb-maxunavailable/.chainsaw-test/pdb-bad.yaml
@@ -0,0 +1,6 @@
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+ name: badpdb01
+spec:
+ maxUnavailable: 0
\ No newline at end of file
diff --git a/other-cel/pdb-maxunavailable/.chainsaw-test/pdb-good.yaml b/other-cel/pdb-maxunavailable/.chainsaw-test/pdb-good.yaml
new file mode 100644
index 000000000..44d7a816c
--- /dev/null
+++ b/other-cel/pdb-maxunavailable/.chainsaw-test/pdb-good.yaml
@@ -0,0 +1,13 @@
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+ name: goodpdb01
+spec:
+ minAvailable: 1
+---
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+ name: goodpdb02
+spec:
+ maxUnavailable: 1
\ No newline at end of file
diff --git a/other-cel/pdb-maxunavailable/.kyverno-test/kyverno-test.yaml b/other-cel/pdb-maxunavailable/.kyverno-test/kyverno-test.yaml
new file mode 100644
index 000000000..de54dcca9
--- /dev/null
+++ b/other-cel/pdb-maxunavailable/.kyverno-test/kyverno-test.yaml
@@ -0,0 +1,23 @@
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ name: pdb-maxunavailable
+policies:
+- ../pdb-maxunavailable.yaml
+resources:
+- resource.yaml
+results:
+- kind: PodDisruptionBudget
+ policy: pdb-maxunavailable
+ resources:
+ - kube-system/bad-pdb-zero
+ - kube-system/bad-pdb-negative-one
+ result: fail
+ rule: pdb-maxunavailable
+- kind: PodDisruptionBudget
+ policy: pdb-maxunavailable
+ resources:
+ - kube-system/good-pdb
+ - kube-system/good-pdb-none
+ result: pass
+ rule: pdb-maxunavailable
diff --git a/other-cel/pdb-maxunavailable/.kyverno-test/resource.yaml b/other-cel/pdb-maxunavailable/.kyverno-test/resource.yaml
new file mode 100644
index 000000000..8b4f7cbf0
--- /dev/null
+++ b/other-cel/pdb-maxunavailable/.kyverno-test/resource.yaml
@@ -0,0 +1,42 @@
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+ name: good-pdb
+ namespace: kube-system
+spec:
+ maxUnavailable: 2
+ selector:
+ matchLabels:
+ app: good
+---
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+ name: good-pdb-none
+ namespace: kube-system
+spec:
+ selector:
+ matchLabels:
+ app: good
+---
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+ name: bad-pdb-zero
+ namespace: kube-system
+spec:
+ maxUnavailable: 0
+ selector:
+ matchLabels:
+ app: bad
+---
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+ name: bad-pdb-negative-one
+ namespace: kube-system
+spec:
+ maxUnavailable: -1
+ selector:
+ matchLabels:
+ app: bad
diff --git a/other-cel/pdb-maxunavailable/artifacthub-pkg.yml b/other-cel/pdb-maxunavailable/artifacthub-pkg.yml
new file mode 100644
index 000000000..6c0ffacd2
--- /dev/null
+++ b/other-cel/pdb-maxunavailable/artifacthub-pkg.yml
@@ -0,0 +1,22 @@
+name: pdb-maxunavailable
+version: 1.0.0
+displayName: PodDisruptionBudget maxUnavailable Non-Zero
+createdAt: "2023-04-10T20:30:05.000Z"
+description: >-
+ A PodDisruptionBudget which sets its maxUnavailable value to zero prevents all voluntary evictions including Node drains which may impact maintenance tasks. This policy enforces that if a PodDisruptionBudget specifies the maxUnavailable field it must be greater than zero.
+install: |-
+ ```shell
+ kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/pdb-maxunavailable/pdb-maxunavailable.yaml
+ ```
+keywords:
+ - kyverno
+ - Other
+readme: |
+ A PodDisruptionBudget which sets its maxUnavailable value to zero prevents all voluntary evictions including Node drains which may impact maintenance tasks. This policy enforces that if a PodDisruptionBudget specifies the maxUnavailable field it must be greater than zero.
+
+ Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/
+annotations:
+ kyverno/category: "Other"
+ kyverno/kubernetesVersion: "1.24"
+ kyverno/subject: "PodDisruptionBudget"
+digest: d7acf0213b5530e922ca29674342a359b09e0b34afded7c321363e4c6f45a84c
diff --git a/other-cel/pdb-maxunavailable/pdb-maxunavailable.yaml b/other-cel/pdb-maxunavailable/pdb-maxunavailable.yaml
new file mode 100644
index 000000000..b26a8c354
--- /dev/null
+++ b/other-cel/pdb-maxunavailable/pdb-maxunavailable.yaml
@@ -0,0 +1,30 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: pdb-maxunavailable
+ annotations:
+ policies.kyverno.io/title: PodDisruptionBudget maxUnavailable Non-Zero
+ policies.kyverno.io/category: Other
+ kyverno.io/kyverno-version: 1.9.0
+ kyverno.io/kubernetes-version: "1.24"
+ policies.kyverno.io/subject: PodDisruptionBudget
+ policies.kyverno.io/description: >-
+ A PodDisruptionBudget which sets its maxUnavailable value to zero prevents
+ all voluntary evictions including Node drains which may impact maintenance tasks.
+ This policy enforces that if a PodDisruptionBudget specifies the maxUnavailable field
+ it must be greater than zero.
+spec:
+ validationFailureAction: audit
+ background: false
+ rules:
+ - name: pdb-maxunavailable
+ match:
+ any:
+ - resources:
+ kinds:
+ - PodDisruptionBudget
+ validate:
+ message: "The value of maxUnavailable must be greater than zero."
+ pattern:
+ spec:
+ =(maxUnavailable): ">0"
\ No newline at end of file
From c54d525e8b6e1398535970a0d655bf0740209590 Mon Sep 17 00:00:00 2001 From: Chandan-DK Date: Sun, 7 Apr 2024 10:45:31 +0000 Subject: [PATCH 06/16] convert pdb-maxunavailable to cel Signed-off-by: Chandan-DK --- .../pdb-maxunavailable/artifacthub-pkg.yml | 16 +++++++++------- .../pdb-maxunavailable.yaml | 19 ++++++++++--------- 2 files changed, 19 insertions(+), 16 deletions(-)
diff --git a/other-cel/pdb-maxunavailable/artifacthub-pkg.yml b/other-cel/pdb-maxunavailable/artifacthub-pkg.yml
index 6c0ffacd2..efc26a695 100644
--- a/other-cel/pdb-maxunavailable/artifacthub-pkg.yml
+++ b/other-cel/pdb-maxunavailable/artifacthub-pkg.yml
@@ -1,22 +1,24 @@ -name: pdb-maxunavailable +name: pdb-maxunavailable-cel version: 1.0.0 -displayName: PodDisruptionBudget maxUnavailable Non-Zero -createdAt: "2023-04-10T20:30:05.000Z" +displayName: PodDisruptionBudget maxUnavailable Non-Zero in CEL expressions description: >- A PodDisruptionBudget which sets its maxUnavailable value to zero prevents all voluntary evictions including Node drains which may impact maintenance tasks. This policy enforces that if a PodDisruptionBudget specifies the maxUnavailable field it must be greater than zero. install: |- ```shell - kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/pdb-maxunavailable/pdb-maxunavailable.yaml + kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other-cel/pdb-maxunavailable/pdb-maxunavailable.yaml ``` keywords: - kyverno - Other + - CEL Expressions readme: | A PodDisruptionBudget which sets its maxUnavailable value to zero prevents all voluntary evictions including Node drains which may impact maintenance tasks. This policy enforces that if a PodDisruptionBudget specifies the maxUnavailable field it must be greater than zero. Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ annotations: - kyverno/category: "Other" - kyverno/kubernetesVersion: "1.24" + kyverno/category: "Other in CEL" + kyverno/kubernetesVersion: "1.26-1.27" kyverno/subject: "PodDisruptionBudget" -digest: d7acf0213b5530e922ca29674342a359b09e0b34afded7c321363e4c6f45a84c +digest: 7dff4f3801bce1ca8835c5ebcadaa78e1fa41480a19958eb78aee5bbfcd6b8bf +createdAt: "2024-04-07T10:22:03Z" +
diff --git a/other-cel/pdb-maxunavailable/pdb-maxunavailable.yaml b/other-cel/pdb-maxunavailable/pdb-maxunavailable.yaml
index b26a8c354..4c2da59ae 100644
--- a/other-cel/pdb-maxunavailable/pdb-maxunavailable.yaml
+++ b/other-cel/pdb-maxunavailable/pdb-maxunavailable.yaml
@@ -3,10 +3,10 @@ kind: ClusterPolicy metadata: name: pdb-maxunavailable annotations: - policies.kyverno.io/title: PodDisruptionBudget maxUnavailable Non-Zero - policies.kyverno.io/category: Other - kyverno.io/kyverno-version: 1.9.0 - kyverno.io/kubernetes-version: "1.24" + policies.kyverno.io/title: PodDisruptionBudget maxUnavailable Non-Zero in CEL expressions + policies.kyverno.io/category: Other in CEL + kyverno.io/kyverno-version: 1.11.0 + kyverno.io/kubernetes-version: "1.26-1.27" policies.kyverno.io/subject: PodDisruptionBudget policies.kyverno.io/description: >- A PodDisruptionBudget which sets its maxUnavailable value to zero prevents
@@ -14,7 +14,7 @@ metadata: This policy enforces that if a PodDisruptionBudget specifies the maxUnavailable field it must be greater than zero. spec: - validationFailureAction: audit + validationFailureAction: Audit background: false rules: - name: pdb-maxunavailable
@@ -24,7 +24,8 @@ spec: kinds: - PodDisruptionBudget validate: - message: "The value of maxUnavailable must be greater than zero." - pattern: - spec: - =(maxUnavailable): ">0" \ No newline at end of file + cel: + expressions: + - expression: "!has(object.spec.maxUnavailable) || int(object.spec.maxUnavailable) > 0" + message: "The value of maxUnavailable must be greater than zero." +
From 0dfea19dddffefc0b43b890e06e295da9efa9afb Mon Sep 17 00:00:00 2001 From: Chandan-DK Date: Sun, 7 Apr 2024 10:46:19 +0000 Subject: [PATCH 07/16] copy prevent-bare-pods
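Review bot: `int(object.spec.maxUnavailable)` in the new expression of the third hunk raises a CEL evaluation error for the percentage form the field also accepts (`maxUnavailable: "10%"` is a valid IntOrString), so whether such a PodDisruptionBudget is admitted depends on how the engine treats an errored expression rather than on what the policy intends. A form that handles both representations without a conversion is `!has(object.spec.maxUnavailable) || !string(object.spec.maxUnavailable).matches('^(-[0-9]+|0+)%?$')`, which still fails `0` and `-1` from the fixtures and passes `2`, absent, and `"10%"`; whichever form is kept, the rule's intent for percentages should be stated in the description. The `.kyverno-test/resource.yaml` copied in PATCH 05 holds only integer cases, so add a `"0%"` and a `"10%"` PodDisruptionBudget there to cover that path.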
Signed-off-by: Chandan-DK --- .../chainsaw-step-01-assert-1.yaml | 6 +++ .../.chainsaw-test/chainsaw-test.yaml | 46 +++++++++++++++++++ .../.chainsaw-test/deployment.yaml | 22 +++++++++ .../prevent-bare-pods/.chainsaw-test/ns.yaml | 4 ++ .../.chainsaw-test/pod-bad.yaml | 8 ++++ .../.chainsaw-test/pod-good.yaml | 13 ++++++ .../prevent-bare-pods/artifacthub-pkg.yml | 23 ++++++++++ .../prevent-bare-pods/prevent-bare-pods.yaml | 41 +++++++++++++++++ 8 files changed, 163 insertions(+) create mode 100755 other-cel/prevent-bare-pods/.chainsaw-test/chainsaw-step-01-assert-1.yaml create mode 100755 other-cel/prevent-bare-pods/.chainsaw-test/chainsaw-test.yaml create mode 100644 other-cel/prevent-bare-pods/.chainsaw-test/deployment.yaml create mode 100644 other-cel/prevent-bare-pods/.chainsaw-test/ns.yaml create mode 100644 other-cel/prevent-bare-pods/.chainsaw-test/pod-bad.yaml create mode 100644 other-cel/prevent-bare-pods/.chainsaw-test/pod-good.yaml create mode 100644 other-cel/prevent-bare-pods/artifacthub-pkg.yml create mode 100644 other-cel/prevent-bare-pods/prevent-bare-pods.yaml
diff --git a/other-cel/prevent-bare-pods/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other-cel/prevent-bare-pods/.chainsaw-test/chainsaw-step-01-assert-1.yaml
new file mode 100755
index 000000000..34cc2d581
--- /dev/null
+++ b/other-cel/prevent-bare-pods/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -0,0 +1,6 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: prevent-bare-pods
+status:
+ ready: true
diff --git a/other-cel/prevent-bare-pods/.chainsaw-test/chainsaw-test.yaml b/other-cel/prevent-bare-pods/.chainsaw-test/chainsaw-test.yaml
new file mode 100755
index 000000000..00047a5d0
--- /dev/null
+++ b/other-cel/prevent-bare-pods/.chainsaw-test/chainsaw-test.yaml
@@ -0,0 +1,46 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: prevent-naked-pods
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: ns.yaml
+ - apply:
+ file: ../prevent-bare-pods.yaml
+ - patch:
+ resource:
+ apiVersion: kyverno.io/v1
+ kind: ClusterPolicy
+ metadata:
+ name: prevent-bare-pods
+ spec:
+ validationFailureAction: Enforce
+ - assert:
+ file: chainsaw-step-01-assert-1.yaml
+ - name: step-02
+ try:
+ - apply:
+ file: pod-good.yaml
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: pod-bad.yaml
+ - apply:
+ file: deployment.yaml
+ - name: step-03
+ try:
+ - sleep:
+ duration: 5s
+ - script:
+ content: |
+ if [ $(kubectl get pods -n prevent-naked-pods-ns | grep gooddeployment01 | wc -l) -gt 0 ]; then exit 0; else exit 1; fi
+ - name: step-99
+ try:
+ - script:
+ content: kubectl delete all --all --force --grace-period=0 -n prevent-naked-pods-ns
diff --git a/other-cel/prevent-bare-pods/.chainsaw-test/deployment.yaml b/other-cel/prevent-bare-pods/.chainsaw-test/deployment.yaml
new file mode 100644
index 000000000..8ddcca3cc
--- /dev/null
+++ b/other-cel/prevent-bare-pods/.chainsaw-test/deployment.yaml
@@ -0,0 +1,22 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ app: busybox
+ name: gooddeployment01
+ namespace: prevent-naked-pods-ns
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: busybox
+ strategy: {}
+ template:
+ metadata:
+ labels:
+ app: busybox
+ spec:
+ containers:
+ - name: busybox
+ image: busybox:1.35
+ command: ["sleep", "30"]
\ No newline at end of file
diff --git a/other-cel/prevent-bare-pods/.chainsaw-test/ns.yaml b/other-cel/prevent-bare-pods/.chainsaw-test/ns.yaml
new file mode 100644
index 000000000..1854a97d2
--- /dev/null
+++ b/other-cel/prevent-bare-pods/.chainsaw-test/ns.yaml
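Review bot: step-03 in the chainsaw test relies on `sleep: 5s` followed by a `grep | wc -l` count, so the check is timing-dependent and reports nothing useful when the Deployment's Pod is slow to appear; if readiness is an acceptable signal, `content: kubectl wait --for=condition=Available --timeout=60s deployment/gooddeployment01 -n prevent-naked-pods-ns` waits up to a bound and fails with a message instead. The test is named `prevent-naked-pods` and its namespace is `prevent-naked-pods-ns` while the policy under test is `prevent-bare-pods`; this reads like a leftover from an earlier name and is worth aligning while the files are being copied.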
@@ -0,0 +1,4 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: prevent-naked-pods-ns \ No newline at end of file diff --git a/other-cel/prevent-bare-pods/.chainsaw-test/pod-bad.yaml b/other-cel/prevent-bare-pods/.chainsaw-test/pod-bad.yaml new file mode 100644 index 000000000..be458efe5 --- /dev/null +++ b/other-cel/prevent-bare-pods/.chainsaw-test/pod-bad.yaml @@ -0,0 +1,8 @@ +apiVersion: v1 +kind: Pod +metadata: + name: badpod01 +spec: + containers: + - name: busybox + image: busybox:1.35 \ No newline at end of file diff --git a/other-cel/prevent-bare-pods/.chainsaw-test/pod-good.yaml b/other-cel/prevent-bare-pods/.chainsaw-test/pod-good.yaml new file mode 100644 index 000000000..649c25ce4 --- /dev/null +++ b/other-cel/prevent-bare-pods/.chainsaw-test/pod-good.yaml @@ -0,0 +1,13 @@ +apiVersion: v1 +kind: Pod +metadata: + ownerReferences: + - apiVersion: apps/v1 + kind: Deployment + name: gooddeployment01 + uid: "foo-bar" + name: godpod01 +spec: + containers: + - name: busybox + image: busybox:1.35 \ No newline at end of file diff --git a/other-cel/prevent-bare-pods/artifacthub-pkg.yml b/other-cel/prevent-bare-pods/artifacthub-pkg.yml new file mode 100644 index 000000000..8eb457c4c --- /dev/null +++ b/other-cel/prevent-bare-pods/artifacthub-pkg.yml 
@@ -0,0 +1,23 @@ +name: prevent-bare-pods +version: 1.0.0 +displayName: Prevent bare Pods +createdAt: "2023-04-10T20:30:05.000Z" +description: >- + Pods not created by workload controllers such as Deployments have no self-healing or scaling abilities and are unsuitable for production. This policy prevents such "bare" Pods from being created unless they originate from a higher-level workload controller of some sort. +install: |- + ```shell + kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/prevent-bare-pods/prevent-bare-pods.yaml + ``` +keywords: + - kyverno + - Other + - EKS Best Practices +readme: | + Pods not created by workload controllers such as Deployments have no self-healing or scaling abilities and are unsuitable for production. This policy prevents such "bare" Pods from being created unless they originate from a higher-level workload controller of some sort. + + Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ +annotations: + kyverno/category: "Other, EKS Best Practices" + kyverno/kubernetesVersion: "1.23" + kyverno/subject: "Pod" +digest: 3dcbd8d5c7a049035f8eb9c927348db667a6a5fd11a1ddd80e36b0588c6152ea diff --git a/other-cel/prevent-bare-pods/prevent-bare-pods.yaml b/other-cel/prevent-bare-pods/prevent-bare-pods.yaml new file mode 100644 index 000000000..ec9c7d4a3 --- /dev/null +++ b/other-cel/prevent-bare-pods/prevent-bare-pods.yaml 
@@ -0,0 +1,41 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: prevent-bare-pods
+ annotations:
+ policies.kyverno.io/title: Prevent Bare Pods
+ pod-policies.kyverno.io/autogen-controllers: none
+ policies.kyverno.io/category: Other, EKS Best Practices
+ policies.kyverno.io/severity: medium
+ kyverno.io/kyverno-version: 1.7.0
+ policies.kyverno.io/minversion: 1.6.0
+ kyverno.io/kubernetes-version: "1.23"
+ policies.kyverno.io/subject: Pod
+ policies.kyverno.io/description: >-
+ Pods not created by workload controllers such as Deployments
+ have no self-healing or scaling abilities and are unsuitable for production.
+ This policy prevents such "bare" Pods from being created unless they originate
+ from a higher-level workload controller of some sort.
+spec:
+ validationFailureAction: audit
+ background: true
+ rules:
+ - name: bare-pods
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ preconditions:
+ all:
+ - key: "{{request.operation || 'BACKGROUND'}}"
+ operator: NotEquals
+ value: DELETE
+ validate:
+ message: "Bare Pods are not allowed. They must be created by Pod controllers."
+ deny:
+ conditions:
+ any:
+ - key: ownerReferences
+ operator: AnyNotIn
+ value: "{{request.object.metadata.keys(@)}}"
\ No newline at end of file
From 3a2f9d7a686ed68a0d880738ff49e2124c78e463 Mon Sep 17 00:00:00 2001 From: Chandan-DK Date: Sun, 7 Apr 2024 10:48:18 +0000 Subject: [PATCH 08/16] convert prevent-bare-pods to cel Signed-off-by: Chandan-DK
--- .../prevent-bare-pods/artifacthub-pkg.yml | 16 ++++++----- .../prevent-bare-pods/prevent-bare-pods.yaml | 28 +++++++------------ 2 files changed, 19 insertions(+), 25 deletions(-)
diff --git a/other-cel/prevent-bare-pods/artifacthub-pkg.yml b/other-cel/prevent-bare-pods/artifacthub-pkg.yml
index 8eb457c4c..a100c0e51 100644
--- a/other-cel/prevent-bare-pods/artifacthub-pkg.yml
+++ b/other-cel/prevent-bare-pods/artifacthub-pkg.yml
@@ -1,23 +1,25 @@ -name: prevent-bare-pods +name: prevent-bare-pods-cel version: 1.0.0 -displayName: Prevent bare Pods -createdAt: "2023-04-10T20:30:05.000Z" +displayName: Prevent bare Pods in CEL expressions description: >- Pods not created by workload controllers such as Deployments have no self-healing or scaling abilities and are unsuitable for production. This policy prevents such "bare" Pods from being created unless they originate from a higher-level workload controller of some sort. install: |- ```shell - kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/prevent-bare-pods/prevent-bare-pods.yaml + kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other-cel/prevent-bare-pods/prevent-bare-pods.yaml ``` keywords: - kyverno - Other - EKS Best Practices + - CEL Expressions readme: | Pods not created by workload controllers such as Deployments have no self-healing or scaling abilities and are unsuitable for production. This policy prevents such "bare" Pods from being created unless they originate from a higher-level workload controller of some sort. Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ annotations: - kyverno/category: "Other, EKS Best Practices" - kyverno/kubernetesVersion: "1.23" + kyverno/category: "Other, EKS Best Practices in CEL" + kyverno/kubernetesVersion: "1.26-1.27" kyverno/subject: "Pod" -digest: 3dcbd8d5c7a049035f8eb9c927348db667a6a5fd11a1ddd80e36b0588c6152ea +digest: 448ef8432853ff17687409fd813fcc5e1be8146a20eb5860bd2f56766d2c717f +createdAt: "2024-04-07T10:47:32Z" + diff --git a/other-cel/prevent-bare-pods/prevent-bare-pods.yaml b/other-cel/prevent-bare-pods/prevent-bare-pods.yaml index ec9c7d4a3..dd31e36fb 100644 --- a/other-cel/prevent-bare-pods/prevent-bare-pods.yaml +++ b/other-cel/prevent-bare-pods/prevent-bare-pods.yaml 
@@ -3,13 +3,13 @@ kind: ClusterPolicy metadata: name: prevent-bare-pods annotations: - policies.kyverno.io/title: Prevent Bare Pods + policies.kyverno.io/title: Prevent Bare Pods in CEL expressions pod-policies.kyverno.io/autogen-controllers: none - policies.kyverno.io/category: Other, EKS Best Practices + policies.kyverno.io/category: Other, EKS Best Practices in CEL policies.kyverno.io/severity: medium - kyverno.io/kyverno-version: 1.7.0 - policies.kyverno.io/minversion: 1.6.0 - kyverno.io/kubernetes-version: "1.23" + kyverno.io/kyverno-version: 1.11.0 + policies.kyverno.io/minversion: 1.11.0 + kyverno.io/kubernetes-version: "1.26-1.27" policies.kyverno.io/subject: Pod policies.kyverno.io/description: >- Pods not created by workload controllers such as Deployments @@ -17,7 +17,7 @@ metadata: This policy prevents such "bare" Pods from being created unless they originate from a higher-level workload controller of some sort. spec: - validationFailureAction: audit + validationFailureAction: Audit background: true rules: - name: bare-pods @@ -26,16 +26,8 @@ spec: - resources: kinds: - Pod - preconditions: - all: - - key: "{{request.operation || 'BACKGROUND'}}" - operator: NotEquals - value: DELETE validate: - message: "Bare Pods are not allowed. They must be created by Pod controllers." - deny: - conditions: - any: - - key: ownerReferences - operator: AnyNotIn - value: "{{request.object.metadata.keys(@)}}" \ No newline at end of file + cel: + expressions: + - expression: "'ownerReferences' in object.metadata" + message: "Bare Pods are not allowed. They must be created by Pod controllers." From c5f16b9a6e523aa5425e7cd7756bc6ed589effc9 Mon Sep 17 00:00:00 2001 From: Chandan-DK Date: Sun, 7 Apr 2024 10:52:14 +0000 Subject: [PATCH 09/16] add kyverno tests for prevent-bare-pods 
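Review bot: The new CEL rule `'ownerReferences' in object.metadata` in the third hunk drops the precondition that exempted DELETE requests without narrowing the match, so whether the rule now evaluates on deletions (where `object` is absent) depends on Kyverno's default operation set; if it does, restricting it explicitly with `operations:` / `- CREATE` / `- UPDATE` under `match.any[0].resources` restores the previous scope. The expression also tests only for the key's presence, not for a controller-managed owner, so this is a workload-hygiene control rather than an authorization boundary; the sibling pod-good.yaml fixture (a Pod with a hand-written ownerReference) already relies on that, and a sentence to this effect in `policies.kyverno.io/description` would set operator expectations. The enclosing `spec.rules[0]` begins before the third hunk.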
Signed-off-by: Chandan-DK --- .../.chainsaw-test/pod-good.yaml | 2 +- .../.kyverno-test/kyverno-test.yaml | 23 +++++++++++++++++++ .../.chainsaw-test/pod-good.yaml | 2 +- .../.kyverno-test/kyverno-test.yaml | 23 +++++++++++++++++++ 4 files changed, 48 insertions(+), 2 deletions(-) create mode 100644 other-cel/prevent-bare-pods/.kyverno-test/kyverno-test.yaml create mode 100644 other/prevent-bare-pods/.kyverno-test/kyverno-test.yaml diff --git a/other-cel/prevent-bare-pods/.chainsaw-test/pod-good.yaml b/other-cel/prevent-bare-pods/.chainsaw-test/pod-good.yaml index 649c25ce4..f7e01fe38 100644 --- a/other-cel/prevent-bare-pods/.chainsaw-test/pod-good.yaml +++ b/other-cel/prevent-bare-pods/.chainsaw-test/pod-good.yaml @@ -6,7 +6,7 @@ metadata: kind: Deployment name: gooddeployment01 uid: "foo-bar" - name: godpod01 + name: goodpod01 spec: containers: - name: busybox diff --git a/other-cel/prevent-bare-pods/.kyverno-test/kyverno-test.yaml b/other-cel/prevent-bare-pods/.kyverno-test/kyverno-test.yaml new file mode 100644 index 000000000..1a43a336b --- /dev/null +++ b/other-cel/prevent-bare-pods/.kyverno-test/kyverno-test.yaml @@ -0,0 +1,23 @@ +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: prevent-bare-pods +policies: +- ../prevent-bare-pods.yaml +resources: +- ../.chainsaw-test/pod-bad.yaml +- ../.chainsaw-test/pod-good.yaml +results: +- policy: prevent-bare-pods + rule: bare-pods + kind: Pod + resources: + - badpod01 + result: fail +- policy: prevent-bare-pods + rule: bare-pods + kind: Pod + resources: + - goodpod01 + result: pass + diff --git a/other/prevent-bare-pods/.chainsaw-test/pod-good.yaml b/other/prevent-bare-pods/.chainsaw-test/pod-good.yaml index 649c25ce4..f7e01fe38 100644 --- a/other/prevent-bare-pods/.chainsaw-test/pod-good.yaml +++ b/other/prevent-bare-pods/.chainsaw-test/pod-good.yaml @@ -6,7 +6,7 @@ metadata: kind: Deployment name: gooddeployment01 uid: "foo-bar" - name: godpod01 + name: goodpod01 spec: containers: - name: busybox 
diff --git a/other/prevent-bare-pods/.kyverno-test/kyverno-test.yaml b/other/prevent-bare-pods/.kyverno-test/kyverno-test.yaml new file mode 100644 index 000000000..1a43a336b --- /dev/null +++ b/other/prevent-bare-pods/.kyverno-test/kyverno-test.yaml @@ -0,0 +1,23 @@ +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: prevent-bare-pods +policies: +- ../prevent-bare-pods.yaml +resources: +- ../.chainsaw-test/pod-bad.yaml +- ../.chainsaw-test/pod-good.yaml +results: +- policy: prevent-bare-pods + rule: bare-pods + kind: Pod + resources: + - badpod01 + result: fail +- policy: prevent-bare-pods + rule: bare-pods + kind: Pod + resources: + - goodpod01 + result: pass + From 52737e94417fa1d2c80978433ecbd6f5a0af73ab Mon Sep 17 00:00:00 2001 From: Chandan-DK Date: Sun, 7 Apr 2024 10:59:37 +0000 Subject: [PATCH 10/16] copy memory-requests-equal-limits 
Signed-off-by: Chandan-DK --- .../chainsaw-step-01-assert-1.yaml | 6 ++ .../.chainsaw-test/chainsaw-test.yaml | 38 ++++++++++ .../.chainsaw-test/pod-bad.yaml | 76 +++++++++++++++++++ .../.chainsaw-test/pod-good.yaml | 45 +++++++++++ .../.chainsaw-test/podcontroller-bad.yaml | 59 ++++++++++++++ .../.chainsaw-test/podcontroller-good.yaml | 63 +++++++++++++++ .../.kyverno-test/kyverno-test.yaml | 27 +++++++ .../.kyverno-test/resource.yaml | 73 ++++++++++++++++++ .../artifacthub-pkg.yml | 21 +++++ .../memory-requests-equal-limits.yaml | 32 ++++++++ 10 files changed, 440 insertions(+) create mode 100755 other-cel/memory-requests-equal-limits/.chainsaw-test/chainsaw-step-01-assert-1.yaml create mode 100755 other-cel/memory-requests-equal-limits/.chainsaw-test/chainsaw-test.yaml create mode 100644 other-cel/memory-requests-equal-limits/.chainsaw-test/pod-bad.yaml create mode 100644 other-cel/memory-requests-equal-limits/.chainsaw-test/pod-good.yaml create mode 100644 other-cel/memory-requests-equal-limits/.chainsaw-test/podcontroller-bad.yaml create mode 100644 other-cel/memory-requests-equal-limits/.chainsaw-test/podcontroller-good.yaml create mode 100644 other-cel/memory-requests-equal-limits/.kyverno-test/kyverno-test.yaml create mode 100644 other-cel/memory-requests-equal-limits/.kyverno-test/resource.yaml create mode 100644 other-cel/memory-requests-equal-limits/artifacthub-pkg.yml create mode 100644 other-cel/memory-requests-equal-limits/memory-requests-equal-limits.yaml diff --git a/other-cel/memory-requests-equal-limits/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other-cel/memory-requests-equal-limits/.chainsaw-test/chainsaw-step-01-assert-1.yaml new file mode 100755 index 000000000..b380064bd --- /dev/null +++ b/other-cel/memory-requests-equal-limits/.chainsaw-test/chainsaw-step-01-assert-1.yaml @@ -0,0 +1,6 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: memory-requests-equal-limits +status: + ready: true 
diff --git a/other-cel/memory-requests-equal-limits/.chainsaw-test/chainsaw-test.yaml b/other-cel/memory-requests-equal-limits/.chainsaw-test/chainsaw-test.yaml new file mode 100755 index 000000000..8fbe8f5e1 --- /dev/null +++ b/other-cel/memory-requests-equal-limits/.chainsaw-test/chainsaw-test.yaml @@ -0,0 +1,38 @@ +# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: memory-requests-equal-limits +spec: + steps: + - name: step-01 + try: + - apply: + file: ../memory-requests-equal-limits.yaml + - patch: + resource: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + metadata: + name: memory-requests-equal-limits + spec: + validationFailureAction: Enforce + - assert: + file: chainsaw-step-01-assert-1.yaml + - name: step-02 + try: + - apply: + file: pod-good.yaml + - apply: + expect: + - check: + ($error != null): true + file: pod-bad.yaml + - apply: + file: podcontroller-good.yaml + - apply: + expect: + - check: + ($error != null): true + file: podcontroller-bad.yaml diff --git a/other-cel/memory-requests-equal-limits/.chainsaw-test/pod-bad.yaml b/other-cel/memory-requests-equal-limits/.chainsaw-test/pod-bad.yaml new file mode 100644 index 000000000..ceb85fe42 --- /dev/null +++ b/other-cel/memory-requests-equal-limits/.chainsaw-test/pod-bad.yaml 
@@ -0,0 +1,76 @@ +apiVersion: v1 +kind: Pod +metadata: + name: badpod01 +spec: + containers: + - name: busybox + image: busybox:1.35 + resources: + requests: + memory: "100Mi" + limits: + memory: "200Mi" +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod02 +spec: + containers: + - name: busybox + image: busybox:1.35 + resources: + requests: + memory: "10Mi" + limits: + memory: "140Mi" + - name: busybox02 + image: busybox:1.35 + resources: + requests: + memory: "100Mi" + limits: + memory: "150Mi" +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod03 +spec: + containers: + - name: busybox + image: busybox:1.35 + resources: + requests: + memory: "120Mi" + limits: + memory: "120Mi" + - name: busybox02 + image: busybox:1.35 + resources: + requests: + memory: "100Mi" + limits: + memory: "150Mi" +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod04 +spec: + containers: + - name: busybox02 + image: busybox:1.35 + resources: + requests: + memory: "100Mi" + limits: + memory: "200Mi" + - name: busybox + image: busybox:1.35 + resources: + requests: + memory: "100Mi" + limits: + memory: "100Mi" \ No newline at end of file diff --git a/other-cel/memory-requests-equal-limits/.chainsaw-test/pod-good.yaml b/other-cel/memory-requests-equal-limits/.chainsaw-test/pod-good.yaml new file mode 100644 index 000000000..ca209878d --- /dev/null +++ b/other-cel/memory-requests-equal-limits/.chainsaw-test/pod-good.yaml 
@@ -0,0 +1,45 @@ +apiVersion: v1 +kind: Pod +metadata: + name: goodpod00 +spec: + containers: + - name: busybox + image: busybox:1.35 +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod01 +spec: + containers: + - name: busybox + image: busybox:1.35 + resources: + requests: + memory: "100Mi" + limits: + memory: "100Mi" +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod02 +spec: + containers: + - name: busybox + image: busybox:1.35 + resources: + requests: + memory: "100Mi" + limits: + memory: "100Mi" + - name: busybox02 + image: busybox:1.35 + - name: busybox03 + image: busybox:1.35 + resources: + requests: + memory: "50Mi" + limits: + memory: "50Mi" \ No newline at end of file diff --git a/other-cel/memory-requests-equal-limits/.chainsaw-test/podcontroller-bad.yaml b/other-cel/memory-requests-equal-limits/.chainsaw-test/podcontroller-bad.yaml new file mode 100644 index 000000000..7c1a62010 --- /dev/null +++ b/other-cel/memory-requests-equal-limits/.chainsaw-test/podcontroller-bad.yaml @@ -0,0 +1,59 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: busybox + name: baddeployment01 +spec: + replicas: 1 + selector: + matchLabels: + app: busybox + strategy: {} + template: + metadata: + labels: + app: busybox + spec: + containers: + - name: busybox + image: busybox:1.35 + resources: + requests: + memory: "10Mi" + limits: + memory: "140Mi" + - name: busybox02 + image: busybox:1.35 + resources: + requests: + memory: "100Mi" + limits: + memory: "150Mi" +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob01 +spec: + schedule: "* * * * *" + jobTemplate: + spec: + template: + spec: + containers: + - name: busybox + image: busybox:1.35 + resources: + requests: + memory: "10Mi" + limits: + memory: "140Mi" + - name: busybox02 + image: busybox:1.35 + resources: + requests: + memory: "100Mi" + limits: + memory: "150Mi" + restartPolicy: OnFailure \ No newline at end of file 
diff --git a/other-cel/memory-requests-equal-limits/.chainsaw-test/podcontroller-good.yaml b/other-cel/memory-requests-equal-limits/.chainsaw-test/podcontroller-good.yaml new file mode 100644 index 000000000..1a18a0717 --- /dev/null +++ b/other-cel/memory-requests-equal-limits/.chainsaw-test/podcontroller-good.yaml @@ -0,0 +1,63 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: busybox + name: gooddeployment01 +spec: + replicas: 1 + selector: + matchLabels: + app: busybox + strategy: {} + template: + metadata: + labels: + app: busybox + spec: + containers: + - name: busybox + image: busybox:1.35 + resources: + requests: + memory: "100Mi" + limits: + memory: "100Mi" + - name: busybox02 + image: busybox:1.35 + - name: busybox03 + image: busybox:1.35 + resources: + requests: + memory: "50Mi" + limits: + memory: "50Mi" +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob01 +spec: + schedule: "* * * * *" + jobTemplate: + spec: + template: + spec: + containers: + - name: busybox + image: busybox:1.35 + resources: + requests: + memory: "100Mi" + limits: + memory: "100Mi" + - name: busybox02 + image: busybox:1.35 + - name: busybox03 + image: busybox:1.35 + resources: + requests: + memory: "50Mi" + limits: + memory: "50Mi" + restartPolicy: OnFailure \ No newline at end of file diff --git a/other-cel/memory-requests-equal-limits/.kyverno-test/kyverno-test.yaml b/other-cel/memory-requests-equal-limits/.kyverno-test/kyverno-test.yaml new file mode 100644 index 000000000..77f3dfca2 --- /dev/null +++ b/other-cel/memory-requests-equal-limits/.kyverno-test/kyverno-test.yaml 
@@ -0,0 +1,27 @@ +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: memory-requests-equal-limits +policies: +- ../memory-requests-equal-limits.yaml +resources: +- resource.yaml +results: +- kind: CronJob + policy: memory-requests-equal-limits + resources: + - hello + result: pass + rule: autogen-cronjob-memory-requests-equal-limits +- kind: DaemonSet + policy: memory-requests-equal-limits + resources: + - fluentd-elasticsearch + result: pass + rule: autogen-memory-requests-equal-limits +- kind: Pod + policy: memory-requests-equal-limits + resources: + - myapp-pod + result: fail + rule: memory-requests-equal-limits diff --git a/other-cel/memory-requests-equal-limits/.kyverno-test/resource.yaml b/other-cel/memory-requests-equal-limits/.kyverno-test/resource.yaml new file mode 100644 index 000000000..33b5da389 --- /dev/null +++ b/other-cel/memory-requests-equal-limits/.kyverno-test/resource.yaml 
@@ -0,0 +1,73 @@
+# DaemonSet with equal resources.requests.memory to resources.limits.memory
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+ name: fluentd-elasticsearch
+ namespace: kube-system
+ labels:
+ k8s-app: fluentd-logging
+spec:
+ selector:
+ matchLabels:
+ name: fluentd-elasticsearch
+ template:
+ metadata:
+ labels:
+ name: fluentd-elasticsearch
+ spec:
+ containers:
+ - name: fluentd-elasticsearch
+ image: quay.io/fluentd_elasticsearch/fluentd:v2.5.2
+ resources:
+ limits:
+ memory: 200Mi
+ requests:
+ cpu: 100m
+ memory: 200Mi
+
+---
+# Pod with unequal resources.requests.memory to resources.limits.memory
+apiVersion: v1
+kind: Pod
+metadata:
+ name: myapp-pod
+spec:
+ containers:
+ - name: nginx
+ image: nginx
+ resources:
+ requests:
+ memory: "64Mi"
+ cpu: "250m"
+ limits:
+ memory: "128Mi"
+ cpu: "500m"
+
+---
+# CronJob with equal resources.requests.memory to resources.limits.memory
+apiVersion: batch/v1beta1
+kind: CronJob
+metadata:
+ name: hello
+spec:
+ schedule: "*/1 * * * *"
+ jobTemplate:
+ spec:
+ template:
+ spec:
+ containers:
+ - name: hello
+ image: busybox
+ args:
+ - /bin/sh
+ - -c
+ - date; echo Hello from the Kubernetes cluster
+ resources:
+ requests:
+ cpu: "100m"
+ memory: "1000m"
+ limits:
+ cpu: "100m"
+ memory: "1000m"
+ restartPolicy: OnFailure
+
diff --git a/other-cel/memory-requests-equal-limits/artifacthub-pkg.yml b/other-cel/memory-requests-equal-limits/artifacthub-pkg.yml new file mode 100644
index 000000000..0eab5d3b2
--- /dev/null
+++ b/other-cel/memory-requests-equal-limits/artifacthub-pkg.yml
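Review bot: The CronJob fixture declares `apiVersion: batch/v1beta1`, which was removed from Kubernetes in 1.25, while the policy this test exercises is annotated with `kyverno.io/kubernetes-version: "1.26-1.27"` later in this series; the kyverno CLI does not contact an API server so the test still runs, but the fixture should say `apiVersion: batch/v1` so the autogen-cronjob result reflects a resource the supported clusters accept. The `memory: "1000m"` values parse as a one-byte quantity, which is valid but reads like a typo for `"1000Mi"`; the equality check passes either way, yet a realistic quantity makes the fixture's intent clearer.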
@@ -0,0 +1,21 @@ +name: memory-requests-equal-limits +version: 1.0.0 +displayName: Memory Requests Equal Limits +createdAt: "2023-04-10T20:30:04.000Z" +description: >- + Pods which have memory limits equal to requests are given a QoS class of Guaranteed which is the highest schedulable class. This policy checks that all containers in a given Pod have memory requests equal to limits. +install: |- + ```shell + kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/memory-requests-equal-limits/memory-requests-equal-limits.yaml + ``` +keywords: + - kyverno + - Sample +readme: | + Pods which have memory limits equal to requests are given a QoS class of Guaranteed which is the highest schedulable class. This policy checks that all containers in a given Pod have memory requests equal to limits. + + Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ +annotations: + kyverno/category: "Sample" + kyverno/subject: "Pod" +digest: 634be7d8371928ed519a4576f84751fd423ae3d3e6e9146bb2280910dc8954c5 diff --git a/other-cel/memory-requests-equal-limits/memory-requests-equal-limits.yaml b/other-cel/memory-requests-equal-limits/memory-requests-equal-limits.yaml new file mode 100644 index 000000000..9afeb8f06 --- /dev/null +++ b/other-cel/memory-requests-equal-limits/memory-requests-equal-limits.yaml 
@@ -0,0 +1,32 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: memory-requests-equal-limits
+ annotations:
+ policies.kyverno.io/title: Memory Requests Equal Limits
+ policies.kyverno.io/category: Sample
+ policies.kyverno.io/severity: medium
+ policies.kyverno.io/subject: Pod
+ policies.kyverno.io/minversion: 1.6.0
+ policies.kyverno.io/description: >-
+ Pods which have memory limits equal to requests could be given a QoS class of Guaranteed if
+ they also set CPU limits equal to requests. Guaranteed is the highest schedulable class.
+ This policy checks that all containers in a given Pod have memory requests equal to limits.
+spec:
+ validationFailureAction: audit
+ background: false
+ rules:
+ - name: memory-requests-equal-limits
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ validate:
+ message: "resources.requests.memory must be equal to resources.limits.memory"
+ deny:
+ conditions:
+ any:
+ - key: "{{ request.object.spec.containers[?resources.requests.memory!=resources.limits.memory] | length(@) }}"
+ operator: NotEquals
+ value: 0
From 6ddcce3c7243119f69ccc420ab1f8b49fff12ea0 Mon Sep 17 00:00:00 2001 From: Chandan-DK Date: Sun, 7 Apr 2024 11:15:15 +0000 Subject: [PATCH 11/16] convert memory-requests-equal-limits to cel Signed-off-by: Chandan-DK
--- .../artifacthub-pkg.yml | 15 ++++++---- .../memory-requests-equal-limits.yaml | 28 +++++++++++-------- 2 files changed, 26 insertions(+), 17 deletions(-)
diff --git a/other-cel/memory-requests-equal-limits/artifacthub-pkg.yml b/other-cel/memory-requests-equal-limits/artifacthub-pkg.yml
index 0eab5d3b2..c50a6c04d 100644
--- a/other-cel/memory-requests-equal-limits/artifacthub-pkg.yml
+++ b/other-cel/memory-requests-equal-limits/artifacthub-pkg.yml
@@ -1,21 +1,24 @@ -name: memory-requests-equal-limits +name: memory-requests-equal-limits-cel version: 1.0.0 -displayName: Memory Requests Equal Limits -createdAt: "2023-04-10T20:30:04.000Z" +displayName: Memory Requests Equal Limits in CEL expressions description: >- Pods which have memory limits equal to requests are given a QoS class of Guaranteed which is the highest schedulable class. This policy checks that all containers in a given Pod have memory requests equal to limits. install: |- ```shell - kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/memory-requests-equal-limits/memory-requests-equal-limits.yaml + kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other-cel/memory-requests-equal-limits/memory-requests-equal-limits.yaml ``` keywords: - kyverno - Sample + - CEL Expressions readme: | Pods which have memory limits equal to requests are given a QoS class of Guaranteed which is the highest schedulable class. This policy checks that all containers in a given Pod have memory requests equal to limits. Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ annotations: - kyverno/category: "Sample" + kyverno/category: "Sample in CEL" + kyverno/kubernetesVersion: "1.26-1.27" kyverno/subject: "Pod" -digest: 634be7d8371928ed519a4576f84751fd423ae3d3e6e9146bb2280910dc8954c5 +digest: 176dc9b492d3eee687bc89711d3414f13bf00548b85781e71ccaacd12bbf6f1a +createdAt: "2024-04-07T11:13:21Z" + diff --git a/other-cel/memory-requests-equal-limits/memory-requests-equal-limits.yaml b/other-cel/memory-requests-equal-limits/memory-requests-equal-limits.yaml index 9afeb8f06..82b23257b 100644 --- a/other-cel/memory-requests-equal-limits/memory-requests-equal-limits.yaml +++ b/other-cel/memory-requests-equal-limits/memory-requests-equal-limits.yaml 
@@ -3,17 +3,18 @@ kind: ClusterPolicy metadata: name: memory-requests-equal-limits annotations: - policies.kyverno.io/title: Memory Requests Equal Limits - policies.kyverno.io/category: Sample + policies.kyverno.io/title: Memory Requests Equal Limits in CEL expressions + policies.kyverno.io/category: Sample in CEL policies.kyverno.io/severity: medium policies.kyverno.io/subject: Pod - policies.kyverno.io/minversion: 1.6.0 + policies.kyverno.io/minversion: 1.11.0 + kyverno.io/kubernetes-version: "1.26-1.27" policies.kyverno.io/description: >- Pods which have memory limits equal to requests could be given a QoS class of Guaranteed if they also set CPU limits equal to requests. Guaranteed is the highest schedulable class. This policy checks that all containers in a given Pod have memory requests equal to limits. spec: - validationFailureAction: audit + validationFailureAction: Audit background: false rules: - name: memory-requests-equal-limits @@ -23,10 +24,15 @@ spec: kinds: - Pod validate: - message: "resources.requests.memory must be equal to resources.limits.memory" - deny: - conditions: - any: - - key: "{{ request.object.spec.containers[?resources.requests.memory!=resources.limits.memory] | length(@) }}" - operator: NotEquals - value: 0 + cel: + variables: + - name: containersWithResources + expression: object.spec.containers.filter(container, has(container.resources)) + expressions: + - expression: >- + variables.containersWithResources.all(container, + !has(container.resources.requests) || + !has(container.resources.requests.memory) || + container.resources.requests.memory == container.resources.?limits.?memory.orValue('-1')) + message: "resources.requests.memory must be equal to resources.limits.memory" + From 20c9b42e08c7ba0ca8af5ebb21b58c8547e53ae6 Mon Sep 17 00:00:00 2001 From: Chandan-DK Date: Mon, 8 Apr 2024 10:14:13 +0000 Subject: [PATCH 12/16] copy prevent-cr8escape 
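Review bot: The new expression in the second hunk compares `container.resources.requests.memory` and `limits.memory` as strings, so semantically equal quantities written in different units (`128Mi` vs `131072Ki`, `1G` vs `1000M`) are reported as unequal; the JMESPath version had the same limitation, but the `message` and description should state that the values must match textually, since the Kubernetes `quantity()` CEL helpers may not be available on the 1.26-1.27 range the annotation targets. The variable only walks `object.spec.containers`, while the Guaranteed QoS class the description motivates also requires init containers to have matching requests and limits, so `expression: (object.spec.containers + object.spec.?initContainers.orValue([])).filter(container, has(container.resources))` for `containersWithResources` should close that gap. The enclosing `spec.rules[0]` begins before the second hunk.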
Signed-off-by: Chandan-DK --- .../.chainsaw-test/chainsaw-test.yaml | 30 ++++++++++++ .../.chainsaw-test/podcontroller-bad.yaml | 47 +++++++++++++++++++ .../.chainsaw-test/podcontroller-good.yaml | 47 +++++++++++++++++++ .../.chainsaw-test/pods-bad.yaml | 29 ++++++++++++ .../.chainsaw-test/pods-good.yaml | 34 ++++++++++++++ .../.chainsaw-test/policy-ready.yaml | 9 ++++ .../.kyverno-test/kyverno-test.yaml | 22 +++++++++ .../.kyverno-test/resources.yaml | 38 +++++++++++++++ .../prevent-cr8escape/artifacthub-pkg.yml | 22 +++++++++ .../prevent-cr8escape/prevent-cr8escape.yaml | 34 ++++++++++++++ 10 files changed, 312 insertions(+) create mode 100755 other-cel/prevent-cr8escape/.chainsaw-test/chainsaw-test.yaml create mode 100644 other-cel/prevent-cr8escape/.chainsaw-test/podcontroller-bad.yaml create mode 100644 other-cel/prevent-cr8escape/.chainsaw-test/podcontroller-good.yaml create mode 100644 other-cel/prevent-cr8escape/.chainsaw-test/pods-bad.yaml create mode 100644 other-cel/prevent-cr8escape/.chainsaw-test/pods-good.yaml create mode 100644 other-cel/prevent-cr8escape/.chainsaw-test/policy-ready.yaml create mode 100644 other-cel/prevent-cr8escape/.kyverno-test/kyverno-test.yaml create mode 100644 other-cel/prevent-cr8escape/.kyverno-test/resources.yaml create mode 100644 other-cel/prevent-cr8escape/artifacthub-pkg.yml create mode 100644 other-cel/prevent-cr8escape/prevent-cr8escape.yaml diff --git a/other-cel/prevent-cr8escape/.chainsaw-test/chainsaw-test.yaml b/other-cel/prevent-cr8escape/.chainsaw-test/chainsaw-test.yaml new file mode 100755 index 000000000..5c9e73868 --- /dev/null +++ b/other-cel/prevent-cr8escape/.chainsaw-test/chainsaw-test.yaml 
@@ -0,0 +1,30 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: prevent-cr8escape
+spec:
+ steps:
+- name: step-01
+ try:
+ - apply:
+ file: ../prevent-cr8escape.yaml
+ - assert:
+ file: policy-ready.yaml
+- name: step-02
+ try:
+ - apply:
+ file: pods-good.yaml
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: pods-bad.yaml
+ - apply:
+ file: podcontroller-good.yaml
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: podcontroller-bad.yaml
diff --git a/other-cel/prevent-cr8escape/.chainsaw-test/podcontroller-bad.yaml b/other-cel/prevent-cr8escape/.chainsaw-test/podcontroller-bad.yaml new file mode 100644
index 000000000..28649c6d3
--- /dev/null
+++ b/other-cel/prevent-cr8escape/.chainsaw-test/podcontroller-bad.yaml
@@ -0,0 +1,47 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ app: busybox
+ name: baddeployment01
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: busybox
+ strategy: {}
+ template:
+ metadata:
+ labels:
+ app: busybox
+ spec:
+ securityContext:
+ sysctls:
+ - name: "bar"
+ value: "foo"
+ - name: "foo"
+ value: "foo=bar"
+ containers:
+ - name: busybox
+ image: busybox:1.35
+---
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+ name: badcronjob01
+spec:
+ schedule: "* * * * *"
+ jobTemplate:
+ spec:
+ template:
+ spec:
+ securityContext:
+ sysctls:
+ - name: "foo"
+ value: "foo+bar"
+ - name: "bar"
+ value: "foo"
+ containers:
+ - name: busybox
+ image: busybox:1.35
+ restartPolicy: OnFailure
\ No newline at end of file
diff --git a/other-cel/prevent-cr8escape/.chainsaw-test/podcontroller-good.yaml b/other-cel/prevent-cr8escape/.chainsaw-test/podcontroller-good.yaml new file mode 100644
index 000000000..f919b1592
--- /dev/null
+++ b/other-cel/prevent-cr8escape/.chainsaw-test/podcontroller-good.yaml
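Review bot: step-01 applies `../prevent-cr8escape.yaml` and waits for readiness but, unlike the other chainsaw tests in this series, never patches the ClusterPolicy to `validationFailureAction: Enforce`; if the policy file (outside this chunk) ships in Audit mode, the `($error != null)` expectations in step-02 can never be satisfied, and if it ships in Enforce mode the departure from the sibling tests deserves a comment such as `# policy is Enforce by default; no patch step needed`. Worth confirming against prevent-cr8escape.yaml either way.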
@@ -0,0 +1,47 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: busybox + name: gooddeployment01 +spec: + replicas: 1 + selector: + matchLabels: + app: busybox + strategy: {} + template: + metadata: + labels: + app: busybox + spec: + securityContext: + sysctls: + - name: "foo" + value: "bar" + - name: "bar" + value: "foo" + containers: + - name: busybox + image: busybox:1.35 +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob01 +spec: + schedule: "* * * * *" + jobTemplate: + spec: + template: + spec: + securityContext: + sysctls: + - name: "foo" + value: "bar" + - name: "bar" + value: "foo" + containers: + - name: busybox + image: busybox:1.35 + restartPolicy: OnFailure \ No newline at end of file diff --git a/other-cel/prevent-cr8escape/.chainsaw-test/pods-bad.yaml b/other-cel/prevent-cr8escape/.chainsaw-test/pods-bad.yaml new file mode 100644 index 000000000..6ef434f4a --- /dev/null +++ b/other-cel/prevent-cr8escape/.chainsaw-test/pods-bad.yaml @@ -0,0 +1,29 @@ +apiVersion: v1 +kind: Pod +metadata: + name: badpod01 +spec: + securityContext: + sysctls: + - name: "foo" + value: "foo+bar" + - name: "bar" + value: "foo" + containers: + - name: busybox + image: busybox:1.35 +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod02 +spec: + securityContext: + sysctls: + - name: "bar" + value: "foo" + - name: "foo" + value: "foo=bar" + containers: + - name: busybox + image: busybox:1.35 \ No newline at end of file diff --git a/other-cel/prevent-cr8escape/.chainsaw-test/pods-good.yaml b/other-cel/prevent-cr8escape/.chainsaw-test/pods-good.yaml new file mode 100644 index 000000000..c7519c65f --- /dev/null +++ b/other-cel/prevent-cr8escape/.chainsaw-test/pods-good.yaml 
@@ -0,0 +1,34 @@ +apiVersion: v1 +kind: Pod +metadata: + name: goodpod01 +spec: + securityContext: + sysctls: + - name: "foo" + value: "bar" + - name: "bar" + value: "foo" + containers: + - name: busybox + image: busybox:1.35 +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod02 +spec: + securityContext: + allowPrivilegeEscalation: false + containers: + - name: busybox + image: busybox:1.35 +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod03 +spec: + containers: + - name: busybox + image: busybox:1.35 \ No newline at end of file diff --git a/other-cel/prevent-cr8escape/.chainsaw-test/policy-ready.yaml b/other-cel/prevent-cr8escape/.chainsaw-test/policy-ready.yaml new file mode 100644 index 000000000..878ac47ec --- /dev/null +++ b/other-cel/prevent-cr8escape/.chainsaw-test/policy-ready.yaml @@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: prevent-cr8escape +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready \ No newline at end of file diff --git a/other-cel/prevent-cr8escape/.kyverno-test/kyverno-test.yaml b/other-cel/prevent-cr8escape/.kyverno-test/kyverno-test.yaml new file mode 100644 index 000000000..e9dae26dc --- /dev/null +++ b/other-cel/prevent-cr8escape/.kyverno-test/kyverno-test.yaml @@ -0,0 +1,22 @@ +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: restrict- +policies: +- ../prevent-cr8escape.yaml +resources: +- resources.yaml +results: +- kind: Pod + policy: prevent-cr8escape + resources: + - badpod01 + result: fail + rule: restrict-sysctls-cr8escape +- kind: Pod + policy: prevent-cr8escape + resources: + - pod-sysctl-good + - pod-no-sysctl + result: pass + rule: restrict-sysctls-cr8escape diff --git a/other-cel/prevent-cr8escape/.kyverno-test/resources.yaml b/other-cel/prevent-cr8escape/.kyverno-test/resources.yaml new file mode 100644 index 000000000..fcc6db8d5 --- /dev/null +++ b/other-cel/prevent-cr8escape/.kyverno-test/resources.yaml 
@@ -0,0 +1,38 @@ +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod01 +spec: + securityContext: + sysctls: + - name: kernel.shm_rmid_forced + value: "1+kernel.core_pattern=|/var/lib/containers/storage/overlay/3ef1281bce79865599f673b476957be73f994d17c15109d2b6a426711cf753e6/diff/malicious.sh #" + containers: + - name: alpine + image: alpine:latest + command: ["tail", "-f", "/dev/null"] +--- +apiVersion: v1 +kind: Pod +metadata: + name: pod-no-sysctl +spec: + containers: + - name: alpine + image: alpine:latest + command: ["tail", "-f", "/dev/null"] +--- +apiVersion: v1 +kind: Pod +metadata: + name: pod-sysctl-good +spec: + securityContext: + sysctls: + - name: kernel.shm_rmid_forced + value: "2" + containers: + - name: alpine + image: alpine:latest + command: ["tail", "-f", "/dev/null"] \ No newline at end of file diff --git a/other-cel/prevent-cr8escape/artifacthub-pkg.yml b/other-cel/prevent-cr8escape/artifacthub-pkg.yml new file mode 100644 index 000000000..078babb4f --- /dev/null +++ b/other-cel/prevent-cr8escape/artifacthub-pkg.yml 
@@ -0,0 +1,22 @@ +name: prevent-cr8escape +version: 1.0.0 +displayName: Prevent cr8escape (CVE-2022-0811) +createdAt: "2023-04-10T20:30:05.000Z" +description: >- + A vulnerability "cr8escape" (CVE-2022-0811) in CRI-O the container runtime engine underpinning Kubernetes allows attackers to escape from a Kubernetes container and gain root access to the host. The recommended remediation is to disallow sysctl settings with + or = in their value. +install: |- + ```shell + kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/prevent-cr8escape/prevent-cr8escape.yaml + ``` +keywords: + - kyverno + - Other +readme: | + A vulnerability "cr8escape" (CVE-2022-0811) in CRI-O the container runtime engine underpinning Kubernetes allows attackers to escape from a Kubernetes container and gain root access to the host. The recommended remediation is to disallow sysctl settings with + or = in their value. + + Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ +annotations: + kyverno/category: "Other" + kyverno/kubernetesVersion: "1.23" + kyverno/subject: "Pod" +digest: 67a50e864bbb6fae4b125140c3c19fd42f87a6b2b95f0ce269e6ee6128e81932 diff --git a/other-cel/prevent-cr8escape/prevent-cr8escape.yaml b/other-cel/prevent-cr8escape/prevent-cr8escape.yaml new file mode 100644 index 000000000..2b49dd16d --- /dev/null +++ b/other-cel/prevent-cr8escape/prevent-cr8escape.yaml 
@@ -0,0 +1,34 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: prevent-cr8escape
+ annotations:
+ policies.kyverno.io/title: Prevent cr8escape (CVE-2022-0811)
+ policies.kyverno.io/category: Other
+ policies.kyverno.io/severity: high
+ kyverno.io/kyverno-version: 1.6.0
+ policies.kyverno.io/minversion: 1.6.0
+ kyverno.io/kubernetes-version: "1.23"
+ policies.kyverno.io/subject: Pod
+ policies.kyverno.io/description: >-
+ A vulnerability "cr8escape" (CVE-2022-0811) in CRI-O the container runtime engine
+ underpinning Kubernetes allows attackers to escape from a Kubernetes container
+ and gain root access to the host. The recommended remediation is to disallow
+ sysctl settings with + or = in their value.
+spec:
+ validationFailureAction: enforce
+ background: true
+ rules:
+ - name: restrict-sysctls-cr8escape
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ validate:
+ message: "characters '+' or '=' are not allowed in sysctls values"
+ pattern:
+ spec:
+ =(securityContext):
+ =(sysctls):
+ - =(value): "!*+* & !*=*"
\ No newline at end of file
From 3697cc3e3e510585d845fe33acdd51485b74cb9f Mon Sep 17 00:00:00 2001 From: Chandan-DK Date: Mon, 8 Apr 2024 10:52:15 +0000 Subject: [PATCH 13/16] convert prevent-cr8escape to cel Signed-off-by: Chandan-DK --- .../.kyverno-test/kyverno-test.yaml | 2 +- .../prevent-cr8escape/artifacthub-pkg.yml | 16 ++++++------ .../prevent-cr8escape/prevent-cr8escape.yaml | 25 ++++++++++--------- .../.kyverno-test/kyverno-test.yaml | 2 +- 4 files changed, 24 insertions(+), 21 deletions(-)
diff --git a/other-cel/prevent-cr8escape/.kyverno-test/kyverno-test.yaml b/other-cel/prevent-cr8escape/.kyverno-test/kyverno-test.yaml
index e9dae26dc..b9bb93bba 100644
--- a/other-cel/prevent-cr8escape/.kyverno-test/kyverno-test.yaml
+++ b/other-cel/prevent-cr8escape/.kyverno-test/kyverno-test.yaml
@@ -1,7 +1,7 @@ apiVersion: cli.kyverno.io/v1alpha1 kind: Test metadata: - name: restrict- + name: prevent-cr8escape policies: - ../prevent-cr8escape.yaml resources: diff --git a/other-cel/prevent-cr8escape/artifacthub-pkg.yml b/other-cel/prevent-cr8escape/artifacthub-pkg.yml index 078babb4f..afc130c3e 100644 --- a/other-cel/prevent-cr8escape/artifacthub-pkg.yml +++ b/other-cel/prevent-cr8escape/artifacthub-pkg.yml 
@@ -1,22 +1,24 @@ -name: prevent-cr8escape +name: prevent-cr8escape-cel version: 1.0.0 -displayName: Prevent cr8escape (CVE-2022-0811) -createdAt: "2023-04-10T20:30:05.000Z" +displayName: Prevent cr8escape (CVE-2022-0811) in CEL expressions description: >- A vulnerability "cr8escape" (CVE-2022-0811) in CRI-O the container runtime engine underpinning Kubernetes allows attackers to escape from a Kubernetes container and gain root access to the host. The recommended remediation is to disallow sysctl settings with + or = in their value. install: |- ```shell - kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/prevent-cr8escape/prevent-cr8escape.yaml + kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other-cel/prevent-cr8escape/prevent-cr8escape.yaml ``` keywords: - kyverno - Other + - CEL Expressions readme: | A vulnerability "cr8escape" (CVE-2022-0811) in CRI-O the container runtime engine underpinning Kubernetes allows attackers to escape from a Kubernetes container and gain root access to the host. The recommended remediation is to disallow sysctl settings with + or = in their value. Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ annotations: - kyverno/category: "Other" - kyverno/kubernetesVersion: "1.23" + kyverno/category: "Other in CEL" + kyverno/kubernetesVersion: "1.26-1.27" kyverno/subject: "Pod" -digest: 67a50e864bbb6fae4b125140c3c19fd42f87a6b2b95f0ce269e6ee6128e81932 +digest: 84a0f441ce5baec6060606a05f2f7f54847e79b48a38c9edc1655e6f0caf8bbf +createdAt: "2024-04-08T10:46:02Z" + diff --git a/other-cel/prevent-cr8escape/prevent-cr8escape.yaml b/other-cel/prevent-cr8escape/prevent-cr8escape.yaml index 2b49dd16d..dfa8e918e 100644 --- a/other-cel/prevent-cr8escape/prevent-cr8escape.yaml +++ b/other-cel/prevent-cr8escape/prevent-cr8escape.yaml 
@@ -3,12 +3,12 @@ kind: ClusterPolicy
 metadata:
 name: prevent-cr8escape
 annotations:
- policies.kyverno.io/title: Prevent cr8escape (CVE-2022-0811)
- policies.kyverno.io/category: Other
+ policies.kyverno.io/title: Prevent cr8escape (CVE-2022-0811) in CEL expressions
+ policies.kyverno.io/category: Other in CEL
 policies.kyverno.io/severity: high
- kyverno.io/kyverno-version: 1.6.0
- policies.kyverno.io/minversion: 1.6.0
- kyverno.io/kubernetes-version: "1.23"
+ kyverno.io/kyverno-version: 1.11.0
+ policies.kyverno.io/minversion: 1.11.0
+ kyverno.io/kubernetes-version: "1.26-1.27"
 policies.kyverno.io/subject: Pod
 policies.kyverno.io/description: >-
 A vulnerability "cr8escape" (CVE-2022-0811) in CRI-O the container runtime engine
@@ -16,7 +16,7 @@ metadata:
 and gain root access to the host. The recommended remediation is to disallow
 sysctl settings with + or = in their value.
 spec:
- validationFailureAction: enforce
+ validationFailureAction: Enforce
 background: true
 rules:
 - name: restrict-sysctls-cr8escape
@@ -26,9 +26,10 @@ spec:
 kinds:
 - Pod
 validate:
- message: "characters '+' or '=' are not allowed in sysctls values"
- pattern:
- spec:
- =(securityContext):
- =(sysctls):
- - =(value): "!*+* & !*=*"
\ No newline at end of file
+ cel:
+ expressions:
+ - expression: >-
+ !has(object.spec.securityContext) || !has(object.spec.securityContext.sysctls) ||
+ object.spec.securityContext.sysctls.all(sysctl, !has(sysctl.value) || (!sysctl.value.contains('+') && !sysctl.value.contains('=')))
+ message: "characters '+' or '=' are not allowed in sysctls values"
+
diff --git a/other/prevent-cr8escape/.kyverno-test/kyverno-test.yaml b/other/prevent-cr8escape/.kyverno-test/kyverno-test.yaml
index e9dae26dc..b9bb93bba 100644
--- a/other/prevent-cr8escape/.kyverno-test/kyverno-test.yaml
+++ b/other/prevent-cr8escape/.kyverno-test/kyverno-test.yaml
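Review bot: The `!has(sysctl.value)` guard inside the `all()` macro of the new CEL expression has no reader-visible reason: if I read the core/v1 Sysctl type correctly, `value` is a required field, so admission-time objects always carry it and the guard only matters when the rule is evaluated against a hand-written manifest, as the CLI test under `.kyverno-test` does. A comment above the `expression` key, e.g. `# has(sysctl.value) is defensive: value is required by the Pod API but may be absent in CLI/test manifests`, would keep the next maintainer from either "simplifying" it away or assuming the API permits value-less entries. The rest of the expression reproduces the removed `"!*+* & !*=*"` pattern faithfully, including treating a missing `securityContext` or `sysctls` as compliant, which is the behaviour the `pods-good.yaml` fixtures rely on.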
@@ -1,7 +1,7 @@ apiVersion: cli.kyverno.io/v1alpha1 kind: Test metadata: - name: restrict- + name: prevent-cr8escape policies: - ../prevent-cr8escape.yaml resources: From 7bad69e4a1dad27773eb8c481a84c2c0dd08e15d Mon Sep 17 00:00:00 2001 From: Chandan-DK Date: Wed, 10 Apr 2024 18:12:09 +0000 Subject: [PATCH 14/16] rename files for clarity Signed-off-by: Chandan-DK --- .../.chainsaw-test/chainsaw-test.yaml | 2 +- .../{chainsaw-step-01-assert-1.yaml => policy-ready.yaml} | 0 .../metadata-match-regex/.chainsaw-test/chainsaw-test.yaml | 2 +- .../{chainsaw-step-01-assert-1.yaml => policy-ready.yaml} | 0 other-cel/pdb-maxunavailable/.chainsaw-test/chainsaw-test.yaml | 2 +- .../{chainsaw-step-01-assert-1.yaml => policy-ready.yaml} | 0 other-cel/prevent-bare-pods/.chainsaw-test/chainsaw-test.yaml | 2 +- .../{chainsaw-step-01-assert-1.yaml => policy-ready.yaml} | 0 8 files changed, 4 insertions(+), 4 deletions(-) rename other-cel/memory-requests-equal-limits/.chainsaw-test/{chainsaw-step-01-assert-1.yaml => policy-ready.yaml} (100%) rename other-cel/metadata-match-regex/.chainsaw-test/{chainsaw-step-01-assert-1.yaml => policy-ready.yaml} (100%) rename other-cel/pdb-maxunavailable/.chainsaw-test/{chainsaw-step-01-assert-1.yaml => policy-ready.yaml} (100%) rename other-cel/prevent-bare-pods/.chainsaw-test/{chainsaw-step-01-assert-1.yaml => policy-ready.yaml} (100%) diff --git a/other-cel/memory-requests-equal-limits/.chainsaw-test/chainsaw-test.yaml b/other-cel/memory-requests-equal-limits/.chainsaw-test/chainsaw-test.yaml index 8fbe8f5e1..e104d6353 100755 --- a/other-cel/memory-requests-equal-limits/.chainsaw-test/chainsaw-test.yaml +++ b/other-cel/memory-requests-equal-limits/.chainsaw-test/chainsaw-test.yaml @@ -19,7 +19,7 @@ spec: spec: validationFailureAction: Enforce - assert: - file: chainsaw-step-01-assert-1.yaml + file: policy-ready.yaml - name: step-02 try: - apply: 
diff --git a/other-cel/memory-requests-equal-limits/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other-cel/memory-requests-equal-limits/.chainsaw-test/policy-ready.yaml similarity index 100% rename from other-cel/memory-requests-equal-limits/.chainsaw-test/chainsaw-step-01-assert-1.yaml rename to other-cel/memory-requests-equal-limits/.chainsaw-test/policy-ready.yaml diff --git a/other-cel/metadata-match-regex/.chainsaw-test/chainsaw-test.yaml b/other-cel/metadata-match-regex/.chainsaw-test/chainsaw-test.yaml index 5330a983e..199c0cc61 100755 --- a/other-cel/metadata-match-regex/.chainsaw-test/chainsaw-test.yaml +++ b/other-cel/metadata-match-regex/.chainsaw-test/chainsaw-test.yaml @@ -19,7 +19,7 @@ spec: spec: validationFailureAction: Enforce - assert: - file: chainsaw-step-01-assert-1.yaml + file: policy-ready.yaml - name: step-02 try: - apply: diff --git a/other-cel/metadata-match-regex/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other-cel/metadata-match-regex/.chainsaw-test/policy-ready.yaml similarity index 100% rename from other-cel/metadata-match-regex/.chainsaw-test/chainsaw-step-01-assert-1.yaml rename to other-cel/metadata-match-regex/.chainsaw-test/policy-ready.yaml diff --git a/other-cel/pdb-maxunavailable/.chainsaw-test/chainsaw-test.yaml b/other-cel/pdb-maxunavailable/.chainsaw-test/chainsaw-test.yaml index 506f80b2e..df4a4421d 100755 --- a/other-cel/pdb-maxunavailable/.chainsaw-test/chainsaw-test.yaml +++ b/other-cel/pdb-maxunavailable/.chainsaw-test/chainsaw-test.yaml @@ -19,7 +19,7 @@ spec: spec: validationFailureAction: Enforce - assert: - file: chainsaw-step-01-assert-1.yaml + file: policy-ready.yaml - name: step-02 try: - apply: 
diff --git a/other-cel/pdb-maxunavailable/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other-cel/pdb-maxunavailable/.chainsaw-test/policy-ready.yaml similarity index 100% rename from other-cel/pdb-maxunavailable/.chainsaw-test/chainsaw-step-01-assert-1.yaml rename to other-cel/pdb-maxunavailable/.chainsaw-test/policy-ready.yaml diff --git a/other-cel/prevent-bare-pods/.chainsaw-test/chainsaw-test.yaml b/other-cel/prevent-bare-pods/.chainsaw-test/chainsaw-test.yaml index 00047a5d0..a36e55e11 100755 --- a/other-cel/prevent-bare-pods/.chainsaw-test/chainsaw-test.yaml +++ b/other-cel/prevent-bare-pods/.chainsaw-test/chainsaw-test.yaml @@ -21,7 +21,7 @@ spec: spec: validationFailureAction: Enforce - assert: - file: chainsaw-step-01-assert-1.yaml + file: policy-ready.yaml - name: step-02 try: - apply: diff --git a/other-cel/prevent-bare-pods/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other-cel/prevent-bare-pods/.chainsaw-test/policy-ready.yaml similarity index 100% rename from other-cel/prevent-bare-pods/.chainsaw-test/chainsaw-step-01-assert-1.yaml rename to other-cel/prevent-bare-pods/.chainsaw-test/policy-ready.yaml From 717d8c3d2016a1d7ce9e2f2fdda106245a234095 Mon Sep 17 00:00:00 2001 From: Chandan-DK Date: Wed, 10 Apr 2024 18:17:09 +0000 Subject: [PATCH 15/16] add a new line at the end of files 
Signed-off-by: Chandan-DK --- .../.chainsaw-test/chainsaw-test.yaml | 1 + .../memory-requests-equal-limits/.chainsaw-test/pod-bad.yaml | 3 ++- .../memory-requests-equal-limits/.chainsaw-test/pod-good.yaml | 3 ++- .../.chainsaw-test/podcontroller-bad.yaml | 3 ++- .../.chainsaw-test/podcontroller-good.yaml | 3 ++- .../.chainsaw-test/policy-ready.yaml | 1 + .../.kyverno-test/kyverno-test.yaml | 1 + .../metadata-match-regex/.chainsaw-test/chainsaw-test.yaml | 1 + other-cel/metadata-match-regex/.chainsaw-test/pod-bad.yaml | 3 ++- other-cel/metadata-match-regex/.chainsaw-test/pod-good.yaml | 3 ++- .../metadata-match-regex/.chainsaw-test/podcontroller-bad.yaml | 3 ++- .../.chainsaw-test/podcontroller-good.yaml | 3 ++- .../metadata-match-regex/.chainsaw-test/policy-ready.yaml | 1 + other-cel/pdb-maxunavailable/.chainsaw-test/chainsaw-test.yaml | 1 + other-cel/pdb-maxunavailable/.chainsaw-test/pdb-bad.yaml | 3 ++- other-cel/pdb-maxunavailable/.chainsaw-test/pdb-good.yaml | 3 ++- other-cel/pdb-maxunavailable/.chainsaw-test/policy-ready.yaml | 1 + other-cel/pdb-maxunavailable/.kyverno-test/kyverno-test.yaml | 1 + other-cel/pdb-maxunavailable/.kyverno-test/resource.yaml | 1 + other-cel/prevent-bare-pods/.chainsaw-test/chainsaw-test.yaml | 1 + other-cel/prevent-bare-pods/.chainsaw-test/deployment.yaml | 3 ++- other-cel/prevent-bare-pods/.chainsaw-test/ns.yaml | 3 ++- other-cel/prevent-bare-pods/.chainsaw-test/pod-bad.yaml | 3 ++- other-cel/prevent-bare-pods/.chainsaw-test/pod-good.yaml | 3 ++- other-cel/prevent-bare-pods/.chainsaw-test/policy-ready.yaml | 1 + other-cel/prevent-bare-pods/prevent-bare-pods.yaml | 1 + other-cel/prevent-cr8escape/.chainsaw-test/chainsaw-test.yaml | 1 + .../prevent-cr8escape/.chainsaw-test/podcontroller-bad.yaml | 3 ++- .../prevent-cr8escape/.chainsaw-test/podcontroller-good.yaml | 3 ++- other-cel/prevent-cr8escape/.chainsaw-test/pods-bad.yaml | 3 ++- other-cel/prevent-cr8escape/.chainsaw-test/pods-good.yaml | 3 ++- 
other-cel/prevent-cr8escape/.chainsaw-test/policy-ready.yaml | 3 ++- other-cel/prevent-cr8escape/.kyverno-test/kyverno-test.yaml | 1 + other-cel/prevent-cr8escape/.kyverno-test/resources.yaml | 3 ++- 34 files changed, 54 insertions(+), 20 deletions(-) diff --git a/other-cel/memory-requests-equal-limits/.chainsaw-test/chainsaw-test.yaml b/other-cel/memory-requests-equal-limits/.chainsaw-test/chainsaw-test.yaml index e104d6353..a6646a301 100755 --- a/other-cel/memory-requests-equal-limits/.chainsaw-test/chainsaw-test.yaml +++ b/other-cel/memory-requests-equal-limits/.chainsaw-test/chainsaw-test.yaml @@ -36,3 +36,4 @@ spec: - check: ($error != null): true file: podcontroller-bad.yaml + diff --git a/other-cel/memory-requests-equal-limits/.chainsaw-test/pod-bad.yaml b/other-cel/memory-requests-equal-limits/.chainsaw-test/pod-bad.yaml index ceb85fe42..b5e8f35f5 100644 --- a/other-cel/memory-requests-equal-limits/.chainsaw-test/pod-bad.yaml +++ b/other-cel/memory-requests-equal-limits/.chainsaw-test/pod-bad.yaml @@ -73,4 +73,5 @@ spec: requests: memory: "100Mi" limits: - memory: "100Mi" \ No newline at end of file + memory: "100Mi" + diff --git a/other-cel/memory-requests-equal-limits/.chainsaw-test/pod-good.yaml b/other-cel/memory-requests-equal-limits/.chainsaw-test/pod-good.yaml index ca209878d..2b67af375 100644 --- a/other-cel/memory-requests-equal-limits/.chainsaw-test/pod-good.yaml +++ b/other-cel/memory-requests-equal-limits/.chainsaw-test/pod-good.yaml @@ -42,4 +42,5 @@ spec: requests: memory: "50Mi" limits: - memory: "50Mi" \ No newline at end of file + memory: "50Mi" + diff --git a/other-cel/memory-requests-equal-limits/.chainsaw-test/podcontroller-bad.yaml b/other-cel/memory-requests-equal-limits/.chainsaw-test/podcontroller-bad.yaml index 7c1a62010..85b8c5456 100644 --- a/other-cel/memory-requests-equal-limits/.chainsaw-test/podcontroller-bad.yaml +++ b/other-cel/memory-requests-equal-limits/.chainsaw-test/podcontroller-bad.yaml 
@@ -56,4 +56,5 @@ spec: memory: "100Mi" limits: memory: "150Mi" - restartPolicy: OnFailure \ No newline at end of file + restartPolicy: OnFailure + diff --git a/other-cel/memory-requests-equal-limits/.chainsaw-test/podcontroller-good.yaml b/other-cel/memory-requests-equal-limits/.chainsaw-test/podcontroller-good.yaml index 1a18a0717..d54369b17 100644 --- a/other-cel/memory-requests-equal-limits/.chainsaw-test/podcontroller-good.yaml +++ b/other-cel/memory-requests-equal-limits/.chainsaw-test/podcontroller-good.yaml @@ -60,4 +60,5 @@ spec: memory: "50Mi" limits: memory: "50Mi" - restartPolicy: OnFailure \ No newline at end of file + restartPolicy: OnFailure + diff --git a/other-cel/memory-requests-equal-limits/.chainsaw-test/policy-ready.yaml b/other-cel/memory-requests-equal-limits/.chainsaw-test/policy-ready.yaml index b380064bd..b0e2885d6 100755 --- a/other-cel/memory-requests-equal-limits/.chainsaw-test/policy-ready.yaml +++ b/other-cel/memory-requests-equal-limits/.chainsaw-test/policy-ready.yaml @@ -4,3 +4,4 @@ metadata: name: memory-requests-equal-limits status: ready: true + diff --git a/other-cel/memory-requests-equal-limits/.kyverno-test/kyverno-test.yaml b/other-cel/memory-requests-equal-limits/.kyverno-test/kyverno-test.yaml index 77f3dfca2..73538ab7d 100644 --- a/other-cel/memory-requests-equal-limits/.kyverno-test/kyverno-test.yaml +++ b/other-cel/memory-requests-equal-limits/.kyverno-test/kyverno-test.yaml @@ -25,3 +25,4 @@ results: - myapp-pod result: fail rule: memory-requests-equal-limits + diff --git a/other-cel/metadata-match-regex/.chainsaw-test/chainsaw-test.yaml b/other-cel/metadata-match-regex/.chainsaw-test/chainsaw-test.yaml index 199c0cc61..51f02a908 100755 --- a/other-cel/metadata-match-regex/.chainsaw-test/chainsaw-test.yaml +++ b/other-cel/metadata-match-regex/.chainsaw-test/chainsaw-test.yaml @@ -36,3 +36,4 @@ spec: - check: ($error != null): true file: podcontroller-bad.yaml + 
diff --git a/other-cel/metadata-match-regex/.chainsaw-test/pod-bad.yaml b/other-cel/metadata-match-regex/.chainsaw-test/pod-bad.yaml index 50accd487..e16e81cd7 100644 --- a/other-cel/metadata-match-regex/.chainsaw-test/pod-bad.yaml +++ b/other-cel/metadata-match-regex/.chainsaw-test/pod-bad.yaml @@ -38,4 +38,5 @@ metadata: spec: containers: - name: busybox - image: busybox:1.35 \ No newline at end of file + image: busybox:1.35 + diff --git a/other-cel/metadata-match-regex/.chainsaw-test/pod-good.yaml b/other-cel/metadata-match-regex/.chainsaw-test/pod-good.yaml index 1247325fc..9c3f19d3e 100644 --- a/other-cel/metadata-match-regex/.chainsaw-test/pod-good.yaml +++ b/other-cel/metadata-match-regex/.chainsaw-test/pod-good.yaml @@ -18,4 +18,5 @@ metadata: spec: containers: - name: busybox - image: busybox:1.35 \ No newline at end of file + image: busybox:1.35 + diff --git a/other-cel/metadata-match-regex/.chainsaw-test/podcontroller-bad.yaml b/other-cel/metadata-match-regex/.chainsaw-test/podcontroller-bad.yaml index 495f99078..e1824fb48 100644 --- a/other-cel/metadata-match-regex/.chainsaw-test/podcontroller-bad.yaml +++ b/other-cel/metadata-match-regex/.chainsaw-test/podcontroller-bad.yaml @@ -36,4 +36,5 @@ spec: containers: - name: busybox image: busybox:1.35 - restartPolicy: OnFailure \ No newline at end of file + restartPolicy: OnFailure + diff --git a/other-cel/metadata-match-regex/.chainsaw-test/podcontroller-good.yaml b/other-cel/metadata-match-regex/.chainsaw-test/podcontroller-good.yaml index ad399aa8b..164d85d51 100644 --- a/other-cel/metadata-match-regex/.chainsaw-test/podcontroller-good.yaml +++ b/other-cel/metadata-match-regex/.chainsaw-test/podcontroller-good.yaml @@ -36,4 +36,5 @@ spec: containers: - name: busybox image: busybox:1.35 - restartPolicy: OnFailure \ No newline at end of file + restartPolicy: OnFailure + 
diff --git a/other-cel/metadata-match-regex/.chainsaw-test/policy-ready.yaml b/other-cel/metadata-match-regex/.chainsaw-test/policy-ready.yaml index 440d4828f..aa0042784 100755 --- a/other-cel/metadata-match-regex/.chainsaw-test/policy-ready.yaml +++ b/other-cel/metadata-match-regex/.chainsaw-test/policy-ready.yaml @@ -4,3 +4,4 @@ metadata: name: metadata-match-regex status: ready: true + diff --git a/other-cel/pdb-maxunavailable/.chainsaw-test/chainsaw-test.yaml b/other-cel/pdb-maxunavailable/.chainsaw-test/chainsaw-test.yaml index df4a4421d..84811c9fc 100755 --- a/other-cel/pdb-maxunavailable/.chainsaw-test/chainsaw-test.yaml +++ b/other-cel/pdb-maxunavailable/.chainsaw-test/chainsaw-test.yaml @@ -29,3 +29,4 @@ spec: - check: ($error != null): true file: pdb-bad.yaml + diff --git a/other-cel/pdb-maxunavailable/.chainsaw-test/pdb-bad.yaml b/other-cel/pdb-maxunavailable/.chainsaw-test/pdb-bad.yaml index 3856659ef..48788b23e 100644 --- a/other-cel/pdb-maxunavailable/.chainsaw-test/pdb-bad.yaml +++ b/other-cel/pdb-maxunavailable/.chainsaw-test/pdb-bad.yaml @@ -3,4 +3,5 @@ kind: PodDisruptionBudget metadata: name: badpdb01 spec: - maxUnavailable: 0 \ No newline at end of file + maxUnavailable: 0 + diff --git a/other-cel/pdb-maxunavailable/.chainsaw-test/pdb-good.yaml b/other-cel/pdb-maxunavailable/.chainsaw-test/pdb-good.yaml index 44d7a816c..d8c6a9e30 100644 --- a/other-cel/pdb-maxunavailable/.chainsaw-test/pdb-good.yaml +++ b/other-cel/pdb-maxunavailable/.chainsaw-test/pdb-good.yaml @@ -10,4 +10,5 @@ kind: PodDisruptionBudget metadata: name: goodpdb02 spec: - maxUnavailable: 1 \ No newline at end of file + maxUnavailable: 1 + diff --git a/other-cel/pdb-maxunavailable/.chainsaw-test/policy-ready.yaml b/other-cel/pdb-maxunavailable/.chainsaw-test/policy-ready.yaml index 5cdc2b1cc..235426002 100755 --- a/other-cel/pdb-maxunavailable/.chainsaw-test/policy-ready.yaml +++ b/other-cel/pdb-maxunavailable/.chainsaw-test/policy-ready.yaml 
@@ -4,3 +4,4 @@ metadata: name: pdb-maxunavailable status: ready: true + diff --git a/other-cel/pdb-maxunavailable/.kyverno-test/kyverno-test.yaml b/other-cel/pdb-maxunavailable/.kyverno-test/kyverno-test.yaml index de54dcca9..e62099f4d 100644 --- a/other-cel/pdb-maxunavailable/.kyverno-test/kyverno-test.yaml +++ b/other-cel/pdb-maxunavailable/.kyverno-test/kyverno-test.yaml @@ -21,3 +21,4 @@ results: - kube-system/good-pdb-none result: pass rule: pdb-maxunavailable + diff --git a/other-cel/pdb-maxunavailable/.kyverno-test/resource.yaml b/other-cel/pdb-maxunavailable/.kyverno-test/resource.yaml index 8b4f7cbf0..d7777edb9 100644 --- a/other-cel/pdb-maxunavailable/.kyverno-test/resource.yaml +++ b/other-cel/pdb-maxunavailable/.kyverno-test/resource.yaml @@ -40,3 +40,4 @@ spec: selector: matchLabels: app: bad + diff --git a/other-cel/prevent-bare-pods/.chainsaw-test/chainsaw-test.yaml b/other-cel/prevent-bare-pods/.chainsaw-test/chainsaw-test.yaml index a36e55e11..71881a8c8 100755 --- a/other-cel/prevent-bare-pods/.chainsaw-test/chainsaw-test.yaml +++ b/other-cel/prevent-bare-pods/.chainsaw-test/chainsaw-test.yaml @@ -44,3 +44,4 @@ spec: try: - script: content: kubectl delete all --all --force --grace-period=0 -n prevent-naked-pods-ns + diff --git a/other-cel/prevent-bare-pods/.chainsaw-test/deployment.yaml b/other-cel/prevent-bare-pods/.chainsaw-test/deployment.yaml index 8ddcca3cc..c79a4845a 100644 --- a/other-cel/prevent-bare-pods/.chainsaw-test/deployment.yaml +++ b/other-cel/prevent-bare-pods/.chainsaw-test/deployment.yaml @@ -19,4 +19,5 @@ spec: containers: - name: busybox image: busybox:1.35 - command: ["sleep", "30"] \ No newline at end of file + command: ["sleep", "30"] + diff --git a/other-cel/prevent-bare-pods/.chainsaw-test/ns.yaml b/other-cel/prevent-bare-pods/.chainsaw-test/ns.yaml index 1854a97d2..ed9eca697 100644 --- a/other-cel/prevent-bare-pods/.chainsaw-test/ns.yaml +++ b/other-cel/prevent-bare-pods/.chainsaw-test/ns.yaml 
@@ -1,4 +1,5 @@ apiVersion: v1 kind: Namespace metadata: - name: prevent-naked-pods-ns \ No newline at end of file + name: prevent-naked-pods-ns + diff --git a/other-cel/prevent-bare-pods/.chainsaw-test/pod-bad.yaml b/other-cel/prevent-bare-pods/.chainsaw-test/pod-bad.yaml index be458efe5..cf952a0ce 100644 --- a/other-cel/prevent-bare-pods/.chainsaw-test/pod-bad.yaml +++ b/other-cel/prevent-bare-pods/.chainsaw-test/pod-bad.yaml @@ -5,4 +5,5 @@ metadata: spec: containers: - name: busybox - image: busybox:1.35 \ No newline at end of file + image: busybox:1.35 + diff --git a/other-cel/prevent-bare-pods/.chainsaw-test/pod-good.yaml b/other-cel/prevent-bare-pods/.chainsaw-test/pod-good.yaml index f7e01fe38..7bd6e6c77 100644 --- a/other-cel/prevent-bare-pods/.chainsaw-test/pod-good.yaml +++ b/other-cel/prevent-bare-pods/.chainsaw-test/pod-good.yaml @@ -10,4 +10,5 @@ metadata: spec: containers: - name: busybox - image: busybox:1.35 \ No newline at end of file + image: busybox:1.35 + diff --git a/other-cel/prevent-bare-pods/.chainsaw-test/policy-ready.yaml b/other-cel/prevent-bare-pods/.chainsaw-test/policy-ready.yaml index 34cc2d581..c88574c2e 100755 --- a/other-cel/prevent-bare-pods/.chainsaw-test/policy-ready.yaml +++ b/other-cel/prevent-bare-pods/.chainsaw-test/policy-ready.yaml @@ -4,3 +4,4 @@ metadata: name: prevent-bare-pods status: ready: true + diff --git a/other-cel/prevent-bare-pods/prevent-bare-pods.yaml b/other-cel/prevent-bare-pods/prevent-bare-pods.yaml index dd31e36fb..2afe850c7 100644 --- a/other-cel/prevent-bare-pods/prevent-bare-pods.yaml +++ b/other-cel/prevent-bare-pods/prevent-bare-pods.yaml @@ -31,3 +31,4 @@ spec: expressions: - expression: "'ownerReferences' in object.metadata" message: "Bare Pods are not allowed. They must be created by Pod controllers." + diff --git a/other-cel/prevent-cr8escape/.chainsaw-test/chainsaw-test.yaml b/other-cel/prevent-cr8escape/.chainsaw-test/chainsaw-test.yaml index 5c9e73868..7816e6083 100755 
--- a/other-cel/prevent-cr8escape/.chainsaw-test/chainsaw-test.yaml +++ b/other-cel/prevent-cr8escape/.chainsaw-test/chainsaw-test.yaml @@ -28,3 +28,4 @@ spec: - check: ($error != null): true file: podcontroller-bad.yaml + diff --git a/other-cel/prevent-cr8escape/.chainsaw-test/podcontroller-bad.yaml b/other-cel/prevent-cr8escape/.chainsaw-test/podcontroller-bad.yaml index 28649c6d3..26556887a 100644 --- a/other-cel/prevent-cr8escape/.chainsaw-test/podcontroller-bad.yaml +++ b/other-cel/prevent-cr8escape/.chainsaw-test/podcontroller-bad.yaml @@ -44,4 +44,5 @@ spec: containers: - name: busybox image: busybox:1.35 - restartPolicy: OnFailure \ No newline at end of file + restartPolicy: OnFailure + diff --git a/other-cel/prevent-cr8escape/.chainsaw-test/podcontroller-good.yaml b/other-cel/prevent-cr8escape/.chainsaw-test/podcontroller-good.yaml index f919b1592..487b91d99 100644 --- a/other-cel/prevent-cr8escape/.chainsaw-test/podcontroller-good.yaml +++ b/other-cel/prevent-cr8escape/.chainsaw-test/podcontroller-good.yaml @@ -44,4 +44,5 @@ spec: containers: - name: busybox image: busybox:1.35 - restartPolicy: OnFailure \ No newline at end of file + restartPolicy: OnFailure + diff --git a/other-cel/prevent-cr8escape/.chainsaw-test/pods-bad.yaml b/other-cel/prevent-cr8escape/.chainsaw-test/pods-bad.yaml index 6ef434f4a..05825db5a 100644 --- a/other-cel/prevent-cr8escape/.chainsaw-test/pods-bad.yaml +++ b/other-cel/prevent-cr8escape/.chainsaw-test/pods-bad.yaml @@ -26,4 +26,5 @@ spec: value: "foo=bar" containers: - name: busybox - image: busybox:1.35 \ No newline at end of file + image: busybox:1.35 + diff --git a/other-cel/prevent-cr8escape/.chainsaw-test/pods-good.yaml b/other-cel/prevent-cr8escape/.chainsaw-test/pods-good.yaml index c7519c65f..ed0f0c5fa 100644 --- a/other-cel/prevent-cr8escape/.chainsaw-test/pods-good.yaml +++ b/other-cel/prevent-cr8escape/.chainsaw-test/pods-good.yaml 
@@ -31,4 +31,5 @@ metadata:
 spec:
 containers:
 - name: busybox
- image: busybox:1.35
\ No newline at end of file
+ image: busybox:1.35
+
diff --git a/other-cel/prevent-cr8escape/.chainsaw-test/policy-ready.yaml b/other-cel/prevent-cr8escape/.chainsaw-test/policy-ready.yaml
index 878ac47ec..1259408f7 100644
--- a/other-cel/prevent-cr8escape/.chainsaw-test/policy-ready.yaml
+++ b/other-cel/prevent-cr8escape/.chainsaw-test/policy-ready.yaml
@@ -6,4 +6,5 @@ status:
 conditions:
 - reason: Succeeded
 status: "True"
- type: Ready
\ No newline at end of file
+ type: Ready
+
diff --git a/other-cel/prevent-cr8escape/.kyverno-test/kyverno-test.yaml b/other-cel/prevent-cr8escape/.kyverno-test/kyverno-test.yaml
index b9bb93bba..29a5cc8c5 100644
--- a/other-cel/prevent-cr8escape/.kyverno-test/kyverno-test.yaml
+++ b/other-cel/prevent-cr8escape/.kyverno-test/kyverno-test.yaml
@@ -20,3 +20,4 @@ results:
 - pod-no-sysctl
 result: pass
 rule: restrict-sysctls-cr8escape
+
diff --git a/other-cel/prevent-cr8escape/.kyverno-test/resources.yaml b/other-cel/prevent-cr8escape/.kyverno-test/resources.yaml
index fcc6db8d5..e5ae26766 100644
--- a/other-cel/prevent-cr8escape/.kyverno-test/resources.yaml
+++ b/other-cel/prevent-cr8escape/.kyverno-test/resources.yaml
@@ -35,4 +35,5 @@ spec:
 containers:
 - name: alpine
 image: alpine:latest
- command: ["tail", "-f", "/dev/null"]
\ No newline at end of file
+ command: ["tail", "-f", "/dev/null"]
+
From dc2aba2cf3c3ee9c48fb6a2dfd65d1796f81523c Mon Sep 17 00:00:00 2001
From: Chandan-DK
Date: Wed, 10 Apr 2024 18:27:21 +0000
Subject: [PATCH 16/16] fix lint
Signed-off-by: Chandan-DK
---
 other-cel/prevent-bare-pods/artifacthub-pkg.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/other-cel/prevent-bare-pods/artifacthub-pkg.yml b/other-cel/prevent-bare-pods/artifacthub-pkg.yml
index a100c0e51..3917c8200 100644
--- a/other-cel/prevent-bare-pods/artifacthub-pkg.yml
+++ b/other-cel/prevent-bare-pods/artifacthub-pkg.yml
@@ -20,6 +20,6 @@ annotations:
 kyverno/category: "Other, EKS Best Practices in CEL"
 kyverno/kubernetesVersion: "1.26-1.27"
 kyverno/subject: "Pod"
-digest: 448ef8432853ff17687409fd813fcc5e1be8146a20eb5860bd2f56766d2c717f
+digest: 325e1a068bd771c60a304f121675b9d895bcc8abacc7b48054ae4465d51fd158
 createdAt: "2024-04-07T10:47:32Z"
