From 5d342a72575e141f14cbfd26980a2ba13e243dff Mon Sep 17 00:00:00 2001 From: Anurag Rajawat Date: Wed, 28 Feb 2024 18:18:08 +0530 Subject: [PATCH] tests(core): Add tests for SecurityIntent update and deletion 
Signed-off-by: Anurag Rajawat --- .../nimbuspolicy/delete/chainsaw-test.yaml | 4 +- .../nimbuspolicy/update/chainsaw-test.yaml | 4 +- ...ation-si.yaml => dns-manipulation-si.yaml} | 0 ...ion-sib.yaml => dns-manipulation-sib.yaml} | 0 .../resources/namespaced/multiple-sis.yaml | 29 ++++++ .../namespaced/sib-for-multiple-sis.yaml | 19 ++++ .../securityintent/chainsaw-test.yaml | 2 +- .../create/chainsaw-test.yaml | 4 +- .../delete/chainsaw-test.yaml | 4 +- .../update/chainsaw-test.yaml | 4 +- .../controllers/sis-and-sibs/create/README.md | 76 ++++++++++++++ .../sis-and-sibs/create/chainsaw-test.yaml | 45 +++++++++ .../controllers/sis-and-sibs/delete/README.md | 76 ++++++++++++++ .../sis-and-sibs/delete/chainsaw-test.yaml | 58 +++++++++++ .../sib-status-after-si-deletion-assert.yaml | 11 +++ .../sis-and-sibs/nimbus-policy-assert.yaml | 24 +++++ .../sis-and-sibs/np-status-assert.yaml | 10 ++ .../sis-and-sibs/si-status-assert.yaml | 11 +++ .../sis-and-sibs/sib-status-assert.yaml | 13 +++ .../controllers/sis-and-sibs/update/README.md | 98 +++++++++++++++++++ .../sis-and-sibs/update/chainsaw-test.yaml | 58 +++++++++++ .../nimbus-policy-after-deleting-one-si.yaml | 24 +++++ .../nimbus-policy-after-updating-one-si.yaml | 27 +++++ .../nimbus-policy-for-multiple-sis.yaml | 27 +++++ .../sib-status-after-si-deletion-assert.yaml | 14 +++ .../sis-and-sibs/update/updated-sib.yaml | 18 ++++ .../update/updated-unauth-sa-si.yaml | 11 +++ 27 files changed, 660 insertions(+), 11 deletions(-) rename tests/controllers/resources/namespaced/{1-dns-manipulation-si.yaml => dns-manipulation-si.yaml} (100%) rename tests/controllers/resources/namespaced/{1-dns-manipulation-sib.yaml => dns-manipulation-sib.yaml} (100%) create mode 100644 tests/controllers/resources/namespaced/multiple-sis.yaml create mode 100644 tests/controllers/resources/namespaced/sib-for-multiple-sis.yaml create mode 100644 tests/controllers/sis-and-sibs/create/README.md create mode 100644 
tests/controllers/sis-and-sibs/create/chainsaw-test.yaml create mode 100644 tests/controllers/sis-and-sibs/delete/README.md create mode 100644 tests/controllers/sis-and-sibs/delete/chainsaw-test.yaml create mode 100644 tests/controllers/sis-and-sibs/delete/sib-status-after-si-deletion-assert.yaml create mode 100644 tests/controllers/sis-and-sibs/nimbus-policy-assert.yaml create mode 100644 tests/controllers/sis-and-sibs/np-status-assert.yaml create mode 100644 tests/controllers/sis-and-sibs/si-status-assert.yaml create mode 100644 tests/controllers/sis-and-sibs/sib-status-assert.yaml create mode 100644 tests/controllers/sis-and-sibs/update/README.md create mode 100644 tests/controllers/sis-and-sibs/update/chainsaw-test.yaml create mode 100644 tests/controllers/sis-and-sibs/update/nimbus-policy-after-deleting-one-si.yaml create mode 100644 tests/controllers/sis-and-sibs/update/nimbus-policy-after-updating-one-si.yaml create mode 100644 tests/controllers/sis-and-sibs/update/nimbus-policy-for-multiple-sis.yaml create mode 100644 tests/controllers/sis-and-sibs/update/sib-status-after-si-deletion-assert.yaml create mode 100644 tests/controllers/sis-and-sibs/update/updated-sib.yaml create mode 100644 tests/controllers/sis-and-sibs/update/updated-unauth-sa-si.yaml diff --git a/tests/controllers/nimbuspolicy/delete/chainsaw-test.yaml b/tests/controllers/nimbuspolicy/delete/chainsaw-test.yaml index 170c3366..923029bd 100644 --- a/tests/controllers/nimbuspolicy/delete/chainsaw-test.yaml +++ b/tests/controllers/nimbuspolicy/delete/chainsaw-test.yaml @@ -13,12 +13,12 @@ spec: - name: "Create a SecurityIntent" try: - apply: - file: ../../resources/namespaced/1-dns-manipulation-si.yaml + file: ../../resources/namespaced/dns-manipulation-si.yaml - name: "Create a SecurityIntentBinding" try: - apply: - file: ../../resources/namespaced/1-dns-manipulation-sib.yaml + file: ../../resources/namespaced/dns-manipulation-sib.yaml - name: "Verity NimbusPolicy creation" try: 
diff --git a/tests/controllers/nimbuspolicy/update/chainsaw-test.yaml b/tests/controllers/nimbuspolicy/update/chainsaw-test.yaml index 580f4738..5e872d96 100644 --- a/tests/controllers/nimbuspolicy/update/chainsaw-test.yaml +++ b/tests/controllers/nimbuspolicy/update/chainsaw-test.yaml @@ -13,12 +13,12 @@ spec: - name: "Create a SecurityIntent" try: - apply: - file: ../../resources/namespaced/1-dns-manipulation-si.yaml + file: ../../resources/namespaced/dns-manipulation-si.yaml - name: "Create a SecurityIntentBinding" try: - apply: - file: ../../resources/namespaced/1-dns-manipulation-sib.yaml + file: ../../resources/namespaced/dns-manipulation-sib.yaml - name: "Verity NimbusPolicy creation" try: diff --git a/tests/controllers/resources/namespaced/1-dns-manipulation-si.yaml b/tests/controllers/resources/namespaced/dns-manipulation-si.yaml similarity index 100% rename from tests/controllers/resources/namespaced/1-dns-manipulation-si.yaml rename to tests/controllers/resources/namespaced/dns-manipulation-si.yaml diff --git a/tests/controllers/resources/namespaced/1-dns-manipulation-sib.yaml b/tests/controllers/resources/namespaced/dns-manipulation-sib.yaml similarity index 100% rename from tests/controllers/resources/namespaced/1-dns-manipulation-sib.yaml rename to tests/controllers/resources/namespaced/dns-manipulation-sib.yaml diff --git a/tests/controllers/resources/namespaced/multiple-sis.yaml b/tests/controllers/resources/namespaced/multiple-sis.yaml new file mode 100644 index 00000000..e669655a --- /dev/null +++ b/tests/controllers/resources/namespaced/multiple-sis.yaml 
@@ -0,0 +1,29 @@ +# SPDX-License-Identifier: Apache-2.0 +# Copyright 2023 Authors of Nimbus + +apiVersion: intent.security.nimbus.com/v1 +kind: SecurityIntent +metadata: + name: pkg-mgr-exec-multiple +spec: + intent: + id: swDeploymentTools + action: Block +--- +apiVersion: intent.security.nimbus.com/v1 +kind: SecurityIntent +metadata: + name: unauthorized-sa-token-access-multiple +spec: + intent: + id: unAuthorizedSaTokenAccess + action: Audit +--- +apiVersion: intent.security.nimbus.com/v1 +kind: SecurityIntent +metadata: + name: dns-manipulation-multiple +spec: + intent: + id: dnsManipulation + action: Block diff --git a/tests/controllers/resources/namespaced/sib-for-multiple-sis.yaml b/tests/controllers/resources/namespaced/sib-for-multiple-sis.yaml new file mode 100644 index 00000000..3eaf9db9 --- /dev/null +++ b/tests/controllers/resources/namespaced/sib-for-multiple-sis.yaml @@ -0,0 +1,19 @@ +# SPDX-License-Identifier: Apache-2.0 +# Copyright 2023 Authors of Nimbus + +apiVersion: intent.security.nimbus.com/v1 +kind: SecurityIntentBinding +metadata: + name: multiple-sis-binding +spec: + intents: + - name: pkg-mgr-exec-multiple + - name: unauthorized-sa-token-access-multiple + - name: dns-manipulation-multiple + selector: + any: + - resources: + kind: Pod + namespace: default + matchLabels: + app: nginx diff --git a/tests/controllers/securityintent/chainsaw-test.yaml b/tests/controllers/securityintent/chainsaw-test.yaml index 6744b156..20688a42 100644 --- a/tests/controllers/securityintent/chainsaw-test.yaml +++ b/tests/controllers/securityintent/chainsaw-test.yaml @@ -13,7 +13,7 @@ spec: - name: "Create a SecurityIntent" try: - apply: - file: ../resources/namespaced/1-dns-manipulation-si.yaml + file: ../resources/namespaced/dns-manipulation-si.yaml - name: "Verify status of created SecurityIntent" try: 
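Review bot: The new binding's selector pins `namespace: default` under `resources`, while chainsaw applies the test objects into its own per-test namespace (the delete test queries with `-n $NAMESPACE`), so the selector may name a namespace that holds none of the test pods. If the controller only copies the selector through into the NimbusPolicy this is harmless for the assertions in this patch, which never check a namespace; if it filters on it, the binding would match nothing. Worth confirming that `default` is intended here rather than the test namespace, and adding a one-line comment above `namespace: default` stating which.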
diff --git a/tests/controllers/securityintentbinding/create/chainsaw-test.yaml b/tests/controllers/securityintentbinding/create/chainsaw-test.yaml index fd0b1597..7f034fb3 100644 --- a/tests/controllers/securityintentbinding/create/chainsaw-test.yaml +++ b/tests/controllers/securityintentbinding/create/chainsaw-test.yaml @@ -13,12 +13,12 @@ spec: - name: "Create a SecurityIntent" try: - apply: - file: ../../resources/namespaced/1-dns-manipulation-si.yaml + file: ../../resources/namespaced/dns-manipulation-si.yaml - name: "Create a SecurityIntentBinding" try: - apply: - file: ../../resources/namespaced/1-dns-manipulation-sib.yaml + file: ../../resources/namespaced/dns-manipulation-sib.yaml - name: "Verity NimbusPolicy creation" try: diff --git a/tests/controllers/securityintentbinding/delete/chainsaw-test.yaml b/tests/controllers/securityintentbinding/delete/chainsaw-test.yaml index eb457c31..21e7e688 100644 --- a/tests/controllers/securityintentbinding/delete/chainsaw-test.yaml +++ b/tests/controllers/securityintentbinding/delete/chainsaw-test.yaml @@ -13,12 +13,12 @@ spec: - name: "Create a SecurityIntent" try: - apply: - file: ../../resources/namespaced/1-dns-manipulation-si.yaml + file: ../../resources/namespaced/dns-manipulation-si.yaml - name: "Create a SecurityIntentBinding" try: - apply: - file: ../../resources/namespaced/1-dns-manipulation-sib.yaml + file: ../../resources/namespaced/dns-manipulation-sib.yaml # This resource is intentionally left undeleted by chainsaw to avoid unnecessary errors during its cleanup phase, as it will be explicitly deleted in the following step. skipDelete: true diff --git a/tests/controllers/securityintentbinding/update/chainsaw-test.yaml b/tests/controllers/securityintentbinding/update/chainsaw-test.yaml index 1d358b13..dce45134 100644 --- a/tests/controllers/securityintentbinding/update/chainsaw-test.yaml +++ b/tests/controllers/securityintentbinding/update/chainsaw-test.yaml 
@@ -11,12 +11,12 @@ spec: - name: "Create a SecurityIntent" try: - apply: - file: ../../resources/namespaced/1-dns-manipulation-si.yaml + file: ../../resources/namespaced/dns-manipulation-si.yaml - name: "Create a SecurityIntentBinding" try: - apply: - file: ../../resources/namespaced/1-dns-manipulation-sib.yaml + file: ../../resources/namespaced/dns-manipulation-sib.yaml - name: "Update existing SecurityIntentBinding" try: diff --git a/tests/controllers/sis-and-sibs/create/README.md b/tests/controllers/sis-and-sibs/create/README.md new file mode 100644 index 00000000..a4315f51 --- /dev/null +++ b/tests/controllers/sis-and-sibs/create/README.md 
@@ -0,0 +1,76 @@ +# Test: `securityintentbinding-and-securityintent-independent-creation` + +This test verifies the independent creation of SecurityIntent and SecurityIntentBinding custom resources. It ensures users can create these custom resources individually without requiring one to exist beforehand. + + +### Steps + +| # | Name | Try | Catch | Finally | +|:-:|---|:-:|:-:|:-:| +| 1 | [Create a SecurityIntentBinding](#step-Create a SecurityIntentBinding) | 1 | 0 | 0 | +| 2 | [Create a SecurityIntent](#step-Create a SecurityIntent) | 1 | 0 | 0 | +| 3 | [Verity NimbusPolicy creation](#step-Verity NimbusPolicy creation) | 1 | 0 | 0 | +| 4 | [Verify status of created SecurityIntentBinding](#step-Verify status of created SecurityIntentBinding) | 1 | 0 | 0 | +| 5 | [Verify status of created SecurityIntent](#step-Verify status of created SecurityIntent) | 1 | 0 | 0 | +| 6 | [Verify status of created NimbusPolicy](#step-Verify status of created NimbusPolicy) | 1 | 0 | 0 | + +## Step: `Create a SecurityIntentBinding` + +*No description* + +### Try + +| # | Operation | Description | +|:-:|---|---| +| 1 | `apply` | *No description* | + +## Step: `Create a SecurityIntent` + +*No description* + +### Try + +| # | Operation | Description | +|:-:|---|---| +| 1 | `apply` | *No description* | + +## Step: `Verity NimbusPolicy creation` + +*No description* + +### Try + +| # | Operation | Description | +|:-:|---|---| +| 1 | `assert` | *No description* | + +## Step: `Verify status of created SecurityIntentBinding` + +Verify the created SecurityIntentBinding status subresource includes the number and names of bound intents, along with the generated NimbusPolicy name. 
+ + +### Try + +| # | Operation | Description | +|:-:|---|---| +| 1 | `assert` | *No description* | + +## Step: `Verify status of created SecurityIntent` + +*No description* + +### Try + +| # | Operation | Description | +|:-:|---|---| +| 1 | `assert` | *No description* | + +## Step: `Verify status of created NimbusPolicy` + +*No description* + +### Try + +| # | Operation | Description | +|:-:|---|---| +| 1 | `assert` | *No description* | diff --git a/tests/controllers/sis-and-sibs/create/chainsaw-test.yaml b/tests/controllers/sis-and-sibs/create/chainsaw-test.yaml new file mode 100644 index 00000000..0942e023 --- /dev/null +++ b/tests/controllers/sis-and-sibs/create/chainsaw-test.yaml 
@@ -0,0 +1,45 @@ +# SPDX-License-Identifier: Apache-2.0 +# Copyright 2023 Authors of Nimbus + +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + name: securityintentbinding-and-securityintent-independent-creation +spec: + description: > + This test verifies the independent creation of SecurityIntent and SecurityIntentBinding custom resources. + It ensures users can create these custom resources individually without requiring one to exist beforehand. + + steps: + - name: "Create a SecurityIntentBinding" + try: + - apply: + file: ../../resources/namespaced/dns-manipulation-sib.yaml + + - name: "Create a SecurityIntent" + try: + - apply: + file: ../../resources/namespaced/dns-manipulation-si.yaml + + - name: "Verity NimbusPolicy creation" + try: + - assert: + file: ../nimbus-policy-assert.yaml + + - name: "Verify status of created SecurityIntentBinding" + description: > + Verify the created SecurityIntentBinding status subresource includes the number and names of bound intents, + along with the generated NimbusPolicy name. + try: + - assert: + file: ../sib-status-assert.yaml + + - name: "Verify status of created SecurityIntent" + try: + - assert: + file: ../si-status-assert.yaml + + - name: "Verify status of created NimbusPolicy" + try: + - assert: + file: ../np-status-assert.yaml diff --git a/tests/controllers/sis-and-sibs/delete/README.md b/tests/controllers/sis-and-sibs/delete/README.md new file mode 100644 index 00000000..99a45920 --- /dev/null +++ b/tests/controllers/sis-and-sibs/delete/README.md 
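Review bot: The third step is named `"Verity NimbusPolicy creation"`; step names are what chainsaw prints in its reports and what the generated READMEs link to, so this should read `- name: "Verify NimbusPolicy creation"`. The same misspelling is repeated in the new update test's chainsaw-test.yaml and in both generated README.md files, and the context lines of the pre-existing nimbuspolicy/ and securityintentbinding/ tests carry it too, so a single sweep before regenerating the READMEs would clear all of them.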
@@ -0,0 +1,76 @@ +# Test: `securityintent-deletion-after-creation-of-nimbuspolicy` + +This test verifies that when a SecurityIntent is the only one referenced by a SecurityIntentBinding, and that SecurityIntent is deleted, the corresponding NimbusPolicy is also automatically deleted. + + +### Steps + +| # | Name | Try | Catch | Finally | +|:-:|---|:-:|:-:|:-:| +| 1 | [Create a SecurityIntentBinding](#step-Create a SecurityIntentBinding) | 1 | 0 | 0 | +| 2 | [Create a SecurityIntent](#step-Create a SecurityIntent) | 1 | 0 | 0 | +| 3 | [Verify NimbusPolicy creation](#step-Verify NimbusPolicy creation) | 1 | 0 | 0 | +| 4 | [Delete previously created SecurityIntent](#step-Delete previously created SecurityIntent) | 1 | 0 | 0 | +| 5 | [Verify the NimbusPolicy deletion](#step-Verify the NimbusPolicy deletion) | 1 | 0 | 0 | +| 6 | [Verify status of SecurityIntentBinding](#step-Verify status of SecurityIntentBinding) | 1 | 0 | 0 | + +## Step: `Create a SecurityIntentBinding` + +*No description* + +### Try + +| # | Operation | Description | +|:-:|---|---| +| 1 | `apply` | *No description* | + +## Step: `Create a SecurityIntent` + +*No description* + +### Try + +| # | Operation | Description | +|:-:|---|---| +| 1 | `apply` | *No description* | + +## Step: `Verify NimbusPolicy creation` + +*No description* + +### Try + +| # | Operation | Description | +|:-:|---|---| +| 1 | `assert` | *No description* | + +## Step: `Delete previously created SecurityIntent` + +*No description* + +### Try + +| # | Operation | Description | +|:-:|---|---| +| 1 | `delete` | *No description* | + +## Step: `Verify the NimbusPolicy deletion` + +*No description* + +### Try + +| # | Operation | Description | +|:-:|---|---| +| 1 | `script` | *No description* | + +## Step: `Verify status of SecurityIntentBinding` + +This verifies that upon deletion of a NimbusPolicy, the corresponding SecurityIntentBinding's status subresource is updated to reflect the current information. 
+ + +### Try + +| # | Operation | Description | +|:-:|---|---| +| 1 | `assert` | *No description* | diff --git a/tests/controllers/sis-and-sibs/delete/chainsaw-test.yaml b/tests/controllers/sis-and-sibs/delete/chainsaw-test.yaml new file mode 100644 index 00000000..87a2d128 --- /dev/null +++ b/tests/controllers/sis-and-sibs/delete/chainsaw-test.yaml @@ -0,0 +1,58 @@ +# SPDX-License-Identifier: Apache-2.0 +# Copyright 2023 Authors of Nimbus + +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + name: securityintent-deletion-after-creation-of-nimbuspolicy +spec: + description: > + This test verifies that when a SecurityIntent is the only one referenced by a SecurityIntentBinding, and that + SecurityIntent is deleted, the corresponding NimbusPolicy is also automatically deleted. + + steps: + - name: "Create a SecurityIntentBinding" + try: + - apply: + file: ../../resources/namespaced/dns-manipulation-sib.yaml + + - name: "Create a SecurityIntent" + try: + - apply: + file: ../../resources/namespaced/dns-manipulation-si.yaml + skipDelete: true + + - name: "Verify NimbusPolicy creation" + try: + - assert: + file: ../nimbus-policy-assert.yaml + + - name: "Delete previously created SecurityIntent" + try: + - delete: + ref: + apiVersion: intent.security.nimbus.com/v1 + kind: SecurityIntent + name: dns-manipulation + expect: + - match: + apiVersion: intent.security.nimbus.com/v1 + kind: SecurityIntent + name: dns-manipulation + check: + ($error != null): true + + - name: "Verify the NimbusPolicy deletion" + try: + - script: + content: kubectl get np -n $NAMESPACE dns-manipulation-binding + check: + ($error != null): true + + - name: "Verify status of SecurityIntentBinding" + description: > + This verifies that upon deletion of a NimbusPolicy, the corresponding SecurityIntentBinding's status subresource is + updated to reflect the current information. + try: + - assert: + file: sib-status-after-si-deletion-assert.yaml 
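Review bot: The `Verify the NimbusPolicy deletion` step treats any non-zero exit of `kubectl get np -n $NAMESPACE dns-manipulation-binding` as success (`($error != null): true`), so an RBAC denial, an unresolvable short name or an unreachable API server would make the test pass without the policy having been removed. Chainsaw's `error` operation states the intended condition directly — `- error:` with a `resource:` of `kind: NimbusPolicy` and `name: dns-manipulation-binding` — and fails only while the object still exists, which also removes the dependence on a kubectl binary in the runner. The delete step's `expect` block likewise asserts `($error != null): true`, which reads as expecting the deletion of the SecurityIntent itself to fail; if the intent is that the delete succeeds, that block should be dropped, otherwise a comment above `expect:` naming the error that is expected would help the next reader.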
diff --git a/tests/controllers/sis-and-sibs/delete/sib-status-after-si-deletion-assert.yaml b/tests/controllers/sis-and-sibs/delete/sib-status-after-si-deletion-assert.yaml new file mode 100644 index 00000000..dfe72f22 --- /dev/null +++ b/tests/controllers/sis-and-sibs/delete/sib-status-after-si-deletion-assert.yaml @@ -0,0 +1,11 @@ +# SPDX-License-Identifier: Apache-2.0 +# Copyright 2023 Authors of Nimbus + +apiVersion: intent.security.nimbus.com/v1 +kind: SecurityIntentBinding +metadata: + name: dns-manipulation-binding +status: + nimbusPolicy: "" + numberOfBoundIntents: 0 + status: Created diff --git a/tests/controllers/sis-and-sibs/nimbus-policy-assert.yaml b/tests/controllers/sis-and-sibs/nimbus-policy-assert.yaml new file mode 100644 index 00000000..4cb5c161 --- /dev/null +++ b/tests/controllers/sis-and-sibs/nimbus-policy-assert.yaml @@ -0,0 +1,24 @@ +# SPDX-License-Identifier: Apache-2.0 +# Copyright 2023 Authors of Nimbus + +apiVersion: intent.security.nimbus.com/v1 +kind: NimbusPolicy +metadata: + name: dns-manipulation-binding + ownerReferences: + - apiVersion: intent.security.nimbus.com/v1 + blockOwnerDeletion: true + controller: true + kind: SecurityIntentBinding + name: dns-manipulation-binding + # Since UID is not predictable so ignore it. +spec: + rules: + - description: An adversary can manipulate DNS requests to redirect network traffic + and potentially reveal end user activity. + id: dnsManipulation + rule: + action: Block + selector: + matchLabels: + app: nginx diff --git a/tests/controllers/sis-and-sibs/np-status-assert.yaml b/tests/controllers/sis-and-sibs/np-status-assert.yaml new file mode 100644 index 00000000..793d1972 --- /dev/null +++ b/tests/controllers/sis-and-sibs/np-status-assert.yaml 
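Review bot: This assertion checks `nimbusPolicy: ""` and `numberOfBoundIntents: 0` but says nothing about `boundIntents`; because chainsaw asserts are partial matches, a status that still lists `dns-manipulation` under `boundIntents` would pass as long as the counter was zeroed. The sibling `sib-status-assert.yaml` does check the list on creation, so for symmetry add a JMESPath-keyed entry under `status` asserting that `boundIntents` is null or has length 0. A short comment on the `nimbusPolicy: ""` line saying that the empty string (rather than a missing key) is the controller's cleared value would also document what this assert relies on.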
@@ -0,0 +1,10 @@ +# SPDX-License-Identifier: Apache-2.0 +# Copyright 2023 Authors of Nimbus + +apiVersion: intent.security.nimbus.com/v1 +kind: NimbusPolicy +metadata: + name: dns-manipulation-binding +status: + numberOfAdapterPolicies: 0 + status: Created diff --git a/tests/controllers/sis-and-sibs/si-status-assert.yaml b/tests/controllers/sis-and-sibs/si-status-assert.yaml new file mode 100644 index 00000000..9b74be8b --- /dev/null +++ b/tests/controllers/sis-and-sibs/si-status-assert.yaml @@ -0,0 +1,11 @@ +# SPDX-License-Identifier: Apache-2.0 +# Copyright 2023 Authors of Nimbus + +apiVersion: intent.security.nimbus.com/v1 +kind: SecurityIntent +metadata: + name: dns-manipulation +status: + action: Block + id: dnsManipulation + status: Created diff --git a/tests/controllers/sis-and-sibs/sib-status-assert.yaml b/tests/controllers/sis-and-sibs/sib-status-assert.yaml new file mode 100644 index 00000000..fc6d1f14 --- /dev/null +++ b/tests/controllers/sis-and-sibs/sib-status-assert.yaml @@ -0,0 +1,13 @@ +# SPDX-License-Identifier: Apache-2.0 +# Copyright 2023 Authors of Nimbus + +apiVersion: intent.security.nimbus.com/v1 +kind: SecurityIntentBinding +metadata: + name: dns-manipulation-binding +status: + boundIntents: + - dns-manipulation + nimbusPolicy: dns-manipulation-binding + numberOfBoundIntents: 1 + status: Created diff --git a/tests/controllers/sis-and-sibs/update/README.md b/tests/controllers/sis-and-sibs/update/README.md new file mode 100644 index 00000000..c6959bc3 --- /dev/null +++ b/tests/controllers/sis-and-sibs/update/README.md 
@@ -0,0 +1,98 @@ +# Test: `update` + +This test verifies that modifying a SecurityIntent triggers the desired updates in corresponding SecurityIntentBinding's status subresource and related NimbusPolicy. + + +### Steps + +| # | Name | Try | Catch | Finally | +|:-:|---|:-:|:-:|:-:| +| 1 | [Create a SecurityIntentBinding for multiple SecurityIntents](#step-Create a SecurityIntentBinding for multiple SecurityIntents) | 1 | 0 | 0 | +| 2 | [Create multiple SecurityIntents](#step-Create multiple SecurityIntents) | 1 | 0 | 0 | +| 3 | [Verity NimbusPolicy creation](#step-Verity NimbusPolicy creation) | 1 | 0 | 0 | +| 4 | [Update one SecurityIntent](#step-Update one SecurityIntent) | 1 | 0 | 0 | +| 5 | [Verify NimbusPolicy update](#step-Verify NimbusPolicy update) | 1 | 0 | 0 | +| 6 | [Update SecurityIntentBinding to remove one SecurityIntent](#step-Update SecurityIntentBinding to remove one SecurityIntent) | 1 | 0 | 0 | +| 7 | [Verify the NimbusPolicy update after removal of SecurityIntent](#step-Verify the NimbusPolicy update after removal of SecurityIntent) | 1 | 0 | 0 | +| 8 | [Verify status of SecurityIntentBinding after update](#step-Verify status of SecurityIntentBinding after update) | 1 | 0 | 0 | + +## Step: `Create a SecurityIntentBinding for multiple SecurityIntents` + +*No description* + +### Try + +| # | Operation | Description | +|:-:|---|---| +| 1 | `apply` | *No description* | + +## Step: `Create multiple SecurityIntents` + +*No description* + +### Try + +| # | Operation | Description | +|:-:|---|---| +| 1 | `apply` | *No description* | + +## Step: `Verity NimbusPolicy creation` + +*No description* + +### Try + +| # | Operation | Description | +|:-:|---|---| +| 1 | `assert` | *No description* | + +## Step: `Update one SecurityIntent` + +Update the action of one of the previously created SecurityIntents + +### Try + +| # | Operation | Description | +|:-:|---|---| +| 1 | `apply` | *No description* | + +## Step: `Verify NimbusPolicy update` + +Verify the update 
of rule.action for corresponding SecurityIntent update + +### Try + +| # | Operation | Description | +|:-:|---|---| +| 1 | `assert` | *No description* | + +## Step: `Update SecurityIntentBinding to remove one SecurityIntent` + +Remove one of the previously created SecurityIntents from the SecurityIntentBinding + +### Try + +| # | Operation | Description | +|:-:|---|---| +| 1 | `apply` | *No description* | + +## Step: `Verify the NimbusPolicy update after removal of SecurityIntent` + +*No description* + +### Try + +| # | Operation | Description | +|:-:|---|---| +| 1 | `assert` | *No description* | + +## Step: `Verify status of SecurityIntentBinding after update` + +This verifies that upon deletion of a NimbusPolicy, the corresponding SecurityIntentBinding's status subresource is updated to reflect the current information. + + +### Try + +| # | Operation | Description | +|:-:|---|---| +| 1 | `assert` | *No description* | diff --git a/tests/controllers/sis-and-sibs/update/chainsaw-test.yaml b/tests/controllers/sis-and-sibs/update/chainsaw-test.yaml new file mode 100644 index 00000000..01a731f8 --- /dev/null +++ b/tests/controllers/sis-and-sibs/update/chainsaw-test.yaml 
@@ -0,0 +1,58 @@ +# SPDX-License-Identifier: Apache-2.0 +# Copyright 2023 Authors of Nimbus + +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + name: update +spec: + description: > + This test verifies that modifying a SecurityIntent triggers the desired updates in corresponding SecurityIntentBinding's + status subresource and related NimbusPolicy. + + steps: + - name: "Create a SecurityIntentBinding for multiple SecurityIntents" + try: + - apply: + file: ../../resources/namespaced/sib-for-multiple-sis.yaml + + - name: "Create multiple SecurityIntents" + try: + - apply: + file: ../../resources/namespaced/multiple-sis.yaml + + - name: "Verity NimbusPolicy creation" + try: + - assert: + file: nimbus-policy-for-multiple-sis.yaml + + - name: "Update one SecurityIntent" + description: "Update the action of one of the previously created SecurityIntents" + try: + - apply: + file: updated-unauth-sa-si.yaml + + - name: "Verify NimbusPolicy update" + description: "Verify the update of rule.action for corresponding SecurityIntent update" + try: + - assert: + file: nimbus-policy-after-updating-one-si.yaml + + - name: "Update SecurityIntentBinding to remove one SecurityIntent" + description: "Remove one of the previously created SecurityIntents from the SecurityIntentBinding" + try: + - apply: + file: updated-sib.yaml + + - name: "Verify the NimbusPolicy update after removal of SecurityIntent" + try: + - assert: + file: nimbus-policy-after-deleting-one-si.yaml + + - name: "Verify status of SecurityIntentBinding after update" + description: > + This verifies that upon deletion of a NimbusPolicy, the corresponding SecurityIntentBinding's status subresource is + updated to reflect the current information. + try: + - assert: + file: sib-status-after-si-deletion-assert.yaml 
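Review bot: The last step's description says the binding's status is verified "upon deletion of a NimbusPolicy", but nothing in this test deletes a NimbusPolicy — the preceding step removes one intent from the SecurityIntentBinding and the policy is expected to survive with two rules; the text is copied from the delete test and should say something like `description: "Verify the SecurityIntentBinding status lists only the intents still bound after one was removed from the binding."`. The asserted file `sib-status-after-si-deletion-assert.yaml` has the same mismatch, since no SecurityIntent is deleted here either. The test is also named plainly `update` while its siblings use descriptive names such as `securityintent-deletion-after-creation-of-nimbuspolicy`; a name along the lines of `securityintent-update-and-removal-from-binding` would keep chainsaw's reports readable.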
diff --git a/tests/controllers/sis-and-sibs/update/nimbus-policy-after-deleting-one-si.yaml b/tests/controllers/sis-and-sibs/update/nimbus-policy-after-deleting-one-si.yaml new file mode 100644 index 00000000..efe68a2f --- /dev/null +++ b/tests/controllers/sis-and-sibs/update/nimbus-policy-after-deleting-one-si.yaml @@ -0,0 +1,24 @@ +# SPDX-License-Identifier: Apache-2.0 +# Copyright 2023 Authors of Nimbus + +apiVersion: intent.security.nimbus.com/v1 +kind: NimbusPolicy +metadata: + name: multiple-sis-binding + ownerReferences: + - apiVersion: intent.security.nimbus.com/v1 + blockOwnerDeletion: true + controller: true + kind: SecurityIntentBinding + name: multiple-sis-binding +spec: + rules: + - id: unAuthorizedSaTokenAccess + rule: + action: Block + - id: dnsManipulation + rule: + action: Block + selector: + matchLabels: + app: nginx diff --git a/tests/controllers/sis-and-sibs/update/nimbus-policy-after-updating-one-si.yaml b/tests/controllers/sis-and-sibs/update/nimbus-policy-after-updating-one-si.yaml new file mode 100644 index 00000000..9b3da3c7 --- /dev/null +++ b/tests/controllers/sis-and-sibs/update/nimbus-policy-after-updating-one-si.yaml @@ -0,0 +1,27 @@ +# SPDX-License-Identifier: Apache-2.0 +# Copyright 2023 Authors of Nimbus + +apiVersion: intent.security.nimbus.com/v1 +kind: NimbusPolicy +metadata: + name: multiple-sis-binding + ownerReferences: + - apiVersion: intent.security.nimbus.com/v1 + blockOwnerDeletion: true + controller: true + kind: SecurityIntentBinding + name: multiple-sis-binding +spec: + rules: + - id: swDeploymentTools + rule: + action: Block + - id: unAuthorizedSaTokenAccess + rule: + action: Block + - id: dnsManipulation + rule: + action: Block + selector: + matchLabels: + app: nginx diff --git a/tests/controllers/sis-and-sibs/update/nimbus-policy-for-multiple-sis.yaml b/tests/controllers/sis-and-sibs/update/nimbus-policy-for-multiple-sis.yaml new file mode 100644 index 00000000..87762d56 --- /dev/null 
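Review bot: `nimbus-policy-after-deleting-one-si.yaml` lists two rules and relies on the assertion engine to reject a NimbusPolicy that still carries the stale `swDeploymentTools` rule; if chainsaw's array matching only checks the listed elements, a controller that appends to rather than rebuilds the rule set would still pass. If that rejection is not already guaranteed by the engine, an explicit length check under `spec`, e.g. `(length(rules)): 2`, pins the expectation, and the same applies to the three-rule assertions in `nimbus-policy-after-updating-one-si.yaml` and `nimbus-policy-for-multiple-sis.yaml`. Note also that the rules here omit the `description` field that `nimbus-policy-assert.yaml` checks for the single-intent case, which is fine for a partial match but means the descriptions of these three intents are never verified.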
+++ b/tests/controllers/sis-and-sibs/update/nimbus-policy-for-multiple-sis.yaml @@ -0,0 +1,27 @@ +# SPDX-License-Identifier: Apache-2.0 +# Copyright 2023 Authors of Nimbus + +apiVersion: intent.security.nimbus.com/v1 +kind: NimbusPolicy +metadata: + name: multiple-sis-binding + ownerReferences: + - apiVersion: intent.security.nimbus.com/v1 + blockOwnerDeletion: true + controller: true + kind: SecurityIntentBinding + name: multiple-sis-binding +spec: + rules: + - id: swDeploymentTools + rule: + action: Block + - id: unAuthorizedSaTokenAccess + rule: + action: Audit + - id: dnsManipulation + rule: + action: Block + selector: + matchLabels: + app: nginx diff --git a/tests/controllers/sis-and-sibs/update/sib-status-after-si-deletion-assert.yaml b/tests/controllers/sis-and-sibs/update/sib-status-after-si-deletion-assert.yaml new file mode 100644 index 00000000..5cebb0bf --- /dev/null +++ b/tests/controllers/sis-and-sibs/update/sib-status-after-si-deletion-assert.yaml @@ -0,0 +1,14 @@ +# SPDX-License-Identifier: Apache-2.0 +# Copyright 2023 Authors of Nimbus + +apiVersion: intent.security.nimbus.com/v1 +kind: SecurityIntentBinding +metadata: + name: multiple-sis-binding +status: + boundIntents: + - unauthorized-sa-token-access-multiple + - dns-manipulation-multiple + nimbusPolicy: multiple-sis-binding + numberOfBoundIntents: 2 + status: Created diff --git a/tests/controllers/sis-and-sibs/update/updated-sib.yaml b/tests/controllers/sis-and-sibs/update/updated-sib.yaml new file mode 100644 index 00000000..20fe3267 --- /dev/null +++ b/tests/controllers/sis-and-sibs/update/updated-sib.yaml 
@@ -0,0 +1,18 @@ +# SPDX-License-Identifier: Apache-2.0 +# Copyright 2023 Authors of Nimbus + +apiVersion: intent.security.nimbus.com/v1 +kind: SecurityIntentBinding +metadata: + name: multiple-sis-binding +spec: + intents: + - name: unauthorized-sa-token-access-multiple + - name: dns-manipulation-multiple + selector: + any: + - resources: + kind: Pod + namespace: default + matchLabels: + app: nginx diff --git a/tests/controllers/sis-and-sibs/update/updated-unauth-sa-si.yaml b/tests/controllers/sis-and-sibs/update/updated-unauth-sa-si.yaml new file mode 100644 index 00000000..e83e913f --- /dev/null +++ b/tests/controllers/sis-and-sibs/update/updated-unauth-sa-si.yaml @@ -0,0 +1,11 @@ +# SPDX-License-Identifier: Apache-2.0 +# Copyright 2023 Authors of Nimbus + +apiVersion: intent.security.nimbus.com/v1 +kind: SecurityIntent +metadata: + name: unauthorized-sa-token-access-multiple +spec: + intent: + id: unAuthorizedSaTokenAccess + action: Block