From 11803596a136e77867683650a424847a7f035649 Mon Sep 17 00:00:00 2001 From: Trey Dockendorf Date: Fri, 29 Mar 2024 11:22:04 -0400 Subject: [PATCH] Support PAAS * Adjust Kyverno policies to account for 'paas' role --- .github/config/kyverno-policies-values.yaml | 13 + .github/config/kyverno-values.yaml | 1 + charts/kyverno-policies/Chart.yaml | 2 +- .../templates/add-service-account.yaml | 6 +- .../templates/authorized-registries.yaml | 27 + .../templates/pod-nodeselector.yaml | 27 + .../templates/pod-resources.yaml | 2 + .../pod-service-account-validation.yaml | 7 +- .../templates/restrict-host-path.yaml | 20 + charts/kyverno-policies/values.yaml | 19 + .../add-service-account/kyverno-test.yaml | 26 +- ...as-service-account-mutated-containers.yaml | 15 + .../paas-service-account-mutated.yaml | 22 + .../add-service-account/resources.yaml | 30 ++ .../add-service-account/variables.yaml | 7 +- .../authorized-registries/kyverno-test.yaml | 23 + .../authorized-registries/resources.yaml | 60 +++ .../authorized-registries/variables.yaml | 3 + .../pod-nodeselector/kyverno-test.yaml | 25 + .../pod-nodeselector/resources.yaml | 80 +++ .../pod-nodeselector/variables.yaml | 3 + .../pod-resources/kyverno-test.yaml | 35 ++ .../pod-resources/resources.yaml | 84 ++++ .../pod-resources/variables.yaml | 3 + .../kyverno-test.yaml | 159 +++++- .../resources.yaml | 462 +++++++++++++++++- .../variables.yaml | 116 ++++- .../restrict-host-path/kyverno-test.yaml | 29 ++ .../restrict-host-path/resources.yaml | 104 ++++ .../restrict-host-path/variables.yaml | 3 + 30 files changed, 1333 insertions(+), 80 deletions(-) create mode 100644 tests/kyverno-policies/add-service-account/paas-service-account-mutated-containers.yaml create mode 100644 tests/kyverno-policies/add-service-account/paas-service-account-mutated.yaml diff --git a/.github/config/kyverno-policies-values.yaml b/.github/config/kyverno-policies-values.yaml index da801dcd..f35dcaa6 100644 
--- a/.github/config/kyverno-policies-values.yaml +++ b/.github/config/kyverno-policies-values.yaml @@ -25,3 +25,16 @@ webservices: - busybox validNodeSelector: - test +paas: + allowHostPaths: + - /etc/slurm + - /var/run/munge/munge.socket.2 + - /users/?* + - /fs/?* + - /tmp + authorizedRegistries: + - docker-registry.osc.edu + - quay.io/oauth2-proxy/oauth2-proxy + - busybox + validNodeSelector: + - test diff --git a/.github/config/kyverno-values.yaml b/.github/config/kyverno-values.yaml index 1f9de4db..6d952f7a 100644 --- a/.github/config/kyverno-values.yaml +++ b/.github/config/kyverno-values.yaml @@ -38,3 +38,4 @@ config: operator: In values: - webservice + - paas diff --git a/charts/kyverno-policies/Chart.yaml b/charts/kyverno-policies/Chart.yaml index 45b6daaf..a4c54972 100644 --- a/charts/kyverno-policies/Chart.yaml +++ b/charts/kyverno-policies/Chart.yaml @@ -2,7 +2,7 @@ apiVersion: v2 name: kyverno-policies description: OSC Kyverno policies deployment type: application -version: 0.23.0 +version: 0.24.0 appVersion: "v1.10.7" maintainers: - name: treydock diff --git a/charts/kyverno-policies/templates/add-service-account.yaml b/charts/kyverno-policies/templates/add-service-account.yaml index 1196cd35..f18a42d3 100644 --- a/charts/kyverno-policies/templates/add-service-account.yaml +++ b/charts/kyverno-policies/templates/add-service-account.yaml @@ -6,7 +6,7 @@ spec: validationFailureAction: enforce background: true rules: - - name: webservice-service-account-run-as + - name: service-account-run-as match: any: - resources: @@ -18,6 +18,7 @@ spec: operator: In values: - webservice + - paas preconditions: - key: "{{`{{ request.object.metadata.labels.\"osc.edu/service-account\" || '' }}`}}" operator: NotEquals 
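Review bot: The paas `allowHostPaths` list in this CI values file does not match the chart default added in charts/kyverno-policies/values.yaml in the same commit (CI permits `/tmp` and omits `/var/lib/sss/pipes`, `/etc/sssd` and `/etc/nsswitch.conf`), so the CI cluster never exercises the list that actually ships. If the divergence is deliberate, a comment on the entry such as `# /tmp is allowed here only for CI fixtures; not in the chart default` would stop the next edit from copying it across. The `authorizedRegistries` and `validNodeSelector` lists diverge in the same way (`busybox` / `test`), which is presumably fine for fixtures but deserves the same note.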
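Review bot: Renaming the mutate rules from `webservice-service-account-run-as` / `-containers` to `service-account-run-as` / `-containers` changes identifiers that can be referenced outside this chart (PolicyException `ruleNames`, policy-report queries, dashboards), and Chart.yaml only bumps the minor version. Either call the rename out where the chart's release notes live or keep the old names and add `paas` to the existing rules. The body of `service-account-run-as` continues past the end of this hunk.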
@@ -43,7 +44,7 @@ spec: runAsGroup: "{{`{{ gidMap.data.\"user-{{ request.object.metadata.labels.\"osc.edu/service-account\" }}\".to_number(@) }}`}}" fsGroup: "{{`{{ gidMap.data.\"user-{{ request.object.metadata.labels.\"osc.edu/service-account\" }}\".to_number(@) }}`}}" supplementalGroups: "{{`{{ gidsMap.data.\"user-{{ request.object.metadata.labels.\"osc.edu/service-account\" }}\" | parse_json(@)[*].to_number(@) }}`}}" - - name: webservice-service-account-run-as-containers + - name: service-account-run-as-containers match: any: - resources: @@ -55,6 +56,7 @@ spec: operator: In values: - webservice + - paas preconditions: - key: "{{`{{ request.object.metadata.labels.\"osc.edu/service-account\" || '' }}`}}" operator: NotEquals diff --git a/charts/kyverno-policies/templates/authorized-registries.yaml b/charts/kyverno-policies/templates/authorized-registries.yaml index afd0439b..b80aaba8 100644 --- a/charts/kyverno-policies/templates/authorized-registries.yaml +++ b/charts/kyverno-policies/templates/authorized-registries.yaml @@ -52,3 +52,30 @@ spec: =(initContainers): - image: "{{ . }}/* | {{ . }}:*" {{- end }} + - name: authorized-registries-paas + match: + any: + - resources: + kinds: + - Pod + namespaceSelector: + matchExpressions: + - key: osc.edu/role + operator: In + values: + - paas + exclude: + any: + - resources: + name: "cm-acme-http-solver-*" + validate: + message: >- + Images must come from {{ join " or " .Values.paas.authorizedRegistries }} + anyPattern: + {{- range .Values.paas.authorizedRegistries }} + - spec: + containers: + - image: "{{ . }}/* | {{ . }}:*" + =(initContainers): + - image: "{{ . }}/* | {{ . }}:*" + {{- end }} diff --git a/charts/kyverno-policies/templates/pod-nodeselector.yaml b/charts/kyverno-policies/templates/pod-nodeselector.yaml index ea1f6ad9..e3a1aead 100644 --- a/charts/kyverno-policies/templates/pod-nodeselector.yaml +++ b/charts/kyverno-policies/templates/pod-nodeselector.yaml 
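Review bot: The new `authorized-registries-paas` rule is a verbatim copy of the webservice rule above it with only the role value and the `.Values` key changed, and the same copy-per-role pattern is repeated in pod-nodeselector.yaml and restrict-host-path.yaml; a `{{- range }}` over a list of roles, each carrying its own `authorizedRegistries`, would keep the two from drifting the next time the image pattern is adjusted. A comment on the rule would also help readers of the pattern `"{{ . }}/* | {{ . }}:*"`: for a full repository entry like `quay.io/oauth2-proxy/oauth2-proxy` the `/*` alternative admits any path below it, not just tags, which appears intentional for registry-host entries but is easy to miss for repository entries.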
@@ -50,3 +50,30 @@ spec: nodeSelector: node-role.kubernetes.io/{{ . }}: '' {{- end }} + - name: pod-nodeselector-paas + match: + any: + - resources: + kinds: + - Pod + namespaceSelector: + matchExpressions: + - key: osc.edu/role + operator: In + values: + - paas + exclude: + any: + - resources: + name: "cm-acme-http-solver-*" + validate: + message: "Node selector must be set" + anyPattern: + - spec: + nodeSelector: + osc.edu/role: "{{ join " | " .Values.paas.validNodeSelector }}" + {{- range .Values.paas.validNodeSelector }} + - spec: + nodeSelector: + node-role.kubernetes.io/{{ . }}: '' + {{- end }} diff --git a/charts/kyverno-policies/templates/pod-resources.yaml b/charts/kyverno-policies/templates/pod-resources.yaml index 8c9e1af2..c36bedfb 100644 --- a/charts/kyverno-policies/templates/pod-resources.yaml +++ b/charts/kyverno-policies/templates/pod-resources.yaml @@ -23,6 +23,7 @@ spec: operator: In values: - webservice + - paas validate: message: "CPU and memory resource requests and limits are required for pods" pattern: @@ -60,6 +61,7 @@ spec: operator: In values: - webservice + - paas validate: message: "CPU and memory limits exceed max 8 CPUs and 32GB of memory" pattern: diff --git a/charts/kyverno-policies/templates/pod-service-account-validation.yaml b/charts/kyverno-policies/templates/pod-service-account-validation.yaml index f07588c7..29cd52a9 100644 --- a/charts/kyverno-policies/templates/pod-service-account-validation.yaml +++ b/charts/kyverno-policies/templates/pod-service-account-validation.yaml @@ -18,8 +18,9 @@ spec: operator: In values: - webservice + - paas validate: - message: "Webservice pods must include a service account for access" + message: "Webservice and PAAS pods must include a service account for access" pattern: metadata: labels: @@ -36,6 +37,7 @@ spec: operator: In values: - webservice + - paas preconditions: - key: "{{`{{ request.operation }}`}}" operator: In 
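Review bot: The message `Node selector must be set` on the new `pod-nodeselector-paas` rule does not tell the submitter which selectors are accepted, even though the chart already has the list; something like `message: "Node selector must be osc.edu/role in [{{ join " | " .Values.paas.validNodeSelector }}] or node-role.kubernetes.io/<role>: ''"` makes the denial self-explanatory. The webservice rule whose tail is shown as context carries the same terse message, so the wording can be fixed in both places together.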
@@ -82,6 +84,7 @@ spec: operator: In values: - webservice + - paas preconditions: - key: "{{`{{ request.operation }}`}}" operator: In @@ -128,6 +131,7 @@ spec: operator: In values: - webservice + - paas preconditions: - key: "{{`{{ request.operation }}`}}" operator: In @@ -159,6 +163,7 @@ spec: operator: In values: - webservice + - paas preconditions: - key: "{{`{{ request.operation }}`}}" operator: In diff --git a/charts/kyverno-policies/templates/restrict-host-path.yaml b/charts/kyverno-policies/templates/restrict-host-path.yaml index 5a9a60b2..ca7c4637 100644 --- a/charts/kyverno-policies/templates/restrict-host-path.yaml +++ b/charts/kyverno-policies/templates/restrict-host-path.yaml @@ -48,3 +48,23 @@ spec: =(volumes): - =(hostPath): path: "{{ join " | " .Values.webservices.allowHostPaths }}" + - name: paas-host-path + match: + any: + - resources: + kinds: + - Pod + namespaceSelector: + matchExpressions: + - key: osc.edu/role + operator: In + values: + - paas + validate: + message: >- + That HostPath volume is forbidden. The fields spec.volumes[*].hostPath must not be set to allowed paths. + pattern: + spec: + =(volumes): + - =(hostPath): + path: "{{ join " | " .Values.paas.allowHostPaths }}" diff --git a/charts/kyverno-policies/values.yaml b/charts/kyverno-policies/values.yaml index 10e43c18..70b20726 100644 --- a/charts/kyverno-policies/values.yaml +++ b/charts/kyverno-policies/values.yaml @@ -29,6 +29,23 @@ webservices: validNodeSelector: - infrastructure - webservices +paas: + allowHostPaths: + - /var/lib/sss/pipes + - /etc/sssd + - /etc/nsswitch.conf + - /etc/slurm + - /var/run/munge/munge.socket.2 + - /users/?* + - /fs/?* + authorizedRegistries: + - docker-registry.osc.edu + - docker-registry-test.osc.edu + - quay.io/oauth2-proxy/oauth2-proxy + validNodeSelector: + - infrastructure + - webservices + - paas validationFailureAction: {} kyverno-policies: # Supported- baseline/restricted/privileged/custom 
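Review bot: The message on the new `paas-host-path` rule, `The fields spec.volumes[*].hostPath must not be set to allowed paths`, states the inverse of what the pattern enforces and will confuse whoever receives the denial; `must be one of the allowed paths` or, better, `must be one of: {{ join ", " .Values.paas.allowHostPaths }}` says what is actually checked. The webservice rule above shares the wording as context, so correct both if the text is copied. It is also worth a comment on the rule that `/users/?*` and `/fs/?*` match whole subtrees, so the only thing scoping a paas pod within them is the runAsUser/fsGroup that add-service-account derives from the `osc.edu/service-account` label.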
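Review bot: The paas `allowHostPaths` default adds host-level inputs (`/var/lib/sss/pipes`, `/etc/sssd`, `/etc/nsswitch.conf`, `/etc/slurm`, the munge socket, and the `/users` and `/fs` trees) with no comment saying which workload needs each, and every pod in a paas namespace inherits the whole list. A one-line comment above each entry (`# needed by <component>` as a placeholder) gives reviewers something to prune against later. `/etc/sssd` in particular commonly holds a configuration file that is root-only on the host, so recording that the entry relies on pods not running as root would document the assumption the rule makes.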
@@ -69,6 +86,7 @@ kyverno-policies: operator: In values: - webservice + - paas restrict-seccomp-strict: any: # TODO: Remove once ood_core updated @@ -90,6 +108,7 @@ kyverno-policies: operator: In values: - webservice + - paas policyPreconditions: disallow-capabilities: all: diff --git a/tests/kyverno-policies/add-service-account/kyverno-test.yaml b/tests/kyverno-policies/add-service-account/kyverno-test.yaml index e1cb2637..a3d040f9 100644 --- a/tests/kyverno-policies/add-service-account/kyverno-test.yaml +++ b/tests/kyverno-policies/add-service-account/kyverno-test.yaml 
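Review bot: Both hunks add `paas` to exclusion lists under `kyverno-policies:` whose policy names sit above the hunks, and the context right after the first shows `restrict-seccomp-strict` opening with `# TODO: Remove once ood_core updated`, so at least one of these carve-outs is documented as a temporary workaround for one webservice component that is now being extended to a whole new role. If paas pods genuinely need the exclusion, extend the TODO to say what in paas depends on it; otherwise leaving paas out of the list keeps the restriction in force for the new namespaces. Both enclosing mappings start outside the hunks.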
@@ -7,42 +7,56 @@ resources: variables: variables.yaml results: - policy: add-service-account - rule: webservice-service-account-run-as + rule: service-account-run-as resources: - test-webservice-service-account patchedResource: webservice-service-account-mutated.yaml kind: Pod result: pass - policy: add-service-account - rule: webservice-service-account-run-as + rule: service-account-run-as + resources: + - test-paas-service-account + patchedResource: paas-service-account-mutated.yaml + kind: Pod + result: pass + - policy: add-service-account + rule: service-account-run-as resources: - test-no-service-account-skip patchedResource: no-service-account.yaml kind: Pod result: skip - policy: add-service-account - rule: webservice-service-account-run-as + rule: service-account-run-as resources: - test-webservice-service-account-mariadb patchedResource: webservice-service-account-mariadb-mutated.yaml kind: Pod result: pass - policy: add-service-account - rule: webservice-service-account-run-as + rule: service-account-run-as resources: - test-webservice-service-account-skip patchedResource: skip.yaml kind: Pod result: skip - policy: add-service-account - rule: webservice-service-account-run-as-containers + rule: service-account-run-as-containers resources: - test-webservice-service-account-containers patchedResource: webservice-service-account-mutated-containers.yaml kind: Pod result: pass - policy: add-service-account - rule: webservice-service-account-run-as-containers + rule: service-account-run-as-containers + resources: + - test-paas-service-account-containers + patchedResource: paas-service-account-mutated-containers.yaml + kind: Pod + result: pass + - policy: add-service-account + rule: service-account-run-as-containers resources: - test-webservice-service-account-mariadb-containers patchedResource: webservice-service-account-mariadb-mutated-containers.yaml 
diff --git a/tests/kyverno-policies/add-service-account/paas-service-account-mutated-containers.yaml b/tests/kyverno-policies/add-service-account/paas-service-account-mutated-containers.yaml
new file mode 100644
index 00000000..e3db8eb3
--- /dev/null
+++ b/tests/kyverno-policies/add-service-account/paas-service-account-mutated-containers.yaml
@@ -0,0 +1,15 @@
+---
+apiVersion: v1
+kind: Pod
+metadata:
+ name: test-paas-service-account-containers
+ namespace: paas
+ labels:
+ osc.edu/service-account: test
+spec:
+ containers:
+ - name: nginx
+ image: nginx:latest
+ initContainers:
+ - name: init
+ image: busybox
\ No newline at end of file
diff --git a/tests/kyverno-policies/add-service-account/paas-service-account-mutated.yaml b/tests/kyverno-policies/add-service-account/paas-service-account-mutated.yaml
new file mode 100644
index 00000000..27c418b1
--- /dev/null
+++ b/tests/kyverno-policies/add-service-account/paas-service-account-mutated.yaml
@@ -0,0 +1,22 @@
+---
+apiVersion: v1
+kind: Pod
+metadata:
+ name: test-paas-service-account
+ namespace: paas
+ labels:
+ osc.edu/service-account: test
+spec:
+ containers:
+ - name: nginx
+ image: nginx:latest
+ initContainers:
+ - name: init
+ image: busybox
+ securityContext:
+ runAsUser: 1000
+ runAsGroup: 1001
+ fsGroup: 1001
+ supplementalGroups:
+ - 1001
+ - 1002
diff --git a/tests/kyverno-policies/add-service-account/resources.yaml b/tests/kyverno-policies/add-service-account/resources.yaml
index bc8befdf..54e429c7 100644
--- a/tests/kyverno-policies/add-service-account/resources.yaml
+++ b/tests/kyverno-policies/add-service-account/resources.yaml
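Review bot: `paas-service-account-mutated-containers.yaml` is added without a trailing newline (the `\ No newline at end of file` marker) while its sibling `paas-service-account-mutated.yaml` has one; add the newline so yamllint's `new-line-at-end-of-file` check passes and later diffs do not churn the last line. Separately, this expected post-mutation fixture carries no `securityContext` on either container, so if the `-containers` rule rewrites per-container securityContext it is only being shown leaving a bare pod untouched; a fixture whose containers already declare a `securityContext` would demonstrate the mutation itself. What the containers rule actually patches is outside this chunk, so treat that as something to confirm.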
@@ -26,6 +26,21 @@ spec: --- apiVersion: v1 kind: Pod +metadata: + name: test-paas-service-account + namespace: paas + labels: + osc.edu/service-account: test +spec: + containers: + - name: nginx + image: nginx:latest + initContainers: + - name: init + image: busybox +--- +apiVersion: v1 +kind: Pod metadata: name: test-webservice-service-account-containers namespace: webservice @@ -41,6 +56,21 @@ spec: --- apiVersion: v1 kind: Pod +metadata: + name: test-paas-service-account-containers + namespace: paas + labels: + osc.edu/service-account: test +spec: + containers: + - name: nginx + image: nginx:latest + initContainers: + - name: init + image: busybox +--- +apiVersion: v1 +kind: Pod metadata: name: test-webservice-service-account-skip namespace: user-test diff --git a/tests/kyverno-policies/add-service-account/variables.yaml b/tests/kyverno-policies/add-service-account/variables.yaml index 919fd707..5e445479 100644 --- a/tests/kyverno-policies/add-service-account/variables.yaml +++ b/tests/kyverno-policies/add-service-account/variables.yaml @@ -1,12 +1,12 @@ policies: - name: add-service-account rules: - - name: webservice-service-account-run-as + - name: service-account-run-as values: uidMap.data.user-test: '1000' gidMap.data.user-test: '1001' gidsMap.data.user-test: '["1001","1002"]' - - name: webservice-service-account-run-as-containers + - name: service-account-run-as-containers values: uidMap.data.user-test: '1000' gidMap.data.user-test: '1001' @@ -17,3 +17,6 @@ namespaceSelector: - name: webservice labels: osc.edu/role: webservice + - name: paas + labels: + osc.edu/role: paas diff --git a/tests/kyverno-policies/authorized-registries/kyverno-test.yaml b/tests/kyverno-policies/authorized-registries/kyverno-test.yaml index 2db4040b..6c842663 100644 --- a/tests/kyverno-policies/authorized-registries/kyverno-test.yaml +++ b/tests/kyverno-policies/authorized-registries/kyverno-test.yaml 
@@ -50,4 +50,27 @@ results: - test-fail-webservice kind: Pod namespace: webservice + result: fail + - policy: authorized-registries + rule: authorized-registries-paas + resources: + - test-skip-paas + kind: Pod + result: skip + - policy: authorized-registries + rule: authorized-registries-paas + resources: + - test-pass-paas + - test-pass2-paas + - test-pass3-paas + - test-pass-site-paas + kind: Pod + namespace: paas + result: pass + - policy: authorized-registries + rule: authorized-registries-paas + resources: + - test-fail-paas + kind: Pod + namespace: paas result: fail \ No newline at end of file diff --git a/tests/kyverno-policies/authorized-registries/resources.yaml b/tests/kyverno-policies/authorized-registries/resources.yaml index 8baf0926..fc6bd269 100644 --- a/tests/kyverno-policies/authorized-registries/resources.yaml +++ b/tests/kyverno-policies/authorized-registries/resources.yaml @@ -97,3 +97,63 @@ spec: containers: - name: nginx image: nginx:1.12 +--- +apiVersion: v1 +kind: Pod +metadata: + name: test-skip-paas + namespace: user-test +spec: + containers: + - name: nginx + image: nginx:1.12 +--- +apiVersion: v1 +kind: Pod +metadata: + name: test-pass-paas + namespace: paas +spec: + containers: + - name: nginx + image: docker-registry.osc.edu/paas/nginx:1.12 +--- +apiVersion: v1 +kind: Pod +metadata: + name: test-pass2-paas + namespace: paas +spec: + containers: + - name: oauth2 + image: quay.io/oauth2-proxy/oauth2-proxy:1.12 +--- +apiVersion: v1 +kind: Pod +metadata: + name: test-pass3-paas + namespace: paas +spec: + containers: + - name: mysqld-exporter + image: docker-registry.osc.edu/kubernetes/bitnami/mysqld-exporter:1.12 +--- +apiVersion: v1 +kind: Pod +metadata: + name: test-pass-site-paas + namespace: paas +spec: + containers: + - name: nginx + image: docker-registry.osc.edu/nginx:1.12 +--- +apiVersion: v1 +kind: Pod +metadata: + name: test-fail-paas + namespace: paas +spec: + containers: + - name: nginx + image: nginx:1.12 
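Review bot: The `test-skip-paas` entry omits `namespace:` while every other new entry sets it, and the equivalent `test-paas-skip` entry in tests/kyverno-policies/pod-nodeselector/kyverno-test.yaml goes the other way, giving `namespace: paas` even though that fixture is created in `user-test` (which is what makes the rule skip it); if the CLI uses the namespace to locate the resource, that case may pass vacuously rather than by evaluating the rule. Use the fixture's real namespace in both files, or omit it consistently for skip cases. The new paas fixtures also cover only `spec.containers`, while the rule patterns `=(initContainers)` too, so a pod with an init container from an unlisted registry expected to `fail` would exercise the second half of the pattern. The file still ends without a trailing newline.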
diff --git a/tests/kyverno-policies/authorized-registries/variables.yaml b/tests/kyverno-policies/authorized-registries/variables.yaml index 7f090596..296831db 100644 --- a/tests/kyverno-policies/authorized-registries/variables.yaml +++ b/tests/kyverno-policies/authorized-registries/variables.yaml @@ -8,3 +8,6 @@ namespaceSelector: - name: webservice labels: osc.edu/role: webservice + - name: paas + labels: + osc.edu/role: paas diff --git a/tests/kyverno-policies/pod-nodeselector/kyverno-test.yaml b/tests/kyverno-policies/pod-nodeselector/kyverno-test.yaml index db4dc44e..d6ea5ec0 100644 --- a/tests/kyverno-policies/pod-nodeselector/kyverno-test.yaml +++ b/tests/kyverno-policies/pod-nodeselector/kyverno-test.yaml @@ -54,3 +54,28 @@ results: kind: Pod namespace: webservice result: fail + - policy: pod-nodeselector + rule: pod-nodeselector-paas + resources: + - test-paas-skip + kind: Pod + namespace: paas + result: skip + - policy: pod-nodeselector + rule: pod-nodeselector-paas + resources: + - test-paas-pass + - test-paas-pass2 + - test-paas-pass3 + - test-paas-pass-infra + kind: Pod + namespace: paas + result: pass + - policy: pod-nodeselector + rule: pod-nodeselector-paas + resources: + - test-paas-fail-omit + - test-paas-fail-mismatch + kind: Pod + namespace: paas + result: fail diff --git a/tests/kyverno-policies/pod-nodeselector/resources.yaml b/tests/kyverno-policies/pod-nodeselector/resources.yaml index 02178f6e..d927e688 100644 --- a/tests/kyverno-policies/pod-nodeselector/resources.yaml +++ b/tests/kyverno-policies/pod-nodeselector/resources.yaml 
@@ -133,3 +133,83 @@ spec: image: nginx:1.12 nodeSelector: osc.edu/role: ondemand +--- +apiVersion: v1 +kind: Pod +metadata: + name: test-paas-skip + namespace: user-test +spec: + containers: + - name: nginx + image: nginx:1.12 +--- +apiVersion: v1 +kind: Pod +metadata: + name: test-paas-pass + namespace: paas +spec: + containers: + - name: nginx + image: nginx:1.12 + nodeSelector: + osc.edu/role: paas +--- +apiVersion: v1 +kind: Pod +metadata: + name: test-paas-pass2 + namespace: paas +spec: + containers: + - name: nginx + image: nginx:1.12 + nodeSelector: + node-role.kubernetes.io/paas: '' +--- +apiVersion: v1 +kind: Pod +metadata: + name: test-paas-pass3 + namespace: paas +spec: + containers: + - name: nginx + image: nginx:1.12 + nodeSelector: + node-role.kubernetes.io/infrastructure: '' +--- +apiVersion: v1 +kind: Pod +metadata: + name: test-paas-pass-infra + namespace: paas +spec: + containers: + - name: nginx + image: nginx:1.12 + nodeSelector: + osc.edu/role: infrastructure +--- +apiVersion: v1 +kind: Pod +metadata: + name: test-paas-fail-omit + namespace: paas +spec: + containers: + - name: nginx + image: nginx:1.12 +--- +apiVersion: v1 +kind: Pod +metadata: + name: test-paas-fail-mismatch + namespace: paas +spec: + containers: + - name: nginx + image: nginx:1.12 + nodeSelector: + osc.edu/role: ondemand diff --git a/tests/kyverno-policies/pod-nodeselector/variables.yaml b/tests/kyverno-policies/pod-nodeselector/variables.yaml index 7f090596..296831db 100644 --- a/tests/kyverno-policies/pod-nodeselector/variables.yaml +++ b/tests/kyverno-policies/pod-nodeselector/variables.yaml @@ -8,3 +8,6 @@ namespaceSelector: - name: webservice labels: osc.edu/role: webservice + - name: paas + labels: + osc.edu/role: paas diff --git a/tests/kyverno-policies/pod-resources/kyverno-test.yaml b/tests/kyverno-policies/pod-resources/kyverno-test.yaml index 5a43f420..26458e56 100644 --- a/tests/kyverno-policies/pod-resources/kyverno-test.yaml 
+++ b/tests/kyverno-policies/pod-resources/kyverno-test.yaml @@ -46,6 +46,20 @@ results: kind: Pod namespace: webservice result: fail + - policy: pod-resources + rule: pods-require-resources + resources: + - test-limits-pass-paas + kind: Pod + namespace: paas + result: pass + - policy: pod-resources + rule: pods-require-resources + resources: + - test-limits-memory-requests-fail-paas + kind: Pod + namespace: paas + result: fail - policy: pod-resources rule: pods-max-user-resources resources: @@ -61,6 +75,13 @@ results: kind: Pod namespace: webservice result: pass + - policy: pod-resources + rule: pods-max-user-resources + resources: + - test-limits-paas-pass-limits + kind: Pod + namespace: paas + result: pass - policy: pod-resources rule: pods-max-user-resources resources: @@ -84,6 +105,13 @@ results: kind: Pod namespace: webservice result: fail + - policy: pod-resources + rule: pods-max-user-resources + resources: + - test-limits-paas-fail-cpu-limits + kind: Pod + namespace: paas + result: fail - policy: pod-resources rule: pods-max-user-resources resources: @@ -108,3 +136,10 @@ results: kind: Pod namespace: webservice result: fail + - policy: pod-resources + rule: pods-max-user-resources + resources: + - test-limits-paas-fail-mem-limits + kind: Pod + namespace: paas + result: fail diff --git a/tests/kyverno-policies/pod-resources/resources.yaml b/tests/kyverno-policies/pod-resources/resources.yaml index e2f533cb..650efc7a 100644 --- a/tests/kyverno-policies/pod-resources/resources.yaml +++ b/tests/kyverno-policies/pod-resources/resources.yaml @@ -72,6 +72,23 @@ spec: --- apiVersion: v1 kind: Pod +metadata: + name: test-limits-pass-paas + namespace: paas +spec: + containers: + - name: nginx + image: nginx:1.12 + resources: + limits: + cpu: 200m + memory: 128Mi + requests: + cpu: 100m + memory: 50Mi +--- +apiVersion: v1 +kind: Pod metadata: name: test-limits-memory-limits-fail namespace: user-test 
@@ -194,6 +211,22 @@ spec: --- apiVersion: v1 kind: Pod +metadata: + name: test-limits-memory-requests-fail-paas + namespace: paas +spec: + containers: + - name: nginx + image: nginx:1.12 + resources: + limits: + cpu: 200m + memory: 128Mi + requests: + cpu: 100m +--- +apiVersion: v1 +kind: Pod metadata: name: test-limits-pass-cpu-limits1 namespace: user-test @@ -245,6 +278,23 @@ spec: --- apiVersion: v1 kind: Pod +metadata: + name: test-limits-paas-pass-limits + namespace: paas +spec: + containers: + - name: nginx + image: nginx:1.12 + resources: + limits: + cpu: 4 + memory: 8Gi + requests: + cpu: 500m + memory: 1Gi +--- +apiVersion: v1 +kind: Pod metadata: name: test-limits-with-init-pass-cpu-limits2 namespace: user-test @@ -306,6 +356,23 @@ spec: --- apiVersion: v1 kind: Pod +metadata: + name: test-limits-paas-fail-cpu-limits + namespace: paas +spec: + containers: + - name: nginx + image: nginx:1.12 + resources: + limits: + cpu: 10 + memory: 128Mi + requests: + cpu: 500m + memory: 50Mi +--- +apiVersion: v1 +kind: Pod metadata: name: test-limits-with-init-fail-cpu-limits1 namespace: user-test @@ -432,3 +499,20 @@ spec: requests: cpu: 500m memory: 4Gi +--- +apiVersion: v1 +kind: Pod +metadata: + name: test-limits-paas-fail-mem-limits + namespace: paas +spec: + containers: + - name: nginx + image: nginx:1.12 + resources: + limits: + cpu: 8 + memory: 64Gi + requests: + cpu: 500m + memory: 4Gi diff --git a/tests/kyverno-policies/pod-resources/variables.yaml b/tests/kyverno-policies/pod-resources/variables.yaml index 7f090596..296831db 100644 --- a/tests/kyverno-policies/pod-resources/variables.yaml +++ b/tests/kyverno-policies/pod-resources/variables.yaml @@ -8,3 +8,6 @@ namespaceSelector: - name: webservice labels: osc.edu/role: webservice + - name: paas + labels: + osc.edu/role: paas 
diff --git a/tests/kyverno-policies/pod-service-account-validation/kyverno-test.yaml b/tests/kyverno-policies/pod-service-account-validation/kyverno-test.yaml index 51005bbf..8777c6a6 100644 --- a/tests/kyverno-policies/pod-service-account-validation/kyverno-test.yaml +++ b/tests/kyverno-policies/pod-service-account-validation/kyverno-test.yaml @@ -16,21 +16,21 @@ results: - policy: pod-service-account-validation rule: pods-require-service-account resources: - - test-service-account-pass + - test-service-account-webservice-pass kind: Pod namespace: webservice result: pass - policy: pod-service-account-validation rule: pods-require-service-account resources: - - test-service-account-fail + - test-service-account-webservice-fail kind: Pod namespace: webservice result: fail - policy: pod-service-account-validation rule: pods-require-valid-service-account-uid resources: - - pods-require-valid-service-account-uid-pass + - pods-require-valid-service-account-webservice-uid-pass kind: Pod namespace: webservice result: pass 
@@ -44,24 +44,24 @@ results: - policy: pod-service-account-validation rule: pods-require-valid-service-account-uid resources: - - pods-require-valid-service-account-uid-skip-op + - pods-require-valid-service-account-webservice-uid-skip-op kind: Pod namespace: webservice result: skip - policy: pod-service-account-validation rule: pods-require-valid-service-account-uid resources: - - pods-require-valid-service-account-uid-container-pass - - pods-require-valid-service-account-uid-init-pass + - pods-require-valid-service-account-webservice-uid-container-pass + - pods-require-valid-service-account-webservice-uid-init-pass kind: Pod namespace: webservice result: pass - policy: pod-service-account-validation rule: pods-require-valid-service-account-uid resources: - - pods-require-valid-service-account-uid-fail - - pods-require-valid-service-account-uid-container-fail - - pods-require-valid-service-account-uid-init-fail + - pods-require-valid-service-account-webservice-uid-fail + - pods-require-valid-service-account-webservice-uid-container-fail + - pods-require-valid-service-account-webservice-uid-init-fail kind: Pod namespace: webservice result: fail 
@@ -75,25 +75,25 @@ results: - policy: pod-service-account-validation rule: pods-require-valid-service-account-gid resources: - - pods-require-valid-service-account-gid-skip-op + - pods-require-valid-service-account-webservice-gid-skip-op kind: Pod namespace: webservice result: skip - policy: pod-service-account-validation rule: pods-require-valid-service-account-gid resources: - - pods-require-valid-service-account-gid-pass - - pods-require-valid-service-account-gid-container-pass - - pods-require-valid-service-account-gid-init-pass + - pods-require-valid-service-account-webservice-gid-pass + - pods-require-valid-service-account-webservice-gid-container-pass + - pods-require-valid-service-account-webservice-gid-init-pass kind: Pod namespace: webservice result: pass - policy: pod-service-account-validation rule: pods-require-valid-service-account-gid resources: - - pods-require-valid-service-account-gid-fail - - pods-require-valid-service-account-gid-container-fail - - pods-require-valid-service-account-gid-init-fail + - pods-require-valid-service-account-webservice-gid-fail + - pods-require-valid-service-account-webservice-gid-container-fail + - pods-require-valid-service-account-webservice-gid-init-fail kind: Pod namespace: webservice result: fail 
@@ -107,21 +107,21 @@ results: - policy: pod-service-account-validation rule: fsgroup-require-valid-service-account-gid resources: - - fsgroup-require-valid-service-account-gid-skip-op + - fsgroup-require-valid-service-account-webservice-gid-skip-op kind: Pod namespace: webservice result: skip - policy: pod-service-account-validation rule: fsgroup-require-valid-service-account-gid resources: - - fsgroup-require-valid-service-account-gid-pass + - fsgroup-require-valid-service-account-webservice-gid-pass kind: Pod namespace: webservice result: pass - policy: pod-service-account-validation rule: fsgroup-require-valid-service-account-gid resources: - - fsgroup-require-valid-service-account-gid-fail + - fsgroup-require-valid-service-account-webservice-gid-fail kind: Pod namespace: webservice result: fail 
@@ -135,22 +135,135 @@ results: - policy: pod-service-account-validation rule: pods-service-account-authorized-for-groups resources: - - test-groups-skip-op - - test-groups-skip-len + - test-groups-webservice-skip-op + - test-groups-webservice-skip-len kind: Pod namespace: webservice result: skip - policy: pod-service-account-validation rule: pods-service-account-authorized-for-groups resources: - - test-groups-pass + - test-groups-webservice-pass kind: Pod namespace: webservice result: pass - policy: pod-service-account-validation rule: pods-service-account-authorized-for-groups resources: - - test-groups-fail + - test-groups-webservice-fail kind: Pod namespace: webservice result: fail + - policy: pod-service-account-validation + rule: pods-require-service-account + resources: + - test-service-account-paas-pass + kind: Pod + namespace: paas + result: pass + - policy: pod-service-account-validation + rule: pods-require-service-account + resources: + - test-service-account-paas-fail + kind: Pod + namespace: paas + result: fail + - policy: pod-service-account-validation + rule: pods-require-valid-service-account-uid + resources: + - pods-require-valid-service-account-paas-uid-pass + kind: Pod + namespace: paas + result: pass + - policy: pod-service-account-validation + rule: pods-require-valid-service-account-uid + resources: + - pods-require-valid-service-account-paas-uid-skip-op + kind: Pod + namespace: paas + result: skip + - policy: pod-service-account-validation + rule: pods-require-valid-service-account-uid + resources: + - pods-require-valid-service-account-paas-uid-container-pass + - pods-require-valid-service-account-paas-uid-init-pass + kind: Pod + namespace: paas + result: pass + - policy: pod-service-account-validation + rule: pods-require-valid-service-account-uid + resources: + - pods-require-valid-service-account-paas-uid-fail + - pods-require-valid-service-account-paas-uid-container-fail + - pods-require-valid-service-account-paas-uid-init-fail + 
kind: Pod + namespace: paas + result: fail + - policy: pod-service-account-validation + rule: pods-require-valid-service-account-gid + resources: + - pods-require-valid-service-account-paas-gid-skip-op + kind: Pod + namespace: paas + result: skip + - policy: pod-service-account-validation + rule: pods-require-valid-service-account-gid + resources: + - pods-require-valid-service-account-paas-gid-pass + - pods-require-valid-service-account-paas-gid-container-pass + - pods-require-valid-service-account-paas-gid-init-pass + kind: Pod + namespace: paas + result: pass + - policy: pod-service-account-validation + rule: pods-require-valid-service-account-gid + resources: + - pods-require-valid-service-account-paas-gid-fail + - pods-require-valid-service-account-paas-gid-container-fail + - pods-require-valid-service-account-paas-gid-init-fail + kind: Pod + namespace: paas + result: fail + - policy: pod-service-account-validation + rule: fsgroup-require-valid-service-account-gid + resources: + - fsgroup-require-valid-service-account-paas-gid-skip-op + kind: Pod + namespace: paas + result: skip + - policy: pod-service-account-validation + rule: fsgroup-require-valid-service-account-gid + resources: + - fsgroup-require-valid-service-account-paas-gid-pass + kind: Pod + namespace: paas + result: pass + - policy: pod-service-account-validation + rule: fsgroup-require-valid-service-account-gid + resources: + - fsgroup-require-valid-service-account-paas-gid-fail + kind: Pod + namespace: paas + result: fail + - policy: pod-service-account-validation + rule: pods-service-account-authorized-for-groups + resources: + - test-groups-paas-skip-op + - test-groups-paas-skip-len + kind: Pod + namespace: paas + result: skip + - policy: pod-service-account-validation + rule: pods-service-account-authorized-for-groups + resources: + - test-groups-paas-pass + kind: Pod + namespace: paas + result: pass + - policy: pod-service-account-validation + rule: pods-service-account-authorized-for-groups + 
resources: + - test-groups-paas-fail + kind: Pod + namespace: paas + result: fail diff --git a/tests/kyverno-policies/pod-service-account-validation/resources.yaml b/tests/kyverno-policies/pod-service-account-validation/resources.yaml index 69298914..2a8b91a2 100644 --- a/tests/kyverno-policies/pod-service-account-validation/resources.yaml +++ b/tests/kyverno-policies/pod-service-account-validation/resources.yaml @@ -12,7 +12,7 @@ spec: apiVersion: v1 kind: Pod metadata: - name: test-service-account-pass + name: test-service-account-webservice-pass namespace: webservice labels: osc.edu/service-account: user @@ -24,7 +24,7 @@ spec: apiVersion: v1 kind: Pod metadata: - name: test-service-account-fail + name: test-service-account-webservice-fail namespace: webservice spec: containers: @@ -46,7 +46,7 @@ spec: apiVersion: v1 kind: Pod metadata: - name: pods-require-valid-service-account-uid-skip-op + name: pods-require-valid-service-account-webservice-uid-skip-op namespace: webservice labels: osc.edu/service-account: test @@ -64,7 +64,7 @@ spec: apiVersion: v1 kind: Pod metadata: - name: pods-require-valid-service-account-uid-pass + name: pods-require-valid-service-account-webservice-uid-pass namespace: webservice labels: osc.edu/service-account: test @@ -82,7 +82,7 @@ spec: apiVersion: v1 kind: Pod metadata: - name: pods-require-valid-service-account-uid-container-pass + name: pods-require-valid-service-account-webservice-uid-container-pass namespace: webservice labels: osc.edu/service-account: test @@ -99,7 +99,7 @@ spec: apiVersion: v1 kind: Pod metadata: - name: pods-require-valid-service-account-uid-init-pass + name: pods-require-valid-service-account-webservice-uid-init-pass namespace: webservice labels: osc.edu/service-account: test 
@@ -122,7 +122,7 @@ spec: apiVersion: v1 kind: Pod metadata: - name: pods-require-valid-service-account-uid-fail + name: pods-require-valid-service-account-webservice-uid-fail namespace: webservice labels: osc.edu/service-account: test @@ -140,7 +140,7 @@ spec: apiVersion: v1 kind: Pod metadata: - name: pods-require-valid-service-account-uid-container-fail + name: pods-require-valid-service-account-webservice-uid-container-fail namespace: webservice labels: osc.edu/service-account: test @@ -157,7 +157,7 @@ spec: apiVersion: v1 kind: Pod metadata: - name: pods-require-valid-service-account-uid-init-fail + name: pods-require-valid-service-account-webservice-uid-init-fail namespace: webservice labels: osc.edu/service-account: test @@ -192,7 +192,7 @@ spec: apiVersion: v1 kind: Pod metadata: - name: pods-require-valid-service-account-gid-skip-op + name: pods-require-valid-service-account-webservice-gid-skip-op namespace: webservice labels: osc.edu/service-account: test @@ -210,7 +210,7 @@ spec: apiVersion: v1 kind: Pod metadata: - name: pods-require-valid-service-account-gid-pass + name: pods-require-valid-service-account-webservice-gid-pass namespace: webservice labels: osc.edu/service-account: test @@ -228,7 +228,7 @@ spec: apiVersion: v1 kind: Pod metadata: - name: pods-require-valid-service-account-gid-container-pass + name: pods-require-valid-service-account-webservice-gid-container-pass namespace: webservice labels: osc.edu/service-account: test @@ -245,7 +245,7 @@ spec: apiVersion: v1 kind: Pod metadata: - name: pods-require-valid-service-account-gid-init-pass + name: pods-require-valid-service-account-webservice-gid-init-pass namespace: webservice labels: osc.edu/service-account: test @@ -268,7 +268,7 @@ spec: apiVersion: v1 kind: Pod metadata: - name: pods-require-valid-service-account-gid-fail + name: pods-require-valid-service-account-webservice-gid-fail namespace: webservice labels: osc.edu/service-account: test 
@@ -286,7 +286,7 @@ spec: apiVersion: v1 kind: Pod metadata: - name: pods-require-valid-service-account-gid-container-fail + name: pods-require-valid-service-account-webservice-gid-container-fail namespace: webservice labels: osc.edu/service-account: test @@ -303,7 +303,7 @@ spec: apiVersion: v1 kind: Pod metadata: - name: pods-require-valid-service-account-gid-init-fail + name: pods-require-valid-service-account-webservice-gid-init-fail namespace: webservice labels: osc.edu/service-account: test @@ -338,7 +338,7 @@ spec: apiVersion: v1 kind: Pod metadata: - name: fsgroup-require-valid-service-account-gid-skip-op + name: fsgroup-require-valid-service-account-webservice-gid-skip-op namespace: webservice labels: osc.edu/service-account: test @@ -356,7 +356,7 @@ spec: apiVersion: v1 kind: Pod metadata: - name: fsgroup-require-valid-service-account-gid-pass + name: fsgroup-require-valid-service-account-webservice-gid-pass namespace: webservice labels: osc.edu/service-account: test @@ -374,7 +374,7 @@ spec: apiVersion: v1 kind: Pod metadata: - name: fsgroup-require-valid-service-account-gid-fail + name: fsgroup-require-valid-service-account-webservice-gid-fail namespace: webservice labels: osc.edu/service-account: test @@ -402,7 +402,7 @@ spec: apiVersion: v1 kind: Pod metadata: - name: test-groups-skip-op + name: test-groups-webservice-skip-op namespace: webservice labels: osc.edu/service-account: test @@ -417,7 +417,7 @@ spec: apiVersion: v1 kind: Pod metadata: - name: test-groups-skip-len + name: test-groups-webservice-skip-len namespace: webservice labels: osc.edu/service-account: test @@ -431,7 +431,7 @@ spec: apiVersion: v1 kind: Pod metadata: - name: test-groups-pass + name: test-groups-webservice-pass namespace: webservice labels: osc.edu/service-account: test @@ -447,7 +447,7 @@ spec: apiVersion: v1 kind: Pod metadata: - name: test-groups-fail + name: test-groups-webservice-fail namespace: webservice labels: osc.edu/service-account: test 
@@ -458,3 +458,419 @@ spec: containers: - name: nginx image: nginx:1.12 +--- +apiVersion: v1 +kind: Pod +metadata: + name: test-service-account-paas-pass + namespace: paas + labels: + osc.edu/service-account: user +spec: + containers: + - name: nginx + image: nginx:1.12 +--- +apiVersion: v1 +kind: Pod +metadata: + name: test-service-account-paas-fail + namespace: paas +spec: + containers: + - name: nginx + image: nginx:1.12 +--- +apiVersion: v1 +kind: Pod +metadata: + name: pods-require-valid-service-account-paas-uid-skip + namespace: user-test +spec: + securityContext: + supplementalGroups: [] + containers: + - name: nginx + image: nginx:1.12 +--- +apiVersion: v1 +kind: Pod +metadata: + name: pods-require-valid-service-account-paas-uid-skip-op + namespace: paas + labels: + osc.edu/service-account: test +spec: + securityContext: + runAsUser: 1000 + runAsGroup: 1001 + fsGroup: 1001 + supplementalGroups: [] + runAsNonRoot: true + containers: + - name: nginx + image: nginx:1.12 +--- +apiVersion: v1 +kind: Pod +metadata: + name: pods-require-valid-service-account-paas-uid-pass + namespace: paas + labels: + osc.edu/service-account: test +spec: + securityContext: + runAsUser: 1000 + runAsGroup: 1001 + fsGroup: 1001 + supplementalGroups: [] + runAsNonRoot: true + containers: + - name: nginx + image: nginx:1.12 +--- +apiVersion: v1 +kind: Pod +metadata: + name: pods-require-valid-service-account-paas-uid-container-pass + namespace: paas + labels: + osc.edu/service-account: test +spec: + securityContext: + supplementalGroups: [] + containers: + - name: nginx + image: nginx:1.12 + securityContext: + runAsUser: 1000 + runAsGroup: 1001 +--- +apiVersion: v1 +kind: Pod +metadata: + name: pods-require-valid-service-account-paas-uid-init-pass + namespace: paas + labels: + osc.edu/service-account: test +spec: + securityContext: + supplementalGroups: [] + containers: + - name: nginx + image: nginx:1.12 + securityContext: + runAsUser: 1000 + runAsGroup: 1001 + initContainers: + - 
name: nginx + image: nginx:1.12 + securityContext: + runAsUser: 1000 + runAsGroup: 1001 +--- +apiVersion: v1 +kind: Pod +metadata: + name: pods-require-valid-service-account-paas-uid-fail + namespace: paas + labels: + osc.edu/service-account: test +spec: + securityContext: + runAsUser: 1002 + runAsGroup: 1001 + fsGroup: 1001 + supplementalGroups: [] + runAsNonRoot: true + containers: + - name: nginx + image: nginx:1.12 +--- +apiVersion: v1 +kind: Pod +metadata: + name: pods-require-valid-service-account-paas-uid-container-fail + namespace: paas + labels: + osc.edu/service-account: test +spec: + securityContext: + supplementalGroups: [] + containers: + - name: nginx + image: nginx:1.12 + securityContext: + runAsUser: 1002 + runAsGroup: 1001 +--- +apiVersion: v1 +kind: Pod +metadata: + name: pods-require-valid-service-account-paas-uid-init-fail + namespace: paas + labels: + osc.edu/service-account: test +spec: + securityContext: + supplementalGroups: [] + containers: + - name: nginx + image: nginx:1.12 + securityContext: + runAsUser: 1002 + runAsGroup: 1001 + initContainers: + - name: nginx + image: nginx:1.12 + securityContext: + runAsUser: 1002 + runAsGroup: 1001 +--- +apiVersion: v1 +kind: Pod +metadata: + name: pods-require-valid-service-account-paas-gid-skip-op + namespace: paas + labels: + osc.edu/service-account: test +spec: + securityContext: + runAsUser: 1000 + runAsGroup: 1001 + fsGroup: 1001 + supplementalGroups: [] + runAsNonRoot: true + containers: + - name: nginx + image: nginx:1.12 +--- +apiVersion: v1 +kind: Pod +metadata: + name: pods-require-valid-service-account-paas-gid-pass + namespace: paas + labels: + osc.edu/service-account: test +spec: + securityContext: + runAsUser: 1000 + runAsGroup: 1001 + fsGroup: 1001 + supplementalGroups: [] + runAsNonRoot: true + containers: + - name: nginx + image: nginx:1.12 +--- +apiVersion: v1 +kind: Pod +metadata: + name: pods-require-valid-service-account-paas-gid-container-pass + namespace: paas + labels: + 
osc.edu/service-account: test +spec: + securityContext: + supplementalGroups: [] + containers: + - name: nginx + image: nginx:1.12 + securityContext: + runAsUser: 1000 + runAsGroup: 1001 +--- +apiVersion: v1 +kind: Pod +metadata: + name: pods-require-valid-service-account-paas-gid-init-pass + namespace: paas + labels: + osc.edu/service-account: test +spec: + securityContext: + supplementalGroups: [] + containers: + - name: nginx + image: nginx:1.12 + securityContext: + runAsUser: 1000 + runAsGroup: 1001 + initContainers: + - name: nginx + image: nginx:1.12 + securityContext: + runAsUser: 1000 + runAsGroup: 1001 +--- +apiVersion: v1 +kind: Pod +metadata: + name: pods-require-valid-service-account-paas-gid-fail + namespace: paas + labels: + osc.edu/service-account: test +spec: + securityContext: + runAsUser: 1000 + runAsGroup: 1003 + fsGroup: 1001 + supplementalGroups: [] + runAsNonRoot: true + containers: + - name: nginx + image: nginx:1.12 +--- +apiVersion: v1 +kind: Pod +metadata: + name: pods-require-valid-service-account-paas-gid-container-fail + namespace: paas + labels: + osc.edu/service-account: test +spec: + securityContext: + supplementalGroups: [] + containers: + - name: nginx + image: nginx:1.12 + securityContext: + runAsUser: 1000 + runAsGroup: 1003 +--- +apiVersion: v1 +kind: Pod +metadata: + name: pods-require-valid-service-account-paas-gid-init-fail + namespace: paas + labels: + osc.edu/service-account: test +spec: + securityContext: + supplementalGroups: [] + containers: + - name: nginx + image: nginx:1.12 + securityContext: + runAsUser: 1000 + runAsGroup: 1003 + initContainers: + - name: nginx + image: nginx:1.12 + securityContext: + runAsUser: 1000 + runAsGroup: 1003 +--- +apiVersion: v1 +kind: Pod +metadata: + name: fsgroup-require-valid-service-account-paas-gid-skip-op + namespace: paas + labels: + osc.edu/service-account: test +spec: + securityContext: + runAsUser: 1000 + runAsGroup: 1001 + fsGroup: 1001 + supplementalGroups: [] + runAsNonRoot: 
true + containers: + - name: nginx + image: nginx:1.12 +--- +apiVersion: v1 +kind: Pod +metadata: + name: fsgroup-require-valid-service-account-paas-gid-pass + namespace: paas + labels: + osc.edu/service-account: test +spec: + securityContext: + runAsUser: 1000 + runAsGroup: 1001 + fsGroup: 1001 + supplementalGroups: [] + runAsNonRoot: true + containers: + - name: nginx + image: nginx:1.12 +--- +apiVersion: v1 +kind: Pod +metadata: + name: fsgroup-require-valid-service-account-paas-gid-fail + namespace: paas + labels: + osc.edu/service-account: test +spec: + securityContext: + runAsUser: 1000 + runAsGroup: 1001 + fsGroup: 1003 + supplementalGroups: [] + runAsNonRoot: true + containers: + - name: nginx + image: nginx:1.12 +--- +apiVersion: v1 +kind: Pod +metadata: + name: test-groups-paas-skip-op + namespace: paas + labels: + osc.edu/service-account: test +spec: + securityContext: + supplementalGroups: + - 1002 + containers: + - name: nginx + image: nginx:1.12 +--- +apiVersion: v1 +kind: Pod +metadata: + name: test-groups-paas-skip-len + namespace: paas + labels: + osc.edu/service-account: test +spec: + securityContext: + supplementalGroups: [] + containers: + - name: nginx + image: nginx:1.12 +--- +apiVersion: v1 +kind: Pod +metadata: + name: test-groups-paas-pass + namespace: paas + labels: + osc.edu/service-account: test +spec: + securityContext: + supplementalGroups: + - 1000 + - 1001 + containers: + - name: nginx + image: nginx:1.12 +--- +apiVersion: v1 +kind: Pod +metadata: + name: test-groups-paas-fail + namespace: paas + labels: + osc.edu/service-account: test +spec: + securityContext: + supplementalGroups: + - 1002 + containers: + - name: nginx + image: nginx:1.12 diff --git a/tests/kyverno-policies/pod-service-account-validation/variables.yaml b/tests/kyverno-policies/pod-service-account-validation/variables.yaml index 960abb35..8d0e7d93 100644 --- a/tests/kyverno-policies/pod-service-account-validation/variables.yaml 
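Review bot: The `pods-require-valid-service-account-paas-uid-init-fail` and `pods-require-valid-service-account-paas-gid-init-fail` fixtures put the same invalid value on both the main container and the init container (`runAsUser: 1002` in both, `runAsGroup: 1003` in both), so the expected `fail` is already produced by the main-container check and would still hold if the rule never inspected `initContainers`. To make these cases actually pin init-container coverage, keep the main container valid and place the bad value only on the init container, e.g. in the uid init-fail fixture set the main container to `runAsUser: 1000` / `runAsGroup: 1001` and leave the init container at `runAsUser: 1002`. The webservice fixtures these were cloned from have the same weakness, and if the rule also walks `spec.ephemeralContainers` (the policy template is not in this diff, so unconfirmed) there is no fixture for that path at all. Separately, `pods-require-valid-service-account-paas-uid-skip` lives in namespace `user-test` like the un-renamed `pods-require-valid-service-account-uid-skip`, so it only exercises the namespace selector and has no matching `request.operation` entry in variables.yaml.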
+++ b/tests/kyverno-policies/pod-service-account-validation/variables.yaml 
@@ -17,76 +17,145 @@ policies: - name: pods-require-valid-service-account-uid-skip values: request.operation: CREATE - - name: pods-require-valid-service-account-uid-skip-op + - name: pods-require-valid-service-account-webservice-uid-skip-op values: request.operation: DELETE - - name: pods-require-valid-service-account-uid-pass + - name: pods-require-valid-service-account-webservice-uid-pass values: request.operation: CREATE - - name: pods-require-valid-service-account-uid-container-pass + - name: pods-require-valid-service-account-webservice-uid-container-pass values: request.operation: CREATE - - name: pods-require-valid-service-account-uid-init-pass + - name: pods-require-valid-service-account-webservice-uid-init-pass values: request.operation: CREATE - - name: pods-require-valid-service-account-uid-fail + - name: pods-require-valid-service-account-webservice-uid-fail values: request.operation: CREATE - - name: pods-require-valid-service-account-uid-container-fail + - name: pods-require-valid-service-account-webservice-uid-container-fail values: request.operation: CREATE - - name: pods-require-valid-service-account-uid-init-fail + - name: pods-require-valid-service-account-webservice-uid-init-fail values: request.operation: CREATE - name: pods-require-valid-service-account-gid-skip values: request.operation: CREATE - - name: pods-require-valid-service-account-gid-skip-op + - name: pods-require-valid-service-account-webservice-gid-skip-op values: request.operation: DELETE - - name: pods-require-valid-service-account-gid-pass + - name: pods-require-valid-service-account-webservice-gid-pass values: request.operation: CREATE - - name: pods-require-valid-service-account-gid-container-pass + - name: pods-require-valid-service-account-webservice-gid-container-pass values: request.operation: CREATE - - name: pods-require-valid-service-account-gid-init-pass + - name: pods-require-valid-service-account-webservice-gid-init-pass values: request.operation: CREATE - - name: 
pods-require-valid-service-account-gid-fail + - name: pods-require-valid-service-account-webservice-gid-fail values: request.operation: CREATE - - name: pods-require-valid-service-account-gid-container-fail + - name: pods-require-valid-service-account-webservice-gid-container-fail values: request.operation: CREATE - - name: pods-require-valid-service-account-gid-init-fail + - name: pods-require-valid-service-account-webservice-gid-init-fail values: request.operation: CREATE - name: fsgroup-require-valid-service-account-gid-skip values: request.operation: CREATE - - name: fsgroup-require-valid-service-account-gid-skip-op + - name: fsgroup-require-valid-service-account-webservice-gid-skip-op values: request.operation: DELETE - - name: fsgroup-require-valid-service-account-gid-pass + - name: fsgroup-require-valid-service-account-webservice-gid-pass values: request.operation: CREATE - - name: fsgroup-require-valid-service-account-gid-fail + - name: fsgroup-require-valid-service-account-webservice-gid-fail values: request.operation: CREATE - - name: test-groups-skip + - name: test-groups-webservice-skip values: request.operation: CREATE - - name: test-groups-skip-op + - name: test-groups-webservice-skip-op values: request.operation: DELETE - - name: test-groups-skip-len + - name: test-groups-webservice-skip-len values: request.operation: CREATE - - name: test-groups-pass + - name: test-groups-webservice-pass values: request.operation: CREATE - - name: test-groups-fail + - name: test-groups-webservice-fail + values: + request.operation: CREATE + - name: pods-require-valid-service-account-paas-uid-skip-op + values: + request.operation: DELETE + - name: pods-require-valid-service-account-paas-uid-pass + values: + request.operation: CREATE + - name: pods-require-valid-service-account-paas-uid-container-pass + values: + request.operation: CREATE + - name: pods-require-valid-service-account-paas-uid-init-pass + values: + request.operation: CREATE + - name: 
pods-require-valid-service-account-paas-uid-fail + values: + request.operation: CREATE + - name: pods-require-valid-service-account-paas-uid-container-fail + values: + request.operation: CREATE + - name: pods-require-valid-service-account-paas-uid-init-fail + values: + request.operation: CREATE + - name: pods-require-valid-service-account-paas-gid-skip-op + values: + request.operation: DELETE + - name: pods-require-valid-service-account-paas-gid-pass + values: + request.operation: CREATE + - name: pods-require-valid-service-account-paas-gid-container-pass + values: + request.operation: CREATE + - name: pods-require-valid-service-account-paas-gid-init-pass + values: + request.operation: CREATE + - name: pods-require-valid-service-account-paas-gid-fail + values: + request.operation: CREATE + - name: pods-require-valid-service-account-paas-gid-container-fail + values: + request.operation: CREATE + - name: pods-require-valid-service-account-paas-gid-init-fail + values: + request.operation: CREATE + - name: fsgroup-require-valid-service-account-gid-skip + values: + request.operation: CREATE + - name: fsgroup-require-valid-service-account-paas-gid-skip-op + values: + request.operation: DELETE + - name: fsgroup-require-valid-service-account-paas-gid-pass + values: + request.operation: CREATE + - name: fsgroup-require-valid-service-account-paas-gid-fail + values: + request.operation: CREATE + - name: test-groups-paas-skip + values: + request.operation: CREATE + - name: test-groups-paas-skip-op + values: + request.operation: DELETE + - name: test-groups-paas-skip-len + values: + request.operation: CREATE + - name: test-groups-paas-pass + values: + request.operation: CREATE + - name: test-groups-paas-fail values: request.operation: CREATE namespaceSelector: @@ -96,3 +165,6 @@ namespaceSelector: - name: webservice labels: osc.edu/role: webservice + - name: paas + labels: + osc.edu/role: paas 
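Review bot: The paas block at the end of this hunk adds a second `- name: fsgroup-require-valid-service-account-gid-skip` entry, duplicating the existing one earlier in the list, and a `- name: test-groups-paas-skip` entry for which resources.yaml defines no Pod (the paas group fixtures added there are only `-skip-op`, `-skip-len`, `-pass` and `-fail`). In the other direction, `test-groups-skip` is renamed here to `test-groups-webservice-skip` while the resources.yaml hunks in this diff show no matching rename, so the existing `test-groups-skip` Pod appears to be left without a `request.operation` value. I would drop the two orphan paas entries and restore `- name: test-groups-skip`, unless that Pod is renamed somewhere outside this diff. Judging from `pods-require-valid-service-account-paas-uid-skip`, the `-skip` fixtures live in the role-less `user-test` namespace, so they do not need per-role copies.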
diff --git a/tests/kyverno-policies/restrict-host-path/kyverno-test.yaml b/tests/kyverno-policies/restrict-host-path/kyverno-test.yaml index 44631dd5..f5acd51f 100644 --- a/tests/kyverno-policies/restrict-host-path/kyverno-test.yaml +++ b/tests/kyverno-policies/restrict-host-path/kyverno-test.yaml @@ -57,3 +57,32 @@ results: kind: Pod namespace: webservice result: pass + - policy: restrict-host-path + rule: paas-host-path + resources: + - test-skip-paas + kind: Pod + namespace: user-test + result: skip + - policy: restrict-host-path + rule: paas-host-path + resources: + - test-pass-paas + - test-no-hostpath-pass-paas + kind: Pod + namespace: paas + result: pass + - policy: restrict-host-path + rule: paas-host-path + resources: + - test-fail-paas + kind: Pod + namespace: paas + result: fail + - policy: restrict-host-path + rule: paas-host-path + resources: + - test-paas-mariadb + kind: Pod + namespace: paas + result: pass diff --git a/tests/kyverno-policies/restrict-host-path/resources.yaml b/tests/kyverno-policies/restrict-host-path/resources.yaml index 85dd0723..c58acd9d 100644 --- a/tests/kyverno-policies/restrict-host-path/resources.yaml +++ b/tests/kyverno-policies/restrict-host-path/resources.yaml 
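Review bot: The `test-paas-mariadb` result expects `pass`, but that Pod's only hostPath is `/users/sysp/test`, which `test-pass-paas` already shows is allowed on its own, so this case says nothing about how `paas-host-path` treats the `app.kubernetes.io/name: mariadb` label. If the rule carries a mariadb exception (the template change is not in this diff), the fixture should use a path outside the allowlist, such as the `/etc/test` used by `test-fail-paas`, so the expected `pass` actually depends on that exception; if there is no such exception, the mariadb fixtures are just copies of the webservice ones and should be dropped. Note that an exception keyed on a label any Pod author can set is an easy bypass of a hostPath restriction, so if it exists it deserves a deliberate negative case as well. `test-pass-paas-mariadb` is defined in resources.yaml but referenced by no result here, so it is dead fixture data either way.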
@@ -169,3 +169,107 @@ spec: hostPath: path: /users/sysp/test type: Directory +--- +apiVersion: v1 +kind: Pod +metadata: + name: test-skip-paas + namespace: user-test +spec: + containers: + - name: nginx + image: nginx:1.12 + volumes: + - name: home + hostPath: + path: /home/test + type: Directory + - name: configmap + configMap: + name: config +--- +apiVersion: v1 +kind: Pod +metadata: + name: test-pass-paas + namespace: paas +spec: + containers: + - name: nginx + image: nginx:1.12 + volumes: + - name: configmap + configMap: + name: config + - name: home + hostPath: + path: /users/sysp/test + type: Directory +--- +apiVersion: v1 +kind: Pod +metadata: + name: test-no-hostpath-pass-paas + namespace: paas +spec: + containers: + - name: nginx + image: nginx:1.12 + volumes: + - name: configmap + configMap: + name: config +--- +apiVersion: v1 +kind: Pod +metadata: + name: test-fail-paas + namespace: paas +spec: + containers: + - name: nginx + image: nginx:1.12 + volumes: + - name: home + hostPath: + path: /etc/test + type: Directory + - name: configmap + configMap: + name: config +--- +apiVersion: v1 +kind: Pod +metadata: + name: test-pass-paas-mariadb + namespace: paas + labels: + app.kubernetes.io/name: mariadb +spec: + containers: + - name: mariadb + image: nginx:1.12 + volumes: + - name: configmap + configMap: + name: config +--- +apiVersion: v1 +kind: Pod +metadata: + name: test-paas-mariadb + namespace: paas + labels: + app.kubernetes.io/name: mariadb +spec: + containers: + - name: mariadb + image: nginx:1.12 + volumes: + - name: configmap + configMap: + name: config + - name: home + hostPath: + path: /users/sysp/test + type: Directory diff --git a/tests/kyverno-policies/restrict-host-path/variables.yaml b/tests/kyverno-policies/restrict-host-path/variables.yaml index 7f090596..296831db 100644 --- a/tests/kyverno-policies/restrict-host-path/variables.yaml +++ b/tests/kyverno-policies/restrict-host-path/variables.yaml 
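Review bot: All the new paas fixtures use canonical, well-formed paths, so nothing checks that the allowlist cannot be escaped by traversal or by a sibling prefix: a hostPath like `/users/sysp/../../etc` starts under an allowed root, and if `paas-host-path` compares the literal string with a prefix or wildcard pattern (the template is not in this diff) it would be accepted while mounting a very different directory. I would add a `fail` fixture for that, e.g. a copy of `test-fail-paas` with `path: /users/sysp/../../etc`, and another for a sibling path such as `/users2/test` to confirm the patterns are anchored at a path separator rather than matching a bare prefix. `test-pass-paas-mariadb` is defined here but never referenced in kyverno-test.yaml; either wire it into a result or remove it.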
@@ -8,3 +8,6 @@ namespaceSelector: - name: webservice labels: osc.edu/role: webservice + - name: paas + labels: + osc.edu/role: paas