Commit
feat: add miscellaneous policies in CEL expressions - Part 3 (#1028)
* copy prevent-linkerd-pod-injection-override
  Signed-off-by: Chandan-DK <chandandk468@gmail.com>
* add kyverno tests for prevent-linkerd-pod-injection-override
  Signed-off-by: Chandan-DK <chandandk468@gmail.com>
* convert prevent-linkerd-pod-injection-override
  Signed-off-by: Chandan-DK <chandandk468@gmail.com>
* add metadata section to template
  This is done in order to avoid a `no such key: metadata` error in the kyverno tests for the CEL policy
  Signed-off-by: Chandan-DK <chandandk468@gmail.com>
* add kyverno tests for prevent-linkerd-pod-injection-override in regular policy
  Signed-off-by: Chandan-DK <chandandk468@gmail.com>
* copy prevent-linkerd-port-skipping
  Signed-off-by: Chandan-DK <chandandk468@gmail.com>
* correct invalid chainsaw test resources to remove errors
  Signed-off-by: Chandan-DK <chandandk468@gmail.com>
* add kyverno tests
  Signed-off-by: Chandan-DK <chandandk468@gmail.com>
* convert prevent-linkerd-port-skipping
  Signed-off-by: Chandan-DK <chandandk468@gmail.com>
* copy require-linkerd-mesh-injection
  Signed-off-by: Chandan-DK <chandandk468@gmail.com>
* add kyverno tests for require-linkerd-mesh-injection
  Signed-off-by: Chandan-DK <chandandk468@gmail.com>
* convert require-linkerd-mesh-injection
  Signed-off-by: Chandan-DK <chandandk468@gmail.com>
* copy disallow-ingress-nginx-custom-snippets
  Signed-off-by: Chandan-DK <chandandk468@gmail.com>
* convert disallow-ingress-nginx-custom-snippets
  Signed-off-by: Chandan-DK <chandandk468@gmail.com>
* copy restrict-annotations
  Signed-off-by: Chandan-DK <chandandk468@gmail.com>
* convert restrict-annotations
  Signed-off-by: Chandan-DK <chandandk468@gmail.com>
* copy restrict-ingress-paths
  Signed-off-by: Chandan-DK <chandandk468@gmail.com>
* add kyverno test for one more failing condition
  Signed-off-by: Chandan-DK <chandandk468@gmail.com>
* convert restrict-ingress-paths
  Signed-off-by: Chandan-DK <chandandk468@gmail.com>
* copy check-routes
  Signed-off-by: Chandan-DK <chandandk468@gmail.com>
* convert check-routes
  Signed-off-by: Chandan-DK <chandandk468@gmail.com>
* copy disallow-deprecated-apis/
  Signed-off-by: Chandan-DK <chandandk468@gmail.com>
* convert disallow-deprecated-apis
  Signed-off-by: Chandan-DK <chandandk468@gmail.com>
* copy disallow-default-tlsoptions
  Signed-off-by: Chandan-DK <chandandk468@gmail.com>
* convert disallow-default-tlsoptions
  Signed-off-by: Chandan-DK <chandandk468@gmail.com>
* copy add-psa-namespace-reporting
  Signed-off-by: Chandan-DK <chandandk468@gmail.com>
* convert add-psa-namespace-reporting
  Signed-off-by: Chandan-DK <chandandk468@gmail.com>
* copy deny-privileged-profile
  Signed-off-by: Chandan-DK <chandandk468@gmail.com>
* convert deny-privileged-profile
  Signed-off-by: Chandan-DK <chandandk468@gmail.com>
* add kyverno tests for deny-privileged-profile
  Signed-off-by: Chandan-DK <chandandk468@gmail.com>
* copy disallow-jenkins-pipeline-strategy
  Signed-off-by: Chandan-DK <chandandk468@gmail.com>
* convert disallow-jenkins-pipeline-strategy
  Signed-off-by: Chandan-DK <chandandk468@gmail.com>
* copy disallow-security-context-constraint-anyuid
  Signed-off-by: Chandan-DK <chandandk468@gmail.com>
* convert disallow-security-context-constraint-anyuid
  Signed-off-by: Chandan-DK <chandandk468@gmail.com>
* copy openshift-cel/disallow-self-provisioner-binding
  Signed-off-by: Chandan-DK <chandandk468@gmail.com>
* convert disallow-self-provisioner-binding
  Signed-off-by: Chandan-DK <chandandk468@gmail.com>
* copy enforce-etcd-encryption
  Signed-off-by: Chandan-DK <chandandk468@gmail.com>
* convert enforce-etcd-encryption
  Signed-off-by: Chandan-DK <chandandk468@gmail.com>
* add CI tests for cel policies
  Signed-off-by: Chandan-DK <chandandk468@gmail.com>
* remove comments for CI tests
  Signed-off-by: Chandan-DK <chandandk468@gmail.com>
* rename files for clarity
  Signed-off-by: Chandan-DK <chandandk468@gmail.com>
* specify CREATE and UPDATE operations explicitly
  Signed-off-by: Chandan-DK <chandandk468@gmail.com>
* remove disallow-self-provisioner-binding as it gives errors that need further investigation
  Signed-off-by: Chandan-DK <chandandk468@gmail.com>

---------

Signed-off-by: Chandan-DK <chandandk468@gmail.com>
Co-authored-by: Mariam Fahmy <mariam.fahmy@nirmata.com>
1 parent: 7cff98b. Commit: 5bfc1aa.

Showing 125 changed files with 4,066 additions and 17 deletions.
linkerd-cel/prevent-linkerd-pod-injection-override/.chainsaw-test/bad-pod.yaml (10 additions, 0 deletions)
@@ -0,0 +1,10 @@ | ||
apiVersion: v1 | ||
kind: Pod | ||
metadata: | ||
annotations: | ||
linkerd.io/inject: disabled | ||
name: badpod01 | ||
spec: | ||
containers: | ||
- image: busybox:1.35 | ||
name: busybox |
linkerd-cel/prevent-linkerd-pod-injection-override/.chainsaw-test/bad-podcontrollers.yaml (42 additions, 0 deletions)
@@ -0,0 +1,42 @@ | ||
apiVersion: apps/v1 | ||
kind: Deployment | ||
metadata: | ||
labels: | ||
app: busybox | ||
name: baddeploy01 | ||
spec: | ||
replicas: 1 | ||
selector: | ||
matchLabels: | ||
app: busybox | ||
template: | ||
metadata: | ||
labels: | ||
app: busybox | ||
annotations: | ||
linkerd.io/inject: disabled | ||
spec: | ||
containers: | ||
- name: busybox | ||
image: busybox:1.35 | ||
--- | ||
apiVersion: batch/v1 | ||
kind: CronJob | ||
metadata: | ||
name: badcronjob01 | ||
spec: | ||
schedule: "* * * * *" | ||
jobTemplate: | ||
spec: | ||
template: | ||
metadata: | ||
annotations: | ||
linkerd.io/inject: disabled | ||
spec: | ||
containers: | ||
- name: hello | ||
image: busybox:1.35 | ||
command: | ||
- "sleep" | ||
- "3600" | ||
restartPolicy: OnFailure |
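Review bot: both negatives correctly place `linkerd.io/inject: disabled` on the pod template rather than on the controller's own `metadata`, which is where the Linkerd injector actually reads it; the mirror case is missing from the positives, though. A Deployment that carries the annotation only at its top-level `metadata` has no effect on injection and must not be rejected, so a fixture of that shape belongs in good-podcontrollers.yaml to pin down that the auto-generated controller rule looks at `spec.template.metadata` and nothing else.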
linkerd-cel/prevent-linkerd-pod-injection-override/.chainsaw-test/chainsaw-test.yaml (38 additions, 0 deletions)
@@ -0,0 +1,38 @@ | ||
# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json | ||
apiVersion: chainsaw.kyverno.io/v1alpha1 | ||
kind: Test | ||
metadata: | ||
creationTimestamp: null | ||
name: prevent-linkerd-pod-injection-override | ||
spec: | ||
steps: | ||
- name: step-01 | ||
try: | ||
- apply: | ||
file: ../prevent-linkerd-pod-injection-override.yaml | ||
- patch: | ||
resource: | ||
apiVersion: kyverno.io/v1 | ||
kind: ClusterPolicy | ||
metadata: | ||
name: prevent-linkerd-pod-injection-override | ||
spec: | ||
validationFailureAction: Enforce | ||
- assert: | ||
file: policy-ready.yaml | ||
- name: step-02 | ||
try: | ||
- apply: | ||
file: good-pod.yaml | ||
- apply: | ||
file: good-podcontrollers.yaml | ||
- apply: | ||
expect: | ||
- check: | ||
($error != null): true | ||
file: bad-pod.yaml | ||
- apply: | ||
expect: | ||
- check: | ||
($error != null): true | ||
file: bad-podcontrollers.yaml |
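Review bot: the two negative steps only assert `($error != null): true`, which any apply failure satisfies (a schema rejection or a missing namespace would pass the test just as well as a policy denial); tighten the `check` so it inspects `$error` for the rule's own message, `Pods may not disable sidecar injection.`, so the step can only pass when Kyverno is the component rejecting the resource. The `validationFailureAction: Enforce` patch in step-01 is needed, since the policy ships as `Audit` and would otherwise admit both bad fixtures.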
linkerd-cel/prevent-linkerd-pod-injection-override/.chainsaw-test/good-pod.yaml (20 additions, 0 deletions)
@@ -0,0 +1,20 @@ | ||
apiVersion: v1 | ||
kind: Pod | ||
metadata: | ||
annotations: | ||
linkerd.io/inject: enabled | ||
name: goodpod01 | ||
spec: | ||
containers: | ||
- image: busybox:1.35 | ||
name: busybox | ||
--- | ||
apiVersion: v1 | ||
kind: Pod | ||
metadata: | ||
name: goodpod02 | ||
spec: | ||
containers: | ||
- image: busybox:1.35 | ||
name: busybox | ||
resources: {} |
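Review bot: the positives cover a pod with `linkerd.io/inject: enabled` and a pod with no annotations at all, but not a pod whose annotations map exists without the `linkerd.io/inject` key, so the expression's middle disjunct, `!('linkerd.io/inject' in object.metadata.annotations)`, is never exercised; add a third pod with only an unrelated annotation such as `foo: bar` (the port-skipping fixtures in this same commit already use that pattern). The trailing `resources: {}` on `goodpod02` is noise relative to `goodpod01` and can be dropped.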
linkerd-cel/prevent-linkerd-pod-injection-override/.chainsaw-test/good-podcontrollers.yaml (83 additions, 0 deletions)
@@ -0,0 +1,83 @@ | ||
apiVersion: apps/v1 | ||
kind: Deployment | ||
metadata: | ||
labels: | ||
app: busybox | ||
name: gooddeploy01 | ||
spec: | ||
replicas: 1 | ||
selector: | ||
matchLabels: | ||
app: busybox | ||
template: | ||
metadata: | ||
labels: | ||
app: busybox | ||
spec: | ||
containers: | ||
- name: busybox | ||
image: busybox:1.35 | ||
--- | ||
apiVersion: apps/v1 | ||
kind: Deployment | ||
metadata: | ||
labels: | ||
app: busybox | ||
name: gooddeploy02 | ||
spec: | ||
replicas: 1 | ||
selector: | ||
matchLabels: | ||
app: busybox | ||
template: | ||
metadata: | ||
labels: | ||
app: busybox | ||
annotations: | ||
linkerd.io/inject: enabled | ||
spec: | ||
containers: | ||
- name: busybox | ||
image: busybox:1.35 | ||
--- | ||
apiVersion: batch/v1 | ||
kind: CronJob | ||
metadata: | ||
name: goodcronjob01 | ||
spec: | ||
schedule: "* * * * *" | ||
jobTemplate: | ||
spec: | ||
template: | ||
metadata: | ||
labels: | ||
app: busybox | ||
spec: | ||
containers: | ||
- name: hello | ||
image: busybox:1.35 | ||
command: | ||
- "sleep" | ||
- "3600" | ||
restartPolicy: OnFailure | ||
--- | ||
apiVersion: batch/v1 | ||
kind: CronJob | ||
metadata: | ||
name: goodcronjob02 | ||
spec: | ||
schedule: "* * * * *" | ||
jobTemplate: | ||
spec: | ||
template: | ||
metadata: | ||
annotations: | ||
linkerd.io/inject: enabled | ||
spec: | ||
containers: | ||
- name: hello | ||
image: busybox:1.35 | ||
command: | ||
- "sleep" | ||
- "3600" | ||
restartPolicy: OnFailure |
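Review bot: `goodcronjob01` carries a `metadata.labels` block on its pod template that neither `goodcronjob02` nor the bad CronJob needs; per the commit message it exists to avoid a `no such key: metadata` CEL error, so the fixture has been shaped around the policy expression guarding `has(object.metadata.annotations)` without first guarding `has(object.metadata)`. A CronJob whose template has a bare `spec` and no `metadata` is valid and is exactly the positive case this file should contain, with the guard fixed in the policy instead. Separately, consider `suspend: true` on the good CronJobs: they are admitted, and with `schedule: "* * * * *"` each one starts a `sleep 3600` Job every minute for as long as the test leaves it in the cluster.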
linkerd-cel/prevent-linkerd-pod-injection-override/.chainsaw-test/policy-ready.yaml (6 additions, 0 deletions)
@@ -0,0 +1,6 @@ | ||
apiVersion: kyverno.io/v1 | ||
kind: ClusterPolicy | ||
metadata: | ||
name: prevent-linkerd-pod-injection-override | ||
status: | ||
ready: true |
linkerd-cel/prevent-linkerd-pod-injection-override/.kyverno-test/kyverno-test.yaml (51 additions, 0 deletions)
@@ -0,0 +1,51 @@ | ||
apiVersion: cli.kyverno.io/v1alpha1 | ||
kind: Test | ||
metadata: | ||
name: prevent-linkerd-pod-injection-override | ||
policies: | ||
- ../prevent-linkerd-pod-injection-override.yaml | ||
resources: | ||
- ../.chainsaw-test/bad-pod.yaml | ||
- ../.chainsaw-test/bad-podcontrollers.yaml | ||
- ../.chainsaw-test/good-pod.yaml | ||
- ../.chainsaw-test/good-podcontrollers.yaml | ||
results: | ||
- policy: prevent-linkerd-pod-injection-override | ||
rule: pod-injection-override | ||
kind: Pod | ||
resources: | ||
- badpod01 | ||
result: fail | ||
- policy: prevent-linkerd-pod-injection-override | ||
rule: pod-injection-override | ||
kind: Deployment | ||
resources: | ||
- baddeploy01 | ||
result: fail | ||
- policy: prevent-linkerd-pod-injection-override | ||
rule: pod-injection-override | ||
kind: CronJob | ||
resources: | ||
- badcronjob01 | ||
result: fail | ||
- policy: prevent-linkerd-pod-injection-override | ||
rule: pod-injection-override | ||
kind: Pod | ||
resources: | ||
- goodpod01 | ||
- goodpod02 | ||
result: pass | ||
- policy: prevent-linkerd-pod-injection-override | ||
rule: pod-injection-override | ||
kind: Deployment | ||
resources: | ||
- gooddeploy01 | ||
- gooddeploy02 | ||
result: pass | ||
- policy: prevent-linkerd-pod-injection-override | ||
rule: pod-injection-override | ||
kind: CronJob | ||
resources: | ||
- goodcronjob01 | ||
- goodcronjob02 | ||
result: pass |
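Review bot: the Deployment and CronJob expectations reference `rule: pod-injection-override` although the policy's `match` lists only `Pod`; this relies on the CLI mapping the auto-generated controller rules back to the parent rule name, which is the repo's convention but deserves a one-line comment here, since a reader comparing this file with the policy will find no controller rule to match. The resource sets otherwise line up with the chainsaw fixtures.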
linkerd-cel/prevent-linkerd-pod-injection-override/artifacthub-pkg.yml (23 additions, 0 deletions)
@@ -0,0 +1,23 @@ | ||
name: prevent-linkerd-pod-injection-override-cel | ||
version: 1.0.0 | ||
displayName: Prevent Linkerd Pod Injection Override in CEL expressions | ||
description: >- | ||
Setting the annotation on a Pod (or its controller) `linkerd.io/inject` to `disabled` may effectively disable mesh participation for that workload reducing security and visibility. This policy prevents setting the annotation `linkerd.io/inject` to `disabled` for Pods. | ||
install: |- | ||
```shell | ||
kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/linkerd-cel/prevent-linkerd-pod-injection-override/prevent-linkerd-pod-injection-override.yaml | ||
``` | ||
keywords: | ||
- kyverno | ||
- Linkerd | ||
- CEL Expressions | ||
readme: | | ||
Setting the annotation on a Pod (or its controller) `linkerd.io/inject` to `disabled` may effectively disable mesh participation for that workload reducing security and visibility. This policy prevents setting the annotation `linkerd.io/inject` to `disabled` for Pods. | ||
Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ | ||
annotations: | ||
kyverno/category: "Linkerd in CEL" | ||
kyverno/kubernetesVersion: "1.26-1.27" | ||
kyverno/subject: "Pod" | ||
digest: 795a7d5ae06f9720bdbcc00ced965d1f7a28540c965628a47abc5621fb8d0033 | ||
createdAt: "2024-05-21T15:39:18Z" |
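Review bot: the description and readme say the annotation is blocked on "a Pod (or its controller)", while the policy's `match` lists only `Pod`; controllers are reached only through Kyverno's rule auto-generation, and the text should say so, because a user who disables autogen for this policy will see Deployments and CronJobs admitted with the override and only the resulting Pods rejected. The readme also repeats the description verbatim; keep the description short and let the readme carry the autogen caveat.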
...rd-cel/prevent-linkerd-pod-injection-override/prevent-linkerd-pod-injection-override.yaml (35 additions, 0 deletions)
@@ -0,0 +1,35 @@ | ||
apiVersion: kyverno.io/v1 | ||
kind: ClusterPolicy | ||
metadata: | ||
name: prevent-linkerd-pod-injection-override | ||
annotations: | ||
policies.kyverno.io/title: Prevent Linkerd Pod Injection Override in CEL expressions | ||
policies.kyverno.io/category: Linkerd in CEL | ||
policies.kyverno.io/severity: medium | ||
policies.kyverno.io/subject: Pod | ||
kyverno.io/kyverno-version: 1.11.0 | ||
kyverno.io/kubernetes-version: "1.26-1.27" | ||
policies.kyverno.io/description: >- | ||
Setting the annotation on a Pod (or its controller) `linkerd.io/inject` to | ||
`disabled` may effectively disable mesh participation for that workload reducing | ||
security and visibility. This policy prevents setting the annotation `linkerd.io/inject` | ||
to `disabled` for Pods. | ||
spec: | ||
validationFailureAction: Audit | ||
background: true | ||
rules: | ||
- name: pod-injection-override | ||
match: | ||
any: | ||
- resources: | ||
kinds: | ||
- Pod | ||
operations: | ||
- CREATE | ||
- UPDATE | ||
validate: | ||
cel: | ||
expressions: | ||
- expression: "!has(object.metadata.annotations) || !('linkerd.io/inject' in object.metadata.annotations) || object.metadata.annotations['linkerd.io/inject'] != 'disabled'" | ||
message: "Pods may not disable sidecar injection." | ||
|
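Review bot: the `has()` guard starts at `object.metadata.annotations`, so when `metadata` itself is absent the expression errors with `no such key: metadata` instead of passing. That cannot happen for a Pod at admission, but the auto-generated controller variants evaluate the same expression against `spec.template.metadata` (and `spec.jobTemplate.spec.template.metadata` for CronJobs), where a template without `metadata` is legal; the commit message confirms this surfaced in testing and was worked around in the fixture rather than here. Guard the parent key first, e.g. `!has(object.metadata) || !has(object.metadata.annotations) || !('linkerd.io/inject' in object.metadata.annotations) || object.metadata.annotations['linkerd.io/inject'] != 'disabled'`, so a workload with no template metadata is treated as not overriding injection instead of producing an evaluation error once the policy runs in Enforce mode.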
linkerd-cel/prevent-linkerd-port-skipping/.chainsaw-test/bad-pod.yaml (36 additions, 0 deletions)
@@ -0,0 +1,36 @@ | ||
apiVersion: v1 | ||
kind: Pod | ||
metadata: | ||
annotations: | ||
foo: bar | ||
config.linkerd.io/skip-inbound-ports: "true" | ||
name: badpod01 | ||
spec: | ||
containers: | ||
- image: busybox:1.35 | ||
name: busybox | ||
--- | ||
apiVersion: v1 | ||
kind: Pod | ||
metadata: | ||
annotations: | ||
config.linkerd.io/skip-outbound-ports: "true" | ||
foo: bar | ||
name: badpod02 | ||
spec: | ||
containers: | ||
- image: busybox:1.35 | ||
name: busybox | ||
--- | ||
apiVersion: v1 | ||
kind: Pod | ||
metadata: | ||
annotations: | ||
foo: bar | ||
config.linkerd.io/skip-outbound-ports: "true" | ||
config.linkerd.io/skip-inbound-ports: "true" | ||
name: badpod03 | ||
spec: | ||
containers: | ||
- image: busybox:1.35 | ||
name: busybox |
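Review bot: `config.linkerd.io/skip-inbound-ports` and `config.linkerd.io/skip-outbound-ports` take a comma-separated list of ports or port ranges in Linkerd, so `"true"` is not a value an operator would ever write; whatever the port-skipping policy (not shown in this view) checks, fixtures such as `config.linkerd.io/skip-inbound-ports: "4191"` would mirror real overrides and would also expose a policy that happened to reject only the literal `"true"`. Surrounding the Linkerd keys with an unrelated `foo: bar` annotation in every pod is good practice, since it keeps the key-lookup path rather than the empty-map path under test.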