feat: add miscellaneous policies in CEL expressions - Part 3 (#1028)

* copy prevent-linkerd-pod-injection-override

Signed-off-by: Chandan-DK <chandandk468@gmail.com>

* add kyverno tests for prevent-linkerd-pod-injection-override

Signed-off-by: Chandan-DK <chandandk468@gmail.com>

* convert prevent-linkerd-pod-injection-override

Signed-off-by: Chandan-DK <chandandk468@gmail.com>

* add metadata section to template

This is done in order to avoid no such key: metadata error in the
kyverno tests for the cel policy

Signed-off-by: Chandan-DK <chandandk468@gmail.com>

* add kyverno tests for prevent-linkerd-pod-injection-override in regular policy

Signed-off-by: Chandan-DK <chandandk468@gmail.com>

* copy prevent-linkerd-port-skipping

Signed-off-by: Chandan-DK <chandandk468@gmail.com>

* correct invalid chainsaw test resources to remove errors

Signed-off-by: Chandan-DK <chandandk468@gmail.com>

* add kyverno tests

Signed-off-by: Chandan-DK <chandandk468@gmail.com>

* convert prevent-linkerd-port-skipping

Signed-off-by: Chandan-DK <chandandk468@gmail.com>

* copy require-linkerd-mesh-injection

Signed-off-by: Chandan-DK <chandandk468@gmail.com>

* add kyverno tests for require-linkerd-mesh-injection

Signed-off-by: Chandan-DK <chandandk468@gmail.com>

* convert require-linkerd-mesh-injection

Signed-off-by: Chandan-DK <chandandk468@gmail.com>

* copy disallow-ingress-nginx-custom-snippets

Signed-off-by: Chandan-DK <chandandk468@gmail.com>

* convert disallow-ingress-nginx-custom-snippets

Signed-off-by: Chandan-DK <chandandk468@gmail.com>

* copy restrict-annotations

Signed-off-by: Chandan-DK <chandandk468@gmail.com>

* convert restrict-annotations

Signed-off-by: Chandan-DK <chandandk468@gmail.com>

* copy restrict-ingress-paths

Signed-off-by: Chandan-DK <chandandk468@gmail.com>

* add kyverno test for one more failing condition

Signed-off-by: Chandan-DK <chandandk468@gmail.com>

* convert restrict-ingress-paths

Signed-off-by: Chandan-DK <chandandk468@gmail.com>

* copy check-routes

Signed-off-by: Chandan-DK <chandandk468@gmail.com>

* convert check-routes

Signed-off-by: Chandan-DK <chandandk468@gmail.com>

* copy disallow-deprecated-apis/

Signed-off-by: Chandan-DK <chandandk468@gmail.com>

* convert disallow-deprecated-apis

Signed-off-by: Chandan-DK <chandandk468@gmail.com>

* copy disallow-default-tlsoptions

Signed-off-by: Chandan-DK <chandandk468@gmail.com>

* convert disallow-default-tlsoptions

Signed-off-by: Chandan-DK <chandandk468@gmail.com>

* copy add-psa-namespace-reporting

Signed-off-by: Chandan-DK <chandandk468@gmail.com>

* convert add-psa-namespace-reporting

Signed-off-by: Chandan-DK <chandandk468@gmail.com>

* copy deny-privileged-profile

Signed-off-by: Chandan-DK <chandandk468@gmail.com>

* convert deny-privileged-profile

Signed-off-by: Chandan-DK <chandandk468@gmail.com>

* add kyverno tests for deny-privileged-profile

Signed-off-by: Chandan-DK <chandandk468@gmail.com>

* copy disallow-jenkins-pipeline-strategy

Signed-off-by: Chandan-DK <chandandk468@gmail.com>

* convert disallow-jenkins-pipeline-strategy

Signed-off-by: Chandan-DK <chandandk468@gmail.com>

* copy disallow-security-context-constraint-anyuid

Signed-off-by: Chandan-DK <chandandk468@gmail.com>

* convert disallow-security-context-constraint-anyuid

Signed-off-by: Chandan-DK <chandandk468@gmail.com>

* copy openshift-cel/disallow-self-provisioner-binding

Signed-off-by: Chandan-DK <chandandk468@gmail.com>

* convert disallow-self-provisioner-binding

Signed-off-by: Chandan-DK <chandandk468@gmail.com>

* copy enforce-etcd-encryption

Signed-off-by: Chandan-DK <chandandk468@gmail.com>

* convert enforce-etcd-encryption

Signed-off-by: Chandan-DK <chandandk468@gmail.com>

* add CI tests for cel policies

Signed-off-by: Chandan-DK <chandandk468@gmail.com>

* remove comments for CI tests

Signed-off-by: Chandan-DK <chandandk468@gmail.com>

* rename files for clarity

Signed-off-by: Chandan-DK <chandandk468@gmail.com>

* specify CREATE and UPDATE operations explicitly

Signed-off-by: Chandan-DK <chandandk468@gmail.com>

* remove disallow-self-provisioner-binding as it gives errors that needs further investigation

Signed-off-by: Chandan-DK <chandandk468@gmail.com>

---------

Signed-off-by: Chandan-DK <chandandk468@gmail.com>
Co-authored-by: Mariam Fahmy <mariam.fahmy@nirmata.com>

.github/workflows/test.yml

@@ -53,8 +53,11 @@ jobs:
           - ^kubeops$
           - ^kubevirt$
           - ^linkerd$
+          - ^linkerd-cel$
           - ^nginx-ingress$
+          - ^nginx-ingress-cel$
           - ^openshift$
+          - ^openshift-cel$
           - ^other$/^a
           - ^other-cel$/^a
           - ^other$/^[b-d]
@@ -72,10 +75,12 @@ jobs:
           - ^pod-security$
           - ^pod-security-cel$
           - ^psa$
+          - ^psa-cel$
           - ^psp-migration$
-          # - ^tekton
-          # - ^traefik
-          # - ^velero
+          - ^tekton$
+          - ^traefik$
+          - ^traefik-cel$
+          - ^velero$
     runs-on: ubuntu-latest
     name: ${{ matrix.k8s-version.name }} - ${{ matrix.tests }}
     steps:

linkerd-cel/prevent-linkerd-pod-injection-override/.chainsaw-test/bad-pod.yaml

@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  annotations:
+    linkerd.io/inject: disabled
+  name: badpod01
+spec:
+  containers:
+    - image: busybox:1.35
+      name: busybox

linkerd-cel/prevent-linkerd-pod-injection-override/.chainsaw-test/bad-podcontrollers.yaml

@@ -0,0 +1,42 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: busybox
+  name: baddeploy01
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: busybox
+  template:
+    metadata:
+      labels:
+        app: busybox
+      annotations:
+        linkerd.io/inject: disabled
+    spec:
+      containers:
+      - name: busybox
+        image: busybox:1.35
+---
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: badcronjob01
+spec:
+  schedule: "* * * * *"
+  jobTemplate:
+    spec:
+      template:
+        metadata:
+          annotations:
+            linkerd.io/inject: disabled
+        spec:
+          containers:
+          - name: hello
+            image: busybox:1.35
+            command:
+            - "sleep"
+            - "3600"
+          restartPolicy: OnFailure

linkerd-cel/prevent-linkerd-pod-injection-override/.chainsaw-test/chainsaw-test.yaml

@@ -0,0 +1,38 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  creationTimestamp: null
+  name: prevent-linkerd-pod-injection-override
+spec:
+  steps:
+  - name: step-01
+    try:
+    - apply:
+        file: ../prevent-linkerd-pod-injection-override.yaml
+    - patch:
+        resource:
+          apiVersion: kyverno.io/v1
+          kind: ClusterPolicy
+          metadata:
+            name: prevent-linkerd-pod-injection-override
+          spec:
+            validationFailureAction: Enforce
+    - assert:
+        file: policy-ready.yaml
+  - name: step-02
+    try:
+    - apply:
+        file: good-pod.yaml
+    - apply:
+        file: good-podcontrollers.yaml
+    - apply:
+        expect:
+        - check:
+            ($error != null): true
+        file: bad-pod.yaml
+    - apply:
+        expect:
+        - check:
+            ($error != null): true
+        file: bad-podcontrollers.yaml

linkerd-cel/prevent-linkerd-pod-injection-override/.chainsaw-test/good-pod.yaml

@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  annotations:
+    linkerd.io/inject: enabled
+  name: goodpod01
+spec:
+  containers:
+    - image: busybox:1.35
+      name: busybox
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: goodpod02
+spec:
+  containers:
+    - image: busybox:1.35
+      name: busybox
+      resources: {}

linkerd-cel/prevent-linkerd-pod-injection-override/.chainsaw-test/good-podcontrollers.yaml

@@ -0,0 +1,83 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: busybox
+  name: gooddeploy01
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: busybox
+  template:
+    metadata:
+      labels:
+        app: busybox
+    spec:
+      containers:
+      - name: busybox
+        image: busybox:1.35
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: busybox
+  name: gooddeploy02
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: busybox
+  template:
+    metadata:
+      labels:
+        app: busybox
+      annotations:
+        linkerd.io/inject: enabled
+    spec:
+      containers:
+      - name: busybox
+        image: busybox:1.35
+---
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: goodcronjob01
+spec:
+  schedule: "* * * * *"
+  jobTemplate:
+    spec:
+      template:
+        metadata:
+          labels:
+            app: busybox
+        spec:
+          containers:
+          - name: hello
+            image: busybox:1.35
+            command:
+            - "sleep"
+            - "3600"
+          restartPolicy: OnFailure
+---
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: goodcronjob02
+spec:
+  schedule: "* * * * *"
+  jobTemplate:
+    spec:
+      template:
+        metadata:
+          annotations:
+            linkerd.io/inject: enabled
+        spec:
+          containers:
+          - name: hello
+            image: busybox:1.35
+            command:
+            - "sleep"
+            - "3600"
+          restartPolicy: OnFailure

linkerd-cel/prevent-linkerd-pod-injection-override/.chainsaw-test/policy-ready.yaml

@@ -0,0 +1,6 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: prevent-linkerd-pod-injection-override
+status:
+  ready: true

linkerd-cel/prevent-linkerd-pod-injection-override/.kyverno-test/kyverno-test.yaml

@@ -0,0 +1,51 @@
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  name: prevent-linkerd-pod-injection-override
+policies:
+- ../prevent-linkerd-pod-injection-override.yaml
+resources:
+- ../.chainsaw-test/bad-pod.yaml
+- ../.chainsaw-test/bad-podcontrollers.yaml
+- ../.chainsaw-test/good-pod.yaml
+- ../.chainsaw-test/good-podcontrollers.yaml
+results:
+- policy: prevent-linkerd-pod-injection-override
+  rule: pod-injection-override
+  kind: Pod
+  resources:
+  - badpod01
+  result: fail
+- policy: prevent-linkerd-pod-injection-override
+  rule: pod-injection-override
+  kind: Deployment
+  resources:
+  - baddeploy01
+  result: fail
+- policy: prevent-linkerd-pod-injection-override
+  rule: pod-injection-override
+  kind: CronJob
+  resources:
+  - badcronjob01
+  result: fail
+- policy: prevent-linkerd-pod-injection-override
+  rule: pod-injection-override
+  kind: Pod
+  resources:
+  - goodpod01
+  - goodpod02
+  result: pass
+- policy: prevent-linkerd-pod-injection-override
+  rule: pod-injection-override
+  kind: Deployment
+  resources:
+  - gooddeploy01
+  - gooddeploy02
+  result: pass
+- policy: prevent-linkerd-pod-injection-override
+  rule: pod-injection-override
+  kind: CronJob
+  resources:
+  - goodcronjob01
+  - goodcronjob02
+  result: pass

linkerd-cel/prevent-linkerd-pod-injection-override/artifacthub-pkg.yml

@@ -0,0 +1,23 @@
+name: prevent-linkerd-pod-injection-override-cel
+version: 1.0.0
+displayName: Prevent Linkerd Pod Injection Override in CEL expressions
+description: >-
+  Setting the annotation on a Pod (or its controller) `linkerd.io/inject` to `disabled` may effectively disable mesh participation for that workload reducing security and visibility. This policy prevents setting the annotation `linkerd.io/inject` to `disabled` for Pods.
+install: |-
+  ```shell
+  kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/linkerd-cel/prevent-linkerd-pod-injection-override/prevent-linkerd-pod-injection-override.yaml
+  ```
+keywords:
+  - kyverno
+  - Linkerd
+  - CEL Expressions
+readme: |
+  Setting the annotation on a Pod (or its controller) `linkerd.io/inject` to `disabled` may effectively disable mesh participation for that workload reducing security and visibility. This policy prevents setting the annotation `linkerd.io/inject` to `disabled` for Pods.
+  
+  Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/
+annotations:
+  kyverno/category: "Linkerd in CEL"
+  kyverno/kubernetesVersion: "1.26-1.27"
+  kyverno/subject: "Pod"
+digest: 795a7d5ae06f9720bdbcc00ced965d1f7a28540c965628a47abc5621fb8d0033
+createdAt: "2024-05-21T15:39:18Z"

linkerd-cel/prevent-linkerd-pod-injection-override/prevent-linkerd-pod-injection-override.yaml

@@ -0,0 +1,35 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: prevent-linkerd-pod-injection-override
+  annotations:
+    policies.kyverno.io/title: Prevent Linkerd Pod Injection Override in CEL expressions
+    policies.kyverno.io/category: Linkerd in CEL 
+    policies.kyverno.io/severity: medium
+    policies.kyverno.io/subject: Pod
+    kyverno.io/kyverno-version: 1.11.0
+    kyverno.io/kubernetes-version: "1.26-1.27"
+    policies.kyverno.io/description: >-
+      Setting the annotation on a Pod (or its controller) `linkerd.io/inject` to
+      `disabled` may effectively disable mesh participation for that workload reducing
+      security and visibility. This policy prevents setting the annotation `linkerd.io/inject`
+      to `disabled` for Pods.
+spec:
+  validationFailureAction: Audit
+  background: true
+  rules:
+  - name: pod-injection-override
+    match:
+      any:
+      - resources:
+          kinds:
+          - Pod
+          operations:
+          - CREATE
+          - UPDATE
+    validate:
+      cel:
+        expressions:
+          - expression: "!has(object.metadata.annotations) || !('linkerd.io/inject' in object.metadata.annotations) || object.metadata.annotations['linkerd.io/inject'] != 'disabled'"
+            message: "Pods may not disable sidecar injection."
+

linkerd-cel/prevent-linkerd-port-skipping/.chainsaw-test/bad-pod.yaml

@@ -0,0 +1,36 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  annotations:
+    foo: bar
+    config.linkerd.io/skip-inbound-ports: "true"
+  name: badpod01
+spec:
+  containers:
+    - image: busybox:1.35
+      name: busybox
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  annotations:
+    config.linkerd.io/skip-outbound-ports: "true"
+    foo: bar
+  name: badpod02
+spec:
+  containers:
+    - image: busybox:1.35
+      name: busybox
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  annotations:
+    foo: bar
+    config.linkerd.io/skip-outbound-ports: "true"
+    config.linkerd.io/skip-inbound-ports: "true"
+  name: badpod03
+spec:
+  containers:
+    - image: busybox:1.35
+      name: busybox