feat: add miscellaneous policies in CEL expressions - Part 4 (#1033)

* copy check-supplemental-groups

Signed-off-by: Chandan-DK <chandandk468@gmail.com>

* convert check-supplemental-groups

Signed-off-by: Chandan-DK <chandandk468@gmail.com>

* copy restrict-adding-capabilities

Signed-off-by: Chandan-DK <chandandk468@gmail.com>

* convert restrict-adding-capabilities

Signed-off-by: Chandan-DK <chandandk468@gmail.com>

* copy restrict-runtimeClassName

Signed-off-by: Chandan-DK <chandandk468@gmail.com>

* convert restrict-runtimeClassName

Signed-off-by: Chandan-DK <chandandk468@gmail.com>

* copy block-velero-restore

Signed-off-by: Chandan-DK <chandandk468@gmail.com>

* convert block-velero-restore

Signed-off-by: Chandan-DK <chandandk468@gmail.com>

* convert block-velero-restore

Signed-off-by: Chandan-DK <chandandk468@gmail.com>

* copy validate-cron-schedule

Signed-off-by: Chandan-DK <chandandk468@gmail.com>

* convert validate-cron-schedule

Signed-off-by: Chandan-DK <chandandk468@gmail.com>

* copy block-tekton-task-runs

Signed-off-by: Chandan-DK <chandandk468@gmail.com>

* add kyverno tests for block-tekton-task-runs

Signed-off-by: Chandan-DK <chandandk468@gmail.com>

* remove unused resources

Signed-off-by: Chandan-DK <chandandk468@gmail.com>

* convert block-tekton-task-runs

Signed-off-by: Chandan-DK <chandandk468@gmail.com>

* copy require-tekton-bundle

Signed-off-by: Chandan-DK <chandandk468@gmail.com>

* add kyverno tests for require-tekton-bundle

Signed-off-by: Chandan-DK <chandandk468@gmail.com>

* convert require-tekton-bundle

Signed-off-by: Chandan-DK <chandandk468@gmail.com>

* copy require-tekton-namespace-pipelinerun

Signed-off-by: Chandan-DK <chandandk468@gmail.com>

* add kyverno tests for require-tekton-namespace-pipelinerun

Signed-off-by: Chandan-DK <chandandk468@gmail.com>

* convert require-tekton-namespace-pipelinerun

Signed-off-by: Chandan-DK <chandandk468@gmail.com>

* rename files for clarity

Signed-off-by: Chandan-DK <chandandk468@gmail.com>

* add CI tests for cel folders

Signed-off-by: Chandan-DK <chandandk468@gmail.com>

* remove require-tekton-namespace-pipelinerun

Removing this cel policy because issue
kyverno/kyverno#10313
causes CI failure

Signed-off-by: Chandan-DK <chandandk468@gmail.com>

* explicitly specify CREATE and UPDATE operations

Signed-off-by: Chandan-DK <chandandk468@gmail.com>

---------

Signed-off-by: Chandan-DK <chandandk468@gmail.com>
Signed-off-by: Chandan-DK <chandan.dk@nirmata.com>
Co-authored-by: Chip Zoller <chipzoller@gmail.com>

.github/workflows/test.yml

@@ -57,9 +57,12 @@ jobs:
           - ^pod-security$
           - ^psa$
           - ^psp-migration$
+          - ^psp-migration-cel$
           - ^tekton$
+          - ^tekton-cel$
           - ^traefik$
           - ^velero$
+          - ^velero-cel$
     runs-on: ubuntu-latest
     name: ${{ matrix.k8s-version.name }} - ${{ matrix.tests }}
     steps:
@@ -72,4 +75,4 @@ jobs:
       - name: Run Tests
         uses: ./.github/actions/run-tests
         with:
-          tests: ${{ matrix.tests }}
+          tests: ${{ matrix.tests }}

psp-migration-cel/check-supplemental-groups/.chainsaw-test/chainsaw-test.yaml

@@ -0,0 +1,38 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  creationTimestamp: null
+  name: check-supplemental-groups
+spec:
+  steps:
+  - name: step-01
+    try:
+    - apply:
+        file: ../check-supplemental-groups.yaml
+    - patch:
+        resource:
+          apiVersion: kyverno.io/v1
+          kind: ClusterPolicy
+          metadata:
+            name: psp-check-supplemental-groups
+          spec:
+            validationFailureAction: Enforce
+    - assert:
+        file: policy-ready.yaml
+  - name: step-02
+    try:
+    - apply:
+        file: pod-good.yaml
+    - apply:
+        expect:
+        - check:
+            ($error != null): true
+        file: pod-bad.yaml
+    - apply:
+        file: podcontroller-good.yaml
+    - apply:
+        expect:
+        - check:
+            ($error != null): true
+        file: podcontroller-bad.yaml

psp-migration-cel/check-supplemental-groups/.chainsaw-test/pod-bad.yaml

@@ -0,0 +1,55 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: badpod01
+spec:
+  securityContext:
+    supplementalGroups:
+    - 120
+    - 230
+    - 550
+  containers:
+  - name: busybox01
+    image: busybox:1.35
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: badpod02
+spec:
+  securityContext:
+    supplementalGroups: 
+    - 1000
+    - 120
+  containers:
+  - name: busybox01
+    image: busybox:1.35
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: badpod03
+spec:
+  securityContext:
+    runAsGroup: 0
+    supplementalGroups:
+    - 580
+    - 0
+  containers:
+  - name: busybox01
+    image: busybox:1.35
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: badpod04
+spec:
+  securityContext:
+    supplementalGroups:
+    - 100
+    - 601
+    - 600
+    runAsGroup: 0
+  containers:
+  - name: busybox01
+    image: busybox:1.35

psp-migration-cel/check-supplemental-groups/.chainsaw-test/pod-good.yaml

@@ -0,0 +1,60 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: goodpod01
+spec:
+  containers:
+  - name: busybox01
+    image: busybox:1.35
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: goodpod02
+spec:
+  securityContext:
+    supplementalGroups: 
+    - 150
+    - 100
+    - 500
+  containers:
+  - name: busybox01
+    image: busybox:1.35
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: goodpod03
+spec:
+  securityContext:
+    supplementalGroups:
+    - 550
+    - 600
+    - 120
+  containers:
+  - name: busybox01
+    image: busybox:1.35
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: goodpod04
+spec:
+  securityContext:
+    runAsGroup: 0
+  containers:
+  - name: busybox01
+    image: busybox:1.35
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: goodpod05
+spec:
+  securityContext:
+    supplementalGroups: 
+    - 600
+    runAsGroup: 0
+  containers:
+  - name: busybox01
+    image: busybox:1.35

psp-migration-cel/check-supplemental-groups/.chainsaw-test/podcontroller-bad.yaml

@@ -0,0 +1,42 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: baddeployment01
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: app
+  template:
+    metadata:
+      labels:
+        app: app
+    spec:
+      securityContext:
+        supplementalGroups:
+        - 100
+        - 601
+        - 600
+        runAsGroup: 0
+      containers:
+      - name: busybox01
+        image: busybox:1.35
+---
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: badcronjob01
+spec:
+  schedule: "*/1 * * * *"
+  jobTemplate:
+    spec:
+      template:
+        spec:
+          restartPolicy: OnFailure
+          securityContext:
+            supplementalGroups: 
+            - 1000
+            - 120
+          containers:
+          - name: busybox01
+            image: busybox:1.35

psp-migration-cel/check-supplemental-groups/.chainsaw-test/podcontroller-good.yaml

@@ -0,0 +1,42 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: gooddeployment01
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: app
+  template:
+    metadata:
+      labels:
+        app: app
+    spec:
+      securityContext:
+        supplementalGroups: 
+        - 150
+        - 100
+        - 500
+      containers:
+      - name: busybox01
+        image: busybox:1.35
+---
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: goodcronjob01
+spec:
+  schedule: "*/1 * * * *"
+  jobTemplate:
+    spec:
+      template:
+        spec:
+          restartPolicy: OnFailure
+          securityContext:
+            supplementalGroups:
+            - 550
+            - 600
+            - 120
+          containers:
+          - name: busybox01
+            image: busybox:1.35

psp-migration-cel/check-supplemental-groups/.chainsaw-test/policy-ready.yaml

@@ -0,0 +1,6 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: psp-check-supplemental-groups
+status:
+  ready: true

psp-migration-cel/check-supplemental-groups/.kyverno-test/kyverno-test.yaml

@@ -0,0 +1,21 @@
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  name: psp-check-supplemental-groups
+policies:
+- ../check-supplemental-groups.yaml
+resources:
+- resource.yaml
+results:
+- kind: Pod
+  policy: psp-check-supplemental-groups
+  resources:
+  - badpod01
+  result: fail
+  rule: supplementalgroup-ranges
+- kind: Pod
+  policy: psp-check-supplemental-groups
+  resources:
+  - goodpod01
+  result: pass
+  rule: supplementalgroup-ranges

psp-migration-cel/check-supplemental-groups/.kyverno-test/resource.yaml

@@ -0,0 +1,24 @@
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: badpod01
+spec:
+  containers:
+  - name: container01
+    image: dummyimagename
+  securityContext:
+    supplementalGroups:
+    - 0
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: goodpod01
+spec:
+  containers:
+  - name: container01
+    image: dummyimagename
+  securityContext:
+    supplementalGroups:
+    - 100

psp-migration-cel/check-supplemental-groups/artifacthub-pkg.yml

@@ -0,0 +1,23 @@
+name: check-supplemental-groups-cel
+version: 1.0.0
+displayName: Check supplementalGroups in CEL expressions
+description: >-
+  Supplemental groups control which group IDs containers add and can coincide with restricted groups on the host. Pod Security Policies (PSP) allowed a range of these group IDs to be specified which were allowed. This policy ensures any Pod may only specify supplementalGroup IDs between 100-200 or 500-600.
+install: |-
+  ```shell
+  kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/psp-migration-cel/check-supplemental-groups/check-supplemental-groups.yaml
+  ```
+keywords:
+  - kyverno
+  - PSP Migration
+  - CEL Expressions
+readme: |
+  Supplemental groups control which group IDs containers add and can coincide with restricted groups on the host. Pod Security Policies (PSP) allowed a range of these group IDs to be specified which were allowed. This policy ensures any Pod may only specify supplementalGroup IDs between 100-200 or 500-600.
+  
+  Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/
+annotations:
+  kyverno/category: "PSP Migration in CEL"
+  kyverno/kubernetesVersion: "1.26-1.27"
+  kyverno/subject: "Pod"
+digest: 05135ed92926031b15d782552af3f8dbf8776014401328e186987344079fcc66
+createdAt: "2024-05-23T13:57:56Z"

psp-migration-cel/check-supplemental-groups/check-supplemental-groups.yaml

@@ -0,0 +1,39 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: psp-check-supplemental-groups
+  annotations:
+    policies.kyverno.io/title: Check supplementalGroups in CEL expressions
+    policies.kyverno.io/category: PSP Migration in CEL 
+    policies.kyverno.io/severity: medium
+    kyverno.io/kyverno-version: 1.11.0
+    policies.kyverno.io/minversion: 1.11.0
+    kyverno.io/kubernetes-version: "1.26-1.27"
+    policies.kyverno.io/subject: Pod
+    policies.kyverno.io/description: >-
+      Supplemental groups control which group IDs containers add and can coincide with
+      restricted groups on the host. Pod Security Policies (PSP) allowed a range of
+      these group IDs to be specified which were allowed. This policy ensures any Pod
+      may only specify supplementalGroup IDs between 100-200 or 500-600.
+spec:
+  background: false
+  validationFailureAction: Audit
+  rules:
+  - name: supplementalgroup-ranges
+    match:
+      any:
+      - resources:
+          kinds:
+            - Pod
+          operations:
+          - CREATE
+          - UPDATE
+    validate:
+      cel:
+        expressions:
+          - expression: >-
+              !has(object.spec.securityContext) ||
+              !has(object.spec.securityContext.supplementalGroups) ||
+              object.spec.securityContext.supplementalGroups.all(supplementalGroup, (supplementalGroup >= 100 && supplementalGroup <= 200) || (supplementalGroup >= 500 && supplementalGroup <= 600))
+            message: Any supplementalGroup ID must be within the range 100-200 or 500-600.
+