feat: add miscellaneous policies in CEL expressions - Part 4 (#1033)
* copy check-supplemental-groups
  Signed-off-by: Chandan-DK <chandandk468@gmail.com>
* convert check-supplemental-groups
  Signed-off-by: Chandan-DK <chandandk468@gmail.com>
* copy restrict-adding-capabilities
  Signed-off-by: Chandan-DK <chandandk468@gmail.com>
* convert restrict-adding-capabilities
  Signed-off-by: Chandan-DK <chandandk468@gmail.com>
* copy restrict-runtimeClassName
  Signed-off-by: Chandan-DK <chandandk468@gmail.com>
* convert restrict-runtimeClassName
  Signed-off-by: Chandan-DK <chandandk468@gmail.com>
* copy block-velero-restore
  Signed-off-by: Chandan-DK <chandandk468@gmail.com>
* convert block-velero-restore
  Signed-off-by: Chandan-DK <chandandk468@gmail.com>
* convert block-velero-restore
  Signed-off-by: Chandan-DK <chandandk468@gmail.com>
* copy validate-cron-schedule
  Signed-off-by: Chandan-DK <chandandk468@gmail.com>
* convert validate-cron-schedule
  Signed-off-by: Chandan-DK <chandandk468@gmail.com>
* copy block-tekton-task-runs
  Signed-off-by: Chandan-DK <chandandk468@gmail.com>
* add kyverno tests for block-tekton-task-runs
  Signed-off-by: Chandan-DK <chandandk468@gmail.com>
* remove unused resources
  Signed-off-by: Chandan-DK <chandandk468@gmail.com>
* convert block-tekton-task-runs
  Signed-off-by: Chandan-DK <chandandk468@gmail.com>
* copy require-tekton-bundle
  Signed-off-by: Chandan-DK <chandandk468@gmail.com>
* add kyverno tests for require-tekton-bundle
  Signed-off-by: Chandan-DK <chandandk468@gmail.com>
* convert require-tekton-bundle
  Signed-off-by: Chandan-DK <chandandk468@gmail.com>
* copy require-tekton-namespace-pipelinerun
  Signed-off-by: Chandan-DK <chandandk468@gmail.com>
* add kyverno tests for require-tekton-namespace-pipelinerun
  Signed-off-by: Chandan-DK <chandandk468@gmail.com>
* convert require-tekton-namespace-pipelinerun
  Signed-off-by: Chandan-DK <chandandk468@gmail.com>
* rename files for clarity
  Signed-off-by: Chandan-DK <chandandk468@gmail.com>
* add CI tests for cel folders
  Signed-off-by: Chandan-DK <chandandk468@gmail.com>
* remove require-tekton-namespace-pipelinerun
  Removing this cel policy because issue kyverno/kyverno#10313 causes CI failure
  Signed-off-by: Chandan-DK <chandandk468@gmail.com>
* explicitly specify CREATE and UPDATE operations
  Signed-off-by: Chandan-DK <chandandk468@gmail.com>

---------

Signed-off-by: Chandan-DK <chandandk468@gmail.com>
Signed-off-by: Chandan-DK <chandan.dk@nirmata.com>
Co-authored-by: Chip Zoller <chipzoller@gmail.com>
1 parent 52533f6, commit b125113
Showing 71 changed files with 2,816 additions and 1 deletion.
38 changes: 38 additions & 0 deletions
psp-migration-cel/check-supplemental-groups/.chainsaw-test/chainsaw-test.yaml
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,38 @@ | ||
# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json | ||
apiVersion: chainsaw.kyverno.io/v1alpha1 | ||
kind: Test | ||
metadata: | ||
creationTimestamp: null | ||
name: check-supplemental-groups | ||
spec: | ||
steps: | ||
- name: step-01 | ||
try: | ||
- apply: | ||
file: ../check-supplemental-groups.yaml | ||
- patch: | ||
resource: | ||
apiVersion: kyverno.io/v1 | ||
kind: ClusterPolicy | ||
metadata: | ||
name: psp-check-supplemental-groups | ||
spec: | ||
validationFailureAction: Enforce | ||
- assert: | ||
file: policy-ready.yaml | ||
- name: step-02 | ||
try: | ||
- apply: | ||
file: pod-good.yaml | ||
- apply: | ||
expect: | ||
- check: | ||
($error != null): true | ||
file: pod-bad.yaml | ||
- apply: | ||
file: podcontroller-good.yaml | ||
- apply: | ||
expect: | ||
- check: | ||
($error != null): true | ||
file: podcontroller-bad.yaml |
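Review bot: the `($error != null): true` checks in step-02 accept any apply failure, not specifically a policy denial, so a malformed or mis-typed manifest in pod-bad.yaml or podcontroller-bad.yaml would also make the test pass; consider matching on the policy's message text (`Any supplementalGroup ID must be within the range 100-200 or 500-600.`) so the test proves the rule fired. Minor: `creationTimestamp: null` under metadata is a generator artifact and can be dropped.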
55 changes: 55 additions & 0 deletions
psp-migration-cel/check-supplemental-groups/.chainsaw-test/pod-bad.yaml
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,55 @@ | ||
apiVersion: v1 | ||
kind: Pod | ||
metadata: | ||
name: badpod01 | ||
spec: | ||
securityContext: | ||
supplementalGroups: | ||
- 120 | ||
- 230 | ||
- 550 | ||
containers: | ||
- name: busybox01 | ||
image: busybox:1.35 | ||
--- | ||
apiVersion: v1 | ||
kind: Pod | ||
metadata: | ||
name: badpod02 | ||
spec: | ||
securityContext: | ||
supplementalGroups: | ||
- 1000 | ||
- 120 | ||
containers: | ||
- name: busybox01 | ||
image: busybox:1.35 | ||
--- | ||
apiVersion: v1 | ||
kind: Pod | ||
metadata: | ||
name: badpod03 | ||
spec: | ||
securityContext: | ||
runAsGroup: 0 | ||
supplementalGroups: | ||
- 580 | ||
- 0 | ||
containers: | ||
- name: busybox01 | ||
image: busybox:1.35 | ||
--- | ||
apiVersion: v1 | ||
kind: Pod | ||
metadata: | ||
name: badpod04 | ||
spec: | ||
securityContext: | ||
supplementalGroups: | ||
- 100 | ||
- 601 | ||
- 600 | ||
runAsGroup: 0 | ||
containers: | ||
- name: busybox01 | ||
image: busybox:1.35 |
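Review bot: badpod03 and badpod04 carry `runAsGroup: 0`, which this policy does not evaluate, so they are rejected only because of the `0` and `601` entries; a comment stating that, or a case that fails on a value just below the lower bound (99), would make the intent of these fixtures clearer to the next person who reads them.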
60 changes: 60 additions & 0 deletions
psp-migration-cel/check-supplemental-groups/.chainsaw-test/pod-good.yaml
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,60 @@ | ||
apiVersion: v1 | ||
kind: Pod | ||
metadata: | ||
name: goodpod01 | ||
spec: | ||
containers: | ||
- name: busybox01 | ||
image: busybox:1.35 | ||
--- | ||
apiVersion: v1 | ||
kind: Pod | ||
metadata: | ||
name: goodpod02 | ||
spec: | ||
securityContext: | ||
supplementalGroups: | ||
- 150 | ||
- 100 | ||
- 500 | ||
containers: | ||
- name: busybox01 | ||
image: busybox:1.35 | ||
--- | ||
apiVersion: v1 | ||
kind: Pod | ||
metadata: | ||
name: goodpod03 | ||
spec: | ||
securityContext: | ||
supplementalGroups: | ||
- 550 | ||
- 600 | ||
- 120 | ||
containers: | ||
- name: busybox01 | ||
image: busybox:1.35 | ||
--- | ||
apiVersion: v1 | ||
kind: Pod | ||
metadata: | ||
name: goodpod04 | ||
spec: | ||
securityContext: | ||
runAsGroup: 0 | ||
containers: | ||
- name: busybox01 | ||
image: busybox:1.35 | ||
--- | ||
apiVersion: v1 | ||
kind: Pod | ||
metadata: | ||
name: goodpod05 | ||
spec: | ||
securityContext: | ||
supplementalGroups: | ||
- 600 | ||
runAsGroup: 0 | ||
containers: | ||
- name: busybox01 | ||
image: busybox:1.35 |
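Review bot: the inclusive bounds 100, 500 and 600 are exercised, but 200 (the top of the first range) is not; adding it to goodpod02 would cover the `<= 200` comparison so an accidental `< 200` would be caught.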
42 changes: 42 additions & 0 deletions
psp-migration-cel/check-supplemental-groups/.chainsaw-test/podcontroller-bad.yaml
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,42 @@ | ||
apiVersion: apps/v1 | ||
kind: Deployment | ||
metadata: | ||
name: baddeployment01 | ||
spec: | ||
replicas: 1 | ||
selector: | ||
matchLabels: | ||
app: app | ||
template: | ||
metadata: | ||
labels: | ||
app: app | ||
spec: | ||
securityContext: | ||
supplementalGroups: | ||
- 100 | ||
- 601 | ||
- 600 | ||
runAsGroup: 0 | ||
containers: | ||
- name: busybox01 | ||
image: busybox:1.35 | ||
--- | ||
apiVersion: batch/v1 | ||
kind: CronJob | ||
metadata: | ||
name: badcronjob01 | ||
spec: | ||
schedule: "*/1 * * * *" | ||
jobTemplate: | ||
spec: | ||
template: | ||
spec: | ||
restartPolicy: OnFailure | ||
securityContext: | ||
supplementalGroups: | ||
- 1000 | ||
- 120 | ||
containers: | ||
- name: busybox01 | ||
image: busybox:1.35 |
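Review bot: these Deployment and CronJob cases depend on Kyverno auto-generating controller rules from the policy's `Pod`-only match; if autogen were disabled for the policy, both resources would be admitted and the `($error != null)` expectation in chainsaw-test.yaml would fail. Worth a one-line comment in the fixture so that dependency is explicit.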
42 changes: 42 additions & 0 deletions
psp-migration-cel/check-supplemental-groups/.chainsaw-test/podcontroller-good.yaml
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,42 @@ | ||
apiVersion: apps/v1 | ||
kind: Deployment | ||
metadata: | ||
name: gooddeployment01 | ||
spec: | ||
replicas: 1 | ||
selector: | ||
matchLabels: | ||
app: app | ||
template: | ||
metadata: | ||
labels: | ||
app: app | ||
spec: | ||
securityContext: | ||
supplementalGroups: | ||
- 150 | ||
- 100 | ||
- 500 | ||
containers: | ||
- name: busybox01 | ||
image: busybox:1.35 | ||
--- | ||
apiVersion: batch/v1 | ||
kind: CronJob | ||
metadata: | ||
name: goodcronjob01 | ||
spec: | ||
schedule: "*/1 * * * *" | ||
jobTemplate: | ||
spec: | ||
template: | ||
spec: | ||
restartPolicy: OnFailure | ||
securityContext: | ||
supplementalGroups: | ||
- 550 | ||
- 600 | ||
- 120 | ||
containers: | ||
- name: busybox01 | ||
image: busybox:1.35 |
6 changes: 6 additions & 0 deletions
psp-migration-cel/check-supplemental-groups/.chainsaw-test/policy-ready.yaml
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,6 @@ | ||
apiVersion: kyverno.io/v1 | ||
kind: ClusterPolicy | ||
metadata: | ||
name: psp-check-supplemental-groups | ||
status: | ||
ready: true |
21 changes: 21 additions & 0 deletions
psp-migration-cel/check-supplemental-groups/.kyverno-test/kyverno-test.yaml
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,21 @@ | ||
apiVersion: cli.kyverno.io/v1alpha1 | ||
kind: Test | ||
metadata: | ||
name: psp-check-supplemental-groups | ||
policies: | ||
- ../check-supplemental-groups.yaml | ||
resources: | ||
- resource.yaml | ||
results: | ||
- kind: Pod | ||
policy: psp-check-supplemental-groups | ||
resources: | ||
- badpod01 | ||
result: fail | ||
rule: supplementalgroup-ranges | ||
- kind: Pod | ||
policy: psp-check-supplemental-groups | ||
resources: | ||
- goodpod01 | ||
result: pass | ||
rule: supplementalgroup-ranges |
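Review bot: the CLI test exercises only supplementalGroups `0` (fail) and `100` (pass) from resource.yaml; mirroring a couple of the chainsaw cases (a value between the ranges such as 230, and the upper edge 601) would let the CLI test catch a regressed boundary comparison without needing a cluster.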
24 changes: 24 additions & 0 deletions
psp-migration-cel/check-supplemental-groups/.kyverno-test/resource.yaml
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,24 @@ | ||
--- | ||
apiVersion: v1 | ||
kind: Pod | ||
metadata: | ||
name: badpod01 | ||
spec: | ||
containers: | ||
- name: container01 | ||
image: dummyimagename | ||
securityContext: | ||
supplementalGroups: | ||
- 0 | ||
--- | ||
apiVersion: v1 | ||
kind: Pod | ||
metadata: | ||
name: goodpod01 | ||
spec: | ||
containers: | ||
- name: container01 | ||
image: dummyimagename | ||
securityContext: | ||
supplementalGroups: | ||
- 100 |
23 changes: 23 additions & 0 deletions
psp-migration-cel/check-supplemental-groups/artifacthub-pkg.yml
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,23 @@ | ||
name: check-supplemental-groups-cel | ||
version: 1.0.0 | ||
displayName: Check supplementalGroups in CEL expressions | ||
description: >- | ||
Supplemental groups control which group IDs containers add and can coincide with restricted groups on the host. Pod Security Policies (PSP) allowed a range of these group IDs to be specified which were allowed. This policy ensures any Pod may only specify supplementalGroup IDs between 100-200 or 500-600. | ||
install: |- | ||
```shell | ||
kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/psp-migration-cel/check-supplemental-groups/check-supplemental-groups.yaml | ||
``` | ||
keywords: | ||
- kyverno | ||
- PSP Migration | ||
- CEL Expressions | ||
readme: | | ||
Supplemental groups control which group IDs containers add and can coincide with restricted groups on the host. Pod Security Policies (PSP) allowed a range of these group IDs to be specified which were allowed. This policy ensures any Pod may only specify supplementalGroup IDs between 100-200 or 500-600. | ||
Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ | ||
annotations: | ||
kyverno/category: "PSP Migration in CEL" | ||
kyverno/kubernetesVersion: "1.26-1.27" | ||
kyverno/subject: "Pod" | ||
digest: 05135ed92926031b15d782552af3f8dbf8776014401328e186987344079fcc66 | ||
createdAt: "2024-05-23T13:57:56Z" |
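Review bot: the sentence "allowed a range of these group IDs to be specified which were allowed" in both `description` and `readme` repeats itself; "allowed an approved range of these group IDs to be specified" reads cleaner. Also keep in mind that `digest` is derived from the policy file contents, so any follow-up edit to check-supplemental-groups.yaml needs it regenerated.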
39 changes: 39 additions & 0 deletions
psp-migration-cel/check-supplemental-groups/check-supplemental-groups.yaml
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,39 @@ | ||
apiVersion: kyverno.io/v1 | ||
kind: ClusterPolicy | ||
metadata: | ||
name: psp-check-supplemental-groups | ||
annotations: | ||
policies.kyverno.io/title: Check supplementalGroups in CEL expressions | ||
policies.kyverno.io/category: PSP Migration in CEL | ||
policies.kyverno.io/severity: medium | ||
kyverno.io/kyverno-version: 1.11.0 | ||
policies.kyverno.io/minversion: 1.11.0 | ||
kyverno.io/kubernetes-version: "1.26-1.27" | ||
policies.kyverno.io/subject: Pod | ||
policies.kyverno.io/description: >- | ||
Supplemental groups control which group IDs containers add and can coincide with | ||
restricted groups on the host. Pod Security Policies (PSP) allowed a range of | ||
these group IDs to be specified which were allowed. This policy ensures any Pod | ||
may only specify supplementalGroup IDs between 100-200 or 500-600. | ||
spec: | ||
background: false | ||
validationFailureAction: Audit | ||
rules: | ||
- name: supplementalgroup-ranges | ||
match: | ||
any: | ||
- resources: | ||
kinds: | ||
- Pod | ||
operations: | ||
- CREATE | ||
- UPDATE | ||
validate: | ||
cel: | ||
expressions: | ||
- expression: >- | ||
!has(object.spec.securityContext) || | ||
!has(object.spec.securityContext.supplementalGroups) || | ||
object.spec.securityContext.supplementalGroups.all(supplementalGroup, (supplementalGroup >= 100 && supplementalGroup <= 200) || (supplementalGroup >= 500 && supplementalGroup <= 600)) | ||
message: Any supplementalGroup ID must be within the range 100-200 or 500-600. | ||
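Review bot: the static `message` does not tell the requester which supplementalGroup value was rejected; a `messageExpression` that lists the entries falling outside 100-200 and 500-600 would make Audit reports and admission denials actionable. The `has()` guards correctly admit Pods with no `securityContext` or no `supplementalGroups`, and `runAsGroup`/`fsGroup` are rightly out of scope for this rule. The same redundant "allowed ... which were allowed" wording from artifacthub-pkg.yml appears in the description annotation here.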