diff --git a/.chainsaw.yaml b/.chainsaw.yaml
index b0ecc8115..946fb50d0 100755
--- a/.chainsaw.yaml
+++ b/.chainsaw.yaml
@@ -16,4 +16,4 @@ spec:
 fullName: true
 forceTerminationGracePeriod: 5s
 delayBeforeCleanup: 3s
-
+ template: false
\ No newline at end of file
diff --git a/.chainsaw/crds/vpa.yaml b/.chainsaw/crds/vpa.yaml
deleted file mode 100644
index 93092ee1e..000000000
--- a/.chainsaw/crds/vpa.yaml
+++ /dev/null
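Review bot: The added `template: false` line is written without a trailing newline (`\ No newline at end of file`), so the next edit to `.chainsaw.yaml` will produce a noisy diff; add the newline. The line also replaces a blank line rather than being documented, and disabling templating affects every chainsaw test in the tree that relies on bindings in its resource files; a short comment above it, e.g. `# templating disabled: test resources are applied verbatim`, or a sentence in the commit description would help the next reader understand why.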
@@ -1,786 +0,0 @@ ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - api-approved.kubernetes.io: https://github.com/kubernetes/kubernetes/pull/63797 - controller-gen.kubebuilder.io/version: v0.9.2 - creationTimestamp: null - name: verticalpodautoscalercheckpoints.autoscaling.k8s.io -spec: - group: autoscaling.k8s.io - names: - kind: VerticalPodAutoscalerCheckpoint - listKind: VerticalPodAutoscalerCheckpointList - plural: verticalpodautoscalercheckpoints - shortNames: - - vpacheckpoint - singular: verticalpodautoscalercheckpoint - scope: Namespaced - versions: - - name: v1 - schema: - openAPIV3Schema: - description: VerticalPodAutoscalerCheckpoint is the checkpoint of the internal - state of VPA that is used for recovery after recommender's restart. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: 'Specification of the checkpoint. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status.' - properties: - containerName: - description: Name of the checkpointed container. - type: string - vpaObjectName: - description: Name of the VPA object that stored VerticalPodAutoscalerCheckpoint - object. - type: string - type: object - status: - description: Data of the checkpoint. 
- properties: - cpuHistogram: - description: Checkpoint of histogram for consumption of CPU. - properties: - bucketWeights: - description: Map from bucket index to bucket weight. - type: object - x-kubernetes-preserve-unknown-fields: true - referenceTimestamp: - description: Reference timestamp for samples collected within - this histogram. - format: date-time - nullable: true - type: string - totalWeight: - description: Sum of samples to be used as denominator for weights - from BucketWeights. - type: number - type: object - firstSampleStart: - description: Timestamp of the fist sample from the histograms. - format: date-time - nullable: true - type: string - lastSampleStart: - description: Timestamp of the last sample from the histograms. - format: date-time - nullable: true - type: string - lastUpdateTime: - description: The time when the status was last refreshed. - format: date-time - nullable: true - type: string - memoryHistogram: - description: Checkpoint of histogram for consumption of memory. - properties: - bucketWeights: - description: Map from bucket index to bucket weight. - type: object - x-kubernetes-preserve-unknown-fields: true - referenceTimestamp: - description: Reference timestamp for samples collected within - this histogram. - format: date-time - nullable: true - type: string - totalWeight: - description: Sum of samples to be used as denominator for weights - from BucketWeights. - type: number - type: object - totalSamplesCount: - description: Total number of samples in the histograms. - type: integer - version: - description: Version of the format of the stored data. - type: string - type: object - type: object - served: true - storage: true - - name: v1beta2 - schema: - openAPIV3Schema: - description: VerticalPodAutoscalerCheckpoint is the checkpoint of the internal - state of VPA that is used for recovery after recommender's restart. 
- properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: 'Specification of the checkpoint. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status.' - properties: - containerName: - description: Name of the checkpointed container. - type: string - vpaObjectName: - description: Name of the VPA object that stored VerticalPodAutoscalerCheckpoint - object. - type: string - type: object - status: - description: Data of the checkpoint. - properties: - cpuHistogram: - description: Checkpoint of histogram for consumption of CPU. - properties: - bucketWeights: - description: Map from bucket index to bucket weight. - type: object - x-kubernetes-preserve-unknown-fields: true - referenceTimestamp: - description: Reference timestamp for samples collected within - this histogram. - format: date-time - nullable: true - type: string - totalWeight: - description: Sum of samples to be used as denominator for weights - from BucketWeights. - type: number - type: object - firstSampleStart: - description: Timestamp of the fist sample from the histograms. - format: date-time - nullable: true - type: string - lastSampleStart: - description: Timestamp of the last sample from the histograms. 
- format: date-time - nullable: true - type: string - lastUpdateTime: - description: The time when the status was last refreshed. - format: date-time - nullable: true - type: string - memoryHistogram: - description: Checkpoint of histogram for consumption of memory. - properties: - bucketWeights: - description: Map from bucket index to bucket weight. - type: object - x-kubernetes-preserve-unknown-fields: true - referenceTimestamp: - description: Reference timestamp for samples collected within - this histogram. - format: date-time - nullable: true - type: string - totalWeight: - description: Sum of samples to be used as denominator for weights - from BucketWeights. - type: number - type: object - totalSamplesCount: - description: Total number of samples in the histograms. - type: integer - version: - description: Version of the format of the stored data. - type: string - type: object - type: object - served: true - storage: false ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - api-approved.kubernetes.io: https://github.com/kubernetes/kubernetes/pull/63797 - controller-gen.kubebuilder.io/version: v0.9.2 - creationTimestamp: null - name: verticalpodautoscalers.autoscaling.k8s.io -spec: - group: autoscaling.k8s.io - names: - kind: VerticalPodAutoscaler - listKind: VerticalPodAutoscalerList - plural: verticalpodautoscalers - shortNames: - - vpa - singular: verticalpodautoscaler - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .spec.updatePolicy.updateMode - name: Mode - type: string - - jsonPath: .status.recommendation.containerRecommendations[0].target.cpu - name: CPU - type: string - - jsonPath: .status.recommendation.containerRecommendations[0].target.memory - name: Mem - type: string - - jsonPath: .status.conditions[?(@.type=='RecommendationProvided')].status - name: Provided - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1 - schema: - 
openAPIV3Schema: - description: VerticalPodAutoscaler is the configuration for a vertical pod - autoscaler, which automatically manages pod resources based on historical - and real time resource utilization. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: 'Specification of the behavior of the autoscaler. More info: - https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status.' - properties: - recommenders: - description: Recommender responsible for generating recommendation - for this object. List should be empty (then the default recommender - will generate the recommendation) or contain exactly one recommender. - items: - description: VerticalPodAutoscalerRecommenderSelector points to - a specific Vertical Pod Autoscaler recommender. In the future - it might pass parameters to the recommender. - properties: - name: - description: Name of the recommender responsible for generating - recommendation for this object. - type: string - required: - - name - type: object - type: array - resourcePolicy: - description: Controls how the autoscaler computes recommended resources. - The resource policy may be used to set constraints on the recommendations - for individual containers. 
If not specified, the autoscaler computes - recommended resources for all containers in the pod, without additional - constraints. - properties: - containerPolicies: - description: Per-container resource policies. - items: - description: ContainerResourcePolicy controls how autoscaler - computes the recommended resources for a specific container. - properties: - containerName: - description: Name of the container or DefaultContainerResourcePolicy, - in which case the policy is used by the containers that - don't have their own policy specified. - type: string - controlledResources: - description: Specifies the type of recommendations that - will be computed (and possibly applied) by VPA. If not - specified, the default of [ResourceCPU, ResourceMemory] - will be used. - items: - description: ResourceName is the name identifying various - resources in a ResourceList. - type: string - type: array - controlledValues: - description: Specifies which resource values should be controlled. - The default is "RequestsAndLimits". - enum: - - RequestsAndLimits - - RequestsOnly - type: string - maxAllowed: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: Specifies the maximum amount of resources that - will be recommended for the container. The default is - no maximum. - type: object - minAllowed: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: Specifies the minimal amount of resources that - will be recommended for the container. The default is - no minimum. - type: object - mode: - description: Whether autoscaler is enabled for the container. - The default is "Auto". 
- enum: - - Auto - - "Off" - type: string - type: object - type: array - type: object - targetRef: - description: TargetRef points to the controller managing the set of - pods for the autoscaler to control - e.g. Deployment, StatefulSet. - VerticalPodAutoscaler can be targeted at controller implementing - scale subresource (the pod set is retrieved from the controller's - ScaleStatus) or some well known controllers (e.g. for DaemonSet - the pod set is read from the controller's spec). If VerticalPodAutoscaler - cannot use specified target it will report ConfigUnsupported condition. - Note that VerticalPodAutoscaler does not require full implementation - of scale subresource - it will not use it to modify the replica - count. The only thing retrieved is a label selector matching pods - grouped by the target resource. - properties: - apiVersion: - description: API version of the referent - type: string - kind: - description: 'Kind of the referent; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - name: - description: 'Name of the referent; More info: http://kubernetes.io/docs/user-guide/identifiers#names' - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - updatePolicy: - description: Describes the rules on how changes are applied to the - pods. If not specified, all fields in the `PodUpdatePolicy` are - set to their default values. - properties: - evictionRequirements: - description: EvictionRequirements is a list of EvictionRequirements - that need to evaluate to true in order for a Pod to be evicted. - If more than one EvictionRequirement is specified, all of them - need to be fulfilled to allow eviction. 
- items: - description: EvictionRequirement defines a single condition - which needs to be true in order to evict a Pod - properties: - changeRequirement: - description: EvictionChangeRequirement refers to the relationship - between the new target recommendation for a Pod and its - current requests, what kind of change is necessary for - the Pod to be evicted - enum: - - TargetHigherThanRequests - - TargetLowerThanRequests - type: string - resource: - description: Resources is a list of one or more resources - that the condition applies to. If more than one resource - is given, the EvictionRequirement is fulfilled if at least - one resource meets `changeRequirement`. - items: - description: ResourceName is the name identifying various - resources in a ResourceList. - type: string - type: array - required: - - changeRequirement - - resource - type: object - type: array - minReplicas: - description: Minimal number of replicas which need to be alive - for Updater to attempt pod eviction (pending other checks like - PDB). Only positive values are allowed. Overrides global '--min-replicas' - flag. - format: int32 - type: integer - updateMode: - description: Controls when autoscaler applies changes to the pod - resources. The default is 'Auto'. - enum: - - "Off" - - Initial - - Recreate - - Auto - type: string - type: object - required: - - targetRef - type: object - status: - description: Current information about the autoscaler. - properties: - conditions: - description: Conditions is the set of conditions required for this - autoscaler to scale its target, and indicates whether or not those - conditions are met. - items: - description: VerticalPodAutoscalerCondition describes the state - of a VerticalPodAutoscaler at a certain point. 
- properties: - lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another - format: date-time - type: string - message: - description: message is a human-readable explanation containing - details about the transition - type: string - reason: - description: reason is the reason for the condition's last transition. - type: string - status: - description: status is the status of the condition (True, False, - Unknown) - type: string - type: - description: type describes the current condition - type: string - required: - - status - - type - type: object - type: array - recommendation: - description: The most recently computed amount of resources recommended - by the autoscaler for the controlled pods. - properties: - containerRecommendations: - description: Resources recommended by the autoscaler for each - container. - items: - description: RecommendedContainerResources is the recommendation - of resources computed by autoscaler for a specific container. - Respects the container resource policy if present in the spec. - In particular the recommendation is not produced for containers - with `ContainerScalingMode` set to 'Off'. - properties: - containerName: - description: Name of the container. - type: string - lowerBound: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: Minimum recommended amount of resources. Observes - ContainerResourcePolicy. This amount is not guaranteed - to be sufficient for the application to operate in a stable - way, however running with less resources is likely to - have significant impact on performance/availability. 
- type: object - target: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: Recommended amount of resources. Observes ContainerResourcePolicy. - type: object - uncappedTarget: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: The most recent recommended resources target - computed by the autoscaler for the controlled pods, based - only on actual resource usage, not taking into account - the ContainerResourcePolicy. May differ from the Recommendation - if the actual resource usage causes the target to violate - the ContainerResourcePolicy (lower than MinAllowed or - higher that MaxAllowed). Used only as status indication, - will not affect actual resource assignment. - type: object - upperBound: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: Maximum recommended amount of resources. Observes - ContainerResourcePolicy. Any resources allocated beyond - this value are likely wasted. This value may be larger - than the maximum amount of application is actually capable - of consuming. 
- type: object - required: - - target - type: object - type: array - type: object - type: object - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} - - deprecated: true - deprecationWarning: autoscaling.k8s.io/v1beta2 API is deprecated - name: v1beta2 - schema: - openAPIV3Schema: - description: VerticalPodAutoscaler is the configuration for a vertical pod - autoscaler, which automatically manages pod resources based on historical - and real time resource utilization. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: 'Specification of the behavior of the autoscaler. More info: - https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status.' - properties: - resourcePolicy: - description: Controls how the autoscaler computes recommended resources. - The resource policy may be used to set constraints on the recommendations - for individual containers. If not specified, the autoscaler computes - recommended resources for all containers in the pod, without additional - constraints. - properties: - containerPolicies: - description: Per-container resource policies. - items: - description: ContainerResourcePolicy controls how autoscaler - computes the recommended resources for a specific container. 
- properties: - containerName: - description: Name of the container or DefaultContainerResourcePolicy, - in which case the policy is used by the containers that - don't have their own policy specified. - type: string - maxAllowed: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: Specifies the maximum amount of resources that - will be recommended for the container. The default is - no maximum. - type: object - minAllowed: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: Specifies the minimal amount of resources that - will be recommended for the container. The default is - no minimum. - type: object - mode: - description: Whether autoscaler is enabled for the container. - The default is "Auto". - enum: - - Auto - - "Off" - type: string - type: object - type: array - type: object - targetRef: - description: TargetRef points to the controller managing the set of - pods for the autoscaler to control - e.g. Deployment, StatefulSet. - VerticalPodAutoscaler can be targeted at controller implementing - scale subresource (the pod set is retrieved from the controller's - ScaleStatus) or some well known controllers (e.g. for DaemonSet - the pod set is read from the controller's spec). If VerticalPodAutoscaler - cannot use specified target it will report ConfigUnsupported condition. - Note that VerticalPodAutoscaler does not require full implementation - of scale subresource - it will not use it to modify the replica - count. The only thing retrieved is a label selector matching pods - grouped by the target resource. 
- properties: - apiVersion: - description: API version of the referent - type: string - kind: - description: 'Kind of the referent; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - name: - description: 'Name of the referent; More info: http://kubernetes.io/docs/user-guide/identifiers#names' - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - updatePolicy: - description: Describes the rules on how changes are applied to the - pods. If not specified, all fields in the `PodUpdatePolicy` are - set to their default values. - properties: - updateMode: - description: Controls when autoscaler applies changes to the pod - resources. The default is 'Auto'. - enum: - - "Off" - - Initial - - Recreate - - Auto - type: string - type: object - required: - - targetRef - type: object - status: - description: Current information about the autoscaler. - properties: - conditions: - description: Conditions is the set of conditions required for this - autoscaler to scale its target, and indicates whether or not those - conditions are met. - items: - description: VerticalPodAutoscalerCondition describes the state - of a VerticalPodAutoscaler at a certain point. - properties: - lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another - format: date-time - type: string - message: - description: message is a human-readable explanation containing - details about the transition - type: string - reason: - description: reason is the reason for the condition's last transition. 
- type: string - status: - description: status is the status of the condition (True, False, - Unknown) - type: string - type: - description: type describes the current condition - type: string - required: - - status - - type - type: object - type: array - recommendation: - description: The most recently computed amount of resources recommended - by the autoscaler for the controlled pods. - properties: - containerRecommendations: - description: Resources recommended by the autoscaler for each - container. - items: - description: RecommendedContainerResources is the recommendation - of resources computed by autoscaler for a specific container. - Respects the container resource policy if present in the spec. - In particular the recommendation is not produced for containers - with `ContainerScalingMode` set to 'Off'. - properties: - containerName: - description: Name of the container. - type: string - lowerBound: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: Minimum recommended amount of resources. Observes - ContainerResourcePolicy. This amount is not guaranteed - to be sufficient for the application to operate in a stable - way, however running with less resources is likely to - have significant impact on performance/availability. - type: object - target: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: Recommended amount of resources. Observes ContainerResourcePolicy. 
- type: object - uncappedTarget: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: The most recent recommended resources target - computed by the autoscaler for the controlled pods, based - only on actual resource usage, not taking into account - the ContainerResourcePolicy. May differ from the Recommendation - if the actual resource usage causes the target to violate - the ContainerResourcePolicy (lower than MinAllowed or - higher that MaxAllowed). Used only as status indication, - will not affect actual resource assignment. - type: object - upperBound: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: Maximum recommended amount of resources. Observes - ContainerResourcePolicy. Any resources allocated beyond - this value are likely wasted. This value may be larger - than the maximum amount of application is actually capable - of consuming. - type: object - required: - - target - type: object - type: array - type: object - type: object - required: - - spec - type: object - served: true - storage: false - subresources: - status: {} diff --git a/.github/ISSUE_TEMPLATE/bug_report.yml b/.github/ISSUE_TEMPLATE/bug_report.yml index eb3bf8a23..651ff640a 100644 --- a/.github/ISSUE_TEMPLATE/bug_report.yml +++ b/.github/ISSUE_TEMPLATE/bug_report.yml @@ -13,12 +13,11 @@ body: label: Kyverno Version description: What version of Kyverno are you running? options: - - "1.7" - - "1.8" - - "1.9" - - "1.10" - - "1.11" - - "1.12" + - 1.6.x + - 1.7.x + - 1.8.x + - 1.9.x + - 1.10.x validations: required: true - type: dropdown 
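Review bot: The new Kyverno option list in this hunk drops `"1.11"` and `"1.12"` (and the Kubernetes hunk that follows drops `"1.28"` and `"1.29"`), so a reporter running one of the newer releases has no matching dropdown entry and the template loses the information it exists to collect. This looks like a revert of an earlier update rather than a deliberate narrowing; if it is intentional, say so in the commit description, otherwise keep the newer entries alongside the `x.y.x` form, e.g. `- 1.11.x` and `- 1.12.x`. The unquoted `1.6.x` values are safe as YAML because the `.x` suffix keeps them strings, but the quoted form the old lines used is the more robust convention if a plain two-part version is ever added again.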
@@ -27,16 +26,14 @@ body:
 label: Kubernetes Version
 description: What version of Kubernetes are you running?
 options:
- - "1.20"
- - "1.21"
- - "1.22"
- - "1.23"
- - "1.24"
- - "1.25"
- - "1.26"
- - "1.27"
- - "1.28"
- - "1.29"
+ - 1.20.x
+ - 1.21.x
+ - 1.22.x
+ - 1.23.x
+ - 1.24.x
+ - 1.25.x
+ - 1.26.x
+ - 1.27.x
 validations:
 required: true
 - type: dropdown
diff --git a/.github/actions/run-tests/action.yaml b/.github/actions/run-tests/action.yaml
deleted file mode 100644
index e33289a1f..000000000
--- a/.github/actions/run-tests/action.yaml
+++ /dev/null
@@ -1,20 +0,0 @@
-name: "Runs E2E Tests"
-description: "Runs E2E tests using chainsaw"
-inputs:
- tests:
- description: "Test regex"
- required: true
-runs:
- using: "composite"
- steps:
- - name: Install Cosign
- uses: sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382 # v3.6.0
- - name: Install Chainsaw
- uses: kyverno/action-install-chainsaw@b2f61a8d0459a65c476ac802514d88e1612b3396 # v0.2.9
- with:
- verify: true
- - name: Test with Chainsaw
- shell: bash
- run: |
- set -e
- chainsaw test --config .chainsaw.yaml --include-test-regex '^chainsaw$/${{ inputs.tests }}' --no-color=false
diff --git a/.github/actions/setup-env/action.yaml b/.github/actions/setup-env/action.yaml
deleted file mode 100644
index 8bdbd708a..000000000
--- a/.github/actions/setup-env/action.yaml
+++ /dev/null
@@ -1,51 +0,0 @@
-name: "Setup Environment for E2E Tests"
-description: "Sets up the environment for the E2E workflows"
-inputs:
- k8s-version:
- description: "Kubernetes version"
- required: true
-runs:
- using: "composite"
- steps:
- - name: Setup Go
- uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
- with:
- go-version: ~1.21.1
- - name: Install Tools
- shell: bash
- run: |
- set -e
- curl -LO "https://dl.k8s.io/release/${{ inputs.k8s-version }}/bin/linux/amd64/kubectl"
- sudo install -o root -g root -m 0755 kubectl /usr/local/bin/kubectl
- - name: Install kind
- shell: bash
- run: |
- set -e
- # For AMD64 / x86_64
- [ $(uname -m) = x86_64 ] && curl -Lo ./kind https://kind.sigs.k8s.io/dl/v0.20.0/kind-linux-amd64
- # For ARM64
- [ $(uname -m) = aarch64 ] && curl -Lo ./kind https://kind.sigs.k8s.io/dl/v0.20.0/kind-linux-arm64
- chmod +x ./kind
- sudo mv ./kind /usr/local/bin/kind
- - name: Install latest Kyverno CLI
- uses: kyverno/action-install-cli@fcee92fca5c883169ef9927acf543e0b5fc58289 # v0.2.0
- - name: Create kind cluster
- shell: bash
- run: |
- set -e
- kind create cluster --image kindest/node:${{ inputs.k8s-version }} --config ./.github/kind.yml
- - name: Install latest kyverno
- shell: bash
- run: |
- set -e
- kubectl create -f https://github.com/kyverno/kyverno/raw/main/config/install-latest-testing.yaml
- - name: Wait for kyverno ready
- shell: bash
- run: |
- set -e
- kubectl wait --namespace kyverno --for=condition=ready pod --selector '!job-name' --timeout=60s
- - name: Install CRDs
- shell: bash
- run: |
- set -e
- kubectl apply -f ./.chainsaw/crds
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 980b164e5..86a2b2050 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -1,8 +1,6 @@
 version: 2
 updates:
 - package-ecosystem: github-actions
- directories:
- - /
- - /.github/actions/*/
+ directory: /
 schedule:
 interval: daily
\ No newline at end of file
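Review bot: The rewritten `dependabot.yml` still ends without a trailing newline (`\ No newline at end of file`); add it so the file round-trips cleanly through editors and linters. Narrowing `directories` to `directory: /` is consistent with this commit deleting the composite actions under `.github/actions/`, but it silently stops update coverage for any composite action added there later; a one-line comment such as `# only workflow files are scanned; re-add /.github/actions/*/ if composite actions return` would keep that visible.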
diff --git a/.github/kind.yml b/.github/kind.yml
index 1f6e2eee6..9438061e5 100644
--- a/.github/kind.yml
+++ b/.github/kind.yml
@@ -1,7 +1,5 @@
 kind: Cluster
 apiVersion: kind.x-k8s.io/v1alpha4
-featureGates:
- ProcMountType: true
 kubeadmConfigPatches:
 - |-
 kind: ClusterConfiguration
diff --git a/.github/workflows/cel-test.yml b/.github/workflows/cel-test.yml
deleted file mode 100644
index ea42bfd75..000000000
--- a/.github/workflows/cel-test.yml
+++ /dev/null
@@ -1,66 +0,0 @@
-name: E2E Tests - CEL
-
-permissions: {}
-
-on:
- workflow_dispatch: {}
- pull_request:
- branches:
- - 'main'
-
-concurrency:
- group: ${{ github.workflow }}-${{ github.ref }}
- cancel-in-progress: true
-
-jobs:
- chainsaw:
- strategy:
- fail-fast: false
- matrix:
- k8s-version:
- - name: v1.28
- version: v1.28.13
- - name: v1.29
- version: v1.29.8
- - name: v1.30
- version: v1.30.4
- - name: v1.31
- version: v1.31.0
- tests:
- - ^argo-cel$
- - ^aws-cel$
- - ^best-practices-cel$
- - ^consul-cel$
- - ^flux-cel$
- - ^istio-cel$
- - ^kasten-cel$
- - ^kubecost-cel$
- - ^linkerd-cel$
- - ^nginx-ingress-cel$
- - ^openshift-cel$
- - ^other-cel$/^a
- - ^other-cel$/^[b-d]
- - ^other-cel$/^[e-l]
- - ^other-cel$/^[m-q]
- - ^other-cel$/^re[c-q]
- - ^other-cel$/^res
- - ^other-cel$/^[s-z]
- - ^pod-security-cel$
- - ^psa-cel$
- - ^psp-migration-cel$
- - ^traefik-cel$
- - ^tekton-cel$
- - ^velero-cel$
- runs-on: ubuntu-latest
- name: ${{ matrix.k8s-version.name }} - ${{ matrix.tests }}
- steps:
- - name: Checkout
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- - name: Setup Environment
- uses: ./.github/actions/setup-env
- with:
- k8s-version: ${{ matrix.k8s-version.version }}
- - name: Run CEL Tests
- uses: ./.github/actions/run-tests
- with:
- tests: ${{ matrix.tests }}
diff --git a/.github/workflows/check-actions.yaml b/.github/workflows/check-actions.yaml
index 8149e8105..3ee1b8d45 100644
--- a/.github/workflows/check-actions.yaml
+++ b/.github/workflows/check-actions.yaml
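Review bot: Removing `featureGates: ProcMountType: true` from the kind cluster config is not explained anywhere in the hunk, and it changes what the test API server accepts for `securityContext.procMount`. Leaving the gate off is the more restrictive default for a CI cluster, which is fine from a hardening standpoint, but any chainsaw test that exercises a policy against a non-default `procMount` value will presumably no longer see the field it expects; confirm that no test in the tree depends on it. A comment at the top of the file, e.g. `# no feature gates: tests must run against a default-configured API server`, would record the intent.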
@@ -16,9 +16,9 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 - name: Ensure SHA pinned actions
- uses: zgosalvez/github-actions-ensure-sha-pinned-actions@0901cf7b71c7ea6261ec69a3dc2bd3f9264f893e # v3.0.12
+ uses: zgosalvez/github-actions-ensure-sha-pinned-actions@ba37328d4ea95eaf8b3bd6c6cef308f709a5f2ec # v3.0.3
 with:
 allowlist: |
 kyverno/chainsaw
diff --git a/.github/workflows/check-codegen.yml b/.github/workflows/check-codegen.yml
deleted file mode 100644
index 8bc48606f..000000000
--- a/.github/workflows/check-codegen.yml
+++ /dev/null
@@ -1,33 +0,0 @@
-name: Verify codegen
-
-permissions: {}
-
-on:
- pull_request:
- branches:
- - main
-
-concurrency:
- group: ${{ github.workflow }}-${{ github.ref }}
- cancel-in-progress: true
-
-jobs:
- verify-e2e-workflow:
- runs-on: ubuntu-latest
- steps:
- - name: Checkout
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- - name: Set up Go
- uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
- with:
- go-version-file: .hack/chainsaw-matrix/go.mod
- cache-dependency-path: .hack/chainsaw-matrix/go.sum
- - name: Generate workflow
- run: |
- set -e
- (cd .hack/chainsaw-matrix && go run . > ../../.github/workflows/test.yml)
- - name: Check diff
- run: |
- set -e
- git --no-pager diff .
- git diff --quiet --exit-code .
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 056dd9607..83d35e6d6 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
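Review bot: Both replaced `uses:` lines move a SHA-pinned action to an older release (actions/checkout v4.1.7 → v4.1.1, ensure-sha-pinned-actions v3.0.12 → v3.0.3), and the same downgrade recurs in both ci.yml hunks and in the new test.yml job; the second one is the action that enforces SHA pinning for this repository, so rolling it back also discards whatever checks it gained after v3.0.3. If this is a deliberate revert, say so in the commit message and annotate the line, e.g. `# held at v3.0.3: <reason>`; if it is a rebase artefact, the newer SHAs on the removed lines are the ones to keep. The versions are only traceable through the trailing comments, so keep those accurate whenever a SHA changes.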
@@ -16,38 +16,25 @@ concurrency:
 cancel-in-progress: true
 jobs:
- artifacthub-lint:
- runs-on: ubuntu-latest
- container:
- image: artifacthub/ah
- options: --user root
- steps:
- - name: Checkout code
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- with:
- path: policies
- name: Run ah lint
- working-directory: .
- run: ah lint -k kyverno
 test:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 with:
 path: policies
 - name: Validate all policies
 run: ./.hack/verify-files-structure.sh
 working-directory: policies
 - name: Clone Kyverno
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 with:
 repository: kyverno/kyverno
 path: kyverno
 # The target branch of a pull request or the branch/tag of a push
 ref: ${{ github.base_ref || github.ref_name }}
 - name: Set up Go
- uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
+ uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
 with:
 go-version: ~1.21.1
 - name: Test Policy
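Review bot: Deleting the `artifacthub-lint` job leaves no step that runs `ah lint -k kyverno`, and no replacement appears anywhere in this diff, so Artifact Hub metadata errors in policy packages will no longer fail CI. If the job was removed because the `artifacthub/ah` container reference carries no tag or digest (an unpinned image running as `--user root`), the fix is to pin it, e.g. `image: artifacthub/ah:<pinned-version>` or a digest, rather than to drop the check; if the lint is genuinely obsolete, a one-line note in the commit message saying what replaces it would let the next reader stop looking. The action SHA downgrades in this hunk are the same as those raised on check-actions.yaml.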
@@ -58,18 +45,18 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 with:
 path: policies
 - name: Checkout Kyverno
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 with:
 repository: kyverno/kyverno
 path: kyverno
 # The target branch of a pull request or the branch/tag of a push
 ref: ${{ github.base_ref || github.ref_name }}
 - name: Set up Go
- uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
+ uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
 with:
 go-version: ~1.21.1
 - name: Lint policies
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index bc8a7d075..9ca5040bd 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -1,8 +1,3 @@
-# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
-
-# to update the workflow jobs, run the script below from the repository root:
-# `(cd .hack/chainsaw-matrix && go run . > ../../.github/workflows/test.yml)`
-
 name: E2E Tests
 permissions: {}
@@ -11,841 +6,108 @@ on:
 workflow_dispatch: {}
 pull_request:
 branches:
- - 'main'
+ - main
+ - release-*
 concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: true
 jobs:
- argo:
- strategy:
- fail-fast: false
- matrix:
- k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ]
- runs-on: ubuntu-latest
- steps:
- - name: Checkout
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- - name: Setup Environment
- uses: ./.github/actions/setup-env
- with:
- k8s-version: ${{ matrix.k8s-version }}
- - name: Run Tests
- uses: ./.github/actions/run-tests
- with:
- tests: ^argo$/^(application-field-validation|application-prevent-default-project|application-prevent-updates-project|applicationset-name-matches-project|appproject-clusterresourceblacklist|argo-cluster-generation-from-rancher-capi)$
- aws:
- strategy:
- fail-fast: false
- matrix:
- k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ]
- runs-on: ubuntu-latest
- steps:
- - name: Checkout
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- - name: Setup Environment
- uses: ./.github/actions/setup-env
- with:
- k8s-version: ${{ matrix.k8s-version }}
- - name: Run Tests
- uses: ./.github/actions/run-tests
- with:
- tests: ^aws$/^(require-encryption-aws-loadbalancers)$
- best-practices:
- strategy:
- fail-fast: false
- matrix:
- k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ]
- runs-on: ubuntu-latest
- steps:
- - name: Checkout
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- - name: Setup Environment
- uses: ./.github/actions/setup-env
- with:
- k8s-version: ${{ matrix.k8s-version }}
- - name: Run Tests
- uses: ./.github/actions/run-tests
- with:
- tests: 
^best-practices$/^(add-network-policy|add-networkpolicy-dns|add-ns-quota|add-rolebinding|add-safe-to-evict|disallow-cri-sock-mount|disallow-default-namespace|disallow-empty-ingress-host|disallow-helm-tiller|disallow-latest-tag|require-drop-all|require-drop-cap-net-raw)$ - best-practices-12: - strategy: - fail-fast: false - matrix: - k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ] - runs-on: ubuntu-latest - steps: - - name: Checkout - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - - name: Setup Environment - uses: ./.github/actions/setup-env - with: - k8s-version: ${{ matrix.k8s-version }} - - name: Run Tests - uses: ./.github/actions/run-tests - with: - tests: ^best-practices$/^(require-labels|require-pod-requests-limits|require-probes|require-ro-rootfs|restrict-image-registries|restrict-node-port|restrict-service-external-ips)$ - castai: - strategy: - fail-fast: false - matrix: - k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ] - runs-on: ubuntu-latest - steps: - - name: Checkout - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - - name: Setup Environment - uses: ./.github/actions/setup-env - with: - k8s-version: ${{ matrix.k8s-version }} - - name: Run Tests - uses: ./.github/actions/run-tests - with: - tests: ^castai$/^(add-castai-removal-disabled)$ - cert-manager: - strategy: - fail-fast: false - matrix: - k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ] - runs-on: ubuntu-latest - steps: - - name: Checkout - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - - name: Setup Environment - uses: ./.github/actions/setup-env - with: - k8s-version: ${{ matrix.k8s-version }} - - name: Run Tests - uses: ./.github/actions/run-tests - with: - tests: ^cert-manager$/^(limit-dnsnames|limit-duration|restrict-issuer)$ - cleanup: - strategy: - fail-fast: false - matrix: - k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ] - runs-on: ubuntu-latest - steps: - - name: Checkout - uses: 
actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - - name: Setup Environment - uses: ./.github/actions/setup-env - with: - k8s-version: ${{ matrix.k8s-version }} - - name: Run Tests - uses: ./.github/actions/run-tests - with: - tests: ^cleanup$/^(cleanup-bare-pods|cleanup-empty-replicasets)$ - consul: - strategy: - fail-fast: false - matrix: - k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ] - runs-on: ubuntu-latest - steps: - - name: Checkout - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - - name: Setup Environment - uses: ./.github/actions/setup-env - with: - k8s-version: ${{ matrix.k8s-version }} - - name: Run Tests - uses: ./.github/actions/run-tests - with: - tests: ^consul$/^(enforce-min-tls-version)$ - external-secret-operator: - strategy: - fail-fast: false - matrix: - k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ] - runs-on: ubuntu-latest - steps: - - name: Checkout - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - - name: Setup Environment - uses: ./.github/actions/setup-env - with: - k8s-version: ${{ matrix.k8s-version }} - - name: Run Tests - uses: ./.github/actions/run-tests - with: - tests: ^external-secret-operator$/^(add-external-secret-prefix)$ - flux: - strategy: - fail-fast: false - matrix: - k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ] - runs-on: ubuntu-latest - steps: - - name: Checkout - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - - name: Setup Environment - uses: ./.github/actions/setup-env - with: - k8s-version: ${{ matrix.k8s-version }} - - name: Run Tests - uses: ./.github/actions/run-tests - with: - tests: ^flux$/^(generate-flux-multi-tenant-resources|verify-flux-images|verify-flux-sources|verify-git-repositories)$ - istio: - strategy: - fail-fast: false - matrix: - k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ] - runs-on: ubuntu-latest - steps: - - name: Checkout - uses: 
actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - - name: Setup Environment - uses: ./.github/actions/setup-env - with: - k8s-version: ${{ matrix.k8s-version }} - - name: Run Tests - uses: ./.github/actions/run-tests - with: - tests: ^istio$/^(add-ambient-mode-namespace|add-sidecar-injection-namespace|create-authorizationpolicy|enforce-ambient-mode-namespace|enforce-sidecar-injection-namespace|enforce-strict-mtls|enforce-tls-hosts-host-subnets|prevent-disabling-injection-pods|require-authorizationpolicy|restrict-virtual-service-wildcard|service-mesh-disallow-capabilities|service-mesh-require-run-as-nonroot)$ - karpenter: - strategy: - fail-fast: false - matrix: - k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ] - runs-on: ubuntu-latest - steps: - - name: Checkout - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - - name: Setup Environment - uses: ./.github/actions/setup-env - with: - k8s-version: ${{ matrix.k8s-version }} - - name: Run Tests - uses: ./.github/actions/run-tests - with: - tests: ^karpenter$/^(add-karpenter-daemonset-priority-class|add-karpenter-donot-evict|add-karpenter-nodeselector|set-karpenter-non-cpu-limits)$ - kasten: - strategy: - fail-fast: false - matrix: - k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ] - runs-on: ubuntu-latest - steps: - - name: Checkout - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - - name: Setup Environment - uses: ./.github/actions/setup-env - with: - k8s-version: ${{ matrix.k8s-version }} - - name: Run Tests - uses: ./.github/actions/run-tests - with: - tests: ^kasten$/^(kasten-3-2-1-backup|kasten-data-protection-by-label|kasten-generate-policy-by-preset-label|kasten-hourly-rpo|kasten-minimum-retention|kasten-validate-ns-by-preset-label)$ - kubecost: - strategy: - fail-fast: false - matrix: - k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ] - runs-on: ubuntu-latest - steps: - - name: Checkout - uses: 
actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - - name: Setup Environment - uses: ./.github/actions/setup-env - with: - k8s-version: ${{ matrix.k8s-version }} - - name: Run Tests - uses: ./.github/actions/run-tests - with: - tests: ^kubecost$/^(enable-kubecost-continuous-rightsizing|require-kubecost-labels)$ - kubeops: - strategy: - fail-fast: false - matrix: - k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ] - runs-on: ubuntu-latest - steps: - - name: Checkout - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - - name: Setup Environment - uses: ./.github/actions/setup-env - with: - k8s-version: ${{ matrix.k8s-version }} - - name: Run Tests - uses: ./.github/actions/run-tests - with: - tests: ^kubeops$/^(config-syncer-secret-generation-from-rancher-capi)$ - kubevirt: - strategy: - fail-fast: false - matrix: - k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ] - runs-on: ubuntu-latest - steps: - - name: Checkout - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - - name: Setup Environment - uses: ./.github/actions/setup-env - with: - k8s-version: ${{ matrix.k8s-version }} - - name: Run Tests - uses: ./.github/actions/run-tests - with: - tests: ^kubevirt$/^(add-services|enforce-instancetype)$ - linkerd: - strategy: - fail-fast: false - matrix: - k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ] - runs-on: ubuntu-latest - steps: - - name: Checkout - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - - name: Setup Environment - uses: ./.github/actions/setup-env - with: - k8s-version: ${{ matrix.k8s-version }} - - name: Run Tests - uses: ./.github/actions/run-tests - with: - tests: ^linkerd$/^(add-linkerd-mesh-injection|add-linkerd-policy-annotation|check-linkerd-authorizationpolicy|prevent-linkerd-pod-injection-override|prevent-linkerd-port-skipping|require-linkerd-mesh-injection|require-linkerd-server)$ - nginx-ingress: - strategy: - fail-fast: false - matrix: - 
k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ] - runs-on: ubuntu-latest - steps: - - name: Checkout - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - - name: Setup Environment - uses: ./.github/actions/setup-env - with: - k8s-version: ${{ matrix.k8s-version }} - - name: Run Tests - uses: ./.github/actions/run-tests - with: - tests: ^nginx-ingress$/^(disallow-ingress-nginx-custom-snippets|restrict-annotations|restrict-ingress-paths)$ - openshift: - strategy: - fail-fast: false - matrix: - k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ] - runs-on: ubuntu-latest - steps: - - name: Checkout - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - - name: Setup Environment - uses: ./.github/actions/setup-env - with: - k8s-version: ${{ matrix.k8s-version }} - - name: Run Tests - uses: ./.github/actions/run-tests - with: - tests: ^openshift$/^(check-routes|disallow-security-context-constraint-anyuid|disallow-self-provisioner-binding)$ - other: - strategy: - fail-fast: false - matrix: - k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ] - runs-on: ubuntu-latest - steps: - - name: Checkout - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - - name: Setup Environment - uses: ./.github/actions/setup-env - with: - k8s-version: ${{ matrix.k8s-version }} - - name: Run Tests - uses: ./.github/actions/run-tests - with: - tests: ^other$/^(add-certificates-volume|add-default-resources|add-default-securitycontext|add-emptydir-sizelimit|add-env-vars-from-cm|add-image-as-env-var|add-imagepullsecrets|add-imagepullsecrets-for-containers-and-initcontainers|add-labels|add-ndots|add-node-affinity|add-node-labels-pod)$ - other-12: - strategy: - fail-fast: false - matrix: - k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ] - runs-on: ubuntu-latest - steps: - - name: Checkout - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - - name: Setup Environment - uses: 
./.github/actions/setup-env - with: - k8s-version: ${{ matrix.k8s-version }} - - name: Run Tests - uses: ./.github/actions/run-tests - with: - tests: ^other$/^(add-nodeSelector|add-pod-priorityclassname|add-pod-proxies|add-tolerations|add-ttl-jobs|add-volume-deployment|advanced-restrict-image-registries|allowed-annotations|allowed-base-images|allowed-image-repos|allowed-label-changes|allowed-pod-priorities)$ - other-24: - strategy: - fail-fast: false - matrix: - k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ] - runs-on: ubuntu-latest - steps: - - name: Checkout - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - - name: Setup Environment - uses: ./.github/actions/setup-env - with: - k8s-version: ${{ matrix.k8s-version }} - - name: Run Tests - uses: ./.github/actions/run-tests - with: - tests: ^other$/^(always-pull-images|annotate-base-images|apply-pss-restricted-profile|audit-event-on-delete|audit-event-on-exec|block-cluster-admin-from-ns|block-ephemeral-containers|block-images-with-volumes|block-large-images|block-pod-exec-by-namespace|block-pod-exec-by-namespace-label|block-pod-exec-by-pod-and-container)$ - other-36: - strategy: - fail-fast: false - matrix: - k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ] - runs-on: ubuntu-latest - steps: - - name: Checkout - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - - name: Setup Environment - uses: ./.github/actions/setup-env - with: - k8s-version: ${{ matrix.k8s-version }} - - name: Run Tests - uses: ./.github/actions/run-tests - with: - tests: ^other$/^(block-pod-exec-by-pod-label|block-pod-exec-by-pod-name|block-stale-images|block-updates-deletes|check-env-vars|check-hpa-exists|check-nvidia-gpu|check-serviceaccount|check-serviceaccount-secrets|check-subjectaccessreview|check-vpa-configuration|concatenate-configmaps)$ - other-48: - strategy: - fail-fast: false - matrix: - k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ] - runs-on: ubuntu-latest - steps: 
- - name: Checkout - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - - name: Setup Environment - uses: ./.github/actions/setup-env - with: - k8s-version: ${{ matrix.k8s-version }} - - name: Run Tests - uses: ./.github/actions/run-tests - with: - tests: ^other$/^(copy-namespace-labels|create-default-pdb|create-pod-antiaffinity|deny-commands-in-exec-probe|deny-secret-service-account-token-type|deployment-replicas-higher-than-pdb|disable-automountserviceaccounttoken|disable-service-discovery|disallow-all-secrets|disallow-localhost-services|disallow-secrets-from-env-vars|dns-policy-and-dns-config)$ - other-60: - strategy: - fail-fast: false - matrix: - k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ] - runs-on: ubuntu-latest - steps: - - name: Checkout - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - - name: Setup Environment - uses: ./.github/actions/setup-env - with: - k8s-version: ${{ matrix.k8s-version }} - - name: Run Tests - uses: ./.github/actions/run-tests - with: - tests: ^other$/^(docker-socket-requires-label|enforce-pod-duration|enforce-resources-as-ratio|ensure-probes-different|ensure-production-matches-staging|ensure-readonly-hostpath|exclude-namespaces-dynamically|forbid-cpu-limits|generate-networkpolicy-existing|get-debug-information|imagepullpolicy-always|ingress-host-match-tls)$ - other-72: - strategy: - fail-fast: false - matrix: - k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ] - runs-on: ubuntu-latest - steps: - - name: Checkout - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - - name: Setup Environment - uses: ./.github/actions/setup-env - with: - k8s-version: ${{ matrix.k8s-version }} - - name: Run Tests - uses: ./.github/actions/run-tests - with: - tests: 
^other$/^(inject-env-var-from-image-label|inject-sidecar-deployment|inspect-csr|kubernetes-version-check|label-existing-namespaces|label-nodes-cri|limit-configmap-for-sa|limit-containers-per-pod|limit-hostpath-type-pv|limit-hostpath-vols|memory-requests-equal-limits|metadata-match-regex)$ - other-84: - strategy: - fail-fast: false - matrix: - k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ] - runs-on: ubuntu-latest - steps: - - name: Checkout - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - - name: Setup Environment - uses: ./.github/actions/setup-env - with: - k8s-version: ${{ matrix.k8s-version }} - - name: Run Tests - uses: ./.github/actions/run-tests - with: - tests: ^other$/^(mitigate-log4shell|mutate-large-termination-gps|mutate-pod-binding|namespace-inventory-check|nfs-subdir-external-provisioner-storage-path|only-trustworthy-registries-set-root|pdb-maxunavailable|pdb-maxunavailable-with-deployments|pdb-minavailable|policy-for-exceptions|prepend-image-registry|prevent-bare-pods)$ - other-96: - strategy: - fail-fast: false - matrix: - k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ] - runs-on: ubuntu-latest - steps: - - name: Checkout - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - - name: Setup Environment - uses: ./.github/actions/setup-env - with: - k8s-version: ${{ matrix.k8s-version }} - - name: Run Tests - uses: ./.github/actions/run-tests - with: - tests: ^other$/^(prevent-cr8escape|prevent-duplicate-hpa|prevent-duplicate-vpa|protect-node-taints|record-creation-details|refresh-env-var-in-pod|refresh-volumes-in-pods|remove-hostpath-volumes|remove-serviceaccount-token|replace-image-registry|replace-image-registry-with-harbor|replace-ingress-hosts)$ - other-108: - strategy: - fail-fast: false - matrix: - k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ] - runs-on: ubuntu-latest - steps: - - name: Checkout - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - - name: 
Setup Environment - uses: ./.github/actions/setup-env - with: - k8s-version: ${{ matrix.k8s-version }} - - name: Run Tests - uses: ./.github/actions/run-tests - with: - tests: ^other$/^(require-annotations|require-base-image|require-container-port-names|require-cpu-limits|require-deployments-have-multiple-replicas|require-emptydir-requests-limits|require-image-checksum|require-image-source|require-imagepullsecrets|require-ingress-https|require-netpol|require-non-root-groups)$ - other-120: - strategy: - fail-fast: false - matrix: - k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ] - runs-on: ubuntu-latest - steps: - - name: Checkout - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - - name: Setup Environment - uses: ./.github/actions/setup-env - with: - k8s-version: ${{ matrix.k8s-version }} - - name: Run Tests - uses: ./.github/actions/run-tests - with: - tests: ^other$/^(require-pdb|require-pod-priorityclassname|require-qos-burstable|require-qos-guaranteed|require-reasonable-pdbs|require-replicas-allow-disruption|require-storageclass|require-unique-external-dns|require-unique-service-selector|require-unique-uid-per-workload|resolve-image-to-digest|resource-creation-updating-denied)$ - other-132: - strategy: - fail-fast: false - matrix: - k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ] - runs-on: ubuntu-latest - steps: - - name: Checkout - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - - name: Setup Environment - uses: ./.github/actions/setup-env - with: - k8s-version: ${{ matrix.k8s-version }} - - name: Run Tests - uses: ./.github/actions/run-tests - with: - tests: 
^other$/^(restart-deployment-on-secret-change|restrict-annotations|restrict-automount-sa-token|restrict-binding-clusteradmin|restrict-binding-system-groups|restrict-clusterrole-csr|restrict-clusterrole-mutating-validating-admission-webhooks|restrict-clusterrole-nodesproxy|restrict-controlplane-scheduling|restrict-deprecated-registry|restrict-escalation-verbs-roles|restrict-ingress-classes)$ - other-144: - strategy: - fail-fast: false - matrix: - k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ] - runs-on: ubuntu-latest - steps: - - name: Checkout - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - - name: Setup Environment - uses: ./.github/actions/setup-env - with: - k8s-version: ${{ matrix.k8s-version }} - - name: Run Tests - uses: ./.github/actions/run-tests - with: - tests: ^other$/^(restrict-ingress-defaultbackend|restrict-ingress-host|restrict-ingress-wildcard|restrict-jobs|restrict-loadbalancer|restrict-networkpolicy-empty-podselector|restrict-node-affinity|restrict-node-label-changes|restrict-node-label-creation|restrict-node-selection|restrict-pod-controller-serviceaccount-updates|restrict-sa-automount-sa-token)$ - other-156: - strategy: - fail-fast: false - matrix: - k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ] - runs-on: ubuntu-latest - steps: - - name: Checkout - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - - name: Setup Environment - uses: ./.github/actions/setup-env - with: - k8s-version: ${{ matrix.k8s-version }} - - name: Run Tests - uses: ./.github/actions/run-tests - with: - tests: ^other$/^(restrict-secret-role-verbs|restrict-secrets-by-label|restrict-secrets-by-name|restrict-service-port-range|restrict-storageclass|restrict-usergroup-fsgroup-id|restrict-wildcard-resources|restrict-wildcard-verbs|scale-deployment-zero|spread-pods-across-topology|sync-secrets|topologyspreadconstraints-policy)$ - other-168: - strategy: - fail-fast: false - matrix: - k8s-version: [ v1.28.13, v1.29.8, 
v1.30.4, v1.31.0 ] - runs-on: ubuntu-latest - steps: - - name: Checkout - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - - name: Setup Environment - uses: ./.github/actions/setup-env - with: - k8s-version: ${{ matrix.k8s-version }} - - name: Run Tests - uses: ./.github/actions/run-tests - with: - tests: ^other$/^(unique-ingress-host-and-path|unique-ingress-paths|update-image-tag|verify-vpa-target)$ - pod-security_baseline: - strategy: - fail-fast: false - matrix: - k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ] - runs-on: ubuntu-latest - steps: - - name: Checkout - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - - name: Setup Environment - uses: ./.github/actions/setup-env - with: - k8s-version: ${{ matrix.k8s-version }} - - name: Run Tests - uses: ./.github/actions/run-tests - with: - tests: ^pod-security$/^baseline$/^(disallow-capabilities|disallow-host-namespaces|disallow-host-path|disallow-host-ports|disallow-host-ports-range|disallow-host-process|disallow-privileged-containers|disallow-proc-mount|disallow-selinux|restrict-apparmor-profiles|restrict-seccomp|restrict-sysctls)$ - pod-security_restricted: - strategy: - fail-fast: false - matrix: - k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ] - runs-on: ubuntu-latest - steps: - - name: Checkout - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - - name: Setup Environment - uses: ./.github/actions/setup-env - with: - k8s-version: ${{ matrix.k8s-version }} - - name: Run Tests - uses: ./.github/actions/run-tests - with: - tests: ^pod-security$/^restricted$/^(disallow-capabilities-strict|disallow-privilege-escalation|require-run-as-non-root-user|require-run-as-nonroot|restrict-seccomp-strict|restrict-volume-types)$ - pod-security_subrule_restricted: - strategy: - fail-fast: false - matrix: - k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ] - runs-on: ubuntu-latest - steps: - - name: Checkout - uses: 
actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - - name: Setup Environment - uses: ./.github/actions/setup-env - with: - k8s-version: ${{ matrix.k8s-version }} - - name: Run Tests - uses: ./.github/actions/run-tests - with: - tests: ^pod-security$/^subrule$/^restricted$/^(restricted-exclude-capabilities|restricted-exclude-seccomp|restricted-latest)$ - psa: - strategy: - fail-fast: false - matrix: - k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ] - runs-on: ubuntu-latest - steps: - - name: Checkout - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - - name: Setup Environment - uses: ./.github/actions/setup-env - with: - k8s-version: ${{ matrix.k8s-version }} - - name: Run Tests - uses: ./.github/actions/run-tests - with: - tests: ^psa$/^(add-privileged-existing-namespaces|add-psa-labels|add-psa-namespace-reporting|deny-privileged-profile)$ - psp-migration: - strategy: - fail-fast: false - matrix: - k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ] - runs-on: ubuntu-latest - steps: - - name: Checkout - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - - name: Setup Environment - uses: ./.github/actions/setup-env - with: - k8s-version: ${{ matrix.k8s-version }} - - name: Run Tests - uses: ./.github/actions/run-tests - with: - tests: ^psp-migration$/^(add-apparmor|add-capabilities|add-runtimeClassName|check-supplemental-groups|restrict-adding-capabilities|restrict-runtimeClassName)$ - tekton: - strategy: - fail-fast: false - matrix: - k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ] - runs-on: ubuntu-latest - steps: - - name: Checkout - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - - name: Setup Environment - uses: ./.github/actions/setup-env - with: - k8s-version: ${{ matrix.k8s-version }} - - name: Run Tests - uses: ./.github/actions/run-tests - with: - tests: ^tekton$/^(block-tekton-task-runs|require-tekton-bundle|require-tekton-namespace-pipelinerun)$ - 
traefik: - strategy: - fail-fast: false - matrix: - k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ] - runs-on: ubuntu-latest - steps: - - name: Checkout - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - - name: Setup Environment - uses: ./.github/actions/setup-env - with: - k8s-version: ${{ matrix.k8s-version }} - - name: Run Tests - uses: ./.github/actions/run-tests - with: - tests: ^traefik$/^(disallow-default-tlsoptions)$ - velero: - strategy: - fail-fast: false - matrix: - k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ] - runs-on: ubuntu-latest - steps: - - name: Checkout - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - - name: Setup Environment - uses: ./.github/actions/setup-env - with: - k8s-version: ${{ matrix.k8s-version }} - - name: Run Tests - uses: ./.github/actions/run-tests - with: - tests: ^velero$/^(backup-all-volumes|block-velero-restore|validate-cron-schedule)$ - windows-security: - strategy: - fail-fast: false - matrix: - k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ] - runs-on: ubuntu-latest - steps: - - name: Checkout - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - - name: Setup Environment - uses: ./.github/actions/setup-env - with: - k8s-version: ${{ matrix.k8s-version }} - - name: Run Tests - uses: ./.github/actions/run-tests - with: - tests: ^windows-security$/^(require-run-as-containeruser)$ - e2e-required-success: - name: e2e-required - needs: - - argo - - aws - - best-practices - - best-practices-12 - - castai - - cert-manager - - cleanup - - consul - - external-secret-operator - - flux - - istio - - karpenter - - kasten - - kubecost - - kubeops - - kubevirt - - linkerd - - nginx-ingress - - openshift - - other - - other-12 - - other-24 - - other-36 - - other-48 - - other-60 - - other-72 - - other-84 - - other-96 - - other-108 - - other-120 - - other-132 - - other-144 - - other-156 - - other-168 - - pod-security_baseline - - 
pod-security_restricted
- - pod-security_subrule_restricted
- - psa
- - psp-migration
- - tekton
- - traefik
- - velero
- - windows-security
- runs-on: ubuntu-latest
- if: ${{ success() }}
- steps:
- - run: ${{ true }}
- e2e-required-failure:
- name: e2e-required
- needs:
- - argo
- - aws
- - best-practices
- - best-practices-12
- - castai
- - cert-manager
- - cleanup
- - consul
- - external-secret-operator
- - flux
- - istio
- - karpenter
- - kasten
- - kubecost
- - kubeops
- - kubevirt
- - linkerd
- - nginx-ingress
- - openshift
- - other
- - other-12
- - other-24
- - other-36
- - other-48
- - other-60
- - other-72
- - other-84
- - other-96
- - other-108
- - other-120
- - other-132
- - other-144
- - other-156
- - other-168
- - pod-security_baseline
- - pod-security_restricted
- - pod-security_subrule_restricted
- - psa
- - psp-migration
- - tekton
- - traefik
- - velero
- - windows-security
- runs-on: ubuntu-latest
- if: ${{ failure() || cancelled() }}
- steps:
- - run: ${{ false }}
+ chainsaw:
+ strategy:
+ fail-fast: false
+ matrix:
+ k8s-version:
+ - name: v1.25
+ version: v1.25.11
+ - name: v1.26
+ version: v1.26.6
+ - name: v1.27
+ version: v1.27.3
+ - name: v1.28
+ version: v1.28.0
+ tests:
+ - ^argo$
+ - ^aws$
+ - ^best-practices$
+ - ^castai$
+ - ^cert-manager$
+ - ^consul$
+ - ^external-secret-operator$
+ - ^flux$
+ - ^istio$
+ - ^karpenter$
+ - ^kasten$
+ - ^kubecost$
+ - ^kubeops$
+ - ^kubevirt$
+ - ^linkerd$
+ - ^nginx-ingress$
+ - ^openshift$
+ - ^other$/^a
+ - ^other$/^[b-d]
+ - ^other$/^[e-l]
+ - ^other$/^[m-q]
+ - ^other$/^re[c-q]
+ - ^other$/^res
+ - ^other$/^[s-z]
+ - ^pod-security$
+ - ^pod-security-cel$
+ - ^psa$
+ - ^psp-migration$
+ # - ^tekton
+ # - ^traefik
+ # - ^velero
+ runs-on: ubuntu-latest
+ name: ${{ matrix.k8s-version.name }} - ${{ matrix.tests }}
+ steps:
+ - name: Checkout
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+ - name: Setup Go
+ uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 
# v5.0.0
+ with:
+ go-version: ~1.21.1
+ - name: Install Tools
+ run: |
+ set -e
+ curl -LO "https://dl.k8s.io/release/${{ matrix.k8s-version.version }}/bin/linux/amd64/kubectl"
+ sudo install -o root -g root -m 0755 kubectl /usr/local/bin/kubectl
+ - name: Install kind
+ shell: bash
+ run: |
+ set -e
+ # For AMD64 / x86_64
+ [ $(uname -m) = x86_64 ] && curl -Lo ./kind https://kind.sigs.k8s.io/dl/v0.20.0/kind-linux-amd64
+ # For ARM64
+ [ $(uname -m) = aarch64 ] && curl -Lo ./kind https://kind.sigs.k8s.io/dl/v0.20.0/kind-linux-arm64
+ chmod +x ./kind
+ sudo mv ./kind /usr/local/bin/kind
+ - name: Install latest Kyverno CLI
+ uses: kyverno/action-install-cli@fcee92fca5c883169ef9927acf543e0b5fc58289 # v0.2.0
+ - name: Create kind cluster
+ run: |
+ set -e
+ kind create cluster --image kindest/node:${{ matrix.k8s-version.version }} --config ./.github/kind.yml
+ - name: Install latest kyverno
+ run: |
+ set -e
+ kubectl create -f https://github.com/kyverno/kyverno/raw/release-1.12/config/install-latest-testing.yaml
+ - name: Wait for kyverno ready
+ run: |
+ set -e
+ kubectl wait --namespace kyverno --for=condition=ready pod --selector '!job-name' --timeout=2m
+ - name: Install CRDs
+ run: |
+ set -e
+ kubectl apply -f ./.chainsaw/crds
+ - name: Install Chainsaw
+ uses: kyverno/action-install-chainsaw@82d8e747037f840e0ef9bdd97ecdc617f5535bdc # v0.2.8
+ with:
+ release: v0.0.9
+ - name: Test with Chainsaw
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ run: |
+ set -e
+ chainsaw test --config .chainsaw.yaml --include-test-regex '^chainsaw$/${{ matrix.tests }}' --no-color=false
diff --git a/.gitignore b/.gitignore
index f01417fc7..5da35b529 100644
--- a/.gitignore
+++ b/.gitignore
@@ -2,4 +2,3 @@ settings.json
 .idea
 .DS_Store
 kubeconfig
-.hack/chainsaw-matrix/chainsaw-matrix
diff --git a/.hack/chainsaw-matrix/go.mod b/.hack/chainsaw-matrix/go.mod
deleted file mode 100644
index 10ae32083..000000000
--- a/.hack/chainsaw-matrix/go.mod
+++ /dev/null
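Review bot: The `Install Tools` and `Install kind` steps fetch kubectl and kind with curl and install them via sudo without verifying a checksum, so a mis-served or tampered download runs as root on the runner and then drives the cluster the job creates; dl.k8s.io publishes `kubectl.sha256` beside the binary, so add `curl -LO "https://dl.k8s.io/release/${{ matrix.k8s-version.version }}/bin/linux/amd64/kubectl.sha256"` and `echo "$(cat kubectl.sha256)  kubectl" | sha256sum --check` before the `sudo install` line, and verify the kind asset against the checksum file its release page ships the same way. The `Install latest kyverno` step applies `install-latest-testing.yaml` from the moving `release-1.12` branch, so the Kyverno build under test is not reproducible from this commit; if that is intended, say so in a comment above that `run:`. The removed `e2e-required-success` / `e2e-required-failure` jobs published a single `e2e-required` status and the new matrix job publishes one status per cell, so any branch-protection rule that requires `e2e-required` needs updating, which cannot be verified from the diff.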
@@ -1,100 +0,0 @@ -module github.com/kyverno/policies/hack/chainsaw-matrix - -go 1.23.0 - -require github.com/kyverno/chainsaw v0.2.8 - -require ( - github.com/NYTimes/gziphandler v1.1.1 // indirect - github.com/antlr/antlr4/runtime/Go/antlr/v4 v4.0.0-20230305170008-8188dc5388df // indirect - github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect - github.com/beorn7/perks v1.0.1 // indirect - github.com/blang/semver/v4 v4.0.0 // indirect - github.com/cenkalti/backoff/v4 v4.3.0 // indirect - github.com/cespare/xxhash/v2 v2.3.0 // indirect - github.com/coreos/go-semver v0.3.1 // indirect - github.com/coreos/go-systemd/v22 v22.5.0 // indirect - github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect - github.com/emicklei/go-restful/v3 v3.12.1 // indirect - github.com/evanphx/json-patch v5.9.0+incompatible // indirect - github.com/felixge/httpsnoop v1.0.4 // indirect - github.com/fsnotify/fsnotify v1.7.0 // indirect - github.com/go-logr/logr v1.4.2 // indirect - github.com/go-logr/stdr v1.2.2 // indirect - github.com/go-openapi/jsonpointer v0.21.0 // indirect - github.com/go-openapi/jsonreference v0.21.0 // indirect - github.com/go-openapi/swag v0.23.0 // indirect - github.com/gogo/protobuf v1.3.2 // indirect - github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect - github.com/golang/protobuf v1.5.4 // indirect - github.com/google/cel-go v0.17.8 // indirect - github.com/google/gnostic-models v0.6.9-0.20230804172637-c7be7c783f49 // indirect - github.com/google/go-cmp v0.6.0 // indirect - github.com/google/gofuzz v1.2.0 // indirect - github.com/google/uuid v1.6.0 // indirect - github.com/grpc-ecosystem/go-grpc-prometheus v1.2.1-0.20210315223345-82c243799c99 // indirect - github.com/grpc-ecosystem/grpc-gateway/v2 v2.21.0 // indirect - github.com/imdario/mergo v0.3.16 // indirect - github.com/inconshreveable/mousetrap v1.1.0 // indirect - github.com/jinzhu/copier v0.4.0 // indirect - 
github.com/josharian/intern v1.0.0 // indirect - github.com/json-iterator/go v1.1.12 // indirect - github.com/kyverno/kyverno-json v0.0.4-0.20240730143747-aade3d42fc0e // indirect - github.com/kyverno/pkg/ext v0.0.0-20240418121121-df8add26c55c // indirect - github.com/mailru/easyjson v0.7.7 // indirect - github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect - github.com/modern-go/reflect2 v1.0.2 // indirect - github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect - github.com/pkg/errors v0.9.1 // indirect - github.com/prometheus/client_golang v1.18.0 // indirect - github.com/prometheus/client_model v0.6.0 // indirect - github.com/prometheus/common v0.47.0 // indirect - github.com/prometheus/procfs v0.12.0 // indirect - github.com/spf13/cobra v1.8.1 // indirect - github.com/spf13/pflag v1.0.5 // indirect - github.com/stoewer/go-strcase v1.3.0 // indirect - go.etcd.io/etcd/api/v3 v3.5.15 // indirect - go.etcd.io/etcd/client/pkg/v3 v3.5.15 // indirect - go.etcd.io/etcd/client/v3 v3.5.15 // indirect - go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.53.0 // indirect - go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.53.0 // indirect - go.opentelemetry.io/otel v1.28.0 // indirect - go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.28.0 // indirect - go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.28.0 // indirect - go.opentelemetry.io/otel/metric v1.28.0 // indirect - go.opentelemetry.io/otel/sdk v1.28.0 // indirect - go.opentelemetry.io/otel/trace v1.28.0 // indirect - go.opentelemetry.io/proto/otlp v1.3.1 // indirect - go.uber.org/multierr v1.11.0 // indirect - go.uber.org/zap v1.27.0 // indirect - golang.org/x/crypto v0.25.0 // indirect - golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 // indirect - golang.org/x/net v0.27.0 // indirect - golang.org/x/oauth2 v0.21.0 // indirect - golang.org/x/sync v0.7.0 // indirect - golang.org/x/sys v0.22.0 // 
indirect - golang.org/x/term v0.22.0 // indirect - golang.org/x/text v0.16.0 // indirect - golang.org/x/time v0.5.0 // indirect - google.golang.org/genproto/googleapis/api v0.0.0-20240725223205-93522f1f2a9f // indirect - google.golang.org/genproto/googleapis/rpc v0.0.0-20240725223205-93522f1f2a9f // indirect - google.golang.org/grpc v1.65.0 // indirect - google.golang.org/protobuf v1.34.2 // indirect - gopkg.in/inf.v0 v0.9.1 // indirect - gopkg.in/yaml.v2 v2.4.0 // indirect - gopkg.in/yaml.v3 v3.0.1 // indirect - k8s.io/api v0.30.3 // indirect - k8s.io/apiextensions-apiserver v0.30.3 // indirect - k8s.io/apimachinery v0.30.3 // indirect - k8s.io/apiserver v0.30.3 // indirect - k8s.io/client-go v0.30.3 // indirect - k8s.io/component-base v0.30.3 // indirect - k8s.io/klog/v2 v2.130.1 // indirect - k8s.io/kube-openapi v0.0.0-20240726031636-6f6746feab9c // indirect - k8s.io/utils v0.0.0-20240711033017-18e509b52bc8 // indirect - sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.30.3 // indirect - sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect - sigs.k8s.io/kubectl-validate v0.0.4 // indirect - sigs.k8s.io/structured-merge-diff/v4 v4.4.1 // indirect - sigs.k8s.io/yaml v1.4.0 // indirect -) diff --git a/.hack/chainsaw-matrix/go.sum b/.hack/chainsaw-matrix/go.sum deleted file mode 100644 index d8dd6dbca..000000000 --- a/.hack/chainsaw-matrix/go.sum +++ /dev/null 
@@ -1,325 +0,0 @@ -cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= -github.com/NYTimes/gziphandler v1.1.1 h1:ZUDjpQae29j0ryrS0u/B8HZfJBtBQHjqw2rQ2cqUQ3I= -github.com/NYTimes/gziphandler v1.1.1/go.mod h1:n/CVRwUEOgIxrgPvAQhUUr9oeUtvrhMomdKFjzJNB0c= -github.com/antlr/antlr4/runtime/Go/antlr/v4 v4.0.0-20230305170008-8188dc5388df h1:7RFfzj4SSt6nnvCPbCqijJi1nWCd+TqAT3bYCStRC18= -github.com/antlr/antlr4/runtime/Go/antlr/v4 v4.0.0-20230305170008-8188dc5388df/go.mod h1:pSwJ0fSY5KhvocuWSx4fz3BA8OrA1bQn+K1Eli3BRwM= -github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 h1:DklsrG3dyBCFEj5IhUbnKptjxatkF07cF2ak3yi77so= -github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2/go.mod h1:WaHUgvxTVq04UNunO+XhnAqY/wQc+bxr74GqbsZ/Jqw= -github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q= -github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM= -github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw= -github.com/blang/semver/v4 v4.0.0 h1:1PFHFE6yCCTv8C1TeyNNarDzntLi7wMI5i/pzqYIsAM= -github.com/blang/semver/v4 v4.0.0/go.mod h1:IbckMUScFkM3pff0VJDNKRiT6TG/YpiHIM2yvyW5YoQ= -github.com/cenkalti/backoff/v4 v4.3.0 h1:MyRJ/UdXutAwSAT+s3wNd7MfTIcy71VQueUuFK343L8= -github.com/cenkalti/backoff/v4 v4.3.0/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE= -github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs= -github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= -github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw= -github.com/coreos/go-semver v0.3.1 h1:yi21YpKnrx1gt5R+la8n5WgS0kCrsPp33dmEyHReZr4= -github.com/coreos/go-semver v0.3.1/go.mod h1:irMmmIw/7yzSRPWryHsK7EYSg09caPQL03VsM8rvUec= -github.com/coreos/go-systemd/v22 v22.5.0 h1:RrqgGjYQKalulkV8NGVIfkXQf6YYmOyiJKk8iXXhfZs= -github.com/coreos/go-systemd/v22 
v22.5.0/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc= -github.com/cpuguy83/go-md2man/v2 v2.0.4/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= -github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= -github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= -github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM= -github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= -github.com/dustin/go-humanize v1.0.1 h1:GzkhY7T5VNhEkwH0PVJgjz+fX1rhBrR7pRT3mDkpeCY= -github.com/dustin/go-humanize v1.0.1/go.mod h1:Mu1zIs6XwVuF/gI1OepvI0qD18qycQx+mFykh5fBlto= -github.com/emicklei/go-restful/v3 v3.12.1 h1:PJMDIM/ak7btuL8Ex0iYET9hxM3CI2sjZtzpL63nKAU= -github.com/emicklei/go-restful/v3 v3.12.1/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc= -github.com/evanphx/json-patch v5.9.0+incompatible h1:fBXyNpNMuTTDdquAq/uisOr2lShz4oaXpDTX2bLe7ls= -github.com/evanphx/json-patch v5.9.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= -github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg= -github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U= -github.com/fsnotify/fsnotify v1.7.0 h1:8JEhPFa5W2WU7YfeZzPNqzMP6Lwt7L2715Ggo0nosvA= -github.com/fsnotify/fsnotify v1.7.0/go.mod h1:40Bi/Hjc2AVfZrqy+aj+yEI+/bRxZnMJyTJwOpGvigM= -github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= -github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY= -github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY= -github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag= -github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE= -github.com/go-logr/zapr v1.3.0 h1:XGdV8XW8zdwFiwOA2Dryh1gj2KRQyOOoNmBy4EplIcQ= 
-github.com/go-logr/zapr v1.3.0/go.mod h1:YKepepNBd1u/oyhd/yQmtjVXmm9uML4IXUgMOwR8/Gg= -github.com/go-openapi/jsonpointer v0.21.0 h1:YgdVicSA9vH5RiHs9TZW5oyafXZFc6+2Vc1rr/O9oNQ= -github.com/go-openapi/jsonpointer v0.21.0/go.mod h1:IUyH9l/+uyhIYQ/PXVA41Rexl+kOkAPDdXEYns6fzUY= -github.com/go-openapi/jsonreference v0.21.0 h1:Rs+Y7hSXT83Jacb7kFyjn4ijOuVGSvOdF2+tg1TRrwQ= -github.com/go-openapi/jsonreference v0.21.0/go.mod h1:LmZmgsrTkVg9LG4EaHeY8cBDslNPMo06cago5JNLkm4= -github.com/go-openapi/swag v0.23.0 h1:vsEVJDUo2hPJ2tu0/Xc+4noaxyEffXNIs3cOULZ+GrE= -github.com/go-openapi/swag v0.23.0/go.mod h1:esZ8ITTYEsH1V2trKHjAN8Ai7xHb8RV+YSZ577vPjgQ= -github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 h1:tfuBGBXKqDEevZMzYi5KSi8KkcZtzBcTgAUUtapy0OI= -github.com/go-task/slim-sprig/v3 v3.0.0 h1:sUs3vkvUymDpBKi3qH1YSqBQk9+9D/8M2mN1vB6EwHI= -github.com/go-task/slim-sprig/v3 v3.0.0/go.mod h1:W848ghGpv3Qj3dhTPRyJypKRiqCdHZiAzKg9hl15HA8= -github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA= -github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q= -github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q= -github.com/golang-jwt/jwt/v4 v4.5.0 h1:7cYmW1XlMY7h7ii7UhUyChSgS5wUJEnm9uZVTGqOWzg= -github.com/golang-jwt/jwt/v4 v4.5.0/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0= -github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q= -github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da h1:oI5xCqsCo564l8iNU+DwB5epxmsaqB+rhGL0m5jtYqE= -github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= -github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A= -github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= -github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek= 
-github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps= -github.com/google/btree v1.1.2 h1:xf4v41cLI2Z6FxbKm+8Bu+m8ifhj15JuZ9sa0jZCMUU= -github.com/google/btree v1.1.2/go.mod h1:qOPhT0dTNdNzV6Z/lhRX0YXUafgPLFUh+gZMl761Gm4= -github.com/google/cel-go v0.17.8 h1:j9m730pMZt1Fc4oKhCLUHfjj6527LuhYcYw0Rl8gqto= -github.com/google/cel-go v0.17.8/go.mod h1:HXZKzB0LXqer5lHHgfWAnlYwJaQBDKMjxjulNQzhwhY= -github.com/google/gnostic-models v0.6.9-0.20230804172637-c7be7c783f49 h1:0VpGH+cDhbDtdcweoyCVsF3fhN8kejK6rFe/2FFX2nU= -github.com/google/gnostic-models v0.6.9-0.20230804172637-c7be7c783f49/go.mod h1:BkkQ4L1KS1xMt2aWSPStnn55ChGC0DPOn2FQYj+f25M= -github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= -github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI= -github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= -github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= -github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0= -github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= -github.com/google/pprof v0.0.0-20240424215950-a892ee059fd6 h1:k7nVchz72niMH6YLQNvHSdIE7iqsQxK1P41mySCvssg= -github.com/google/pprof v0.0.0-20240424215950-a892ee059fd6/go.mod h1:kf6iHlnVGwgKolg33glAes7Yg/8iWP8ukqeldJSO7jw= -github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0= -github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= -github.com/gorilla/websocket v1.5.0 h1:PPwGk2jz7EePpoHN/+ClbZu8SPxiqlu12wZP/3sWmnc= -github.com/gorilla/websocket v1.5.0/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE= -github.com/grpc-ecosystem/go-grpc-middleware v1.4.0 h1:UH//fgunKIs4JdUbpDl1VZCDaL56wXCB/5+wF6uHfaI= -github.com/grpc-ecosystem/go-grpc-middleware v1.4.0/go.mod h1:g5qyo/la0ALbONm6Vbp88Yd8NsDy6rZz+RcrMPxvld8= 
-github.com/grpc-ecosystem/go-grpc-prometheus v1.2.1-0.20210315223345-82c243799c99 h1:JYghRBlGCZyCF2wNUJ8W0cwaQdtpcssJ4CgC406g+WU= -github.com/grpc-ecosystem/go-grpc-prometheus v1.2.1-0.20210315223345-82c243799c99/go.mod h1:3bDW6wMZJB7tiONtC/1Xpicra6Wp5GgbTbQWCbI5fkc= -github.com/grpc-ecosystem/grpc-gateway v1.16.0 h1:gmcG1KaJ57LophUzW0Hy8NmPhnMZb4M0+kPpLofRdBo= -github.com/grpc-ecosystem/grpc-gateway v1.16.0/go.mod h1:BDjrQk3hbvj6Nolgz8mAMFbcEtjT1g+wF4CSlocrBnw= -github.com/grpc-ecosystem/grpc-gateway/v2 v2.21.0 h1:CWyXh/jylQWp2dtiV33mY4iSSp6yf4lmn+c7/tN+ObI= -github.com/grpc-ecosystem/grpc-gateway/v2 v2.21.0/go.mod h1:nCLIt0w3Ept2NwF8ThLmrppXsfT07oC8k0XNDxd8sVU= -github.com/imdario/mergo v0.3.16 h1:wwQJbIsHYGMUyLSPrEq1CT16AhnhNJQ51+4fdHUnCl4= -github.com/imdario/mergo v0.3.16/go.mod h1:WBLT9ZmE3lPoWsEzCh9LPo3TiwVN+ZKEjmz+hD27ysY= -github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8= -github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw= -github.com/jinzhu/copier v0.4.0 h1:w3ciUoD19shMCRargcpm0cm91ytaBhDvuRpz1ODO/U8= -github.com/jinzhu/copier v0.4.0/go.mod h1:DfbEm0FYsaqBcKcFuvmOZb218JkPGtvSHsKg8S8hyyg= -github.com/jonboulle/clockwork v0.4.0 h1:p4Cf1aMWXnXAUh8lVfewRBx1zaTSYKrKMF2g3ST4RZ4= -github.com/jonboulle/clockwork v0.4.0/go.mod h1:xgRqUGwRcjKCO1vbZUEtSLrqKoPSsUpK7fnezOII0kc= -github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY= -github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y= -github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM= -github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo= -github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8= -github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= -github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE= 
-github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk= -github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= -github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE= -github.com/kyverno/chainsaw v0.2.8 h1:E+zUQ8SuOxUBeQC5i/0RYUPOXIeOKi69gOqFN5w256c= -github.com/kyverno/chainsaw v0.2.8/go.mod h1:ttTQJepYvp8Uy+aATNZ4EpEgh39A3HjIphSdCCyppkI= -github.com/kyverno/kyverno-json v0.0.4-0.20240730143747-aade3d42fc0e h1:gh9iMuJS8yloxo3JIzvgLWZWwy5iRjEkA8/U7rK3iu8= -github.com/kyverno/kyverno-json v0.0.4-0.20240730143747-aade3d42fc0e/go.mod h1:3LgZogzltja+Sx0o5CIa7d7+991v8sWXHskU0fWSOsQ= -github.com/kyverno/pkg/ext v0.0.0-20240418121121-df8add26c55c h1:lAolpR9H8BwM5lRRvgCQ8JowswyxZRH+fgtIQzHFVCk= -github.com/kyverno/pkg/ext v0.0.0-20240418121121-df8add26c55c/go.mod h1:02vxM0GNXz9+B/i6+rMfWAIwibUuAH+qFsd73IFskgQ= -github.com/mailru/easyjson v0.7.7 h1:UGYAvKxe3sBsEDzO8ZeWOSlIQfWFlxbzLZe7hwFURr0= -github.com/mailru/easyjson v0.7.7/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc= -github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0= -github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= -github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg= -github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= -github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9Gz0M= -github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk= -github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA= -github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= -github.com/onsi/ginkgo/v2 v2.19.0 
h1:9Cnnf7UHo57Hy3k6/m5k3dRfGTMXGvxhHFvkDTCTpvA= -github.com/onsi/ginkgo/v2 v2.19.0/go.mod h1:rlwLi9PilAFJ8jCg9UE1QP6VBpd6/xj3SRC0d6TU0To= -github.com/onsi/gomega v1.33.1 h1:dsYjIxxSR755MDmKVsaFQTE22ChNBcuuTWgkUDSubOk= -github.com/onsi/gomega v1.33.1/go.mod h1:U4R44UsT+9eLIaYRB2a5qajjtQYn0hauxvRm16AVYg0= -github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4= -github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= -github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= -github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U= -github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= -github.com/prometheus/client_golang v0.9.2/go.mod h1:OsXs2jCmiKlQ1lTBmv21f2mNfw4xf/QclQDMrYNZzcM= -github.com/prometheus/client_golang v1.18.0 h1:HzFfmkOzH5Q8L8G+kSJKUx5dtG87sewO+FoDDqP5Tbk= -github.com/prometheus/client_golang v1.18.0/go.mod h1:T+GXkCk5wSJyOqMIzVgvvjFDlkOQntgjkJWKrN5txjA= -github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo= -github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= -github.com/prometheus/client_model v0.6.0 h1:k1v3CzpSRUTrKMppY35TLwPvxHqBu0bYgxZzqGIgaos= -github.com/prometheus/client_model v0.6.0/go.mod h1:NTQHnmxFpouOD0DpvP4XujX3CdOAGQPoaGhyTchlyt8= -github.com/prometheus/common v0.0.0-20181126121408-4724e9255275/go.mod h1:daVV7qP5qjZbuso7PdcryaAu0sAZbrN9i7WWcTMWvro= -github.com/prometheus/common v0.47.0 h1:p5Cz0FNHo7SnWOmWmoRozVcjEp0bIVU8cV7OShpjL1k= -github.com/prometheus/common v0.47.0/go.mod h1:0/KsvlIEfPQCQ5I2iNSAWKPZziNCvRs5EC6ILDTlAPc= -github.com/prometheus/procfs v0.0.0-20181204211112-1dc9a6cbc91a/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk= -github.com/prometheus/procfs v0.12.0 
h1:jluTpSng7V9hY0O2R9DzzJHYb2xULk9VTR1V1R/k6Bo= -github.com/prometheus/procfs v0.12.0/go.mod h1:pcuDEFsWDnvcgNzo4EEweacyhjeA9Zk3cnaOZAZEfOo= -github.com/rogpeppe/go-internal v1.12.0 h1:exVL4IDcn6na9z1rAb56Vxr+CgyK3nn3O+epU5NdKM8= -github.com/rogpeppe/go-internal v1.12.0/go.mod h1:E+RYuTGaKKdloAfM02xzb0FW3Paa99yedzYV+kq4uf4= -github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= -github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ= -github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ= -github.com/soheilhy/cmux v0.1.5 h1:jjzc5WVemNEDTLwv9tlmemhC73tI08BNOIGwBOo10Js= -github.com/soheilhy/cmux v0.1.5/go.mod h1:T7TcVDs9LWfQgPlPsdngu6I6QIoyIFZDDC6sNE1GqG0= -github.com/spf13/cobra v1.8.1 h1:e5/vxKd/rZsfSJMUX1agtjeTDf+qv1/JdBF8gg5k9ZM= -github.com/spf13/cobra v1.8.1/go.mod h1:wHxEcudfqmLYa8iTfL+OuZPbBZkmvliBWKIezN3kD9Y= -github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA= -github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= -github.com/stoewer/go-strcase v1.3.0 h1:g0eASXYtp+yvN9fK8sH94oCIk0fau9uV1/ZdJ0AVEzs= -github.com/stoewer/go-strcase v1.3.0/go.mod h1:fAH5hQ5pehh+j3nZfvwdk2RgEgQjAoM8wodgtPmh1xo= -github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= -github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw= -github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo= -github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= -github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= -github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU= -github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4= -github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg= 
-github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY= -github.com/tmc/grpc-websocket-proxy v0.0.0-20220101234140-673ab2c3ae75 h1:6fotK7otjonDflCTK0BCfls4SPy3NcCVb5dqqmbRknE= -github.com/tmc/grpc-websocket-proxy v0.0.0-20220101234140-673ab2c3ae75/go.mod h1:KO6IkyS8Y3j8OdNO85qEYBsRPuteD+YciPomcXdrMnk= -github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2 h1:eY9dn8+vbi4tKz5Qo6v2eYzo7kUS51QINcR5jNpbZS8= -github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2/go.mod h1:UETIi67q53MR2AWcXfiuqkDkRtnGDLqkBTpCHuJHxtU= -github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= -github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= -go.etcd.io/bbolt v1.3.8 h1:xs88BrvEv273UsB79e0hcVrlUWmS0a8upikMFhSyAtA= -go.etcd.io/bbolt v1.3.8/go.mod h1:N9Mkw9X8x5fupy0IKsmuqVtoGDyxsaDlbk4Rd05IAQw= -go.etcd.io/etcd/api/v3 v3.5.15 h1:3KpLJir1ZEBrYuV2v+Twaa/e2MdDCEZ/70H+lzEiwsk= -go.etcd.io/etcd/api/v3 v3.5.15/go.mod h1:N9EhGzXq58WuMllgH9ZvnEr7SI9pS0k0+DHZezGp7jM= -go.etcd.io/etcd/client/pkg/v3 v3.5.15 h1:fo0HpWz/KlHGMCC+YejpiCmyWDEuIpnTDzpJLB5fWlA= -go.etcd.io/etcd/client/pkg/v3 v3.5.15/go.mod h1:mXDI4NAOwEiszrHCb0aqfAYNCrZP4e9hRca3d1YK8EU= -go.etcd.io/etcd/client/v2 v2.305.10 h1:MrmRktzv/XF8CvtQt+P6wLUlURaNpSDJHFZhe//2QE4= -go.etcd.io/etcd/client/v2 v2.305.10/go.mod h1:m3CKZi69HzilhVqtPDcjhSGp+kA1OmbNn0qamH80xjA= -go.etcd.io/etcd/client/v3 v3.5.15 h1:23M0eY4Fd/inNv1ZfU3AxrbbOdW79r9V9Rl62Nm6ip4= -go.etcd.io/etcd/client/v3 v3.5.15/go.mod h1:CLSJxrYjvLtHsrPKsy7LmZEE+DK2ktfd2bN4RhBMwlU= -go.etcd.io/etcd/pkg/v3 v3.5.10 h1:WPR8K0e9kWl1gAhB5A7gEa5ZBTNkT9NdNWrR8Qpo1CM= -go.etcd.io/etcd/pkg/v3 v3.5.10/go.mod h1:TKTuCKKcF1zxmfKWDkfz5qqYaE3JncKKZPFf8c1nFUs= -go.etcd.io/etcd/raft/v3 v3.5.10 h1:cgNAYe7xrsrn/5kXMSaH8kM/Ky8mAdMqGOxyYwpP0LA= -go.etcd.io/etcd/raft/v3 v3.5.10/go.mod h1:odD6kr8XQXTy9oQnyMPBOr0TVe+gT0neQhElQ6jbGRc= -go.etcd.io/etcd/server/v3 v3.5.10 
h1:4NOGyOwD5sUZ22PiWYKmfxqoeh72z6EhYjNosKGLmZg= -go.etcd.io/etcd/server/v3 v3.5.10/go.mod h1:gBplPHfs6YI0L+RpGkTQO7buDbHv5HJGG/Bst0/zIPo= -go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.53.0 h1:9G6E0TXzGFVfTnawRzrPl83iHOAV7L8NJiR8RSGYV1g= -go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.53.0/go.mod h1:azvtTADFQJA8mX80jIH/akaE7h+dbm/sVuaHqN13w74= -go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.53.0 h1:4K4tsIXefpVJtvA/8srF4V4y0akAoPHkIslgAkjixJA= -go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.53.0/go.mod h1:jjdQuTGVsXV4vSs+CJ2qYDeDPf9yIJV23qlIzBm73Vg= -go.opentelemetry.io/otel v1.28.0 h1:/SqNcYk+idO0CxKEUOtKQClMK/MimZihKYMruSMViUo= -go.opentelemetry.io/otel v1.28.0/go.mod h1:q68ijF8Fc8CnMHKyzqL6akLO46ePnjkgfIMIjUIX9z4= -go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.28.0 h1:3Q/xZUyC1BBkualc9ROb4G8qkH90LXEIICcs5zv1OYY= -go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.28.0/go.mod h1:s75jGIWA9OfCMzF0xr+ZgfrB5FEbbV7UuYo32ahUiFI= -go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.28.0 h1:R3X6ZXmNPRR8ul6i3WgFURCHzaXjHdm0karRG/+dj3s= -go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.28.0/go.mod h1:QWFXnDavXWwMx2EEcZsf3yxgEKAqsxQ+Syjp+seyInw= -go.opentelemetry.io/otel/metric v1.28.0 h1:f0HGvSl1KRAU1DLgLGFjrwVyismPlnuU6JD6bOeuA5Q= -go.opentelemetry.io/otel/metric v1.28.0/go.mod h1:Fb1eVBFZmLVTMb6PPohq3TO9IIhUisDsbJoL/+uQW4s= -go.opentelemetry.io/otel/sdk v1.28.0 h1:b9d7hIry8yZsgtbmM0DKyPWMMUMlK9NEKuIG4aBqWyE= -go.opentelemetry.io/otel/sdk v1.28.0/go.mod h1:oYj7ClPUA7Iw3m+r7GeEjz0qckQRJK2B8zjcZEfu7Pg= -go.opentelemetry.io/otel/trace v1.28.0 h1:GhQ9cUuQGmNDd5BTCP2dAvv75RdMxEfTmYejp+lkx9g= -go.opentelemetry.io/otel/trace v1.28.0/go.mod h1:jPyXzNPg6da9+38HEwElrQiHlVMTnVfM3/yv2OlIHaI= -go.opentelemetry.io/proto/otlp v1.3.1 h1:TrMUixzpM0yuc/znrFTP9MMRh8trP93mkCiDVeXrui0= -go.opentelemetry.io/proto/otlp v1.3.1/go.mod 
h1:0X1WI4de4ZsLrrJNLAQbFeLCm3T7yBkR0XqQ7niQU+8= -go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto= -go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE= -go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0= -go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y= -go.uber.org/zap v1.27.0 h1:aJMhYGrd5QSmlpLMr2MftRKl7t8J8PTZPA732ud/XR8= -go.uber.org/zap v1.27.0/go.mod h1:GB2qFLM7cTU87MWRP2mPIjqfIDnGu+VIO4V/SdhGo2E= -golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= -golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= -golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= -golang.org/x/crypto v0.25.0 h1:ypSNr+bnYL2YhwoMt2zPxHFmbAN1KZs/njMG3hxUp30= -golang.org/x/crypto v0.25.0/go.mod h1:T+wALwcMOSE0kXgUAnPAHqTLW+XHgcELELW8VaDgm/M= -golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 h1:2dVuKD2vS7b0QIHQbpyTISPd0LeHDbnYEryqj5Q1ug8= -golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56/go.mod h1:M4RDyNAINzryxdtnbRXRL/OHtkFuWGRjvuhBJpk2IlY= -golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= -golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= -golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= -golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= -golang.org/x/net v0.0.0-20181201002055-351d144fa1fc/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= -golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= -golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= -golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod 
h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= -golang.org/x/net v0.27.0 h1:5K3Njcw06/l2y9vpGCSdcxWOYHOUk3dVNGDXN+FvAys= -golang.org/x/net v0.27.0/go.mod h1:dDi0PyhWNoiUOrAS8uXv/vnScO4wnHQO4mj9fn/RytE= -golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= -golang.org/x/oauth2 v0.21.0 h1:tsimM75w1tF/uws5rbeHzIWxEqElMehnc+iW793zsZs= -golang.org/x/oauth2 v0.21.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI= -golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.7.0 h1:YsImfSBoP9QPYL0xyKJPq0gcaJdG3rInoqxTWbfQu9M= -golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= -golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= -golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= -golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.22.0 h1:RI27ohtqKCnwULzJLqkv897zojh5/DwS/ENaMzUOaWI= -golang.org/x/sys v0.22.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= -golang.org/x/term 
v0.22.0 h1:BbsgPEJULsl2fV/AT3v15Mjva5yXKQDyKf+TbDz7QJk= -golang.org/x/term v0.22.0/go.mod h1:F3qCibpT5AMpCRfhfT53vVJwhLtIVHhB9XDjfFvnMI4= -golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= -golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= -golang.org/x/text v0.16.0 h1:a94ExnEXNtEwYLGJSIUxnWoxoRz/ZcCsV63ROupILh4= -golang.org/x/text v0.16.0/go.mod h1:GhwF1Be+LQoKShO3cGOHzqOgRrGaYc9AvblQOmPVHnI= -golang.org/x/time v0.5.0 h1:o7cqy6amK/52YcAKIPlM3a+Fpj35zvRj2TP+e1xFSfk= -golang.org/x/time v0.5.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM= -golang.org/x/tools v0.0.0-20180828015842-6cd1fcedba52/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= -golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= -golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= -golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= -golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= -golang.org/x/tools v0.23.0 h1:SGsXPZ+2l4JsgaCKkx+FQ9YZ5XEtA1GZYuoDjenLjvg= -golang.org/x/tools v0.23.0/go.mod h1:pnu6ufv6vQkll6szChhK3C3L/ruaIv5eBeztNG8wtsI= -golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= -golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= -golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= -golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= -google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM= -google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc= 
-google.golang.org/genproto v0.0.0-20240725223205-93522f1f2a9f h1:htT2I9bZvGm+110zq8bIErMX+WgBWxCzV3ChwbvnKnc= -google.golang.org/genproto v0.0.0-20240725223205-93522f1f2a9f/go.mod h1:Sk3mLpoDFTAp6R4OvlcUgaG4ISTspKeFsIAXMn9Bm4Y= -google.golang.org/genproto/googleapis/api v0.0.0-20240725223205-93522f1f2a9f h1:b1Ln/PG8orm0SsBbHZWke8dDp2lrCD4jSmfglFpTZbk= -google.golang.org/genproto/googleapis/api v0.0.0-20240725223205-93522f1f2a9f/go.mod h1:AHT0dDg3SoMOgZGnZk29b5xTbPHMoEC8qthmBLJCpys= -google.golang.org/genproto/googleapis/rpc v0.0.0-20240725223205-93522f1f2a9f h1:RARaIm8pxYuxyNPbBQf5igT7XdOyCNtat1qAT2ZxjU4= -google.golang.org/genproto/googleapis/rpc v0.0.0-20240725223205-93522f1f2a9f/go.mod h1:Ue6ibwXGpU+dqIcODieyLOcgj7z8+IcskoNIgZxtrFY= -google.golang.org/grpc v1.18.0/go.mod h1:6QZJwpn2B+Zp71q/5VxRsJ6NXXVCE5NRUHRo+f3cWCs= -google.golang.org/grpc v1.65.0 h1:bs/cUb4lp1G5iImFFd3u5ixQzweKizoZJAwBNLR42lc= -google.golang.org/grpc v1.65.0/go.mod h1:WgYC2ypjlB0EiQi6wdKixMqukr6lBc0Vo+oOgjrM5ZQ= -google.golang.org/protobuf v1.34.2 h1:6xV6lTsCfpGD21XK49h7MhtcApnLqkfYgPcdHftf6hg= -google.golang.org/protobuf v1.34.2/go.mod h1:qYOHts0dSfpeUzUFpOMr/WGzszTmLH+DiWniOlNbLDw= -gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= -gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk= -gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q= -gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc= -gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw= -gopkg.in/natefinch/lumberjack.v2 v2.2.1 h1:bBRl1b0OH9s/DuPhuXpNl+VtCaJXFZ5/uEFST95x9zc= -gopkg.in/natefinch/lumberjack.v2 v2.2.1/go.mod h1:YD8tP3GAjkrDg1eZH7EGmyESg/lsYskCTPBJVb9jqSc= -gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= -gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY= 
-gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
-gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
-gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-honnef.co/go/tools v0.0.0-20180728063816-88497007e858/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
-k8s.io/api v0.30.3 h1:ImHwK9DCsPA9uoU3rVh4QHAHHK5dTSv1nxJUapx8hoQ=
-k8s.io/api v0.30.3/go.mod h1:GPc8jlzoe5JG3pb0KJCSLX5oAFIW3/qNJITlDj8BH04=
-k8s.io/apiextensions-apiserver v0.30.3 h1:oChu5li2vsZHx2IvnGP3ah8Nj3KyqG3kRSaKmijhB9U=
-k8s.io/apiextensions-apiserver v0.30.3/go.mod h1:uhXxYDkMAvl6CJw4lrDN4CPbONkF3+XL9cacCT44kV4=
-k8s.io/apimachinery v0.30.3 h1:q1laaWCmrszyQuSQCfNB8cFgCuDAoPszKY4ucAjDwHc=
-k8s.io/apimachinery v0.30.3/go.mod h1:iexa2somDaxdnj7bha06bhb43Zpa6eWH8N8dbqVjTUc=
-k8s.io/apiserver v0.30.3 h1:QZJndA9k2MjFqpnyYv/PH+9PE0SHhx3hBho4X0vE65g=
-k8s.io/apiserver v0.30.3/go.mod h1:6Oa88y1CZqnzetd2JdepO0UXzQX4ZnOekx2/PtEjrOg=
-k8s.io/client-go v0.30.3 h1:bHrJu3xQZNXIi8/MoxYtZBBWQQXwy16zqJwloXXfD3k=
-k8s.io/client-go v0.30.3/go.mod h1:8d4pf8vYu665/kUbsxWAQ/JDBNWqfFeZnvFiVdmx89U=
-k8s.io/component-base v0.30.3 h1:Ci0UqKWf4oiwy8hr1+E3dsnliKnkMLZMVbWzeorlk7s=
-k8s.io/component-base v0.30.3/go.mod h1:C1SshT3rGPCuNtBs14RmVD2xW0EhRSeLvBh7AGk1quA=
-k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk=
-k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE=
-k8s.io/kms v0.30.3 h1:NLg+oN45S2Y3U0WiLRzbS61AY/XrS5JBMZp531Z+Pho=
-k8s.io/kms v0.30.3/go.mod h1:GrMurD0qk3G4yNgGcsCEmepqf9KyyIrTXYR2lyUOJC4=
-k8s.io/kube-openapi v0.0.0-20240726031636-6f6746feab9c h1:CHL3IcTrTI3csK36iwYJy36uQRic+IpSoRMNH+0I8SE=
-k8s.io/kube-openapi v0.0.0-20240726031636-6f6746feab9c/go.mod h1:0CVn9SVo8PeW5/JgsBZZIFmmTk5noOM8WXf2e1tCihE=
-k8s.io/utils v0.0.0-20240711033017-18e509b52bc8
h1:pUdcCO1Lk/tbT5ztQWOBi5HBgbBP1J8+AsQnQCKsi8A=
-k8s.io/utils v0.0.0-20240711033017-18e509b52bc8/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
-sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.30.3 h1:2770sDpzrjjsAtVhSeUFseziht227YAWYHLGNM8QPwY=
-sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.30.3/go.mod h1:Ve9uj1L+deCXFrPOk1LpFXqTg7LCFzFso6PA48q/XZw=
-sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo=
-sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0=
-sigs.k8s.io/kubectl-validate v0.0.4 h1:tGKuv0awYHn11Cb6KPsZKxUmHgavF46K3NvVH0Nse9U=
-sigs.k8s.io/kubectl-validate v0.0.4/go.mod h1:JTm3G+JZLPISqABh73uV7s/sW28q2zZqnTghOzahEKA=
-sigs.k8s.io/structured-merge-diff/v4 v4.4.1 h1:150L+0vs/8DA78h1u02ooW1/fFq/Lwr+sGiqlzvrtq4=
-sigs.k8s.io/structured-merge-diff/v4 v4.4.1/go.mod h1:N8hJocpFajUSSeSJ9bOZ77VzejKZaXsTtZo4/u7Io08=
-sigs.k8s.io/yaml v1.4.0 h1:Mk1wCc2gy/F0THH0TAp1QYyJNzRm2KCLy3o5ASXVI5E=
-sigs.k8s.io/yaml v1.4.0/go.mod h1:Ejl7/uTz7PSA4eKMyQCUTnhZYNmLIl+5c2lQPGR2BPY=
diff --git a/.hack/chainsaw-matrix/main.go b/.hack/chainsaw-matrix/main.go
deleted file mode 100644
index 5f62d1ab3..000000000
--- a/.hack/chainsaw-matrix/main.go
+++ /dev/null
@@ -1,97 +0,0 @@
-package main
-
-import (
- "fmt"
- "maps"
- "os"
- "path/filepath"
- "slices"
- "strings"
- "text/template"
-
- "github.com/kyverno/chainsaw/pkg/discovery"
-)
-
-const chunkSize = 12
-
-type testSuite struct {
- Name string
- Pattern string
- Folder string
- Required bool
-}
-
-type values struct {
- TestSuites []testSuite
-}
-
-type payload struct {
- Values values
-}
-
-func main() {
- tests, err := discovery.DiscoverTests("chainsaw-test.yaml", nil, false, "../..")
- if err != nil {
- panic(err)
- }
- var paths []string
- for _, test := range tests {
- path, err := filepath.Rel("../..", test.BasePath)
- if err != nil {
- panic(err)
- }
- parts := strings.Split(path, "/")
- if len(parts) < 3 {
- panic("not enough folder parts: " + path)
- }
- if strings.HasSuffix(parts[0], "-cel") {
- continue
- }
- parts = parts[:len(parts)-1]
- paths = append(paths, strings.Join(parts, "/"))
- }
- suites := map[string][]string{}
- for _, path := range paths {
- parts := strings.Split(path, "/")
- root := strings.Join(parts[:len(parts)-1], "/")
- suites[root] = append(suites[root], parts[len(parts)-1])
- }
- var ts []testSuite
- for _, key := range slices.Sorted(maps.Keys(suites)) {
- root := ""
- for _, part := range strings.Split(key, "/") {
- root += "^" + part + "$" + "/"
- }
- slices.Sort(suites[key])
- for i := 0; i < len(suites[key]); i += chunkSize {
- end := i + chunkSize
- if end > len(suites[key]) {
- end = len(suites[key])
- }
- pattern := root + "^" + "(" + strings.Join(suites[key][i:end], "|") + ")" + "$"
- name := strings.ReplaceAll(key, "/", "_")
- if i >= chunkSize {
- name = fmt.Sprintf("%s-%d", name, i)
- }
- ts = append(ts, testSuite{
- Required: true,
- Name: name,
- Folder: key,
- Pattern: pattern,
- })
- }
- }
- var tmplFile = "workflow.yaml"
- tmpl, err := template.New(tmplFile).ParseFiles(tmplFile)
- if err != nil {
- panic(err)
- }
- err = tmpl.Execute(os.Stdout, payload{
- Values: values{
- TestSuites: ts,
- },
- })
- if err != nil {
-
panic(err)
- }
-}
diff --git a/.hack/chainsaw-matrix/workflow.yaml b/.hack/chainsaw-matrix/workflow.yaml
deleted file mode 100644
index 82376219a..000000000
--- a/.hack/chainsaw-matrix/workflow.yaml
+++ /dev/null
@@ -1,59 +0,0 @@
-# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
-
-# to update the workflow jobs, run the script below from the repository root:
-# `(cd .hack/chainsaw-matrix && go run . > ../../.github/workflows/test.yml)`
-
-name: E2E Tests
-
-permissions: {}
-
-on:
- workflow_dispatch: {}
- pull_request:
- branches:
- - 'main'
-
-concurrency:
- group: {{ print "${{ github.workflow }}-${{ github.ref }}" }}
- cancel-in-progress: true
-
-jobs:
- {{- range .Values.TestSuites }}
- {{ .Name }}:
- strategy:
- fail-fast: false
- matrix:
- k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ]
- runs-on: ubuntu-latest
- steps:
- - name: Checkout
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- - name: Setup Environment
- uses: ./.github/actions/setup-env
- with:
- k8s-version: {{ print "${{ matrix.k8s-version }}" }}
- - name: Run Tests
- uses: ./.github/actions/run-tests
- with:
- tests: {{ .Pattern }}
- {{- end }}
- e2e-required-success:
- name: e2e-required
- needs:
- {{- range .Values.TestSuites }}
- - {{ .Name }}
- {{- end }}
- runs-on: ubuntu-latest
- if: {{ print "${{ success() }}" }}
- steps:
- - run: {{ print "${{ true }}" }}
- e2e-required-failure:
- name: e2e-required
- needs:
- {{- range .Values.TestSuites }}
- - {{ .Name }}
- {{- end }}
- runs-on: ubuntu-latest
- if: {{ print "${{ failure() || cancelled() }}" }}
- steps:
- - run: {{ print "${{ false }}" }}
diff --git a/CRDs/applications.yaml b/CRDs/applications.yaml
new file mode 100644
index 000000000..d810e179e
--- /dev/null
+++ b/CRDs/applications.yaml
@@ -0,0 +1,4345 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app.kubernetes.io/name: applications.argoproj.io + app.kubernetes.io/part-of: argocd + name: applications.argoproj.io +spec: + group: argoproj.io + names: + kind: Application + listKind: ApplicationList + plural: applications + shortNames: + - app + - apps + singular: application + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .status.sync.status + name: Sync Status + type: string + - jsonPath: .status.health.status + name: Health Status + type: string + - jsonPath: .status.sync.revision + name: Revision + priority: 10 + type: string + name: v1alpha1 + schema: + openAPIV3Schema: + description: Application is a definition of Application resource. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + operation: + description: Operation contains information about a requested or running + operation + properties: + info: + description: Info is a list of informational items for this operation + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + initiatedBy: + description: InitiatedBy contains information about who initiated + the operations + properties: + automated: + description: Automated is set to true if operation was initiated + automatically by the application controller. + type: boolean + username: + description: Username contains the name of a user who started + operation + type: string + type: object + retry: + description: Retry controls the strategy to apply if a sync fails + properties: + backoff: + description: Backoff controls how to backoff on subsequent retries + of failed syncs + properties: + duration: + description: Duration is the amount to back off. Default unit + is seconds, but could also be a duration (e.g. "2m", "1h") + type: string + factor: + description: Factor is a factor to multiply the base duration + after each failed retry + format: int64 + type: integer + maxDuration: + description: MaxDuration is the maximum amount of time allowed + for the backoff strategy + type: string + type: object + limit: + description: Limit is the maximum number of attempts for retrying + a failed sync. If set to 0, no retries will be performed. 
+ format: int64 + type: integer + type: object + sync: + description: Sync contains parameters for the operation + properties: + dryRun: + description: DryRun specifies to perform a `kubectl apply --dry-run` + without actually performing the sync + type: boolean + manifests: + description: Manifests is an optional field that overrides sync + source with a local directory for development + items: + type: string + type: array + prune: + description: Prune specifies to delete resources from the cluster + that are no longer tracked in git + type: boolean + resources: + description: Resources describes which resources shall be part + of the sync + items: + description: SyncOperationResource contains resources to sync. + properties: + group: + type: string + kind: + type: string + name: + type: string + namespace: + type: string + required: + - kind + - name + type: object + type: array + revision: + description: Revision is the revision (Git) or chart version (Helm) + which to sync the application to If omitted, will use the revision + specified in app spec. + type: string + revisions: + description: Revisions is the list of revision (Git) or chart + version (Helm) which to sync each source in sources field for + the application to If omitted, will use the revision specified + in app spec. + items: + type: string + type: array + source: + description: Source overrides the source definition set in the + application. This is typically set in a Rollback operation and + is nil during a Sync operation + properties: + chart: + description: Chart is a Helm chart name, and must be specified + for applications sourced from a Helm repo. 
+ type: string + directory: + description: Directory holds path/directory specific options + properties: + exclude: + description: Exclude contains a glob pattern to match + paths against that should be explicitly excluded from + being used during manifest generation + type: string + include: + description: Include contains a glob pattern to match + paths against that should be explicitly included during + manifest generation + type: string + jsonnet: + description: Jsonnet holds options specific to Jsonnet + properties: + extVars: + description: ExtVars is a list of Jsonnet External + Variables + items: + description: JsonnetVar represents a variable to + be passed to jsonnet during manifest generation + properties: + code: + type: boolean + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + libs: + description: Additional library search dirs + items: + type: string + type: array + tlas: + description: TLAS is a list of Jsonnet Top-level Arguments + items: + description: JsonnetVar represents a variable to + be passed to jsonnet during manifest generation + properties: + code: + type: boolean + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + type: object + recurse: + description: Recurse specifies whether to scan a directory + recursively for manifests + type: boolean + type: object + helm: + description: Helm holds helm specific options + properties: + fileParameters: + description: FileParameters are file parameters to the + helm template + items: + description: HelmFileParameter is a file parameter that's + passed to helm template during manifest generation + properties: + name: + description: Name is the name of the Helm parameter + type: string + path: + description: Path is the path to the file containing + the values for the Helm parameter + type: string + type: object + type: array + ignoreMissingValueFiles: + description: 
IgnoreMissingValueFiles prevents helm template + from failing when valueFiles do not exist locally by + not appending them to helm template --values + type: boolean + parameters: + description: Parameters is a list of Helm parameters which + are passed to the helm template command upon manifest + generation + items: + description: HelmParameter is a parameter that's passed + to helm template during manifest generation + properties: + forceString: + description: ForceString determines whether to tell + Helm to interpret booleans and numbers as strings + type: boolean + name: + description: Name is the name of the Helm parameter + type: string + value: + description: Value is the value for the Helm parameter + type: string + type: object + type: array + passCredentials: + description: PassCredentials pass credentials to all domains + (Helm's --pass-credentials) + type: boolean + releaseName: + description: ReleaseName is the Helm release name to use. + If omitted it will use the application name + type: string + skipCrds: + description: SkipCrds skips custom resource definition + installation step (Helm's --skip-crds) + type: boolean + valueFiles: + description: ValuesFiles is a list of Helm value files + to use when generating a template + items: + type: string + type: array + values: + description: Values specifies Helm values to be passed + to helm template, typically defined as a block + type: string + version: + description: Version is the Helm version to use for templating + ("3") + type: string + type: object + kustomize: + description: Kustomize holds kustomize specific options + properties: + commonAnnotations: + additionalProperties: + type: string + description: CommonAnnotations is a list of additional + annotations to add to rendered manifests + type: object + commonAnnotationsEnvsubst: + description: CommonAnnotationsEnvsubst specifies whether + to apply env variables substitution for annotation values + type: boolean + commonLabels: + 
additionalProperties: + type: string + description: CommonLabels is a list of additional labels + to add to rendered manifests + type: object + forceCommonAnnotations: + description: ForceCommonAnnotations specifies whether + to force applying common annotations to resources for + Kustomize apps + type: boolean + forceCommonLabels: + description: ForceCommonLabels specifies whether to force + applying common labels to resources for Kustomize apps + type: boolean + images: + description: Images is a list of Kustomize image override + specifications + items: + description: KustomizeImage represents a Kustomize image + definition in the format [old_image_name=]: + type: string + type: array + namePrefix: + description: NamePrefix is a prefix appended to resources + for Kustomize apps + type: string + nameSuffix: + description: NameSuffix is a suffix appended to resources + for Kustomize apps + type: string + namespace: + description: Namespace sets the namespace that Kustomize + adds to all resources + type: string + replicas: + description: Replicas is a list of Kustomize Replicas + override specifications + items: + properties: + count: + anyOf: + - type: integer + - type: string + description: Number of replicas + x-kubernetes-int-or-string: true + name: + description: Name of Deployment or StatefulSet + type: string + required: + - count + - name + type: object + type: array + version: + description: Version controls which version of Kustomize + to use for rendering manifests + type: string + type: object + path: + description: Path is a directory path within the Git repository, + and is only valid for applications sourced from Git. 
+ type: string + plugin: + description: Plugin holds config management plugin specific + options + properties: + env: + description: Env is a list of environment variable entries + items: + description: EnvEntry represents an entry in the application's + environment + properties: + name: + description: Name is the name of the variable, usually + expressed in uppercase + type: string + value: + description: Value is the value of the variable + type: string + required: + - name + - value + type: object + type: array + name: + type: string + parameters: + items: + properties: + array: + description: Array is the value of an array type + parameter. + items: + type: string + type: array + map: + additionalProperties: + type: string + description: Map is the value of a map type parameter. + type: object + name: + description: Name is the name identifying a parameter. + type: string + string: + description: String_ is the value of a string type + parameter. + type: string + type: object + type: array + type: object + ref: + description: Ref is reference to another source within sources + field. This field will not be used if used with a `source` + tag. + type: string + repoURL: + description: RepoURL is the URL to the repository (Git or + Helm) that contains the application manifests + type: string + targetRevision: + description: TargetRevision defines the revision of the source + to sync the application to. In case of Git, this can be + commit, tag, or branch. If omitted, will equal to HEAD. + In case of Helm, this is a semver tag for the Chart's version. + type: string + required: + - repoURL + type: object + sources: + description: Sources overrides the source definition set in the + application. 
This is typically set in a Rollback operation and + is nil during a Sync operation + items: + description: ApplicationSource contains all required information + about the source of an application + properties: + chart: + description: Chart is a Helm chart name, and must be specified + for applications sourced from a Helm repo. + type: string + directory: + description: Directory holds path/directory specific options + properties: + exclude: + description: Exclude contains a glob pattern to match + paths against that should be explicitly excluded from + being used during manifest generation + type: string + include: + description: Include contains a glob pattern to match + paths against that should be explicitly included during + manifest generation + type: string + jsonnet: + description: Jsonnet holds options specific to Jsonnet + properties: + extVars: + description: ExtVars is a list of Jsonnet External + Variables + items: + description: JsonnetVar represents a variable + to be passed to jsonnet during manifest generation + properties: + code: + type: boolean + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + libs: + description: Additional library search dirs + items: + type: string + type: array + tlas: + description: TLAS is a list of Jsonnet Top-level + Arguments + items: + description: JsonnetVar represents a variable + to be passed to jsonnet during manifest generation + properties: + code: + type: boolean + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + type: object + recurse: + description: Recurse specifies whether to scan a directory + recursively for manifests + type: boolean + type: object + helm: + description: Helm holds helm specific options + properties: + fileParameters: + description: FileParameters are file parameters to the + helm template + items: + description: HelmFileParameter is a file parameter + that's passed to helm 
template during manifest generation + properties: + name: + description: Name is the name of the Helm parameter + type: string + path: + description: Path is the path to the file containing + the values for the Helm parameter + type: string + type: object + type: array + ignoreMissingValueFiles: + description: IgnoreMissingValueFiles prevents helm template + from failing when valueFiles do not exist locally + by not appending them to helm template --values + type: boolean + parameters: + description: Parameters is a list of Helm parameters + which are passed to the helm template command upon + manifest generation + items: + description: HelmParameter is a parameter that's passed + to helm template during manifest generation + properties: + forceString: + description: ForceString determines whether to + tell Helm to interpret booleans and numbers + as strings + type: boolean + name: + description: Name is the name of the Helm parameter + type: string + value: + description: Value is the value for the Helm parameter + type: string + type: object + type: array + passCredentials: + description: PassCredentials pass credentials to all + domains (Helm's --pass-credentials) + type: boolean + releaseName: + description: ReleaseName is the Helm release name to + use. 
If omitted it will use the application name + type: string + skipCrds: + description: SkipCrds skips custom resource definition + installation step (Helm's --skip-crds) + type: boolean + valueFiles: + description: ValuesFiles is a list of Helm value files + to use when generating a template + items: + type: string + type: array + values: + description: Values specifies Helm values to be passed + to helm template, typically defined as a block + type: string + version: + description: Version is the Helm version to use for + templating ("3") + type: string + type: object + kustomize: + description: Kustomize holds kustomize specific options + properties: + commonAnnotations: + additionalProperties: + type: string + description: CommonAnnotations is a list of additional + annotations to add to rendered manifests + type: object + commonAnnotationsEnvsubst: + description: CommonAnnotationsEnvsubst specifies whether + to apply env variables substitution for annotation + values + type: boolean + commonLabels: + additionalProperties: + type: string + description: CommonLabels is a list of additional labels + to add to rendered manifests + type: object + forceCommonAnnotations: + description: ForceCommonAnnotations specifies whether + to force applying common annotations to resources + for Kustomize apps + type: boolean + forceCommonLabels: + description: ForceCommonLabels specifies whether to + force applying common labels to resources for Kustomize + apps + type: boolean + images: + description: Images is a list of Kustomize image override + specifications + items: + description: KustomizeImage represents a Kustomize + image definition in the format [old_image_name=]: + type: string + type: array + namePrefix: + description: NamePrefix is a prefix appended to resources + for Kustomize apps + type: string + nameSuffix: + description: NameSuffix is a suffix appended to resources + for Kustomize apps + type: string + namespace: + description: Namespace sets the namespace that 
Kustomize + adds to all resources + type: string + replicas: + description: Replicas is a list of Kustomize Replicas + override specifications + items: + properties: + count: + anyOf: + - type: integer + - type: string + description: Number of replicas + x-kubernetes-int-or-string: true + name: + description: Name of Deployment or StatefulSet + type: string + required: + - count + - name + type: object + type: array + version: + description: Version controls which version of Kustomize + to use for rendering manifests + type: string + type: object + path: + description: Path is a directory path within the Git repository, + and is only valid for applications sourced from Git. + type: string + plugin: + description: Plugin holds config management plugin specific + options + properties: + env: + description: Env is a list of environment variable entries + items: + description: EnvEntry represents an entry in the application's + environment + properties: + name: + description: Name is the name of the variable, + usually expressed in uppercase + type: string + value: + description: Value is the value of the variable + type: string + required: + - name + - value + type: object + type: array + name: + type: string + parameters: + items: + properties: + array: + description: Array is the value of an array type + parameter. + items: + type: string + type: array + map: + additionalProperties: + type: string + description: Map is the value of a map type parameter. + type: object + name: + description: Name is the name identifying a parameter. + type: string + string: + description: String_ is the value of a string + type parameter. + type: string + type: object + type: array + type: object + ref: + description: Ref is reference to another source within sources + field. This field will not be used if used with a `source` + tag. 
+ type: string + repoURL: + description: RepoURL is the URL to the repository (Git or + Helm) that contains the application manifests + type: string + targetRevision: + description: TargetRevision defines the revision of the + source to sync the application to. In case of Git, this + can be commit, tag, or branch. If omitted, will equal + to HEAD. In case of Helm, this is a semver tag for the + Chart's version. + type: string + required: + - repoURL + type: object + type: array + syncOptions: + description: SyncOptions provide per-sync sync-options, e.g. Validate=false + items: + type: string + type: array + syncStrategy: + description: SyncStrategy describes how to perform the sync + properties: + apply: + description: Apply will perform a `kubectl apply` to perform + the sync. + properties: + force: + description: Force indicates whether or not to supply + the --force flag to `kubectl apply`. The --force flag + deletes and re-create the resource, when PATCH encounters + conflict and has retried for 5 times. + type: boolean + type: object + hook: + description: Hook will submit any referenced resources to + perform the sync. This is the default strategy + properties: + force: + description: Force indicates whether or not to supply + the --force flag to `kubectl apply`. The --force flag + deletes and re-create the resource, when PATCH encounters + conflict and has retried for 5 times. + type: boolean + type: object + type: object + type: object + type: object + spec: + description: ApplicationSpec represents desired application state. Contains + link to repository with application definition and additional parameters + link definition revision. 
+ properties: + destination: + description: Destination is a reference to the target Kubernetes server + and namespace + properties: + name: + description: Name is an alternate way of specifying the target + cluster by its symbolic name + type: string + namespace: + description: Namespace specifies the target namespace for the + application's resources. The namespace will only be set for + namespace-scoped resources that have not set a value for .metadata.namespace + type: string + server: + description: Server specifies the URL of the target cluster and + must be set to the Kubernetes control plane API + type: string + type: object + ignoreDifferences: + description: IgnoreDifferences is a list of resources and their fields + which should be ignored during comparison + items: + description: ResourceIgnoreDifferences contains resource filter + and list of json paths which should be ignored during comparison + with live state. + properties: + group: + type: string + jqPathExpressions: + items: + type: string + type: array + jsonPointers: + items: + type: string + type: array + kind: + type: string + managedFieldsManagers: + description: ManagedFieldsManagers is a list of trusted managers. + Fields mutated by those managers will take precedence over + the desired state defined in the SCM and won't be displayed + in diffs + items: + type: string + type: array + name: + type: string + namespace: + type: string + required: + - kind + type: object + type: array + info: + description: Info contains a list of information (URLs, email addresses, + and plain text) that relates to the application + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + project: + description: Project is a reference to the project this application + belongs to. The empty string means that application belongs to the + 'default' project. 
+ type: string + revisionHistoryLimit: + description: RevisionHistoryLimit limits the number of items kept + in the application's revision history, which is used for informational + purposes as well as for rollbacks to previous versions. This should + only be changed in exceptional circumstances. Setting to zero will + store no history. This will reduce storage used. Increasing will + increase the space used to store the history, so we do not recommend + increasing it. Default is 10. + format: int64 + type: integer + source: + description: Source is a reference to the location of the application's + manifests or chart + properties: + chart: + description: Chart is a Helm chart name, and must be specified + for applications sourced from a Helm repo. + type: string + directory: + description: Directory holds path/directory specific options + properties: + exclude: + description: Exclude contains a glob pattern to match paths + against that should be explicitly excluded from being used + during manifest generation + type: string + include: + description: Include contains a glob pattern to match paths + against that should be explicitly included during manifest + generation + type: string + jsonnet: + description: Jsonnet holds options specific to Jsonnet + properties: + extVars: + description: ExtVars is a list of Jsonnet External Variables + items: + description: JsonnetVar represents a variable to be + passed to jsonnet during manifest generation + properties: + code: + type: boolean + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + libs: + description: Additional library search dirs + items: + type: string + type: array + tlas: + description: TLAS is a list of Jsonnet Top-level Arguments + items: + description: JsonnetVar represents a variable to be + passed to jsonnet during manifest generation + properties: + code: + type: boolean + name: + type: string + value: + type: string + required: + - name + - 
value + type: object + type: array + type: object + recurse: + description: Recurse specifies whether to scan a directory + recursively for manifests + type: boolean + type: object + helm: + description: Helm holds helm specific options + properties: + fileParameters: + description: FileParameters are file parameters to the helm + template + items: + description: HelmFileParameter is a file parameter that's + passed to helm template during manifest generation + properties: + name: + description: Name is the name of the Helm parameter + type: string + path: + description: Path is the path to the file containing + the values for the Helm parameter + type: string + type: object + type: array + ignoreMissingValueFiles: + description: IgnoreMissingValueFiles prevents helm template + from failing when valueFiles do not exist locally by not + appending them to helm template --values + type: boolean + parameters: + description: Parameters is a list of Helm parameters which + are passed to the helm template command upon manifest generation + items: + description: HelmParameter is a parameter that's passed + to helm template during manifest generation + properties: + forceString: + description: ForceString determines whether to tell + Helm to interpret booleans and numbers as strings + type: boolean + name: + description: Name is the name of the Helm parameter + type: string + value: + description: Value is the value for the Helm parameter + type: string + type: object + type: array + passCredentials: + description: PassCredentials pass credentials to all domains + (Helm's --pass-credentials) + type: boolean + releaseName: + description: ReleaseName is the Helm release name to use. 
+ If omitted it will use the application name + type: string + skipCrds: + description: SkipCrds skips custom resource definition installation + step (Helm's --skip-crds) + type: boolean + valueFiles: + description: ValuesFiles is a list of Helm value files to + use when generating a template + items: + type: string + type: array + values: + description: Values specifies Helm values to be passed to + helm template, typically defined as a block + type: string + version: + description: Version is the Helm version to use for templating + ("3") + type: string + type: object + kustomize: + description: Kustomize holds kustomize specific options + properties: + commonAnnotations: + additionalProperties: + type: string + description: CommonAnnotations is a list of additional annotations + to add to rendered manifests + type: object + commonAnnotationsEnvsubst: + description: CommonAnnotationsEnvsubst specifies whether to + apply env variables substitution for annotation values + type: boolean + commonLabels: + additionalProperties: + type: string + description: CommonLabels is a list of additional labels to + add to rendered manifests + type: object + forceCommonAnnotations: + description: ForceCommonAnnotations specifies whether to force + applying common annotations to resources for Kustomize apps + type: boolean + forceCommonLabels: + description: ForceCommonLabels specifies whether to force + applying common labels to resources for Kustomize apps + type: boolean + images: + description: Images is a list of Kustomize image override + specifications + items: + description: KustomizeImage represents a Kustomize image + definition in the format [old_image_name=]: + type: string + type: array + namePrefix: + description: NamePrefix is a prefix appended to resources + for Kustomize apps + type: string + nameSuffix: + description: NameSuffix is a suffix appended to resources + for Kustomize apps + type: string + namespace: + description: Namespace sets the namespace that 
Kustomize adds + to all resources + type: string + replicas: + description: Replicas is a list of Kustomize Replicas override + specifications + items: + properties: + count: + anyOf: + - type: integer + - type: string + description: Number of replicas + x-kubernetes-int-or-string: true + name: + description: Name of Deployment or StatefulSet + type: string + required: + - count + - name + type: object + type: array + version: + description: Version controls which version of Kustomize to + use for rendering manifests + type: string + type: object + path: + description: Path is a directory path within the Git repository, + and is only valid for applications sourced from Git. + type: string + plugin: + description: Plugin holds config management plugin specific options + properties: + env: + description: Env is a list of environment variable entries + items: + description: EnvEntry represents an entry in the application's + environment + properties: + name: + description: Name is the name of the variable, usually + expressed in uppercase + type: string + value: + description: Value is the value of the variable + type: string + required: + - name + - value + type: object + type: array + name: + type: string + parameters: + items: + properties: + array: + description: Array is the value of an array type parameter. + items: + type: string + type: array + map: + additionalProperties: + type: string + description: Map is the value of a map type parameter. + type: object + name: + description: Name is the name identifying a parameter. + type: string + string: + description: String_ is the value of a string type parameter. + type: string + type: object + type: array + type: object + ref: + description: Ref is reference to another source within sources + field. This field will not be used if used with a `source` tag. 
+ type: string + repoURL: + description: RepoURL is the URL to the repository (Git or Helm) + that contains the application manifests + type: string + targetRevision: + description: TargetRevision defines the revision of the source + to sync the application to. In case of Git, this can be commit, + tag, or branch. If omitted, will equal to HEAD. In case of Helm, + this is a semver tag for the Chart's version. + type: string + required: + - repoURL + type: object + sources: + description: Sources is a reference to the location of the application's + manifests or chart + items: + description: ApplicationSource contains all required information + about the source of an application + properties: + chart: + description: Chart is a Helm chart name, and must be specified + for applications sourced from a Helm repo. + type: string + directory: + description: Directory holds path/directory specific options + properties: + exclude: + description: Exclude contains a glob pattern to match paths + against that should be explicitly excluded from being + used during manifest generation + type: string + include: + description: Include contains a glob pattern to match paths + against that should be explicitly included during manifest + generation + type: string + jsonnet: + description: Jsonnet holds options specific to Jsonnet + properties: + extVars: + description: ExtVars is a list of Jsonnet External Variables + items: + description: JsonnetVar represents a variable to be + passed to jsonnet during manifest generation + properties: + code: + type: boolean + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + libs: + description: Additional library search dirs + items: + type: string + type: array + tlas: + description: TLAS is a list of Jsonnet Top-level Arguments + items: + description: JsonnetVar represents a variable to be + passed to jsonnet during manifest generation + properties: + code: + type: boolean + name: + 
type: string + value: + type: string + required: + - name + - value + type: object + type: array + type: object + recurse: + description: Recurse specifies whether to scan a directory + recursively for manifests + type: boolean + type: object + helm: + description: Helm holds helm specific options + properties: + fileParameters: + description: FileParameters are file parameters to the helm + template + items: + description: HelmFileParameter is a file parameter that's + passed to helm template during manifest generation + properties: + name: + description: Name is the name of the Helm parameter + type: string + path: + description: Path is the path to the file containing + the values for the Helm parameter + type: string + type: object + type: array + ignoreMissingValueFiles: + description: IgnoreMissingValueFiles prevents helm template + from failing when valueFiles do not exist locally by not + appending them to helm template --values + type: boolean + parameters: + description: Parameters is a list of Helm parameters which + are passed to the helm template command upon manifest + generation + items: + description: HelmParameter is a parameter that's passed + to helm template during manifest generation + properties: + forceString: + description: ForceString determines whether to tell + Helm to interpret booleans and numbers as strings + type: boolean + name: + description: Name is the name of the Helm parameter + type: string + value: + description: Value is the value for the Helm parameter + type: string + type: object + type: array + passCredentials: + description: PassCredentials pass credentials to all domains + (Helm's --pass-credentials) + type: boolean + releaseName: + description: ReleaseName is the Helm release name to use. 
+ If omitted it will use the application name + type: string + skipCrds: + description: SkipCrds skips custom resource definition installation + step (Helm's --skip-crds) + type: boolean + valueFiles: + description: ValuesFiles is a list of Helm value files to + use when generating a template + items: + type: string + type: array + values: + description: Values specifies Helm values to be passed to + helm template, typically defined as a block + type: string + version: + description: Version is the Helm version to use for templating + ("3") + type: string + type: object + kustomize: + description: Kustomize holds kustomize specific options + properties: + commonAnnotations: + additionalProperties: + type: string + description: CommonAnnotations is a list of additional annotations + to add to rendered manifests + type: object + commonAnnotationsEnvsubst: + description: CommonAnnotationsEnvsubst specifies whether + to apply env variables substitution for annotation values + type: boolean + commonLabels: + additionalProperties: + type: string + description: CommonLabels is a list of additional labels + to add to rendered manifests + type: object + forceCommonAnnotations: + description: ForceCommonAnnotations specifies whether to + force applying common annotations to resources for Kustomize + apps + type: boolean + forceCommonLabels: + description: ForceCommonLabels specifies whether to force + applying common labels to resources for Kustomize apps + type: boolean + images: + description: Images is a list of Kustomize image override + specifications + items: + description: KustomizeImage represents a Kustomize image + definition in the format [old_image_name=]: + type: string + type: array + namePrefix: + description: NamePrefix is a prefix appended to resources + for Kustomize apps + type: string + nameSuffix: + description: NameSuffix is a suffix appended to resources + for Kustomize apps + type: string + namespace: + description: Namespace sets the namespace that 
Kustomize + adds to all resources + type: string + replicas: + description: Replicas is a list of Kustomize Replicas override + specifications + items: + properties: + count: + anyOf: + - type: integer + - type: string + description: Number of replicas + x-kubernetes-int-or-string: true + name: + description: Name of Deployment or StatefulSet + type: string + required: + - count + - name + type: object + type: array + version: + description: Version controls which version of Kustomize + to use for rendering manifests + type: string + type: object + path: + description: Path is a directory path within the Git repository, + and is only valid for applications sourced from Git. + type: string + plugin: + description: Plugin holds config management plugin specific + options + properties: + env: + description: Env is a list of environment variable entries + items: + description: EnvEntry represents an entry in the application's + environment + properties: + name: + description: Name is the name of the variable, usually + expressed in uppercase + type: string + value: + description: Value is the value of the variable + type: string + required: + - name + - value + type: object + type: array + name: + type: string + parameters: + items: + properties: + array: + description: Array is the value of an array type parameter. + items: + type: string + type: array + map: + additionalProperties: + type: string + description: Map is the value of a map type parameter. + type: object + name: + description: Name is the name identifying a parameter. + type: string + string: + description: String_ is the value of a string type + parameter. + type: string + type: object + type: array + type: object + ref: + description: Ref is reference to another source within sources + field. This field will not be used if used with a `source` + tag. 
+ type: string + repoURL: + description: RepoURL is the URL to the repository (Git or Helm) + that contains the application manifests + type: string + targetRevision: + description: TargetRevision defines the revision of the source + to sync the application to. In case of Git, this can be commit, + tag, or branch. If omitted, will equal to HEAD. In case of + Helm, this is a semver tag for the Chart's version. + type: string + required: + - repoURL + type: object + type: array + syncPolicy: + description: SyncPolicy controls when and how a sync will be performed + properties: + automated: + description: Automated will keep an application synced to the + target revision + properties: + allowEmpty: + description: 'AllowEmpty allows apps have zero live resources + (default: false)' + type: boolean + prune: + description: 'Prune specifies whether to delete resources + from the cluster that are not found in the sources anymore + as part of automated sync (default: false)' + type: boolean + selfHeal: + description: 'SelfHeal specifes whether to revert resources + back to their desired state upon modification in the cluster + (default: false)' + type: boolean + type: object + managedNamespaceMetadata: + description: ManagedNamespaceMetadata controls metadata in the + given namespace (if CreateNamespace=true) + properties: + annotations: + additionalProperties: + type: string + type: object + labels: + additionalProperties: + type: string + type: object + type: object + retry: + description: Retry controls failed sync retry behavior + properties: + backoff: + description: Backoff controls how to backoff on subsequent + retries of failed syncs + properties: + duration: + description: Duration is the amount to back off. Default + unit is seconds, but could also be a duration (e.g. 
+ "2m", "1h") + type: string + factor: + description: Factor is a factor to multiply the base duration + after each failed retry + format: int64 + type: integer + maxDuration: + description: MaxDuration is the maximum amount of time + allowed for the backoff strategy + type: string + type: object + limit: + description: Limit is the maximum number of attempts for retrying + a failed sync. If set to 0, no retries will be performed. + format: int64 + type: integer + type: object + syncOptions: + description: Options allow you to specify whole app sync-options + items: + type: string + type: array + type: object + required: + - destination + - project + type: object + status: + description: ApplicationStatus contains status information for the application + properties: + conditions: + description: Conditions is a list of currently observed application + conditions + items: + description: ApplicationCondition contains details about an application + condition, which is usally an error or warning + properties: + lastTransitionTime: + description: LastTransitionTime is the time the condition was + last observed + format: date-time + type: string + message: + description: Message contains human-readable message indicating + details about condition + type: string + type: + description: Type is an application condition type + type: string + required: + - message + - type + type: object + type: array + health: + description: Health contains information about the application's current + health status + properties: + message: + description: Message is a human-readable informational message + describing the health status + type: string + status: + description: Status holds the status code of the application or + resource + type: string + type: object + history: + description: History contains information about the application's + sync history + items: + description: RevisionHistory contains history information about + a previous sync + properties: + deployStartedAt: + 
description: DeployStartedAt holds the time the sync operation + started + format: date-time + type: string + deployedAt: + description: DeployedAt holds the time the sync operation completed + format: date-time + type: string + id: + description: ID is an auto incrementing identifier of the RevisionHistory + format: int64 + type: integer + revision: + description: Revision holds the revision the sync was performed + against + type: string + revisions: + description: Revisions holds the revision of each source in + sources field the sync was performed against + items: + type: string + type: array + source: + description: Source is a reference to the application source + used for the sync operation + properties: + chart: + description: Chart is a Helm chart name, and must be specified + for applications sourced from a Helm repo. + type: string + directory: + description: Directory holds path/directory specific options + properties: + exclude: + description: Exclude contains a glob pattern to match + paths against that should be explicitly excluded from + being used during manifest generation + type: string + include: + description: Include contains a glob pattern to match + paths against that should be explicitly included during + manifest generation + type: string + jsonnet: + description: Jsonnet holds options specific to Jsonnet + properties: + extVars: + description: ExtVars is a list of Jsonnet External + Variables + items: + description: JsonnetVar represents a variable + to be passed to jsonnet during manifest generation + properties: + code: + type: boolean + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + libs: + description: Additional library search dirs + items: + type: string + type: array + tlas: + description: TLAS is a list of Jsonnet Top-level + Arguments + items: + description: JsonnetVar represents a variable + to be passed to jsonnet during manifest generation + properties: + code: + 
type: boolean + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + type: object + recurse: + description: Recurse specifies whether to scan a directory + recursively for manifests + type: boolean + type: object + helm: + description: Helm holds helm specific options + properties: + fileParameters: + description: FileParameters are file parameters to the + helm template + items: + description: HelmFileParameter is a file parameter + that's passed to helm template during manifest generation + properties: + name: + description: Name is the name of the Helm parameter + type: string + path: + description: Path is the path to the file containing + the values for the Helm parameter + type: string + type: object + type: array + ignoreMissingValueFiles: + description: IgnoreMissingValueFiles prevents helm template + from failing when valueFiles do not exist locally + by not appending them to helm template --values + type: boolean + parameters: + description: Parameters is a list of Helm parameters + which are passed to the helm template command upon + manifest generation + items: + description: HelmParameter is a parameter that's passed + to helm template during manifest generation + properties: + forceString: + description: ForceString determines whether to + tell Helm to interpret booleans and numbers + as strings + type: boolean + name: + description: Name is the name of the Helm parameter + type: string + value: + description: Value is the value for the Helm parameter + type: string + type: object + type: array + passCredentials: + description: PassCredentials pass credentials to all + domains (Helm's --pass-credentials) + type: boolean + releaseName: + description: ReleaseName is the Helm release name to + use. 
If omitted it will use the application name + type: string + skipCrds: + description: SkipCrds skips custom resource definition + installation step (Helm's --skip-crds) + type: boolean + valueFiles: + description: ValuesFiles is a list of Helm value files + to use when generating a template + items: + type: string + type: array + values: + description: Values specifies Helm values to be passed + to helm template, typically defined as a block + type: string + version: + description: Version is the Helm version to use for + templating ("3") + type: string + type: object + kustomize: + description: Kustomize holds kustomize specific options + properties: + commonAnnotations: + additionalProperties: + type: string + description: CommonAnnotations is a list of additional + annotations to add to rendered manifests + type: object + commonAnnotationsEnvsubst: + description: CommonAnnotationsEnvsubst specifies whether + to apply env variables substitution for annotation + values + type: boolean + commonLabels: + additionalProperties: + type: string + description: CommonLabels is a list of additional labels + to add to rendered manifests + type: object + forceCommonAnnotations: + description: ForceCommonAnnotations specifies whether + to force applying common annotations to resources + for Kustomize apps + type: boolean + forceCommonLabels: + description: ForceCommonLabels specifies whether to + force applying common labels to resources for Kustomize + apps + type: boolean + images: + description: Images is a list of Kustomize image override + specifications + items: + description: KustomizeImage represents a Kustomize + image definition in the format [old_image_name=]: + type: string + type: array + namePrefix: + description: NamePrefix is a prefix appended to resources + for Kustomize apps + type: string + nameSuffix: + description: NameSuffix is a suffix appended to resources + for Kustomize apps + type: string + namespace: + description: Namespace sets the namespace that 
Kustomize + adds to all resources + type: string + replicas: + description: Replicas is a list of Kustomize Replicas + override specifications + items: + properties: + count: + anyOf: + - type: integer + - type: string + description: Number of replicas + x-kubernetes-int-or-string: true + name: + description: Name of Deployment or StatefulSet + type: string + required: + - count + - name + type: object + type: array + version: + description: Version controls which version of Kustomize + to use for rendering manifests + type: string + type: object + path: + description: Path is a directory path within the Git repository, + and is only valid for applications sourced from Git. + type: string + plugin: + description: Plugin holds config management plugin specific + options + properties: + env: + description: Env is a list of environment variable entries + items: + description: EnvEntry represents an entry in the application's + environment + properties: + name: + description: Name is the name of the variable, + usually expressed in uppercase + type: string + value: + description: Value is the value of the variable + type: string + required: + - name + - value + type: object + type: array + name: + type: string + parameters: + items: + properties: + array: + description: Array is the value of an array type + parameter. + items: + type: string + type: array + map: + additionalProperties: + type: string + description: Map is the value of a map type parameter. + type: object + name: + description: Name is the name identifying a parameter. + type: string + string: + description: String_ is the value of a string + type parameter. + type: string + type: object + type: array + type: object + ref: + description: Ref is reference to another source within sources + field. This field will not be used if used with a `source` + tag. 
+ type: string + repoURL: + description: RepoURL is the URL to the repository (Git or + Helm) that contains the application manifests + type: string + targetRevision: + description: TargetRevision defines the revision of the + source to sync the application to. In case of Git, this + can be commit, tag, or branch. If omitted, will equal + to HEAD. In case of Helm, this is a semver tag for the + Chart's version. + type: string + required: + - repoURL + type: object + sources: + description: Sources is a reference to the application sources + used for the sync operation + items: + description: ApplicationSource contains all required information + about the source of an application + properties: + chart: + description: Chart is a Helm chart name, and must be specified + for applications sourced from a Helm repo. + type: string + directory: + description: Directory holds path/directory specific options + properties: + exclude: + description: Exclude contains a glob pattern to match + paths against that should be explicitly excluded + from being used during manifest generation + type: string + include: + description: Include contains a glob pattern to match + paths against that should be explicitly included + during manifest generation + type: string + jsonnet: + description: Jsonnet holds options specific to Jsonnet + properties: + extVars: + description: ExtVars is a list of Jsonnet External + Variables + items: + description: JsonnetVar represents a variable + to be passed to jsonnet during manifest generation + properties: + code: + type: boolean + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + libs: + description: Additional library search dirs + items: + type: string + type: array + tlas: + description: TLAS is a list of Jsonnet Top-level + Arguments + items: + description: JsonnetVar represents a variable + to be passed to jsonnet during manifest generation + properties: + code: + type: boolean + name: + 
type: string + value: + type: string + required: + - name + - value + type: object + type: array + type: object + recurse: + description: Recurse specifies whether to scan a directory + recursively for manifests + type: boolean + type: object + helm: + description: Helm holds helm specific options + properties: + fileParameters: + description: FileParameters are file parameters to + the helm template + items: + description: HelmFileParameter is a file parameter + that's passed to helm template during manifest + generation + properties: + name: + description: Name is the name of the Helm parameter + type: string + path: + description: Path is the path to the file containing + the values for the Helm parameter + type: string + type: object + type: array + ignoreMissingValueFiles: + description: IgnoreMissingValueFiles prevents helm + template from failing when valueFiles do not exist + locally by not appending them to helm template --values + type: boolean + parameters: + description: Parameters is a list of Helm parameters + which are passed to the helm template command upon + manifest generation + items: + description: HelmParameter is a parameter that's + passed to helm template during manifest generation + properties: + forceString: + description: ForceString determines whether + to tell Helm to interpret booleans and numbers + as strings + type: boolean + name: + description: Name is the name of the Helm parameter + type: string + value: + description: Value is the value for the Helm + parameter + type: string + type: object + type: array + passCredentials: + description: PassCredentials pass credentials to all + domains (Helm's --pass-credentials) + type: boolean + releaseName: + description: ReleaseName is the Helm release name + to use. 
If omitted it will use the application name + type: string + skipCrds: + description: SkipCrds skips custom resource definition + installation step (Helm's --skip-crds) + type: boolean + valueFiles: + description: ValuesFiles is a list of Helm value files + to use when generating a template + items: + type: string + type: array + values: + description: Values specifies Helm values to be passed + to helm template, typically defined as a block + type: string + version: + description: Version is the Helm version to use for + templating ("3") + type: string + type: object + kustomize: + description: Kustomize holds kustomize specific options + properties: + commonAnnotations: + additionalProperties: + type: string + description: CommonAnnotations is a list of additional + annotations to add to rendered manifests + type: object + commonAnnotationsEnvsubst: + description: CommonAnnotationsEnvsubst specifies whether + to apply env variables substitution for annotation + values + type: boolean + commonLabels: + additionalProperties: + type: string + description: CommonLabels is a list of additional + labels to add to rendered manifests + type: object + forceCommonAnnotations: + description: ForceCommonAnnotations specifies whether + to force applying common annotations to resources + for Kustomize apps + type: boolean + forceCommonLabels: + description: ForceCommonLabels specifies whether to + force applying common labels to resources for Kustomize + apps + type: boolean + images: + description: Images is a list of Kustomize image override + specifications + items: + description: KustomizeImage represents a Kustomize + image definition in the format [old_image_name=]: + type: string + type: array + namePrefix: + description: NamePrefix is a prefix appended to resources + for Kustomize apps + type: string + nameSuffix: + description: NameSuffix is a suffix appended to resources + for Kustomize apps + type: string + namespace: + description: Namespace sets the namespace that 
Kustomize + adds to all resources + type: string + replicas: + description: Replicas is a list of Kustomize Replicas + override specifications + items: + properties: + count: + anyOf: + - type: integer + - type: string + description: Number of replicas + x-kubernetes-int-or-string: true + name: + description: Name of Deployment or StatefulSet + type: string + required: + - count + - name + type: object + type: array + version: + description: Version controls which version of Kustomize + to use for rendering manifests + type: string + type: object + path: + description: Path is a directory path within the Git repository, + and is only valid for applications sourced from Git. + type: string + plugin: + description: Plugin holds config management plugin specific + options + properties: + env: + description: Env is a list of environment variable + entries + items: + description: EnvEntry represents an entry in the + application's environment + properties: + name: + description: Name is the name of the variable, + usually expressed in uppercase + type: string + value: + description: Value is the value of the variable + type: string + required: + - name + - value + type: object + type: array + name: + type: string + parameters: + items: + properties: + array: + description: Array is the value of an array + type parameter. + items: + type: string + type: array + map: + additionalProperties: + type: string + description: Map is the value of a map type + parameter. + type: object + name: + description: Name is the name identifying a + parameter. + type: string + string: + description: String_ is the value of a string + type parameter. + type: string + type: object + type: array + type: object + ref: + description: Ref is reference to another source within + sources field. This field will not be used if used with + a `source` tag. 
+ type: string + repoURL: + description: RepoURL is the URL to the repository (Git + or Helm) that contains the application manifests + type: string + targetRevision: + description: TargetRevision defines the revision of the + source to sync the application to. In case of Git, this + can be commit, tag, or branch. If omitted, will equal + to HEAD. In case of Helm, this is a semver tag for the + Chart's version. + type: string + required: + - repoURL + type: object + type: array + required: + - deployedAt + - id + type: object + type: array + observedAt: + description: 'ObservedAt indicates when the application state was + updated without querying latest git state Deprecated: controller + no longer updates ObservedAt field' + format: date-time + type: string + operationState: + description: OperationState contains information about any ongoing + operations, such as a sync + properties: + finishedAt: + description: FinishedAt contains time of operation completion + format: date-time + type: string + message: + description: Message holds any pertinent messages when attempting + to perform operation (typically errors). + type: string + operation: + description: Operation is the original requested operation + properties: + info: + description: Info is a list of informational items for this + operation + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + initiatedBy: + description: InitiatedBy contains information about who initiated + the operations + properties: + automated: + description: Automated is set to true if operation was + initiated automatically by the application controller. 
+ type: boolean + username: + description: Username contains the name of a user who + started operation + type: string + type: object + retry: + description: Retry controls the strategy to apply if a sync + fails + properties: + backoff: + description: Backoff controls how to backoff on subsequent + retries of failed syncs + properties: + duration: + description: Duration is the amount to back off. Default + unit is seconds, but could also be a duration (e.g. + "2m", "1h") + type: string + factor: + description: Factor is a factor to multiply the base + duration after each failed retry + format: int64 + type: integer + maxDuration: + description: MaxDuration is the maximum amount of + time allowed for the backoff strategy + type: string + type: object + limit: + description: Limit is the maximum number of attempts for + retrying a failed sync. If set to 0, no retries will + be performed. + format: int64 + type: integer + type: object + sync: + description: Sync contains parameters for the operation + properties: + dryRun: + description: DryRun specifies to perform a `kubectl apply + --dry-run` without actually performing the sync + type: boolean + manifests: + description: Manifests is an optional field that overrides + sync source with a local directory for development + items: + type: string + type: array + prune: + description: Prune specifies to delete resources from + the cluster that are no longer tracked in git + type: boolean + resources: + description: Resources describes which resources shall + be part of the sync + items: + description: SyncOperationResource contains resources + to sync. + properties: + group: + type: string + kind: + type: string + name: + type: string + namespace: + type: string + required: + - kind + - name + type: object + type: array + revision: + description: Revision is the revision (Git) or chart version + (Helm) which to sync the application to If omitted, + will use the revision specified in app spec. 
+ type: string + revisions: + description: Revisions is the list of revision (Git) or + chart version (Helm) which to sync each source in sources + field for the application to If omitted, will use the + revision specified in app spec. + items: + type: string + type: array + source: + description: Source overrides the source definition set + in the application. This is typically set in a Rollback + operation and is nil during a Sync operation + properties: + chart: + description: Chart is a Helm chart name, and must + be specified for applications sourced from a Helm + repo. + type: string + directory: + description: Directory holds path/directory specific + options + properties: + exclude: + description: Exclude contains a glob pattern to + match paths against that should be explicitly + excluded from being used during manifest generation + type: string + include: + description: Include contains a glob pattern to + match paths against that should be explicitly + included during manifest generation + type: string + jsonnet: + description: Jsonnet holds options specific to + Jsonnet + properties: + extVars: + description: ExtVars is a list of Jsonnet + External Variables + items: + description: JsonnetVar represents a variable + to be passed to jsonnet during manifest + generation + properties: + code: + type: boolean + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + libs: + description: Additional library search dirs + items: + type: string + type: array + tlas: + description: TLAS is a list of Jsonnet Top-level + Arguments + items: + description: JsonnetVar represents a variable + to be passed to jsonnet during manifest + generation + properties: + code: + type: boolean + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + type: object + recurse: + description: Recurse specifies whether to scan + a directory recursively for manifests + type: boolean + 
type: object + helm: + description: Helm holds helm specific options + properties: + fileParameters: + description: FileParameters are file parameters + to the helm template + items: + description: HelmFileParameter is a file parameter + that's passed to helm template during manifest + generation + properties: + name: + description: Name is the name of the Helm + parameter + type: string + path: + description: Path is the path to the file + containing the values for the Helm parameter + type: string + type: object + type: array + ignoreMissingValueFiles: + description: IgnoreMissingValueFiles prevents + helm template from failing when valueFiles do + not exist locally by not appending them to helm + template --values + type: boolean + parameters: + description: Parameters is a list of Helm parameters + which are passed to the helm template command + upon manifest generation + items: + description: HelmParameter is a parameter that's + passed to helm template during manifest generation + properties: + forceString: + description: ForceString determines whether + to tell Helm to interpret booleans and + numbers as strings + type: boolean + name: + description: Name is the name of the Helm + parameter + type: string + value: + description: Value is the value for the + Helm parameter + type: string + type: object + type: array + passCredentials: + description: PassCredentials pass credentials + to all domains (Helm's --pass-credentials) + type: boolean + releaseName: + description: ReleaseName is the Helm release name + to use. 
If omitted it will use the application + name + type: string + skipCrds: + description: SkipCrds skips custom resource definition + installation step (Helm's --skip-crds) + type: boolean + valueFiles: + description: ValuesFiles is a list of Helm value + files to use when generating a template + items: + type: string + type: array + values: + description: Values specifies Helm values to be + passed to helm template, typically defined as + a block + type: string + version: + description: Version is the Helm version to use + for templating ("3") + type: string + type: object + kustomize: + description: Kustomize holds kustomize specific options + properties: + commonAnnotations: + additionalProperties: + type: string + description: CommonAnnotations is a list of additional + annotations to add to rendered manifests + type: object + commonAnnotationsEnvsubst: + description: CommonAnnotationsEnvsubst specifies + whether to apply env variables substitution + for annotation values + type: boolean + commonLabels: + additionalProperties: + type: string + description: CommonLabels is a list of additional + labels to add to rendered manifests + type: object + forceCommonAnnotations: + description: ForceCommonAnnotations specifies + whether to force applying common annotations + to resources for Kustomize apps + type: boolean + forceCommonLabels: + description: ForceCommonLabels specifies whether + to force applying common labels to resources + for Kustomize apps + type: boolean + images: + description: Images is a list of Kustomize image + override specifications + items: + description: KustomizeImage represents a Kustomize + image definition in the format [old_image_name=]: + type: string + type: array + namePrefix: + description: NamePrefix is a prefix appended to + resources for Kustomize apps + type: string + nameSuffix: + description: NameSuffix is a suffix appended to + resources for Kustomize apps + type: string + namespace: + description: Namespace sets the namespace 
that + Kustomize adds to all resources + type: string + replicas: + description: Replicas is a list of Kustomize Replicas + override specifications + items: + properties: + count: + anyOf: + - type: integer + - type: string + description: Number of replicas + x-kubernetes-int-or-string: true + name: + description: Name of Deployment or StatefulSet + type: string + required: + - count + - name + type: object + type: array + version: + description: Version controls which version of + Kustomize to use for rendering manifests + type: string + type: object + path: + description: Path is a directory path within the Git + repository, and is only valid for applications sourced + from Git. + type: string + plugin: + description: Plugin holds config management plugin + specific options + properties: + env: + description: Env is a list of environment variable + entries + items: + description: EnvEntry represents an entry in + the application's environment + properties: + name: + description: Name is the name of the variable, + usually expressed in uppercase + type: string + value: + description: Value is the value of the variable + type: string + required: + - name + - value + type: object + type: array + name: + type: string + parameters: + items: + properties: + array: + description: Array is the value of an array + type parameter. + items: + type: string + type: array + map: + additionalProperties: + type: string + description: Map is the value of a map type + parameter. + type: object + name: + description: Name is the name identifying + a parameter. + type: string + string: + description: String_ is the value of a string + type parameter. + type: string + type: object + type: array + type: object + ref: + description: Ref is reference to another source within + sources field. This field will not be used if used + with a `source` tag. 
+ type: string + repoURL: + description: RepoURL is the URL to the repository + (Git or Helm) that contains the application manifests + type: string + targetRevision: + description: TargetRevision defines the revision of + the source to sync the application to. In case of + Git, this can be commit, tag, or branch. If omitted, + will equal to HEAD. In case of Helm, this is a semver + tag for the Chart's version. + type: string + required: + - repoURL + type: object + sources: + description: Sources overrides the source definition set + in the application. This is typically set in a Rollback + operation and is nil during a Sync operation + items: + description: ApplicationSource contains all required + information about the source of an application + properties: + chart: + description: Chart is a Helm chart name, and must + be specified for applications sourced from a Helm + repo. + type: string + directory: + description: Directory holds path/directory specific + options + properties: + exclude: + description: Exclude contains a glob pattern + to match paths against that should be explicitly + excluded from being used during manifest generation + type: string + include: + description: Include contains a glob pattern + to match paths against that should be explicitly + included during manifest generation + type: string + jsonnet: + description: Jsonnet holds options specific + to Jsonnet + properties: + extVars: + description: ExtVars is a list of Jsonnet + External Variables + items: + description: JsonnetVar represents a variable + to be passed to jsonnet during manifest + generation + properties: + code: + type: boolean + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + libs: + description: Additional library search dirs + items: + type: string + type: array + tlas: + description: TLAS is a list of Jsonnet Top-level + Arguments + items: + description: JsonnetVar represents a variable + to be passed to 
jsonnet during manifest + generation + properties: + code: + type: boolean + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + type: object + recurse: + description: Recurse specifies whether to scan + a directory recursively for manifests + type: boolean + type: object + helm: + description: Helm holds helm specific options + properties: + fileParameters: + description: FileParameters are file parameters + to the helm template + items: + description: HelmFileParameter is a file parameter + that's passed to helm template during manifest + generation + properties: + name: + description: Name is the name of the Helm + parameter + type: string + path: + description: Path is the path to the file + containing the values for the Helm parameter + type: string + type: object + type: array + ignoreMissingValueFiles: + description: IgnoreMissingValueFiles prevents + helm template from failing when valueFiles + do not exist locally by not appending them + to helm template --values + type: boolean + parameters: + description: Parameters is a list of Helm parameters + which are passed to the helm template command + upon manifest generation + items: + description: HelmParameter is a parameter + that's passed to helm template during manifest + generation + properties: + forceString: + description: ForceString determines whether + to tell Helm to interpret booleans and + numbers as strings + type: boolean + name: + description: Name is the name of the Helm + parameter + type: string + value: + description: Value is the value for the + Helm parameter + type: string + type: object + type: array + passCredentials: + description: PassCredentials pass credentials + to all domains (Helm's --pass-credentials) + type: boolean + releaseName: + description: ReleaseName is the Helm release + name to use. 
If omitted it will use the application + name + type: string + skipCrds: + description: SkipCrds skips custom resource + definition installation step (Helm's --skip-crds) + type: boolean + valueFiles: + description: ValuesFiles is a list of Helm value + files to use when generating a template + items: + type: string + type: array + values: + description: Values specifies Helm values to + be passed to helm template, typically defined + as a block + type: string + version: + description: Version is the Helm version to + use for templating ("3") + type: string + type: object + kustomize: + description: Kustomize holds kustomize specific + options + properties: + commonAnnotations: + additionalProperties: + type: string + description: CommonAnnotations is a list of + additional annotations to add to rendered + manifests + type: object + commonAnnotationsEnvsubst: + description: CommonAnnotationsEnvsubst specifies + whether to apply env variables substitution + for annotation values + type: boolean + commonLabels: + additionalProperties: + type: string + description: CommonLabels is a list of additional + labels to add to rendered manifests + type: object + forceCommonAnnotations: + description: ForceCommonAnnotations specifies + whether to force applying common annotations + to resources for Kustomize apps + type: boolean + forceCommonLabels: + description: ForceCommonLabels specifies whether + to force applying common labels to resources + for Kustomize apps + type: boolean + images: + description: Images is a list of Kustomize image + override specifications + items: + description: KustomizeImage represents a Kustomize + image definition in the format [old_image_name=]: + type: string + type: array + namePrefix: + description: NamePrefix is a prefix appended + to resources for Kustomize apps + type: string + nameSuffix: + description: NameSuffix is a suffix appended + to resources for Kustomize apps + type: string + namespace: + description: Namespace sets the 
namespace that + Kustomize adds to all resources + type: string + replicas: + description: Replicas is a list of Kustomize + Replicas override specifications + items: + properties: + count: + anyOf: + - type: integer + - type: string + description: Number of replicas + x-kubernetes-int-or-string: true + name: + description: Name of Deployment or StatefulSet + type: string + required: + - count + - name + type: object + type: array + version: + description: Version controls which version + of Kustomize to use for rendering manifests + type: string + type: object + path: + description: Path is a directory path within the + Git repository, and is only valid for applications + sourced from Git. + type: string + plugin: + description: Plugin holds config management plugin + specific options + properties: + env: + description: Env is a list of environment variable + entries + items: + description: EnvEntry represents an entry + in the application's environment + properties: + name: + description: Name is the name of the variable, + usually expressed in uppercase + type: string + value: + description: Value is the value of the + variable + type: string + required: + - name + - value + type: object + type: array + name: + type: string + parameters: + items: + properties: + array: + description: Array is the value of an + array type parameter. + items: + type: string + type: array + map: + additionalProperties: + type: string + description: Map is the value of a map + type parameter. + type: object + name: + description: Name is the name identifying + a parameter. + type: string + string: + description: String_ is the value of a + string type parameter. + type: string + type: object + type: array + type: object + ref: + description: Ref is reference to another source + within sources field. This field will not be used + if used with a `source` tag. 
+ type: string + repoURL: + description: RepoURL is the URL to the repository + (Git or Helm) that contains the application manifests + type: string + targetRevision: + description: TargetRevision defines the revision + of the source to sync the application to. In case + of Git, this can be commit, tag, or branch. If + omitted, will equal to HEAD. In case of Helm, + this is a semver tag for the Chart's version. + type: string + required: + - repoURL + type: object + type: array + syncOptions: + description: SyncOptions provide per-sync sync-options, + e.g. Validate=false + items: + type: string + type: array + syncStrategy: + description: SyncStrategy describes how to perform the + sync + properties: + apply: + description: Apply will perform a `kubectl apply` + to perform the sync. + properties: + force: + description: Force indicates whether or not to + supply the --force flag to `kubectl apply`. + The --force flag deletes and re-create the resource, + when PATCH encounters conflict and has retried + for 5 times. + type: boolean + type: object + hook: + description: Hook will submit any referenced resources + to perform the sync. This is the default strategy + properties: + force: + description: Force indicates whether or not to + supply the --force flag to `kubectl apply`. + The --force flag deletes and re-create the resource, + when PATCH encounters conflict and has retried + for 5 times. 
+ type: boolean + type: object + type: object + type: object + type: object + phase: + description: Phase is the current phase of the operation + type: string + retryCount: + description: RetryCount contains time of operation retries + format: int64 + type: integer + startedAt: + description: StartedAt contains time of operation start + format: date-time + type: string + syncResult: + description: SyncResult is the result of a Sync operation + properties: + resources: + description: Resources contains a list of sync result items + for each individual resource in a sync operation + items: + description: ResourceResult holds the operation result details + of a specific resource + properties: + group: + description: Group specifies the API group of the resource + type: string + hookPhase: + description: HookPhase contains the state of any operation + associated with this resource OR hook This can also + contain values for non-hook resources. + type: string + hookType: + description: HookType specifies the type of the hook. + Empty for non-hook resources + type: string + kind: + description: Kind specifies the API kind of the resource + type: string + message: + description: Message contains an informational or error + message for the last sync OR operation + type: string + name: + description: Name specifies the name of the resource + type: string + namespace: + description: Namespace specifies the target namespace + of the resource + type: string + status: + description: Status holds the final result of the sync. 
+ Will be empty if the resources is yet to be applied/pruned + and is always zero-value for hooks + type: string + syncPhase: + description: SyncPhase indicates the particular phase + of the sync that this result was acquired in + type: string + version: + description: Version specifies the API version of the + resource + type: string + required: + - group + - kind + - name + - namespace + - version + type: object + type: array + revision: + description: Revision holds the revision this sync operation + was performed to + type: string + revisions: + description: Revisions holds the revision this sync operation + was performed for respective indexed source in sources field + items: + type: string + type: array + source: + description: Source records the application source information + of the sync, used for comparing auto-sync + properties: + chart: + description: Chart is a Helm chart name, and must be specified + for applications sourced from a Helm repo. + type: string + directory: + description: Directory holds path/directory specific options + properties: + exclude: + description: Exclude contains a glob pattern to match + paths against that should be explicitly excluded + from being used during manifest generation + type: string + include: + description: Include contains a glob pattern to match + paths against that should be explicitly included + during manifest generation + type: string + jsonnet: + description: Jsonnet holds options specific to Jsonnet + properties: + extVars: + description: ExtVars is a list of Jsonnet External + Variables + items: + description: JsonnetVar represents a variable + to be passed to jsonnet during manifest generation + properties: + code: + type: boolean + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + libs: + description: Additional library search dirs + items: + type: string + type: array + tlas: + description: TLAS is a list of Jsonnet Top-level + Arguments + 
items: + description: JsonnetVar represents a variable + to be passed to jsonnet during manifest generation + properties: + code: + type: boolean + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + type: object + recurse: + description: Recurse specifies whether to scan a directory + recursively for manifests + type: boolean + type: object + helm: + description: Helm holds helm specific options + properties: + fileParameters: + description: FileParameters are file parameters to + the helm template + items: + description: HelmFileParameter is a file parameter + that's passed to helm template during manifest + generation + properties: + name: + description: Name is the name of the Helm parameter + type: string + path: + description: Path is the path to the file containing + the values for the Helm parameter + type: string + type: object + type: array + ignoreMissingValueFiles: + description: IgnoreMissingValueFiles prevents helm + template from failing when valueFiles do not exist + locally by not appending them to helm template --values + type: boolean + parameters: + description: Parameters is a list of Helm parameters + which are passed to the helm template command upon + manifest generation + items: + description: HelmParameter is a parameter that's + passed to helm template during manifest generation + properties: + forceString: + description: ForceString determines whether + to tell Helm to interpret booleans and numbers + as strings + type: boolean + name: + description: Name is the name of the Helm parameter + type: string + value: + description: Value is the value for the Helm + parameter + type: string + type: object + type: array + passCredentials: + description: PassCredentials pass credentials to all + domains (Helm's --pass-credentials) + type: boolean + releaseName: + description: ReleaseName is the Helm release name + to use. 
If omitted it will use the application name + type: string + skipCrds: + description: SkipCrds skips custom resource definition + installation step (Helm's --skip-crds) + type: boolean + valueFiles: + description: ValuesFiles is a list of Helm value files + to use when generating a template + items: + type: string + type: array + values: + description: Values specifies Helm values to be passed + to helm template, typically defined as a block + type: string + version: + description: Version is the Helm version to use for + templating ("3") + type: string + type: object + kustomize: + description: Kustomize holds kustomize specific options + properties: + commonAnnotations: + additionalProperties: + type: string + description: CommonAnnotations is a list of additional + annotations to add to rendered manifests + type: object + commonAnnotationsEnvsubst: + description: CommonAnnotationsEnvsubst specifies whether + to apply env variables substitution for annotation + values + type: boolean + commonLabels: + additionalProperties: + type: string + description: CommonLabels is a list of additional + labels to add to rendered manifests + type: object + forceCommonAnnotations: + description: ForceCommonAnnotations specifies whether + to force applying common annotations to resources + for Kustomize apps + type: boolean + forceCommonLabels: + description: ForceCommonLabels specifies whether to + force applying common labels to resources for Kustomize + apps + type: boolean + images: + description: Images is a list of Kustomize image override + specifications + items: + description: KustomizeImage represents a Kustomize + image definition in the format [old_image_name=]: + type: string + type: array + namePrefix: + description: NamePrefix is a prefix appended to resources + for Kustomize apps + type: string + nameSuffix: + description: NameSuffix is a suffix appended to resources + for Kustomize apps + type: string + namespace: + description: Namespace sets the namespace that 
Kustomize + adds to all resources + type: string + replicas: + description: Replicas is a list of Kustomize Replicas + override specifications + items: + properties: + count: + anyOf: + - type: integer + - type: string + description: Number of replicas + x-kubernetes-int-or-string: true + name: + description: Name of Deployment or StatefulSet + type: string + required: + - count + - name + type: object + type: array + version: + description: Version controls which version of Kustomize + to use for rendering manifests + type: string + type: object + path: + description: Path is a directory path within the Git repository, + and is only valid for applications sourced from Git. + type: string + plugin: + description: Plugin holds config management plugin specific + options + properties: + env: + description: Env is a list of environment variable + entries + items: + description: EnvEntry represents an entry in the + application's environment + properties: + name: + description: Name is the name of the variable, + usually expressed in uppercase + type: string + value: + description: Value is the value of the variable + type: string + required: + - name + - value + type: object + type: array + name: + type: string + parameters: + items: + properties: + array: + description: Array is the value of an array + type parameter. + items: + type: string + type: array + map: + additionalProperties: + type: string + description: Map is the value of a map type + parameter. + type: object + name: + description: Name is the name identifying a + parameter. + type: string + string: + description: String_ is the value of a string + type parameter. + type: string + type: object + type: array + type: object + ref: + description: Ref is reference to another source within + sources field. This field will not be used if used with + a `source` tag. 
+ type: string + repoURL: + description: RepoURL is the URL to the repository (Git + or Helm) that contains the application manifests + type: string + targetRevision: + description: TargetRevision defines the revision of the + source to sync the application to. In case of Git, this + can be commit, tag, or branch. If omitted, will equal + to HEAD. In case of Helm, this is a semver tag for the + Chart's version. + type: string + required: + - repoURL + type: object + sources: + description: Source records the application source information + of the sync, used for comparing auto-sync + items: + description: ApplicationSource contains all required information + about the source of an application + properties: + chart: + description: Chart is a Helm chart name, and must be + specified for applications sourced from a Helm repo. + type: string + directory: + description: Directory holds path/directory specific + options + properties: + exclude: + description: Exclude contains a glob pattern to + match paths against that should be explicitly + excluded from being used during manifest generation + type: string + include: + description: Include contains a glob pattern to + match paths against that should be explicitly + included during manifest generation + type: string + jsonnet: + description: Jsonnet holds options specific to Jsonnet + properties: + extVars: + description: ExtVars is a list of Jsonnet External + Variables + items: + description: JsonnetVar represents a variable + to be passed to jsonnet during manifest + generation + properties: + code: + type: boolean + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + libs: + description: Additional library search dirs + items: + type: string + type: array + tlas: + description: TLAS is a list of Jsonnet Top-level + Arguments + items: + description: JsonnetVar represents a variable + to be passed to jsonnet during manifest + generation + properties: + code: + 
type: boolean + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + type: object + recurse: + description: Recurse specifies whether to scan a + directory recursively for manifests + type: boolean + type: object + helm: + description: Helm holds helm specific options + properties: + fileParameters: + description: FileParameters are file parameters + to the helm template + items: + description: HelmFileParameter is a file parameter + that's passed to helm template during manifest + generation + properties: + name: + description: Name is the name of the Helm + parameter + type: string + path: + description: Path is the path to the file + containing the values for the Helm parameter + type: string + type: object + type: array + ignoreMissingValueFiles: + description: IgnoreMissingValueFiles prevents helm + template from failing when valueFiles do not exist + locally by not appending them to helm template + --values + type: boolean + parameters: + description: Parameters is a list of Helm parameters + which are passed to the helm template command + upon manifest generation + items: + description: HelmParameter is a parameter that's + passed to helm template during manifest generation + properties: + forceString: + description: ForceString determines whether + to tell Helm to interpret booleans and numbers + as strings + type: boolean + name: + description: Name is the name of the Helm + parameter + type: string + value: + description: Value is the value for the Helm + parameter + type: string + type: object + type: array + passCredentials: + description: PassCredentials pass credentials to + all domains (Helm's --pass-credentials) + type: boolean + releaseName: + description: ReleaseName is the Helm release name + to use. 
If omitted it will use the application + name + type: string + skipCrds: + description: SkipCrds skips custom resource definition + installation step (Helm's --skip-crds) + type: boolean + valueFiles: + description: ValuesFiles is a list of Helm value + files to use when generating a template + items: + type: string + type: array + values: + description: Values specifies Helm values to be + passed to helm template, typically defined as + a block + type: string + version: + description: Version is the Helm version to use + for templating ("3") + type: string + type: object + kustomize: + description: Kustomize holds kustomize specific options + properties: + commonAnnotations: + additionalProperties: + type: string + description: CommonAnnotations is a list of additional + annotations to add to rendered manifests + type: object + commonAnnotationsEnvsubst: + description: CommonAnnotationsEnvsubst specifies + whether to apply env variables substitution for + annotation values + type: boolean + commonLabels: + additionalProperties: + type: string + description: CommonLabels is a list of additional + labels to add to rendered manifests + type: object + forceCommonAnnotations: + description: ForceCommonAnnotations specifies whether + to force applying common annotations to resources + for Kustomize apps + type: boolean + forceCommonLabels: + description: ForceCommonLabels specifies whether + to force applying common labels to resources for + Kustomize apps + type: boolean + images: + description: Images is a list of Kustomize image + override specifications + items: + description: KustomizeImage represents a Kustomize + image definition in the format [old_image_name=]: + type: string + type: array + namePrefix: + description: NamePrefix is a prefix appended to + resources for Kustomize apps + type: string + nameSuffix: + description: NameSuffix is a suffix appended to + resources for Kustomize apps + type: string + namespace: + description: Namespace sets the namespace 
that Kustomize + adds to all resources + type: string + replicas: + description: Replicas is a list of Kustomize Replicas + override specifications + items: + properties: + count: + anyOf: + - type: integer + - type: string + description: Number of replicas + x-kubernetes-int-or-string: true + name: + description: Name of Deployment or StatefulSet + type: string + required: + - count + - name + type: object + type: array + version: + description: Version controls which version of Kustomize + to use for rendering manifests + type: string + type: object + path: + description: Path is a directory path within the Git + repository, and is only valid for applications sourced + from Git. + type: string + plugin: + description: Plugin holds config management plugin specific + options + properties: + env: + description: Env is a list of environment variable + entries + items: + description: EnvEntry represents an entry in the + application's environment + properties: + name: + description: Name is the name of the variable, + usually expressed in uppercase + type: string + value: + description: Value is the value of the variable + type: string + required: + - name + - value + type: object + type: array + name: + type: string + parameters: + items: + properties: + array: + description: Array is the value of an array + type parameter. + items: + type: string + type: array + map: + additionalProperties: + type: string + description: Map is the value of a map type + parameter. + type: object + name: + description: Name is the name identifying + a parameter. + type: string + string: + description: String_ is the value of a string + type parameter. + type: string + type: object + type: array + type: object + ref: + description: Ref is reference to another source within + sources field. This field will not be used if used + with a `source` tag. 
+ type: string + repoURL: + description: RepoURL is the URL to the repository (Git + or Helm) that contains the application manifests + type: string + targetRevision: + description: TargetRevision defines the revision of + the source to sync the application to. In case of + Git, this can be commit, tag, or branch. If omitted, + will equal to HEAD. In case of Helm, this is a semver + tag for the Chart's version. + type: string + required: + - repoURL + type: object + type: array + required: + - revision + type: object + required: + - operation + - phase + - startedAt + type: object + reconciledAt: + description: ReconciledAt indicates when the application state was + reconciled using the latest git version + format: date-time + type: string + resourceHealthSource: + description: 'ResourceHealthSource indicates where the resource health + status is stored: inline if not set or appTree' + type: string + resources: + description: Resources is a list of Kubernetes resources managed by + this application + items: + description: 'ResourceStatus holds the current sync and health status + of a resource TODO: describe members of this type' + properties: + group: + type: string + health: + description: HealthStatus contains information about the currently + observed health state of an application or resource + properties: + message: + description: Message is a human-readable informational message + describing the health status + type: string + status: + description: Status holds the status code of the application + or resource + type: string + type: object + hook: + type: boolean + kind: + type: string + name: + type: string + namespace: + type: string + requiresPruning: + type: boolean + status: + description: SyncStatusCode is a type which represents possible + comparison results + type: string + syncWave: + format: int64 + type: integer + version: + type: string + type: object + type: array + sourceType: + description: SourceType specifies the type of this application + 
type: string + sourceTypes: + description: SourceTypes specifies the type of the sources included + in the application + items: + description: ApplicationSourceType specifies the type of the application's + source + type: string + type: array + summary: + description: Summary contains a list of URLs and container images + used by this application + properties: + externalURLs: + description: ExternalURLs holds all external URLs of application + child resources. + items: + type: string + type: array + images: + description: Images holds all images of application child resources. + items: + type: string + type: array + type: object + sync: + description: Sync contains information about the application's current + sync status + properties: + comparedTo: + description: ComparedTo contains information about what has been + compared + properties: + destination: + description: Destination is a reference to the application's + destination used for comparison + properties: + name: + description: Name is an alternate way of specifying the + target cluster by its symbolic name + type: string + namespace: + description: Namespace specifies the target namespace + for the application's resources. The namespace will + only be set for namespace-scoped resources that have + not set a value for .metadata.namespace + type: string + server: + description: Server specifies the URL of the target cluster + and must be set to the Kubernetes control plane API + type: string + type: object + source: + description: Source is a reference to the application's source + used for comparison + properties: + chart: + description: Chart is a Helm chart name, and must be specified + for applications sourced from a Helm repo. 
+ type: string + directory: + description: Directory holds path/directory specific options + properties: + exclude: + description: Exclude contains a glob pattern to match + paths against that should be explicitly excluded + from being used during manifest generation + type: string + include: + description: Include contains a glob pattern to match + paths against that should be explicitly included + during manifest generation + type: string + jsonnet: + description: Jsonnet holds options specific to Jsonnet + properties: + extVars: + description: ExtVars is a list of Jsonnet External + Variables + items: + description: JsonnetVar represents a variable + to be passed to jsonnet during manifest generation + properties: + code: + type: boolean + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + libs: + description: Additional library search dirs + items: + type: string + type: array + tlas: + description: TLAS is a list of Jsonnet Top-level + Arguments + items: + description: JsonnetVar represents a variable + to be passed to jsonnet during manifest generation + properties: + code: + type: boolean + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + type: object + recurse: + description: Recurse specifies whether to scan a directory + recursively for manifests + type: boolean + type: object + helm: + description: Helm holds helm specific options + properties: + fileParameters: + description: FileParameters are file parameters to + the helm template + items: + description: HelmFileParameter is a file parameter + that's passed to helm template during manifest + generation + properties: + name: + description: Name is the name of the Helm parameter + type: string + path: + description: Path is the path to the file containing + the values for the Helm parameter + type: string + type: object + type: array + ignoreMissingValueFiles: + description: 
IgnoreMissingValueFiles prevents helm + template from failing when valueFiles do not exist + locally by not appending them to helm template --values + type: boolean + parameters: + description: Parameters is a list of Helm parameters + which are passed to the helm template command upon + manifest generation + items: + description: HelmParameter is a parameter that's + passed to helm template during manifest generation + properties: + forceString: + description: ForceString determines whether + to tell Helm to interpret booleans and numbers + as strings + type: boolean + name: + description: Name is the name of the Helm parameter + type: string + value: + description: Value is the value for the Helm + parameter + type: string + type: object + type: array + passCredentials: + description: PassCredentials pass credentials to all + domains (Helm's --pass-credentials) + type: boolean + releaseName: + description: ReleaseName is the Helm release name + to use. If omitted it will use the application name + type: string + skipCrds: + description: SkipCrds skips custom resource definition + installation step (Helm's --skip-crds) + type: boolean + valueFiles: + description: ValuesFiles is a list of Helm value files + to use when generating a template + items: + type: string + type: array + values: + description: Values specifies Helm values to be passed + to helm template, typically defined as a block + type: string + version: + description: Version is the Helm version to use for + templating ("3") + type: string + type: object + kustomize: + description: Kustomize holds kustomize specific options + properties: + commonAnnotations: + additionalProperties: + type: string + description: CommonAnnotations is a list of additional + annotations to add to rendered manifests + type: object + commonAnnotationsEnvsubst: + description: CommonAnnotationsEnvsubst specifies whether + to apply env variables substitution for annotation + values + type: boolean + commonLabels: + 
additionalProperties: + type: string + description: CommonLabels is a list of additional + labels to add to rendered manifests + type: object + forceCommonAnnotations: + description: ForceCommonAnnotations specifies whether + to force applying common annotations to resources + for Kustomize apps + type: boolean + forceCommonLabels: + description: ForceCommonLabels specifies whether to + force applying common labels to resources for Kustomize + apps + type: boolean + images: + description: Images is a list of Kustomize image override + specifications + items: + description: KustomizeImage represents a Kustomize + image definition in the format [old_image_name=]: + type: string + type: array + namePrefix: + description: NamePrefix is a prefix appended to resources + for Kustomize apps + type: string + nameSuffix: + description: NameSuffix is a suffix appended to resources + for Kustomize apps + type: string + namespace: + description: Namespace sets the namespace that Kustomize + adds to all resources + type: string + replicas: + description: Replicas is a list of Kustomize Replicas + override specifications + items: + properties: + count: + anyOf: + - type: integer + - type: string + description: Number of replicas + x-kubernetes-int-or-string: true + name: + description: Name of Deployment or StatefulSet + type: string + required: + - count + - name + type: object + type: array + version: + description: Version controls which version of Kustomize + to use for rendering manifests + type: string + type: object + path: + description: Path is a directory path within the Git repository, + and is only valid for applications sourced from Git. 
+ type: string + plugin: + description: Plugin holds config management plugin specific + options + properties: + env: + description: Env is a list of environment variable + entries + items: + description: EnvEntry represents an entry in the + application's environment + properties: + name: + description: Name is the name of the variable, + usually expressed in uppercase + type: string + value: + description: Value is the value of the variable + type: string + required: + - name + - value + type: object + type: array + name: + type: string + parameters: + items: + properties: + array: + description: Array is the value of an array + type parameter. + items: + type: string + type: array + map: + additionalProperties: + type: string + description: Map is the value of a map type + parameter. + type: object + name: + description: Name is the name identifying a + parameter. + type: string + string: + description: String_ is the value of a string + type parameter. + type: string + type: object + type: array + type: object + ref: + description: Ref is reference to another source within + sources field. This field will not be used if used with + a `source` tag. + type: string + repoURL: + description: RepoURL is the URL to the repository (Git + or Helm) that contains the application manifests + type: string + targetRevision: + description: TargetRevision defines the revision of the + source to sync the application to. In case of Git, this + can be commit, tag, or branch. If omitted, will equal + to HEAD. In case of Helm, this is a semver tag for the + Chart's version. + type: string + required: + - repoURL + type: object + sources: + description: Sources is a reference to the application's multiple + sources used for comparison + items: + description: ApplicationSource contains all required information + about the source of an application + properties: + chart: + description: Chart is a Helm chart name, and must be + specified for applications sourced from a Helm repo. 
+ type: string + directory: + description: Directory holds path/directory specific + options + properties: + exclude: + description: Exclude contains a glob pattern to + match paths against that should be explicitly + excluded from being used during manifest generation + type: string + include: + description: Include contains a glob pattern to + match paths against that should be explicitly + included during manifest generation + type: string + jsonnet: + description: Jsonnet holds options specific to Jsonnet + properties: + extVars: + description: ExtVars is a list of Jsonnet External + Variables + items: + description: JsonnetVar represents a variable + to be passed to jsonnet during manifest + generation + properties: + code: + type: boolean + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + libs: + description: Additional library search dirs + items: + type: string + type: array + tlas: + description: TLAS is a list of Jsonnet Top-level + Arguments + items: + description: JsonnetVar represents a variable + to be passed to jsonnet during manifest + generation + properties: + code: + type: boolean + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + type: object + recurse: + description: Recurse specifies whether to scan a + directory recursively for manifests + type: boolean + type: object + helm: + description: Helm holds helm specific options + properties: + fileParameters: + description: FileParameters are file parameters + to the helm template + items: + description: HelmFileParameter is a file parameter + that's passed to helm template during manifest + generation + properties: + name: + description: Name is the name of the Helm + parameter + type: string + path: + description: Path is the path to the file + containing the values for the Helm parameter + type: string + type: object + type: array + ignoreMissingValueFiles: + description: 
IgnoreMissingValueFiles prevents helm + template from failing when valueFiles do not exist + locally by not appending them to helm template + --values + type: boolean + parameters: + description: Parameters is a list of Helm parameters + which are passed to the helm template command + upon manifest generation + items: + description: HelmParameter is a parameter that's + passed to helm template during manifest generation + properties: + forceString: + description: ForceString determines whether + to tell Helm to interpret booleans and numbers + as strings + type: boolean + name: + description: Name is the name of the Helm + parameter + type: string + value: + description: Value is the value for the Helm + parameter + type: string + type: object + type: array + passCredentials: + description: PassCredentials pass credentials to + all domains (Helm's --pass-credentials) + type: boolean + releaseName: + description: ReleaseName is the Helm release name + to use. If omitted it will use the application + name + type: string + skipCrds: + description: SkipCrds skips custom resource definition + installation step (Helm's --skip-crds) + type: boolean + valueFiles: + description: ValuesFiles is a list of Helm value + files to use when generating a template + items: + type: string + type: array + values: + description: Values specifies Helm values to be + passed to helm template, typically defined as + a block + type: string + version: + description: Version is the Helm version to use + for templating ("3") + type: string + type: object + kustomize: + description: Kustomize holds kustomize specific options + properties: + commonAnnotations: + additionalProperties: + type: string + description: CommonAnnotations is a list of additional + annotations to add to rendered manifests + type: object + commonAnnotationsEnvsubst: + description: CommonAnnotationsEnvsubst specifies + whether to apply env variables substitution for + annotation values + type: boolean + commonLabels: + 
additionalProperties: + type: string + description: CommonLabels is a list of additional + labels to add to rendered manifests + type: object + forceCommonAnnotations: + description: ForceCommonAnnotations specifies whether + to force applying common annotations to resources + for Kustomize apps + type: boolean + forceCommonLabels: + description: ForceCommonLabels specifies whether + to force applying common labels to resources for + Kustomize apps + type: boolean + images: + description: Images is a list of Kustomize image + override specifications + items: + description: KustomizeImage represents a Kustomize + image definition in the format [old_image_name=]: + type: string + type: array + namePrefix: + description: NamePrefix is a prefix appended to + resources for Kustomize apps + type: string + nameSuffix: + description: NameSuffix is a suffix appended to + resources for Kustomize apps + type: string + namespace: + description: Namespace sets the namespace that Kustomize + adds to all resources + type: string + replicas: + description: Replicas is a list of Kustomize Replicas + override specifications + items: + properties: + count: + anyOf: + - type: integer + - type: string + description: Number of replicas + x-kubernetes-int-or-string: true + name: + description: Name of Deployment or StatefulSet + type: string + required: + - count + - name + type: object + type: array + version: + description: Version controls which version of Kustomize + to use for rendering manifests + type: string + type: object + path: + description: Path is a directory path within the Git + repository, and is only valid for applications sourced + from Git. 
+ type: string + plugin: + description: Plugin holds config management plugin specific + options + properties: + env: + description: Env is a list of environment variable + entries + items: + description: EnvEntry represents an entry in the + application's environment + properties: + name: + description: Name is the name of the variable, + usually expressed in uppercase + type: string + value: + description: Value is the value of the variable + type: string + required: + - name + - value + type: object + type: array + name: + type: string + parameters: + items: + properties: + array: + description: Array is the value of an array + type parameter. + items: + type: string + type: array + map: + additionalProperties: + type: string + description: Map is the value of a map type + parameter. + type: object + name: + description: Name is the name identifying + a parameter. + type: string + string: + description: String_ is the value of a string + type parameter. + type: string + type: object + type: array + type: object + ref: + description: Ref is reference to another source within + sources field. This field will not be used if used + with a `source` tag. + type: string + repoURL: + description: RepoURL is the URL to the repository (Git + or Helm) that contains the application manifests + type: string + targetRevision: + description: TargetRevision defines the revision of + the source to sync the application to. In case of + Git, this can be commit, tag, or branch. If omitted, + will equal to HEAD. In case of Helm, this is a semver + tag for the Chart's version. 
+ type: string + required: + - repoURL + type: object + type: array + required: + - destination + type: object + revision: + description: Revision contains information about the revision + the comparison has been performed to + type: string + revisions: + description: Revisions contains information about the revisions + of multiple sources the comparison has been performed to + items: + type: string + type: array + status: + description: Status is the sync state of the comparison + type: string + required: + - status + type: object + type: object + required: + - metadata + - spec + type: object + served: true + storage: true + subresources: {} diff --git a/CRDs/applicationsets.yaml b/CRDs/applicationsets.yaml new file mode 100644 index 000000000..b868cb00d --- /dev/null +++ b/CRDs/applicationsets.yaml 
@@ -0,0 +1,11671 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app.kubernetes.io/name: applicationsets.argoproj.io + app.kubernetes.io/part-of: argocd + name: applicationsets.argoproj.io +spec: + group: argoproj.io + names: + kind: ApplicationSet + listKind: ApplicationSetList + plural: applicationsets + shortNames: + - appset + - appsets + singular: applicationset + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + properties: + apiVersion: + type: string + kind: + type: string + metadata: + type: object + spec: + properties: + generators: + items: + properties: + clusterDecisionResource: + properties: + configMapRef: + type: string + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + name: + type: string + requeueAfterSeconds: + format: int64 + type: integer + template: + properties: + metadata: + properties: + annotations: + additionalProperties: + type: string + type: object + finalizers: + items: + type: string + type: array + labels: + additionalProperties: + type: string + type: object + name: + type: string + namespace: + type: string + type: object + spec: + properties: + destination: + properties: + name: + type: string + namespace: + type: string + server: + type: string + type: object + ignoreDifferences: + items: + properties: + group: + type: string + jqPathExpressions: + items: + type: string + type: array + jsonPointers: + items: + type: string + type: array + kind: + type: string + managedFieldsManagers: + items: + type: string + type: array + name: + type: string + namespace: + type: string + required: + - kind + type: object + type: array + info: + items: + properties: + name: + type: string + value: + type: 
string + required: + - name + - value + type: object + type: array + project: + type: string + revisionHistoryLimit: + format: int64 + type: integer + source: + properties: + chart: + type: string + directory: + properties: + exclude: + type: string + include: + type: string + jsonnet: + properties: + extVars: + items: + properties: + code: + type: boolean + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + libs: + items: + type: string + type: array + tlas: + items: + properties: + code: + type: boolean + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + type: object + recurse: + type: boolean + type: object + helm: + properties: + fileParameters: + items: + properties: + name: + type: string + path: + type: string + type: object + type: array + ignoreMissingValueFiles: + type: boolean + parameters: + items: + properties: + forceString: + type: boolean + name: + type: string + value: + type: string + type: object + type: array + passCredentials: + type: boolean + releaseName: + type: string + skipCrds: + type: boolean + valueFiles: + items: + type: string + type: array + values: + type: string + version: + type: string + type: object + kustomize: + properties: + commonAnnotations: + additionalProperties: + type: string + type: object + commonAnnotationsEnvsubst: + type: boolean + commonLabels: + additionalProperties: + type: string + type: object + forceCommonAnnotations: + type: boolean + forceCommonLabels: + type: boolean + images: + items: + type: string + type: array + namePrefix: + type: string + nameSuffix: + type: string + namespace: + type: string + replicas: + items: + properties: + count: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + name: + type: string + required: + - count + - name + type: object + type: array + version: + type: string + type: object + path: + type: string + plugin: + properties: + env: + 
items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + name: + type: string + parameters: + items: + properties: + array: + items: + type: string + type: array + map: + additionalProperties: + type: string + type: object + name: + type: string + string: + type: string + type: object + type: array + type: object + ref: + type: string + repoURL: + type: string + targetRevision: + type: string + required: + - repoURL + type: object + sources: + items: + properties: + chart: + type: string + directory: + properties: + exclude: + type: string + include: + type: string + jsonnet: + properties: + extVars: + items: + properties: + code: + type: boolean + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + libs: + items: + type: string + type: array + tlas: + items: + properties: + code: + type: boolean + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + type: object + recurse: + type: boolean + type: object + helm: + properties: + fileParameters: + items: + properties: + name: + type: string + path: + type: string + type: object + type: array + ignoreMissingValueFiles: + type: boolean + parameters: + items: + properties: + forceString: + type: boolean + name: + type: string + value: + type: string + type: object + type: array + passCredentials: + type: boolean + releaseName: + type: string + skipCrds: + type: boolean + valueFiles: + items: + type: string + type: array + values: + type: string + version: + type: string + type: object + kustomize: + properties: + commonAnnotations: + additionalProperties: + type: string + type: object + commonAnnotationsEnvsubst: + type: boolean + commonLabels: + additionalProperties: + type: string + type: object + forceCommonAnnotations: + type: boolean + forceCommonLabels: + type: boolean + images: + items: + type: string + type: array + namePrefix: + 
type: string + nameSuffix: + type: string + namespace: + type: string + replicas: + items: + properties: + count: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + name: + type: string + required: + - count + - name + type: object + type: array + version: + type: string + type: object + path: + type: string + plugin: + properties: + env: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + name: + type: string + parameters: + items: + properties: + array: + items: + type: string + type: array + map: + additionalProperties: + type: string + type: object + name: + type: string + string: + type: string + type: object + type: array + type: object + ref: + type: string + repoURL: + type: string + targetRevision: + type: string + required: + - repoURL + type: object + type: array + syncPolicy: + properties: + automated: + properties: + allowEmpty: + type: boolean + prune: + type: boolean + selfHeal: + type: boolean + type: object + managedNamespaceMetadata: + properties: + annotations: + additionalProperties: + type: string + type: object + labels: + additionalProperties: + type: string + type: object + type: object + retry: + properties: + backoff: + properties: + duration: + type: string + factor: + format: int64 + type: integer + maxDuration: + type: string + type: object + limit: + format: int64 + type: integer + type: object + syncOptions: + items: + type: string + type: array + type: object + required: + - destination + - project + type: object + required: + - metadata + - spec + type: object + values: + additionalProperties: + type: string + type: object + required: + - configMapRef + type: object + clusters: + properties: + selector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + 
matchLabels: + additionalProperties: + type: string + type: object + type: object + template: + properties: + metadata: + properties: + annotations: + additionalProperties: + type: string + type: object + finalizers: + items: + type: string + type: array + labels: + additionalProperties: + type: string + type: object + name: + type: string + namespace: + type: string + type: object + spec: + properties: + destination: + properties: + name: + type: string + namespace: + type: string + server: + type: string + type: object + ignoreDifferences: + items: + properties: + group: + type: string + jqPathExpressions: + items: + type: string + type: array + jsonPointers: + items: + type: string + type: array + kind: + type: string + managedFieldsManagers: + items: + type: string + type: array + name: + type: string + namespace: + type: string + required: + - kind + type: object + type: array + info: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + project: + type: string + revisionHistoryLimit: + format: int64 + type: integer + source: + properties: + chart: + type: string + directory: + properties: + exclude: + type: string + include: + type: string + jsonnet: + properties: + extVars: + items: + properties: + code: + type: boolean + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + libs: + items: + type: string + type: array + tlas: + items: + properties: + code: + type: boolean + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + type: object + recurse: + type: boolean + type: object + helm: + properties: + fileParameters: + items: + properties: + name: + type: string + path: + type: string + type: object + type: array + ignoreMissingValueFiles: + type: boolean + parameters: + items: + properties: + forceString: + type: boolean + name: + type: string + value: + type: string + 
type: object + type: array + passCredentials: + type: boolean + releaseName: + type: string + skipCrds: + type: boolean + valueFiles: + items: + type: string + type: array + values: + type: string + version: + type: string + type: object + kustomize: + properties: + commonAnnotations: + additionalProperties: + type: string + type: object + commonAnnotationsEnvsubst: + type: boolean + commonLabels: + additionalProperties: + type: string + type: object + forceCommonAnnotations: + type: boolean + forceCommonLabels: + type: boolean + images: + items: + type: string + type: array + namePrefix: + type: string + nameSuffix: + type: string + namespace: + type: string + replicas: + items: + properties: + count: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + name: + type: string + required: + - count + - name + type: object + type: array + version: + type: string + type: object + path: + type: string + plugin: + properties: + env: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + name: + type: string + parameters: + items: + properties: + array: + items: + type: string + type: array + map: + additionalProperties: + type: string + type: object + name: + type: string + string: + type: string + type: object + type: array + type: object + ref: + type: string + repoURL: + type: string + targetRevision: + type: string + required: + - repoURL + type: object + sources: + items: + properties: + chart: + type: string + directory: + properties: + exclude: + type: string + include: + type: string + jsonnet: + properties: + extVars: + items: + properties: + code: + type: boolean + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + libs: + items: + type: string + type: array + tlas: + items: + properties: + code: + type: boolean + name: + type: string + value: + type: string + required: + - name + - value + type: object 
+ type: array + type: object + recurse: + type: boolean + type: object + helm: + properties: + fileParameters: + items: + properties: + name: + type: string + path: + type: string + type: object + type: array + ignoreMissingValueFiles: + type: boolean + parameters: + items: + properties: + forceString: + type: boolean + name: + type: string + value: + type: string + type: object + type: array + passCredentials: + type: boolean + releaseName: + type: string + skipCrds: + type: boolean + valueFiles: + items: + type: string + type: array + values: + type: string + version: + type: string + type: object + kustomize: + properties: + commonAnnotations: + additionalProperties: + type: string + type: object + commonAnnotationsEnvsubst: + type: boolean + commonLabels: + additionalProperties: + type: string + type: object + forceCommonAnnotations: + type: boolean + forceCommonLabels: + type: boolean + images: + items: + type: string + type: array + namePrefix: + type: string + nameSuffix: + type: string + namespace: + type: string + replicas: + items: + properties: + count: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + name: + type: string + required: + - count + - name + type: object + type: array + version: + type: string + type: object + path: + type: string + plugin: + properties: + env: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + name: + type: string + parameters: + items: + properties: + array: + items: + type: string + type: array + map: + additionalProperties: + type: string + type: object + name: + type: string + string: + type: string + type: object + type: array + type: object + ref: + type: string + repoURL: + type: string + targetRevision: + type: string + required: + - repoURL + type: object + type: array + syncPolicy: + properties: + automated: + properties: + allowEmpty: + type: boolean + prune: + type: boolean + selfHeal: + type: boolean 
+ type: object + managedNamespaceMetadata: + properties: + annotations: + additionalProperties: + type: string + type: object + labels: + additionalProperties: + type: string + type: object + type: object + retry: + properties: + backoff: + properties: + duration: + type: string + factor: + format: int64 + type: integer + maxDuration: + type: string + type: object + limit: + format: int64 + type: integer + type: object + syncOptions: + items: + type: string + type: array + type: object + required: + - destination + - project + type: object + required: + - metadata + - spec + type: object + values: + additionalProperties: + type: string + type: object + type: object + git: + properties: + directories: + items: + properties: + exclude: + type: boolean + path: + type: string + required: + - path + type: object + type: array + files: + items: + properties: + path: + type: string + required: + - path + type: object + type: array + pathParamPrefix: + type: string + repoURL: + type: string + requeueAfterSeconds: + format: int64 + type: integer + revision: + type: string + template: + properties: + metadata: + properties: + annotations: + additionalProperties: + type: string + type: object + finalizers: + items: + type: string + type: array + labels: + additionalProperties: + type: string + type: object + name: + type: string + namespace: + type: string + type: object + spec: + properties: + destination: + properties: + name: + type: string + namespace: + type: string + server: + type: string + type: object + ignoreDifferences: + items: + properties: + group: + type: string + jqPathExpressions: + items: + type: string + type: array + jsonPointers: + items: + type: string + type: array + kind: + type: string + managedFieldsManagers: + items: + type: string + type: array + name: + type: string + namespace: + type: string + required: + - kind + type: object + type: array + info: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - 
value + type: object + type: array + project: + type: string + revisionHistoryLimit: + format: int64 + type: integer + source: + properties: + chart: + type: string + directory: + properties: + exclude: + type: string + include: + type: string + jsonnet: + properties: + extVars: + items: + properties: + code: + type: boolean + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + libs: + items: + type: string + type: array + tlas: + items: + properties: + code: + type: boolean + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + type: object + recurse: + type: boolean + type: object + helm: + properties: + fileParameters: + items: + properties: + name: + type: string + path: + type: string + type: object + type: array + ignoreMissingValueFiles: + type: boolean + parameters: + items: + properties: + forceString: + type: boolean + name: + type: string + value: + type: string + type: object + type: array + passCredentials: + type: boolean + releaseName: + type: string + skipCrds: + type: boolean + valueFiles: + items: + type: string + type: array + values: + type: string + version: + type: string + type: object + kustomize: + properties: + commonAnnotations: + additionalProperties: + type: string + type: object + commonAnnotationsEnvsubst: + type: boolean + commonLabels: + additionalProperties: + type: string + type: object + forceCommonAnnotations: + type: boolean + forceCommonLabels: + type: boolean + images: + items: + type: string + type: array + namePrefix: + type: string + nameSuffix: + type: string + namespace: + type: string + replicas: + items: + properties: + count: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + name: + type: string + required: + - count + - name + type: object + type: array + version: + type: string + type: object + path: + type: string + plugin: + properties: + env: + items: + properties: + name: + 
type: string + value: + type: string + required: + - name + - value + type: object + type: array + name: + type: string + parameters: + items: + properties: + array: + items: + type: string + type: array + map: + additionalProperties: + type: string + type: object + name: + type: string + string: + type: string + type: object + type: array + type: object + ref: + type: string + repoURL: + type: string + targetRevision: + type: string + required: + - repoURL + type: object + sources: + items: + properties: + chart: + type: string + directory: + properties: + exclude: + type: string + include: + type: string + jsonnet: + properties: + extVars: + items: + properties: + code: + type: boolean + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + libs: + items: + type: string + type: array + tlas: + items: + properties: + code: + type: boolean + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + type: object + recurse: + type: boolean + type: object + helm: + properties: + fileParameters: + items: + properties: + name: + type: string + path: + type: string + type: object + type: array + ignoreMissingValueFiles: + type: boolean + parameters: + items: + properties: + forceString: + type: boolean + name: + type: string + value: + type: string + type: object + type: array + passCredentials: + type: boolean + releaseName: + type: string + skipCrds: + type: boolean + valueFiles: + items: + type: string + type: array + values: + type: string + version: + type: string + type: object + kustomize: + properties: + commonAnnotations: + additionalProperties: + type: string + type: object + commonAnnotationsEnvsubst: + type: boolean + commonLabels: + additionalProperties: + type: string + type: object + forceCommonAnnotations: + type: boolean + forceCommonLabels: + type: boolean + images: + items: + type: string + type: array + namePrefix: + type: string + nameSuffix: + type: 
string + namespace: + type: string + replicas: + items: + properties: + count: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + name: + type: string + required: + - count + - name + type: object + type: array + version: + type: string + type: object + path: + type: string + plugin: + properties: + env: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + name: + type: string + parameters: + items: + properties: + array: + items: + type: string + type: array + map: + additionalProperties: + type: string + type: object + name: + type: string + string: + type: string + type: object + type: array + type: object + ref: + type: string + repoURL: + type: string + targetRevision: + type: string + required: + - repoURL + type: object + type: array + syncPolicy: + properties: + automated: + properties: + allowEmpty: + type: boolean + prune: + type: boolean + selfHeal: + type: boolean + type: object + managedNamespaceMetadata: + properties: + annotations: + additionalProperties: + type: string + type: object + labels: + additionalProperties: + type: string + type: object + type: object + retry: + properties: + backoff: + properties: + duration: + type: string + factor: + format: int64 + type: integer + maxDuration: + type: string + type: object + limit: + format: int64 + type: integer + type: object + syncOptions: + items: + type: string + type: array + type: object + required: + - destination + - project + type: object + required: + - metadata + - spec + type: object + values: + additionalProperties: + type: string + type: object + required: + - repoURL + - revision + type: object + list: + properties: + elements: + items: + x-kubernetes-preserve-unknown-fields: true + type: array + elementsYaml: + type: string + template: + properties: + metadata: + properties: + annotations: + additionalProperties: + type: string + type: object + finalizers: + items: + type: 
string + type: array + labels: + additionalProperties: + type: string + type: object + name: + type: string + namespace: + type: string + type: object + spec: + properties: + destination: + properties: + name: + type: string + namespace: + type: string + server: + type: string + type: object + ignoreDifferences: + items: + properties: + group: + type: string + jqPathExpressions: + items: + type: string + type: array + jsonPointers: + items: + type: string + type: array + kind: + type: string + managedFieldsManagers: + items: + type: string + type: array + name: + type: string + namespace: + type: string + required: + - kind + type: object + type: array + info: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + project: + type: string + revisionHistoryLimit: + format: int64 + type: integer + source: + properties: + chart: + type: string + directory: + properties: + exclude: + type: string + include: + type: string + jsonnet: + properties: + extVars: + items: + properties: + code: + type: boolean + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + libs: + items: + type: string + type: array + tlas: + items: + properties: + code: + type: boolean + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + type: object + recurse: + type: boolean + type: object + helm: + properties: + fileParameters: + items: + properties: + name: + type: string + path: + type: string + type: object + type: array + ignoreMissingValueFiles: + type: boolean + parameters: + items: + properties: + forceString: + type: boolean + name: + type: string + value: + type: string + type: object + type: array + passCredentials: + type: boolean + releaseName: + type: string + skipCrds: + type: boolean + valueFiles: + items: + type: string + type: array + values: + type: string + version: + type: string + type: object 
+ kustomize: + properties: + commonAnnotations: + additionalProperties: + type: string + type: object + commonAnnotationsEnvsubst: + type: boolean + commonLabels: + additionalProperties: + type: string + type: object + forceCommonAnnotations: + type: boolean + forceCommonLabels: + type: boolean + images: + items: + type: string + type: array + namePrefix: + type: string + nameSuffix: + type: string + namespace: + type: string + replicas: + items: + properties: + count: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + name: + type: string + required: + - count + - name + type: object + type: array + version: + type: string + type: object + path: + type: string + plugin: + properties: + env: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + name: + type: string + parameters: + items: + properties: + array: + items: + type: string + type: array + map: + additionalProperties: + type: string + type: object + name: + type: string + string: + type: string + type: object + type: array + type: object + ref: + type: string + repoURL: + type: string + targetRevision: + type: string + required: + - repoURL + type: object + sources: + items: + properties: + chart: + type: string + directory: + properties: + exclude: + type: string + include: + type: string + jsonnet: + properties: + extVars: + items: + properties: + code: + type: boolean + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + libs: + items: + type: string + type: array + tlas: + items: + properties: + code: + type: boolean + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + type: object + recurse: + type: boolean + type: object + helm: + properties: + fileParameters: + items: + properties: + name: + type: string + path: + type: string + type: object + type: array + ignoreMissingValueFiles: + 
type: boolean + parameters: + items: + properties: + forceString: + type: boolean + name: + type: string + value: + type: string + type: object + type: array + passCredentials: + type: boolean + releaseName: + type: string + skipCrds: + type: boolean + valueFiles: + items: + type: string + type: array + values: + type: string + version: + type: string + type: object + kustomize: + properties: + commonAnnotations: + additionalProperties: + type: string + type: object + commonAnnotationsEnvsubst: + type: boolean + commonLabels: + additionalProperties: + type: string + type: object + forceCommonAnnotations: + type: boolean + forceCommonLabels: + type: boolean + images: + items: + type: string + type: array + namePrefix: + type: string + nameSuffix: + type: string + namespace: + type: string + replicas: + items: + properties: + count: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + name: + type: string + required: + - count + - name + type: object + type: array + version: + type: string + type: object + path: + type: string + plugin: + properties: + env: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + name: + type: string + parameters: + items: + properties: + array: + items: + type: string + type: array + map: + additionalProperties: + type: string + type: object + name: + type: string + string: + type: string + type: object + type: array + type: object + ref: + type: string + repoURL: + type: string + targetRevision: + type: string + required: + - repoURL + type: object + type: array + syncPolicy: + properties: + automated: + properties: + allowEmpty: + type: boolean + prune: + type: boolean + selfHeal: + type: boolean + type: object + managedNamespaceMetadata: + properties: + annotations: + additionalProperties: + type: string + type: object + labels: + additionalProperties: + type: string + type: object + type: object + retry: + properties: + 
backoff: + properties: + duration: + type: string + factor: + format: int64 + type: integer + maxDuration: + type: string + type: object + limit: + format: int64 + type: integer + type: object + syncOptions: + items: + type: string + type: array + type: object + required: + - destination + - project + type: object + required: + - metadata + - spec + type: object + required: + - elements + type: object + matrix: + properties: + generators: + items: + properties: + clusterDecisionResource: + properties: + configMapRef: + type: string + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + name: + type: string + requeueAfterSeconds: + format: int64 + type: integer + template: + properties: + metadata: + properties: + annotations: + additionalProperties: + type: string + type: object + finalizers: + items: + type: string + type: array + labels: + additionalProperties: + type: string + type: object + name: + type: string + namespace: + type: string + type: object + spec: + properties: + destination: + properties: + name: + type: string + namespace: + type: string + server: + type: string + type: object + ignoreDifferences: + items: + properties: + group: + type: string + jqPathExpressions: + items: + type: string + type: array + jsonPointers: + items: + type: string + type: array + kind: + type: string + managedFieldsManagers: + items: + type: string + type: array + name: + type: string + namespace: + type: string + required: + - kind + type: object + type: array + info: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + project: + type: string + revisionHistoryLimit: + format: int64 + type: integer + source: + properties: + chart: 
+ type: string + directory: + properties: + exclude: + type: string + include: + type: string + jsonnet: + properties: + extVars: + items: + properties: + code: + type: boolean + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + libs: + items: + type: string + type: array + tlas: + items: + properties: + code: + type: boolean + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + type: object + recurse: + type: boolean + type: object + helm: + properties: + fileParameters: + items: + properties: + name: + type: string + path: + type: string + type: object + type: array + ignoreMissingValueFiles: + type: boolean + parameters: + items: + properties: + forceString: + type: boolean + name: + type: string + value: + type: string + type: object + type: array + passCredentials: + type: boolean + releaseName: + type: string + skipCrds: + type: boolean + valueFiles: + items: + type: string + type: array + values: + type: string + version: + type: string + type: object + kustomize: + properties: + commonAnnotations: + additionalProperties: + type: string + type: object + commonAnnotationsEnvsubst: + type: boolean + commonLabels: + additionalProperties: + type: string + type: object + forceCommonAnnotations: + type: boolean + forceCommonLabels: + type: boolean + images: + items: + type: string + type: array + namePrefix: + type: string + nameSuffix: + type: string + namespace: + type: string + replicas: + items: + properties: + count: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + name: + type: string + required: + - count + - name + type: object + type: array + version: + type: string + type: object + path: + type: string + plugin: + properties: + env: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + name: + type: string + parameters: + items: + 
properties: + array: + items: + type: string + type: array + map: + additionalProperties: + type: string + type: object + name: + type: string + string: + type: string + type: object + type: array + type: object + ref: + type: string + repoURL: + type: string + targetRevision: + type: string + required: + - repoURL + type: object + sources: + items: + properties: + chart: + type: string + directory: + properties: + exclude: + type: string + include: + type: string + jsonnet: + properties: + extVars: + items: + properties: + code: + type: boolean + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + libs: + items: + type: string + type: array + tlas: + items: + properties: + code: + type: boolean + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + type: object + recurse: + type: boolean + type: object + helm: + properties: + fileParameters: + items: + properties: + name: + type: string + path: + type: string + type: object + type: array + ignoreMissingValueFiles: + type: boolean + parameters: + items: + properties: + forceString: + type: boolean + name: + type: string + value: + type: string + type: object + type: array + passCredentials: + type: boolean + releaseName: + type: string + skipCrds: + type: boolean + valueFiles: + items: + type: string + type: array + values: + type: string + version: + type: string + type: object + kustomize: + properties: + commonAnnotations: + additionalProperties: + type: string + type: object + commonAnnotationsEnvsubst: + type: boolean + commonLabels: + additionalProperties: + type: string + type: object + forceCommonAnnotations: + type: boolean + forceCommonLabels: + type: boolean + images: + items: + type: string + type: array + namePrefix: + type: string + nameSuffix: + type: string + namespace: + type: string + replicas: + items: + properties: + count: + anyOf: + - type: integer + - type: string + 
x-kubernetes-int-or-string: true + name: + type: string + required: + - count + - name + type: object + type: array + version: + type: string + type: object + path: + type: string + plugin: + properties: + env: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + name: + type: string + parameters: + items: + properties: + array: + items: + type: string + type: array + map: + additionalProperties: + type: string + type: object + name: + type: string + string: + type: string + type: object + type: array + type: object + ref: + type: string + repoURL: + type: string + targetRevision: + type: string + required: + - repoURL + type: object + type: array + syncPolicy: + properties: + automated: + properties: + allowEmpty: + type: boolean + prune: + type: boolean + selfHeal: + type: boolean + type: object + managedNamespaceMetadata: + properties: + annotations: + additionalProperties: + type: string + type: object + labels: + additionalProperties: + type: string + type: object + type: object + retry: + properties: + backoff: + properties: + duration: + type: string + factor: + format: int64 + type: integer + maxDuration: + type: string + type: object + limit: + format: int64 + type: integer + type: object + syncOptions: + items: + type: string + type: array + type: object + required: + - destination + - project + type: object + required: + - metadata + - spec + type: object + values: + additionalProperties: + type: string + type: object + required: + - configMapRef + type: object + clusters: + properties: + selector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + template: + properties: + metadata: + properties: + annotations: + 
additionalProperties: + type: string + type: object + finalizers: + items: + type: string + type: array + labels: + additionalProperties: + type: string + type: object + name: + type: string + namespace: + type: string + type: object + spec: + properties: + destination: + properties: + name: + type: string + namespace: + type: string + server: + type: string + type: object + ignoreDifferences: + items: + properties: + group: + type: string + jqPathExpressions: + items: + type: string + type: array + jsonPointers: + items: + type: string + type: array + kind: + type: string + managedFieldsManagers: + items: + type: string + type: array + name: + type: string + namespace: + type: string + required: + - kind + type: object + type: array + info: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + project: + type: string + revisionHistoryLimit: + format: int64 + type: integer + source: + properties: + chart: + type: string + directory: + properties: + exclude: + type: string + include: + type: string + jsonnet: + properties: + extVars: + items: + properties: + code: + type: boolean + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + libs: + items: + type: string + type: array + tlas: + items: + properties: + code: + type: boolean + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + type: object + recurse: + type: boolean + type: object + helm: + properties: + fileParameters: + items: + properties: + name: + type: string + path: + type: string + type: object + type: array + ignoreMissingValueFiles: + type: boolean + parameters: + items: + properties: + forceString: + type: boolean + name: + type: string + value: + type: string + type: object + type: array + passCredentials: + type: boolean + releaseName: + type: string + skipCrds: + type: boolean + valueFiles: + items: + type: 
string + type: array + values: + type: string + version: + type: string + type: object + kustomize: + properties: + commonAnnotations: + additionalProperties: + type: string + type: object + commonAnnotationsEnvsubst: + type: boolean + commonLabels: + additionalProperties: + type: string + type: object + forceCommonAnnotations: + type: boolean + forceCommonLabels: + type: boolean + images: + items: + type: string + type: array + namePrefix: + type: string + nameSuffix: + type: string + namespace: + type: string + replicas: + items: + properties: + count: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + name: + type: string + required: + - count + - name + type: object + type: array + version: + type: string + type: object + path: + type: string + plugin: + properties: + env: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + name: + type: string + parameters: + items: + properties: + array: + items: + type: string + type: array + map: + additionalProperties: + type: string + type: object + name: + type: string + string: + type: string + type: object + type: array + type: object + ref: + type: string + repoURL: + type: string + targetRevision: + type: string + required: + - repoURL + type: object + sources: + items: + properties: + chart: + type: string + directory: + properties: + exclude: + type: string + include: + type: string + jsonnet: + properties: + extVars: + items: + properties: + code: + type: boolean + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + libs: + items: + type: string + type: array + tlas: + items: + properties: + code: + type: boolean + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + type: object + recurse: + type: boolean + type: object + helm: + properties: + fileParameters: + items: + properties: + name: + type: 
string + path: + type: string + type: object + type: array + ignoreMissingValueFiles: + type: boolean + parameters: + items: + properties: + forceString: + type: boolean + name: + type: string + value: + type: string + type: object + type: array + passCredentials: + type: boolean + releaseName: + type: string + skipCrds: + type: boolean + valueFiles: + items: + type: string + type: array + values: + type: string + version: + type: string + type: object + kustomize: + properties: + commonAnnotations: + additionalProperties: + type: string + type: object + commonAnnotationsEnvsubst: + type: boolean + commonLabels: + additionalProperties: + type: string + type: object + forceCommonAnnotations: + type: boolean + forceCommonLabels: + type: boolean + images: + items: + type: string + type: array + namePrefix: + type: string + nameSuffix: + type: string + namespace: + type: string + replicas: + items: + properties: + count: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + name: + type: string + required: + - count + - name + type: object + type: array + version: + type: string + type: object + path: + type: string + plugin: + properties: + env: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + name: + type: string + parameters: + items: + properties: + array: + items: + type: string + type: array + map: + additionalProperties: + type: string + type: object + name: + type: string + string: + type: string + type: object + type: array + type: object + ref: + type: string + repoURL: + type: string + targetRevision: + type: string + required: + - repoURL + type: object + type: array + syncPolicy: + properties: + automated: + properties: + allowEmpty: + type: boolean + prune: + type: boolean + selfHeal: + type: boolean + type: object + managedNamespaceMetadata: + properties: + annotations: + additionalProperties: + type: string + type: object + labels: + 
additionalProperties: + type: string + type: object + type: object + retry: + properties: + backoff: + properties: + duration: + type: string + factor: + format: int64 + type: integer + maxDuration: + type: string + type: object + limit: + format: int64 + type: integer + type: object + syncOptions: + items: + type: string + type: array + type: object + required: + - destination + - project + type: object + required: + - metadata + - spec + type: object + values: + additionalProperties: + type: string + type: object + type: object + git: + properties: + directories: + items: + properties: + exclude: + type: boolean + path: + type: string + required: + - path + type: object + type: array + files: + items: + properties: + path: + type: string + required: + - path + type: object + type: array + pathParamPrefix: + type: string + repoURL: + type: string + requeueAfterSeconds: + format: int64 + type: integer + revision: + type: string + template: + properties: + metadata: + properties: + annotations: + additionalProperties: + type: string + type: object + finalizers: + items: + type: string + type: array + labels: + additionalProperties: + type: string + type: object + name: + type: string + namespace: + type: string + type: object + spec: + properties: + destination: + properties: + name: + type: string + namespace: + type: string + server: + type: string + type: object + ignoreDifferences: + items: + properties: + group: + type: string + jqPathExpressions: + items: + type: string + type: array + jsonPointers: + items: + type: string + type: array + kind: + type: string + managedFieldsManagers: + items: + type: string + type: array + name: + type: string + namespace: + type: string + required: + - kind + type: object + type: array + info: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + project: + type: string + revisionHistoryLimit: + format: int64 + type: integer + source: + properties: 
+ chart: + type: string + directory: + properties: + exclude: + type: string + include: + type: string + jsonnet: + properties: + extVars: + items: + properties: + code: + type: boolean + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + libs: + items: + type: string + type: array + tlas: + items: + properties: + code: + type: boolean + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + type: object + recurse: + type: boolean + type: object + helm: + properties: + fileParameters: + items: + properties: + name: + type: string + path: + type: string + type: object + type: array + ignoreMissingValueFiles: + type: boolean + parameters: + items: + properties: + forceString: + type: boolean + name: + type: string + value: + type: string + type: object + type: array + passCredentials: + type: boolean + releaseName: + type: string + skipCrds: + type: boolean + valueFiles: + items: + type: string + type: array + values: + type: string + version: + type: string + type: object + kustomize: + properties: + commonAnnotations: + additionalProperties: + type: string + type: object + commonAnnotationsEnvsubst: + type: boolean + commonLabels: + additionalProperties: + type: string + type: object + forceCommonAnnotations: + type: boolean + forceCommonLabels: + type: boolean + images: + items: + type: string + type: array + namePrefix: + type: string + nameSuffix: + type: string + namespace: + type: string + replicas: + items: + properties: + count: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + name: + type: string + required: + - count + - name + type: object + type: array + version: + type: string + type: object + path: + type: string + plugin: + properties: + env: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + name: + type: string + parameters: + 
items: + properties: + array: + items: + type: string + type: array + map: + additionalProperties: + type: string + type: object + name: + type: string + string: + type: string + type: object + type: array + type: object + ref: + type: string + repoURL: + type: string + targetRevision: + type: string + required: + - repoURL + type: object + sources: + items: + properties: + chart: + type: string + directory: + properties: + exclude: + type: string + include: + type: string + jsonnet: + properties: + extVars: + items: + properties: + code: + type: boolean + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + libs: + items: + type: string + type: array + tlas: + items: + properties: + code: + type: boolean + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + type: object + recurse: + type: boolean + type: object + helm: + properties: + fileParameters: + items: + properties: + name: + type: string + path: + type: string + type: object + type: array + ignoreMissingValueFiles: + type: boolean + parameters: + items: + properties: + forceString: + type: boolean + name: + type: string + value: + type: string + type: object + type: array + passCredentials: + type: boolean + releaseName: + type: string + skipCrds: + type: boolean + valueFiles: + items: + type: string + type: array + values: + type: string + version: + type: string + type: object + kustomize: + properties: + commonAnnotations: + additionalProperties: + type: string + type: object + commonAnnotationsEnvsubst: + type: boolean + commonLabels: + additionalProperties: + type: string + type: object + forceCommonAnnotations: + type: boolean + forceCommonLabels: + type: boolean + images: + items: + type: string + type: array + namePrefix: + type: string + nameSuffix: + type: string + namespace: + type: string + replicas: + items: + properties: + count: + anyOf: + - type: integer + - type: string + 
x-kubernetes-int-or-string: true + name: + type: string + required: + - count + - name + type: object + type: array + version: + type: string + type: object + path: + type: string + plugin: + properties: + env: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + name: + type: string + parameters: + items: + properties: + array: + items: + type: string + type: array + map: + additionalProperties: + type: string + type: object + name: + type: string + string: + type: string + type: object + type: array + type: object + ref: + type: string + repoURL: + type: string + targetRevision: + type: string + required: + - repoURL + type: object + type: array + syncPolicy: + properties: + automated: + properties: + allowEmpty: + type: boolean + prune: + type: boolean + selfHeal: + type: boolean + type: object + managedNamespaceMetadata: + properties: + annotations: + additionalProperties: + type: string + type: object + labels: + additionalProperties: + type: string + type: object + type: object + retry: + properties: + backoff: + properties: + duration: + type: string + factor: + format: int64 + type: integer + maxDuration: + type: string + type: object + limit: + format: int64 + type: integer + type: object + syncOptions: + items: + type: string + type: array + type: object + required: + - destination + - project + type: object + required: + - metadata + - spec + type: object + values: + additionalProperties: + type: string + type: object + required: + - repoURL + - revision + type: object + list: + properties: + elements: + items: + x-kubernetes-preserve-unknown-fields: true + type: array + elementsYaml: + type: string + template: + properties: + metadata: + properties: + annotations: + additionalProperties: + type: string + type: object + finalizers: + items: + type: string + type: array + labels: + additionalProperties: + type: string + type: object + name: + type: string + namespace: + type: 
string + type: object + spec: + properties: + destination: + properties: + name: + type: string + namespace: + type: string + server: + type: string + type: object + ignoreDifferences: + items: + properties: + group: + type: string + jqPathExpressions: + items: + type: string + type: array + jsonPointers: + items: + type: string + type: array + kind: + type: string + managedFieldsManagers: + items: + type: string + type: array + name: + type: string + namespace: + type: string + required: + - kind + type: object + type: array + info: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + project: + type: string + revisionHistoryLimit: + format: int64 + type: integer + source: + properties: + chart: + type: string + directory: + properties: + exclude: + type: string + include: + type: string + jsonnet: + properties: + extVars: + items: + properties: + code: + type: boolean + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + libs: + items: + type: string + type: array + tlas: + items: + properties: + code: + type: boolean + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + type: object + recurse: + type: boolean + type: object + helm: + properties: + fileParameters: + items: + properties: + name: + type: string + path: + type: string + type: object + type: array + ignoreMissingValueFiles: + type: boolean + parameters: + items: + properties: + forceString: + type: boolean + name: + type: string + value: + type: string + type: object + type: array + passCredentials: + type: boolean + releaseName: + type: string + skipCrds: + type: boolean + valueFiles: + items: + type: string + type: array + values: + type: string + version: + type: string + type: object + kustomize: + properties: + commonAnnotations: + additionalProperties: + type: string + type: object + 
commonAnnotationsEnvsubst: + type: boolean + commonLabels: + additionalProperties: + type: string + type: object + forceCommonAnnotations: + type: boolean + forceCommonLabels: + type: boolean + images: + items: + type: string + type: array + namePrefix: + type: string + nameSuffix: + type: string + namespace: + type: string + replicas: + items: + properties: + count: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + name: + type: string + required: + - count + - name + type: object + type: array + version: + type: string + type: object + path: + type: string + plugin: + properties: + env: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + name: + type: string + parameters: + items: + properties: + array: + items: + type: string + type: array + map: + additionalProperties: + type: string + type: object + name: + type: string + string: + type: string + type: object + type: array + type: object + ref: + type: string + repoURL: + type: string + targetRevision: + type: string + required: + - repoURL + type: object + sources: + items: + properties: + chart: + type: string + directory: + properties: + exclude: + type: string + include: + type: string + jsonnet: + properties: + extVars: + items: + properties: + code: + type: boolean + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + libs: + items: + type: string + type: array + tlas: + items: + properties: + code: + type: boolean + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + type: object + recurse: + type: boolean + type: object + helm: + properties: + fileParameters: + items: + properties: + name: + type: string + path: + type: string + type: object + type: array + ignoreMissingValueFiles: + type: boolean + parameters: + items: + properties: + forceString: + type: boolean + name: + type: 
string + value: + type: string + type: object + type: array + passCredentials: + type: boolean + releaseName: + type: string + skipCrds: + type: boolean + valueFiles: + items: + type: string + type: array + values: + type: string + version: + type: string + type: object + kustomize: + properties: + commonAnnotations: + additionalProperties: + type: string + type: object + commonAnnotationsEnvsubst: + type: boolean + commonLabels: + additionalProperties: + type: string + type: object + forceCommonAnnotations: + type: boolean + forceCommonLabels: + type: boolean + images: + items: + type: string + type: array + namePrefix: + type: string + nameSuffix: + type: string + namespace: + type: string + replicas: + items: + properties: + count: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + name: + type: string + required: + - count + - name + type: object + type: array + version: + type: string + type: object + path: + type: string + plugin: + properties: + env: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + name: + type: string + parameters: + items: + properties: + array: + items: + type: string + type: array + map: + additionalProperties: + type: string + type: object + name: + type: string + string: + type: string + type: object + type: array + type: object + ref: + type: string + repoURL: + type: string + targetRevision: + type: string + required: + - repoURL + type: object + type: array + syncPolicy: + properties: + automated: + properties: + allowEmpty: + type: boolean + prune: + type: boolean + selfHeal: + type: boolean + type: object + managedNamespaceMetadata: + properties: + annotations: + additionalProperties: + type: string + type: object + labels: + additionalProperties: + type: string + type: object + type: object + retry: + properties: + backoff: + properties: + duration: + type: string + factor: + format: int64 + type: integer + 
maxDuration: + type: string + type: object + limit: + format: int64 + type: integer + type: object + syncOptions: + items: + type: string + type: array + type: object + required: + - destination + - project + type: object + required: + - metadata + - spec + type: object + required: + - elements + type: object + matrix: + x-kubernetes-preserve-unknown-fields: true + merge: + x-kubernetes-preserve-unknown-fields: true + pullRequest: + properties: + bitbucketServer: + properties: + api: + type: string + basicAuth: + properties: + passwordRef: + properties: + key: + type: string + secretName: + type: string + required: + - key + - secretName + type: object + username: + type: string + required: + - passwordRef + - username + type: object + project: + type: string + repo: + type: string + required: + - api + - project + - repo + type: object + filters: + items: + properties: + branchMatch: + type: string + targetBranchMatch: + type: string + type: object + type: array + gitea: + properties: + api: + type: string + insecure: + type: boolean + owner: + type: string + repo: + type: string + tokenRef: + properties: + key: + type: string + secretName: + type: string + required: + - key + - secretName + type: object + required: + - api + - owner + - repo + type: object + github: + properties: + api: + type: string + appSecretName: + type: string + labels: + items: + type: string + type: array + owner: + type: string + repo: + type: string + tokenRef: + properties: + key: + type: string + secretName: + type: string + required: + - key + - secretName + type: object + required: + - owner + - repo + type: object + gitlab: + properties: + api: + type: string + labels: + items: + type: string + type: array + project: + type: string + pullRequestState: + type: string + tokenRef: + properties: + key: + type: string + secretName: + type: string + required: + - key + - secretName + type: object + required: + - project + type: object + requeueAfterSeconds: + format: int64 + type: 
integer + template: + properties: + metadata: + properties: + annotations: + additionalProperties: + type: string + type: object + finalizers: + items: + type: string + type: array + labels: + additionalProperties: + type: string + type: object + name: + type: string + namespace: + type: string + type: object + spec: + properties: + destination: + properties: + name: + type: string + namespace: + type: string + server: + type: string + type: object + ignoreDifferences: + items: + properties: + group: + type: string + jqPathExpressions: + items: + type: string + type: array + jsonPointers: + items: + type: string + type: array + kind: + type: string + managedFieldsManagers: + items: + type: string + type: array + name: + type: string + namespace: + type: string + required: + - kind + type: object + type: array + info: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + project: + type: string + revisionHistoryLimit: + format: int64 + type: integer + source: + properties: + chart: + type: string + directory: + properties: + exclude: + type: string + include: + type: string + jsonnet: + properties: + extVars: + items: + properties: + code: + type: boolean + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + libs: + items: + type: string + type: array + tlas: + items: + properties: + code: + type: boolean + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + type: object + recurse: + type: boolean + type: object + helm: + properties: + fileParameters: + items: + properties: + name: + type: string + path: + type: string + type: object + type: array + ignoreMissingValueFiles: + type: boolean + parameters: + items: + properties: + forceString: + type: boolean + name: + type: string + value: + type: string + type: object + type: array + passCredentials: + type: boolean + releaseName: + 
type: string + skipCrds: + type: boolean + valueFiles: + items: + type: string + type: array + values: + type: string + version: + type: string + type: object + kustomize: + properties: + commonAnnotations: + additionalProperties: + type: string + type: object + commonAnnotationsEnvsubst: + type: boolean + commonLabels: + additionalProperties: + type: string + type: object + forceCommonAnnotations: + type: boolean + forceCommonLabels: + type: boolean + images: + items: + type: string + type: array + namePrefix: + type: string + nameSuffix: + type: string + namespace: + type: string + replicas: + items: + properties: + count: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + name: + type: string + required: + - count + - name + type: object + type: array + version: + type: string + type: object + path: + type: string + plugin: + properties: + env: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + name: + type: string + parameters: + items: + properties: + array: + items: + type: string + type: array + map: + additionalProperties: + type: string + type: object + name: + type: string + string: + type: string + type: object + type: array + type: object + ref: + type: string + repoURL: + type: string + targetRevision: + type: string + required: + - repoURL + type: object + sources: + items: + properties: + chart: + type: string + directory: + properties: + exclude: + type: string + include: + type: string + jsonnet: + properties: + extVars: + items: + properties: + code: + type: boolean + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + libs: + items: + type: string + type: array + tlas: + items: + properties: + code: + type: boolean + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + type: object + recurse: + type: boolean + type: object + helm: 
+ properties: + fileParameters: + items: + properties: + name: + type: string + path: + type: string + type: object + type: array + ignoreMissingValueFiles: + type: boolean + parameters: + items: + properties: + forceString: + type: boolean + name: + type: string + value: + type: string + type: object + type: array + passCredentials: + type: boolean + releaseName: + type: string + skipCrds: + type: boolean + valueFiles: + items: + type: string + type: array + values: + type: string + version: + type: string + type: object + kustomize: + properties: + commonAnnotations: + additionalProperties: + type: string + type: object + commonAnnotationsEnvsubst: + type: boolean + commonLabels: + additionalProperties: + type: string + type: object + forceCommonAnnotations: + type: boolean + forceCommonLabels: + type: boolean + images: + items: + type: string + type: array + namePrefix: + type: string + nameSuffix: + type: string + namespace: + type: string + replicas: + items: + properties: + count: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + name: + type: string + required: + - count + - name + type: object + type: array + version: + type: string + type: object + path: + type: string + plugin: + properties: + env: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + name: + type: string + parameters: + items: + properties: + array: + items: + type: string + type: array + map: + additionalProperties: + type: string + type: object + name: + type: string + string: + type: string + type: object + type: array + type: object + ref: + type: string + repoURL: + type: string + targetRevision: + type: string + required: + - repoURL + type: object + type: array + syncPolicy: + properties: + automated: + properties: + allowEmpty: + type: boolean + prune: + type: boolean + selfHeal: + type: boolean + type: object + managedNamespaceMetadata: + properties: + annotations: + 
additionalProperties: + type: string + type: object + labels: + additionalProperties: + type: string + type: object + type: object + retry: + properties: + backoff: + properties: + duration: + type: string + factor: + format: int64 + type: integer + maxDuration: + type: string + type: object + limit: + format: int64 + type: integer + type: object + syncOptions: + items: + type: string + type: array + type: object + required: + - destination + - project + type: object + required: + - metadata + - spec + type: object + type: object + scmProvider: + properties: + awsCodeCommit: + properties: + allBranches: + type: boolean + region: + type: string + role: + type: string + tagFilters: + items: + properties: + key: + type: string + value: + type: string + required: + - key + type: object + type: array + type: object + azureDevOps: + properties: + accessTokenRef: + properties: + key: + type: string + secretName: + type: string + required: + - key + - secretName + type: object + allBranches: + type: boolean + api: + type: string + organization: + type: string + teamProject: + type: string + required: + - accessTokenRef + - organization + - teamProject + type: object + bitbucket: + properties: + allBranches: + type: boolean + appPasswordRef: + properties: + key: + type: string + secretName: + type: string + required: + - key + - secretName + type: object + owner: + type: string + user: + type: string + required: + - appPasswordRef + - owner + - user + type: object + bitbucketServer: + properties: + allBranches: + type: boolean + api: + type: string + basicAuth: + properties: + passwordRef: + properties: + key: + type: string + secretName: + type: string + required: + - key + - secretName + type: object + username: + type: string + required: + - passwordRef + - username + type: object + project: + type: string + required: + - api + - project + type: object + cloneProtocol: + type: string + filters: + items: + properties: + branchMatch: + type: string + labelMatch: + type: 
string + pathsDoNotExist: + items: + type: string + type: array + pathsExist: + items: + type: string + type: array + repositoryMatch: + type: string + type: object + type: array + gitea: + properties: + allBranches: + type: boolean + api: + type: string + insecure: + type: boolean + owner: + type: string + tokenRef: + properties: + key: + type: string + secretName: + type: string + required: + - key + - secretName + type: object + required: + - api + - owner + type: object + github: + properties: + allBranches: + type: boolean + api: + type: string + appSecretName: + type: string + organization: + type: string + tokenRef: + properties: + key: + type: string + secretName: + type: string + required: + - key + - secretName + type: object + required: + - organization + type: object + gitlab: + properties: + allBranches: + type: boolean + api: + type: string + group: + type: string + includeSubgroups: + type: boolean + tokenRef: + properties: + key: + type: string + secretName: + type: string + required: + - key + - secretName + type: object + required: + - group + type: object + requeueAfterSeconds: + format: int64 + type: integer + template: + properties: + metadata: + properties: + annotations: + additionalProperties: + type: string + type: object + finalizers: + items: + type: string + type: array + labels: + additionalProperties: + type: string + type: object + name: + type: string + namespace: + type: string + type: object + spec: + properties: + destination: + properties: + name: + type: string + namespace: + type: string + server: + type: string + type: object + ignoreDifferences: + items: + properties: + group: + type: string + jqPathExpressions: + items: + type: string + type: array + jsonPointers: + items: + type: string + type: array + kind: + type: string + managedFieldsManagers: + items: + type: string + type: array + name: + type: string + namespace: + type: string + required: + - kind + type: object + type: array + info: + items: + properties: + name: + 
type: string + value: + type: string + required: + - name + - value + type: object + type: array + project: + type: string + revisionHistoryLimit: + format: int64 + type: integer + source: + properties: + chart: + type: string + directory: + properties: + exclude: + type: string + include: + type: string + jsonnet: + properties: + extVars: + items: + properties: + code: + type: boolean + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + libs: + items: + type: string + type: array + tlas: + items: + properties: + code: + type: boolean + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + type: object + recurse: + type: boolean + type: object + helm: + properties: + fileParameters: + items: + properties: + name: + type: string + path: + type: string + type: object + type: array + ignoreMissingValueFiles: + type: boolean + parameters: + items: + properties: + forceString: + type: boolean + name: + type: string + value: + type: string + type: object + type: array + passCredentials: + type: boolean + releaseName: + type: string + skipCrds: + type: boolean + valueFiles: + items: + type: string + type: array + values: + type: string + version: + type: string + type: object + kustomize: + properties: + commonAnnotations: + additionalProperties: + type: string + type: object + commonAnnotationsEnvsubst: + type: boolean + commonLabels: + additionalProperties: + type: string + type: object + forceCommonAnnotations: + type: boolean + forceCommonLabels: + type: boolean + images: + items: + type: string + type: array + namePrefix: + type: string + nameSuffix: + type: string + namespace: + type: string + replicas: + items: + properties: + count: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + name: + type: string + required: + - count + - name + type: object + type: array + version: + type: string + type: object + path: + type: string + 
plugin: + properties: + env: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + name: + type: string + parameters: + items: + properties: + array: + items: + type: string + type: array + map: + additionalProperties: + type: string + type: object + name: + type: string + string: + type: string + type: object + type: array + type: object + ref: + type: string + repoURL: + type: string + targetRevision: + type: string + required: + - repoURL + type: object + sources: + items: + properties: + chart: + type: string + directory: + properties: + exclude: + type: string + include: + type: string + jsonnet: + properties: + extVars: + items: + properties: + code: + type: boolean + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + libs: + items: + type: string + type: array + tlas: + items: + properties: + code: + type: boolean + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + type: object + recurse: + type: boolean + type: object + helm: + properties: + fileParameters: + items: + properties: + name: + type: string + path: + type: string + type: object + type: array + ignoreMissingValueFiles: + type: boolean + parameters: + items: + properties: + forceString: + type: boolean + name: + type: string + value: + type: string + type: object + type: array + passCredentials: + type: boolean + releaseName: + type: string + skipCrds: + type: boolean + valueFiles: + items: + type: string + type: array + values: + type: string + version: + type: string + type: object + kustomize: + properties: + commonAnnotations: + additionalProperties: + type: string + type: object + commonAnnotationsEnvsubst: + type: boolean + commonLabels: + additionalProperties: + type: string + type: object + forceCommonAnnotations: + type: boolean + forceCommonLabels: + type: boolean + images: + items: + type: string + 
type: array + namePrefix: + type: string + nameSuffix: + type: string + namespace: + type: string + replicas: + items: + properties: + count: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + name: + type: string + required: + - count + - name + type: object + type: array + version: + type: string + type: object + path: + type: string + plugin: + properties: + env: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + name: + type: string + parameters: + items: + properties: + array: + items: + type: string + type: array + map: + additionalProperties: + type: string + type: object + name: + type: string + string: + type: string + type: object + type: array + type: object + ref: + type: string + repoURL: + type: string + targetRevision: + type: string + required: + - repoURL + type: object + type: array + syncPolicy: + properties: + automated: + properties: + allowEmpty: + type: boolean + prune: + type: boolean + selfHeal: + type: boolean + type: object + managedNamespaceMetadata: + properties: + annotations: + additionalProperties: + type: string + type: object + labels: + additionalProperties: + type: string + type: object + type: object + retry: + properties: + backoff: + properties: + duration: + type: string + factor: + format: int64 + type: integer + maxDuration: + type: string + type: object + limit: + format: int64 + type: integer + type: object + syncOptions: + items: + type: string + type: array + type: object + required: + - destination + - project + type: object + required: + - metadata + - spec + type: object + values: + additionalProperties: + type: string + type: object + type: object + selector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + 
additionalProperties: + type: string + type: object + type: object + type: object + type: array + template: + properties: + metadata: + properties: + annotations: + additionalProperties: + type: string + type: object + finalizers: + items: + type: string + type: array + labels: + additionalProperties: + type: string + type: object + name: + type: string + namespace: + type: string + type: object + spec: + properties: + destination: + properties: + name: + type: string + namespace: + type: string + server: + type: string + type: object + ignoreDifferences: + items: + properties: + group: + type: string + jqPathExpressions: + items: + type: string + type: array + jsonPointers: + items: + type: string + type: array + kind: + type: string + managedFieldsManagers: + items: + type: string + type: array + name: + type: string + namespace: + type: string + required: + - kind + type: object + type: array + info: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + project: + type: string + revisionHistoryLimit: + format: int64 + type: integer + source: + properties: + chart: + type: string + directory: + properties: + exclude: + type: string + include: + type: string + jsonnet: + properties: + extVars: + items: + properties: + code: + type: boolean + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + libs: + items: + type: string + type: array + tlas: + items: + properties: + code: + type: boolean + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + type: object + recurse: + type: boolean + type: object + helm: + properties: + fileParameters: + items: + properties: + name: + type: string + path: + type: string + type: object + type: array + ignoreMissingValueFiles: + type: boolean + parameters: + items: + properties: + forceString: + type: boolean + name: + type: string + value: + type: 
string + type: object + type: array + passCredentials: + type: boolean + releaseName: + type: string + skipCrds: + type: boolean + valueFiles: + items: + type: string + type: array + values: + type: string + version: + type: string + type: object + kustomize: + properties: + commonAnnotations: + additionalProperties: + type: string + type: object + commonAnnotationsEnvsubst: + type: boolean + commonLabels: + additionalProperties: + type: string + type: object + forceCommonAnnotations: + type: boolean + forceCommonLabels: + type: boolean + images: + items: + type: string + type: array + namePrefix: + type: string + nameSuffix: + type: string + namespace: + type: string + replicas: + items: + properties: + count: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + name: + type: string + required: + - count + - name + type: object + type: array + version: + type: string + type: object + path: + type: string + plugin: + properties: + env: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + name: + type: string + parameters: + items: + properties: + array: + items: + type: string + type: array + map: + additionalProperties: + type: string + type: object + name: + type: string + string: + type: string + type: object + type: array + type: object + ref: + type: string + repoURL: + type: string + targetRevision: + type: string + required: + - repoURL + type: object + sources: + items: + properties: + chart: + type: string + directory: + properties: + exclude: + type: string + include: + type: string + jsonnet: + properties: + extVars: + items: + properties: + code: + type: boolean + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + libs: + items: + type: string + type: array + tlas: + items: + properties: + code: + type: boolean + name: + type: string + value: + type: string + required: + - name + - value + 
type: object + type: array + type: object + recurse: + type: boolean + type: object + helm: + properties: + fileParameters: + items: + properties: + name: + type: string + path: + type: string + type: object + type: array + ignoreMissingValueFiles: + type: boolean + parameters: + items: + properties: + forceString: + type: boolean + name: + type: string + value: + type: string + type: object + type: array + passCredentials: + type: boolean + releaseName: + type: string + skipCrds: + type: boolean + valueFiles: + items: + type: string + type: array + values: + type: string + version: + type: string + type: object + kustomize: + properties: + commonAnnotations: + additionalProperties: + type: string + type: object + commonAnnotationsEnvsubst: + type: boolean + commonLabels: + additionalProperties: + type: string + type: object + forceCommonAnnotations: + type: boolean + forceCommonLabels: + type: boolean + images: + items: + type: string + type: array + namePrefix: + type: string + nameSuffix: + type: string + namespace: + type: string + replicas: + items: + properties: + count: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + name: + type: string + required: + - count + - name + type: object + type: array + version: + type: string + type: object + path: + type: string + plugin: + properties: + env: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + name: + type: string + parameters: + items: + properties: + array: + items: + type: string + type: array + map: + additionalProperties: + type: string + type: object + name: + type: string + string: + type: string + type: object + type: array + type: object + ref: + type: string + repoURL: + type: string + targetRevision: + type: string + required: + - repoURL + type: object + type: array + syncPolicy: + properties: + automated: + properties: + allowEmpty: + type: boolean + prune: + type: boolean + selfHeal: + 
type: boolean + type: object + managedNamespaceMetadata: + properties: + annotations: + additionalProperties: + type: string + type: object + labels: + additionalProperties: + type: string + type: object + type: object + retry: + properties: + backoff: + properties: + duration: + type: string + factor: + format: int64 + type: integer + maxDuration: + type: string + type: object + limit: + format: int64 + type: integer + type: object + syncOptions: + items: + type: string + type: array + type: object + required: + - destination + - project + type: object + required: + - metadata + - spec + type: object + required: + - generators + type: object + merge: + properties: + generators: + items: + properties: + clusterDecisionResource: + properties: + configMapRef: + type: string + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + name: + type: string + requeueAfterSeconds: + format: int64 + type: integer + template: + properties: + metadata: + properties: + annotations: + additionalProperties: + type: string + type: object + finalizers: + items: + type: string + type: array + labels: + additionalProperties: + type: string + type: object + name: + type: string + namespace: + type: string + type: object + spec: + properties: + destination: + properties: + name: + type: string + namespace: + type: string + server: + type: string + type: object + ignoreDifferences: + items: + properties: + group: + type: string + jqPathExpressions: + items: + type: string + type: array + jsonPointers: + items: + type: string + type: array + kind: + type: string + managedFieldsManagers: + items: + type: string + type: array + name: + type: string + namespace: + type: string + required: + - kind + type: object + type: array + info: 
+ items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + project: + type: string + revisionHistoryLimit: + format: int64 + type: integer + source: + properties: + chart: + type: string + directory: + properties: + exclude: + type: string + include: + type: string + jsonnet: + properties: + extVars: + items: + properties: + code: + type: boolean + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + libs: + items: + type: string + type: array + tlas: + items: + properties: + code: + type: boolean + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + type: object + recurse: + type: boolean + type: object + helm: + properties: + fileParameters: + items: + properties: + name: + type: string + path: + type: string + type: object + type: array + ignoreMissingValueFiles: + type: boolean + parameters: + items: + properties: + forceString: + type: boolean + name: + type: string + value: + type: string + type: object + type: array + passCredentials: + type: boolean + releaseName: + type: string + skipCrds: + type: boolean + valueFiles: + items: + type: string + type: array + values: + type: string + version: + type: string + type: object + kustomize: + properties: + commonAnnotations: + additionalProperties: + type: string + type: object + commonAnnotationsEnvsubst: + type: boolean + commonLabels: + additionalProperties: + type: string + type: object + forceCommonAnnotations: + type: boolean + forceCommonLabels: + type: boolean + images: + items: + type: string + type: array + namePrefix: + type: string + nameSuffix: + type: string + namespace: + type: string + replicas: + items: + properties: + count: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + name: + type: string + required: + - count + - name + type: object + type: array + version: + type: string + type: 
object + path: + type: string + plugin: + properties: + env: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + name: + type: string + parameters: + items: + properties: + array: + items: + type: string + type: array + map: + additionalProperties: + type: string + type: object + name: + type: string + string: + type: string + type: object + type: array + type: object + ref: + type: string + repoURL: + type: string + targetRevision: + type: string + required: + - repoURL + type: object + sources: + items: + properties: + chart: + type: string + directory: + properties: + exclude: + type: string + include: + type: string + jsonnet: + properties: + extVars: + items: + properties: + code: + type: boolean + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + libs: + items: + type: string + type: array + tlas: + items: + properties: + code: + type: boolean + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + type: object + recurse: + type: boolean + type: object + helm: + properties: + fileParameters: + items: + properties: + name: + type: string + path: + type: string + type: object + type: array + ignoreMissingValueFiles: + type: boolean + parameters: + items: + properties: + forceString: + type: boolean + name: + type: string + value: + type: string + type: object + type: array + passCredentials: + type: boolean + releaseName: + type: string + skipCrds: + type: boolean + valueFiles: + items: + type: string + type: array + values: + type: string + version: + type: string + type: object + kustomize: + properties: + commonAnnotations: + additionalProperties: + type: string + type: object + commonAnnotationsEnvsubst: + type: boolean + commonLabels: + additionalProperties: + type: string + type: object + forceCommonAnnotations: + type: boolean + forceCommonLabels: + type: boolean + 
images: + items: + type: string + type: array + namePrefix: + type: string + nameSuffix: + type: string + namespace: + type: string + replicas: + items: + properties: + count: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + name: + type: string + required: + - count + - name + type: object + type: array + version: + type: string + type: object + path: + type: string + plugin: + properties: + env: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + name: + type: string + parameters: + items: + properties: + array: + items: + type: string + type: array + map: + additionalProperties: + type: string + type: object + name: + type: string + string: + type: string + type: object + type: array + type: object + ref: + type: string + repoURL: + type: string + targetRevision: + type: string + required: + - repoURL + type: object + type: array + syncPolicy: + properties: + automated: + properties: + allowEmpty: + type: boolean + prune: + type: boolean + selfHeal: + type: boolean + type: object + managedNamespaceMetadata: + properties: + annotations: + additionalProperties: + type: string + type: object + labels: + additionalProperties: + type: string + type: object + type: object + retry: + properties: + backoff: + properties: + duration: + type: string + factor: + format: int64 + type: integer + maxDuration: + type: string + type: object + limit: + format: int64 + type: integer + type: object + syncOptions: + items: + type: string + type: array + type: object + required: + - destination + - project + type: object + required: + - metadata + - spec + type: object + values: + additionalProperties: + type: string + type: object + required: + - configMapRef + type: object + clusters: + properties: + selector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + 
required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + template: + properties: + metadata: + properties: + annotations: + additionalProperties: + type: string + type: object + finalizers: + items: + type: string + type: array + labels: + additionalProperties: + type: string + type: object + name: + type: string + namespace: + type: string + type: object + spec: + properties: + destination: + properties: + name: + type: string + namespace: + type: string + server: + type: string + type: object + ignoreDifferences: + items: + properties: + group: + type: string + jqPathExpressions: + items: + type: string + type: array + jsonPointers: + items: + type: string + type: array + kind: + type: string + managedFieldsManagers: + items: + type: string + type: array + name: + type: string + namespace: + type: string + required: + - kind + type: object + type: array + info: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + project: + type: string + revisionHistoryLimit: + format: int64 + type: integer + source: + properties: + chart: + type: string + directory: + properties: + exclude: + type: string + include: + type: string + jsonnet: + properties: + extVars: + items: + properties: + code: + type: boolean + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + libs: + items: + type: string + type: array + tlas: + items: + properties: + code: + type: boolean + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + type: object + recurse: + type: boolean + type: object + helm: + properties: + fileParameters: + items: + properties: + name: + type: string + path: + type: string + type: object + type: array + ignoreMissingValueFiles: + type: boolean + parameters: + items: + properties: + forceString: + type: 
boolean + name: + type: string + value: + type: string + type: object + type: array + passCredentials: + type: boolean + releaseName: + type: string + skipCrds: + type: boolean + valueFiles: + items: + type: string + type: array + values: + type: string + version: + type: string + type: object + kustomize: + properties: + commonAnnotations: + additionalProperties: + type: string + type: object + commonAnnotationsEnvsubst: + type: boolean + commonLabels: + additionalProperties: + type: string + type: object + forceCommonAnnotations: + type: boolean + forceCommonLabels: + type: boolean + images: + items: + type: string + type: array + namePrefix: + type: string + nameSuffix: + type: string + namespace: + type: string + replicas: + items: + properties: + count: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + name: + type: string + required: + - count + - name + type: object + type: array + version: + type: string + type: object + path: + type: string + plugin: + properties: + env: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + name: + type: string + parameters: + items: + properties: + array: + items: + type: string + type: array + map: + additionalProperties: + type: string + type: object + name: + type: string + string: + type: string + type: object + type: array + type: object + ref: + type: string + repoURL: + type: string + targetRevision: + type: string + required: + - repoURL + type: object + sources: + items: + properties: + chart: + type: string + directory: + properties: + exclude: + type: string + include: + type: string + jsonnet: + properties: + extVars: + items: + properties: + code: + type: boolean + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + libs: + items: + type: string + type: array + tlas: + items: + properties: + code: + type: boolean + name: + type: string + value: + 
type: string + required: + - name + - value + type: object + type: array + type: object + recurse: + type: boolean + type: object + helm: + properties: + fileParameters: + items: + properties: + name: + type: string + path: + type: string + type: object + type: array + ignoreMissingValueFiles: + type: boolean + parameters: + items: + properties: + forceString: + type: boolean + name: + type: string + value: + type: string + type: object + type: array + passCredentials: + type: boolean + releaseName: + type: string + skipCrds: + type: boolean + valueFiles: + items: + type: string + type: array + values: + type: string + version: + type: string + type: object + kustomize: + properties: + commonAnnotations: + additionalProperties: + type: string + type: object + commonAnnotationsEnvsubst: + type: boolean + commonLabels: + additionalProperties: + type: string + type: object + forceCommonAnnotations: + type: boolean + forceCommonLabels: + type: boolean + images: + items: + type: string + type: array + namePrefix: + type: string + nameSuffix: + type: string + namespace: + type: string + replicas: + items: + properties: + count: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + name: + type: string + required: + - count + - name + type: object + type: array + version: + type: string + type: object + path: + type: string + plugin: + properties: + env: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + name: + type: string + parameters: + items: + properties: + array: + items: + type: string + type: array + map: + additionalProperties: + type: string + type: object + name: + type: string + string: + type: string + type: object + type: array + type: object + ref: + type: string + repoURL: + type: string + targetRevision: + type: string + required: + - repoURL + type: object + type: array + syncPolicy: + properties: + automated: + properties: + allowEmpty: + type: 
boolean + prune: + type: boolean + selfHeal: + type: boolean + type: object + managedNamespaceMetadata: + properties: + annotations: + additionalProperties: + type: string + type: object + labels: + additionalProperties: + type: string + type: object + type: object + retry: + properties: + backoff: + properties: + duration: + type: string + factor: + format: int64 + type: integer + maxDuration: + type: string + type: object + limit: + format: int64 + type: integer + type: object + syncOptions: + items: + type: string + type: array + type: object + required: + - destination + - project + type: object + required: + - metadata + - spec + type: object + values: + additionalProperties: + type: string + type: object + type: object + git: + properties: + directories: + items: + properties: + exclude: + type: boolean + path: + type: string + required: + - path + type: object + type: array + files: + items: + properties: + path: + type: string + required: + - path + type: object + type: array + pathParamPrefix: + type: string + repoURL: + type: string + requeueAfterSeconds: + format: int64 + type: integer + revision: + type: string + template: + properties: + metadata: + properties: + annotations: + additionalProperties: + type: string + type: object + finalizers: + items: + type: string + type: array + labels: + additionalProperties: + type: string + type: object + name: + type: string + namespace: + type: string + type: object + spec: + properties: + destination: + properties: + name: + type: string + namespace: + type: string + server: + type: string + type: object + ignoreDifferences: + items: + properties: + group: + type: string + jqPathExpressions: + items: + type: string + type: array + jsonPointers: + items: + type: string + type: array + kind: + type: string + managedFieldsManagers: + items: + type: string + type: array + name: + type: string + namespace: + type: string + required: + - kind + type: object + type: array + info: + items: + properties: + name: + 
type: string + value: + type: string + required: + - name + - value + type: object + type: array + project: + type: string + revisionHistoryLimit: + format: int64 + type: integer + source: + properties: + chart: + type: string + directory: + properties: + exclude: + type: string + include: + type: string + jsonnet: + properties: + extVars: + items: + properties: + code: + type: boolean + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + libs: + items: + type: string + type: array + tlas: + items: + properties: + code: + type: boolean + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + type: object + recurse: + type: boolean + type: object + helm: + properties: + fileParameters: + items: + properties: + name: + type: string + path: + type: string + type: object + type: array + ignoreMissingValueFiles: + type: boolean + parameters: + items: + properties: + forceString: + type: boolean + name: + type: string + value: + type: string + type: object + type: array + passCredentials: + type: boolean + releaseName: + type: string + skipCrds: + type: boolean + valueFiles: + items: + type: string + type: array + values: + type: string + version: + type: string + type: object + kustomize: + properties: + commonAnnotations: + additionalProperties: + type: string + type: object + commonAnnotationsEnvsubst: + type: boolean + commonLabels: + additionalProperties: + type: string + type: object + forceCommonAnnotations: + type: boolean + forceCommonLabels: + type: boolean + images: + items: + type: string + type: array + namePrefix: + type: string + nameSuffix: + type: string + namespace: + type: string + replicas: + items: + properties: + count: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + name: + type: string + required: + - count + - name + type: object + type: array + version: + type: string + type: object + path: + type: string + 
plugin: + properties: + env: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + name: + type: string + parameters: + items: + properties: + array: + items: + type: string + type: array + map: + additionalProperties: + type: string + type: object + name: + type: string + string: + type: string + type: object + type: array + type: object + ref: + type: string + repoURL: + type: string + targetRevision: + type: string + required: + - repoURL + type: object + sources: + items: + properties: + chart: + type: string + directory: + properties: + exclude: + type: string + include: + type: string + jsonnet: + properties: + extVars: + items: + properties: + code: + type: boolean + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + libs: + items: + type: string + type: array + tlas: + items: + properties: + code: + type: boolean + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + type: object + recurse: + type: boolean + type: object + helm: + properties: + fileParameters: + items: + properties: + name: + type: string + path: + type: string + type: object + type: array + ignoreMissingValueFiles: + type: boolean + parameters: + items: + properties: + forceString: + type: boolean + name: + type: string + value: + type: string + type: object + type: array + passCredentials: + type: boolean + releaseName: + type: string + skipCrds: + type: boolean + valueFiles: + items: + type: string + type: array + values: + type: string + version: + type: string + type: object + kustomize: + properties: + commonAnnotations: + additionalProperties: + type: string + type: object + commonAnnotationsEnvsubst: + type: boolean + commonLabels: + additionalProperties: + type: string + type: object + forceCommonAnnotations: + type: boolean + forceCommonLabels: + type: boolean + images: + items: + type: string + 
type: array + namePrefix: + type: string + nameSuffix: + type: string + namespace: + type: string + replicas: + items: + properties: + count: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + name: + type: string + required: + - count + - name + type: object + type: array + version: + type: string + type: object + path: + type: string + plugin: + properties: + env: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + name: + type: string + parameters: + items: + properties: + array: + items: + type: string + type: array + map: + additionalProperties: + type: string + type: object + name: + type: string + string: + type: string + type: object + type: array + type: object + ref: + type: string + repoURL: + type: string + targetRevision: + type: string + required: + - repoURL + type: object + type: array + syncPolicy: + properties: + automated: + properties: + allowEmpty: + type: boolean + prune: + type: boolean + selfHeal: + type: boolean + type: object + managedNamespaceMetadata: + properties: + annotations: + additionalProperties: + type: string + type: object + labels: + additionalProperties: + type: string + type: object + type: object + retry: + properties: + backoff: + properties: + duration: + type: string + factor: + format: int64 + type: integer + maxDuration: + type: string + type: object + limit: + format: int64 + type: integer + type: object + syncOptions: + items: + type: string + type: array + type: object + required: + - destination + - project + type: object + required: + - metadata + - spec + type: object + values: + additionalProperties: + type: string + type: object + required: + - repoURL + - revision + type: object + list: + properties: + elements: + items: + x-kubernetes-preserve-unknown-fields: true + type: array + elementsYaml: + type: string + template: + properties: + metadata: + properties: + annotations: + additionalProperties: + 
type: string + type: object + finalizers: + items: + type: string + type: array + labels: + additionalProperties: + type: string + type: object + name: + type: string + namespace: + type: string + type: object + spec: + properties: + destination: + properties: + name: + type: string + namespace: + type: string + server: + type: string + type: object + ignoreDifferences: + items: + properties: + group: + type: string + jqPathExpressions: + items: + type: string + type: array + jsonPointers: + items: + type: string + type: array + kind: + type: string + managedFieldsManagers: + items: + type: string + type: array + name: + type: string + namespace: + type: string + required: + - kind + type: object + type: array + info: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + project: + type: string + revisionHistoryLimit: + format: int64 + type: integer + source: + properties: + chart: + type: string + directory: + properties: + exclude: + type: string + include: + type: string + jsonnet: + properties: + extVars: + items: + properties: + code: + type: boolean + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + libs: + items: + type: string + type: array + tlas: + items: + properties: + code: + type: boolean + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + type: object + recurse: + type: boolean + type: object + helm: + properties: + fileParameters: + items: + properties: + name: + type: string + path: + type: string + type: object + type: array + ignoreMissingValueFiles: + type: boolean + parameters: + items: + properties: + forceString: + type: boolean + name: + type: string + value: + type: string + type: object + type: array + passCredentials: + type: boolean + releaseName: + type: string + skipCrds: + type: boolean + valueFiles: + items: + type: string + type: array + 
values: + type: string + version: + type: string + type: object + kustomize: + properties: + commonAnnotations: + additionalProperties: + type: string + type: object + commonAnnotationsEnvsubst: + type: boolean + commonLabels: + additionalProperties: + type: string + type: object + forceCommonAnnotations: + type: boolean + forceCommonLabels: + type: boolean + images: + items: + type: string + type: array + namePrefix: + type: string + nameSuffix: + type: string + namespace: + type: string + replicas: + items: + properties: + count: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + name: + type: string + required: + - count + - name + type: object + type: array + version: + type: string + type: object + path: + type: string + plugin: + properties: + env: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + name: + type: string + parameters: + items: + properties: + array: + items: + type: string + type: array + map: + additionalProperties: + type: string + type: object + name: + type: string + string: + type: string + type: object + type: array + type: object + ref: + type: string + repoURL: + type: string + targetRevision: + type: string + required: + - repoURL + type: object + sources: + items: + properties: + chart: + type: string + directory: + properties: + exclude: + type: string + include: + type: string + jsonnet: + properties: + extVars: + items: + properties: + code: + type: boolean + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + libs: + items: + type: string + type: array + tlas: + items: + properties: + code: + type: boolean + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + type: object + recurse: + type: boolean + type: object + helm: + properties: + fileParameters: + items: + properties: + name: + type: string + path: + type: 
string + type: object + type: array + ignoreMissingValueFiles: + type: boolean + parameters: + items: + properties: + forceString: + type: boolean + name: + type: string + value: + type: string + type: object + type: array + passCredentials: + type: boolean + releaseName: + type: string + skipCrds: + type: boolean + valueFiles: + items: + type: string + type: array + values: + type: string + version: + type: string + type: object + kustomize: + properties: + commonAnnotations: + additionalProperties: + type: string + type: object + commonAnnotationsEnvsubst: + type: boolean + commonLabels: + additionalProperties: + type: string + type: object + forceCommonAnnotations: + type: boolean + forceCommonLabels: + type: boolean + images: + items: + type: string + type: array + namePrefix: + type: string + nameSuffix: + type: string + namespace: + type: string + replicas: + items: + properties: + count: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + name: + type: string + required: + - count + - name + type: object + type: array + version: + type: string + type: object + path: + type: string + plugin: + properties: + env: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + name: + type: string + parameters: + items: + properties: + array: + items: + type: string + type: array + map: + additionalProperties: + type: string + type: object + name: + type: string + string: + type: string + type: object + type: array + type: object + ref: + type: string + repoURL: + type: string + targetRevision: + type: string + required: + - repoURL + type: object + type: array + syncPolicy: + properties: + automated: + properties: + allowEmpty: + type: boolean + prune: + type: boolean + selfHeal: + type: boolean + type: object + managedNamespaceMetadata: + properties: + annotations: + additionalProperties: + type: string + type: object + labels: + additionalProperties: + type: 
string + type: object + type: object + retry: + properties: + backoff: + properties: + duration: + type: string + factor: + format: int64 + type: integer + maxDuration: + type: string + type: object + limit: + format: int64 + type: integer + type: object + syncOptions: + items: + type: string + type: array + type: object + required: + - destination + - project + type: object + required: + - metadata + - spec + type: object + required: + - elements + type: object + matrix: + x-kubernetes-preserve-unknown-fields: true + merge: + x-kubernetes-preserve-unknown-fields: true + pullRequest: + properties: + bitbucketServer: + properties: + api: + type: string + basicAuth: + properties: + passwordRef: + properties: + key: + type: string + secretName: + type: string + required: + - key + - secretName + type: object + username: + type: string + required: + - passwordRef + - username + type: object + project: + type: string + repo: + type: string + required: + - api + - project + - repo + type: object + filters: + items: + properties: + branchMatch: + type: string + targetBranchMatch: + type: string + type: object + type: array + gitea: + properties: + api: + type: string + insecure: + type: boolean + owner: + type: string + repo: + type: string + tokenRef: + properties: + key: + type: string + secretName: + type: string + required: + - key + - secretName + type: object + required: + - api + - owner + - repo + type: object + github: + properties: + api: + type: string + appSecretName: + type: string + labels: + items: + type: string + type: array + owner: + type: string + repo: + type: string + tokenRef: + properties: + key: + type: string + secretName: + type: string + required: + - key + - secretName + type: object + required: + - owner + - repo + type: object + gitlab: + properties: + api: + type: string + labels: + items: + type: string + type: array + project: + type: string + pullRequestState: + type: string + tokenRef: + properties: + key: + type: string + secretName: + 
type: string + required: + - key + - secretName + type: object + required: + - project + type: object + requeueAfterSeconds: + format: int64 + type: integer + template: + properties: + metadata: + properties: + annotations: + additionalProperties: + type: string + type: object + finalizers: + items: + type: string + type: array + labels: + additionalProperties: + type: string + type: object + name: + type: string + namespace: + type: string + type: object + spec: + properties: + destination: + properties: + name: + type: string + namespace: + type: string + server: + type: string + type: object + ignoreDifferences: + items: + properties: + group: + type: string + jqPathExpressions: + items: + type: string + type: array + jsonPointers: + items: + type: string + type: array + kind: + type: string + managedFieldsManagers: + items: + type: string + type: array + name: + type: string + namespace: + type: string + required: + - kind + type: object + type: array + info: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + project: + type: string + revisionHistoryLimit: + format: int64 + type: integer + source: + properties: + chart: + type: string + directory: + properties: + exclude: + type: string + include: + type: string + jsonnet: + properties: + extVars: + items: + properties: + code: + type: boolean + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + libs: + items: + type: string + type: array + tlas: + items: + properties: + code: + type: boolean + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + type: object + recurse: + type: boolean + type: object + helm: + properties: + fileParameters: + items: + properties: + name: + type: string + path: + type: string + type: object + type: array + ignoreMissingValueFiles: + type: boolean + parameters: + items: + properties: + 
forceString: + type: boolean + name: + type: string + value: + type: string + type: object + type: array + passCredentials: + type: boolean + releaseName: + type: string + skipCrds: + type: boolean + valueFiles: + items: + type: string + type: array + values: + type: string + version: + type: string + type: object + kustomize: + properties: + commonAnnotations: + additionalProperties: + type: string + type: object + commonAnnotationsEnvsubst: + type: boolean + commonLabels: + additionalProperties: + type: string + type: object + forceCommonAnnotations: + type: boolean + forceCommonLabels: + type: boolean + images: + items: + type: string + type: array + namePrefix: + type: string + nameSuffix: + type: string + namespace: + type: string + replicas: + items: + properties: + count: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + name: + type: string + required: + - count + - name + type: object + type: array + version: + type: string + type: object + path: + type: string + plugin: + properties: + env: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + name: + type: string + parameters: + items: + properties: + array: + items: + type: string + type: array + map: + additionalProperties: + type: string + type: object + name: + type: string + string: + type: string + type: object + type: array + type: object + ref: + type: string + repoURL: + type: string + targetRevision: + type: string + required: + - repoURL + type: object + sources: + items: + properties: + chart: + type: string + directory: + properties: + exclude: + type: string + include: + type: string + jsonnet: + properties: + extVars: + items: + properties: + code: + type: boolean + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + libs: + items: + type: string + type: array + tlas: + items: + properties: + code: + type: boolean + name: + 
type: string + value: + type: string + required: + - name + - value + type: object + type: array + type: object + recurse: + type: boolean + type: object + helm: + properties: + fileParameters: + items: + properties: + name: + type: string + path: + type: string + type: object + type: array + ignoreMissingValueFiles: + type: boolean + parameters: + items: + properties: + forceString: + type: boolean + name: + type: string + value: + type: string + type: object + type: array + passCredentials: + type: boolean + releaseName: + type: string + skipCrds: + type: boolean + valueFiles: + items: + type: string + type: array + values: + type: string + version: + type: string + type: object + kustomize: + properties: + commonAnnotations: + additionalProperties: + type: string + type: object + commonAnnotationsEnvsubst: + type: boolean + commonLabels: + additionalProperties: + type: string + type: object + forceCommonAnnotations: + type: boolean + forceCommonLabels: + type: boolean + images: + items: + type: string + type: array + namePrefix: + type: string + nameSuffix: + type: string + namespace: + type: string + replicas: + items: + properties: + count: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + name: + type: string + required: + - count + - name + type: object + type: array + version: + type: string + type: object + path: + type: string + plugin: + properties: + env: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + name: + type: string + parameters: + items: + properties: + array: + items: + type: string + type: array + map: + additionalProperties: + type: string + type: object + name: + type: string + string: + type: string + type: object + type: array + type: object + ref: + type: string + repoURL: + type: string + targetRevision: + type: string + required: + - repoURL + type: object + type: array + syncPolicy: + properties: + automated: + properties: 
+ allowEmpty: + type: boolean + prune: + type: boolean + selfHeal: + type: boolean + type: object + managedNamespaceMetadata: + properties: + annotations: + additionalProperties: + type: string + type: object + labels: + additionalProperties: + type: string + type: object + type: object + retry: + properties: + backoff: + properties: + duration: + type: string + factor: + format: int64 + type: integer + maxDuration: + type: string + type: object + limit: + format: int64 + type: integer + type: object + syncOptions: + items: + type: string + type: array + type: object + required: + - destination + - project + type: object + required: + - metadata + - spec + type: object + type: object + scmProvider: + properties: + awsCodeCommit: + properties: + allBranches: + type: boolean + region: + type: string + role: + type: string + tagFilters: + items: + properties: + key: + type: string + value: + type: string + required: + - key + type: object + type: array + type: object + azureDevOps: + properties: + accessTokenRef: + properties: + key: + type: string + secretName: + type: string + required: + - key + - secretName + type: object + allBranches: + type: boolean + api: + type: string + organization: + type: string + teamProject: + type: string + required: + - accessTokenRef + - organization + - teamProject + type: object + bitbucket: + properties: + allBranches: + type: boolean + appPasswordRef: + properties: + key: + type: string + secretName: + type: string + required: + - key + - secretName + type: object + owner: + type: string + user: + type: string + required: + - appPasswordRef + - owner + - user + type: object + bitbucketServer: + properties: + allBranches: + type: boolean + api: + type: string + basicAuth: + properties: + passwordRef: + properties: + key: + type: string + secretName: + type: string + required: + - key + - secretName + type: object + username: + type: string + required: + - passwordRef + - username + type: object + project: + type: string + 
required: + - api + - project + type: object + cloneProtocol: + type: string + filters: + items: + properties: + branchMatch: + type: string + labelMatch: + type: string + pathsDoNotExist: + items: + type: string + type: array + pathsExist: + items: + type: string + type: array + repositoryMatch: + type: string + type: object + type: array + gitea: + properties: + allBranches: + type: boolean + api: + type: string + insecure: + type: boolean + owner: + type: string + tokenRef: + properties: + key: + type: string + secretName: + type: string + required: + - key + - secretName + type: object + required: + - api + - owner + type: object + github: + properties: + allBranches: + type: boolean + api: + type: string + appSecretName: + type: string + organization: + type: string + tokenRef: + properties: + key: + type: string + secretName: + type: string + required: + - key + - secretName + type: object + required: + - organization + type: object + gitlab: + properties: + allBranches: + type: boolean + api: + type: string + group: + type: string + includeSubgroups: + type: boolean + tokenRef: + properties: + key: + type: string + secretName: + type: string + required: + - key + - secretName + type: object + required: + - group + type: object + requeueAfterSeconds: + format: int64 + type: integer + template: + properties: + metadata: + properties: + annotations: + additionalProperties: + type: string + type: object + finalizers: + items: + type: string + type: array + labels: + additionalProperties: + type: string + type: object + name: + type: string + namespace: + type: string + type: object + spec: + properties: + destination: + properties: + name: + type: string + namespace: + type: string + server: + type: string + type: object + ignoreDifferences: + items: + properties: + group: + type: string + jqPathExpressions: + items: + type: string + type: array + jsonPointers: + items: + type: string + type: array + kind: + type: string + managedFieldsManagers: + items: + type: 
string + type: array + name: + type: string + namespace: + type: string + required: + - kind + type: object + type: array + info: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + project: + type: string + revisionHistoryLimit: + format: int64 + type: integer + source: + properties: + chart: + type: string + directory: + properties: + exclude: + type: string + include: + type: string + jsonnet: + properties: + extVars: + items: + properties: + code: + type: boolean + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + libs: + items: + type: string + type: array + tlas: + items: + properties: + code: + type: boolean + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + type: object + recurse: + type: boolean + type: object + helm: + properties: + fileParameters: + items: + properties: + name: + type: string + path: + type: string + type: object + type: array + ignoreMissingValueFiles: + type: boolean + parameters: + items: + properties: + forceString: + type: boolean + name: + type: string + value: + type: string + type: object + type: array + passCredentials: + type: boolean + releaseName: + type: string + skipCrds: + type: boolean + valueFiles: + items: + type: string + type: array + values: + type: string + version: + type: string + type: object + kustomize: + properties: + commonAnnotations: + additionalProperties: + type: string + type: object + commonAnnotationsEnvsubst: + type: boolean + commonLabels: + additionalProperties: + type: string + type: object + forceCommonAnnotations: + type: boolean + forceCommonLabels: + type: boolean + images: + items: + type: string + type: array + namePrefix: + type: string + nameSuffix: + type: string + namespace: + type: string + replicas: + items: + properties: + count: + anyOf: + - type: integer + - type: string + 
x-kubernetes-int-or-string: true + name: + type: string + required: + - count + - name + type: object + type: array + version: + type: string + type: object + path: + type: string + plugin: + properties: + env: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + name: + type: string + parameters: + items: + properties: + array: + items: + type: string + type: array + map: + additionalProperties: + type: string + type: object + name: + type: string + string: + type: string + type: object + type: array + type: object + ref: + type: string + repoURL: + type: string + targetRevision: + type: string + required: + - repoURL + type: object + sources: + items: + properties: + chart: + type: string + directory: + properties: + exclude: + type: string + include: + type: string + jsonnet: + properties: + extVars: + items: + properties: + code: + type: boolean + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + libs: + items: + type: string + type: array + tlas: + items: + properties: + code: + type: boolean + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + type: object + recurse: + type: boolean + type: object + helm: + properties: + fileParameters: + items: + properties: + name: + type: string + path: + type: string + type: object + type: array + ignoreMissingValueFiles: + type: boolean + parameters: + items: + properties: + forceString: + type: boolean + name: + type: string + value: + type: string + type: object + type: array + passCredentials: + type: boolean + releaseName: + type: string + skipCrds: + type: boolean + valueFiles: + items: + type: string + type: array + values: + type: string + version: + type: string + type: object + kustomize: + properties: + commonAnnotations: + additionalProperties: + type: string + type: object + commonAnnotationsEnvsubst: + type: boolean + 
commonLabels: + additionalProperties: + type: string + type: object + forceCommonAnnotations: + type: boolean + forceCommonLabels: + type: boolean + images: + items: + type: string + type: array + namePrefix: + type: string + nameSuffix: + type: string + namespace: + type: string + replicas: + items: + properties: + count: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + name: + type: string + required: + - count + - name + type: object + type: array + version: + type: string + type: object + path: + type: string + plugin: + properties: + env: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + name: + type: string + parameters: + items: + properties: + array: + items: + type: string + type: array + map: + additionalProperties: + type: string + type: object + name: + type: string + string: + type: string + type: object + type: array + type: object + ref: + type: string + repoURL: + type: string + targetRevision: + type: string + required: + - repoURL + type: object + type: array + syncPolicy: + properties: + automated: + properties: + allowEmpty: + type: boolean + prune: + type: boolean + selfHeal: + type: boolean + type: object + managedNamespaceMetadata: + properties: + annotations: + additionalProperties: + type: string + type: object + labels: + additionalProperties: + type: string + type: object + type: object + retry: + properties: + backoff: + properties: + duration: + type: string + factor: + format: int64 + type: integer + maxDuration: + type: string + type: object + limit: + format: int64 + type: integer + type: object + syncOptions: + items: + type: string + type: array + type: object + required: + - destination + - project + type: object + required: + - metadata + - spec + type: object + values: + additionalProperties: + type: string + type: object + type: object + selector: + properties: + matchExpressions: + items: + properties: + key: + 
type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + type: object + type: array + mergeKeys: + items: + type: string + type: array + template: + properties: + metadata: + properties: + annotations: + additionalProperties: + type: string + type: object + finalizers: + items: + type: string + type: array + labels: + additionalProperties: + type: string + type: object + name: + type: string + namespace: + type: string + type: object + spec: + properties: + destination: + properties: + name: + type: string + namespace: + type: string + server: + type: string + type: object + ignoreDifferences: + items: + properties: + group: + type: string + jqPathExpressions: + items: + type: string + type: array + jsonPointers: + items: + type: string + type: array + kind: + type: string + managedFieldsManagers: + items: + type: string + type: array + name: + type: string + namespace: + type: string + required: + - kind + type: object + type: array + info: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + project: + type: string + revisionHistoryLimit: + format: int64 + type: integer + source: + properties: + chart: + type: string + directory: + properties: + exclude: + type: string + include: + type: string + jsonnet: + properties: + extVars: + items: + properties: + code: + type: boolean + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + libs: + items: + type: string + type: array + tlas: + items: + properties: + code: + type: boolean + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + type: object + recurse: + type: boolean + type: object + helm: + properties: + fileParameters: + items: + properties: + name: 
+ type: string + path: + type: string + type: object + type: array + ignoreMissingValueFiles: + type: boolean + parameters: + items: + properties: + forceString: + type: boolean + name: + type: string + value: + type: string + type: object + type: array + passCredentials: + type: boolean + releaseName: + type: string + skipCrds: + type: boolean + valueFiles: + items: + type: string + type: array + values: + type: string + version: + type: string + type: object + kustomize: + properties: + commonAnnotations: + additionalProperties: + type: string + type: object + commonAnnotationsEnvsubst: + type: boolean + commonLabels: + additionalProperties: + type: string + type: object + forceCommonAnnotations: + type: boolean + forceCommonLabels: + type: boolean + images: + items: + type: string + type: array + namePrefix: + type: string + nameSuffix: + type: string + namespace: + type: string + replicas: + items: + properties: + count: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + name: + type: string + required: + - count + - name + type: object + type: array + version: + type: string + type: object + path: + type: string + plugin: + properties: + env: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + name: + type: string + parameters: + items: + properties: + array: + items: + type: string + type: array + map: + additionalProperties: + type: string + type: object + name: + type: string + string: + type: string + type: object + type: array + type: object + ref: + type: string + repoURL: + type: string + targetRevision: + type: string + required: + - repoURL + type: object + sources: + items: + properties: + chart: + type: string + directory: + properties: + exclude: + type: string + include: + type: string + jsonnet: + properties: + extVars: + items: + properties: + code: + type: boolean + name: + type: string + value: + type: string + required: + - name + - 
value + type: object + type: array + libs: + items: + type: string + type: array + tlas: + items: + properties: + code: + type: boolean + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + type: object + recurse: + type: boolean + type: object + helm: + properties: + fileParameters: + items: + properties: + name: + type: string + path: + type: string + type: object + type: array + ignoreMissingValueFiles: + type: boolean + parameters: + items: + properties: + forceString: + type: boolean + name: + type: string + value: + type: string + type: object + type: array + passCredentials: + type: boolean + releaseName: + type: string + skipCrds: + type: boolean + valueFiles: + items: + type: string + type: array + values: + type: string + version: + type: string + type: object + kustomize: + properties: + commonAnnotations: + additionalProperties: + type: string + type: object + commonAnnotationsEnvsubst: + type: boolean + commonLabels: + additionalProperties: + type: string + type: object + forceCommonAnnotations: + type: boolean + forceCommonLabels: + type: boolean + images: + items: + type: string + type: array + namePrefix: + type: string + nameSuffix: + type: string + namespace: + type: string + replicas: + items: + properties: + count: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + name: + type: string + required: + - count + - name + type: object + type: array + version: + type: string + type: object + path: + type: string + plugin: + properties: + env: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + name: + type: string + parameters: + items: + properties: + array: + items: + type: string + type: array + map: + additionalProperties: + type: string + type: object + name: + type: string + string: + type: string + type: object + type: array + type: object + ref: + type: string + repoURL: + type: 
string + targetRevision: + type: string + required: + - repoURL + type: object + type: array + syncPolicy: + properties: + automated: + properties: + allowEmpty: + type: boolean + prune: + type: boolean + selfHeal: + type: boolean + type: object + managedNamespaceMetadata: + properties: + annotations: + additionalProperties: + type: string + type: object + labels: + additionalProperties: + type: string + type: object + type: object + retry: + properties: + backoff: + properties: + duration: + type: string + factor: + format: int64 + type: integer + maxDuration: + type: string + type: object + limit: + format: int64 + type: integer + type: object + syncOptions: + items: + type: string + type: array + type: object + required: + - destination + - project + type: object + required: + - metadata + - spec + type: object + required: + - generators + - mergeKeys + type: object + pullRequest: + properties: + bitbucketServer: + properties: + api: + type: string + basicAuth: + properties: + passwordRef: + properties: + key: + type: string + secretName: + type: string + required: + - key + - secretName + type: object + username: + type: string + required: + - passwordRef + - username + type: object + project: + type: string + repo: + type: string + required: + - api + - project + - repo + type: object + filters: + items: + properties: + branchMatch: + type: string + targetBranchMatch: + type: string + type: object + type: array + gitea: + properties: + api: + type: string + insecure: + type: boolean + owner: + type: string + repo: + type: string + tokenRef: + properties: + key: + type: string + secretName: + type: string + required: + - key + - secretName + type: object + required: + - api + - owner + - repo + type: object + github: + properties: + api: + type: string + appSecretName: + type: string + labels: + items: + type: string + type: array + owner: + type: string + repo: + type: string + tokenRef: + properties: + key: + type: string + secretName: + type: string + 
required: + - key + - secretName + type: object + required: + - owner + - repo + type: object + gitlab: + properties: + api: + type: string + labels: + items: + type: string + type: array + project: + type: string + pullRequestState: + type: string + tokenRef: + properties: + key: + type: string + secretName: + type: string + required: + - key + - secretName + type: object + required: + - project + type: object + requeueAfterSeconds: + format: int64 + type: integer + template: + properties: + metadata: + properties: + annotations: + additionalProperties: + type: string + type: object + finalizers: + items: + type: string + type: array + labels: + additionalProperties: + type: string + type: object + name: + type: string + namespace: + type: string + type: object + spec: + properties: + destination: + properties: + name: + type: string + namespace: + type: string + server: + type: string + type: object + ignoreDifferences: + items: + properties: + group: + type: string + jqPathExpressions: + items: + type: string + type: array + jsonPointers: + items: + type: string + type: array + kind: + type: string + managedFieldsManagers: + items: + type: string + type: array + name: + type: string + namespace: + type: string + required: + - kind + type: object + type: array + info: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + project: + type: string + revisionHistoryLimit: + format: int64 + type: integer + source: + properties: + chart: + type: string + directory: + properties: + exclude: + type: string + include: + type: string + jsonnet: + properties: + extVars: + items: + properties: + code: + type: boolean + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + libs: + items: + type: string + type: array + tlas: + items: + properties: + code: + type: boolean + name: + type: string + value: + type: string + required: + - name + - value 
+ type: object + type: array + type: object + recurse: + type: boolean + type: object + helm: + properties: + fileParameters: + items: + properties: + name: + type: string + path: + type: string + type: object + type: array + ignoreMissingValueFiles: + type: boolean + parameters: + items: + properties: + forceString: + type: boolean + name: + type: string + value: + type: string + type: object + type: array + passCredentials: + type: boolean + releaseName: + type: string + skipCrds: + type: boolean + valueFiles: + items: + type: string + type: array + values: + type: string + version: + type: string + type: object + kustomize: + properties: + commonAnnotations: + additionalProperties: + type: string + type: object + commonAnnotationsEnvsubst: + type: boolean + commonLabels: + additionalProperties: + type: string + type: object + forceCommonAnnotations: + type: boolean + forceCommonLabels: + type: boolean + images: + items: + type: string + type: array + namePrefix: + type: string + nameSuffix: + type: string + namespace: + type: string + replicas: + items: + properties: + count: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + name: + type: string + required: + - count + - name + type: object + type: array + version: + type: string + type: object + path: + type: string + plugin: + properties: + env: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + name: + type: string + parameters: + items: + properties: + array: + items: + type: string + type: array + map: + additionalProperties: + type: string + type: object + name: + type: string + string: + type: string + type: object + type: array + type: object + ref: + type: string + repoURL: + type: string + targetRevision: + type: string + required: + - repoURL + type: object + sources: + items: + properties: + chart: + type: string + directory: + properties: + exclude: + type: string + include: + type: string 
+ jsonnet: + properties: + extVars: + items: + properties: + code: + type: boolean + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + libs: + items: + type: string + type: array + tlas: + items: + properties: + code: + type: boolean + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + type: object + recurse: + type: boolean + type: object + helm: + properties: + fileParameters: + items: + properties: + name: + type: string + path: + type: string + type: object + type: array + ignoreMissingValueFiles: + type: boolean + parameters: + items: + properties: + forceString: + type: boolean + name: + type: string + value: + type: string + type: object + type: array + passCredentials: + type: boolean + releaseName: + type: string + skipCrds: + type: boolean + valueFiles: + items: + type: string + type: array + values: + type: string + version: + type: string + type: object + kustomize: + properties: + commonAnnotations: + additionalProperties: + type: string + type: object + commonAnnotationsEnvsubst: + type: boolean + commonLabels: + additionalProperties: + type: string + type: object + forceCommonAnnotations: + type: boolean + forceCommonLabels: + type: boolean + images: + items: + type: string + type: array + namePrefix: + type: string + nameSuffix: + type: string + namespace: + type: string + replicas: + items: + properties: + count: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + name: + type: string + required: + - count + - name + type: object + type: array + version: + type: string + type: object + path: + type: string + plugin: + properties: + env: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + name: + type: string + parameters: + items: + properties: + array: + items: + type: string + type: array + map: + additionalProperties: + type: 
string + type: object + name: + type: string + string: + type: string + type: object + type: array + type: object + ref: + type: string + repoURL: + type: string + targetRevision: + type: string + required: + - repoURL + type: object + type: array + syncPolicy: + properties: + automated: + properties: + allowEmpty: + type: boolean + prune: + type: boolean + selfHeal: + type: boolean + type: object + managedNamespaceMetadata: + properties: + annotations: + additionalProperties: + type: string + type: object + labels: + additionalProperties: + type: string + type: object + type: object + retry: + properties: + backoff: + properties: + duration: + type: string + factor: + format: int64 + type: integer + maxDuration: + type: string + type: object + limit: + format: int64 + type: integer + type: object + syncOptions: + items: + type: string + type: array + type: object + required: + - destination + - project + type: object + required: + - metadata + - spec + type: object + type: object + scmProvider: + properties: + awsCodeCommit: + properties: + allBranches: + type: boolean + region: + type: string + role: + type: string + tagFilters: + items: + properties: + key: + type: string + value: + type: string + required: + - key + type: object + type: array + type: object + azureDevOps: + properties: + accessTokenRef: + properties: + key: + type: string + secretName: + type: string + required: + - key + - secretName + type: object + allBranches: + type: boolean + api: + type: string + organization: + type: string + teamProject: + type: string + required: + - accessTokenRef + - organization + - teamProject + type: object + bitbucket: + properties: + allBranches: + type: boolean + appPasswordRef: + properties: + key: + type: string + secretName: + type: string + required: + - key + - secretName + type: object + owner: + type: string + user: + type: string + required: + - appPasswordRef + - owner + - user + type: object + bitbucketServer: + properties: + allBranches: + type: 
boolean + api: + type: string + basicAuth: + properties: + passwordRef: + properties: + key: + type: string + secretName: + type: string + required: + - key + - secretName + type: object + username: + type: string + required: + - passwordRef + - username + type: object + project: + type: string + required: + - api + - project + type: object + cloneProtocol: + type: string + filters: + items: + properties: + branchMatch: + type: string + labelMatch: + type: string + pathsDoNotExist: + items: + type: string + type: array + pathsExist: + items: + type: string + type: array + repositoryMatch: + type: string + type: object + type: array + gitea: + properties: + allBranches: + type: boolean + api: + type: string + insecure: + type: boolean + owner: + type: string + tokenRef: + properties: + key: + type: string + secretName: + type: string + required: + - key + - secretName + type: object + required: + - api + - owner + type: object + github: + properties: + allBranches: + type: boolean + api: + type: string + appSecretName: + type: string + organization: + type: string + tokenRef: + properties: + key: + type: string + secretName: + type: string + required: + - key + - secretName + type: object + required: + - organization + type: object + gitlab: + properties: + allBranches: + type: boolean + api: + type: string + group: + type: string + includeSubgroups: + type: boolean + tokenRef: + properties: + key: + type: string + secretName: + type: string + required: + - key + - secretName + type: object + required: + - group + type: object + requeueAfterSeconds: + format: int64 + type: integer + template: + properties: + metadata: + properties: + annotations: + additionalProperties: + type: string + type: object + finalizers: + items: + type: string + type: array + labels: + additionalProperties: + type: string + type: object + name: + type: string + namespace: + type: string + type: object + spec: + properties: + destination: + properties: + name: + type: string + namespace: + 
type: string + server: + type: string + type: object + ignoreDifferences: + items: + properties: + group: + type: string + jqPathExpressions: + items: + type: string + type: array + jsonPointers: + items: + type: string + type: array + kind: + type: string + managedFieldsManagers: + items: + type: string + type: array + name: + type: string + namespace: + type: string + required: + - kind + type: object + type: array + info: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + project: + type: string + revisionHistoryLimit: + format: int64 + type: integer + source: + properties: + chart: + type: string + directory: + properties: + exclude: + type: string + include: + type: string + jsonnet: + properties: + extVars: + items: + properties: + code: + type: boolean + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + libs: + items: + type: string + type: array + tlas: + items: + properties: + code: + type: boolean + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + type: object + recurse: + type: boolean + type: object + helm: + properties: + fileParameters: + items: + properties: + name: + type: string + path: + type: string + type: object + type: array + ignoreMissingValueFiles: + type: boolean + parameters: + items: + properties: + forceString: + type: boolean + name: + type: string + value: + type: string + type: object + type: array + passCredentials: + type: boolean + releaseName: + type: string + skipCrds: + type: boolean + valueFiles: + items: + type: string + type: array + values: + type: string + version: + type: string + type: object + kustomize: + properties: + commonAnnotations: + additionalProperties: + type: string + type: object + commonAnnotationsEnvsubst: + type: boolean + commonLabels: + additionalProperties: + type: string + type: object + 
forceCommonAnnotations: + type: boolean + forceCommonLabels: + type: boolean + images: + items: + type: string + type: array + namePrefix: + type: string + nameSuffix: + type: string + namespace: + type: string + replicas: + items: + properties: + count: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + name: + type: string + required: + - count + - name + type: object + type: array + version: + type: string + type: object + path: + type: string + plugin: + properties: + env: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + name: + type: string + parameters: + items: + properties: + array: + items: + type: string + type: array + map: + additionalProperties: + type: string + type: object + name: + type: string + string: + type: string + type: object + type: array + type: object + ref: + type: string + repoURL: + type: string + targetRevision: + type: string + required: + - repoURL + type: object + sources: + items: + properties: + chart: + type: string + directory: + properties: + exclude: + type: string + include: + type: string + jsonnet: + properties: + extVars: + items: + properties: + code: + type: boolean + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + libs: + items: + type: string + type: array + tlas: + items: + properties: + code: + type: boolean + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + type: object + recurse: + type: boolean + type: object + helm: + properties: + fileParameters: + items: + properties: + name: + type: string + path: + type: string + type: object + type: array + ignoreMissingValueFiles: + type: boolean + parameters: + items: + properties: + forceString: + type: boolean + name: + type: string + value: + type: string + type: object + type: array + passCredentials: + type: boolean + releaseName: + type: 
string + skipCrds: + type: boolean + valueFiles: + items: + type: string + type: array + values: + type: string + version: + type: string + type: object + kustomize: + properties: + commonAnnotations: + additionalProperties: + type: string + type: object + commonAnnotationsEnvsubst: + type: boolean + commonLabels: + additionalProperties: + type: string + type: object + forceCommonAnnotations: + type: boolean + forceCommonLabels: + type: boolean + images: + items: + type: string + type: array + namePrefix: + type: string + nameSuffix: + type: string + namespace: + type: string + replicas: + items: + properties: + count: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + name: + type: string + required: + - count + - name + type: object + type: array + version: + type: string + type: object + path: + type: string + plugin: + properties: + env: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + name: + type: string + parameters: + items: + properties: + array: + items: + type: string + type: array + map: + additionalProperties: + type: string + type: object + name: + type: string + string: + type: string + type: object + type: array + type: object + ref: + type: string + repoURL: + type: string + targetRevision: + type: string + required: + - repoURL + type: object + type: array + syncPolicy: + properties: + automated: + properties: + allowEmpty: + type: boolean + prune: + type: boolean + selfHeal: + type: boolean + type: object + managedNamespaceMetadata: + properties: + annotations: + additionalProperties: + type: string + type: object + labels: + additionalProperties: + type: string + type: object + type: object + retry: + properties: + backoff: + properties: + duration: + type: string + factor: + format: int64 + type: integer + maxDuration: + type: string + type: object + limit: + format: int64 + type: integer + type: object + syncOptions: + items: + 
type: string + type: array + type: object + required: + - destination + - project + type: object + required: + - metadata + - spec + type: object + values: + additionalProperties: + type: string + type: object + type: object + selector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + type: object + type: array + goTemplate: + type: boolean + goTemplateOptions: + items: + type: string + type: array + preservedFields: + properties: + annotations: + items: + type: string + type: array + type: object + strategy: + properties: + rollingSync: + properties: + steps: + items: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + type: object + type: array + maxUpdate: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + type: object + type: array + type: object + type: + type: string + type: object + syncPolicy: + properties: + preserveResourcesOnDeletion: + type: boolean + type: object + template: + properties: + metadata: + properties: + annotations: + additionalProperties: + type: string + type: object + finalizers: + items: + type: string + type: array + labels: + additionalProperties: + type: string + type: object + name: + type: string + namespace: + type: string + type: object + spec: + properties: + destination: + properties: + name: + type: string + namespace: + type: string + server: + type: string + type: object + ignoreDifferences: + items: + properties: + group: + type: string + jqPathExpressions: + items: + type: string + type: array + jsonPointers: + items: + type: string + type: array + kind: + type: string + managedFieldsManagers: + items: + type: string + type: array + name: + 
type: string + namespace: + type: string + required: + - kind + type: object + type: array + info: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + project: + type: string + revisionHistoryLimit: + format: int64 + type: integer + source: + properties: + chart: + type: string + directory: + properties: + exclude: + type: string + include: + type: string + jsonnet: + properties: + extVars: + items: + properties: + code: + type: boolean + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + libs: + items: + type: string + type: array + tlas: + items: + properties: + code: + type: boolean + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + type: object + recurse: + type: boolean + type: object + helm: + properties: + fileParameters: + items: + properties: + name: + type: string + path: + type: string + type: object + type: array + ignoreMissingValueFiles: + type: boolean + parameters: + items: + properties: + forceString: + type: boolean + name: + type: string + value: + type: string + type: object + type: array + passCredentials: + type: boolean + releaseName: + type: string + skipCrds: + type: boolean + valueFiles: + items: + type: string + type: array + values: + type: string + version: + type: string + type: object + kustomize: + properties: + commonAnnotations: + additionalProperties: + type: string + type: object + commonAnnotationsEnvsubst: + type: boolean + commonLabels: + additionalProperties: + type: string + type: object + forceCommonAnnotations: + type: boolean + forceCommonLabels: + type: boolean + images: + items: + type: string + type: array + namePrefix: + type: string + nameSuffix: + type: string + namespace: + type: string + replicas: + items: + properties: + count: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + name: + type: 
string + required: + - count + - name + type: object + type: array + version: + type: string + type: object + path: + type: string + plugin: + properties: + env: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + name: + type: string + parameters: + items: + properties: + array: + items: + type: string + type: array + map: + additionalProperties: + type: string + type: object + name: + type: string + string: + type: string + type: object + type: array + type: object + ref: + type: string + repoURL: + type: string + targetRevision: + type: string + required: + - repoURL + type: object + sources: + items: + properties: + chart: + type: string + directory: + properties: + exclude: + type: string + include: + type: string + jsonnet: + properties: + extVars: + items: + properties: + code: + type: boolean + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + libs: + items: + type: string + type: array + tlas: + items: + properties: + code: + type: boolean + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + type: object + recurse: + type: boolean + type: object + helm: + properties: + fileParameters: + items: + properties: + name: + type: string + path: + type: string + type: object + type: array + ignoreMissingValueFiles: + type: boolean + parameters: + items: + properties: + forceString: + type: boolean + name: + type: string + value: + type: string + type: object + type: array + passCredentials: + type: boolean + releaseName: + type: string + skipCrds: + type: boolean + valueFiles: + items: + type: string + type: array + values: + type: string + version: + type: string + type: object + kustomize: + properties: + commonAnnotations: + additionalProperties: + type: string + type: object + commonAnnotationsEnvsubst: + type: boolean + commonLabels: + additionalProperties: + type: 
string + type: object + forceCommonAnnotations: + type: boolean + forceCommonLabels: + type: boolean + images: + items: + type: string + type: array + namePrefix: + type: string + nameSuffix: + type: string + namespace: + type: string + replicas: + items: + properties: + count: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + name: + type: string + required: + - count + - name + type: object + type: array + version: + type: string + type: object + path: + type: string + plugin: + properties: + env: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + name: + type: string + parameters: + items: + properties: + array: + items: + type: string + type: array + map: + additionalProperties: + type: string + type: object + name: + type: string + string: + type: string + type: object + type: array + type: object + ref: + type: string + repoURL: + type: string + targetRevision: + type: string + required: + - repoURL + type: object + type: array + syncPolicy: + properties: + automated: + properties: + allowEmpty: + type: boolean + prune: + type: boolean + selfHeal: + type: boolean + type: object + managedNamespaceMetadata: + properties: + annotations: + additionalProperties: + type: string + type: object + labels: + additionalProperties: + type: string + type: object + type: object + retry: + properties: + backoff: + properties: + duration: + type: string + factor: + format: int64 + type: integer + maxDuration: + type: string + type: object + limit: + format: int64 + type: integer + type: object + syncOptions: + items: + type: string + type: array + type: object + required: + - destination + - project + type: object + required: + - metadata + - spec + type: object + required: + - generators + - template + type: object + status: + properties: + applicationStatus: + items: + properties: + application: + type: string + lastTransitionTime: + format: date-time + type: 
string + message: + type: string + status: + type: string + step: + type: string + required: + - application + - message + - status + - step + type: object + type: array + conditions: + items: + properties: + lastTransitionTime: + format: date-time + type: string + message: + type: string + reason: + type: string + status: + type: string + type: + type: string + required: + - message + - reason + - status + - type + type: object + type: array + type: object + required: + - metadata + - spec + type: object + served: true + storage: true + subresources: + status: {} \ No newline at end of file diff --git a/CRDs/appprojects.yaml b/CRDs/appprojects.yaml new file mode 100644 index 000000000..9fdc4e317 --- /dev/null +++ b/CRDs/appprojects.yaml 
@@ -0,0 +1,322 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app.kubernetes.io/name: appprojects.argoproj.io + app.kubernetes.io/part-of: argocd + name: appprojects.argoproj.io +spec: + group: argoproj.io + names: + kind: AppProject + listKind: AppProjectList + plural: appprojects + shortNames: + - appproj + - appprojs + singular: appproject + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: 'AppProject provides a logical grouping of applications, providing + controls for: * where the apps may deploy to (cluster whitelist) * what + may be deployed (repository whitelist, resource whitelist/blacklist) * who + can access these applications (roles, OIDC group claims bindings) * and + what they can do (RBAC policies) * automation access to these roles (JWT + tokens)' + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: AppProjectSpec is the specification of an AppProject + properties: + clusterResourceBlacklist: + description: ClusterResourceBlacklist contains list of blacklisted + cluster level resources + items: + description: GroupKind specifies a Group and a Kind, but does not + force a version. 
This is useful for identifying concepts during + lookup stages without having partially valid types + properties: + group: + type: string + kind: + type: string + required: + - group + - kind + type: object + type: array + clusterResourceWhitelist: + description: ClusterResourceWhitelist contains list of whitelisted + cluster level resources + items: + description: GroupKind specifies a Group and a Kind, but does not + force a version. This is useful for identifying concepts during + lookup stages without having partially valid types + properties: + group: + type: string + kind: + type: string + required: + - group + - kind + type: object + type: array + description: + description: Description contains optional project description + type: string + destinations: + description: Destinations contains list of destinations available + for deployment + items: + description: ApplicationDestination holds information about the + application's destination + properties: + name: + description: Name is an alternate way of specifying the target + cluster by its symbolic name + type: string + namespace: + description: Namespace specifies the target namespace for the + application's resources. The namespace will only be set for + namespace-scoped resources that have not set a value for .metadata.namespace + type: string + server: + description: Server specifies the URL of the target cluster + and must be set to the Kubernetes control plane API + type: string + type: object + type: array + namespaceResourceBlacklist: + description: NamespaceResourceBlacklist contains list of blacklisted + namespace level resources + items: + description: GroupKind specifies a Group and a Kind, but does not + force a version. 
This is useful for identifying concepts during + lookup stages without having partially valid types + properties: + group: + type: string + kind: + type: string + required: + - group + - kind + type: object + type: array + namespaceResourceWhitelist: + description: NamespaceResourceWhitelist contains list of whitelisted + namespace level resources + items: + description: GroupKind specifies a Group and a Kind, but does not + force a version. This is useful for identifying concepts during + lookup stages without having partially valid types + properties: + group: + type: string + kind: + type: string + required: + - group + - kind + type: object + type: array + orphanedResources: + description: OrphanedResources specifies if controller should monitor + orphaned resources of apps in this project + properties: + ignore: + description: Ignore contains a list of resources that are to be + excluded from orphaned resources monitoring + items: + description: OrphanedResourceKey is a reference to a resource + to be ignored from + properties: + group: + type: string + kind: + type: string + name: + type: string + type: object + type: array + warn: + description: Warn indicates if warning condition should be created + for apps which have orphaned resources + type: boolean + type: object + permitOnlyProjectScopedClusters: + description: PermitOnlyProjectScopedClusters determines whether destinations + can only reference clusters which are project-scoped + type: boolean + roles: + description: Roles are user defined RBAC roles associated with this + project + items: + description: ProjectRole represents a role that has access to a + project + properties: + description: + description: Description is a description of the role + type: string + groups: + description: Groups are a list of OIDC group claims bound to + this role + items: + type: string + type: array + jwtTokens: + description: JWTTokens are a list of generated JWT tokens bound + to this role + items: + description: 
JWTToken holds the issuedAt and expiresAt values + of a token + properties: + exp: + format: int64 + type: integer + iat: + format: int64 + type: integer + id: + type: string + required: + - iat + type: object + type: array + name: + description: Name is a name for this role + type: string + policies: + description: Policies Stores a list of casbin formatted strings + that define access policies for the role in the project + items: + type: string + type: array + required: + - name + type: object + type: array + signatureKeys: + description: SignatureKeys contains a list of PGP key IDs that commits + in Git must be signed with in order to be allowed for sync + items: + description: SignatureKey is the specification of a key required + to verify commit signatures with + properties: + keyID: + description: The ID of the key in hexadecimal notation + type: string + required: + - keyID + type: object + type: array + sourceNamespaces: + description: SourceNamespaces defines the namespaces application resources + are allowed to be created in + items: + type: string + type: array + sourceRepos: + description: SourceRepos contains list of repository URLs which can + be used for deployment + items: + type: string + type: array + syncWindows: + description: SyncWindows controls when syncs can be run for apps in + this project + items: + description: SyncWindow contains the kind, time, duration and attributes + that are used to assign the syncWindows to apps + properties: + applications: + description: Applications contains a list of applications that + the window will apply to + items: + type: string + type: array + clusters: + description: Clusters contains a list of clusters that the window + will apply to + items: + type: string + type: array + duration: + description: Duration is the amount of time the sync window + will be open + type: string + kind: + description: Kind defines if the window allows or blocks syncs + type: string + manualSync: + description: ManualSync 
enables manual syncs when they would + otherwise be blocked + type: boolean + namespaces: + description: Namespaces contains a list of namespaces that the + window will apply to + items: + type: string + type: array + schedule: + description: Schedule is the time the window will begin, specified + in cron format + type: string + timeZone: + description: TimeZone of the sync that will be applied to the + schedule + type: string + type: object + type: array + type: object + status: + description: AppProjectStatus contains status information for AppProject + CRs + properties: + jwtTokensByRole: + additionalProperties: + description: JWTTokens represents a list of JWT tokens + properties: + items: + items: + description: JWTToken holds the issuedAt and expiresAt values + of a token + properties: + exp: + format: int64 + type: integer + iat: + format: int64 + type: integer + id: + type: string + required: + - iat + type: object + type: array + type: object + description: JWTTokensByRole contains a list of JWT tokens issued + for a given role + type: object + type: object + required: + - metadata + - spec + type: object + served: true + storage: true \ No newline at end of file diff --git a/CRDs/certificates.yaml b/CRDs/certificates.yaml new file mode 100644 index 000000000..6fde71819 --- /dev/null +++ b/CRDs/certificates.yaml 
@@ -0,0 +1,368 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: certificates.cert-manager.io + labels: + app: certificates.cert-manager.io + app.kubernetes.io/name: certificates.cert-manager.io +spec: + group: cert-manager.io + names: + kind: Certificate + listKind: CertificateList + plural: certificates + shortNames: + - cert + - certs + singular: certificate + categories: + - cert-manager + scope: Namespaced + versions: + - name: v1 + subresources: + status: {} + additionalPrinterColumns: + - jsonPath: .status.conditions[?(@.type=="Ready")].status + name: Ready + type: string + - jsonPath: .spec.secretName + name: Secret + type: string + - jsonPath: .spec.issuerRef.name + name: Issuer + priority: 1 + type: string + - jsonPath: .status.conditions[?(@.type=="Ready")].message + name: Status + priority: 1 + type: string + - jsonPath: .metadata.creationTimestamp + description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. + name: Age + type: date + schema: + openAPIV3Schema: + description: "A Certificate resource should be created to ensure an up to date and signed x509 certificate is stored in the Kubernetes Secret resource named in `spec.secretName`. \n The stored certificate will be renewed before it expires (as configured by `spec.renewBefore`)." + type: object + required: + - spec + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Desired state of the Certificate resource. + type: object + required: + - issuerRef + - secretName + properties: + additionalOutputFormats: + description: AdditionalOutputFormats defines extra output formats of the private key and signed certificate chain to be written to this Certificate's target Secret. This is an Alpha Feature and is only enabled with the `--feature-gates=AdditionalCertificateOutputFormats=true` option on both the controller and webhook components. + type: array + items: + description: CertificateAdditionalOutputFormat defines an additional output format of a Certificate resource. These contain supplementary data formats of the signed certificate chain and paired private key. + type: object + required: + - type + properties: + type: + description: Type is the name of the format type that should be written to the Certificate's target Secret. + type: string + enum: + - DER + - CombinedPEM + commonName: + description: 'CommonName is a common name to be used on the Certificate. The CommonName should have a length of 64 characters or fewer to avoid generating invalid CSRs. This value is ignored by TLS clients when any subject alt name is set. This is x509 behaviour: https://tools.ietf.org/html/rfc6125#section-6.4.4' + type: string + dnsNames: + description: DNSNames is a list of DNS subjectAltNames to be set on the Certificate. + type: array + items: + type: string + duration: + description: The requested 'duration' (i.e. lifetime) of the Certificate. 
This option may be ignored/overridden by some issuer types. If unset this defaults to 90 days. Certificate will be renewed either 2/3 through its duration or `renewBefore` period before its expiry, whichever is later. Minimum accepted duration is 1 hour. Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration + type: string + emailAddresses: + description: EmailAddresses is a list of email subjectAltNames to be set on the Certificate. + type: array + items: + type: string + encodeUsagesInRequest: + description: EncodeUsagesInRequest controls whether key usages should be present in the CertificateRequest + type: boolean + ipAddresses: + description: IPAddresses is a list of IP address subjectAltNames to be set on the Certificate. + type: array + items: + type: string + isCA: + description: IsCA will mark this Certificate as valid for certificate signing. This will automatically add the `cert sign` usage to the list of `usages`. + type: boolean + issuerRef: + description: IssuerRef is a reference to the issuer for this certificate. If the `kind` field is not set, or set to `Issuer`, an Issuer resource with the given name in the same namespace as the Certificate will be used. If the `kind` field is set to `ClusterIssuer`, a ClusterIssuer with the provided name will be used. The `name` field in this stanza is required at all times. + type: object + required: + - name + properties: + group: + description: Group of the resource being referred to. + type: string + kind: + description: Kind of the resource being referred to. + type: string + name: + description: Name of the resource being referred to. + type: string + keystores: + description: Keystores configures additional keystore output formats stored in the `secretName` Secret resource. + type: object + properties: + jks: + description: JKS configures options for storing a JKS keystore in the `spec.secretName` Secret resource. 
+ type: object + required: + - create + - passwordSecretRef + properties: + create: + description: Create enables JKS keystore creation for the Certificate. If true, a file named `keystore.jks` will be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef`. The keystore file will be updated immediately. If the issuer provided a CA certificate, a file named `truststore.jks` will also be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef` containing the issuing Certificate Authority + type: boolean + passwordSecretRef: + description: PasswordSecretRef is a reference to a key in a Secret resource containing the password used to encrypt the JKS keystore. + type: object + required: + - name + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + pkcs12: + description: PKCS12 configures options for storing a PKCS12 keystore in the `spec.secretName` Secret resource. + type: object + required: + - create + - passwordSecretRef + properties: + create: + description: Create enables PKCS12 keystore creation for the Certificate. If true, a file named `keystore.p12` will be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef`. The keystore file will be updated immediately. 
If the issuer provided a CA certificate, a file named `truststore.p12` will also be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef` containing the issuing Certificate Authority + type: boolean + passwordSecretRef: + description: PasswordSecretRef is a reference to a key in a Secret resource containing the password used to encrypt the PKCS12 keystore. + type: object + required: + - name + properties: + key: + description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + literalSubject: + description: LiteralSubject is an LDAP formatted string that represents the [X.509 Subject field](https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.6). Use this *instead* of the Subject field if you need to ensure the correct ordering of the RDN sequence, such as when issuing certs for LDAP authentication. See https://github.com/cert-manager/cert-manager/issues/3203, https://github.com/cert-manager/cert-manager/issues/4424. This field is alpha level and is only supported by cert-manager installations where LiteralCertificateSubject feature gate is enabled on both cert-manager controller and webhook. + type: string + privateKey: + description: Options to control private keys used for the Certificate. + type: object + properties: + algorithm: + description: Algorithm is the private key algorithm of the corresponding private key for this certificate. If provided, allowed values are either `RSA`,`Ed25519` or `ECDSA` If `algorithm` is specified and `size` is not provided, key size of 256 will be used for `ECDSA` key algorithm and key size of 2048 will be used for `RSA` key algorithm. key size is ignored when using the `Ed25519` key algorithm. 
+ type: string + enum: + - RSA + - ECDSA + - Ed25519 + encoding: + description: The private key cryptography standards (PKCS) encoding for this certificate's private key to be encoded in. If provided, allowed values are `PKCS1` and `PKCS8` standing for PKCS#1 and PKCS#8, respectively. Defaults to `PKCS1` if not specified. + type: string + enum: + - PKCS1 + - PKCS8 + rotationPolicy: + description: RotationPolicy controls how private keys should be regenerated when a re-issuance is being processed. If set to Never, a private key will only be generated if one does not already exist in the target `spec.secretName`. If one does exists but it does not have the correct algorithm or size, a warning will be raised to await user intervention. If set to Always, a private key matching the specified requirements will be generated whenever a re-issuance occurs. Default is 'Never' for backward compatibility. + type: string + enum: + - Never + - Always + size: + description: Size is the key bit size of the corresponding private key for this certificate. If `algorithm` is set to `RSA`, valid values are `2048`, `4096` or `8192`, and will default to `2048` if not specified. If `algorithm` is set to `ECDSA`, valid values are `256`, `384` or `521`, and will default to `256` if not specified. If `algorithm` is set to `Ed25519`, Size is ignored. No other values are allowed. + type: integer + renewBefore: + description: How long before the currently issued certificate's expiry cert-manager should renew the certificate. The default is 2/3 of the issued certificate's duration. Minimum accepted value is 5 minutes. Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration + type: string + revisionHistoryLimit: + description: revisionHistoryLimit is the maximum number of CertificateRequest revisions that are maintained in the Certificate's history. 
Each revision represents a single `CertificateRequest` created by this Certificate, either when it was created, renewed, or Spec was changed. Revisions will be removed by oldest first if the number of revisions exceeds this number. If set, revisionHistoryLimit must be a value of `1` or greater. If unset (`nil`), revisions will not be garbage collected. Default value is `nil`. + type: integer + format: int32 + secretName: + description: SecretName is the name of the secret resource that will be automatically created and managed by this Certificate resource. It will be populated with a private key and certificate, signed by the denoted issuer. + type: string + secretTemplate: + description: SecretTemplate defines annotations and labels to be copied to the Certificate's Secret. Labels and annotations on the Secret will be changed as they appear on the SecretTemplate when added or removed. SecretTemplate annotations are added in conjunction with, and cannot overwrite, the base set of annotations cert-manager sets on the Certificate's Secret. + type: object + properties: + annotations: + description: Annotations is a key value map to be copied to the target Kubernetes Secret. + type: object + additionalProperties: + type: string + labels: + description: Labels is a key value map to be copied to the target Kubernetes Secret. + type: object + additionalProperties: + type: string + subject: + description: Full X509 name specification (https://golang.org/pkg/crypto/x509/pkix/#Name). + type: object + properties: + countries: + description: Countries to be used on the Certificate. + type: array + items: + type: string + localities: + description: Cities to be used on the Certificate. + type: array + items: + type: string + organizationalUnits: + description: Organizational Units to be used on the Certificate. + type: array + items: + type: string + organizations: + description: Organizations to be used on the Certificate. 
+ type: array + items: + type: string + postalCodes: + description: Postal codes to be used on the Certificate. + type: array + items: + type: string + provinces: + description: State/Provinces to be used on the Certificate. + type: array + items: + type: string + serialNumber: + description: Serial number to be used on the Certificate. + type: string + streetAddresses: + description: Street addresses to be used on the Certificate. + type: array + items: + type: string + uris: + description: URIs is a list of URI subjectAltNames to be set on the Certificate. + type: array + items: + type: string + usages: + description: Usages is the set of x509 usages that are requested for the certificate. Defaults to `digital signature` and `key encipherment` if not specified. + type: array + items: + description: "KeyUsage specifies valid usage contexts for keys. See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12 \n Valid KeyUsage values are as follows: \"signing\", \"digital signature\", \"content commitment\", \"key encipherment\", \"key agreement\", \"data encipherment\", \"cert sign\", \"crl sign\", \"encipher only\", \"decipher only\", \"any\", \"server auth\", \"client auth\", \"code signing\", \"email protection\", \"s/mime\", \"ipsec end system\", \"ipsec tunnel\", \"ipsec user\", \"timestamping\", \"ocsp signing\", \"microsoft sgc\", \"netscape sgc\"" + type: string + enum: + - signing + - digital signature + - content commitment + - key encipherment + - key agreement + - data encipherment + - cert sign + - crl sign + - encipher only + - decipher only + - any + - server auth + - client auth + - code signing + - email protection + - s/mime + - ipsec end system + - ipsec tunnel + - ipsec user + - timestamping + - ocsp signing + - microsoft sgc + - netscape sgc + status: + description: Status of the Certificate. This is set and managed automatically. 
+ type: object + properties: + conditions: + description: List of status conditions to indicate the status of certificates. Known condition types are `Ready` and `Issuing`. + type: array + items: + description: CertificateCondition contains condition information for an Certificate. + type: object + required: + - status + - type + properties: + lastTransitionTime: + description: LastTransitionTime is the timestamp corresponding to the last status change of this condition. + type: string + format: date-time + message: + description: Message is a human readable description of the details of the last transition, complementing reason. + type: string + observedGeneration: + description: If set, this represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.condition[x].observedGeneration is 9, the condition is out of date with respect to the current state of the Certificate. + type: integer + format: int64 + reason: + description: Reason is a brief machine readable explanation for the condition's last transition. + type: string + status: + description: Status of the condition, one of (`True`, `False`, `Unknown`). + type: string + enum: + - "True" + - "False" + - Unknown + type: + description: Type of the condition, known values are (`Ready`, `Issuing`). + type: string + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + failedIssuanceAttempts: + description: The number of continuous failed issuance attempts up till now. This field gets removed (if set) on a successful issuance and gets set to 1 if unset and an issuance has failed. If an issuance has failed, the delay till the next issuance will be calculated using formula time.Hour * 2 ^ (failedIssuanceAttempts - 1). + type: integer + lastFailureTime: + description: LastFailureTime is set only if the lastest issuance for this Certificate failed and contains the time of the failure. 
If an issuance has failed, the delay till the next issuance will be calculated using formula time.Hour * 2 ^ (failedIssuanceAttempts - 1). If the latest issuance has succeeded this field will be unset. + type: string + format: date-time + nextPrivateKeySecretName: + description: The name of the Secret resource containing the private key to be used for the next certificate iteration. The keymanager controller will automatically set this field if the `Issuing` condition is set to `True`. It will automatically unset this field when the Issuing condition is not set or False. + type: string + notAfter: + description: The expiration time of the certificate stored in the secret named by this resource in `spec.secretName`. + type: string + format: date-time + notBefore: + description: The time after which the certificate stored in the secret named by this resource in spec.secretName is valid. + type: string + format: date-time + renewalTime: + description: RenewalTime is the time at which the certificate will be next renewed. If not set, no upcoming renewal is scheduled. + type: string + format: date-time + revision: + description: "The current 'revision' of the certificate as issued. \n When a CertificateRequest resource is created, it will have the `cert-manager.io/certificate-revision` set to one greater than the current value of this field. \n Upon issuance, this field will be set to the value of the annotation on the CertificateRequest resource used to issue the certificate. \n Persisting the value on the CertificateRequest resource allows the certificates controller to know whether a request is part of an old issuance or if it is part of the ongoing revision's issuance by checking if the revision value in the annotation is greater than this field." + type: integer + served: true + storage: true \ No newline at end of file diff --git a/CRDs/cluster.yaml b/CRDs/cluster.yaml new file mode 100644 index 000000000..2014a2c92 --- /dev/null +++ b/CRDs/cluster.yaml 
@@ -0,0 +1,487 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + generation: 1 + name: clusters.provisioning.cattle.io +spec: + conversion: + strategy: None + group: provisioning.cattle.io + names: + kind: Cluster + listKind: ClusterList + plural: clusters + singular: cluster + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .status.ready + name: Ready + type: string + - jsonPath: .status.clientSecretName + name: Kubeconfig + type: string + name: v1 + schema: + openAPIV3Schema: + properties: + spec: + properties: + rkeConfig: + nullable: true + properties: + machinePools: + items: + properties: + cloudCredentialSecretName: + nullable: true + type: string + controlPlaneRole: + type: boolean + displayName: + nullable: true + type: string + drainBeforeDelete: + type: boolean + drainBeforeDeleteTimeout: + nullable: true + type: string + dynamicSchemaSpec: + nullable: true + type: string + etcdRole: + type: boolean + hostnameLengthLimit: + type: integer + labels: + additionalProperties: + nullable: true + type: string + nullable: true + type: object + machineConfigRef: + nullable: true + properties: + apiVersion: + nullable: true + type: string + fieldPath: + nullable: true + type: string + kind: + nullable: true + type: string + name: + nullable: true + type: string + namespace: + nullable: true + type: string + resourceVersion: + nullable: true + type: string + uid: + nullable: true + type: string + type: object + machineDeploymentAnnotations: + additionalProperties: + nullable: true + type: string + nullable: true + type: object + machineDeploymentLabels: + additionalProperties: + nullable: true + type: string + nullable: true + type: object + machineOS: + nullable: true + type: string + maxUnhealthy: + nullable: true + type: string + name: + nullable: true + type: string + nodeStartupTimeout: + nullable: true + type: string + paused: + type: boolean + quantity: + nullable: true + type: integer + 
rollingUpdate: + nullable: true + properties: + maxSurge: + nullable: true + type: string + maxUnavailable: + nullable: true + type: string + type: object + taints: + items: + properties: + effect: + nullable: true + type: string + key: + nullable: true + type: string + timeAdded: + nullable: true + type: string + value: + nullable: true + type: string + type: object + nullable: true + type: array + unhealthyNodeTimeout: + nullable: true + type: string + unhealthyRange: + nullable: true + type: string + workerRole: + type: boolean + required: + - machineConfigRef + - name + type: object + nullable: true + type: array + machineSelectorConfig: + items: + properties: + config: + nullable: true + type: object + x-kubernetes-preserve-unknown-fields: true + machineLabelSelector: + nullable: true + properties: + matchExpressions: + items: + properties: + key: + nullable: true + type: string + operator: + nullable: true + type: string + values: + items: + nullable: true + type: string + nullable: true + type: array + type: object + nullable: true + type: array + matchLabels: + additionalProperties: + nullable: true + type: string + nullable: true + type: object + type: object + type: object + nullable: true + type: array + machineSelectorFiles: + items: + properties: + fileSources: + items: + properties: + configMap: + properties: + defaultPermissions: + nullable: true + type: string + items: + items: + properties: + dynamic: + type: boolean + hash: + nullable: true + type: string + key: + nullable: true + type: string + path: + nullable: true + type: string + permissions: + nullable: true + type: string + type: object + nullable: true + type: array + name: + nullable: true + type: string + type: object + secret: + properties: + defaultPermissions: + nullable: true + type: string + items: + items: + properties: + dynamic: + type: boolean + hash: + nullable: true + type: string + key: + nullable: true + type: string + path: + nullable: true + type: string + permissions: + 
nullable: true + type: string + type: object + nullable: true + type: array + name: + nullable: true + type: string + type: object + type: object + nullable: true + type: array + machineLabelSelector: + nullable: true + properties: + matchExpressions: + items: + properties: + key: + nullable: true + type: string + operator: + nullable: true + type: string + values: + items: + nullable: true + type: string + nullable: true + type: array + type: object + nullable: true + type: array + matchLabels: + additionalProperties: + nullable: true + type: string + nullable: true + type: object + type: object + type: object + nullable: true + type: array + provisionGeneration: + type: integer + registries: + nullable: true + properties: + configs: + additionalProperties: + properties: + authConfigSecretName: + nullable: true + type: string + caBundle: + nullable: true + type: string + insecureSkipVerify: + type: boolean + tlsSecretName: + nullable: true + type: string + type: object + nullable: true + type: object + mirrors: + additionalProperties: + properties: + endpoint: + items: + nullable: true + type: string + nullable: true + type: array + rewrite: + additionalProperties: + nullable: true + type: string + nullable: true + type: object + type: object + nullable: true + type: object + type: object + rotateCertificates: + nullable: true + properties: + generation: + type: integer + services: + items: + nullable: true + type: string + nullable: true + type: array + type: object + rotateEncryptionKeys: + nullable: true + properties: + generation: + type: integer + type: object + upgradeStrategy: + properties: + controlPlaneConcurrency: + nullable: true + type: string + controlPlaneDrainOptions: + properties: + deleteEmptyDirData: + type: boolean + disableEviction: + type: boolean + enabled: + type: boolean + force: + type: boolean + gracePeriod: + type: integer + ignoreDaemonSets: + nullable: true + type: boolean + ignoreErrors: + type: boolean + postDrainHooks: + items: + 
properties: + annotation: + nullable: true + type: string + type: object + nullable: true + type: array + preDrainHooks: + items: + properties: + annotation: + nullable: true + type: string + type: object + nullable: true + type: array + skipWaitForDeleteTimeoutSeconds: + type: integer + timeout: + type: integer + type: object + workerConcurrency: + nullable: true + type: string + workerDrainOptions: + properties: + deleteEmptyDirData: + type: boolean + disableEviction: + type: boolean + enabled: + type: boolean + force: + type: boolean + gracePeriod: + type: integer + ignoreDaemonSets: + nullable: true + type: boolean + ignoreErrors: + type: boolean + postDrainHooks: + items: + properties: + annotation: + nullable: true + type: string + type: object + nullable: true + type: array + preDrainHooks: + items: + properties: + annotation: + nullable: true + type: string + type: object + nullable: true + type: array + skipWaitForDeleteTimeoutSeconds: + type: integer + timeout: + type: integer + type: object + type: object + type: object + type: object + status: + properties: + agentDeployed: + type: boolean + clientSecretName: + nullable: true + type: string + clusterName: + nullable: true + type: string + conditions: + items: + properties: + lastTransitionTime: + nullable: true + type: string + lastUpdateTime: + nullable: true + type: string + message: + nullable: true + type: string + reason: + nullable: true + type: string + status: + nullable: true + type: string + type: + nullable: true + type: string + type: object + nullable: true + type: array + observedGeneration: + type: integer + ready: + type: boolean + type: object + type: object + served: true + storage: true + subresources: + status: {} \ No newline at end of file diff --git a/CRDs/externalsecrets.yaml b/CRDs/externalsecrets.yaml new file mode 100644 index 000000000..8cf533cc6 --- /dev/null +++ b/CRDs/externalsecrets.yaml 
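Review bot: `metadata.generation: 1` at the top of this CRD is a server-populated field, and together with the defaulted `conversion: strategy: None` it suggests the manifest was exported from a live cluster (`kubectl get crd -o yaml`) rather than taken from a Rancher release artifact. Server-managed metadata should be stripped before committing (drop the `generation: 1` line), and the file should record which upstream release it was copied from so it can be diffed against source and refreshed; a header comment such as `# Source: rancher/rancher <tag> — clusters.provisioning.cattle.io, do not hand-edit` is enough. If this is only a chainsaw test fixture the risk is low, but an unpinned copy of a schema that allows arbitrary content via `x-kubernetes-preserve-unknown-fields: true` under `machineSelectorConfig.config` and exposes an `insecureSkipVerify` toggle under `registries.configs` is exactly the kind of file that drifts silently from upstream.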
@@ -0,0 +1,694 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.11.3 + name: externalsecrets.external-secrets.io +spec: + group: external-secrets.io + names: + categories: + - externalsecrets + kind: ExternalSecret + listKind: ExternalSecretList + plural: externalsecrets + shortNames: + - es + singular: externalsecret + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.secretStoreRef.name + name: Store + type: string + - jsonPath: .spec.refreshInterval + name: Refresh Interval + type: string + - jsonPath: .status.conditions[?(@.type=="Ready")].reason + name: Status + type: string + deprecated: true + name: v1alpha1 + schema: + openAPIV3Schema: + description: ExternalSecret is the Schema for the external-secrets API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ExternalSecretSpec defines the desired state of ExternalSecret. + properties: + data: + description: Data defines the connection between the Kubernetes Secret + keys and the Provider data + items: + description: ExternalSecretData defines the connection between the + Kubernetes Secret key (spec.data.) and the Provider data. 
+ properties: + remoteRef: + description: ExternalSecretDataRemoteRef defines Provider data + location. + properties: + conversionStrategy: + default: Default + description: Used to define a conversion Strategy + type: string + key: + description: Key is the key used in the Provider, mandatory + type: string + property: + description: Used to select a specific property of the Provider + value (if a map), if supported + type: string + version: + description: Used to select a specific version of the Provider + value, if supported + type: string + required: + - key + type: object + secretKey: + type: string + required: + - remoteRef + - secretKey + type: object + type: array + dataFrom: + description: DataFrom is used to fetch all properties from a specific + Provider data If multiple entries are specified, the Secret keys + are merged in the specified order + items: + description: ExternalSecretDataRemoteRef defines Provider data location. + properties: + conversionStrategy: + default: Default + description: Used to define a conversion Strategy + type: string + key: + description: Key is the key used in the Provider, mandatory + type: string + property: + description: Used to select a specific property of the Provider + value (if a map), if supported + type: string + version: + description: Used to select a specific version of the Provider + value, if supported + type: string + required: + - key + type: object + type: array + refreshInterval: + default: 1h + description: RefreshInterval is the amount of time before the values + are read again from the SecretStore provider Valid time units are + "ns", "us" (or "µs"), "ms", "s", "m", "h" May be set to zero to + fetch and create it once. Defaults to 1h. + type: string + secretStoreRef: + description: SecretStoreRef defines which SecretStore to fetch the + ExternalSecret data. 
+ properties: + kind: + description: Kind of the SecretStore resource (SecretStore or + ClusterSecretStore) Defaults to `SecretStore` + type: string + name: + description: Name of the SecretStore resource + type: string + required: + - name + type: object + target: + description: ExternalSecretTarget defines the Kubernetes Secret to + be created There can be only one target per ExternalSecret. + properties: + creationPolicy: + default: Owner + description: CreationPolicy defines rules on how to create the + resulting Secret Defaults to 'Owner' + type: string + immutable: + description: Immutable defines if the final secret will be immutable + type: boolean + name: + description: Name defines the name of the Secret resource to be + managed This field is immutable Defaults to the .metadata.name + of the ExternalSecret resource + type: string + template: + description: Template defines a blueprint for the created Secret + resource. + properties: + data: + additionalProperties: + type: string + type: object + engineVersion: + default: v1 + description: EngineVersion specifies the template engine version + that should be used to compile/execute the template specified + in .data and .templateFrom[]. + type: string + metadata: + description: ExternalSecretTemplateMetadata defines metadata + fields for the Secret blueprint. 
+ properties: + annotations: + additionalProperties: + type: string + type: object + labels: + additionalProperties: + type: string + type: object + type: object + templateFrom: + items: + maxProperties: 1 + minProperties: 1 + properties: + configMap: + properties: + items: + items: + properties: + key: + type: string + required: + - key + type: object + type: array + name: + type: string + required: + - items + - name + type: object + secret: + properties: + items: + items: + properties: + key: + type: string + required: + - key + type: object + type: array + name: + type: string + required: + - items + - name + type: object + type: object + type: array + type: + type: string + type: object + type: object + required: + - secretStoreRef + - target + type: object + status: + properties: + conditions: + items: + properties: + lastTransitionTime: + format: date-time + type: string + message: + type: string + reason: + type: string + status: + type: string + type: + type: string + required: + - status + - type + type: object + type: array + refreshTime: + description: refreshTime is the time and date the external secret + was fetched and the target secret updated + format: date-time + nullable: true + type: string + syncedResourceVersion: + description: SyncedResourceVersion keeps track of the last synced + version + type: string + type: object + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .spec.secretStoreRef.name + name: Store + type: string + - jsonPath: .spec.refreshInterval + name: Refresh Interval + type: string + - jsonPath: .status.conditions[?(@.type=="Ready")].reason + name: Status + type: string + - jsonPath: .status.conditions[?(@.type=="Ready")].status + name: Ready + type: string + name: v1beta1 + schema: + openAPIV3Schema: + description: ExternalSecret is the Schema for the external-secrets API. 
+ properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ExternalSecretSpec defines the desired state of ExternalSecret. + properties: + data: + description: Data defines the connection between the Kubernetes Secret + keys and the Provider data + items: + description: ExternalSecretData defines the connection between the + Kubernetes Secret key (spec.data.) and the Provider data. + properties: + remoteRef: + description: RemoteRef points to the remote secret and defines + which secret (version/property/..) to fetch. + properties: + conversionStrategy: + default: Default + description: Used to define a conversion Strategy + type: string + decodingStrategy: + default: None + description: Used to define a decoding Strategy + type: string + key: + description: Key is the key used in the Provider, mandatory + type: string + metadataPolicy: + description: Policy for fetching tags/labels from provider + secrets, possible options are Fetch, None. 
Defaults to + None + type: string + property: + description: Used to select a specific property of the Provider + value (if a map), if supported + type: string + version: + description: Used to select a specific version of the Provider + value, if supported + type: string + required: + - key + type: object + secretKey: + description: SecretKey defines the key in which the controller + stores the value. This is the key in the Kind=Secret + type: string + sourceRef: + description: SourceRef allows you to override the source from + which the value will pulled from. + maxProperties: 1 + properties: + generatorRef: + description: GeneratorRef points to a generator custom resource + in + properties: + apiVersion: + default: generators.external-secrets.io/v1alpha1 + description: Specify the apiVersion of the generator + resource + type: string + kind: + description: Specify the Kind of the resource, e.g. + Password, ACRAccessToken etc. + type: string + name: + description: Specify the name of the generator resource + type: string + required: + - kind + - name + type: object + storeRef: + description: SecretStoreRef defines which SecretStore to + fetch the ExternalSecret data. + properties: + kind: + description: Kind of the SecretStore resource (SecretStore + or ClusterSecretStore) Defaults to `SecretStore` + type: string + name: + description: Name of the SecretStore resource + type: string + required: + - name + type: object + type: object + required: + - remoteRef + - secretKey + type: object + type: array + dataFrom: + description: DataFrom is used to fetch all properties from a specific + Provider data If multiple entries are specified, the Secret keys + are merged in the specified order + items: + properties: + extract: + description: 'Used to extract multiple key/value pairs from + one secret Note: Extract does not support sourceRef.Generator + or sourceRef.GeneratorRef.' 
+ properties: + conversionStrategy: + default: Default + description: Used to define a conversion Strategy + type: string + decodingStrategy: + default: None + description: Used to define a decoding Strategy + type: string + key: + description: Key is the key used in the Provider, mandatory + type: string + metadataPolicy: + description: Policy for fetching tags/labels from provider + secrets, possible options are Fetch, None. Defaults to + None + type: string + property: + description: Used to select a specific property of the Provider + value (if a map), if supported + type: string + version: + description: Used to select a specific version of the Provider + value, if supported + type: string + required: + - key + type: object + find: + description: 'Used to find secrets based on tags or regular + expressions Note: Find does not support sourceRef.Generator + or sourceRef.GeneratorRef.' + properties: + conversionStrategy: + default: Default + description: Used to define a conversion Strategy + type: string + decodingStrategy: + default: None + description: Used to define a decoding Strategy + type: string + name: + description: Finds secrets based on the name. + properties: + regexp: + description: Finds secrets base + type: string + type: object + path: + description: A root path to start the find operations. + type: string + tags: + additionalProperties: + type: string + description: Find secrets based on tags. + type: object + type: object + rewrite: + description: Used to rewrite secret Keys after getting them + from the secret Provider Multiple Rewrite operations can be + provided. They are applied in a layered order (first to last) + items: + properties: + regexp: + description: Used to rewrite with regular expressions. + The resulting key will be the output of a regexp.ReplaceAll + operation. + properties: + source: + description: Used to define the regular expression + of a re.Compiler. 
+ type: string + target: + description: Used to define the target pattern of + a ReplaceAll operation. + type: string + required: + - source + - target + type: object + type: object + type: array + sourceRef: + description: SourceRef points to a store or generator which + contains secret values ready to use. Use this in combination + with Extract or Find pull values out of a specific SecretStore. + When sourceRef points to a generator Extract or Find is not + supported. The generator returns a static map of values + maxProperties: 1 + properties: + generatorRef: + description: GeneratorRef points to a generator custom resource + in + properties: + apiVersion: + default: generators.external-secrets.io/v1alpha1 + description: Specify the apiVersion of the generator + resource + type: string + kind: + description: Specify the Kind of the resource, e.g. + Password, ACRAccessToken etc. + type: string + name: + description: Specify the name of the generator resource + type: string + required: + - kind + - name + type: object + storeRef: + description: SecretStoreRef defines which SecretStore to + fetch the ExternalSecret data. + properties: + kind: + description: Kind of the SecretStore resource (SecretStore + or ClusterSecretStore) Defaults to `SecretStore` + type: string + name: + description: Name of the SecretStore resource + type: string + required: + - name + type: object + type: object + type: object + type: array + refreshInterval: + default: 1h + description: RefreshInterval is the amount of time before the values + are read again from the SecretStore provider Valid time units are + "ns", "us" (or "µs"), "ms", "s", "m", "h" May be set to zero to + fetch and create it once. Defaults to 1h. + type: string + secretStoreRef: + description: SecretStoreRef defines which SecretStore to fetch the + ExternalSecret data. 
+ properties: + kind: + description: Kind of the SecretStore resource (SecretStore or + ClusterSecretStore) Defaults to `SecretStore` + type: string + name: + description: Name of the SecretStore resource + type: string + required: + - name + type: object + target: + default: + creationPolicy: Owner + deletionPolicy: Retain + description: ExternalSecretTarget defines the Kubernetes Secret to + be created There can be only one target per ExternalSecret. + properties: + creationPolicy: + default: Owner + description: CreationPolicy defines rules on how to create the + resulting Secret Defaults to 'Owner' + enum: + - Owner + - Orphan + - Merge + - None + type: string + deletionPolicy: + default: Retain + description: DeletionPolicy defines rules on how to delete the + resulting Secret Defaults to 'Retain' + enum: + - Delete + - Merge + - Retain + type: string + immutable: + description: Immutable defines if the final secret will be immutable + type: boolean + name: + description: Name defines the name of the Secret resource to be + managed This field is immutable Defaults to the .metadata.name + of the ExternalSecret resource + type: string + template: + description: Template defines a blueprint for the created Secret + resource. + properties: + data: + additionalProperties: + type: string + type: object + engineVersion: + default: v2 + type: string + mergePolicy: + default: Replace + type: string + metadata: + description: ExternalSecretTemplateMetadata defines metadata + fields for the Secret blueprint. 
+ properties: + annotations: + additionalProperties: + type: string + type: object + labels: + additionalProperties: + type: string + type: object + type: object + templateFrom: + items: + properties: + configMap: + properties: + items: + items: + properties: + key: + type: string + templateAs: + default: Values + type: string + required: + - key + type: object + type: array + name: + type: string + required: + - items + - name + type: object + literal: + type: string + secret: + properties: + items: + items: + properties: + key: + type: string + templateAs: + default: Values + type: string + required: + - key + type: object + type: array + name: + type: string + required: + - items + - name + type: object + target: + default: Data + type: string + type: object + type: array + type: + type: string + type: object + type: object + type: object + status: + properties: + conditions: + items: + properties: + lastTransitionTime: + format: date-time + type: string + message: + type: string + reason: + type: string + status: + type: string + type: + type: string + required: + - status + - type + type: object + type: array + refreshTime: + description: refreshTime is the time and date the external secret + was fetched and the target secret updated + format: date-time + nullable: true + type: string + syncedResourceVersion: + description: SyncedResourceVersion keeps track of the last synced + version + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} diff --git a/CRDs/flux-repositories.yaml b/CRDs/flux-repositories.yaml new file mode 100644 index 000000000..9bc55e184 --- /dev/null +++ b/CRDs/flux-repositories.yaml 
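Review bot: The v1beta1 `target.template.templateFrom` items in this copy carry no `minProperties`/`maxProperties` constraint, whereas the v1alpha1 schema earlier in the hunk pins each entry to exactly one of `configMap`/`secret` (`maxProperties: 1`, `minProperties: 1`); that may well match the upstream external-secrets release this was taken from, but a reviewer cannot tell, because the file records only `controller-gen.kubebuilder.io/version: v0.11.3` and not the external-secrets version. Since this CRD governs how provider secrets are rendered into Kubernetes Secrets, please pin the provenance with a header comment, e.g. `# Source: external-secrets Helm chart <version> (crds/externalsecrets.yaml) — do not hand-edit`, so the fixture can be verified against the release rather than trusted as-is. The v1alpha1 version is marked `deprecated: true` with `storage: false`; if nothing in the tests creates v1alpha1 objects, consider dropping that version from the fixture to shrink what the tests install.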
@@ -0,0 +1,2656 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.0 + name: buckets.source.toolkit.fluxcd.io +spec: + group: source.toolkit.fluxcd.io + names: + kind: Bucket + listKind: BucketList + plural: buckets + singular: bucket + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.endpoint + name: Endpoint + type: string + - jsonPath: .status.conditions[?(@.type=="Ready")].status + name: Ready + type: string + - jsonPath: .status.conditions[?(@.type=="Ready")].message + name: Status + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + description: Bucket is the Schema for the buckets API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: BucketSpec defines the desired state of an S3 compatible + bucket + properties: + accessFrom: + description: AccessFrom defines an Access Control List for allowing + cross-namespace references to this object. + properties: + namespaceSelectors: + description: NamespaceSelectors is the list of namespace selectors + to which this ACL applies. Items in this list are evaluated + using a logical OR operation. 
+ items: + description: NamespaceSelector selects the namespaces to which + this ACL applies. An empty map of MatchLabels matches all + namespaces in a cluster. + properties: + matchLabels: + additionalProperties: + type: string + description: MatchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field is + "key", the operator is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + type: array + required: + - namespaceSelectors + type: object + bucketName: + description: The bucket name. + type: string + endpoint: + description: The bucket endpoint address. + type: string + ignore: + description: Ignore overrides the set of excluded patterns in the + .sourceignore format (which is the same as .gitignore). If not provided, + a default will be used, consult the documentation for your version + to find out what those are. + type: string + insecure: + description: Insecure allows connecting to a non-TLS S3 HTTP endpoint. + type: boolean + interval: + description: The interval at which to check for bucket updates. + type: string + provider: + default: generic + description: The S3 compatible storage provider name, default ('generic'). + enum: + - generic + - aws + - gcp + type: string + region: + description: The bucket region. + type: string + secretRef: + description: The name of the secret containing authentication credentials + for the Bucket. + properties: + name: + description: Name of the referent. + type: string + required: + - name + type: object + suspend: + description: This flag tells the controller to suspend the reconciliation + of this source. + type: boolean + timeout: + default: 60s + description: The timeout for download operations, defaults to 60s. 
+ type: string + required: + - bucketName + - endpoint + - interval + type: object + status: + default: + observedGeneration: -1 + description: BucketStatus defines the observed state of a bucket + properties: + artifact: + description: Artifact represents the output of the last successful + Bucket sync. + properties: + checksum: + description: Checksum is the SHA256 checksum of the artifact. + type: string + lastUpdateTime: + description: LastUpdateTime is the timestamp corresponding to + the last update of this artifact. + format: date-time + type: string + path: + description: Path is the relative file path of this artifact. + type: string + revision: + description: Revision is a human readable identifier traceable + in the origin source system. It can be a Git commit SHA, Git + tag, a Helm index timestamp, a Helm chart version, etc. + type: string + url: + description: URL is the HTTP address of this artifact. + type: string + required: + - path + - url + type: object + conditions: + description: Conditions holds the conditions for the Bucket. + items: + description: "Condition contains details for one aspect of the current + state of this API Resource. --- This struct is intended for direct + use as an array at the field path .status.conditions. For example, + \n type FooStatus struct{ // Represents the observations of a + foo's current state. // Known .status.conditions.type are: \"Available\", + \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge + // +listType=map // +listMapKey=type Conditions []metav1.Condition + `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" + protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. 
If that is not known, then + using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. 
The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + lastHandledReconcileAt: + description: LastHandledReconcileAt holds the value of the most recent + reconcile request value, so a change of the annotation value can + be detected. + type: string + observedGeneration: + description: ObservedGeneration is the last observed generation. + format: int64 + type: integer + url: + description: URL is the download link for the artifact output of the + last Bucket sync. + type: string + type: object + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .spec.endpoint + name: Endpoint + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - jsonPath: .status.conditions[?(@.type=="Ready")].status + name: Ready + type: string + - jsonPath: .status.conditions[?(@.type=="Ready")].message + name: Status + type: string + name: v1beta2 + schema: + openAPIV3Schema: + description: Bucket is the Schema for the buckets API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: BucketSpec specifies the required configuration to produce + an Artifact for an object storage bucket. + properties: + accessFrom: + description: 'AccessFrom specifies an Access Control List for allowing + cross-namespace references to this object. NOTE: Not implemented, + provisional as of https://github.com/fluxcd/flux2/pull/2092' + properties: + namespaceSelectors: + description: NamespaceSelectors is the list of namespace selectors + to which this ACL applies. Items in this list are evaluated + using a logical OR operation. + items: + description: NamespaceSelector selects the namespaces to which + this ACL applies. An empty map of MatchLabels matches all + namespaces in a cluster. + properties: + matchLabels: + additionalProperties: + type: string + description: MatchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field is + "key", the operator is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + type: array + required: + - namespaceSelectors + type: object + bucketName: + description: BucketName is the name of the object storage bucket. + type: string + endpoint: + description: Endpoint is the object storage address the BucketName + is located at. + type: string + ignore: + description: Ignore overrides the set of excluded patterns in the + .sourceignore format (which is the same as .gitignore). If not provided, + a default will be used, consult the documentation for your version + to find out what those are. + type: string + insecure: + description: Insecure allows connecting to a non-TLS HTTP Endpoint. + type: boolean + interval: + description: Interval at which to check the Endpoint for updates. 
+ pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ + type: string + provider: + default: generic + description: Provider of the object storage bucket. Defaults to 'generic', + which expects an S3 (API) compatible object storage. + enum: + - generic + - aws + - gcp + - azure + type: string + region: + description: Region of the Endpoint where the BucketName is located + in. + type: string + secretRef: + description: SecretRef specifies the Secret containing authentication + credentials for the Bucket. + properties: + name: + description: Name of the referent. + type: string + required: + - name + type: object + suspend: + description: Suspend tells the controller to suspend the reconciliation + of this Bucket. + type: boolean + timeout: + default: 60s + description: Timeout for fetch operations, defaults to 60s. + pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m))+$ + type: string + required: + - bucketName + - endpoint + - interval + type: object + status: + default: + observedGeneration: -1 + description: BucketStatus records the observed state of a Bucket. + properties: + artifact: + description: Artifact represents the last successful Bucket reconciliation. + properties: + digest: + description: Digest is the digest of the file in the form of ':'. + pattern: ^[a-z0-9]+(?:[.+_-][a-z0-9]+)*:[a-zA-Z0-9=_-]+$ + type: string + lastUpdateTime: + description: LastUpdateTime is the timestamp corresponding to + the last update of the Artifact. + format: date-time + type: string + metadata: + additionalProperties: + type: string + description: Metadata holds upstream information such as OCI annotations. + type: object + path: + description: Path is the relative file path of the Artifact. It + can be used to locate the file in the root of the Artifact storage + on the local file system of the controller managing the Source. + type: string + revision: + description: Revision is a human-readable identifier traceable + in the origin source system. 
It can be a Git commit SHA, Git + tag, a Helm chart version, etc. + type: string + size: + description: Size is the number of bytes in the file. + format: int64 + type: integer + url: + description: URL is the HTTP address of the Artifact as exposed + by the controller managing the Source. It can be used to retrieve + the Artifact for consumption, e.g. by another controller applying + the Artifact contents. + type: string + required: + - lastUpdateTime + - path + - revision + - url + type: object + conditions: + description: Conditions holds the conditions for the Bucket. + items: + description: "Condition contains details for one aspect of the current + state of this API Resource. --- This struct is intended for direct + use as an array at the field path .status.conditions. For example, + \n type FooStatus struct{ // Represents the observations of a + foo's current state. // Known .status.conditions.type are: \"Available\", + \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge + // +listType=map // +listMapKey=type Conditions []metav1.Condition + `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" + protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. 
For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + lastHandledReconcileAt: + description: LastHandledReconcileAt holds the value of the most recent + reconcile request value, so a change of the annotation value can + be detected. + type: string + observedGeneration: + description: ObservedGeneration is the last observed generation of + the Bucket object. + format: int64 + type: integer + observedIgnore: + description: ObservedIgnore is the observed exclusion patterns used + for constructing the source artifact. 
+ type: string + url: + description: URL is the dynamic fetch link for the latest Artifact. + It is provided on a "best effort" basis, and using the precise BucketStatus.Artifact + data is recommended. + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.0 + name: gitrepositories.source.toolkit.fluxcd.io +spec: + group: source.toolkit.fluxcd.io + names: + kind: GitRepository + listKind: GitRepositoryList + plural: gitrepositories + shortNames: + - gitrepo + singular: gitrepository + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.url + name: URL + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - jsonPath: .status.conditions[?(@.type=="Ready")].status + name: Ready + type: string + - jsonPath: .status.conditions[?(@.type=="Ready")].message + name: Status + type: string + name: v1 + schema: + openAPIV3Schema: + description: GitRepository is the Schema for the gitrepositories API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: GitRepositorySpec specifies the required configuration to + produce an Artifact for a Git repository. 
+ properties: + ignore: + description: Ignore overrides the set of excluded patterns in the + .sourceignore format (which is the same as .gitignore). If not provided, + a default will be used, consult the documentation for your version + to find out what those are. + type: string + include: + description: Include specifies a list of GitRepository resources which + Artifacts should be included in the Artifact produced for this GitRepository. + items: + description: GitRepositoryInclude specifies a local reference to + a GitRepository which Artifact (sub-)contents must be included, + and where they should be placed. + properties: + fromPath: + description: FromPath specifies the path to copy contents from, + defaults to the root of the Artifact. + type: string + repository: + description: GitRepositoryRef specifies the GitRepository which + Artifact contents must be included. + properties: + name: + description: Name of the referent. + type: string + required: + - name + type: object + toPath: + description: ToPath specifies the path to copy contents to, + defaults to the name of the GitRepositoryRef. + type: string + required: + - repository + type: object + type: array + interval: + description: Interval at which to check the GitRepository for updates. + pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ + type: string + recurseSubmodules: + description: RecurseSubmodules enables the initialization of all submodules + within the GitRepository as cloned from the URL, using their default + settings. + type: boolean + ref: + description: Reference specifies the Git reference to resolve and + monitor for changes, defaults to the 'master' branch. + properties: + branch: + description: Branch to check out, defaults to 'master' if no other + field is defined. + type: string + commit: + description: "Commit SHA to check out, takes precedence over all + reference fields. \n This can be combined with Branch to shallow + clone the branch, in which the commit is expected to exist." 
+ type: string + name: + description: "Name of the reference to check out; takes precedence + over Branch, Tag and SemVer. \n It must be a valid Git reference: + https://git-scm.com/docs/git-check-ref-format#_description Examples: + \"refs/heads/main\", \"refs/tags/v0.1.0\", \"refs/pull/420/head\", + \"refs/merge-requests/1/head\"" + type: string + semver: + description: SemVer tag expression to check out, takes precedence + over Tag. + type: string + tag: + description: Tag to check out, takes precedence over Branch. + type: string + type: object + secretRef: + description: SecretRef specifies the Secret containing authentication + credentials for the GitRepository. For HTTPS repositories the Secret + must contain 'username' and 'password' fields for basic auth or + 'bearerToken' field for token auth. For SSH repositories the Secret + must contain 'identity' and 'known_hosts' fields. + properties: + name: + description: Name of the referent. + type: string + required: + - name + type: object + suspend: + description: Suspend tells the controller to suspend the reconciliation + of this GitRepository. + type: boolean + timeout: + default: 60s + description: Timeout for Git operations like cloning, defaults to + 60s. + pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m))+$ + type: string + url: + description: URL specifies the Git repository URL, it can be an HTTP/S + or SSH address. + pattern: ^(http|https|ssh)://.*$ + type: string + verify: + description: Verification specifies the configuration to verify the + Git commit signature(s). + properties: + mode: + description: Mode specifies what Git object should be verified, + currently ('head'). + enum: + - head + type: string + secretRef: + description: SecretRef specifies the Secret containing the public + keys of trusted Git authors. + properties: + name: + description: Name of the referent. 
+ type: string + required: + - name + type: object + required: + - mode + - secretRef + type: object + required: + - interval + - url + type: object + status: + default: + observedGeneration: -1 + description: GitRepositoryStatus records the observed state of a Git repository. + properties: + artifact: + description: Artifact represents the last successful GitRepository + reconciliation. + properties: + digest: + description: Digest is the digest of the file in the form of ':'. + pattern: ^[a-z0-9]+(?:[.+_-][a-z0-9]+)*:[a-zA-Z0-9=_-]+$ + type: string + lastUpdateTime: + description: LastUpdateTime is the timestamp corresponding to + the last update of the Artifact. + format: date-time + type: string + metadata: + additionalProperties: + type: string + description: Metadata holds upstream information such as OCI annotations. + type: object + path: + description: Path is the relative file path of the Artifact. It + can be used to locate the file in the root of the Artifact storage + on the local file system of the controller managing the Source. + type: string + revision: + description: Revision is a human-readable identifier traceable + in the origin source system. It can be a Git commit SHA, Git + tag, a Helm chart version, etc. + type: string + size: + description: Size is the number of bytes in the file. + format: int64 + type: integer + url: + description: URL is the HTTP address of the Artifact as exposed + by the controller managing the Source. It can be used to retrieve + the Artifact for consumption, e.g. by another controller applying + the Artifact contents. + type: string + required: + - lastUpdateTime + - path + - revision + - url + type: object + conditions: + description: Conditions holds the conditions for the GitRepository. + items: + description: "Condition contains details for one aspect of the current + state of this API Resource. --- This struct is intended for direct + use as an array at the field path .status.conditions. 
For example, + \n type FooStatus struct{ // Represents the observations of a + foo's current state. // Known .status.conditions.type are: \"Available\", + \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge + // +listType=map // +listMapKey=type Conditions []metav1.Condition + `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" + protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. 
+ --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + includedArtifacts: + description: IncludedArtifacts contains a list of the last successfully + included Artifacts as instructed by GitRepositorySpec.Include. + items: + description: Artifact represents the output of a Source reconciliation. + properties: + digest: + description: Digest is the digest of the file in the form of + ':'. + pattern: ^[a-z0-9]+(?:[.+_-][a-z0-9]+)*:[a-zA-Z0-9=_-]+$ + type: string + lastUpdateTime: + description: LastUpdateTime is the timestamp corresponding to + the last update of the Artifact. + format: date-time + type: string + metadata: + additionalProperties: + type: string + description: Metadata holds upstream information such as OCI + annotations. + type: object + path: + description: Path is the relative file path of the Artifact. + It can be used to locate the file in the root of the Artifact + storage on the local file system of the controller managing + the Source. + type: string + revision: + description: Revision is a human-readable identifier traceable + in the origin source system. It can be a Git commit SHA, Git + tag, a Helm chart version, etc. + type: string + size: + description: Size is the number of bytes in the file. + format: int64 + type: integer + url: + description: URL is the HTTP address of the Artifact as exposed + by the controller managing the Source. It can be used to retrieve + the Artifact for consumption, e.g. by another controller applying + the Artifact contents. 
+ type: string + required: + - lastUpdateTime + - path + - revision + - url + type: object + type: array + lastHandledReconcileAt: + description: LastHandledReconcileAt holds the value of the most recent + reconcile request value, so a change of the annotation value can + be detected. + type: string + observedGeneration: + description: ObservedGeneration is the last observed generation of + the GitRepository object. + format: int64 + type: integer + observedIgnore: + description: ObservedIgnore is the observed exclusion patterns used + for constructing the source artifact. + type: string + observedInclude: + description: ObservedInclude is the observed list of GitRepository + resources used to produce the current Artifact. + items: + description: GitRepositoryInclude specifies a local reference to + a GitRepository which Artifact (sub-)contents must be included, + and where they should be placed. + properties: + fromPath: + description: FromPath specifies the path to copy contents from, + defaults to the root of the Artifact. + type: string + repository: + description: GitRepositoryRef specifies the GitRepository which + Artifact contents must be included. + properties: + name: + description: Name of the referent. + type: string + required: + - name + type: object + toPath: + description: ToPath specifies the path to copy contents to, + defaults to the name of the GitRepositoryRef. + type: string + required: + - repository + type: object + type: array + observedRecurseSubmodules: + description: ObservedRecurseSubmodules is the observed resource submodules + configuration used to produce the current Artifact. 
+ type: boolean + type: object + type: object + served: true + storage: true + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .spec.url + name: URL + type: string + - jsonPath: .status.conditions[?(@.type=="Ready")].status + name: Ready + type: string + - jsonPath: .status.conditions[?(@.type=="Ready")].message + name: Status + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + deprecated: true + deprecationWarning: v1beta1 GitRepository is deprecated, upgrade to v1 + name: v1beta1 + schema: + openAPIV3Schema: + description: GitRepository is the Schema for the gitrepositories API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: GitRepositorySpec defines the desired state of a Git repository. + properties: + accessFrom: + description: AccessFrom defines an Access Control List for allowing + cross-namespace references to this object. + properties: + namespaceSelectors: + description: NamespaceSelectors is the list of namespace selectors + to which this ACL applies. Items in this list are evaluated + using a logical OR operation. + items: + description: NamespaceSelector selects the namespaces to which + this ACL applies. An empty map of MatchLabels matches all + namespaces in a cluster. 
+ properties: + matchLabels: + additionalProperties: + type: string + description: MatchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field is + "key", the operator is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + type: array + required: + - namespaceSelectors + type: object + gitImplementation: + default: go-git + description: Determines which git client library to use. Defaults + to go-git, valid values are ('go-git', 'libgit2'). + enum: + - go-git + - libgit2 + type: string + ignore: + description: Ignore overrides the set of excluded patterns in the + .sourceignore format (which is the same as .gitignore). If not provided, + a default will be used, consult the documentation for your version + to find out what those are. + type: string + include: + description: Extra git repositories to map into the repository + items: + description: GitRepositoryInclude defines a source with a from and + to path. + properties: + fromPath: + description: The path to copy contents from, defaults to the + root directory. + type: string + repository: + description: Reference to a GitRepository to include. + properties: + name: + description: Name of the referent. + type: string + required: + - name + type: object + toPath: + description: The path to copy contents to, defaults to the name + of the source ref. + type: string + required: + - repository + type: object + type: array + interval: + description: The interval at which to check for repository updates. + type: string + recurseSubmodules: + description: When enabled, after the clone is created, initializes + all submodules within, using their default settings. This option + is available only when using the 'go-git' GitImplementation. + type: boolean + ref: + description: The Git reference to checkout and monitor for changes, + defaults to master branch. 
+ properties: + branch: + description: The Git branch to checkout, defaults to master. + type: string + commit: + description: The Git commit SHA to checkout, if specified Tag + filters will be ignored. + type: string + semver: + description: The Git tag semver expression, takes precedence over + Tag. + type: string + tag: + description: The Git tag to checkout, takes precedence over Branch. + type: string + type: object + secretRef: + description: The secret name containing the Git credentials. For HTTPS + repositories the secret must contain username and password fields. + For SSH repositories the secret must contain identity and known_hosts + fields. + properties: + name: + description: Name of the referent. + type: string + required: + - name + type: object + suspend: + description: This flag tells the controller to suspend the reconciliation + of this source. + type: boolean + timeout: + default: 60s + description: The timeout for remote Git operations like cloning, defaults + to 60s. + type: string + url: + description: The repository URL, can be a HTTP/S or SSH address. + pattern: ^(http|https|ssh)://.*$ + type: string + verify: + description: Verify OpenPGP signature for the Git commit HEAD points + to. + properties: + mode: + description: Mode describes what git object should be verified, + currently ('head'). + enum: + - head + type: string + secretRef: + description: The secret name containing the public keys of all + trusted Git authors. + properties: + name: + description: Name of the referent. + type: string + required: + - name + type: object + required: + - mode + type: object + required: + - interval + - url + type: object + status: + default: + observedGeneration: -1 + description: GitRepositoryStatus defines the observed state of a Git repository. + properties: + artifact: + description: Artifact represents the output of the last successful + repository sync. 
+ properties: + checksum: + description: Checksum is the SHA256 checksum of the artifact. + type: string + lastUpdateTime: + description: LastUpdateTime is the timestamp corresponding to + the last update of this artifact. + format: date-time + type: string + path: + description: Path is the relative file path of this artifact. + type: string + revision: + description: Revision is a human readable identifier traceable + in the origin source system. It can be a Git commit SHA, Git + tag, a Helm index timestamp, a Helm chart version, etc. + type: string + url: + description: URL is the HTTP address of this artifact. + type: string + required: + - path + - url + type: object + conditions: + description: Conditions holds the conditions for the GitRepository. + items: + description: "Condition contains details for one aspect of the current + state of this API Resource. --- This struct is intended for direct + use as an array at the field path .status.conditions. For example, + \n type FooStatus struct{ // Represents the observations of a + foo's current state. // Known .status.conditions.type are: \"Available\", + \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge + // +listType=map // +listMapKey=type Conditions []metav1.Condition + `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" + protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. 
+ maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + includedArtifacts: + description: IncludedArtifacts represents the included artifacts from + the last successful repository sync. + items: + description: Artifact represents the output of a source synchronisation. + properties: + checksum: + description: Checksum is the SHA256 checksum of the artifact. 
+ type: string + lastUpdateTime: + description: LastUpdateTime is the timestamp corresponding to + the last update of this artifact. + format: date-time + type: string + path: + description: Path is the relative file path of this artifact. + type: string + revision: + description: Revision is a human readable identifier traceable + in the origin source system. It can be a Git commit SHA, Git + tag, a Helm index timestamp, a Helm chart version, etc. + type: string + url: + description: URL is the HTTP address of this artifact. + type: string + required: + - path + - url + type: object + type: array + lastHandledReconcileAt: + description: LastHandledReconcileAt holds the value of the most recent + reconcile request value, so a change of the annotation value can + be detected. + type: string + observedGeneration: + description: ObservedGeneration is the last observed generation. + format: int64 + type: integer + url: + description: URL is the download link for the artifact output of the + last repository sync. + type: string + type: object + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .spec.url + name: URL + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - jsonPath: .status.conditions[?(@.type=="Ready")].status + name: Ready + type: string + - jsonPath: .status.conditions[?(@.type=="Ready")].message + name: Status + type: string + deprecated: true + deprecationWarning: v1beta2 GitRepository is deprecated, upgrade to v1 + name: v1beta2 + schema: + openAPIV3Schema: + description: GitRepository is the Schema for the gitrepositories API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: GitRepositorySpec specifies the required configuration to + produce an Artifact for a Git repository. + properties: + accessFrom: + description: 'AccessFrom specifies an Access Control List for allowing + cross-namespace references to this object. NOTE: Not implemented, + provisional as of https://github.com/fluxcd/flux2/pull/2092' + properties: + namespaceSelectors: + description: NamespaceSelectors is the list of namespace selectors + to which this ACL applies. Items in this list are evaluated + using a logical OR operation. + items: + description: NamespaceSelector selects the namespaces to which + this ACL applies. An empty map of MatchLabels matches all + namespaces in a cluster. + properties: + matchLabels: + additionalProperties: + type: string + description: MatchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field is + "key", the operator is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + type: array + required: + - namespaceSelectors + type: object + gitImplementation: + default: go-git + description: 'GitImplementation specifies which Git client library + implementation to use. Defaults to ''go-git'', valid values are + (''go-git'', ''libgit2''). Deprecated: gitImplementation is deprecated + now that ''go-git'' is the only supported implementation.' 
+ enum: + - go-git + - libgit2 + type: string + ignore: + description: Ignore overrides the set of excluded patterns in the + .sourceignore format (which is the same as .gitignore). If not provided, + a default will be used, consult the documentation for your version + to find out what those are. + type: string + include: + description: Include specifies a list of GitRepository resources which + Artifacts should be included in the Artifact produced for this GitRepository. + items: + description: GitRepositoryInclude specifies a local reference to + a GitRepository which Artifact (sub-)contents must be included, + and where they should be placed. + properties: + fromPath: + description: FromPath specifies the path to copy contents from, + defaults to the root of the Artifact. + type: string + repository: + description: GitRepositoryRef specifies the GitRepository which + Artifact contents must be included. + properties: + name: + description: Name of the referent. + type: string + required: + - name + type: object + toPath: + description: ToPath specifies the path to copy contents to, + defaults to the name of the GitRepositoryRef. + type: string + required: + - repository + type: object + type: array + interval: + description: Interval at which to check the GitRepository for updates. + pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ + type: string + recurseSubmodules: + description: RecurseSubmodules enables the initialization of all submodules + within the GitRepository as cloned from the URL, using their default + settings. + type: boolean + ref: + description: Reference specifies the Git reference to resolve and + monitor for changes, defaults to the 'master' branch. + properties: + branch: + description: Branch to check out, defaults to 'master' if no other + field is defined. + type: string + commit: + description: "Commit SHA to check out, takes precedence over all + reference fields. 
\n This can be combined with Branch to shallow + clone the branch, in which the commit is expected to exist." + type: string + name: + description: "Name of the reference to check out; takes precedence + over Branch, Tag and SemVer. \n It must be a valid Git reference: + https://git-scm.com/docs/git-check-ref-format#_description Examples: + \"refs/heads/main\", \"refs/tags/v0.1.0\", \"refs/pull/420/head\", + \"refs/merge-requests/1/head\"" + type: string + semver: + description: SemVer tag expression to check out, takes precedence + over Tag. + type: string + tag: + description: Tag to check out, takes precedence over Branch. + type: string + type: object + secretRef: + description: SecretRef specifies the Secret containing authentication + credentials for the GitRepository. For HTTPS repositories the Secret + must contain 'username' and 'password' fields for basic auth or + 'bearerToken' field for token auth. For SSH repositories the Secret + must contain 'identity' and 'known_hosts' fields. + properties: + name: + description: Name of the referent. + type: string + required: + - name + type: object + suspend: + description: Suspend tells the controller to suspend the reconciliation + of this GitRepository. + type: boolean + timeout: + default: 60s + description: Timeout for Git operations like cloning, defaults to + 60s. + pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m))+$ + type: string + url: + description: URL specifies the Git repository URL, it can be an HTTP/S + or SSH address. + pattern: ^(http|https|ssh)://.*$ + type: string + verify: + description: Verification specifies the configuration to verify the + Git commit signature(s). + properties: + mode: + description: Mode specifies what Git object should be verified, + currently ('head'). + enum: + - head + type: string + secretRef: + description: SecretRef specifies the Secret containing the public + keys of trusted Git authors. + properties: + name: + description: Name of the referent. 
+ type: string + required: + - name + type: object + required: + - mode + - secretRef + type: object + required: + - interval + - url + type: object + status: + default: + observedGeneration: -1 + description: GitRepositoryStatus records the observed state of a Git repository. + properties: + artifact: + description: Artifact represents the last successful GitRepository + reconciliation. + properties: + digest: + description: Digest is the digest of the file in the form of ':'. + pattern: ^[a-z0-9]+(?:[.+_-][a-z0-9]+)*:[a-zA-Z0-9=_-]+$ + type: string + lastUpdateTime: + description: LastUpdateTime is the timestamp corresponding to + the last update of the Artifact. + format: date-time + type: string + metadata: + additionalProperties: + type: string + description: Metadata holds upstream information such as OCI annotations. + type: object + path: + description: Path is the relative file path of the Artifact. It + can be used to locate the file in the root of the Artifact storage + on the local file system of the controller managing the Source. + type: string + revision: + description: Revision is a human-readable identifier traceable + in the origin source system. It can be a Git commit SHA, Git + tag, a Helm chart version, etc. + type: string + size: + description: Size is the number of bytes in the file. + format: int64 + type: integer + url: + description: URL is the HTTP address of the Artifact as exposed + by the controller managing the Source. It can be used to retrieve + the Artifact for consumption, e.g. by another controller applying + the Artifact contents. + type: string + required: + - lastUpdateTime + - path + - revision + - url + type: object + conditions: + description: Conditions holds the conditions for the GitRepository. + items: + description: "Condition contains details for one aspect of the current + state of this API Resource. --- This struct is intended for direct + use as an array at the field path .status.conditions. 
For example, + \n type FooStatus struct{ // Represents the observations of a + foo's current state. // Known .status.conditions.type are: \"Available\", + \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge + // +listType=map // +listMapKey=type Conditions []metav1.Condition + `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" + protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. 
+ --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + contentConfigChecksum: + description: "ContentConfigChecksum is a checksum of all the configurations + related to the content of the source artifact: - .spec.ignore - + .spec.recurseSubmodules - .spec.included and the checksum of the + included artifacts observed in .status.observedGeneration version + of the object. This can be used to determine if the content of the + included repository has changed. It has the format of `:`, + for example: `sha256:`. \n Deprecated: Replaced with explicit + fields for observed artifact content config in the status." + type: string + includedArtifacts: + description: IncludedArtifacts contains a list of the last successfully + included Artifacts as instructed by GitRepositorySpec.Include. + items: + description: Artifact represents the output of a Source reconciliation. + properties: + digest: + description: Digest is the digest of the file in the form of + ':'. + pattern: ^[a-z0-9]+(?:[.+_-][a-z0-9]+)*:[a-zA-Z0-9=_-]+$ + type: string + lastUpdateTime: + description: LastUpdateTime is the timestamp corresponding to + the last update of the Artifact. + format: date-time + type: string + metadata: + additionalProperties: + type: string + description: Metadata holds upstream information such as OCI + annotations. + type: object + path: + description: Path is the relative file path of the Artifact. 
+ It can be used to locate the file in the root of the Artifact + storage on the local file system of the controller managing + the Source. + type: string + revision: + description: Revision is a human-readable identifier traceable + in the origin source system. It can be a Git commit SHA, Git + tag, a Helm chart version, etc. + type: string + size: + description: Size is the number of bytes in the file. + format: int64 + type: integer + url: + description: URL is the HTTP address of the Artifact as exposed + by the controller managing the Source. It can be used to retrieve + the Artifact for consumption, e.g. by another controller applying + the Artifact contents. + type: string + required: + - lastUpdateTime + - path + - revision + - url + type: object + type: array + lastHandledReconcileAt: + description: LastHandledReconcileAt holds the value of the most recent + reconcile request value, so a change of the annotation value can + be detected. + type: string + observedGeneration: + description: ObservedGeneration is the last observed generation of + the GitRepository object. + format: int64 + type: integer + observedIgnore: + description: ObservedIgnore is the observed exclusion patterns used + for constructing the source artifact. + type: string + observedInclude: + description: ObservedInclude is the observed list of GitRepository + resources used to to produce the current Artifact. + items: + description: GitRepositoryInclude specifies a local reference to + a GitRepository which Artifact (sub-)contents must be included, + and where they should be placed. + properties: + fromPath: + description: FromPath specifies the path to copy contents from, + defaults to the root of the Artifact. + type: string + repository: + description: GitRepositoryRef specifies the GitRepository which + Artifact contents must be included. + properties: + name: + description: Name of the referent. 
+ type: string + required: + - name + type: object + toPath: + description: ToPath specifies the path to copy contents to, + defaults to the name of the GitRepositoryRef. + type: string + required: + - repository + type: object + type: array + observedRecurseSubmodules: + description: ObservedRecurseSubmodules is the observed resource submodules + configuration used to produce the current Artifact. + type: boolean + url: + description: URL is the dynamic fetch link for the latest Artifact. + It is provided on a "best effort" basis, and using the precise GitRepositoryStatus.Artifact + data is recommended. + type: string + type: object + type: object + served: true + storage: false + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.0 + name: helmrepositories.source.toolkit.fluxcd.io +spec: + group: source.toolkit.fluxcd.io + names: + kind: HelmRepository + listKind: HelmRepositoryList + plural: helmrepositories + shortNames: + - helmrepo + singular: helmrepository + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.url + name: URL + type: string + - jsonPath: .status.conditions[?(@.type=="Ready")].status + name: Ready + type: string + - jsonPath: .status.conditions[?(@.type=="Ready")].message + name: Status + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + description: HelmRepository is the Schema for the helmrepositories API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: HelmRepositorySpec defines the reference to a Helm repository. + properties: + accessFrom: + description: AccessFrom defines an Access Control List for allowing + cross-namespace references to this object. + properties: + namespaceSelectors: + description: NamespaceSelectors is the list of namespace selectors + to which this ACL applies. Items in this list are evaluated + using a logical OR operation. + items: + description: NamespaceSelector selects the namespaces to which + this ACL applies. An empty map of MatchLabels matches all + namespaces in a cluster. + properties: + matchLabels: + additionalProperties: + type: string + description: MatchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field is + "key", the operator is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + type: array + required: + - namespaceSelectors + type: object + interval: + description: The interval at which to check the upstream for updates. + type: string + passCredentials: + description: PassCredentials allows the credentials from the SecretRef + to be passed on to a host that does not match the host as defined + in URL. This may be required if the host of the advertised chart + URLs in the index differ from the defined URL. 
Enabling this should + be done with caution, as it can potentially result in credentials + getting stolen in a MITM-attack. + type: boolean + secretRef: + description: The name of the secret containing authentication credentials + for the Helm repository. For HTTP/S basic auth the secret must contain + username and password fields. For TLS the secret must contain a + certFile and keyFile, and/or caFile fields. + properties: + name: + description: Name of the referent. + type: string + required: + - name + type: object + suspend: + description: This flag tells the controller to suspend the reconciliation + of this source. + type: boolean + timeout: + default: 60s + description: The timeout of index downloading, defaults to 60s. + type: string + url: + description: The Helm repository URL, a valid URL contains at least + a protocol and host. + type: string + required: + - interval + - url + type: object + status: + default: + observedGeneration: -1 + description: HelmRepositoryStatus defines the observed state of the HelmRepository. + properties: + artifact: + description: Artifact represents the output of the last successful + repository sync. + properties: + checksum: + description: Checksum is the SHA256 checksum of the artifact. + type: string + lastUpdateTime: + description: LastUpdateTime is the timestamp corresponding to + the last update of this artifact. + format: date-time + type: string + path: + description: Path is the relative file path of this artifact. + type: string + revision: + description: Revision is a human readable identifier traceable + in the origin source system. It can be a Git commit SHA, Git + tag, a Helm index timestamp, a Helm chart version, etc. + type: string + url: + description: URL is the HTTP address of this artifact. + type: string + required: + - path + - url + type: object + conditions: + description: Conditions holds the conditions for the HelmRepository. 
+ items: + description: "Condition contains details for one aspect of the current + state of this API Resource. --- This struct is intended for direct + use as an array at the field path .status.conditions. For example, + \n type FooStatus struct{ // Represents the observations of a + foo's current state. // Known .status.conditions.type are: \"Available\", + \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge + // +listType=map // +listMapKey=type Conditions []metav1.Condition + `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" + protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. The value should be a CamelCase string. + This field may not be empty. 
+ maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + lastHandledReconcileAt: + description: LastHandledReconcileAt holds the value of the most recent + reconcile request value, so a change of the annotation value can + be detected. + type: string + observedGeneration: + description: ObservedGeneration is the last observed generation. + format: int64 + type: integer + url: + description: URL is the download link for the last index fetched. + type: string + type: object + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .spec.url + name: URL + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - jsonPath: .status.conditions[?(@.type=="Ready")].status + name: Ready + type: string + - jsonPath: .status.conditions[?(@.type=="Ready")].message + name: Status + type: string + name: v1beta2 + schema: + openAPIV3Schema: + description: HelmRepository is the Schema for the helmrepositories API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. 
Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: HelmRepositorySpec specifies the required configuration to + produce an Artifact for a Helm repository index YAML. + properties: + accessFrom: + description: 'AccessFrom specifies an Access Control List for allowing + cross-namespace references to this object. NOTE: Not implemented, + provisional as of https://github.com/fluxcd/flux2/pull/2092' + properties: + namespaceSelectors: + description: NamespaceSelectors is the list of namespace selectors + to which this ACL applies. Items in this list are evaluated + using a logical OR operation. + items: + description: NamespaceSelector selects the namespaces to which + this ACL applies. An empty map of MatchLabels matches all + namespaces in a cluster. + properties: + matchLabels: + additionalProperties: + type: string + description: MatchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field is + "key", the operator is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + type: array + required: + - namespaceSelectors + type: object + interval: + description: Interval at which to check the URL for updates. 
+ pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ + type: string + passCredentials: + description: PassCredentials allows the credentials from the SecretRef + to be passed on to a host that does not match the host as defined + in URL. This may be required if the host of the advertised chart + URLs in the index differ from the defined URL. Enabling this should + be done with caution, as it can potentially result in credentials + getting stolen in a MITM-attack. + type: boolean + provider: + default: generic + description: Provider used for authentication, can be 'aws', 'azure', + 'gcp' or 'generic'. This field is optional, and only taken into + account if the .spec.type field is set to 'oci'. When not specified, + defaults to 'generic'. + enum: + - generic + - aws + - azure + - gcp + type: string + secretRef: + description: SecretRef specifies the Secret containing authentication + credentials for the HelmRepository. For HTTP/S basic auth the secret + must contain 'username' and 'password' fields. For TLS the secret + must contain a 'certFile' and 'keyFile', and/or 'caFile' fields. + properties: + name: + description: Name of the referent. + type: string + required: + - name + type: object + suspend: + description: Suspend tells the controller to suspend the reconciliation + of this HelmRepository. + type: boolean + timeout: + default: 60s + description: Timeout is used for the index fetch operation for an + HTTPS helm repository, and for remote OCI Repository operations + like pulling for an OCI helm repository. Its default value is 60s. + pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m))+$ + type: string + type: + description: Type of the HelmRepository. When this field is set to "oci", + the URL field value must be prefixed with "oci://". + enum: + - default + - oci + type: string + url: + description: URL of the Helm repository, a valid URL contains at least + a protocol and host. 
+ type: string + required: + - interval + - url + type: object + status: + default: + observedGeneration: -1 + description: HelmRepositoryStatus records the observed state of the HelmRepository. + properties: + artifact: + description: Artifact represents the last successful HelmRepository + reconciliation. + properties: + digest: + description: Digest is the digest of the file in the form of ':'. + pattern: ^[a-z0-9]+(?:[.+_-][a-z0-9]+)*:[a-zA-Z0-9=_-]+$ + type: string + lastUpdateTime: + description: LastUpdateTime is the timestamp corresponding to + the last update of the Artifact. + format: date-time + type: string + metadata: + additionalProperties: + type: string + description: Metadata holds upstream information such as OCI annotations. + type: object + path: + description: Path is the relative file path of the Artifact. It + can be used to locate the file in the root of the Artifact storage + on the local file system of the controller managing the Source. + type: string + revision: + description: Revision is a human-readable identifier traceable + in the origin source system. It can be a Git commit SHA, Git + tag, a Helm chart version, etc. + type: string + size: + description: Size is the number of bytes in the file. + format: int64 + type: integer + url: + description: URL is the HTTP address of the Artifact as exposed + by the controller managing the Source. It can be used to retrieve + the Artifact for consumption, e.g. by another controller applying + the Artifact contents. + type: string + required: + - lastUpdateTime + - path + - revision + - url + type: object + conditions: + description: Conditions holds the conditions for the HelmRepository. + items: + description: "Condition contains details for one aspect of the current + state of this API Resource. --- This struct is intended for direct + use as an array at the field path .status.conditions. For example, + \n type FooStatus struct{ // Represents the observations of a + foo's current state. 
// Known .status.conditions.type are: \"Available\", + \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge + // +listType=map // +listMapKey=type Conditions []metav1.Condition + `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" + protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. 
+ --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + lastHandledReconcileAt: + description: LastHandledReconcileAt holds the value of the most recent + reconcile request value, so a change of the annotation value can + be detected. + type: string + observedGeneration: + description: ObservedGeneration is the last observed generation of + the HelmRepository object. + format: int64 + type: integer + url: + description: URL is the dynamic fetch link for the latest Artifact. + It is provided on a "best effort" basis, and using the precise HelmRepositoryStatus.Artifact + data is recommended. + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.0 + name: imagerepositories.image.toolkit.fluxcd.io +spec: + group: image.toolkit.fluxcd.io + names: + kind: ImageRepository + listKind: ImageRepositoryList + plural: imagerepositories + singular: imagerepository + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .status.lastScanResult.scanTime + name: Last scan + type: string + - jsonPath: .status.lastScanResult.tagCount + name: Tags + type: string + name: v1beta1 + schema: + openAPIV3Schema: + description: ImageRepository is the Schema for the imagerepositories API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. 
Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ImageRepositorySpec defines the parameters for scanning an + image repository, e.g., `fluxcd/flux`. + properties: + accessFrom: + description: AccessFrom defines an ACL for allowing cross-namespace + references to the ImageRepository object based on the caller's namespace + labels. + properties: + namespaceSelectors: + description: NamespaceSelectors is the list of namespace selectors + to which this ACL applies. Items in this list are evaluated + using a logical OR operation. + items: + description: NamespaceSelector selects the namespaces to which + this ACL applies. An empty map of MatchLabels matches all + namespaces in a cluster. + properties: + matchLabels: + additionalProperties: + type: string + description: MatchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field is + "key", the operator is "In", and the values array contains + only "value". The requirements are ANDed. 
+ type: object + type: object + type: array + required: + - namespaceSelectors + type: object + certSecretRef: + description: "CertSecretRef can be given the name of a secret containing + either or both of \n - a PEM-encoded client certificate (`certFile`) + and private key (`keyFile`); - a PEM-encoded CA certificate (`caFile`) + \n and whichever are supplied, will be used for connecting to the + registry. The client cert and key are useful if you are authenticating + with a certificate; the CA cert is useful if you are using a self-signed + server certificate." + properties: + name: + description: Name of the referent. + type: string + required: + - name + type: object + exclusionList: + description: ExclusionList is a list of regex strings used to exclude + certain tags from being stored in the database. + items: + type: string + type: array + image: + description: Image is the name of the image repository + type: string + interval: + description: Interval is the length of time to wait between scans + of the image repository. + pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ + type: string + secretRef: + description: SecretRef can be given the name of a secret containing + credentials to use for the image registry. The secret should be + created with `kubectl create secret docker-registry`, or the equivalent. + properties: + name: + description: Name of the referent. + type: string + required: + - name + type: object + serviceAccountName: + description: ServiceAccountName is the name of the Kubernetes ServiceAccount + used to authenticate the image pull if the service account has attached + pull secrets. + maxLength: 253 + type: string + suspend: + description: This flag tells the controller to suspend subsequent + image scans. It does not apply to already started scans. Defaults + to false. + type: boolean + timeout: + description: Timeout for image scanning. Defaults to 'Interval' duration. 
+ pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m))+$ + type: string + type: object + status: + default: + observedGeneration: -1 + description: ImageRepositoryStatus defines the observed state of ImageRepository + properties: + canonicalImageName: + description: CanonicalName is the name of the image repository with + all the implied bits made explicit; e.g., `docker.io/library/alpine` + rather than `alpine`. + type: string + conditions: + items: + description: "Condition contains details for one aspect of the current + state of this API Resource. --- This struct is intended for direct + use as an array at the field path .status.conditions. For example, + \n type FooStatus struct{ // Represents the observations of a + foo's current state. // Known .status.conditions.type are: \"Available\", + \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge + // +listType=map // +listMapKey=type Conditions []metav1.Condition + `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" + protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. 
+ format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + lastHandledReconcileAt: + description: LastHandledReconcileAt holds the value of the most recent + reconcile request value, so a change of the annotation value can + be detected. + type: string + lastScanResult: + description: LastScanResult contains the number of fetched tags. + properties: + scanTime: + format: date-time + type: string + tagCount: + type: integer + required: + - tagCount + type: object + observedGeneration: + description: ObservedGeneration is the last reconciled generation. 
+ format: int64 + type: integer + type: object + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .status.lastScanResult.scanTime + name: Last scan + type: string + - jsonPath: .status.lastScanResult.tagCount + name: Tags + type: string + name: v1beta2 + schema: + openAPIV3Schema: + description: ImageRepository is the Schema for the imagerepositories API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ImageRepositorySpec defines the parameters for scanning an + image repository, e.g., `fluxcd/flux`. + properties: + accessFrom: + description: AccessFrom defines an ACL for allowing cross-namespace + references to the ImageRepository object based on the caller's namespace + labels. + properties: + namespaceSelectors: + description: NamespaceSelectors is the list of namespace selectors + to which this ACL applies. Items in this list are evaluated + using a logical OR operation. + items: + description: NamespaceSelector selects the namespaces to which + this ACL applies. An empty map of MatchLabels matches all + namespaces in a cluster. + properties: + matchLabels: + additionalProperties: + type: string + description: MatchLabels is a map of {key,value} pairs. 
+ A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field is + "key", the operator is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + type: array + required: + - namespaceSelectors + type: object + certSecretRef: + description: "CertSecretRef can be given the name of a secret containing + either or both of \n - a PEM-encoded client certificate (`certFile`) + and private key (`keyFile`); - a PEM-encoded CA certificate (`caFile`) + \n and whichever are supplied, will be used for connecting to the + registry. The client cert and key are useful if you are authenticating + with a certificate; the CA cert is useful if you are using a self-signed + server certificate." + properties: + name: + description: Name of the referent. + type: string + required: + - name + type: object + exclusionList: + default: + - ^.*\.sig$ + description: ExclusionList is a list of regex strings used to exclude + certain tags from being stored in the database. + items: + type: string + maxItems: 25 + type: array + image: + description: Image is the name of the image repository + type: string + interval: + description: Interval is the length of time to wait between scans + of the image repository. + pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ + type: string + provider: + default: generic + description: The provider used for authentication, can be 'aws', 'azure', + 'gcp' or 'generic'. When not specified, defaults to 'generic'. + enum: + - generic + - aws + - azure + - gcp + type: string + secretRef: + description: SecretRef can be given the name of a secret containing + credentials to use for the image registry. The secret should be + created with `kubectl create secret docker-registry`, or the equivalent. + properties: + name: + description: Name of the referent. 
+ type: string + required: + - name + type: object + serviceAccountName: + description: ServiceAccountName is the name of the Kubernetes ServiceAccount + used to authenticate the image pull if the service account has attached + pull secrets. + maxLength: 253 + type: string + suspend: + description: This flag tells the controller to suspend subsequent + image scans. It does not apply to already started scans. Defaults + to false. + type: boolean + timeout: + description: Timeout for image scanning. Defaults to 'Interval' duration. + pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m))+$ + type: string + type: object + status: + default: + observedGeneration: -1 + description: ImageRepositoryStatus defines the observed state of ImageRepository + properties: + canonicalImageName: + description: CanonicalName is the name of the image repository with + all the implied bits made explicit; e.g., `docker.io/library/alpine` + rather than `alpine`. + type: string + conditions: + items: + description: "Condition contains details for one aspect of the current + state of this API Resource. --- This struct is intended for direct + use as an array at the field path .status.conditions. For example, + \n type FooStatus struct{ // Represents the observations of a + foo's current state. // Known .status.conditions.type are: \"Available\", + \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge + // +listType=map // +listMapKey=type Conditions []metav1.Condition + `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" + protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. 
+ format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + lastHandledReconcileAt: + description: LastHandledReconcileAt holds the value of the most recent + reconcile request value, so a change of the annotation value can + be detected. 
+ type: string + lastScanResult: + description: LastScanResult contains the number of fetched tags. + properties: + latestTags: + items: + type: string + type: array + scanTime: + format: date-time + type: string + tagCount: + type: integer + required: + - tagCount + type: object + observedExclusionList: + description: ObservedExclusionList is a list of observed exclusion + list. It reflects the exclusion rules used for the observed scan + result in spec.lastScanResult. + items: + type: string + type: array + observedGeneration: + description: ObservedGeneration is the last reconciled generation. + format: int64 + type: integer + type: object + type: object + served: true + storage: true + subresources: + status: {} diff --git a/CRDs/istio-resources.yaml b/CRDs/istio-resources.yaml new file mode 100644 index 000000000..dd26a239b --- /dev/null +++ b/CRDs/istio-resources.yaml 
@@ -0,0 +1,4940 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + istio: security + release: istio + name: peerauthentications.security.istio.io +spec: + group: security.istio.io + names: + categories: + - istio-io + - security-istio-io + kind: PeerAuthentication + listKind: PeerAuthenticationList + plural: peerauthentications + shortNames: + - pa + singular: peerauthentication + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: Defines the mTLS mode used for peer authentication. + jsonPath: .spec.mtls.mode + name: Mode + type: string + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: PeerAuthentication defines how traffic will be tunneled (or + not) to the sidecar. + properties: + mtls: + description: Mutual TLS settings for workload. + properties: + mode: + description: Defines the mTLS mode used for peer authentication. + enum: + - UNSET + - DISABLE + - PERMISSIVE + - STRICT + type: string + type: object + portLevelMtls: + additionalProperties: + properties: + mode: + description: Defines the mTLS mode used for peer authentication. + enum: + - UNSET + - DISABLE + - PERMISSIVE + - STRICT + type: string + type: object + description: Port specific mutual TLS settings. + type: object + selector: + description: The selector determines the workloads to apply the ChannelAuthentication + on. 
+ properties: + matchLabels: + additionalProperties: + type: string + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + name: destinationrules.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: DestinationRule + listKind: DestinationRuleList + plural: destinationrules + shortNames: + - dr + singular: destinationrule + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The name of a service from the service registry + jsonPath: .spec.host + name: Host + type: string + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha3 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting load balancing, outlier detection, + etc. See more details at: https://istio.io/docs/reference/config/networking/destination-rule.html' + properties: + exportTo: + description: A list of namespaces to which this destination rule is + exported. + items: + type: string + type: array + host: + description: The name of a service from the service registry. 
+ type: string + subsets: + items: + properties: + labels: + additionalProperties: + type: string + type: object + name: + description: Name of the subset. + type: string + trafficPolicy: + description: Traffic policies that apply to this subset. + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: Specify if http1.1 connection should + be upgraded to http2 for the associated destination. + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of active requests to + a destination. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection + pool connections. + type: string + maxRequestsPerConnection: + description: Maximum number of requests per connection + to a backend. + format: int32 + type: integer + maxRetries: + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will + be preserved while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream + connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + maxConnectionDuration: + description: The maximum duration of a connection. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections + to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the + socket to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive + probes. + type: string + probes: + type: integer + time: + type: string + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer algorithms. 
+ oneOf: + - not: + anyOf: + - required: + - simple + - properties: + consistentHash: + allOf: + - oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - oneOf: + - not: + anyOf: + - required: + - ringHash + - required: + - maglev + - required: + - ringHash + - required: + - maglev + properties: + minimumRingSize: {} + required: + - consistentHash + - required: + - simple + - properties: + consistentHash: + allOf: + - oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - oneOf: + - not: + anyOf: + - required: + - ringHash + - required: + - maglev + - required: + - ringHash + - required: + - maglev + properties: + minimumRingSize: {} + required: + - consistentHash + properties: + consistentHash: + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + type: string + path: + description: Path to set for the cookie. + type: string + ttl: + description: Lifetime of the cookie. + type: string + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP query + parameter. + type: string + maglev: + description: The Maglev load balancer implements + consistent hashing to backend hosts. + properties: + tableSize: + description: The table size for Maglev hashing. + type: integer + type: object + minimumRingSize: + description: Deprecated. 
+ type: integer + ringHash: + description: The ring/modulo hash load balancer + implements consistent hashing to backend hosts. + properties: + minimumRingSize: + type: integer + type: object + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating locality, '/' separated, + e.g. + type: string + to: + additionalProperties: + type: integer + description: Map of upstream localities to + traffic distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, this + is DestinationRule-level and will override mesh + wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating region. + type: string + to: + type: string + type: object + type: array + failoverPriority: + description: failoverPriority is an ordered list + of labels used to sort endpoints to do priority + based load balancing. + items: + type: string + type: array + type: object + simple: + enum: + - UNSPECIFIED + - LEAST_CONN + - RANDOM + - PASSTHROUGH + - ROUND_ROBIN + - LEAST_REQUEST + type: string + warmupDurationSecs: + description: Represents the warmup duration of Service. + type: string + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected + from the connection pool. + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a host + is ejected from the connection pool. 
+ nullable: true + type: integer + consecutiveLocalOriginFailures: + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. + type: string + maxEjectionPercent: + format: int32 + type: integer + minHealthPercent: + format: int32 + type: integer + splitExternalLocalOriginErrors: + description: Determines whether to distinguish local + origin failures from external errors. + type: boolean + type: object + portLevelSettings: + description: Traffic policies specific to individual ports. + items: + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: Specify if http1.1 connection + should be upgraded to http2 for the associated + destination. + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of active requests + to a destination. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream + connection pool connections. + type: string + maxRequestsPerConnection: + description: Maximum number of requests per + connection to a backend. + format: int32 + type: integer + maxRetries: + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol + will be preserved while initiating connection + to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and + TCP upstream connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + maxConnectionDuration: + description: The maximum duration of a connection. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP + connections to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE + on the socket to enable TCP Keepalives. 
+ properties: + interval: + description: The time duration between + keep-alive probes. + type: string + probes: + type: integer + time: + type: string + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer + algorithms. + oneOf: + - not: + anyOf: + - required: + - simple + - properties: + consistentHash: + allOf: + - oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - oneOf: + - not: + anyOf: + - required: + - ringHash + - required: + - maglev + - required: + - ringHash + - required: + - maglev + properties: + minimumRingSize: {} + required: + - consistentHash + - required: + - simple + - properties: + consistentHash: + allOf: + - oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - oneOf: + - not: + anyOf: + - required: + - ringHash + - required: + - maglev + - required: + - ringHash + - required: + - maglev + properties: + minimumRingSize: {} + required: + - consistentHash + properties: + consistentHash: + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + type: string + path: + description: Path to set for the cookie. + type: string + ttl: + description: Lifetime of the cookie. + type: string + type: object + httpHeaderName: + description: Hash based on a specific HTTP + header. + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP + query parameter. 
+ type: string + maglev: + description: The Maglev load balancer implements + consistent hashing to backend hosts. + properties: + tableSize: + description: The table size for Maglev + hashing. + type: integer + type: object + minimumRingSize: + description: Deprecated. + type: integer + ringHash: + description: The ring/modulo hash load balancer + implements consistent hashing to backend + hosts. + properties: + minimumRingSize: + type: integer + type: object + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating locality, '/' + separated, e.g. + type: string + to: + additionalProperties: + type: integer + description: Map of upstream localities + to traffic distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, + this is DestinationRule-level and will override + mesh wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating region. + type: string + to: + type: string + type: object + type: array + failoverPriority: + description: failoverPriority is an ordered + list of labels used to sort endpoints to + do priority based load balancing. + items: + type: string + type: array + type: object + simple: + enum: + - UNSPECIFIED + - LEAST_CONN + - RANDOM + - PASSTHROUGH + - ROUND_ROBIN + - LEAST_REQUEST + type: string + warmupDurationSecs: + description: Represents the warmup duration of + Service. + type: string + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. 
+ type: string + consecutive5xxErrors: + description: Number of 5xx errors before a host + is ejected from the connection pool. + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a + host is ejected from the connection pool. + nullable: true + type: integer + consecutiveLocalOriginFailures: + nullable: true + type: integer + interval: + description: Time interval between ejection sweep + analysis. + type: string + maxEjectionPercent: + format: int32 + type: integer + minHealthPercent: + format: int32 + type: integer + splitExternalLocalOriginErrors: + description: Determines whether to distinguish + local origin failures from external errors. + type: boolean + type: object + port: + properties: + number: + type: integer + type: object + tls: + description: TLS related settings for connections + to the upstream service. + properties: + caCertificates: + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + type: string + credentialName: + type: string + insecureSkipVerify: + nullable: true + type: boolean + mode: + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + type: string + sni: + description: SNI string to present to the server + during TLS handshake. + type: string + subjectAltNames: + items: + type: string + type: array + type: object + type: object + type: array + tls: + description: TLS related settings for connections to the + upstream service. + properties: + caCertificates: + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + type: string + credentialName: + type: string + insecureSkipVerify: + nullable: true + type: boolean + mode: + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. 
+ type: string + sni: + description: SNI string to present to the server during + TLS handshake. + type: string + subjectAltNames: + items: + type: string + type: array + type: object + tunnel: + properties: + protocol: + description: Specifies which protocol to use for tunneling + the downstream connection. + type: string + targetHost: + description: Specifies a host to which the downstream + connection is tunneled. + type: string + targetPort: + description: Specifies a port to which the downstream + connection is tunneled. + type: integer + type: object + type: object + type: object + type: array + trafficPolicy: + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: Specify if http1.1 connection should be upgraded + to http2 for the associated destination. + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of active requests to a destination. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection + pool connections. + type: string + maxRequestsPerConnection: + description: Maximum number of requests per connection + to a backend. + format: int32 + type: integer + maxRetries: + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will be preserved + while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream + connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + maxConnectionDuration: + description: The maximum duration of a connection. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections + to a destination host. 
+ format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the socket + to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive + probes. + type: string + probes: + type: integer + time: + type: string + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer algorithms. + oneOf: + - not: + anyOf: + - required: + - simple + - properties: + consistentHash: + allOf: + - oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - oneOf: + - not: + anyOf: + - required: + - ringHash + - required: + - maglev + - required: + - ringHash + - required: + - maglev + properties: + minimumRingSize: {} + required: + - consistentHash + - required: + - simple + - properties: + consistentHash: + allOf: + - oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - oneOf: + - not: + anyOf: + - required: + - ringHash + - required: + - maglev + - required: + - ringHash + - required: + - maglev + properties: + minimumRingSize: {} + required: + - consistentHash + properties: + consistentHash: + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + type: string + path: + description: Path to set for the cookie. + type: string + ttl: + description: Lifetime of the cookie. + type: string + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. 
+ type: string + httpQueryParameterName: + description: Hash based on a specific HTTP query parameter. + type: string + maglev: + description: The Maglev load balancer implements consistent + hashing to backend hosts. + properties: + tableSize: + description: The table size for Maglev hashing. + type: integer + type: object + minimumRingSize: + description: Deprecated. + type: integer + ringHash: + description: The ring/modulo hash load balancer implements + consistent hashing to backend hosts. + properties: + minimumRingSize: + type: integer + type: object + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute, failover + or failoverPriority can be set.' + items: + properties: + from: + description: Originating locality, '/' separated, + e.g. + type: string + to: + additionalProperties: + type: integer + description: Map of upstream localities to traffic + distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, this is DestinationRule-level + and will override mesh wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only one of distribute, failover + or failoverPriority can be set.' + items: + properties: + from: + description: Originating region. + type: string + to: + type: string + type: object + type: array + failoverPriority: + description: failoverPriority is an ordered list of labels + used to sort endpoints to do priority based load balancing. + items: + type: string + type: array + type: object + simple: + enum: + - UNSPECIFIED + - LEAST_CONN + - RANDOM + - PASSTHROUGH + - ROUND_ROBIN + - LEAST_REQUEST + type: string + warmupDurationSecs: + description: Represents the warmup duration of Service. 
+ type: string + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected + from the connection pool. + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a host is ejected + from the connection pool. + nullable: true + type: integer + consecutiveLocalOriginFailures: + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. + type: string + maxEjectionPercent: + format: int32 + type: integer + minHealthPercent: + format: int32 + type: integer + splitExternalLocalOriginErrors: + description: Determines whether to distinguish local origin + failures from external errors. + type: boolean + type: object + portLevelSettings: + description: Traffic policies specific to individual ports. + items: + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: Specify if http1.1 connection should + be upgraded to http2 for the associated destination. + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of active requests to + a destination. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection + pool connections. + type: string + maxRequestsPerConnection: + description: Maximum number of requests per connection + to a backend. + format: int32 + type: integer + maxRetries: + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will + be preserved while initiating connection to backend. 
+ type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream + connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + maxConnectionDuration: + description: The maximum duration of a connection. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections + to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the + socket to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive + probes. + type: string + probes: + type: integer + time: + type: string + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer algorithms. + oneOf: + - not: + anyOf: + - required: + - simple + - properties: + consistentHash: + allOf: + - oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - oneOf: + - not: + anyOf: + - required: + - ringHash + - required: + - maglev + - required: + - ringHash + - required: + - maglev + properties: + minimumRingSize: {} + required: + - consistentHash + - required: + - simple + - properties: + consistentHash: + allOf: + - oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - oneOf: + - not: + anyOf: + - required: + - ringHash + - required: + - maglev + - required: + - ringHash + - required: + - maglev + properties: + minimumRingSize: {} + required: + - consistentHash + properties: + consistentHash: + 
properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + type: string + path: + description: Path to set for the cookie. + type: string + ttl: + description: Lifetime of the cookie. + type: string + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP query + parameter. + type: string + maglev: + description: The Maglev load balancer implements + consistent hashing to backend hosts. + properties: + tableSize: + description: The table size for Maglev hashing. + type: integer + type: object + minimumRingSize: + description: Deprecated. + type: integer + ringHash: + description: The ring/modulo hash load balancer + implements consistent hashing to backend hosts. + properties: + minimumRingSize: + type: integer + type: object + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating locality, '/' separated, + e.g. + type: string + to: + additionalProperties: + type: integer + description: Map of upstream localities to + traffic distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, this + is DestinationRule-level and will override mesh + wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating region. + type: string + to: + type: string + type: object + type: array + failoverPriority: + description: failoverPriority is an ordered list + of labels used to sort endpoints to do priority + based load balancing. 
+ items: + type: string + type: array + type: object + simple: + enum: + - UNSPECIFIED + - LEAST_CONN + - RANDOM + - PASSTHROUGH + - ROUND_ROBIN + - LEAST_REQUEST + type: string + warmupDurationSecs: + description: Represents the warmup duration of Service. + type: string + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected + from the connection pool. + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a host + is ejected from the connection pool. + nullable: true + type: integer + consecutiveLocalOriginFailures: + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. + type: string + maxEjectionPercent: + format: int32 + type: integer + minHealthPercent: + format: int32 + type: integer + splitExternalLocalOriginErrors: + description: Determines whether to distinguish local + origin failures from external errors. + type: boolean + type: object + port: + properties: + number: + type: integer + type: object + tls: + description: TLS related settings for connections to the + upstream service. + properties: + caCertificates: + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + type: string + credentialName: + type: string + insecureSkipVerify: + nullable: true + type: boolean + mode: + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + type: string + sni: + description: SNI string to present to the server during + TLS handshake. + type: string + subjectAltNames: + items: + type: string + type: array + type: object + type: object + type: array + tls: + description: TLS related settings for connections to the upstream + service. 
+ properties: + caCertificates: + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + type: string + credentialName: + type: string + insecureSkipVerify: + nullable: true + type: boolean + mode: + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + type: string + sni: + description: SNI string to present to the server during TLS + handshake. + type: string + subjectAltNames: + items: + type: string + type: array + type: object + tunnel: + properties: + protocol: + description: Specifies which protocol to use for tunneling + the downstream connection. + type: string + targetHost: + description: Specifies a host to which the downstream connection + is tunneled. + type: string + targetPort: + description: Specifies a port to which the downstream connection + is tunneled. + type: integer + type: object + type: object + workloadSelector: + properties: + matchLabels: + additionalProperties: + type: string + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} + - additionalPrinterColumns: + - description: The name of a service from the service registry + jsonPath: .spec.host + name: Host + type: string + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting load balancing, outlier detection, + etc. 
See more details at: https://istio.io/docs/reference/config/networking/destination-rule.html' + properties: + exportTo: + description: A list of namespaces to which this destination rule is + exported. + items: + type: string + type: array + host: + description: The name of a service from the service registry. + type: string + subsets: + items: + properties: + labels: + additionalProperties: + type: string + type: object + name: + description: Name of the subset. + type: string + trafficPolicy: + description: Traffic policies that apply to this subset. + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: Specify if http1.1 connection should + be upgraded to http2 for the associated destination. + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of active requests to + a destination. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection + pool connections. + type: string + maxRequestsPerConnection: + description: Maximum number of requests per connection + to a backend. + format: int32 + type: integer + maxRetries: + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will + be preserved while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream + connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + maxConnectionDuration: + description: The maximum duration of a connection. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections + to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the + socket to enable TCP Keepalives. 
+ properties: + interval: + description: The time duration between keep-alive + probes. + type: string + probes: + type: integer + time: + type: string + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer algorithms. + oneOf: + - not: + anyOf: + - required: + - simple + - properties: + consistentHash: + allOf: + - oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - oneOf: + - not: + anyOf: + - required: + - ringHash + - required: + - maglev + - required: + - ringHash + - required: + - maglev + properties: + minimumRingSize: {} + required: + - consistentHash + - required: + - simple + - properties: + consistentHash: + allOf: + - oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - oneOf: + - not: + anyOf: + - required: + - ringHash + - required: + - maglev + - required: + - ringHash + - required: + - maglev + properties: + minimumRingSize: {} + required: + - consistentHash + properties: + consistentHash: + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + type: string + path: + description: Path to set for the cookie. + type: string + ttl: + description: Lifetime of the cookie. + type: string + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP query + parameter. 
+ type: string + maglev: + description: The Maglev load balancer implements + consistent hashing to backend hosts. + properties: + tableSize: + description: The table size for Maglev hashing. + type: integer + type: object + minimumRingSize: + description: Deprecated. + type: integer + ringHash: + description: The ring/modulo hash load balancer + implements consistent hashing to backend hosts. + properties: + minimumRingSize: + type: integer + type: object + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating locality, '/' separated, + e.g. + type: string + to: + additionalProperties: + type: integer + description: Map of upstream localities to + traffic distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, this + is DestinationRule-level and will override mesh + wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating region. + type: string + to: + type: string + type: object + type: array + failoverPriority: + description: failoverPriority is an ordered list + of labels used to sort endpoints to do priority + based load balancing. + items: + type: string + type: array + type: object + simple: + enum: + - UNSPECIFIED + - LEAST_CONN + - RANDOM + - PASSTHROUGH + - ROUND_ROBIN + - LEAST_REQUEST + type: string + warmupDurationSecs: + description: Represents the warmup duration of Service. + type: string + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. 
+ type: string + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected + from the connection pool. + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a host + is ejected from the connection pool. + nullable: true + type: integer + consecutiveLocalOriginFailures: + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. + type: string + maxEjectionPercent: + format: int32 + type: integer + minHealthPercent: + format: int32 + type: integer + splitExternalLocalOriginErrors: + description: Determines whether to distinguish local + origin failures from external errors. + type: boolean + type: object + portLevelSettings: + description: Traffic policies specific to individual ports. + items: + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: Specify if http1.1 connection + should be upgraded to http2 for the associated + destination. + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of active requests + to a destination. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream + connection pool connections. + type: string + maxRequestsPerConnection: + description: Maximum number of requests per + connection to a backend. + format: int32 + type: integer + maxRetries: + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol + will be preserved while initiating connection + to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and + TCP upstream connections. + properties: + connectTimeout: + description: TCP connection timeout. 
+ type: string + maxConnectionDuration: + description: The maximum duration of a connection. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP + connections to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE + on the socket to enable TCP Keepalives. + properties: + interval: + description: The time duration between + keep-alive probes. + type: string + probes: + type: integer + time: + type: string + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer + algorithms. + oneOf: + - not: + anyOf: + - required: + - simple + - properties: + consistentHash: + allOf: + - oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - oneOf: + - not: + anyOf: + - required: + - ringHash + - required: + - maglev + - required: + - ringHash + - required: + - maglev + properties: + minimumRingSize: {} + required: + - consistentHash + - required: + - simple + - properties: + consistentHash: + allOf: + - oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - oneOf: + - not: + anyOf: + - required: + - ringHash + - required: + - maglev + - required: + - ringHash + - required: + - maglev + properties: + minimumRingSize: {} + required: + - consistentHash + properties: + consistentHash: + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + type: string + path: + description: Path to set for the cookie. 
+ type: string + ttl: + description: Lifetime of the cookie. + type: string + type: object + httpHeaderName: + description: Hash based on a specific HTTP + header. + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP + query parameter. + type: string + maglev: + description: The Maglev load balancer implements + consistent hashing to backend hosts. + properties: + tableSize: + description: The table size for Maglev + hashing. + type: integer + type: object + minimumRingSize: + description: Deprecated. + type: integer + ringHash: + description: The ring/modulo hash load balancer + implements consistent hashing to backend + hosts. + properties: + minimumRingSize: + type: integer + type: object + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating locality, '/' + separated, e.g. + type: string + to: + additionalProperties: + type: integer + description: Map of upstream localities + to traffic distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, + this is DestinationRule-level and will override + mesh wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating region. + type: string + to: + type: string + type: object + type: array + failoverPriority: + description: failoverPriority is an ordered + list of labels used to sort endpoints to + do priority based load balancing. 
+ items: + type: string + type: array + type: object + simple: + enum: + - UNSPECIFIED + - LEAST_CONN + - RANDOM + - PASSTHROUGH + - ROUND_ROBIN + - LEAST_REQUEST + type: string + warmupDurationSecs: + description: Represents the warmup duration of + Service. + type: string + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + consecutive5xxErrors: + description: Number of 5xx errors before a host + is ejected from the connection pool. + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a + host is ejected from the connection pool. + nullable: true + type: integer + consecutiveLocalOriginFailures: + nullable: true + type: integer + interval: + description: Time interval between ejection sweep + analysis. + type: string + maxEjectionPercent: + format: int32 + type: integer + minHealthPercent: + format: int32 + type: integer + splitExternalLocalOriginErrors: + description: Determines whether to distinguish + local origin failures from external errors. + type: boolean + type: object + port: + properties: + number: + type: integer + type: object + tls: + description: TLS related settings for connections + to the upstream service. + properties: + caCertificates: + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + type: string + credentialName: + type: string + insecureSkipVerify: + nullable: true + type: boolean + mode: + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + type: string + sni: + description: SNI string to present to the server + during TLS handshake. + type: string + subjectAltNames: + items: + type: string + type: array + type: object + type: object + type: array + tls: + description: TLS related settings for connections to the + upstream service. 
+ properties: + caCertificates: + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + type: string + credentialName: + type: string + insecureSkipVerify: + nullable: true + type: boolean + mode: + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + type: string + sni: + description: SNI string to present to the server during + TLS handshake. + type: string + subjectAltNames: + items: + type: string + type: array + type: object + tunnel: + properties: + protocol: + description: Specifies which protocol to use for tunneling + the downstream connection. + type: string + targetHost: + description: Specifies a host to which the downstream + connection is tunneled. + type: string + targetPort: + description: Specifies a port to which the downstream + connection is tunneled. + type: integer + type: object + type: object + type: object + type: array + trafficPolicy: + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: Specify if http1.1 connection should be upgraded + to http2 for the associated destination. + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of active requests to a destination. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection + pool connections. + type: string + maxRequestsPerConnection: + description: Maximum number of requests per connection + to a backend. + format: int32 + type: integer + maxRetries: + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will be preserved + while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream + connections. 
+ properties: + connectTimeout: + description: TCP connection timeout. + type: string + maxConnectionDuration: + description: The maximum duration of a connection. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections + to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the socket + to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive + probes. + type: string + probes: + type: integer + time: + type: string + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer algorithms. + oneOf: + - not: + anyOf: + - required: + - simple + - properties: + consistentHash: + allOf: + - oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - oneOf: + - not: + anyOf: + - required: + - ringHash + - required: + - maglev + - required: + - ringHash + - required: + - maglev + properties: + minimumRingSize: {} + required: + - consistentHash + - required: + - simple + - properties: + consistentHash: + allOf: + - oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - oneOf: + - not: + anyOf: + - required: + - ringHash + - required: + - maglev + - required: + - ringHash + - required: + - maglev + properties: + minimumRingSize: {} + required: + - consistentHash + properties: + consistentHash: + properties: + httpCookie: + description: Hash based on HTTP cookie. 
+ properties: + name: + description: Name of the cookie. + type: string + path: + description: Path to set for the cookie. + type: string + ttl: + description: Lifetime of the cookie. + type: string + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP query parameter. + type: string + maglev: + description: The Maglev load balancer implements consistent + hashing to backend hosts. + properties: + tableSize: + description: The table size for Maglev hashing. + type: integer + type: object + minimumRingSize: + description: Deprecated. + type: integer + ringHash: + description: The ring/modulo hash load balancer implements + consistent hashing to backend hosts. + properties: + minimumRingSize: + type: integer + type: object + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute, failover + or failoverPriority can be set.' + items: + properties: + from: + description: Originating locality, '/' separated, + e.g. + type: string + to: + additionalProperties: + type: integer + description: Map of upstream localities to traffic + distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, this is DestinationRule-level + and will override mesh wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only one of distribute, failover + or failoverPriority can be set.' + items: + properties: + from: + description: Originating region. + type: string + to: + type: string + type: object + type: array + failoverPriority: + description: failoverPriority is an ordered list of labels + used to sort endpoints to do priority based load balancing. 
+ items: + type: string + type: array + type: object + simple: + enum: + - UNSPECIFIED + - LEAST_CONN + - RANDOM + - PASSTHROUGH + - ROUND_ROBIN + - LEAST_REQUEST + type: string + warmupDurationSecs: + description: Represents the warmup duration of Service. + type: string + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected + from the connection pool. + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a host is ejected + from the connection pool. + nullable: true + type: integer + consecutiveLocalOriginFailures: + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. + type: string + maxEjectionPercent: + format: int32 + type: integer + minHealthPercent: + format: int32 + type: integer + splitExternalLocalOriginErrors: + description: Determines whether to distinguish local origin + failures from external errors. + type: boolean + type: object + portLevelSettings: + description: Traffic policies specific to individual ports. + items: + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: Specify if http1.1 connection should + be upgraded to http2 for the associated destination. + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of active requests to + a destination. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection + pool connections. + type: string + maxRequestsPerConnection: + description: Maximum number of requests per connection + to a backend. 
+ format: int32 + type: integer + maxRetries: + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will + be preserved while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream + connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + maxConnectionDuration: + description: The maximum duration of a connection. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections + to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the + socket to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive + probes. + type: string + probes: + type: integer + time: + type: string + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer algorithms. 
+ oneOf: + - not: + anyOf: + - required: + - simple + - properties: + consistentHash: + allOf: + - oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - oneOf: + - not: + anyOf: + - required: + - ringHash + - required: + - maglev + - required: + - ringHash + - required: + - maglev + properties: + minimumRingSize: {} + required: + - consistentHash + - required: + - simple + - properties: + consistentHash: + allOf: + - oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - oneOf: + - not: + anyOf: + - required: + - ringHash + - required: + - maglev + - required: + - ringHash + - required: + - maglev + properties: + minimumRingSize: {} + required: + - consistentHash + properties: + consistentHash: + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + type: string + path: + description: Path to set for the cookie. + type: string + ttl: + description: Lifetime of the cookie. + type: string + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP query + parameter. + type: string + maglev: + description: The Maglev load balancer implements + consistent hashing to backend hosts. + properties: + tableSize: + description: The table size for Maglev hashing. + type: integer + type: object + minimumRingSize: + description: Deprecated. 
+ type: integer + ringHash: + description: The ring/modulo hash load balancer + implements consistent hashing to backend hosts. + properties: + minimumRingSize: + type: integer + type: object + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating locality, '/' separated, + e.g. + type: string + to: + additionalProperties: + type: integer + description: Map of upstream localities to + traffic distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, this + is DestinationRule-level and will override mesh + wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating region. + type: string + to: + type: string + type: object + type: array + failoverPriority: + description: failoverPriority is an ordered list + of labels used to sort endpoints to do priority + based load balancing. + items: + type: string + type: array + type: object + simple: + enum: + - UNSPECIFIED + - LEAST_CONN + - RANDOM + - PASSTHROUGH + - ROUND_ROBIN + - LEAST_REQUEST + type: string + warmupDurationSecs: + description: Represents the warmup duration of Service. + type: string + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected + from the connection pool. + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a host + is ejected from the connection pool. 
+ nullable: true + type: integer + consecutiveLocalOriginFailures: + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. + type: string + maxEjectionPercent: + format: int32 + type: integer + minHealthPercent: + format: int32 + type: integer + splitExternalLocalOriginErrors: + description: Determines whether to distinguish local + origin failures from external errors. + type: boolean + type: object + port: + properties: + number: + type: integer + type: object + tls: + description: TLS related settings for connections to the + upstream service. + properties: + caCertificates: + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + type: string + credentialName: + type: string + insecureSkipVerify: + nullable: true + type: boolean + mode: + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + type: string + sni: + description: SNI string to present to the server during + TLS handshake. + type: string + subjectAltNames: + items: + type: string + type: array + type: object + type: object + type: array + tls: + description: TLS related settings for connections to the upstream + service. + properties: + caCertificates: + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + type: string + credentialName: + type: string + insecureSkipVerify: + nullable: true + type: boolean + mode: + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + type: string + sni: + description: SNI string to present to the server during TLS + handshake. + type: string + subjectAltNames: + items: + type: string + type: array + type: object + tunnel: + properties: + protocol: + description: Specifies which protocol to use for tunneling + the downstream connection. 
+ type: string + targetHost: + description: Specifies a host to which the downstream connection + is tunneled. + type: string + targetPort: + description: Specifies a port to which the downstream connection + is tunneled. + type: integer + type: object + type: object + workloadSelector: + properties: + matchLabels: + additionalProperties: + type: string + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + name: virtualservices.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: VirtualService + listKind: VirtualServiceList + plural: virtualservices + shortNames: + - vs + singular: virtualservice + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The names of gateways and sidecars that should apply these routes + jsonPath: .spec.gateways + name: Gateways + type: string + - description: The destination hosts to which traffic is being sent + jsonPath: .spec.hosts + name: Hosts + type: string + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha3 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting label/content routing, sni routing, + etc. 
See more details at: https://istio.io/docs/reference/config/networking/virtual-service.html' + properties: + exportTo: + description: A list of namespaces to which this virtual service is + exported. + items: + type: string + type: array + gateways: + description: The names of gateways and sidecars that should apply + these routes. + items: + type: string + type: array + hosts: + description: The destination hosts to which traffic is being sent. + items: + type: string + type: array + http: + description: An ordered list of route rules for HTTP traffic. + items: + properties: + corsPolicy: + description: Cross-Origin Resource Sharing policy (CORS). + properties: + allowCredentials: + nullable: true + type: boolean + allowHeaders: + items: + type: string + type: array + allowMethods: + description: List of HTTP methods allowed to access the + resource. + items: + type: string + type: array + allowOrigin: + description: The list of origins that are allowed to perform + CORS requests. + items: + type: string + type: array + allowOrigins: + description: String patterns that match allowed origins. + items: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + type: string + type: object + type: array + exposeHeaders: + items: + type: string + type: array + maxAge: + type: string + type: object + delegate: + properties: + name: + description: Name specifies the name of the delegate VirtualService. + type: string + namespace: + description: Namespace specifies the namespace where the + delegate VirtualService resides. + type: string + type: object + directResponse: + description: A HTTP rule can either return a direct_response, + redirect or forward (default) traffic. 
+ properties: + body: + description: Specifies the content of the response body. + oneOf: + - not: + anyOf: + - required: + - string + - required: + - bytes + - required: + - string + - required: + - bytes + properties: + bytes: + description: response body as base64 encoded bytes. + format: binary + type: string + string: + type: string + type: object + status: + description: Specifies the HTTP response status to be returned. + type: integer + type: object + fault: + description: Fault injection policy to apply on HTTP traffic + at the client side. + properties: + abort: + oneOf: + - not: + anyOf: + - required: + - httpStatus + - required: + - grpcStatus + - required: + - http2Error + - required: + - httpStatus + - required: + - grpcStatus + - required: + - http2Error + properties: + grpcStatus: + description: GRPC status code to use to abort the request. + type: string + http2Error: + type: string + httpStatus: + description: HTTP status code to use to abort the Http + request. + format: int32 + type: integer + percentage: + description: Percentage of requests to be aborted with + the error code provided. + properties: + value: + format: double + type: number + type: object + type: object + delay: + oneOf: + - not: + anyOf: + - required: + - fixedDelay + - required: + - exponentialDelay + - required: + - fixedDelay + - required: + - exponentialDelay + properties: + exponentialDelay: + type: string + fixedDelay: + description: Add a fixed delay before forwarding the + request. + type: string + percent: + description: Percentage of requests on which the delay + will be injected (0-100). + format: int32 + type: integer + percentage: + description: Percentage of requests on which the delay + will be injected. 
+ properties: + value: + format: double + type: number + type: object + type: object + type: object + headers: + properties: + request: + properties: + add: + additionalProperties: + type: string + type: object + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + response: + properties: + add: + additionalProperties: + type: string + type: object + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + type: object + match: + items: + properties: + authority: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + type: string + type: object + gateways: + description: Names of gateways where the rule should be + applied. + items: + type: string + type: array + headers: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + type: string + type: object + type: object + ignoreUriCase: + description: Flag to specify whether the URI matching + should be case-insensitive. + type: boolean + method: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). 
+ type: string + type: object + name: + description: The name assigned to a match. + type: string + port: + description: Specifies the ports on the host that is being + addressed. + type: integer + queryParams: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + type: string + type: object + description: Query parameters for matching. + type: object + scheme: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + type: string + type: object + sourceLabels: + additionalProperties: + type: string + type: object + sourceNamespace: + description: Source namespace constraining the applicability + of a rule to workloads in that namespace. + type: string + statPrefix: + description: The human readable prefix to use when emitting + statistics for this route. + type: string + uri: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). 
+ type: string + type: object + withoutHeaders: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + type: string + type: object + description: withoutHeader has the same syntax with the + header, but has opposite meaning. + type: object + type: object + type: array + mirror: + properties: + host: + description: The name of a service from the service registry. + type: string + port: + description: Specifies the port on the host that is being + addressed. + properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + type: object + mirror_percent: + description: Percentage of the traffic to be mirrored by the + `mirror` field. + nullable: true + type: integer + mirrorPercent: + description: Percentage of the traffic to be mirrored by the + `mirror` field. + nullable: true + type: integer + mirrorPercentage: + description: Percentage of the traffic to be mirrored by the + `mirror` field. + properties: + value: + format: double + type: number + type: object + name: + description: The name assigned to the route for debugging purposes. + type: string + redirect: + description: A HTTP rule can either return a direct_response, + redirect or forward (default) traffic. + oneOf: + - not: + anyOf: + - required: + - port + - required: + - derivePort + - required: + - port + - required: + - derivePort + properties: + authority: + type: string + derivePort: + enum: + - FROM_PROTOCOL_DEFAULT + - FROM_REQUEST_PORT + type: string + port: + description: On a redirect, overwrite the port portion of + the URL with this value. 
+ type: integer + redirectCode: + type: integer + scheme: + description: On a redirect, overwrite the scheme portion + of the URL with this value. + type: string + uri: + type: string + type: object + retries: + description: Retry policy for HTTP requests. + properties: + attempts: + description: Number of retries to be allowed for a given + request. + format: int32 + type: integer + perTryTimeout: + description: Timeout per attempt for a given request, including + the initial call and any retries. + type: string + retryOn: + description: Specifies the conditions under which retry + takes place. + type: string + retryRemoteLocalities: + description: Flag to specify whether the retries should + retry to other localities. + nullable: true + type: boolean + type: object + rewrite: + description: Rewrite HTTP URIs and Authority headers. + properties: + authority: + description: rewrite the Authority/Host header with this + value. + type: string + uri: + type: string + uriRegexRewrite: + description: rewrite the path portion of the URI with the + specified regex. + properties: + match: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + type: string + rewrite: + description: The string that should replace into matching + portions of original URI. + type: string + type: object + type: object + route: + description: A HTTP rule can either return a direct_response, + redirect or forward (default) traffic. + items: + properties: + destination: + properties: + host: + description: The name of a service from the service + registry. + type: string + port: + description: Specifies the port on the host that is + being addressed. + properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. 
+ type: string + type: object + headers: + properties: + request: + properties: + add: + additionalProperties: + type: string + type: object + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + response: + properties: + add: + additionalProperties: + type: string + type: object + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + type: object + weight: + description: Weight specifies the relative proportion + of traffic to be forwarded to the destination. + format: int32 + type: integer + type: object + type: array + timeout: + description: Timeout for HTTP requests, default is disabled. + type: string + type: object + type: array + tcp: + description: An ordered list of route rules for opaque TCP traffic. + items: + properties: + match: + items: + properties: + destinationSubnets: + description: IPv4 or IPv6 ip addresses of destination + with optional subnet. + items: + type: string + type: array + gateways: + description: Names of gateways where the rule should be + applied. + items: + type: string + type: array + port: + description: Specifies the port on the host that is being + addressed. + type: integer + sourceLabels: + additionalProperties: + type: string + type: object + sourceNamespace: + description: Source namespace constraining the applicability + of a rule to workloads in that namespace. + type: string + sourceSubnet: + description: IPv4 or IPv6 ip address of source with optional + subnet. + type: string + type: object + type: array + route: + description: The destination to which the connection should + be forwarded to. + items: + properties: + destination: + properties: + host: + description: The name of a service from the service + registry. + type: string + port: + description: Specifies the port on the host that is + being addressed. 
+ properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + type: object + weight: + description: Weight specifies the relative proportion + of traffic to be forwarded to the destination. + format: int32 + type: integer + type: object + type: array + type: object + type: array + tls: + items: + properties: + match: + items: + properties: + destinationSubnets: + description: IPv4 or IPv6 ip addresses of destination + with optional subnet. + items: + type: string + type: array + gateways: + description: Names of gateways where the rule should be + applied. + items: + type: string + type: array + port: + description: Specifies the port on the host that is being + addressed. + type: integer + sniHosts: + description: SNI (server name indicator) to match on. + items: + type: string + type: array + sourceLabels: + additionalProperties: + type: string + type: object + sourceNamespace: + description: Source namespace constraining the applicability + of a rule to workloads in that namespace. + type: string + type: object + type: array + route: + description: The destination to which the connection should + be forwarded to. + items: + properties: + destination: + properties: + host: + description: The name of a service from the service + registry. + type: string + port: + description: Specifies the port on the host that is + being addressed. + properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + type: object + weight: + description: Weight specifies the relative proportion + of traffic to be forwarded to the destination. 
+ format: int32 + type: integer + type: object + type: array + type: object + type: array + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} + - additionalPrinterColumns: + - description: The names of gateways and sidecars that should apply these routes + jsonPath: .spec.gateways + name: Gateways + type: string + - description: The destination hosts to which traffic is being sent + jsonPath: .spec.hosts + name: Hosts + type: string + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting label/content routing, sni routing, + etc. See more details at: https://istio.io/docs/reference/config/networking/virtual-service.html' + properties: + exportTo: + description: A list of namespaces to which this virtual service is + exported. + items: + type: string + type: array + gateways: + description: The names of gateways and sidecars that should apply + these routes. + items: + type: string + type: array + hosts: + description: The destination hosts to which traffic is being sent. + items: + type: string + type: array + http: + description: An ordered list of route rules for HTTP traffic. + items: + properties: + corsPolicy: + description: Cross-Origin Resource Sharing policy (CORS). 
+ properties: + allowCredentials: + nullable: true + type: boolean + allowHeaders: + items: + type: string + type: array + allowMethods: + description: List of HTTP methods allowed to access the + resource. + items: + type: string + type: array + allowOrigin: + description: The list of origins that are allowed to perform + CORS requests. + items: + type: string + type: array + allowOrigins: + description: String patterns that match allowed origins. + items: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + type: string + type: object + type: array + exposeHeaders: + items: + type: string + type: array + maxAge: + type: string + type: object + delegate: + properties: + name: + description: Name specifies the name of the delegate VirtualService. + type: string + namespace: + description: Namespace specifies the namespace where the + delegate VirtualService resides. + type: string + type: object + directResponse: + description: A HTTP rule can either return a direct_response, + redirect or forward (default) traffic. + properties: + body: + description: Specifies the content of the response body. + oneOf: + - not: + anyOf: + - required: + - string + - required: + - bytes + - required: + - string + - required: + - bytes + properties: + bytes: + description: response body as base64 encoded bytes. + format: binary + type: string + string: + type: string + type: object + status: + description: Specifies the HTTP response status to be returned. + type: integer + type: object + fault: + description: Fault injection policy to apply on HTTP traffic + at the client side. 
+ properties: + abort: + oneOf: + - not: + anyOf: + - required: + - httpStatus + - required: + - grpcStatus + - required: + - http2Error + - required: + - httpStatus + - required: + - grpcStatus + - required: + - http2Error + properties: + grpcStatus: + description: GRPC status code to use to abort the request. + type: string + http2Error: + type: string + httpStatus: + description: HTTP status code to use to abort the Http + request. + format: int32 + type: integer + percentage: + description: Percentage of requests to be aborted with + the error code provided. + properties: + value: + format: double + type: number + type: object + type: object + delay: + oneOf: + - not: + anyOf: + - required: + - fixedDelay + - required: + - exponentialDelay + - required: + - fixedDelay + - required: + - exponentialDelay + properties: + exponentialDelay: + type: string + fixedDelay: + description: Add a fixed delay before forwarding the + request. + type: string + percent: + description: Percentage of requests on which the delay + will be injected (0-100). + format: int32 + type: integer + percentage: + description: Percentage of requests on which the delay + will be injected. 
+ properties: + value: + format: double + type: number + type: object + type: object + type: object + headers: + properties: + request: + properties: + add: + additionalProperties: + type: string + type: object + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + response: + properties: + add: + additionalProperties: + type: string + type: object + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + type: object + match: + items: + properties: + authority: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + type: string + type: object + gateways: + description: Names of gateways where the rule should be + applied. + items: + type: string + type: array + headers: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + type: string + type: object + type: object + ignoreUriCase: + description: Flag to specify whether the URI matching + should be case-insensitive. + type: boolean + method: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). 
+ type: string + type: object + name: + description: The name assigned to a match. + type: string + port: + description: Specifies the ports on the host that is being + addressed. + type: integer + queryParams: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + type: string + type: object + description: Query parameters for matching. + type: object + scheme: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + type: string + type: object + sourceLabels: + additionalProperties: + type: string + type: object + sourceNamespace: + description: Source namespace constraining the applicability + of a rule to workloads in that namespace. + type: string + statPrefix: + description: The human readable prefix to use when emitting + statistics for this route. + type: string + uri: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). 
+ type: string + type: object + withoutHeaders: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + type: string + type: object + description: withoutHeader has the same syntax with the + header, but has opposite meaning. + type: object + type: object + type: array + mirror: + properties: + host: + description: The name of a service from the service registry. + type: string + port: + description: Specifies the port on the host that is being + addressed. + properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + type: object + mirror_percent: + description: Percentage of the traffic to be mirrored by the + `mirror` field. + nullable: true + type: integer + mirrorPercent: + description: Percentage of the traffic to be mirrored by the + `mirror` field. + nullable: true + type: integer + mirrorPercentage: + description: Percentage of the traffic to be mirrored by the + `mirror` field. + properties: + value: + format: double + type: number + type: object + name: + description: The name assigned to the route for debugging purposes. + type: string + redirect: + description: A HTTP rule can either return a direct_response, + redirect or forward (default) traffic. + oneOf: + - not: + anyOf: + - required: + - port + - required: + - derivePort + - required: + - port + - required: + - derivePort + properties: + authority: + type: string + derivePort: + enum: + - FROM_PROTOCOL_DEFAULT + - FROM_REQUEST_PORT + type: string + port: + description: On a redirect, overwrite the port portion of + the URL with this value. 
+ type: integer + redirectCode: + type: integer + scheme: + description: On a redirect, overwrite the scheme portion + of the URL with this value. + type: string + uri: + type: string + type: object + retries: + description: Retry policy for HTTP requests. + properties: + attempts: + description: Number of retries to be allowed for a given + request. + format: int32 + type: integer + perTryTimeout: + description: Timeout per attempt for a given request, including + the initial call and any retries. + type: string + retryOn: + description: Specifies the conditions under which retry + takes place. + type: string + retryRemoteLocalities: + description: Flag to specify whether the retries should + retry to other localities. + nullable: true + type: boolean + type: object + rewrite: + description: Rewrite HTTP URIs and Authority headers. + properties: + authority: + description: rewrite the Authority/Host header with this + value. + type: string + uri: + type: string + uriRegexRewrite: + description: rewrite the path portion of the URI with the + specified regex. + properties: + match: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + type: string + rewrite: + description: The string that should replace into matching + portions of original URI. + type: string + type: object + type: object + route: + description: A HTTP rule can either return a direct_response, + redirect or forward (default) traffic. + items: + properties: + destination: + properties: + host: + description: The name of a service from the service + registry. + type: string + port: + description: Specifies the port on the host that is + being addressed. + properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. 
+ type: string + type: object + headers: + properties: + request: + properties: + add: + additionalProperties: + type: string + type: object + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + response: + properties: + add: + additionalProperties: + type: string + type: object + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + type: object + weight: + description: Weight specifies the relative proportion + of traffic to be forwarded to the destination. + format: int32 + type: integer + type: object + type: array + timeout: + description: Timeout for HTTP requests, default is disabled. + type: string + type: object + type: array + tcp: + description: An ordered list of route rules for opaque TCP traffic. + items: + properties: + match: + items: + properties: + destinationSubnets: + description: IPv4 or IPv6 ip addresses of destination + with optional subnet. + items: + type: string + type: array + gateways: + description: Names of gateways where the rule should be + applied. + items: + type: string + type: array + port: + description: Specifies the port on the host that is being + addressed. + type: integer + sourceLabels: + additionalProperties: + type: string + type: object + sourceNamespace: + description: Source namespace constraining the applicability + of a rule to workloads in that namespace. + type: string + sourceSubnet: + description: IPv4 or IPv6 ip address of source with optional + subnet. + type: string + type: object + type: array + route: + description: The destination to which the connection should + be forwarded to. + items: + properties: + destination: + properties: + host: + description: The name of a service from the service + registry. + type: string + port: + description: Specifies the port on the host that is + being addressed. 
+ properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + type: object + weight: + description: Weight specifies the relative proportion + of traffic to be forwarded to the destination. + format: int32 + type: integer + type: object + type: array + type: object + type: array + tls: + items: + properties: + match: + items: + properties: + destinationSubnets: + description: IPv4 or IPv6 ip addresses of destination + with optional subnet. + items: + type: string + type: array + gateways: + description: Names of gateways where the rule should be + applied. + items: + type: string + type: array + port: + description: Specifies the port on the host that is being + addressed. + type: integer + sniHosts: + description: SNI (server name indicator) to match on. + items: + type: string + type: array + sourceLabels: + additionalProperties: + type: string + type: object + sourceNamespace: + description: Source namespace constraining the applicability + of a rule to workloads in that namespace. + type: string + type: object + type: array + route: + description: The destination to which the connection should + be forwarded to. + items: + properties: + destination: + properties: + host: + description: The name of a service from the service + registry. + type: string + port: + description: Specifies the port on the host that is + being addressed. + properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + type: object + weight: + description: Weight specifies the relative proportion + of traffic to be forwarded to the destination. 
+ format: int32 + type: integer + type: object + type: array + type: object + type: array + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + istio: security + release: istio + name: authorizationpolicies.security.istio.io +spec: + group: security.istio.io + names: + categories: + - istio-io + - security-istio-io + kind: AuthorizationPolicy + listKind: AuthorizationPolicyList + plural: authorizationpolicies + singular: authorizationpolicy + scope: Namespaced + versions: + - name: v1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration for access control on workloads. See more + details at: https://istio.io/docs/reference/config/security/authorization-policy.html' + oneOf: + - not: + anyOf: + - required: + - provider + - required: + - provider + properties: + action: + description: Optional. + enum: + - ALLOW + - DENY + - AUDIT + - CUSTOM + type: string + provider: + description: Specifies detailed configuration of the CUSTOM action. + properties: + name: + description: Specifies the name of the extension provider. + type: string + type: object + rules: + description: Optional. + items: + properties: + from: + description: Optional. + items: + properties: + source: + description: Source specifies the source of a request. + properties: + ipBlocks: + description: Optional. + items: + type: string + type: array + namespaces: + description: Optional. + items: + type: string + type: array + notIpBlocks: + description: Optional. + items: + type: string + type: array + notNamespaces: + description: Optional. + items: + type: string + type: array + notPrincipals: + description: Optional. 
+ items: + type: string + type: array + notRemoteIpBlocks: + description: Optional. + items: + type: string + type: array + notRequestPrincipals: + description: Optional. + items: + type: string + type: array + principals: + description: Optional. + items: + type: string + type: array + remoteIpBlocks: + description: Optional. + items: + type: string + type: array + requestPrincipals: + description: Optional. + items: + type: string + type: array + type: object + type: object + type: array + to: + description: Optional. + items: + properties: + operation: + description: Operation specifies the operation of a request. + properties: + hosts: + description: Optional. + items: + type: string + type: array + methods: + description: Optional. + items: + type: string + type: array + notHosts: + description: Optional. + items: + type: string + type: array + notMethods: + description: Optional. + items: + type: string + type: array + notPaths: + description: Optional. + items: + type: string + type: array + notPorts: + description: Optional. + items: + type: string + type: array + paths: + description: Optional. + items: + type: string + type: array + ports: + description: Optional. + items: + type: string + type: array + type: object + type: object + type: array + when: + description: Optional. + items: + properties: + key: + description: The name of an Istio attribute. + type: string + notValues: + description: Optional. + items: + type: string + type: array + values: + description: Optional. + items: + type: string + type: array + type: object + type: array + type: object + type: array + selector: + description: Optional. 
+ properties: + matchLabels: + additionalProperties: + type: string + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + - name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration for access control on workloads. See more + details at: https://istio.io/docs/reference/config/security/authorization-policy.html' + oneOf: + - not: + anyOf: + - required: + - provider + - required: + - provider + properties: + action: + description: Optional. + enum: + - ALLOW + - DENY + - AUDIT + - CUSTOM + type: string + provider: + description: Specifies detailed configuration of the CUSTOM action. + properties: + name: + description: Specifies the name of the extension provider. + type: string + type: object + rules: + description: Optional. + items: + properties: + from: + description: Optional. + items: + properties: + source: + description: Source specifies the source of a request. + properties: + ipBlocks: + description: Optional. + items: + type: string + type: array + namespaces: + description: Optional. + items: + type: string + type: array + notIpBlocks: + description: Optional. + items: + type: string + type: array + notNamespaces: + description: Optional. + items: + type: string + type: array + notPrincipals: + description: Optional. + items: + type: string + type: array + notRemoteIpBlocks: + description: Optional. + items: + type: string + type: array + notRequestPrincipals: + description: Optional. + items: + type: string + type: array + principals: + description: Optional. + items: + type: string + type: array + remoteIpBlocks: + description: Optional. + items: + type: string + type: array + requestPrincipals: + description: Optional. + items: + type: string + type: array + type: object + type: object + type: array + to: + description: Optional. 
+ items: + properties: + operation: + description: Operation specifies the operation of a request. + properties: + hosts: + description: Optional. + items: + type: string + type: array + methods: + description: Optional. + items: + type: string + type: array + notHosts: + description: Optional. + items: + type: string + type: array + notMethods: + description: Optional. + items: + type: string + type: array + notPaths: + description: Optional. + items: + type: string + type: array + notPorts: + description: Optional. + items: + type: string + type: array + paths: + description: Optional. + items: + type: string + type: array + ports: + description: Optional. + items: + type: string + type: array + type: object + type: object + type: array + when: + description: Optional. + items: + properties: + key: + description: The name of an Istio attribute. + type: string + notValues: + description: Optional. + items: + type: string + type: array + values: + description: Optional. + items: + type: string + type: array + type: object + type: array + type: object + type: array + selector: + description: Optional. + properties: + matchLabels: + additionalProperties: + type: string + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} \ No newline at end of file diff --git a/CRDs/kasten-policy.yaml b/CRDs/kasten-policy.yaml new file mode 100644 index 000000000..8d66ccb90 --- /dev/null +++ b/CRDs/kasten-policy.yaml 
@@ -0,0 +1,70 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.8.0 + generation: 1 + name: policies.config.kio.kasten.io +spec: + conversion: + strategy: None + group: config.kio.kasten.io + names: + kind: Policy + listKind: PolicyList + plural: policies + singular: policy + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .status.validation + name: Status + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: Policy is the Schema for the policies API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + type: object + x-kubernetes-preserve-unknown-fields: true + status: + description: PolicyStatus defines the observed state of Policy + properties: + error: + description: List of errors with the policy (for example, due to validation + failures) + items: + type: string + type: array + hash: + description: Hash of Spec + format: int32 + type: integer + specModifiedTime: + description: Timestamp when spec last changed + format: date-time + type: string + validation: + description: Validation status + type: string + type: object + type: object + served: true + storage: true + subresources: {} 
diff --git a/CRDs/kubevirt-vm.yaml b/CRDs/kubevirt-vm.yaml new file mode 100644 index 000000000..f6843bdde --- /dev/null +++ b/CRDs/kubevirt-vm.yaml 
@@ -0,0 +1,15005 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + kubevirt.io/generation: "2" + kubevirt.io/install-strategy-identifier: f284f9b3b6574d03341121bb215a2c8d64d8e290 + kubevirt.io/install-strategy-registry: quay.io/kubevirt + kubevirt.io/install-strategy-version: v0.59.1 + generation: 1 + labels: + app.kubernetes.io/component: kubevirt + app.kubernetes.io/managed-by: virt-operator + kubevirt.io: "" + name: virtualmachineinstances.kubevirt.io +spec: + conversion: + strategy: None + group: kubevirt.io + names: + categories: + - all + kind: VirtualMachineInstance + listKind: VirtualMachineInstanceList + plural: virtualmachineinstances + shortNames: + - vmi + - vmis + singular: virtualmachineinstance + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - jsonPath: .status.phase + name: Phase + type: string + - jsonPath: .status.interfaces[0].ipAddress + name: IP + type: string + - jsonPath: .status.nodeName + name: NodeName + type: string + - jsonPath: .status.conditions[?(@.type=='Ready')].status + name: Ready + type: string + - jsonPath: .status.conditions[?(@.type=='LiveMigratable')].status + name: Live-Migratable + priority: 1 + type: string + - jsonPath: .status.conditions[?(@.type=='Paused')].status + name: Paused + priority: 1 + type: string + name: v1 + schema: + openAPIV3Schema: + description: VirtualMachineInstance is *the* VirtualMachineInstance Definition. + It represents a virtual machine in the runtime environment of kubernetes. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: VirtualMachineInstance Spec contains the VirtualMachineInstance + specification. + properties: + accessCredentials: + description: Specifies a set of public keys to inject into the vm + guest + items: + description: AccessCredential represents a credential source that + can be used to authorize remote access to the vm guest Only one + of its members may be specified. + properties: + sshPublicKey: + description: SSHPublicKey represents the source and method of + applying a ssh public key into a guest virtual machine. + properties: + propagationMethod: + description: PropagationMethod represents how the public + key is injected into the vm guest. + properties: + configDrive: + description: ConfigDrivePropagation means that the ssh + public keys are injected into the VM using metadata + using the configDrive cloud-init provider + type: object + qemuGuestAgent: + description: QemuGuestAgentAccessCredentailPropagation + means ssh public keys are dynamically injected into + the vm at runtime via the qemu guest agent. This feature + requires the qemu guest agent to be running within + the guest. + properties: + users: + description: Users represents a list of guest users + that should have the ssh public keys added to + their authorized_keys file. 
+ items: + type: string + type: array + x-kubernetes-list-type: set + required: + - users + type: object + type: object + source: + description: Source represents where the public keys are + pulled from + properties: + secret: + description: Secret means that the access credential + is pulled from a kubernetes secret + properties: + secretName: + description: SecretName represents the name of the + secret in the VMI's namespace + type: string + required: + - secretName + type: object + type: object + required: + - propagationMethod + - source + type: object + userPassword: + description: UserPassword represents the source and method for + applying a guest user's password + properties: + propagationMethod: + description: propagationMethod represents how the user passwords + are injected into the vm guest. + properties: + qemuGuestAgent: + description: QemuGuestAgentAccessCredentailPropagation + means passwords are dynamically injected into the + vm at runtime via the qemu guest agent. This feature + requires the qemu guest agent to be running within + the guest. + type: object + type: object + source: + description: Source represents where the user passwords + are pulled from + properties: + secret: + description: Secret means that the access credential + is pulled from a kubernetes secret + properties: + secretName: + description: SecretName represents the name of the + secret in the VMI's namespace + type: string + required: + - secretName + type: object + type: object + required: + - propagationMethod + - source + type: object + type: object + type: array + x-kubernetes-list-type: atomic + affinity: + description: If affinity is specifies, obey all the affinity rules + properties: + nodeAffinity: + description: Describes node affinity scheduling rules for the + pod. 
+ properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer to schedule pods to + nodes that satisfy the affinity expressions specified by + this field, but it may choose a node that violates one or + more of the expressions. The node that is most preferred + is the one with the greatest sum of weights, i.e. for each + node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling affinity expressions, + etc.), compute a sum by iterating through the elements of + this field and adding "weight" to the sum if the node matches + the corresponding matchExpressions; the node(s) with the + highest sum are the most preferred. + items: + description: An empty preferred scheduling term matches + all objects with implicit weight 0 (i.e. it's a no-op). + A null preferred scheduling term matches no objects (i.e. + is also a no-op). + properties: + preference: + description: A node selector term, associated with the + corresponding weight. + properties: + matchExpressions: + description: A list of node selector requirements + by node's labels. + items: + description: A node selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. + properties: + key: + description: The label key that the selector + applies to. + type: string + operator: + description: Represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists, DoesNotExist. Gt, and + Lt. + type: string + values: + description: An array of string values. If + the operator is In or NotIn, the values + array must be non-empty. If the operator + is Exists or DoesNotExist, the values array + must be empty. If the operator is Gt or + Lt, the values array must have a single + element, which will be interpreted as an + integer. This array is replaced during a + strategic merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + description: A list of node selector requirements + by node's fields. + items: + description: A node selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. + properties: + key: + description: The label key that the selector + applies to. + type: string + operator: + description: Represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists, DoesNotExist. Gt, and + Lt. + type: string + values: + description: An array of string values. If + the operator is In or NotIn, the values + array must be non-empty. If the operator + is Exists or DoesNotExist, the values array + must be empty. If the operator is Gt or + Lt, the values array must have a single + element, which will be interpreted as an + integer. This array is replaced during a + strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + weight: + description: Weight associated with matching the corresponding + nodeSelectorTerm, in the range 1-100. + format: int32 + type: integer + required: + - preference + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements specified by this + field are not met at scheduling time, the pod will not be + scheduled onto the node. If the affinity requirements specified + by this field cease to be met at some point during pod execution + (e.g. due to an update), the system may or may not try to + eventually evict the pod from its node. + properties: + nodeSelectorTerms: + description: Required. A list of node selector terms. + The terms are ORed. + items: + description: A null or empty node selector term matches + no objects. The requirements of them are ANDed. 
The + TopologySelectorTerm type implements a subset of the + NodeSelectorTerm. + properties: + matchExpressions: + description: A list of node selector requirements + by node's labels. + items: + description: A node selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. + properties: + key: + description: The label key that the selector + applies to. + type: string + operator: + description: Represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists, DoesNotExist. Gt, and + Lt. + type: string + values: + description: An array of string values. If + the operator is In or NotIn, the values + array must be non-empty. If the operator + is Exists or DoesNotExist, the values array + must be empty. If the operator is Gt or + Lt, the values array must have a single + element, which will be interpreted as an + integer. This array is replaced during a + strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + description: A list of node selector requirements + by node's fields. + items: + description: A node selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. + properties: + key: + description: The label key that the selector + applies to. + type: string + operator: + description: Represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists, DoesNotExist. Gt, and + Lt. + type: string + values: + description: An array of string values. If + the operator is In or NotIn, the values + array must be non-empty. If the operator + is Exists or DoesNotExist, the values array + must be empty. If the operator is Gt or + Lt, the values array must have a single + element, which will be interpreted as an + integer. This array is replaced during a + strategic merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + type: array + required: + - nodeSelectorTerms + type: object + type: object + podAffinity: + description: Describes pod affinity scheduling rules (e.g. co-locate + this pod in the same node, zone, etc. as some other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer to schedule pods to + nodes that satisfy the affinity expressions specified by + this field, but it may choose a node that violates one or + more of the expressions. The node that is most preferred + is the one with the greatest sum of weights, i.e. for each + node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling affinity expressions, + etc.), compute a sum by iterating through the elements of + this field and adding "weight" to the sum if the node has + pods which matches the corresponding podAffinityTerm; the + node(s) with the highest sum are the most preferred. + items: + description: The weights of all of the matched WeightedPodAffinityTerm + fields are added per-node to find the most preferred node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity term, associated + with the corresponding weight. + properties: + labelSelector: + description: A label query over a set of resources, + in this case pods. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement + is a selector that contains values, a key, + and an operator that relates the key and + values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. 
+ type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + namespaceSelector: + description: A label query over the set of namespaces + that the term applies to. The term is applied + to the union of the namespaces selected by this + field and the ones listed in the namespaces field. + null selector and null or empty namespaces list + means "this pod's namespace". An empty selector + ({}) matches all namespaces. This field is beta-level + and is only honored when PodAffinityNamespaceSelector + feature is enabled. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement + is a selector that contains values, a key, + and an operator that relates the key and + values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. 
This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + namespaces: + description: namespaces specifies a static list + of namespace names that the term applies to. The + term is applied to the union of the namespaces + listed in this field and the ones selected by + namespaceSelector. null or empty namespaces list + and null namespaceSelector means "this pod's namespace" + items: + type: string + type: array + topologyKey: + description: This pod should be co-located (affinity) + or not co-located (anti-affinity) with the pods + matching the labelSelector in the specified namespaces, + where co-located is defined as running on a node + whose value of the label with key topologyKey + matches that of any node on which any of the selected + pods is running. Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: weight associated with matching the corresponding + podAffinityTerm, in the range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements specified by this + field are not met at scheduling time, the pod will not be + scheduled onto the node. If the affinity requirements specified + by this field cease to be met at some point during pod execution + (e.g. due to a pod label update), the system may or may + not try to eventually evict the pod from its node. 
When + there are multiple elements, the lists of nodes corresponding + to each podAffinityTerm are intersected, i.e. all terms + must be satisfied. + items: + description: Defines a set of pods (namely those matching + the labelSelector relative to the given namespace(s)) + that this pod should be co-located (affinity) or not co-located + (anti-affinity) with, where co-located is defined as running + on a node whose value of the label with key + matches that of any node on which a pod of the set of + pods is running + properties: + labelSelector: + description: A label query over a set of resources, + in this case pods. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If the + operator is Exists or DoesNotExist, the + values array must be empty. This array is + replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". The + requirements are ANDed. 
+ type: object + type: object + namespaceSelector: + description: A label query over the set of namespaces + that the term applies to. The term is applied to the + union of the namespaces selected by this field and + the ones listed in the namespaces field. null selector + and null or empty namespaces list means "this pod's + namespace". An empty selector ({}) matches all namespaces. + This field is beta-level and is only honored when + PodAffinityNamespaceSelector feature is enabled. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If the + operator is Exists or DoesNotExist, the + values array must be empty. This array is + replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". The + requirements are ANDed. + type: object + type: object + namespaces: + description: namespaces specifies a static list of namespace + names that the term applies to. 
The term is applied + to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. null or + empty namespaces list and null namespaceSelector means + "this pod's namespace" + items: + type: string + type: array + topologyKey: + description: This pod should be co-located (affinity) + or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where + co-located is defined as running on a node whose value + of the label with key topologyKey matches that of + any node on which any of the selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + type: object + podAntiAffinity: + description: Describes pod anti-affinity scheduling rules (e.g. + avoid putting this pod in the same node, zone, etc. as some + other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer to schedule pods to + nodes that satisfy the anti-affinity expressions specified + by this field, but it may choose a node that violates one + or more of the expressions. The node that is most preferred + is the one with the greatest sum of weights, i.e. for each + node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling anti-affinity expressions, + etc.), compute a sum by iterating through the elements of + this field and adding "weight" to the sum if the node has + pods which matches the corresponding podAffinityTerm; the + node(s) with the highest sum are the most preferred. + items: + description: The weights of all of the matched WeightedPodAffinityTerm + fields are added per-node to find the most preferred node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity term, associated + with the corresponding weight. + properties: + labelSelector: + description: A label query over a set of resources, + in this case pods. 
+ properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement + is a selector that contains values, a key, + and an operator that relates the key and + values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + namespaceSelector: + description: A label query over the set of namespaces + that the term applies to. The term is applied + to the union of the namespaces selected by this + field and the ones listed in the namespaces field. + null selector and null or empty namespaces list + means "this pod's namespace". An empty selector + ({}) matches all namespaces. This field is beta-level + and is only honored when PodAffinityNamespaceSelector + feature is enabled. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. 
+ items: + description: A label selector requirement + is a selector that contains values, a key, + and an operator that relates the key and + values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + namespaces: + description: namespaces specifies a static list + of namespace names that the term applies to. The + term is applied to the union of the namespaces + listed in this field and the ones selected by + namespaceSelector. null or empty namespaces list + and null namespaceSelector means "this pod's namespace" + items: + type: string + type: array + topologyKey: + description: This pod should be co-located (affinity) + or not co-located (anti-affinity) with the pods + matching the labelSelector in the specified namespaces, + where co-located is defined as running on a node + whose value of the label with key topologyKey + matches that of any node on which any of the selected + pods is running. Empty topologyKey is not allowed. 
+ type: string + required: + - topologyKey + type: object + weight: + description: weight associated with matching the corresponding + podAffinityTerm, in the range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the anti-affinity requirements specified by + this field are not met at scheduling time, the pod will + not be scheduled onto the node. If the anti-affinity requirements + specified by this field cease to be met at some point during + pod execution (e.g. due to a pod label update), the system + may or may not try to eventually evict the pod from its + node. When there are multiple elements, the lists of nodes + corresponding to each podAffinityTerm are intersected, i.e. + all terms must be satisfied. + items: + description: Defines a set of pods (namely those matching + the labelSelector relative to the given namespace(s)) + that this pod should be co-located (affinity) or not co-located + (anti-affinity) with, where co-located is defined as running + on a node whose value of the label with key + matches that of any node on which a pod of the set of + pods is running + properties: + labelSelector: + description: A label query over a set of resources, + in this case pods. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. 
If the operator is In or NotIn, + the values array must be non-empty. If the + operator is Exists or DoesNotExist, the + values array must be empty. This array is + replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". The + requirements are ANDed. + type: object + type: object + namespaceSelector: + description: A label query over the set of namespaces + that the term applies to. The term is applied to the + union of the namespaces selected by this field and + the ones listed in the namespaces field. null selector + and null or empty namespaces list means "this pod's + namespace". An empty selector ({}) matches all namespaces. + This field is beta-level and is only honored when + PodAffinityNamespaceSelector feature is enabled. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If the + operator is Exists or DoesNotExist, the + values array must be empty. This array is + replaced during a strategic merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". The + requirements are ANDed. + type: object + type: object + namespaces: + description: namespaces specifies a static list of namespace + names that the term applies to. The term is applied + to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. null or + empty namespaces list and null namespaceSelector means + "this pod's namespace" + items: + type: string + type: array + topologyKey: + description: This pod should be co-located (affinity) + or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where + co-located is defined as running on a node whose value + of the label with key topologyKey matches that of + any node on which any of the selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + type: object + type: object + dnsConfig: + description: Specifies the DNS parameters of a pod. Parameters specified + here will be merged to the generated DNS configuration based on + DNSPolicy. + properties: + nameservers: + description: A list of DNS name server IP addresses. This will + be appended to the base nameservers generated from DNSPolicy. + Duplicated nameservers will be removed. + items: + type: string + type: array + options: + description: A list of DNS resolver options. This will be merged + with the base options generated from DNSPolicy. Duplicated entries + will be removed. Resolution options given in Options will override + those that appear in the base DNSPolicy. 
+ items: + description: PodDNSConfigOption defines DNS resolver options + of a pod. + properties: + name: + description: Required. + type: string + value: + type: string + type: object + type: array + searches: + description: A list of DNS search domains for host-name lookup. + This will be appended to the base search paths generated from + DNSPolicy. Duplicated search paths will be removed. + items: + type: string + type: array + type: object + dnsPolicy: + description: Set DNS policy for the pod. Defaults to "ClusterFirst". + Valid values are 'ClusterFirstWithHostNet', 'ClusterFirst', 'Default' + or 'None'. DNS parameters given in DNSConfig will be merged with + the policy selected with DNSPolicy. To have DNS options set along + with hostNetwork, you have to specify DNS policy explicitly to 'ClusterFirstWithHostNet'. + type: string + domain: + description: Specification of the desired behavior of the VirtualMachineInstance + on the host. + properties: + chassis: + description: Chassis specifies the chassis info passed to the + domain. + properties: + asset: + type: string + manufacturer: + type: string + serial: + type: string + sku: + type: string + version: + type: string + type: object + clock: + description: Clock sets the clock and timers of the vmi. + properties: + timer: + description: Timer specifies whih timers are attached to the + vmi. + properties: + hpet: + description: HPET (High Precision Event Timer) - multiple + timers with periodic interrupts. + properties: + present: + description: Enabled set to false makes sure that + the machine type or a preset can't add the timer. + Defaults to true. + type: boolean + tickPolicy: + description: TickPolicy determines what happens when + QEMU misses a deadline for injecting a tick to the + guest. One of "delay", "catchup", "merge", "discard". + type: string + type: object + hyperv: + description: Hyperv (Hypervclock) - lets guests read the + host’s wall clock time (paravirtualized). For windows + guests. 
+ properties: + present: + description: Enabled set to false makes sure that + the machine type or a preset can't add the timer. + Defaults to true. + type: boolean + type: object + kvm: + description: "KVM \t(KVM clock) - lets guests read the + host’s wall clock time (paravirtualized). For linux + guests." + properties: + present: + description: Enabled set to false makes sure that + the machine type or a preset can't add the timer. + Defaults to true. + type: boolean + type: object + pit: + description: PIT (Programmable Interval Timer) - a timer + with periodic interrupts. + properties: + present: + description: Enabled set to false makes sure that + the machine type or a preset can't add the timer. + Defaults to true. + type: boolean + tickPolicy: + description: TickPolicy determines what happens when + QEMU misses a deadline for injecting a tick to the + guest. One of "delay", "catchup", "discard". + type: string + type: object + rtc: + description: RTC (Real Time Clock) - a continuously running + timer with periodic interrupts. + properties: + present: + description: Enabled set to false makes sure that + the machine type or a preset can't add the timer. + Defaults to true. + type: boolean + tickPolicy: + description: TickPolicy determines what happens when + QEMU misses a deadline for injecting a tick to the + guest. One of "delay", "catchup". + type: string + track: + description: Track the guest or the wall clock. + type: string + type: object + type: object + timezone: + description: Timezone sets the guest clock to the specified + timezone. Zone name follows the TZ environment variable + format (e.g. 'America/New_York'). + type: string + utc: + description: UTC sets the guest clock to UTC on each boot. + If an offset is specified, guest changes to the clock will + be kept during reboots and are not reset. + properties: + offsetSeconds: + description: OffsetSeconds specifies an offset in seconds, + relative to UTC. 
If set, guest changes to the clock + will be kept during reboots and not reset. + type: integer + type: object + type: object + cpu: + description: CPU allow specified the detailed CPU topology inside + the vmi. + properties: + cores: + description: Cores specifies the number of cores inside the + vmi. Must be a value greater or equal 1. + format: int32 + type: integer + dedicatedCpuPlacement: + description: DedicatedCPUPlacement requests the scheduler + to place the VirtualMachineInstance on a node with enough + dedicated pCPUs and pin the vCPUs to it. + type: boolean + features: + description: Features specifies the CPU features list inside + the VMI. + items: + description: CPUFeature allows specifying a CPU feature. + properties: + name: + description: Name of the CPU feature + type: string + policy: + description: 'Policy is the CPU feature attribute which + can have the following attributes: force - The + virtual CPU will claim the feature is supported regardless + of it being supported by host CPU. require - Guest + creation will fail unless the feature is supported + by the host CPU or the hypervisor is able to emulate + it. optional - The feature will be supported by virtual + CPU if and only if it is supported by host CPU. disable - + The feature will not be supported by virtual CPU. + forbid - Guest creation will fail if the feature + is supported by host CPU. Defaults to require' + type: string + required: + - name + type: object + type: array + isolateEmulatorThread: + description: IsolateEmulatorThread requests one more dedicated + pCPU to be allocated for the VMI to place the emulator thread + on it. + type: boolean + model: + description: Model specifies the CPU model inside the VMI. + List of available models https://github.com/libvirt/libvirt/tree/master/src/cpu_map. + It is possible to specify special cases like "host-passthrough" + to get the same CPU as the node and "host-model" to get + CPU closest to the node one. Defaults to host-model. 
+ type: string + numa: + description: NUMA allows specifying settings for the guest + NUMA topology + properties: + guestMappingPassthrough: + description: GuestMappingPassthrough will create an efficient + guest topology based on host CPUs exclusively assigned + to a pod. The created topology ensures that memory and + CPUs on the virtual numa nodes never cross boundaries + of host numa nodes. + type: object + type: object + realtime: + description: Realtime instructs the virt-launcher to tune + the VMI for lower latency, optional for real time workloads + properties: + mask: + description: 'Mask defines the vcpu mask expression that + defines which vcpus are used for realtime. Format matches + libvirt''s expressions. Example: "0-3,^1","0,2,3","2-3"' + type: string + type: object + sockets: + description: Sockets specifies the number of sockets inside + the vmi. Must be a value greater or equal 1. + format: int32 + type: integer + threads: + description: Threads specifies the number of threads inside + the vmi. Must be a value greater or equal 1. + format: int32 + type: integer + type: object + devices: + description: Devices allows adding disks, network interfaces, + and others + properties: + autoattachGraphicsDevice: + description: Whether to attach the default graphics device + or not. VNC will not be available if set to false. Defaults + to true. + type: boolean + autoattachInputDevice: + description: Whether to attach an Input Device. Defaults to + false. + type: boolean + autoattachMemBalloon: + description: Whether to attach the Memory balloon device with + default period. Period can be adjusted in virt-config. Defaults + to true. + type: boolean + autoattachPodInterface: + description: Whether to attach a pod network interface. Defaults + to true. + type: boolean + autoattachSerialConsole: + description: Whether to attach the default serial console + or not. Serial console access will not be available if set + to false. Defaults to true. 
+ type: boolean + autoattachVSOCK: + description: Whether to attach the VSOCK CID to the VM or + not. VSOCK access will be available if set to true. Defaults + to false. + type: boolean + blockMultiQueue: + description: Whether or not to enable virtio multi-queue for + block devices. Defaults to false. + type: boolean + clientPassthrough: + description: To configure and access client devices such as + redirecting USB + type: object + disableHotplug: + description: DisableHotplug disabled the ability to hotplug + disks. + type: boolean + disks: + description: Disks describes disks, cdroms and luns which + are connected to the vmi. + items: + properties: + blockSize: + description: If specified, the virtual disk will be + presented with the given block sizes. + properties: + custom: + description: CustomBlockSize represents the desired + logical and physical block size for a VM disk. + properties: + logical: + type: integer + physical: + type: integer + required: + - logical + - physical + type: object + matchVolume: + description: Represents if a feature is enabled + or disabled. + properties: + enabled: + description: Enabled determines if the feature + should be enabled or disabled on the guest. + Defaults to true. + type: boolean + type: object + type: object + bootOrder: + description: BootOrder is an integer value > 0, used + to determine ordering of boot devices. Lower values + take precedence. Each disk or interface that has a + boot order must have a unique value. Disks without + a boot order are not tried if a disk with a boot order + exists. + type: integer + cache: + description: 'Cache specifies which kvm disk cache mode + should be used. Supported values are: CacheNone, CacheWriteThrough.' + type: string + cdrom: + description: Attach a volume as a cdrom to the vmi. + properties: + bus: + description: 'Bus indicates the type of disk device + to emulate. supported values: virtio, sata, scsi.' + type: string + readonly: + description: ReadOnly. 
Defaults to true. + type: boolean + tray: + description: Tray indicates if the tray of the device + is open or closed. Allowed values are "open" and + "closed". Defaults to closed. + type: string + type: object + dedicatedIOThread: + description: dedicatedIOThread indicates this disk should + have an exclusive IO Thread. Enabling this implies + useIOThreads = true. Defaults to false. + type: boolean + disk: + description: Attach a volume as a disk to the vmi. + properties: + bus: + description: 'Bus indicates the type of disk device + to emulate. supported values: virtio, sata, scsi, + usb.' + type: string + pciAddress: + description: 'If specified, the virtual disk will + be placed on the guests pci address with the specified + PCI address. For example: 0000:81:01.10' + type: string + readonly: + description: ReadOnly. Defaults to false. + type: boolean + type: object + io: + description: 'IO specifies which QEMU disk IO mode should + be used. Supported values are: native, default, threads.' + type: string + lun: + description: Attach a volume as a LUN to the vmi. + properties: + bus: + description: 'Bus indicates the type of disk device + to emulate. supported values: virtio, sata, scsi.' + type: string + readonly: + description: ReadOnly. Defaults to false. + type: boolean + type: object + name: + description: Name is the device name + type: string + serial: + description: Serial provides the ability to specify + a serial number for the disk device. + type: string + shareable: + description: If specified the disk is made sharable + and multiple write from different VMs are permitted + type: boolean + tag: + description: If specified, disk address and its tag + will be provided to the guest via config drive metadata + type: string + required: + - name + type: object + type: array + filesystems: + description: Filesystems describes filesystem which is connected + to the vmi. 
+ items: + properties: + name: + description: Name is the device name + type: string + virtiofs: + description: Virtiofs is supported + type: object + required: + - name + - virtiofs + type: object + type: array + x-kubernetes-list-type: atomic + gpus: + description: Whether to attach a GPU device to the vmi. + items: + properties: + deviceName: + type: string + name: + description: Name of the GPU device as exposed by a + device plugin + type: string + tag: + description: If specified, the virtual network interface + address and its tag will be provided to the guest + via config drive + type: string + virtualGPUOptions: + properties: + display: + properties: + enabled: + description: Enabled determines if a display + addapter backed by a vGPU should be enabled + or disabled on the guest. Defaults to true. + type: boolean + ramFB: + description: Enables a boot framebuffer, until + the guest OS loads a real GPU driver Defaults + to true. + properties: + enabled: + description: Enabled determines if the feature + should be enabled or disabled on the guest. + Defaults to true. + type: boolean + type: object + type: object + type: object + required: + - deviceName + - name + type: object + type: array + x-kubernetes-list-type: atomic + hostDevices: + description: Whether to attach a host device to the vmi. + items: + properties: + deviceName: + description: DeviceName is the resource name of the + host device exposed by a device plugin + type: string + name: + type: string + tag: + description: If specified, the virtual network interface + address and its tag will be provided to the guest + via config drive + type: string + required: + - deviceName + - name + type: object + type: array + x-kubernetes-list-type: atomic + inputs: + description: Inputs describe input devices + items: + properties: + bus: + description: 'Bus indicates the bus of input device + to emulate. Supported values: virtio, usb.' 
+ type: string + name: + description: Name is the device name + type: string + type: + description: 'Type indicated the type of input device. + Supported values: tablet.' + type: string + required: + - name + - type + type: object + type: array + interfaces: + description: Interfaces describe network interfaces which + are added to the vmi. + items: + properties: + acpiIndex: + description: If specified, the ACPI index is used to + provide network interface device naming, that is stable + across changes in PCI addresses assigned to the device. + This value is required to be unique across all devices + and be between 1 and (16*1024-1). + type: integer + bootOrder: + description: BootOrder is an integer value > 0, used + to determine ordering of boot devices. Lower values + take precedence. Each interface or disk that has a + boot order must have a unique value. Interfaces without + a boot order are not tried. + type: integer + bridge: + description: InterfaceBridge connects to a given network + via a linux bridge. + type: object + dhcpOptions: + description: If specified the network interface will + pass additional DHCP options to the VMI + properties: + bootFileName: + description: If specified will pass option 67 to + interface's DHCP server + type: string + ntpServers: + description: If specified will pass the configured + NTP server to the VM via DHCP option 042. + items: + type: string + type: array + privateOptions: + description: 'If specified will pass extra DHCP + options for private use, range: 224-254' + items: + description: DHCPExtraOptions defines Extra DHCP + options for a VM. + properties: + option: + description: Option is an Integer value from + 224-254 Required. + type: integer + value: + description: Value is a String value for the + Option provided Required. 
+ type: string + required: + - option + - value + type: object + type: array + tftpServerName: + description: If specified will pass option 66 to + interface's DHCP server + type: string + type: object + macAddress: + description: 'Interface MAC address. For example: de:ad:00:00:be:af + or DE-AD-00-00-BE-AF.' + type: string + macvtap: + description: InterfaceMacvtap connects to a given network + by extending the Kubernetes node's L2 networks via + a macvtap interface. + type: object + masquerade: + description: InterfaceMasquerade connects to a given + network using netfilter rules to nat the traffic. + type: object + model: + description: 'Interface model. One of: e1000, e1000e, + ne2k_pci, pcnet, rtl8139, virtio. Defaults to virtio. + TODO:(ihar) switch to enums once opengen-api supports + them. See: https://github.com/kubernetes/kube-openapi/issues/51' + type: string + name: + description: Logical name of the interface as well as + a reference to the associated networks. Must match + the Name of a Network. + type: string + passt: + description: InterfacePasst connects to a given network. + type: object + pciAddress: + description: 'If specified, the virtual network interface + will be placed on the guests pci address with the + specified PCI address. For example: 0000:81:01.10' + type: string + ports: + description: List of ports to be forwarded to the virtual + machine. + items: + description: Port represents a port to expose from + the virtual machine. Default protocol TCP. The port + field is mandatory + properties: + name: + description: If specified, this must be an IANA_SVC_NAME + and unique within the pod. Each named port in + a pod must have a unique name. Name for the + port that can be referred to by services. + type: string + port: + description: Number of port to expose for the + virtual machine. This must be a valid port number, + 0 < x < 65536. + format: int32 + type: integer + protocol: + description: Protocol for port. Must be UDP or + TCP. 
Defaults to "TCP". + type: string + required: + - port + type: object + type: array + slirp: + description: InterfaceSlirp connects to a given network + using QEMU user networking mode. + type: object + sriov: + description: InterfaceSRIOV connects to a given network + by passing-through an SR-IOV PCI device via vfio. + type: object + tag: + description: If specified, the virtual network interface + address and its tag will be provided to the guest + via config drive + type: string + required: + - name + type: object + type: array + networkInterfaceMultiqueue: + description: If specified, virtual network interfaces configured + with a virtio bus will also enable the vhost multiqueue + feature for network devices. The number of queues created + depends on additional factors of the VirtualMachineInstance, + like the number of guest CPUs. + type: boolean + rng: + description: Whether to have random number generator from + host + type: object + sound: + description: Whether to emulate a sound device. + properties: + model: + description: 'We only support ich9 or ac97. If SoundDevice + is not set: No sound card is emulated. If SoundDevice + is set but Model is not: ich9' + type: string + name: + description: User's defined name for this sound device + type: string + required: + - name + type: object + tpm: + description: Whether to emulate a TPM device. + type: object + useVirtioTransitional: + description: Fall back to legacy virtio 0.9 support if virtio + bus is selected on devices. This is helpful for old machines + like CentOS6 or RHEL6 which do not understand virtio_non_transitional + (virtio 1.0). + type: boolean + watchdog: + description: Watchdog describes a watchdog device which can + be added to the vmi. + properties: + i6300esb: + description: i6300esb watchdog device. + properties: + action: + description: The action to take. Valid values are + poweroff, reset, shutdown. Defaults to reset. 
+ type: string + type: object + name: + description: Name of the watchdog. + type: string + required: + - name + type: object + type: object + features: + description: Features like acpi, apic, hyperv, smm. + properties: + acpi: + description: ACPI enables/disables ACPI inside the guest. + Defaults to enabled. + properties: + enabled: + description: Enabled determines if the feature should + be enabled or disabled on the guest. Defaults to true. + type: boolean + type: object + apic: + description: Defaults to the machine type setting. + properties: + enabled: + description: Enabled determines if the feature should + be enabled or disabled on the guest. Defaults to true. + type: boolean + endOfInterrupt: + description: EndOfInterrupt enables the end of interrupt + notification in the guest. Defaults to false. + type: boolean + type: object + hyperv: + description: Defaults to the machine type setting. + properties: + evmcs: + description: EVMCS Speeds up L2 vmexits, but disables + other virtualization features. Requires vapic. Defaults + to the machine type setting. + properties: + enabled: + description: Enabled determines if the feature should + be enabled or disabled on the guest. Defaults to + true. + type: boolean + type: object + frequencies: + description: Frequencies improves the TSC clock source + handling for Hyper-V on KVM. Defaults to the machine + type setting. + properties: + enabled: + description: Enabled determines if the feature should + be enabled or disabled on the guest. Defaults to + true. + type: boolean + type: object + ipi: + description: IPI improves performances in overcommited + environments. Requires vpindex. Defaults to the machine + type setting. + properties: + enabled: + description: Enabled determines if the feature should + be enabled or disabled on the guest. Defaults to + true. + type: boolean + type: object + reenlightenment: + description: Reenlightenment enables the notifications + on TSC frequency changes. 
Defaults to the machine type + setting. + properties: + enabled: + description: Enabled determines if the feature should + be enabled or disabled on the guest. Defaults to + true. + type: boolean + type: object + relaxed: + description: Relaxed instructs the guest OS to disable + watchdog timeouts. Defaults to the machine type setting. + properties: + enabled: + description: Enabled determines if the feature should + be enabled or disabled on the guest. Defaults to + true. + type: boolean + type: object + reset: + description: Reset enables Hyperv reboot/reset for the + vmi. Requires synic. Defaults to the machine type setting. + properties: + enabled: + description: Enabled determines if the feature should + be enabled or disabled on the guest. Defaults to + true. + type: boolean + type: object + runtime: + description: Runtime improves the time accounting to improve + scheduling in the guest. Defaults to the machine type + setting. + properties: + enabled: + description: Enabled determines if the feature should + be enabled or disabled on the guest. Defaults to + true. + type: boolean + type: object + spinlocks: + description: Spinlocks allows to configure the spinlock + retry attempts. + properties: + enabled: + description: Enabled determines if the feature should + be enabled or disabled on the guest. Defaults to + true. + type: boolean + spinlocks: + description: Retries indicates the number of retries. + Must be a value greater or equal 4096. Defaults + to 4096. + format: int32 + type: integer + type: object + synic: + description: SyNIC enables the Synthetic Interrupt Controller. + Defaults to the machine type setting. + properties: + enabled: + description: Enabled determines if the feature should + be enabled or disabled on the guest. Defaults to + true. + type: boolean + type: object + synictimer: + description: SyNICTimer enables Synthetic Interrupt Controller + Timers, reducing CPU load. Defaults to the machine type + setting. 
+ properties: + direct: + description: Represents if a feature is enabled or + disabled. + properties: + enabled: + description: Enabled determines if the feature + should be enabled or disabled on the guest. + Defaults to true. + type: boolean + type: object + enabled: + type: boolean + type: object + tlbflush: + description: TLBFlush improves performances in overcommited + environments. Requires vpindex. Defaults to the machine + type setting. + properties: + enabled: + description: Enabled determines if the feature should + be enabled or disabled on the guest. Defaults to + true. + type: boolean + type: object + vapic: + description: VAPIC improves the paravirtualized handling + of interrupts. Defaults to the machine type setting. + properties: + enabled: + description: Enabled determines if the feature should + be enabled or disabled on the guest. Defaults to + true. + type: boolean + type: object + vendorid: + description: VendorID allows setting the hypervisor vendor + id. Defaults to the machine type setting. + properties: + enabled: + description: Enabled determines if the feature should + be enabled or disabled on the guest. Defaults to + true. + type: boolean + vendorid: + description: VendorID sets the hypervisor vendor id, + visible to the vmi. String up to twelve characters. + type: string + type: object + vpindex: + description: VPIndex enables the Virtual Processor Index + to help windows identifying virtual processors. Defaults + to the machine type setting. + properties: + enabled: + description: Enabled determines if the feature should + be enabled or disabled on the guest. Defaults to + true. + type: boolean + type: object + type: object + kvm: + description: Configure how KVM presence is exposed to the + guest. + properties: + hidden: + description: Hide the KVM hypervisor from standard MSR + based discovery. 
Defaults to false + type: boolean + type: object + pvspinlock: + description: Notify the guest that the host supports paravirtual + spinlocks. For older kernels this feature should be explicitly + disabled. + properties: + enabled: + description: Enabled determines if the feature should + be enabled or disabled on the guest. Defaults to true. + type: boolean + type: object + smm: + description: SMM enables/disables System Management Mode. + TSEG not yet implemented. + properties: + enabled: + description: Enabled determines if the feature should + be enabled or disabled on the guest. Defaults to true. + type: boolean + type: object + type: object + firmware: + description: Firmware. + properties: + bootloader: + description: Settings to control the bootloader that is used. + properties: + bios: + description: If set (default), BIOS will be used. + properties: + useSerial: + description: If set, the BIOS output will be transmitted + over serial + type: boolean + type: object + efi: + description: If set, EFI will be used instead of BIOS. + properties: + secureBoot: + description: If set, SecureBoot will be enabled and + the OVMF roms will be swapped for SecureBoot-enabled + ones. Requires SMM to be enabled. Defaults to true + type: boolean + type: object + type: object + kernelBoot: + description: Settings to set the kernel for booting. + properties: + container: + description: Container defines the container that containes + kernel artifacts + properties: + image: + description: Image that contains initrd / kernel files. + type: string + imagePullPolicy: + description: 'Image pull policy. One of Always, Never, + IfNotPresent. Defaults to Always if :latest tag + is specified, or IfNotPresent otherwise. Cannot + be updated. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images' + type: string + imagePullSecret: + description: ImagePullSecret is the name of the Docker + registry secret required to pull the image. 
The + secret must already exist. + type: string + initrdPath: + description: the fully-qualified path to the ramdisk + image in the host OS + type: string + kernelPath: + description: The fully-qualified path to the kernel + image in the host OS + type: string + required: + - image + type: object + kernelArgs: + description: Arguments to be passed to the kernel at boot + time + type: string + type: object + serial: + description: The system-serial-number in SMBIOS + type: string + uuid: + description: UUID reported by the vmi bios. Defaults to a + random generated uid. + type: string + type: object + ioThreadsPolicy: + description: 'Controls whether or not disks will share IOThreads. + Omitting IOThreadsPolicy disables use of IOThreads. One of: + shared, auto' + type: string + launchSecurity: + description: Launch Security setting of the vmi. + properties: + sev: + description: AMD Secure Encrypted Virtualization (SEV). + type: object + type: object + machine: + description: Machine type. + properties: + type: + description: QEMU machine type is the actual chipset of the + VirtualMachineInstance. + type: string + type: object + memory: + description: Memory allow specifying the VMI memory features. + properties: + guest: + anyOf: + - type: integer + - type: string + description: Guest allows to specifying the amount of memory + which is visible inside the Guest OS. The Guest must lie + between Requests and Limits from the resources section. + Defaults to the requested memory in the resources section + if not specified. + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + hugepages: + description: Hugepages allow to use hugepages for the VirtualMachineInstance + instead of regular memory. + properties: + pageSize: + description: PageSize specifies the hugepage size, for + x86_64 architecture valid values are 1Gi and 2Mi. 
+ type: string + type: object + type: object + resources: + description: Resources describes the Compute Resources required + by this vmi. + properties: + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: Limits describes the maximum amount of compute + resources allowed. Valid resource keys are "memory" and + "cpu". + type: object + overcommitGuestOverhead: + description: Don't ask the scheduler to take the guest-management + overhead into account. Instead put the overhead only into + the container's memory limit. This can lead to crashes if + all memory is in use on a node. Defaults to false. + type: boolean + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: Requests is a description of the initial vmi + resources. Valid resource keys are "memory" and "cpu". + type: object + type: object + required: + - devices + type: object + evictionStrategy: + description: EvictionStrategy can be set to "LiveMigrate" if the VirtualMachineInstance + should be migrated instead of shut-off in case of a node drain. + type: string + hostname: + description: Specifies the hostname of the vmi If not specified, the + hostname will be set to the name of the vmi, if dhcp or cloud-init + is configured properly. + type: string + livenessProbe: + description: 'Periodic probe of VirtualMachineInstance liveness. VirtualmachineInstances + will be stopped if the probe fails. Cannot be updated. More info: + https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + properties: + exec: + description: One and only one of the following should be specified. 
+ Exec specifies the action to take, it will be executed on the + guest through the qemu-guest-agent. If the guest agent is not + available, this probe will fail. + properties: + command: + description: Command is the command line to execute inside + the container, the working directory for the command is + root ('/') in the container's filesystem. The command is + simply exec'd, it is not run inside a shell, so traditional + shell instructions ('|', etc) won't work. To use a shell, + you need to explicitly call out to that shell. Exit status + of 0 is treated as live/healthy and non-zero is unhealthy. + items: + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures for the probe to be + considered failed after having succeeded. Defaults to 3. Minimum + value is 1. + format: int32 + type: integer + guestAgentPing: + description: GuestAgentPing contacts the qemu-guest-agent for + availability checks. + type: object + httpGet: + description: HTTPGet specifies the http request to perform. + properties: + host: + description: Host name to connect to, defaults to the pod + IP. You probably want to set "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in the request. HTTP allows + repeated headers. + items: + description: HTTPHeader describes a custom header to be + used in HTTP probes + properties: + name: + description: The header field name + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port to access on the container. + Number must be in the range 1 to 65535. Name must be an + IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting to the host. Defaults + to HTTP. 
+ type: string + required: + - port + type: object + initialDelaySeconds: + description: 'Number of seconds after the VirtualMachineInstance + has started before liveness probes are initiated. More info: + https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform the probe. Default + to 10 seconds. Minimum value is 1. + format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes for the probe to be + considered successful after having failed. Defaults to 1. Must + be 1 for liveness. Minimum value is 1. + format: int32 + type: integer + tcpSocket: + description: 'TCPSocket specifies an action involving a TCP port. + TCP hooks not yet supported TODO: implement a realistic TCP + lifecycle hook' + properties: + host: + description: 'Optional: Host name to connect to, defaults + to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port to access on the container. + Number must be in the range 1 to 65535. Name must be an + IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + timeoutSeconds: + description: 'Number of seconds after which the probe times out. + For exec probes the timeout fails the probe but does not terminate + the command running on the guest. This means a blocking command + can result in an increasing load on the guest. A small buffer + will be added to the resulting workload exec probe to compensate + for delays caused by the qemu guest exec mechanism. Defaults + to 1 second. Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + type: object + networks: + description: List of networks that can be attached to a vm's virtual + interface. 
+ items: + description: Network represents a network type and a resource that + should be connected to the vm. + properties: + multus: + description: Represents the multus cni network. + properties: + default: + description: Select the default network and add it to the + multus-cni.io/default-network annotation. + type: boolean + networkName: + description: 'References to a NetworkAttachmentDefinition + CRD object. Format: , /. + If namespace is not specified, VMI namespace is assumed.' + type: string + required: + - networkName + type: object + name: + description: 'Network name. Must be a DNS_LABEL and unique within + the vm. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + pod: + description: Represents the stock pod network interface. + properties: + vmIPv6NetworkCIDR: + description: IPv6 CIDR for the vm network. Defaults to fd10:0:2::/120 + if not specified. + type: string + vmNetworkCIDR: + description: CIDR for vm network. Default 10.0.2.0/24 if + not specified. + type: string + type: object + required: + - name + type: object + type: array + nodeSelector: + additionalProperties: + type: string + description: 'NodeSelector is a selector which must be true for the + vmi to fit on a node. Selector which must match a node''s labels + for the vmi to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' + type: object + priorityClassName: + description: If specified, indicates the pod's priority. If not specified, + the pod priority will be default or zero if there is no default. + type: string + readinessProbe: + description: 'Periodic probe of VirtualMachineInstance service readiness. + VirtualmachineInstances will be removed from service endpoints if + the probe fails. Cannot be updated. 
More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + properties: + exec: + description: One and only one of the following should be specified. + Exec specifies the action to take, it will be executed on the + guest through the qemu-guest-agent. If the guest agent is not + available, this probe will fail. + properties: + command: + description: Command is the command line to execute inside + the container, the working directory for the command is + root ('/') in the container's filesystem. The command is + simply exec'd, it is not run inside a shell, so traditional + shell instructions ('|', etc) won't work. To use a shell, + you need to explicitly call out to that shell. Exit status + of 0 is treated as live/healthy and non-zero is unhealthy. + items: + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures for the probe to be + considered failed after having succeeded. Defaults to 3. Minimum + value is 1. + format: int32 + type: integer + guestAgentPing: + description: GuestAgentPing contacts the qemu-guest-agent for + availability checks. + type: object + httpGet: + description: HTTPGet specifies the http request to perform. + properties: + host: + description: Host name to connect to, defaults to the pod + IP. You probably want to set "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in the request. HTTP allows + repeated headers. + items: + description: HTTPHeader describes a custom header to be + used in HTTP probes + properties: + name: + description: The header field name + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port to access on the container. 
+ Number must be in the range 1 to 65535. Name must be an + IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting to the host. Defaults + to HTTP. + type: string + required: + - port + type: object + initialDelaySeconds: + description: 'Number of seconds after the VirtualMachineInstance + has started before liveness probes are initiated. More info: + https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform the probe. Default + to 10 seconds. Minimum value is 1. + format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes for the probe to be + considered successful after having failed. Defaults to 1. Must + be 1 for liveness. Minimum value is 1. + format: int32 + type: integer + tcpSocket: + description: 'TCPSocket specifies an action involving a TCP port. + TCP hooks not yet supported TODO: implement a realistic TCP + lifecycle hook' + properties: + host: + description: 'Optional: Host name to connect to, defaults + to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port to access on the container. + Number must be in the range 1 to 65535. Name must be an + IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + timeoutSeconds: + description: 'Number of seconds after which the probe times out. + For exec probes the timeout fails the probe but does not terminate + the command running on the guest. This means a blocking command + can result in an increasing load on the guest. A small buffer + will be added to the resulting workload exec probe to compensate + for delays caused by the qemu guest exec mechanism. Defaults + to 1 second. Minimum value is 1. 
More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + type: object + schedulerName: + description: If specified, the VMI will be dispatched by specified + scheduler. If not specified, the VMI will be dispatched by default + scheduler. + type: string + startStrategy: + description: StartStrategy can be set to "Paused" if Virtual Machine + should be started in paused state. + type: string + subdomain: + description: If specified, the fully qualified vmi hostname will be + "...svc.". If + not specified, the vmi will not have a domainname at all. The DNS + entry will resolve to the vmi, no matter if the vmi itself can pick + up a hostname. + type: string + terminationGracePeriodSeconds: + description: Grace period observed after signalling a VirtualMachineInstance + to stop after which the VirtualMachineInstance is force terminated. + format: int64 + type: integer + tolerations: + description: If toleration is specified, obey all the toleration rules. + items: + description: The pod this Toleration is attached to tolerates any + taint that matches the triple using the matching + operator . + properties: + effect: + description: Effect indicates the taint effect to match. Empty + means match all taint effects. When specified, allowed values + are NoSchedule, PreferNoSchedule and NoExecute. + type: string + key: + description: Key is the taint key that the toleration applies + to. Empty means match all taint keys. If the key is empty, + operator must be Exists; this combination means to match all + values and all keys. + type: string + operator: + description: Operator represents a key's relationship to the + value. Valid operators are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod + can tolerate all taints of a particular category. 
+ type: string + tolerationSeconds: + description: TolerationSeconds represents the period of time + the toleration (which must be of effect NoExecute, otherwise + this field is ignored) tolerates the taint. By default, it + is not set, which means tolerate the taint forever (do not + evict). Zero and negative values will be treated as 0 (evict + immediately) by the system. + format: int64 + type: integer + value: + description: Value is the taint value the toleration matches + to. If the operator is Exists, the value should be empty, + otherwise just a regular string. + type: string + type: object + type: array + topologySpreadConstraints: + description: TopologySpreadConstraints describes how a group of VMIs + will be spread across a given topology domains. K8s scheduler will + schedule VMI pods in a way which abides by the constraints. + items: + description: TopologySpreadConstraint specifies how to spread matching + pods among the given topology. + properties: + labelSelector: + description: LabelSelector is used to find matching pods. Pods + that match this label selector are counted to determine the + number of pods in their corresponding topology domain. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector + that contains values, a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are In, NotIn, + Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. + If the operator is In or NotIn, the values array + must be non-empty. If the operator is Exists or + DoesNotExist, the values array must be empty. 
This + array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field is + "key", the operator is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + maxSkew: + description: 'MaxSkew describes the degree to which pods may + be unevenly distributed. When ''whenUnsatisfiable=DoNotSchedule'', + it is the maximum permitted difference between the number + of matching pods in the target topology and the global minimum. + For example, in a 3-zone cluster, MaxSkew is set to 1, and + pods with the same labelSelector spread as 1/1/0: | zone1 + | zone2 | zone3 | | P | P | | - if MaxSkew is + 1, incoming pod can only be scheduled to zone3 to become 1/1/1; + scheduling it onto zone1(zone2) would make the ActualSkew(2-0) + on zone1(zone2) violate MaxSkew(1). - if MaxSkew is 2, incoming + pod can be scheduled onto any zone. When ''whenUnsatisfiable=ScheduleAnyway'', + it is used to give higher precedence to topologies that satisfy + it. It''s a required field. Default value is 1 and 0 is not + allowed.' + format: int32 + type: integer + topologyKey: + description: TopologyKey is the key of node labels. Nodes that + have a label with this key and identical values are considered + to be in the same topology. We consider each + as a "bucket", and try to put balanced number of pods into + each bucket. It's a required field. + type: string + whenUnsatisfiable: + description: 'WhenUnsatisfiable indicates how to deal with a + pod if it doesn''t satisfy the spread constraint. - DoNotSchedule + (default) tells the scheduler not to schedule it. 
- ScheduleAnyway + tells the scheduler to schedule the pod in any location, but + giving higher precedence to topologies that would help reduce + the skew. A constraint is considered "Unsatisfiable" for + an incoming pod if and only if every possible node assignment + for that pod would violate "MaxSkew" on some topology. For + example, in a 3-zone cluster, MaxSkew is set to 1, and pods + with the same labelSelector spread as 3/1/1: | zone1 | zone2 + | zone3 | | P P P | P | P | If WhenUnsatisfiable is + set to DoNotSchedule, incoming pod can only be scheduled to + zone2(zone3) to become 3/2/1(3/1/2) as ActualSkew(2-1) on + zone2(zone3) satisfies MaxSkew(1). In other words, the cluster + can still be imbalanced, but scheduler won''t make it *more* + imbalanced. It''s a required field.' + type: string + required: + - maxSkew + - topologyKey + - whenUnsatisfiable + type: object + type: array + x-kubernetes-list-map-keys: + - topologyKey + - whenUnsatisfiable + x-kubernetes-list-type: map + volumes: + description: List of volumes that can be mounted by disks belonging + to the vmi. + items: + description: Volume represents a named volume in a vmi. + properties: + cloudInitConfigDrive: + description: 'CloudInitConfigDrive represents a cloud-init Config + Drive user-data source. The Config Drive data will be added + as a disk to the vmi. A proper cloud-init installation is + required inside the guest. More info: https://cloudinit.readthedocs.io/en/latest/topics/datasources/configdrive.html' + properties: + networkData: + description: NetworkData contains config drive inline cloud-init + networkdata. + type: string + networkDataBase64: + description: NetworkDataBase64 contains config drive cloud-init + networkdata as a base64 encoded string. + type: string + networkDataSecretRef: + description: NetworkDataSecretRef references a k8s secret + that contains config drive networkdata. + properties: + name: + description: 'Name of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + type: object + secretRef: + description: UserDataSecretRef references a k8s secret that + contains config drive userdata. + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + type: object + userData: + description: UserData contains config drive inline cloud-init + userdata. + type: string + userDataBase64: + description: UserDataBase64 contains config drive cloud-init + userdata as a base64 encoded string. + type: string + type: object + cloudInitNoCloud: + description: 'CloudInitNoCloud represents a cloud-init NoCloud + user-data source. The NoCloud data will be added as a disk + to the vmi. A proper cloud-init installation is required inside + the guest. More info: http://cloudinit.readthedocs.io/en/latest/topics/datasources/nocloud.html' + properties: + networkData: + description: NetworkData contains NoCloud inline cloud-init + networkdata. + type: string + networkDataBase64: + description: NetworkDataBase64 contains NoCloud cloud-init + networkdata as a base64 encoded string. + type: string + networkDataSecretRef: + description: NetworkDataSecretRef references a k8s secret + that contains NoCloud networkdata. + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + type: object + secretRef: + description: UserDataSecretRef references a k8s secret that + contains NoCloud userdata. + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. 
apiVersion, kind, uid?' + type: string + type: object + userData: + description: UserData contains NoCloud inline cloud-init + userdata. + type: string + userDataBase64: + description: UserDataBase64 contains NoCloud cloud-init + userdata as a base64 encoded string. + type: string + type: object + configMap: + description: 'ConfigMapSource represents a reference to a ConfigMap + in the same namespace. More info: https://kubernetes.io/docs/tasks/configure-pod-container/configure-pod-configmap/' + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + optional: + description: Specify whether the ConfigMap or it's keys + must be defined + type: boolean + volumeLabel: + description: The volume label of the resulting disk inside + the VMI. Different bootstrapping mechanisms require different + values. Typical values are "cidata" (cloud-init), "config-2" + (cloud-init) or "OEMDRV" (kickstart). + type: string + type: object + containerDisk: + description: 'ContainerDisk references a docker image, embedding + a qcow or raw disk. More info: https://kubevirt.gitbooks.io/user-guide/registry-disk.html' + properties: + image: + description: Image is the name of the image with the embedded + disk. + type: string + imagePullPolicy: + description: 'Image pull policy. One of Always, Never, IfNotPresent. + Defaults to Always if :latest tag is specified, or IfNotPresent + otherwise. Cannot be updated. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images' + type: string + imagePullSecret: + description: ImagePullSecret is the name of the Docker registry + secret required to pull the image. The secret must already + exist. 
+ type: string + path: + description: Path defines the path to disk file in the container + type: string + required: + - image + type: object + dataVolume: + description: DataVolume represents the dynamic creation a PVC + for this volume as well as the process of populating that + PVC with a disk image. + properties: + hotpluggable: + description: Hotpluggable indicates whether the volume can + be hotplugged and hotunplugged. + type: boolean + name: + description: Name of both the DataVolume and the PVC in + the same namespace. After PVC population the DataVolume + is garbage collected by default. + type: string + required: + - name + type: object + downwardAPI: + description: DownwardAPI represents downward API about the pod + that should populate this volume + properties: + fields: + description: Fields is a list of downward API volume file + items: + description: DownwardAPIVolumeFile represents information + to create the file containing the pod field + properties: + fieldRef: + description: 'Required: Selects a field of the pod: + only annotations, labels, name and namespace are + supported.' + properties: + apiVersion: + description: Version of the schema the FieldPath + is written in terms of, defaults to "v1". + type: string + fieldPath: + description: Path of the field to select in the + specified API version. + type: string + required: + - fieldPath + type: object + mode: + description: 'Optional: mode bits used to set permissions + on this file, must be an octal value between 0000 + and 0777 or a decimal value between 0 and 511. YAML + accepts both octal and decimal values, JSON requires + decimal values for mode bits. If not specified, + the volume defaultMode will be used. This might + be in conflict with other options that affect the + file mode, like fsGroup, and the result can be other + mode bits set.' + format: int32 + type: integer + path: + description: 'Required: Path is the relative path + name of the file to be created. 
Must not be absolute + or contain the ''..'' path. Must be utf-8 encoded. + The first item of the relative path must not start + with ''..''' + type: string + resourceFieldRef: + description: 'Selects a resource of the container: + only resources limits and requests (limits.cpu, + limits.memory, requests.cpu and requests.memory) + are currently supported.' + properties: + containerName: + description: 'Container name: required for volumes, + optional for env vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies the output format of the + exposed resources, defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource to select' + type: string + required: + - resource + type: object + required: + - path + type: object + type: array + volumeLabel: + description: The volume label of the resulting disk inside + the VMI. Different bootstrapping mechanisms require different + values. Typical values are "cidata" (cloud-init), "config-2" + (cloud-init) or "OEMDRV" (kickstart). + type: string + type: object + downwardMetrics: + description: DownwardMetrics adds a very small disk to VMIs + which contains a limited view of host and guest metrics. The + disk content is compatible with vhostmd (https://github.com/vhostmd/vhostmd) + and vm-dump-metrics. + type: object + emptyDisk: + description: 'EmptyDisk represents a temporary disk which shares + the vmis lifecycle. More info: https://kubevirt.gitbooks.io/user-guide/disks-and-volumes.html' + properties: + capacity: + anyOf: + - type: integer + - type: string + description: Capacity of the sparse disk. 
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + required: + - capacity + type: object + ephemeral: + description: Ephemeral is a special volume source that "wraps" + specified source and provides copy-on-write image on top of + it. + properties: + persistentVolumeClaim: + description: 'PersistentVolumeClaimVolumeSource represents + a reference to a PersistentVolumeClaim in the same namespace. + Directly attached to the vmi via qemu. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims' + properties: + claimName: + description: 'ClaimName is the name of a PersistentVolumeClaim + in the same namespace as the pod using this volume. + More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims' + type: string + readOnly: + description: Will force the ReadOnly setting in VolumeMounts. + Default false. 
+ type: boolean + required: + - claimName + type: object + type: object + hostDisk: + description: HostDisk represents a disk created on the cluster + level + properties: + capacity: + anyOf: + - type: integer + - type: string + description: Capacity of the sparse disk + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + path: + description: The path to HostDisk image located on the cluster + type: string + shared: + description: Shared indicate whether the path is shared + between nodes + type: boolean + type: + description: Contains information if disk.img exists or + should be created allowed options are 'Disk' and 'DiskOrCreate' + type: string + required: + - path + - type + type: object + memoryDump: + description: MemoryDump is attached to the virt launcher and + is populated with a memory dump of the vmi + properties: + claimName: + description: 'ClaimName is the name of a PersistentVolumeClaim + in the same namespace as the pod using this volume. More + info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims' + type: string + hotpluggable: + description: Hotpluggable indicates whether the volume can + be hotplugged and hotunplugged. + type: boolean + readOnly: + description: Will force the ReadOnly setting in VolumeMounts. + Default false. + type: boolean + required: + - claimName + type: object + name: + description: 'Volume''s name. Must be a DNS_LABEL and unique + within the vmi. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + persistentVolumeClaim: + description: 'PersistentVolumeClaimVolumeSource represents a + reference to a PersistentVolumeClaim in the same namespace. + Directly attached to the vmi via qemu. 
More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims' + properties: + claimName: + description: 'ClaimName is the name of a PersistentVolumeClaim + in the same namespace as the pod using this volume. More + info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims' + type: string + hotpluggable: + description: Hotpluggable indicates whether the volume can + be hotplugged and hotunplugged. + type: boolean + readOnly: + description: Will force the ReadOnly setting in VolumeMounts. + Default false. + type: boolean + required: + - claimName + type: object + secret: + description: 'SecretVolumeSource represents a reference to a + secret data in the same namespace. More info: https://kubernetes.io/docs/concepts/configuration/secret/' + properties: + optional: + description: Specify whether the Secret or it's keys must + be defined + type: boolean + secretName: + description: 'Name of the secret in the pod''s namespace + to use. More info: https://kubernetes.io/docs/concepts/storage/volumes#secret' + type: string + volumeLabel: + description: The volume label of the resulting disk inside + the VMI. Different bootstrapping mechanisms require different + values. Typical values are "cidata" (cloud-init), "config-2" + (cloud-init) or "OEMDRV" (kickstart). + type: string + type: object + serviceAccount: + description: 'ServiceAccountVolumeSource represents a reference + to a service account. There can only be one volume of this + type! More info: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/' + properties: + serviceAccountName: + description: 'Name of the service account in the pod''s + namespace to use. More info: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/' + type: string + type: object + sysprep: + description: Represents a Sysprep volume source. 
+ properties: + configMap: + description: ConfigMap references a ConfigMap that contains + Sysprep answer file named autounattend.xml that should + be attached as disk of CDROM type. + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + type: object + secret: + description: Secret references a k8s Secret that contains + Sysprep answer file named autounattend.xml that should + be attached as disk of CDROM type. + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + type: object + type: object + required: + - name + type: object + type: array + required: + - domain + type: object + status: + description: Status is the high level overview of how the VirtualMachineInstance + is doing. It contains information available to controllers and users. + properties: + VSOCKCID: + description: VSOCKCID is used to track the allocated VSOCK CID in + the VM. + format: int32 + type: integer + activePods: + additionalProperties: + type: string + description: ActivePods is a mapping of pod UID to node name. It is + possible for multiple pods to be running for a single VMI during + migration. + type: object + conditions: + description: Conditions are specific points in VirtualMachineInstance's + pod runtime. + items: + properties: + lastProbeTime: + format: date-time + nullable: true + type: string + lastTransitionTime: + format: date-time + nullable: true + type: string + message: + type: string + reason: + type: string + status: + type: string + type: + type: string + required: + - status + - type + type: object + type: array + evacuationNodeName: + description: EvacuationNodeName is used to track the eviction process + of a VMI. 
It stores the name of the node that we want to evacuate. + It is meant to be used by KubeVirt core components only and can't + be set or modified by users. + type: string + fsFreezeStatus: + description: FSFreezeStatus is the state of the fs of the guest it + can be either frozen or thawed + type: string + guestOSInfo: + description: Guest OS Information + properties: + id: + description: Guest OS Id + type: string + kernelRelease: + description: Guest OS Kernel Release + type: string + kernelVersion: + description: Kernel version of the Guest OS + type: string + machine: + description: Machine type of the Guest OS + type: string + name: + description: Name of the Guest OS + type: string + prettyName: + description: Guest OS Pretty Name + type: string + version: + description: Guest OS Version + type: string + versionId: + description: Version ID of the Guest OS + type: string + type: object + interfaces: + description: Interfaces represent the details of available network + interfaces. + items: + properties: + infoSource: + description: 'Specifies the origin of the interface data collected. + values: domain, guest-agent, or both' + type: string + interfaceName: + description: The interface name inside the Virtual Machine + type: string + ipAddress: + description: IP address of a Virtual Machine interface. 
It is + always the first item of IPs + type: string + ipAddresses: + description: List of all IP addresses of a Virtual Machine interface + items: + type: string + type: array + mac: + description: Hardware address of a Virtual Machine interface + type: string + name: + description: Name of the interface, corresponds to name of the + network assigned to the interface + type: string + queueCount: + description: Specifies how many queues are allocated by MultiQueue + format: int32 + type: integer + type: object + type: array + launcherContainerImageVersion: + description: LauncherContainerImageVersion indicates what container + image is currently active for the vmi. + type: string + migrationMethod: + description: 'Represents the method using which the vmi can be migrated: + live migration or block migration' + type: string + migrationState: + description: Represents the status of a live migration + properties: + abortRequested: + description: Indicates that the migration has been requested to + abort + type: boolean + abortStatus: + description: Indicates the final status of the live migration + abortion + type: string + completed: + description: Indicates the migration completed + type: boolean + endTimestamp: + description: The time the migration action ended + format: date-time + nullable: true + type: string + failed: + description: Indicates that the migration failed + type: boolean + migrationConfiguration: + description: Migration configurations to apply + properties: + allowAutoConverge: + description: AllowAutoConverge allows the platform to compromise + performance/availability of VMIs to guarantee successful + VMI live migrations. Defaults to false + type: boolean + allowPostCopy: + description: AllowPostCopy enables post-copy live migrations. + Such migrations allow even the busiest VMIs to successfully + live-migrate. However, events like a network failure can + cause a VMI crash. 
If set to true, migrations will still + start in pre-copy, but switch to post-copy when CompletionTimeoutPerGiB + triggers. Defaults to false + type: boolean + bandwidthPerMigration: + anyOf: + - type: integer + - type: string + description: BandwidthPerMigration limits the amount of network + bandwith live migrations are allowed to use. The value is + in quantity per second. Defaults to 0 (no limit) + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + completionTimeoutPerGiB: + description: CompletionTimeoutPerGiB is the maximum number + of seconds per GiB a migration is allowed to take. If a + live-migration takes longer to migrate than this value multiplied + by the size of the VMI, the migration will be cancelled, + unless AllowPostCopy is true. Defaults to 800 + format: int64 + type: integer + disableTLS: + description: When set to true, DisableTLS will disable the + additional layer of live migration encryption provided by + KubeVirt. This is usually a bad idea. Defaults to false + type: boolean + network: + description: Network is the name of the CNI network to use + for live migrations. By default, migrations go through the + pod network. + type: string + nodeDrainTaintKey: + description: 'NodeDrainTaintKey defines the taint key that + indicates a node should be drained. Note: this option relies + on the deprecated node taint feature. Default: kubevirt.io/drain' + type: string + parallelMigrationsPerCluster: + description: ParallelMigrationsPerCluster is the total number + of concurrent live migrations allowed cluster-wide. Defaults + to 5 + format: int32 + type: integer + parallelOutboundMigrationsPerNode: + description: ParallelOutboundMigrationsPerNode is the maximum + number of concurrent outgoing live migrations allowed per + node. 
Defaults to 2 + format: int32 + type: integer + progressTimeout: + description: ProgressTimeout is the maximum number of seconds + a live migration is allowed to make no progress. Hitting + this timeout means a migration transferred 0 data for that + many seconds. The migration is then considered stuck and + therefore cancelled. Defaults to 150 + format: int64 + type: integer + unsafeMigrationOverride: + description: UnsafeMigrationOverride allows live migrations + to occur even if the compatibility check indicates the migration + will be unsafe to the guest. Defaults to false + type: boolean + type: object + migrationPolicyName: + description: Name of the migration policy. If string is empty, + no policy is matched + type: string + migrationUid: + description: The VirtualMachineInstanceMigration object associated + with this migration + type: string + mode: + description: Lets us know if the vmi is currently running pre + or post copy migration + type: string + sourceNode: + description: The source node that the VMI originated on + type: string + startTimestamp: + description: The time the migration action began + format: date-time + nullable: true + type: string + targetAttachmentPodUID: + description: The UID of the target attachment pod for hotplug + volumes + type: string + targetCPUSet: + description: If the VMI requires dedicated CPUs, this field will + hold the dedicated CPU set on the target node + items: + type: integer + type: array + x-kubernetes-list-type: atomic + targetDirectMigrationNodePorts: + additionalProperties: + type: integer + description: The list of ports opened for live migration on the + destination node + type: object + targetNode: + description: The target node that the VMI is moving to + type: string + targetNodeAddress: + description: The address of the target node to use for the migration + type: string + targetNodeDomainDetected: + description: The Target Node has seen the Domain Start Event + type: boolean + targetNodeTopology: + 
description: If the VMI requires dedicated CPUs, this field will + hold the numa topology on the target node + type: string + targetPod: + description: The target pod that the VMI is moving to + type: string + type: object + migrationTransport: + description: This represents the migration transport + type: string + nodeName: + description: NodeName is the name where the VirtualMachineInstance + is currently running. + type: string + phase: + description: Phase is the status of the VirtualMachineInstance in + kubernetes world. It is not the VirtualMachineInstance status, but + partially correlates to it. + type: string + phaseTransitionTimestamps: + description: PhaseTransitionTimestamp is the timestamp of when the + last phase change occurred + items: + description: VirtualMachineInstancePhaseTransitionTimestamp gives + a timestamp in relation to when a phase is set on a vmi + properties: + phase: + description: Phase is the status of the VirtualMachineInstance + in kubernetes world. It is not the VirtualMachineInstance + status, but partially correlates to it. + type: string + phaseTransitionTimestamp: + description: PhaseTransitionTimestamp is the timestamp of when + the phase change occurred + format: date-time + type: string + type: object + type: array + x-kubernetes-list-type: atomic + qosClass: + description: 'The Quality of Service (QOS) classification assigned + to the virtual machine instance based on resource requirements See + PodQOSClass type for available QOS classes More info: https://git.k8s.io/community/contributors/design-proposals/node/resource-qos.md' + type: string + reason: + description: A brief CamelCase message indicating details about why + the VMI is in this state. e.g. 
'NodeUnresponsive' + type: string + runtimeUser: + description: RuntimeUser is used to determine what user will be used + in launcher + format: int64 + type: integer + selinuxContext: + description: SELinuxContext is the actual SELinux context of the virt-launcher + pod + type: string + topologyHints: + properties: + tscFrequency: + format: int64 + type: integer + type: object + virtualMachineRevisionName: + description: VirtualMachineRevisionName is used to get the vm revision + of the vmi when doing an online vm snapshot + type: string + volumeStatus: + description: VolumeStatus contains the statuses of all the volumes + items: + description: VolumeStatus represents information about the status + of volumes attached to the VirtualMachineInstance. + properties: + hotplugVolume: + description: If the volume is hotplug, this will contain the + hotplug status. + properties: + attachPodName: + description: AttachPodName is the name of the pod used to + attach the volume to the node. + type: string + attachPodUID: + description: AttachPodUID is the UID of the pod used to + attach the volume to the node. + type: string + type: object + memoryDumpVolume: + description: If the volume is memorydump volume, this will contain + the memorydump info. 
+ properties: + claimName: + description: ClaimName is the name of the pvc the memory + was dumped to + type: string + endTimestamp: + description: EndTimestamp is the time when the memory dump + completed + format: date-time + type: string + startTimestamp: + description: StartTimestamp is the time when the memory + dump started + format: date-time + type: string + targetFileName: + description: TargetFileName is the name of the memory dump + output + type: string + type: object + message: + description: Message is a detailed message about the current + hotplug volume phase + type: string + name: + description: Name is the name of the volume + type: string + persistentVolumeClaimInfo: + description: PersistentVolumeClaimInfo is information about + the PVC that handler requires during start flow + properties: + accessModes: + description: 'AccessModes contains the desired access modes + the volume should have. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1' + items: + type: string + type: array + x-kubernetes-list-type: atomic + capacity: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: Capacity represents the capacity set on the + corresponding PVC status + type: object + filesystemOverhead: + description: Percentage of filesystem's size to be reserved + when resizing the PVC + pattern: ^(0(?:\.\d{1,3})?|1)$ + type: string + preallocated: + description: Preallocated indicates if the PVC's storage + is preallocated or not + type: boolean + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: Requests represents the resources requested + 
by the corresponding PVC spec + type: object + volumeMode: + description: VolumeMode defines what type of volume is required + by the claim. Value of Filesystem is implied when not + included in claim spec. + type: string + type: object + phase: + description: Phase is the phase + type: string + reason: + description: Reason is a brief description of why we are in + the current hotplug volume phase + type: string + size: + description: Represents the size of the volume + format: int64 + type: integer + target: + description: 'Target is the target name used when adding the + volume to the VM, eg: vda' + type: string + required: + - name + - target + type: object + type: array + x-kubernetes-list-type: atomic + type: object + required: + - spec + type: object + served: true + storage: false + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - jsonPath: .status.phase + name: Phase + type: string + - jsonPath: .status.interfaces[0].ipAddress + name: IP + type: string + - jsonPath: .status.nodeName + name: NodeName + type: string + - jsonPath: .status.conditions[?(@.type=='Ready')].status + name: Ready + type: string + - jsonPath: .status.conditions[?(@.type=='LiveMigratable')].status + name: Live-Migratable + priority: 1 + type: string + - jsonPath: .status.conditions[?(@.type=='Paused')].status + name: Paused + priority: 1 + type: string + name: v1alpha3 + schema: + openAPIV3Schema: + description: VirtualMachineInstance is *the* VirtualMachineInstance Definition. + It represents a virtual machine in the runtime environment of kubernetes. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: VirtualMachineInstance Spec contains the VirtualMachineInstance + specification. + properties: + accessCredentials: + description: Specifies a set of public keys to inject into the vm + guest + items: + description: AccessCredential represents a credential source that + can be used to authorize remote access to the vm guest Only one + of its members may be specified. + properties: + sshPublicKey: + description: SSHPublicKey represents the source and method of + applying a ssh public key into a guest virtual machine. + properties: + propagationMethod: + description: PropagationMethod represents how the public + key is injected into the vm guest. + properties: + configDrive: + description: ConfigDrivePropagation means that the ssh + public keys are injected into the VM using metadata + using the configDrive cloud-init provider + type: object + qemuGuestAgent: + description: QemuGuestAgentAccessCredentailPropagation + means ssh public keys are dynamically injected into + the vm at runtime via the qemu guest agent. This feature + requires the qemu guest agent to be running within + the guest. + properties: + users: + description: Users represents a list of guest users + that should have the ssh public keys added to + their authorized_keys file. 
+ items: + type: string + type: array + x-kubernetes-list-type: set + required: + - users + type: object + type: object + source: + description: Source represents where the public keys are + pulled from + properties: + secret: + description: Secret means that the access credential + is pulled from a kubernetes secret + properties: + secretName: + description: SecretName represents the name of the + secret in the VMI's namespace + type: string + required: + - secretName + type: object + type: object + required: + - propagationMethod + - source + type: object + userPassword: + description: UserPassword represents the source and method for + applying a guest user's password + properties: + propagationMethod: + description: propagationMethod represents how the user passwords + are injected into the vm guest. + properties: + qemuGuestAgent: + description: QemuGuestAgentAccessCredentailPropagation + means passwords are dynamically injected into the + vm at runtime via the qemu guest agent. This feature + requires the qemu guest agent to be running within + the guest. + type: object + type: object + source: + description: Source represents where the user passwords + are pulled from + properties: + secret: + description: Secret means that the access credential + is pulled from a kubernetes secret + properties: + secretName: + description: SecretName represents the name of the + secret in the VMI's namespace + type: string + required: + - secretName + type: object + type: object + required: + - propagationMethod + - source + type: object + type: object + type: array + x-kubernetes-list-type: atomic + affinity: + description: If affinity is specifies, obey all the affinity rules + properties: + nodeAffinity: + description: Describes node affinity scheduling rules for the + pod. 
+ properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer to schedule pods to + nodes that satisfy the affinity expressions specified by + this field, but it may choose a node that violates one or + more of the expressions. The node that is most preferred + is the one with the greatest sum of weights, i.e. for each + node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling affinity expressions, + etc.), compute a sum by iterating through the elements of + this field and adding "weight" to the sum if the node matches + the corresponding matchExpressions; the node(s) with the + highest sum are the most preferred. + items: + description: An empty preferred scheduling term matches + all objects with implicit weight 0 (i.e. it's a no-op). + A null preferred scheduling term matches no objects (i.e. + is also a no-op). + properties: + preference: + description: A node selector term, associated with the + corresponding weight. + properties: + matchExpressions: + description: A list of node selector requirements + by node's labels. + items: + description: A node selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. + properties: + key: + description: The label key that the selector + applies to. + type: string + operator: + description: Represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists, DoesNotExist. Gt, and + Lt. + type: string + values: + description: An array of string values. If + the operator is In or NotIn, the values + array must be non-empty. If the operator + is Exists or DoesNotExist, the values array + must be empty. If the operator is Gt or + Lt, the values array must have a single + element, which will be interpreted as an + integer. This array is replaced during a + strategic merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + description: A list of node selector requirements + by node's fields. + items: + description: A node selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. + properties: + key: + description: The label key that the selector + applies to. + type: string + operator: + description: Represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists, DoesNotExist. Gt, and + Lt. + type: string + values: + description: An array of string values. If + the operator is In or NotIn, the values + array must be non-empty. If the operator + is Exists or DoesNotExist, the values array + must be empty. If the operator is Gt or + Lt, the values array must have a single + element, which will be interpreted as an + integer. This array is replaced during a + strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + weight: + description: Weight associated with matching the corresponding + nodeSelectorTerm, in the range 1-100. + format: int32 + type: integer + required: + - preference + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements specified by this + field are not met at scheduling time, the pod will not be + scheduled onto the node. If the affinity requirements specified + by this field cease to be met at some point during pod execution + (e.g. due to an update), the system may or may not try to + eventually evict the pod from its node. + properties: + nodeSelectorTerms: + description: Required. A list of node selector terms. + The terms are ORed. + items: + description: A null or empty node selector term matches + no objects. The requirements of them are ANDed. 
The + TopologySelectorTerm type implements a subset of the + NodeSelectorTerm. + properties: + matchExpressions: + description: A list of node selector requirements + by node's labels. + items: + description: A node selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. + properties: + key: + description: The label key that the selector + applies to. + type: string + operator: + description: Represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists, DoesNotExist. Gt, and + Lt. + type: string + values: + description: An array of string values. If + the operator is In or NotIn, the values + array must be non-empty. If the operator + is Exists or DoesNotExist, the values array + must be empty. If the operator is Gt or + Lt, the values array must have a single + element, which will be interpreted as an + integer. This array is replaced during a + strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + description: A list of node selector requirements + by node's fields. + items: + description: A node selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. + properties: + key: + description: The label key that the selector + applies to. + type: string + operator: + description: Represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists, DoesNotExist. Gt, and + Lt. + type: string + values: + description: An array of string values. If + the operator is In or NotIn, the values + array must be non-empty. If the operator + is Exists or DoesNotExist, the values array + must be empty. If the operator is Gt or + Lt, the values array must have a single + element, which will be interpreted as an + integer. This array is replaced during a + strategic merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + type: array + required: + - nodeSelectorTerms + type: object + type: object + podAffinity: + description: Describes pod affinity scheduling rules (e.g. co-locate + this pod in the same node, zone, etc. as some other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer to schedule pods to + nodes that satisfy the affinity expressions specified by + this field, but it may choose a node that violates one or + more of the expressions. The node that is most preferred + is the one with the greatest sum of weights, i.e. for each + node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling affinity expressions, + etc.), compute a sum by iterating through the elements of + this field and adding "weight" to the sum if the node has + pods which matches the corresponding podAffinityTerm; the + node(s) with the highest sum are the most preferred. + items: + description: The weights of all of the matched WeightedPodAffinityTerm + fields are added per-node to find the most preferred node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity term, associated + with the corresponding weight. + properties: + labelSelector: + description: A label query over a set of resources, + in this case pods. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement + is a selector that contains values, a key, + and an operator that relates the key and + values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. 
+ type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + namespaceSelector: + description: A label query over the set of namespaces + that the term applies to. The term is applied + to the union of the namespaces selected by this + field and the ones listed in the namespaces field. + null selector and null or empty namespaces list + means "this pod's namespace". An empty selector + ({}) matches all namespaces. This field is beta-level + and is only honored when PodAffinityNamespaceSelector + feature is enabled. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement + is a selector that contains values, a key, + and an operator that relates the key and + values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. 
This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + namespaces: + description: namespaces specifies a static list + of namespace names that the term applies to. The + term is applied to the union of the namespaces + listed in this field and the ones selected by + namespaceSelector. null or empty namespaces list + and null namespaceSelector means "this pod's namespace" + items: + type: string + type: array + topologyKey: + description: This pod should be co-located (affinity) + or not co-located (anti-affinity) with the pods + matching the labelSelector in the specified namespaces, + where co-located is defined as running on a node + whose value of the label with key topologyKey + matches that of any node on which any of the selected + pods is running. Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: weight associated with matching the corresponding + podAffinityTerm, in the range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements specified by this + field are not met at scheduling time, the pod will not be + scheduled onto the node. If the affinity requirements specified + by this field cease to be met at some point during pod execution + (e.g. due to a pod label update), the system may or may + not try to eventually evict the pod from its node. 
When + there are multiple elements, the lists of nodes corresponding + to each podAffinityTerm are intersected, i.e. all terms + must be satisfied. + items: + description: Defines a set of pods (namely those matching + the labelSelector relative to the given namespace(s)) + that this pod should be co-located (affinity) or not co-located + (anti-affinity) with, where co-located is defined as running + on a node whose value of the label with key + matches that of any node on which a pod of the set of + pods is running + properties: + labelSelector: + description: A label query over a set of resources, + in this case pods. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If the + operator is Exists or DoesNotExist, the + values array must be empty. This array is + replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". The + requirements are ANDed. 
+ type: object + type: object + namespaceSelector: + description: A label query over the set of namespaces + that the term applies to. The term is applied to the + union of the namespaces selected by this field and + the ones listed in the namespaces field. null selector + and null or empty namespaces list means "this pod's + namespace". An empty selector ({}) matches all namespaces. + This field is beta-level and is only honored when + PodAffinityNamespaceSelector feature is enabled. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If the + operator is Exists or DoesNotExist, the + values array must be empty. This array is + replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". The + requirements are ANDed. + type: object + type: object + namespaces: + description: namespaces specifies a static list of namespace + names that the term applies to. 
The term is applied + to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. null or + empty namespaces list and null namespaceSelector means + "this pod's namespace" + items: + type: string + type: array + topologyKey: + description: This pod should be co-located (affinity) + or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where + co-located is defined as running on a node whose value + of the label with key topologyKey matches that of + any node on which any of the selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + type: object + podAntiAffinity: + description: Describes pod anti-affinity scheduling rules (e.g. + avoid putting this pod in the same node, zone, etc. as some + other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer to schedule pods to + nodes that satisfy the anti-affinity expressions specified + by this field, but it may choose a node that violates one + or more of the expressions. The node that is most preferred + is the one with the greatest sum of weights, i.e. for each + node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling anti-affinity expressions, + etc.), compute a sum by iterating through the elements of + this field and adding "weight" to the sum if the node has + pods which matches the corresponding podAffinityTerm; the + node(s) with the highest sum are the most preferred. + items: + description: The weights of all of the matched WeightedPodAffinityTerm + fields are added per-node to find the most preferred node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity term, associated + with the corresponding weight. + properties: + labelSelector: + description: A label query over a set of resources, + in this case pods. 
+ properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement + is a selector that contains values, a key, + and an operator that relates the key and + values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + namespaceSelector: + description: A label query over the set of namespaces + that the term applies to. The term is applied + to the union of the namespaces selected by this + field and the ones listed in the namespaces field. + null selector and null or empty namespaces list + means "this pod's namespace". An empty selector + ({}) matches all namespaces. This field is beta-level + and is only honored when PodAffinityNamespaceSelector + feature is enabled. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. 
+ items: + description: A label selector requirement + is a selector that contains values, a key, + and an operator that relates the key and + values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + namespaces: + description: namespaces specifies a static list + of namespace names that the term applies to. The + term is applied to the union of the namespaces + listed in this field and the ones selected by + namespaceSelector. null or empty namespaces list + and null namespaceSelector means "this pod's namespace" + items: + type: string + type: array + topologyKey: + description: This pod should be co-located (affinity) + or not co-located (anti-affinity) with the pods + matching the labelSelector in the specified namespaces, + where co-located is defined as running on a node + whose value of the label with key topologyKey + matches that of any node on which any of the selected + pods is running. Empty topologyKey is not allowed. 
+ type: string + required: + - topologyKey + type: object + weight: + description: weight associated with matching the corresponding + podAffinityTerm, in the range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the anti-affinity requirements specified by + this field are not met at scheduling time, the pod will + not be scheduled onto the node. If the anti-affinity requirements + specified by this field cease to be met at some point during + pod execution (e.g. due to a pod label update), the system + may or may not try to eventually evict the pod from its + node. When there are multiple elements, the lists of nodes + corresponding to each podAffinityTerm are intersected, i.e. + all terms must be satisfied. + items: + description: Defines a set of pods (namely those matching + the labelSelector relative to the given namespace(s)) + that this pod should be co-located (affinity) or not co-located + (anti-affinity) with, where co-located is defined as running + on a node whose value of the label with key + matches that of any node on which a pod of the set of + pods is running + properties: + labelSelector: + description: A label query over a set of resources, + in this case pods. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. 
If the operator is In or NotIn, + the values array must be non-empty. If the + operator is Exists or DoesNotExist, the + values array must be empty. This array is + replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". The + requirements are ANDed. + type: object + type: object + namespaceSelector: + description: A label query over the set of namespaces + that the term applies to. The term is applied to the + union of the namespaces selected by this field and + the ones listed in the namespaces field. null selector + and null or empty namespaces list means "this pod's + namespace". An empty selector ({}) matches all namespaces. + This field is beta-level and is only honored when + PodAffinityNamespaceSelector feature is enabled. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If the + operator is Exists or DoesNotExist, the + values array must be empty. This array is + replaced during a strategic merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". The + requirements are ANDed. + type: object + type: object + namespaces: + description: namespaces specifies a static list of namespace + names that the term applies to. The term is applied + to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. null or + empty namespaces list and null namespaceSelector means + "this pod's namespace" + items: + type: string + type: array + topologyKey: + description: This pod should be co-located (affinity) + or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where + co-located is defined as running on a node whose value + of the label with key topologyKey matches that of + any node on which any of the selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + type: object + type: object + dnsConfig: + description: Specifies the DNS parameters of a pod. Parameters specified + here will be merged to the generated DNS configuration based on + DNSPolicy. + properties: + nameservers: + description: A list of DNS name server IP addresses. This will + be appended to the base nameservers generated from DNSPolicy. + Duplicated nameservers will be removed. + items: + type: string + type: array + options: + description: A list of DNS resolver options. This will be merged + with the base options generated from DNSPolicy. Duplicated entries + will be removed. Resolution options given in Options will override + those that appear in the base DNSPolicy. 
+ items: + description: PodDNSConfigOption defines DNS resolver options + of a pod. + properties: + name: + description: Required. + type: string + value: + type: string + type: object + type: array + searches: + description: A list of DNS search domains for host-name lookup. + This will be appended to the base search paths generated from + DNSPolicy. Duplicated search paths will be removed. + items: + type: string + type: array + type: object + dnsPolicy: + description: Set DNS policy for the pod. Defaults to "ClusterFirst". + Valid values are 'ClusterFirstWithHostNet', 'ClusterFirst', 'Default' + or 'None'. DNS parameters given in DNSConfig will be merged with + the policy selected with DNSPolicy. To have DNS options set along + with hostNetwork, you have to specify DNS policy explicitly to 'ClusterFirstWithHostNet'. + type: string + domain: + description: Specification of the desired behavior of the VirtualMachineInstance + on the host. + properties: + chassis: + description: Chassis specifies the chassis info passed to the + domain. + properties: + asset: + type: string + manufacturer: + type: string + serial: + type: string + sku: + type: string + version: + type: string + type: object + clock: + description: Clock sets the clock and timers of the vmi. + properties: + timer: + description: Timer specifies whih timers are attached to the + vmi. + properties: + hpet: + description: HPET (High Precision Event Timer) - multiple + timers with periodic interrupts. + properties: + present: + description: Enabled set to false makes sure that + the machine type or a preset can't add the timer. + Defaults to true. + type: boolean + tickPolicy: + description: TickPolicy determines what happens when + QEMU misses a deadline for injecting a tick to the + guest. One of "delay", "catchup", "merge", "discard". + type: string + type: object + hyperv: + description: Hyperv (Hypervclock) - lets guests read the + host’s wall clock time (paravirtualized). For windows + guests. 
+ properties: + present: + description: Enabled set to false makes sure that + the machine type or a preset can't add the timer. + Defaults to true. + type: boolean + type: object + kvm: + description: "KVM \t(KVM clock) - lets guests read the + host’s wall clock time (paravirtualized). For linux + guests." + properties: + present: + description: Enabled set to false makes sure that + the machine type or a preset can't add the timer. + Defaults to true. + type: boolean + type: object + pit: + description: PIT (Programmable Interval Timer) - a timer + with periodic interrupts. + properties: + present: + description: Enabled set to false makes sure that + the machine type or a preset can't add the timer. + Defaults to true. + type: boolean + tickPolicy: + description: TickPolicy determines what happens when + QEMU misses a deadline for injecting a tick to the + guest. One of "delay", "catchup", "discard". + type: string + type: object + rtc: + description: RTC (Real Time Clock) - a continuously running + timer with periodic interrupts. + properties: + present: + description: Enabled set to false makes sure that + the machine type or a preset can't add the timer. + Defaults to true. + type: boolean + tickPolicy: + description: TickPolicy determines what happens when + QEMU misses a deadline for injecting a tick to the + guest. One of "delay", "catchup". + type: string + track: + description: Track the guest or the wall clock. + type: string + type: object + type: object + timezone: + description: Timezone sets the guest clock to the specified + timezone. Zone name follows the TZ environment variable + format (e.g. 'America/New_York'). + type: string + utc: + description: UTC sets the guest clock to UTC on each boot. + If an offset is specified, guest changes to the clock will + be kept during reboots and are not reset. + properties: + offsetSeconds: + description: OffsetSeconds specifies an offset in seconds, + relative to UTC. 
If set, guest changes to the clock + will be kept during reboots and not reset. + type: integer + type: object + type: object + cpu: + description: CPU allow specified the detailed CPU topology inside + the vmi. + properties: + cores: + description: Cores specifies the number of cores inside the + vmi. Must be a value greater or equal 1. + format: int32 + type: integer + dedicatedCpuPlacement: + description: DedicatedCPUPlacement requests the scheduler + to place the VirtualMachineInstance on a node with enough + dedicated pCPUs and pin the vCPUs to it. + type: boolean + features: + description: Features specifies the CPU features list inside + the VMI. + items: + description: CPUFeature allows specifying a CPU feature. + properties: + name: + description: Name of the CPU feature + type: string + policy: + description: 'Policy is the CPU feature attribute which + can have the following attributes: force - The + virtual CPU will claim the feature is supported regardless + of it being supported by host CPU. require - Guest + creation will fail unless the feature is supported + by the host CPU or the hypervisor is able to emulate + it. optional - The feature will be supported by virtual + CPU if and only if it is supported by host CPU. disable - + The feature will not be supported by virtual CPU. + forbid - Guest creation will fail if the feature + is supported by host CPU. Defaults to require' + type: string + required: + - name + type: object + type: array + isolateEmulatorThread: + description: IsolateEmulatorThread requests one more dedicated + pCPU to be allocated for the VMI to place the emulator thread + on it. + type: boolean + model: + description: Model specifies the CPU model inside the VMI. + List of available models https://github.com/libvirt/libvirt/tree/master/src/cpu_map. + It is possible to specify special cases like "host-passthrough" + to get the same CPU as the node and "host-model" to get + CPU closest to the node one. Defaults to host-model. 
+ type: string + numa: + description: NUMA allows specifying settings for the guest + NUMA topology + properties: + guestMappingPassthrough: + description: GuestMappingPassthrough will create an efficient + guest topology based on host CPUs exclusively assigned + to a pod. The created topology ensures that memory and + CPUs on the virtual numa nodes never cross boundaries + of host numa nodes. + type: object + type: object + realtime: + description: Realtime instructs the virt-launcher to tune + the VMI for lower latency, optional for real time workloads + properties: + mask: + description: 'Mask defines the vcpu mask expression that + defines which vcpus are used for realtime. Format matches + libvirt''s expressions. Example: "0-3,^1","0,2,3","2-3"' + type: string + type: object + sockets: + description: Sockets specifies the number of sockets inside + the vmi. Must be a value greater or equal 1. + format: int32 + type: integer + threads: + description: Threads specifies the number of threads inside + the vmi. Must be a value greater or equal 1. + format: int32 + type: integer + type: object + devices: + description: Devices allows adding disks, network interfaces, + and others + properties: + autoattachGraphicsDevice: + description: Whether to attach the default graphics device + or not. VNC will not be available if set to false. Defaults + to true. + type: boolean + autoattachInputDevice: + description: Whether to attach an Input Device. Defaults to + false. + type: boolean + autoattachMemBalloon: + description: Whether to attach the Memory balloon device with + default period. Period can be adjusted in virt-config. Defaults + to true. + type: boolean + autoattachPodInterface: + description: Whether to attach a pod network interface. Defaults + to true. + type: boolean + autoattachSerialConsole: + description: Whether to attach the default serial console + or not. Serial console access will not be available if set + to false. Defaults to true. 
+ type: boolean + autoattachVSOCK: + description: Whether to attach the VSOCK CID to the VM or + not. VSOCK access will be available if set to true. Defaults + to false. + type: boolean + blockMultiQueue: + description: Whether or not to enable virtio multi-queue for + block devices. Defaults to false. + type: boolean + clientPassthrough: + description: To configure and access client devices such as + redirecting USB + type: object + disableHotplug: + description: DisableHotplug disabled the ability to hotplug + disks. + type: boolean + disks: + description: Disks describes disks, cdroms and luns which + are connected to the vmi. + items: + properties: + blockSize: + description: If specified, the virtual disk will be + presented with the given block sizes. + properties: + custom: + description: CustomBlockSize represents the desired + logical and physical block size for a VM disk. + properties: + logical: + type: integer + physical: + type: integer + required: + - logical + - physical + type: object + matchVolume: + description: Represents if a feature is enabled + or disabled. + properties: + enabled: + description: Enabled determines if the feature + should be enabled or disabled on the guest. + Defaults to true. + type: boolean + type: object + type: object + bootOrder: + description: BootOrder is an integer value > 0, used + to determine ordering of boot devices. Lower values + take precedence. Each disk or interface that has a + boot order must have a unique value. Disks without + a boot order are not tried if a disk with a boot order + exists. + type: integer + cache: + description: 'Cache specifies which kvm disk cache mode + should be used. Supported values are: CacheNone, CacheWriteThrough.' + type: string + cdrom: + description: Attach a volume as a cdrom to the vmi. + properties: + bus: + description: 'Bus indicates the type of disk device + to emulate. supported values: virtio, sata, scsi.' + type: string + readonly: + description: ReadOnly. 
Defaults to true. + type: boolean + tray: + description: Tray indicates if the tray of the device + is open or closed. Allowed values are "open" and + "closed". Defaults to closed. + type: string + type: object + dedicatedIOThread: + description: dedicatedIOThread indicates this disk should + have an exclusive IO Thread. Enabling this implies + useIOThreads = true. Defaults to false. + type: boolean + disk: + description: Attach a volume as a disk to the vmi. + properties: + bus: + description: 'Bus indicates the type of disk device + to emulate. supported values: virtio, sata, scsi, + usb.' + type: string + pciAddress: + description: 'If specified, the virtual disk will + be placed on the guests pci address with the specified + PCI address. For example: 0000:81:01.10' + type: string + readonly: + description: ReadOnly. Defaults to false. + type: boolean + type: object + io: + description: 'IO specifies which QEMU disk IO mode should + be used. Supported values are: native, default, threads.' + type: string + lun: + description: Attach a volume as a LUN to the vmi. + properties: + bus: + description: 'Bus indicates the type of disk device + to emulate. supported values: virtio, sata, scsi.' + type: string + readonly: + description: ReadOnly. Defaults to false. + type: boolean + type: object + name: + description: Name is the device name + type: string + serial: + description: Serial provides the ability to specify + a serial number for the disk device. + type: string + shareable: + description: If specified the disk is made sharable + and multiple write from different VMs are permitted + type: boolean + tag: + description: If specified, disk address and its tag + will be provided to the guest via config drive metadata + type: string + required: + - name + type: object + type: array + filesystems: + description: Filesystems describes filesystem which is connected + to the vmi. 
+ items: + properties: + name: + description: Name is the device name + type: string + virtiofs: + description: Virtiofs is supported + type: object + required: + - name + - virtiofs + type: object + type: array + x-kubernetes-list-type: atomic + gpus: + description: Whether to attach a GPU device to the vmi. + items: + properties: + deviceName: + type: string + name: + description: Name of the GPU device as exposed by a + device plugin + type: string + tag: + description: If specified, the virtual network interface + address and its tag will be provided to the guest + via config drive + type: string + virtualGPUOptions: + properties: + display: + properties: + enabled: + description: Enabled determines if a display + addapter backed by a vGPU should be enabled + or disabled on the guest. Defaults to true. + type: boolean + ramFB: + description: Enables a boot framebuffer, until + the guest OS loads a real GPU driver Defaults + to true. + properties: + enabled: + description: Enabled determines if the feature + should be enabled or disabled on the guest. + Defaults to true. + type: boolean + type: object + type: object + type: object + required: + - deviceName + - name + type: object + type: array + x-kubernetes-list-type: atomic + hostDevices: + description: Whether to attach a host device to the vmi. + items: + properties: + deviceName: + description: DeviceName is the resource name of the + host device exposed by a device plugin + type: string + name: + type: string + tag: + description: If specified, the virtual network interface + address and its tag will be provided to the guest + via config drive + type: string + required: + - deviceName + - name + type: object + type: array + x-kubernetes-list-type: atomic + inputs: + description: Inputs describe input devices + items: + properties: + bus: + description: 'Bus indicates the bus of input device + to emulate. Supported values: virtio, usb.' 
+ type: string + name: + description: Name is the device name + type: string + type: + description: 'Type indicated the type of input device. + Supported values: tablet.' + type: string + required: + - name + - type + type: object + type: array + interfaces: + description: Interfaces describe network interfaces which + are added to the vmi. + items: + properties: + acpiIndex: + description: If specified, the ACPI index is used to + provide network interface device naming, that is stable + across changes in PCI addresses assigned to the device. + This value is required to be unique across all devices + and be between 1 and (16*1024-1). + type: integer + bootOrder: + description: BootOrder is an integer value > 0, used + to determine ordering of boot devices. Lower values + take precedence. Each interface or disk that has a + boot order must have a unique value. Interfaces without + a boot order are not tried. + type: integer + bridge: + description: InterfaceBridge connects to a given network + via a linux bridge. + type: object + dhcpOptions: + description: If specified the network interface will + pass additional DHCP options to the VMI + properties: + bootFileName: + description: If specified will pass option 67 to + interface's DHCP server + type: string + ntpServers: + description: If specified will pass the configured + NTP server to the VM via DHCP option 042. + items: + type: string + type: array + privateOptions: + description: 'If specified will pass extra DHCP + options for private use, range: 224-254' + items: + description: DHCPExtraOptions defines Extra DHCP + options for a VM. + properties: + option: + description: Option is an Integer value from + 224-254 Required. + type: integer + value: + description: Value is a String value for the + Option provided Required. 
+ type: string + required: + - option + - value + type: object + type: array + tftpServerName: + description: If specified will pass option 66 to + interface's DHCP server + type: string + type: object + macAddress: + description: 'Interface MAC address. For example: de:ad:00:00:be:af + or DE-AD-00-00-BE-AF.' + type: string + macvtap: + description: InterfaceMacvtap connects to a given network + by extending the Kubernetes node's L2 networks via + a macvtap interface. + type: object + masquerade: + description: InterfaceMasquerade connects to a given + network using netfilter rules to nat the traffic. + type: object + model: + description: 'Interface model. One of: e1000, e1000e, + ne2k_pci, pcnet, rtl8139, virtio. Defaults to virtio. + TODO:(ihar) switch to enums once opengen-api supports + them. See: https://github.com/kubernetes/kube-openapi/issues/51' + type: string + name: + description: Logical name of the interface as well as + a reference to the associated networks. Must match + the Name of a Network. + type: string + passt: + description: InterfacePasst connects to a given network. + type: object + pciAddress: + description: 'If specified, the virtual network interface + will be placed on the guests pci address with the + specified PCI address. For example: 0000:81:01.10' + type: string + ports: + description: List of ports to be forwarded to the virtual + machine. + items: + description: Port represents a port to expose from + the virtual machine. Default protocol TCP. The port + field is mandatory + properties: + name: + description: If specified, this must be an IANA_SVC_NAME + and unique within the pod. Each named port in + a pod must have a unique name. Name for the + port that can be referred to by services. + type: string + port: + description: Number of port to expose for the + virtual machine. This must be a valid port number, + 0 < x < 65536. + format: int32 + type: integer + protocol: + description: Protocol for port. Must be UDP or + TCP. 
Defaults to "TCP". + type: string + required: + - port + type: object + type: array + slirp: + description: InterfaceSlirp connects to a given network + using QEMU user networking mode. + type: object + sriov: + description: InterfaceSRIOV connects to a given network + by passing-through an SR-IOV PCI device via vfio. + type: object + tag: + description: If specified, the virtual network interface + address and its tag will be provided to the guest + via config drive + type: string + required: + - name + type: object + type: array + networkInterfaceMultiqueue: + description: If specified, virtual network interfaces configured + with a virtio bus will also enable the vhost multiqueue + feature for network devices. The number of queues created + depends on additional factors of the VirtualMachineInstance, + like the number of guest CPUs. + type: boolean + rng: + description: Whether to have random number generator from + host + type: object + sound: + description: Whether to emulate a sound device. + properties: + model: + description: 'We only support ich9 or ac97. If SoundDevice + is not set: No sound card is emulated. If SoundDevice + is set but Model is not: ich9' + type: string + name: + description: User's defined name for this sound device + type: string + required: + - name + type: object + tpm: + description: Whether to emulate a TPM device. + type: object + useVirtioTransitional: + description: Fall back to legacy virtio 0.9 support if virtio + bus is selected on devices. This is helpful for old machines + like CentOS6 or RHEL6 which do not understand virtio_non_transitional + (virtio 1.0). + type: boolean + watchdog: + description: Watchdog describes a watchdog device which can + be added to the vmi. + properties: + i6300esb: + description: i6300esb watchdog device. + properties: + action: + description: The action to take. Valid values are + poweroff, reset, shutdown. Defaults to reset. 
+ type: string + type: object + name: + description: Name of the watchdog. + type: string + required: + - name + type: object + type: object + features: + description: Features like acpi, apic, hyperv, smm. + properties: + acpi: + description: ACPI enables/disables ACPI inside the guest. + Defaults to enabled. + properties: + enabled: + description: Enabled determines if the feature should + be enabled or disabled on the guest. Defaults to true. + type: boolean + type: object + apic: + description: Defaults to the machine type setting. + properties: + enabled: + description: Enabled determines if the feature should + be enabled or disabled on the guest. Defaults to true. + type: boolean + endOfInterrupt: + description: EndOfInterrupt enables the end of interrupt + notification in the guest. Defaults to false. + type: boolean + type: object + hyperv: + description: Defaults to the machine type setting. + properties: + evmcs: + description: EVMCS Speeds up L2 vmexits, but disables + other virtualization features. Requires vapic. Defaults + to the machine type setting. + properties: + enabled: + description: Enabled determines if the feature should + be enabled or disabled on the guest. Defaults to + true. + type: boolean + type: object + frequencies: + description: Frequencies improves the TSC clock source + handling for Hyper-V on KVM. Defaults to the machine + type setting. + properties: + enabled: + description: Enabled determines if the feature should + be enabled or disabled on the guest. Defaults to + true. + type: boolean + type: object + ipi: + description: IPI improves performances in overcommited + environments. Requires vpindex. Defaults to the machine + type setting. + properties: + enabled: + description: Enabled determines if the feature should + be enabled or disabled on the guest. Defaults to + true. + type: boolean + type: object + reenlightenment: + description: Reenlightenment enables the notifications + on TSC frequency changes. 
Defaults to the machine type + setting. + properties: + enabled: + description: Enabled determines if the feature should + be enabled or disabled on the guest. Defaults to + true. + type: boolean + type: object + relaxed: + description: Relaxed instructs the guest OS to disable + watchdog timeouts. Defaults to the machine type setting. + properties: + enabled: + description: Enabled determines if the feature should + be enabled or disabled on the guest. Defaults to + true. + type: boolean + type: object + reset: + description: Reset enables Hyperv reboot/reset for the + vmi. Requires synic. Defaults to the machine type setting. + properties: + enabled: + description: Enabled determines if the feature should + be enabled or disabled on the guest. Defaults to + true. + type: boolean + type: object + runtime: + description: Runtime improves the time accounting to improve + scheduling in the guest. Defaults to the machine type + setting. + properties: + enabled: + description: Enabled determines if the feature should + be enabled or disabled on the guest. Defaults to + true. + type: boolean + type: object + spinlocks: + description: Spinlocks allows to configure the spinlock + retry attempts. + properties: + enabled: + description: Enabled determines if the feature should + be enabled or disabled on the guest. Defaults to + true. + type: boolean + spinlocks: + description: Retries indicates the number of retries. + Must be a value greater or equal 4096. Defaults + to 4096. + format: int32 + type: integer + type: object + synic: + description: SyNIC enables the Synthetic Interrupt Controller. + Defaults to the machine type setting. + properties: + enabled: + description: Enabled determines if the feature should + be enabled or disabled on the guest. Defaults to + true. + type: boolean + type: object + synictimer: + description: SyNICTimer enables Synthetic Interrupt Controller + Timers, reducing CPU load. Defaults to the machine type + setting. 
+ properties: + direct: + description: Represents if a feature is enabled or + disabled. + properties: + enabled: + description: Enabled determines if the feature + should be enabled or disabled on the guest. + Defaults to true. + type: boolean + type: object + enabled: + type: boolean + type: object + tlbflush: + description: TLBFlush improves performances in overcommited + environments. Requires vpindex. Defaults to the machine + type setting. + properties: + enabled: + description: Enabled determines if the feature should + be enabled or disabled on the guest. Defaults to + true. + type: boolean + type: object + vapic: + description: VAPIC improves the paravirtualized handling + of interrupts. Defaults to the machine type setting. + properties: + enabled: + description: Enabled determines if the feature should + be enabled or disabled on the guest. Defaults to + true. + type: boolean + type: object + vendorid: + description: VendorID allows setting the hypervisor vendor + id. Defaults to the machine type setting. + properties: + enabled: + description: Enabled determines if the feature should + be enabled or disabled on the guest. Defaults to + true. + type: boolean + vendorid: + description: VendorID sets the hypervisor vendor id, + visible to the vmi. String up to twelve characters. + type: string + type: object + vpindex: + description: VPIndex enables the Virtual Processor Index + to help windows identifying virtual processors. Defaults + to the machine type setting. + properties: + enabled: + description: Enabled determines if the feature should + be enabled or disabled on the guest. Defaults to + true. + type: boolean + type: object + type: object + kvm: + description: Configure how KVM presence is exposed to the + guest. + properties: + hidden: + description: Hide the KVM hypervisor from standard MSR + based discovery. 
Defaults to false + type: boolean + type: object + pvspinlock: + description: Notify the guest that the host supports paravirtual + spinlocks. For older kernels this feature should be explicitly + disabled. + properties: + enabled: + description: Enabled determines if the feature should + be enabled or disabled on the guest. Defaults to true. + type: boolean + type: object + smm: + description: SMM enables/disables System Management Mode. + TSEG not yet implemented. + properties: + enabled: + description: Enabled determines if the feature should + be enabled or disabled on the guest. Defaults to true. + type: boolean + type: object + type: object + firmware: + description: Firmware. + properties: + bootloader: + description: Settings to control the bootloader that is used. + properties: + bios: + description: If set (default), BIOS will be used. + properties: + useSerial: + description: If set, the BIOS output will be transmitted + over serial + type: boolean + type: object + efi: + description: If set, EFI will be used instead of BIOS. + properties: + secureBoot: + description: If set, SecureBoot will be enabled and + the OVMF roms will be swapped for SecureBoot-enabled + ones. Requires SMM to be enabled. Defaults to true + type: boolean + type: object + type: object + kernelBoot: + description: Settings to set the kernel for booting. + properties: + container: + description: Container defines the container that containes + kernel artifacts + properties: + image: + description: Image that contains initrd / kernel files. + type: string + imagePullPolicy: + description: 'Image pull policy. One of Always, Never, + IfNotPresent. Defaults to Always if :latest tag + is specified, or IfNotPresent otherwise. Cannot + be updated. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images' + type: string + imagePullSecret: + description: ImagePullSecret is the name of the Docker + registry secret required to pull the image. 
The + secret must already exist. + type: string + initrdPath: + description: the fully-qualified path to the ramdisk + image in the host OS + type: string + kernelPath: + description: The fully-qualified path to the kernel + image in the host OS + type: string + required: + - image + type: object + kernelArgs: + description: Arguments to be passed to the kernel at boot + time + type: string + type: object + serial: + description: The system-serial-number in SMBIOS + type: string + uuid: + description: UUID reported by the vmi bios. Defaults to a + random generated uid. + type: string + type: object + ioThreadsPolicy: + description: 'Controls whether or not disks will share IOThreads. + Omitting IOThreadsPolicy disables use of IOThreads. One of: + shared, auto' + type: string + launchSecurity: + description: Launch Security setting of the vmi. + properties: + sev: + description: AMD Secure Encrypted Virtualization (SEV). + type: object + type: object + machine: + description: Machine type. + properties: + type: + description: QEMU machine type is the actual chipset of the + VirtualMachineInstance. + type: string + type: object + memory: + description: Memory allow specifying the VMI memory features. + properties: + guest: + anyOf: + - type: integer + - type: string + description: Guest allows to specifying the amount of memory + which is visible inside the Guest OS. The Guest must lie + between Requests and Limits from the resources section. + Defaults to the requested memory in the resources section + if not specified. + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + hugepages: + description: Hugepages allow to use hugepages for the VirtualMachineInstance + instead of regular memory. + properties: + pageSize: + description: PageSize specifies the hugepage size, for + x86_64 architecture valid values are 1Gi and 2Mi. 
+ type: string + type: object + type: object + resources: + description: Resources describes the Compute Resources required + by this vmi. + properties: + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: Limits describes the maximum amount of compute + resources allowed. Valid resource keys are "memory" and + "cpu". + type: object + overcommitGuestOverhead: + description: Don't ask the scheduler to take the guest-management + overhead into account. Instead put the overhead only into + the container's memory limit. This can lead to crashes if + all memory is in use on a node. Defaults to false. + type: boolean + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: Requests is a description of the initial vmi + resources. Valid resource keys are "memory" and "cpu". + type: object + type: object + required: + - devices + type: object + evictionStrategy: + description: EvictionStrategy can be set to "LiveMigrate" if the VirtualMachineInstance + should be migrated instead of shut-off in case of a node drain. + type: string + hostname: + description: Specifies the hostname of the vmi If not specified, the + hostname will be set to the name of the vmi, if dhcp or cloud-init + is configured properly. + type: string + livenessProbe: + description: 'Periodic probe of VirtualMachineInstance liveness. VirtualmachineInstances + will be stopped if the probe fails. Cannot be updated. More info: + https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + properties: + exec: + description: One and only one of the following should be specified. 
+ Exec specifies the action to take, it will be executed on the + guest through the qemu-guest-agent. If the guest agent is not + available, this probe will fail. + properties: + command: + description: Command is the command line to execute inside + the container, the working directory for the command is + root ('/') in the container's filesystem. The command is + simply exec'd, it is not run inside a shell, so traditional + shell instructions ('|', etc) won't work. To use a shell, + you need to explicitly call out to that shell. Exit status + of 0 is treated as live/healthy and non-zero is unhealthy. + items: + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures for the probe to be + considered failed after having succeeded. Defaults to 3. Minimum + value is 1. + format: int32 + type: integer + guestAgentPing: + description: GuestAgentPing contacts the qemu-guest-agent for + availability checks. + type: object + httpGet: + description: HTTPGet specifies the http request to perform. + properties: + host: + description: Host name to connect to, defaults to the pod + IP. You probably want to set "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in the request. HTTP allows + repeated headers. + items: + description: HTTPHeader describes a custom header to be + used in HTTP probes + properties: + name: + description: The header field name + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port to access on the container. + Number must be in the range 1 to 65535. Name must be an + IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting to the host. Defaults + to HTTP. 
+ type: string + required: + - port + type: object + initialDelaySeconds: + description: 'Number of seconds after the VirtualMachineInstance + has started before liveness probes are initiated. More info: + https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform the probe. Default + to 10 seconds. Minimum value is 1. + format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes for the probe to be + considered successful after having failed. Defaults to 1. Must + be 1 for liveness. Minimum value is 1. + format: int32 + type: integer + tcpSocket: + description: 'TCPSocket specifies an action involving a TCP port. + TCP hooks not yet supported TODO: implement a realistic TCP + lifecycle hook' + properties: + host: + description: 'Optional: Host name to connect to, defaults + to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port to access on the container. + Number must be in the range 1 to 65535. Name must be an + IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + timeoutSeconds: + description: 'Number of seconds after which the probe times out. + For exec probes the timeout fails the probe but does not terminate + the command running on the guest. This means a blocking command + can result in an increasing load on the guest. A small buffer + will be added to the resulting workload exec probe to compensate + for delays caused by the qemu guest exec mechanism. Defaults + to 1 second. Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + type: object + networks: + description: List of networks that can be attached to a vm's virtual + interface. 
+ items: + description: Network represents a network type and a resource that + should be connected to the vm. + properties: + multus: + description: Represents the multus cni network. + properties: + default: + description: Select the default network and add it to the + multus-cni.io/default-network annotation. + type: boolean + networkName: + description: 'References to a NetworkAttachmentDefinition + CRD object. Format: , /. + If namespace is not specified, VMI namespace is assumed.' + type: string + required: + - networkName + type: object + name: + description: 'Network name. Must be a DNS_LABEL and unique within + the vm. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + pod: + description: Represents the stock pod network interface. + properties: + vmIPv6NetworkCIDR: + description: IPv6 CIDR for the vm network. Defaults to fd10:0:2::/120 + if not specified. + type: string + vmNetworkCIDR: + description: CIDR for vm network. Default 10.0.2.0/24 if + not specified. + type: string + type: object + required: + - name + type: object + type: array + nodeSelector: + additionalProperties: + type: string + description: 'NodeSelector is a selector which must be true for the + vmi to fit on a node. Selector which must match a node''s labels + for the vmi to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' + type: object + priorityClassName: + description: If specified, indicates the pod's priority. If not specified, + the pod priority will be default or zero if there is no default. + type: string + readinessProbe: + description: 'Periodic probe of VirtualMachineInstance service readiness. + VirtualmachineInstances will be removed from service endpoints if + the probe fails. Cannot be updated. 
More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + properties: + exec: + description: One and only one of the following should be specified. + Exec specifies the action to take, it will be executed on the + guest through the qemu-guest-agent. If the guest agent is not + available, this probe will fail. + properties: + command: + description: Command is the command line to execute inside + the container, the working directory for the command is + root ('/') in the container's filesystem. The command is + simply exec'd, it is not run inside a shell, so traditional + shell instructions ('|', etc) won't work. To use a shell, + you need to explicitly call out to that shell. Exit status + of 0 is treated as live/healthy and non-zero is unhealthy. + items: + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures for the probe to be + considered failed after having succeeded. Defaults to 3. Minimum + value is 1. + format: int32 + type: integer + guestAgentPing: + description: GuestAgentPing contacts the qemu-guest-agent for + availability checks. + type: object + httpGet: + description: HTTPGet specifies the http request to perform. + properties: + host: + description: Host name to connect to, defaults to the pod + IP. You probably want to set "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in the request. HTTP allows + repeated headers. + items: + description: HTTPHeader describes a custom header to be + used in HTTP probes + properties: + name: + description: The header field name + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port to access on the container. 
+ Number must be in the range 1 to 65535. Name must be an + IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting to the host. Defaults + to HTTP. + type: string + required: + - port + type: object + initialDelaySeconds: + description: 'Number of seconds after the VirtualMachineInstance + has started before liveness probes are initiated. More info: + https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform the probe. Default + to 10 seconds. Minimum value is 1. + format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes for the probe to be + considered successful after having failed. Defaults to 1. Must + be 1 for liveness. Minimum value is 1. + format: int32 + type: integer + tcpSocket: + description: 'TCPSocket specifies an action involving a TCP port. + TCP hooks not yet supported TODO: implement a realistic TCP + lifecycle hook' + properties: + host: + description: 'Optional: Host name to connect to, defaults + to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port to access on the container. + Number must be in the range 1 to 65535. Name must be an + IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + timeoutSeconds: + description: 'Number of seconds after which the probe times out. + For exec probes the timeout fails the probe but does not terminate + the command running on the guest. This means a blocking command + can result in an increasing load on the guest. A small buffer + will be added to the resulting workload exec probe to compensate + for delays caused by the qemu guest exec mechanism. Defaults + to 1 second. Minimum value is 1. 
More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + type: object + schedulerName: + description: If specified, the VMI will be dispatched by specified + scheduler. If not specified, the VMI will be dispatched by default + scheduler. + type: string + startStrategy: + description: StartStrategy can be set to "Paused" if Virtual Machine + should be started in paused state. + type: string + subdomain: + description: If specified, the fully qualified vmi hostname will be + "...svc.". If + not specified, the vmi will not have a domainname at all. The DNS + entry will resolve to the vmi, no matter if the vmi itself can pick + up a hostname. + type: string + terminationGracePeriodSeconds: + description: Grace period observed after signalling a VirtualMachineInstance + to stop after which the VirtualMachineInstance is force terminated. + format: int64 + type: integer + tolerations: + description: If toleration is specified, obey all the toleration rules. + items: + description: The pod this Toleration is attached to tolerates any + taint that matches the triple using the matching + operator . + properties: + effect: + description: Effect indicates the taint effect to match. Empty + means match all taint effects. When specified, allowed values + are NoSchedule, PreferNoSchedule and NoExecute. + type: string + key: + description: Key is the taint key that the toleration applies + to. Empty means match all taint keys. If the key is empty, + operator must be Exists; this combination means to match all + values and all keys. + type: string + operator: + description: Operator represents a key's relationship to the + value. Valid operators are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod + can tolerate all taints of a particular category. 
+ type: string + tolerationSeconds: + description: TolerationSeconds represents the period of time + the toleration (which must be of effect NoExecute, otherwise + this field is ignored) tolerates the taint. By default, it + is not set, which means tolerate the taint forever (do not + evict). Zero and negative values will be treated as 0 (evict + immediately) by the system. + format: int64 + type: integer + value: + description: Value is the taint value the toleration matches + to. If the operator is Exists, the value should be empty, + otherwise just a regular string. + type: string + type: object + type: array + topologySpreadConstraints: + description: TopologySpreadConstraints describes how a group of VMIs + will be spread across a given topology domains. K8s scheduler will + schedule VMI pods in a way which abides by the constraints. + items: + description: TopologySpreadConstraint specifies how to spread matching + pods among the given topology. + properties: + labelSelector: + description: LabelSelector is used to find matching pods. Pods + that match this label selector are counted to determine the + number of pods in their corresponding topology domain. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector + that contains values, a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are In, NotIn, + Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. + If the operator is In or NotIn, the values array + must be non-empty. If the operator is Exists or + DoesNotExist, the values array must be empty. 
This + array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field is + "key", the operator is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + maxSkew: + description: 'MaxSkew describes the degree to which pods may + be unevenly distributed. When ''whenUnsatisfiable=DoNotSchedule'', + it is the maximum permitted difference between the number + of matching pods in the target topology and the global minimum. + For example, in a 3-zone cluster, MaxSkew is set to 1, and + pods with the same labelSelector spread as 1/1/0: | zone1 + | zone2 | zone3 | | P | P | | - if MaxSkew is + 1, incoming pod can only be scheduled to zone3 to become 1/1/1; + scheduling it onto zone1(zone2) would make the ActualSkew(2-0) + on zone1(zone2) violate MaxSkew(1). - if MaxSkew is 2, incoming + pod can be scheduled onto any zone. When ''whenUnsatisfiable=ScheduleAnyway'', + it is used to give higher precedence to topologies that satisfy + it. It''s a required field. Default value is 1 and 0 is not + allowed.' + format: int32 + type: integer + topologyKey: + description: TopologyKey is the key of node labels. Nodes that + have a label with this key and identical values are considered + to be in the same topology. We consider each + as a "bucket", and try to put balanced number of pods into + each bucket. It's a required field. + type: string + whenUnsatisfiable: + description: 'WhenUnsatisfiable indicates how to deal with a + pod if it doesn''t satisfy the spread constraint. - DoNotSchedule + (default) tells the scheduler not to schedule it. 
- ScheduleAnyway + tells the scheduler to schedule the pod in any location, but + giving higher precedence to topologies that would help reduce + the skew. A constraint is considered "Unsatisfiable" for + an incoming pod if and only if every possible node assignment + for that pod would violate "MaxSkew" on some topology. For + example, in a 3-zone cluster, MaxSkew is set to 1, and pods + with the same labelSelector spread as 3/1/1: | zone1 | zone2 + | zone3 | | P P P | P | P | If WhenUnsatisfiable is + set to DoNotSchedule, incoming pod can only be scheduled to + zone2(zone3) to become 3/2/1(3/1/2) as ActualSkew(2-1) on + zone2(zone3) satisfies MaxSkew(1). In other words, the cluster + can still be imbalanced, but scheduler won''t make it *more* + imbalanced. It''s a required field.' + type: string + required: + - maxSkew + - topologyKey + - whenUnsatisfiable + type: object + type: array + x-kubernetes-list-map-keys: + - topologyKey + - whenUnsatisfiable + x-kubernetes-list-type: map + volumes: + description: List of volumes that can be mounted by disks belonging + to the vmi. + items: + description: Volume represents a named volume in a vmi. + properties: + cloudInitConfigDrive: + description: 'CloudInitConfigDrive represents a cloud-init Config + Drive user-data source. The Config Drive data will be added + as a disk to the vmi. A proper cloud-init installation is + required inside the guest. More info: https://cloudinit.readthedocs.io/en/latest/topics/datasources/configdrive.html' + properties: + networkData: + description: NetworkData contains config drive inline cloud-init + networkdata. + type: string + networkDataBase64: + description: NetworkDataBase64 contains config drive cloud-init + networkdata as a base64 encoded string. + type: string + networkDataSecretRef: + description: NetworkDataSecretRef references a k8s secret + that contains config drive networkdata. + properties: + name: + description: 'Name of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + type: object + secretRef: + description: UserDataSecretRef references a k8s secret that + contains config drive userdata. + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + type: object + userData: + description: UserData contains config drive inline cloud-init + userdata. + type: string + userDataBase64: + description: UserDataBase64 contains config drive cloud-init + userdata as a base64 encoded string. + type: string + type: object + cloudInitNoCloud: + description: 'CloudInitNoCloud represents a cloud-init NoCloud + user-data source. The NoCloud data will be added as a disk + to the vmi. A proper cloud-init installation is required inside + the guest. More info: http://cloudinit.readthedocs.io/en/latest/topics/datasources/nocloud.html' + properties: + networkData: + description: NetworkData contains NoCloud inline cloud-init + networkdata. + type: string + networkDataBase64: + description: NetworkDataBase64 contains NoCloud cloud-init + networkdata as a base64 encoded string. + type: string + networkDataSecretRef: + description: NetworkDataSecretRef references a k8s secret + that contains NoCloud networkdata. + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + type: object + secretRef: + description: UserDataSecretRef references a k8s secret that + contains NoCloud userdata. + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. 
apiVersion, kind, uid?' + type: string + type: object + userData: + description: UserData contains NoCloud inline cloud-init + userdata. + type: string + userDataBase64: + description: UserDataBase64 contains NoCloud cloud-init + userdata as a base64 encoded string. + type: string + type: object + configMap: + description: 'ConfigMapSource represents a reference to a ConfigMap + in the same namespace. More info: https://kubernetes.io/docs/tasks/configure-pod-container/configure-pod-configmap/' + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + optional: + description: Specify whether the ConfigMap or it's keys + must be defined + type: boolean + volumeLabel: + description: The volume label of the resulting disk inside + the VMI. Different bootstrapping mechanisms require different + values. Typical values are "cidata" (cloud-init), "config-2" + (cloud-init) or "OEMDRV" (kickstart). + type: string + type: object + containerDisk: + description: 'ContainerDisk references a docker image, embedding + a qcow or raw disk. More info: https://kubevirt.gitbooks.io/user-guide/registry-disk.html' + properties: + image: + description: Image is the name of the image with the embedded + disk. + type: string + imagePullPolicy: + description: 'Image pull policy. One of Always, Never, IfNotPresent. + Defaults to Always if :latest tag is specified, or IfNotPresent + otherwise. Cannot be updated. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images' + type: string + imagePullSecret: + description: ImagePullSecret is the name of the Docker registry + secret required to pull the image. The secret must already + exist. 
+ type: string + path: + description: Path defines the path to disk file in the container + type: string + required: + - image + type: object + dataVolume: + description: DataVolume represents the dynamic creation a PVC + for this volume as well as the process of populating that + PVC with a disk image. + properties: + hotpluggable: + description: Hotpluggable indicates whether the volume can + be hotplugged and hotunplugged. + type: boolean + name: + description: Name of both the DataVolume and the PVC in + the same namespace. After PVC population the DataVolume + is garbage collected by default. + type: string + required: + - name + type: object + downwardAPI: + description: DownwardAPI represents downward API about the pod + that should populate this volume + properties: + fields: + description: Fields is a list of downward API volume file + items: + description: DownwardAPIVolumeFile represents information + to create the file containing the pod field + properties: + fieldRef: + description: 'Required: Selects a field of the pod: + only annotations, labels, name and namespace are + supported.' + properties: + apiVersion: + description: Version of the schema the FieldPath + is written in terms of, defaults to "v1". + type: string + fieldPath: + description: Path of the field to select in the + specified API version. + type: string + required: + - fieldPath + type: object + mode: + description: 'Optional: mode bits used to set permissions + on this file, must be an octal value between 0000 + and 0777 or a decimal value between 0 and 511. YAML + accepts both octal and decimal values, JSON requires + decimal values for mode bits. If not specified, + the volume defaultMode will be used. This might + be in conflict with other options that affect the + file mode, like fsGroup, and the result can be other + mode bits set.' + format: int32 + type: integer + path: + description: 'Required: Path is the relative path + name of the file to be created. 
Must not be absolute + or contain the ''..'' path. Must be utf-8 encoded. + The first item of the relative path must not start + with ''..''' + type: string + resourceFieldRef: + description: 'Selects a resource of the container: + only resources limits and requests (limits.cpu, + limits.memory, requests.cpu and requests.memory) + are currently supported.' + properties: + containerName: + description: 'Container name: required for volumes, + optional for env vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies the output format of the + exposed resources, defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource to select' + type: string + required: + - resource + type: object + required: + - path + type: object + type: array + volumeLabel: + description: The volume label of the resulting disk inside + the VMI. Different bootstrapping mechanisms require different + values. Typical values are "cidata" (cloud-init), "config-2" + (cloud-init) or "OEMDRV" (kickstart). + type: string + type: object + downwardMetrics: + description: DownwardMetrics adds a very small disk to VMIs + which contains a limited view of host and guest metrics. The + disk content is compatible with vhostmd (https://github.com/vhostmd/vhostmd) + and vm-dump-metrics. + type: object + emptyDisk: + description: 'EmptyDisk represents a temporary disk which shares + the vmis lifecycle. More info: https://kubevirt.gitbooks.io/user-guide/disks-and-volumes.html' + properties: + capacity: + anyOf: + - type: integer + - type: string + description: Capacity of the sparse disk. 
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + required: + - capacity + type: object + ephemeral: + description: Ephemeral is a special volume source that "wraps" + specified source and provides copy-on-write image on top of + it. + properties: + persistentVolumeClaim: + description: 'PersistentVolumeClaimVolumeSource represents + a reference to a PersistentVolumeClaim in the same namespace. + Directly attached to the vmi via qemu. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims' + properties: + claimName: + description: 'ClaimName is the name of a PersistentVolumeClaim + in the same namespace as the pod using this volume. + More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims' + type: string + readOnly: + description: Will force the ReadOnly setting in VolumeMounts. + Default false. 
+ type: boolean + required: + - claimName + type: object + type: object + hostDisk: + description: HostDisk represents a disk created on the cluster + level + properties: + capacity: + anyOf: + - type: integer + - type: string + description: Capacity of the sparse disk + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + path: + description: The path to HostDisk image located on the cluster + type: string + shared: + description: Shared indicate whether the path is shared + between nodes + type: boolean + type: + description: Contains information if disk.img exists or + should be created allowed options are 'Disk' and 'DiskOrCreate' + type: string + required: + - path + - type + type: object + memoryDump: + description: MemoryDump is attached to the virt launcher and + is populated with a memory dump of the vmi + properties: + claimName: + description: 'ClaimName is the name of a PersistentVolumeClaim + in the same namespace as the pod using this volume. More + info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims' + type: string + hotpluggable: + description: Hotpluggable indicates whether the volume can + be hotplugged and hotunplugged. + type: boolean + readOnly: + description: Will force the ReadOnly setting in VolumeMounts. + Default false. + type: boolean + required: + - claimName + type: object + name: + description: 'Volume''s name. Must be a DNS_LABEL and unique + within the vmi. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + persistentVolumeClaim: + description: 'PersistentVolumeClaimVolumeSource represents a + reference to a PersistentVolumeClaim in the same namespace. + Directly attached to the vmi via qemu. 
More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims' + properties: + claimName: + description: 'ClaimName is the name of a PersistentVolumeClaim + in the same namespace as the pod using this volume. More + info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims' + type: string + hotpluggable: + description: Hotpluggable indicates whether the volume can + be hotplugged and hotunplugged. + type: boolean + readOnly: + description: Will force the ReadOnly setting in VolumeMounts. + Default false. + type: boolean + required: + - claimName + type: object + secret: + description: 'SecretVolumeSource represents a reference to a + secret data in the same namespace. More info: https://kubernetes.io/docs/concepts/configuration/secret/' + properties: + optional: + description: Specify whether the Secret or it's keys must + be defined + type: boolean + secretName: + description: 'Name of the secret in the pod''s namespace + to use. More info: https://kubernetes.io/docs/concepts/storage/volumes#secret' + type: string + volumeLabel: + description: The volume label of the resulting disk inside + the VMI. Different bootstrapping mechanisms require different + values. Typical values are "cidata" (cloud-init), "config-2" + (cloud-init) or "OEMDRV" (kickstart). + type: string + type: object + serviceAccount: + description: 'ServiceAccountVolumeSource represents a reference + to a service account. There can only be one volume of this + type! More info: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/' + properties: + serviceAccountName: + description: 'Name of the service account in the pod''s + namespace to use. More info: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/' + type: string + type: object + sysprep: + description: Represents a Sysprep volume source. 
+ properties: + configMap: + description: ConfigMap references a ConfigMap that contains + Sysprep answer file named autounattend.xml that should + be attached as disk of CDROM type. + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + type: object + secret: + description: Secret references a k8s Secret that contains + Sysprep answer file named autounattend.xml that should + be attached as disk of CDROM type. + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + type: object + type: object + required: + - name + type: object + type: array + required: + - domain + type: object + status: + description: Status is the high level overview of how the VirtualMachineInstance + is doing. It contains information available to controllers and users. + properties: + VSOCKCID: + description: VSOCKCID is used to track the allocated VSOCK CID in + the VM. + format: int32 + type: integer + activePods: + additionalProperties: + type: string + description: ActivePods is a mapping of pod UID to node name. It is + possible for multiple pods to be running for a single VMI during + migration. + type: object + conditions: + description: Conditions are specific points in VirtualMachineInstance's + pod runtime. + items: + properties: + lastProbeTime: + format: date-time + nullable: true + type: string + lastTransitionTime: + format: date-time + nullable: true + type: string + message: + type: string + reason: + type: string + status: + type: string + type: + type: string + required: + - status + - type + type: object + type: array + evacuationNodeName: + description: EvacuationNodeName is used to track the eviction process + of a VMI. 
It stores the name of the node that we want to evacuate. + It is meant to be used by KubeVirt core components only and can't + be set or modified by users. + type: string + fsFreezeStatus: + description: FSFreezeStatus is the state of the fs of the guest it + can be either frozen or thawed + type: string + guestOSInfo: + description: Guest OS Information + properties: + id: + description: Guest OS Id + type: string + kernelRelease: + description: Guest OS Kernel Release + type: string + kernelVersion: + description: Kernel version of the Guest OS + type: string + machine: + description: Machine type of the Guest OS + type: string + name: + description: Name of the Guest OS + type: string + prettyName: + description: Guest OS Pretty Name + type: string + version: + description: Guest OS Version + type: string + versionId: + description: Version ID of the Guest OS + type: string + type: object + interfaces: + description: Interfaces represent the details of available network + interfaces. + items: + properties: + infoSource: + description: 'Specifies the origin of the interface data collected. + values: domain, guest-agent, or both' + type: string + interfaceName: + description: The interface name inside the Virtual Machine + type: string + ipAddress: + description: IP address of a Virtual Machine interface. 
It is + always the first item of IPs + type: string + ipAddresses: + description: List of all IP addresses of a Virtual Machine interface + items: + type: string + type: array + mac: + description: Hardware address of a Virtual Machine interface + type: string + name: + description: Name of the interface, corresponds to name of the + network assigned to the interface + type: string + queueCount: + description: Specifies how many queues are allocated by MultiQueue + format: int32 + type: integer + type: object + type: array + launcherContainerImageVersion: + description: LauncherContainerImageVersion indicates what container + image is currently active for the vmi. + type: string + migrationMethod: + description: 'Represents the method using which the vmi can be migrated: + live migration or block migration' + type: string + migrationState: + description: Represents the status of a live migration + properties: + abortRequested: + description: Indicates that the migration has been requested to + abort + type: boolean + abortStatus: + description: Indicates the final status of the live migration + abortion + type: string + completed: + description: Indicates the migration completed + type: boolean + endTimestamp: + description: The time the migration action ended + format: date-time + nullable: true + type: string + failed: + description: Indicates that the migration failed + type: boolean + migrationConfiguration: + description: Migration configurations to apply + properties: + allowAutoConverge: + description: AllowAutoConverge allows the platform to compromise + performance/availability of VMIs to guarantee successful + VMI live migrations. Defaults to false + type: boolean + allowPostCopy: + description: AllowPostCopy enables post-copy live migrations. + Such migrations allow even the busiest VMIs to successfully + live-migrate. However, events like a network failure can + cause a VMI crash. 
If set to true, migrations will still + start in pre-copy, but switch to post-copy when CompletionTimeoutPerGiB + triggers. Defaults to false + type: boolean + bandwidthPerMigration: + anyOf: + - type: integer + - type: string + description: BandwidthPerMigration limits the amount of network + bandwith live migrations are allowed to use. The value is + in quantity per second. Defaults to 0 (no limit) + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + completionTimeoutPerGiB: + description: CompletionTimeoutPerGiB is the maximum number + of seconds per GiB a migration is allowed to take. If a + live-migration takes longer to migrate than this value multiplied + by the size of the VMI, the migration will be cancelled, + unless AllowPostCopy is true. Defaults to 800 + format: int64 + type: integer + disableTLS: + description: When set to true, DisableTLS will disable the + additional layer of live migration encryption provided by + KubeVirt. This is usually a bad idea. Defaults to false + type: boolean + network: + description: Network is the name of the CNI network to use + for live migrations. By default, migrations go through the + pod network. + type: string + nodeDrainTaintKey: + description: 'NodeDrainTaintKey defines the taint key that + indicates a node should be drained. Note: this option relies + on the deprecated node taint feature. Default: kubevirt.io/drain' + type: string + parallelMigrationsPerCluster: + description: ParallelMigrationsPerCluster is the total number + of concurrent live migrations allowed cluster-wide. Defaults + to 5 + format: int32 + type: integer + parallelOutboundMigrationsPerNode: + description: ParallelOutboundMigrationsPerNode is the maximum + number of concurrent outgoing live migrations allowed per + node. 
Defaults to 2 + format: int32 + type: integer + progressTimeout: + description: ProgressTimeout is the maximum number of seconds + a live migration is allowed to make no progress. Hitting + this timeout means a migration transferred 0 data for that + many seconds. The migration is then considered stuck and + therefore cancelled. Defaults to 150 + format: int64 + type: integer + unsafeMigrationOverride: + description: UnsafeMigrationOverride allows live migrations + to occur even if the compatibility check indicates the migration + will be unsafe to the guest. Defaults to false + type: boolean + type: object + migrationPolicyName: + description: Name of the migration policy. If string is empty, + no policy is matched + type: string + migrationUid: + description: The VirtualMachineInstanceMigration object associated + with this migration + type: string + mode: + description: Lets us know if the vmi is currently running pre + or post copy migration + type: string + sourceNode: + description: The source node that the VMI originated on + type: string + startTimestamp: + description: The time the migration action began + format: date-time + nullable: true + type: string + targetAttachmentPodUID: + description: The UID of the target attachment pod for hotplug + volumes + type: string + targetCPUSet: + description: If the VMI requires dedicated CPUs, this field will + hold the dedicated CPU set on the target node + items: + type: integer + type: array + x-kubernetes-list-type: atomic + targetDirectMigrationNodePorts: + additionalProperties: + type: integer + description: The list of ports opened for live migration on the + destination node + type: object + targetNode: + description: The target node that the VMI is moving to + type: string + targetNodeAddress: + description: The address of the target node to use for the migration + type: string + targetNodeDomainDetected: + description: The Target Node has seen the Domain Start Event + type: boolean + targetNodeTopology: + 
description: If the VMI requires dedicated CPUs, this field will + hold the numa topology on the target node + type: string + targetPod: + description: The target pod that the VMI is moving to + type: string + type: object + migrationTransport: + description: This represents the migration transport + type: string + nodeName: + description: NodeName is the name where the VirtualMachineInstance + is currently running. + type: string + phase: + description: Phase is the status of the VirtualMachineInstance in + kubernetes world. It is not the VirtualMachineInstance status, but + partially correlates to it. + type: string + phaseTransitionTimestamps: + description: PhaseTransitionTimestamp is the timestamp of when the + last phase change occurred + items: + description: VirtualMachineInstancePhaseTransitionTimestamp gives + a timestamp in relation to when a phase is set on a vmi + properties: + phase: + description: Phase is the status of the VirtualMachineInstance + in kubernetes world. It is not the VirtualMachineInstance + status, but partially correlates to it. + type: string + phaseTransitionTimestamp: + description: PhaseTransitionTimestamp is the timestamp of when + the phase change occurred + format: date-time + type: string + type: object + type: array + x-kubernetes-list-type: atomic + qosClass: + description: 'The Quality of Service (QOS) classification assigned + to the virtual machine instance based on resource requirements See + PodQOSClass type for available QOS classes More info: https://git.k8s.io/community/contributors/design-proposals/node/resource-qos.md' + type: string + reason: + description: A brief CamelCase message indicating details about why + the VMI is in this state. e.g. 
'NodeUnresponsive' + type: string + runtimeUser: + description: RuntimeUser is used to determine what user will be used + in launcher + format: int64 + type: integer + selinuxContext: + description: SELinuxContext is the actual SELinux context of the virt-launcher + pod + type: string + topologyHints: + properties: + tscFrequency: + format: int64 + type: integer + type: object + virtualMachineRevisionName: + description: VirtualMachineRevisionName is used to get the vm revision + of the vmi when doing an online vm snapshot + type: string + volumeStatus: + description: VolumeStatus contains the statuses of all the volumes + items: + description: VolumeStatus represents information about the status + of volumes attached to the VirtualMachineInstance. + properties: + hotplugVolume: + description: If the volume is hotplug, this will contain the + hotplug status. + properties: + attachPodName: + description: AttachPodName is the name of the pod used to + attach the volume to the node. + type: string + attachPodUID: + description: AttachPodUID is the UID of the pod used to + attach the volume to the node. + type: string + type: object + memoryDumpVolume: + description: If the volume is memorydump volume, this will contain + the memorydump info. 
+ properties: + claimName: + description: ClaimName is the name of the pvc the memory + was dumped to + type: string + endTimestamp: + description: EndTimestamp is the time when the memory dump + completed + format: date-time + type: string + startTimestamp: + description: StartTimestamp is the time when the memory + dump started + format: date-time + type: string + targetFileName: + description: TargetFileName is the name of the memory dump + output + type: string + type: object + message: + description: Message is a detailed message about the current + hotplug volume phase + type: string + name: + description: Name is the name of the volume + type: string + persistentVolumeClaimInfo: + description: PersistentVolumeClaimInfo is information about + the PVC that handler requires during start flow + properties: + accessModes: + description: 'AccessModes contains the desired access modes + the volume should have. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1' + items: + type: string + type: array + x-kubernetes-list-type: atomic + capacity: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: Capacity represents the capacity set on the + corresponding PVC status + type: object + filesystemOverhead: + description: Percentage of filesystem's size to be reserved + when resizing the PVC + pattern: ^(0(?:\.\d{1,3})?|1)$ + type: string + preallocated: + description: Preallocated indicates if the PVC's storage + is preallocated or not + type: boolean + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: Requests represents the resources requested + 
by the corresponding PVC spec + type: object + volumeMode: + description: VolumeMode defines what type of volume is required + by the claim. Value of Filesystem is implied when not + included in claim spec. + type: string + type: object + phase: + description: Phase is the phase + type: string + reason: + description: Reason is a brief description of why we are in + the current hotplug volume phase + type: string + size: + description: Represents the size of the volume + format: int64 + type: integer + target: + description: 'Target is the target name used when adding the + volume to the VM, eg: vda' + type: string + required: + - name + - target + type: object + type: array + x-kubernetes-list-type: atomic + type: object + required: + - spec + type: object + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + kubevirt.io/generation: "2" + kubevirt.io/install-strategy-identifier: f284f9b3b6574d03341121bb215a2c8d64d8e290 + kubevirt.io/install-strategy-registry: quay.io/kubevirt + kubevirt.io/install-strategy-version: v0.59.1 + generation: 1 + labels: + app.kubernetes.io/component: kubevirt + app.kubernetes.io/managed-by: virt-operator + kubevirt.io: "" + name: virtualmachines.kubevirt.io +spec: + conversion: + strategy: None + group: kubevirt.io + names: + categories: + - all + kind: VirtualMachine + listKind: VirtualMachineList + plural: virtualmachines + shortNames: + - vm + - vms + singular: virtualmachine + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - description: Human Readable Status + jsonPath: .status.printableStatus + name: Status + type: string + - jsonPath: .status.conditions[?(@.type=='Ready')].status + name: Ready + type: string + name: v1 + schema: + openAPIV3Schema: + description: VirtualMachine handles the VirtualMachines that are not running + or are in a stopped state The VirtualMachine 
contains the template to create + the VirtualMachineInstance. It also mirrors the running state of the created + VirtualMachineInstance in its status. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec contains the specification of VirtualMachineInstance + created + properties: + dataVolumeTemplates: + description: dataVolumeTemplates is a list of dataVolumes that the + VirtualMachineInstance template can reference. DataVolumes in this + list are dynamically created for the VirtualMachine and are tied + to the VirtualMachine's life-cycle. + items: + nullable: true + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this + representation of an object. Servers should convert recognized + schemas to the latest internal value, and may reject unrecognized + values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource + this object represents. Servers may infer this from the endpoint + the client submits requests to. Cannot be updated. In CamelCase. 
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + nullable: true + type: object + x-kubernetes-preserve-unknown-fields: true + spec: + description: DataVolumeSpec contains the DataVolume specification. + properties: + checkpoints: + description: Checkpoints is a list of DataVolumeCheckpoints, + representing stages in a multistage import. + items: + description: DataVolumeCheckpoint defines a stage in a + warm migration. + properties: + current: + description: Current is the identifier of the snapshot + created for this checkpoint. + type: string + previous: + description: Previous is the identifier of the snapshot + from the previous checkpoint. + type: string + required: + - current + - previous + type: object + type: array + contentType: + description: 'DataVolumeContentType options: "kubevirt", + "archive"' + enum: + - kubevirt + - archive + type: string + finalCheckpoint: + description: FinalCheckpoint indicates whether the current + DataVolumeCheckpoint is the final checkpoint. + type: boolean + preallocation: + description: Preallocation controls whether storage for + DataVolumes should be allocated in advance. + type: boolean + priorityClassName: + description: PriorityClassName for Importer, Cloner and + Uploader pod + type: string + pvc: + description: PVC is the PVC specification + properties: + accessModes: + description: 'AccessModes contains the desired access + modes the volume should have. 
More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1' + items: + type: string + type: array + dataSource: + description: 'This field can be used to specify either: + * An existing VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot) + * An existing PVC (PersistentVolumeClaim) If the provisioner + or an external controller can support the specified + data source, it will create a new volume based on + the contents of the specified data source. If the + AnyVolumeDataSource feature gate is enabled, this + field will always have the same contents as the DataSourceRef + field.' + properties: + apiGroup: + description: APIGroup is the group for the resource + being referenced. If APIGroup is not specified, + the specified Kind must be in the core API group. + For any other third-party types, APIGroup is required. + type: string + kind: + description: Kind is the type of resource being + referenced + type: string + name: + description: Name is the name of resource being + referenced + type: string + required: + - kind + - name + type: object + dataSourceRef: + description: 'Specifies the object from which to populate + the volume with data, if a non-empty volume is desired. + This may be any local object from a non-empty API + group (non core object) or a PersistentVolumeClaim + object. When this field is specified, volume binding + will only succeed if the type of the specified object + matches some installed volume populator or dynamic + provisioner. This field will replace the functionality + of the DataSource field and as such if both fields + are non-empty, they must have the same value. For + backwards compatibility, both fields (DataSource and + DataSourceRef) will be set to the same value automatically + if one of them is empty and the other is non-empty. 
+ There are two important differences between DataSource + and DataSourceRef: * While DataSource only allows + two specific types of objects, DataSourceRef allows + any non-core object, as well as PersistentVolumeClaim + objects. * While DataSource ignores disallowed values + (dropping them), DataSourceRef preserves all values, + and generates an error if a disallowed value is specified. + (Alpha) Using this field requires the AnyVolumeDataSource + feature gate to be enabled.' + properties: + apiGroup: + description: APIGroup is the group for the resource + being referenced. If APIGroup is not specified, + the specified Kind must be in the core API group. + For any other third-party types, APIGroup is required. + type: string + kind: + description: Kind is the type of resource being + referenced + type: string + name: + description: Name is the name of resource being + referenced + type: string + required: + - kind + - name + type: object + resources: + description: 'Resources represents the minimum resources + the volume should have. If RecoverVolumeExpansionFailure + feature is enabled users are allowed to specify resource + requirements that are lower than previous value but + must still be higher than capacity recorded in the + status field of the claim. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources' + properties: + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Limits describes the maximum amount + of compute resources allowed. 
More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Requests describes the minimum amount + of compute resources required. If Requests is + omitted for a container, it defaults to Limits + if that is explicitly specified, otherwise to + an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + type: object + selector: + description: A label query over volumes to consider + for binding. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If the + operator is Exists or DoesNotExist, the + values array must be empty. This array is + replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". The + requirements are ANDed. + type: object + type: object + storageClassName: + description: 'Name of the StorageClass required by the + claim. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1' + type: string + volumeMode: + description: volumeMode defines what type of volume + is required by the claim. Value of Filesystem is implied + when not included in claim spec. + type: string + volumeName: + description: VolumeName is the binding reference to + the PersistentVolume backing this claim. + type: string + type: object + source: + description: Source is the src of the data for the requested + DataVolume + properties: + blank: + description: DataVolumeBlankImage provides the parameters + to create a new raw blank image for the PVC + type: object + http: + description: DataVolumeSourceHTTP can be either an http + or https endpoint, with an optional basic auth user + name and password, and an optional configmap containing + additional CAs + properties: + certConfigMap: + description: CertConfigMap is a configmap reference, + containing a Certificate Authority(CA) public + key, and a base64 encoded pem certificate + type: string + extraHeaders: + description: ExtraHeaders is a list of strings containing + extra headers to include with HTTP transfer requests + items: + type: string + type: array + secretExtraHeaders: + description: SecretExtraHeaders is a list of Secret + references, each containing an extra HTTP header + that may include sensitive information + items: + type: string + type: array + secretRef: + description: SecretRef A Secret reference, the secret + should contain accessKeyId (user name) base64 + encoded, and secretKey (password) also base64 + encoded + type: string + url: + description: URL is the URL of the http(s) endpoint + 
type: string + required: + - url + type: object + imageio: + description: DataVolumeSourceImageIO provides the parameters + to create a Data Volume from an imageio source + properties: + certConfigMap: + description: CertConfigMap provides a reference + to the CA cert + type: string + diskId: + description: DiskID provides id of a disk to be + imported + type: string + secretRef: + description: SecretRef provides the secret reference + needed to access the ovirt-engine + type: string + url: + description: URL is the URL of the ovirt-engine + type: string + required: + - diskId + - url + type: object + pvc: + description: DataVolumeSourcePVC provides the parameters + to create a Data Volume from an existing PVC + properties: + name: + description: The name of the source PVC + type: string + namespace: + description: The namespace of the source PVC + type: string + required: + - name + - namespace + type: object + registry: + description: DataVolumeSourceRegistry provides the parameters + to create a Data Volume from an registry source + properties: + certConfigMap: + description: CertConfigMap provides a reference + to the Registry certs + type: string + imageStream: + description: ImageStream is the name of image stream + for import + type: string + pullMethod: + description: PullMethod can be either "pod" (default + import), or "node" (node docker cache based import) + type: string + secretRef: + description: SecretRef provides the secret reference + needed to access the Registry source + type: string + url: + description: 'URL is the url of the registry source + (starting with the scheme: docker, oci-archive)' + type: string + type: object + s3: + description: DataVolumeSourceS3 provides the parameters + to create a Data Volume from an S3 source + properties: + certConfigMap: + description: CertConfigMap is a configmap reference, + containing a Certificate Authority(CA) public + key, and a base64 encoded pem certificate + type: string + secretRef: + description: 
SecretRef provides the secret reference + needed to access the S3 source + type: string + url: + description: URL is the url of the S3 source + type: string + required: + - url + type: object + upload: + description: DataVolumeSourceUpload provides the parameters + to create a Data Volume by uploading the source + type: object + vddk: + description: DataVolumeSourceVDDK provides the parameters + to create a Data Volume from a Vmware source + properties: + backingFile: + description: BackingFile is the path to the virtual + hard disk to migrate from vCenter/ESXi + type: string + initImageURL: + description: InitImageURL is an optional URL to + an image containing an extracted VDDK library, + overrides v2v-vmware config map + type: string + secretRef: + description: SecretRef provides a reference to a + secret containing the username and password needed + to access the vCenter or ESXi host + type: string + thumbprint: + description: Thumbprint is the certificate thumbprint + of the vCenter or ESXi host + type: string + url: + description: URL is the URL of the vCenter or ESXi + host with the VM to migrate + type: string + uuid: + description: UUID is the UUID of the virtual machine + that the backing file is attached to in vCenter/ESXi + type: string + type: object + type: object + sourceRef: + description: SourceRef is an indirect reference to the source + of data for the requested DataVolume + properties: + kind: + description: The kind of the source reference, currently + only "DataSource" is supported + type: string + name: + description: The name of the source reference + type: string + namespace: + description: The namespace of the source reference, + defaults to the DataVolume namespace + type: string + required: + - kind + - name + type: object + storage: + description: Storage is the requested storage specification + properties: + accessModes: + description: 'AccessModes contains the desired access + modes the volume should have. 
More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1' + items: + type: string + type: array + dataSource: + description: 'This field can be used to specify either: + * An existing VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot) + * An existing PVC (PersistentVolumeClaim) * An existing + custom resource that implements data population (Alpha) + In order to use custom resource types that implement + data population, the AnyVolumeDataSource feature gate + must be enabled. If the provisioner or an external + controller can support the specified data source, + it will create a new volume based on the contents + of the specified data source.' + properties: + apiGroup: + description: APIGroup is the group for the resource + being referenced. If APIGroup is not specified, + the specified Kind must be in the core API group. + For any other third-party types, APIGroup is required. + type: string + kind: + description: Kind is the type of resource being + referenced + type: string + name: + description: Name is the name of resource being + referenced + type: string + required: + - kind + - name + type: object + resources: + description: 'Resources represents the minimum resources + the volume should have. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources' + properties: + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Limits describes the maximum amount + of compute resources allowed. 
More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Requests describes the minimum amount + of compute resources required. If Requests is + omitted for a container, it defaults to Limits + if that is explicitly specified, otherwise to + an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + type: object + selector: + description: A label query over volumes to consider + for binding. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If the + operator is Exists or DoesNotExist, the + values array must be empty. This array is + replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". The + requirements are ANDed. + type: object + type: object + storageClassName: + description: 'Name of the StorageClass required by the + claim. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1' + type: string + volumeMode: + description: volumeMode defines what type of volume + is required by the claim. Value of Filesystem is implied + when not included in claim spec. + type: string + volumeName: + description: VolumeName is the binding reference to + the PersistentVolume backing this claim. + type: string + type: object + type: object + status: + description: DataVolumeTemplateDummyStatus is here simply for + backwards compatibility with a previous API. + nullable: true + type: object + required: + - spec + type: object + type: array + instancetype: + description: InstancetypeMatcher references a instancetype that is + used to fill fields in Template + properties: + inferFromVolume: + description: InferFromVolume lists the name of a volume that should + be used to infer or discover the instancetype to be used through + known annotations on the underlying resource. Once applied to + the InstancetypeMatcher this field is removed. + type: string + kind: + description: 'Kind specifies which instancetype resource is referenced. + Allowed values are: "VirtualMachineInstancetype" and "VirtualMachineClusterInstancetype". + If not specified, "VirtualMachineClusterInstancetype" is used + by default.' + type: string + name: + description: Name is the name of the VirtualMachineInstancetype + or VirtualMachineClusterInstancetype + type: string + revisionName: + description: RevisionName specifies a ControllerRevision containing + a specific copy of the VirtualMachineInstancetype or VirtualMachineClusterInstancetype + to be used. 
This is initially captured the first time the instancetype + is applied to the VirtualMachineInstance. + type: string + type: object + preference: + description: PreferenceMatcher references a set of preference that + is used to fill fields in Template + properties: + inferFromVolume: + description: InferFromVolume lists the name of a volume that should + be used to infer or discover the preference to be used through + known annotations on the underlying resource. Once applied to + the PreferenceMatcher this field is removed. + type: string + kind: + description: 'Kind specifies which preference resource is referenced. + Allowed values are: "VirtualMachinePreference" and "VirtualMachineClusterPreference". + If not specified, "VirtualMachineClusterPreference" is used + by default.' + type: string + name: + description: Name is the name of the VirtualMachinePreference + or VirtualMachineClusterPreference + type: string + revisionName: + description: RevisionName specifies a ControllerRevision containing + a specific copy of the VirtualMachinePreference or VirtualMachineClusterPreference + to be used. This is initially captured the first time the instancetype + is applied to the VirtualMachineInstance. + type: string + type: object + runStrategy: + description: Running state indicates the requested running state of + the VirtualMachineInstance mutually exclusive with Running + type: string + running: + description: Running controls whether the associatied VirtualMachineInstance + is created or not Mutually exclusive with RunStrategy + type: boolean + template: + description: Template is the direct specification of VirtualMachineInstance + properties: + metadata: + nullable: true + type: object + x-kubernetes-preserve-unknown-fields: true + spec: + description: VirtualMachineInstance Spec contains the VirtualMachineInstance + specification. 
+ properties: + accessCredentials: + description: Specifies a set of public keys to inject into + the vm guest + items: + description: AccessCredential represents a credential source + that can be used to authorize remote access to the vm + guest Only one of its members may be specified. + properties: + sshPublicKey: + description: SSHPublicKey represents the source and + method of applying a ssh public key into a guest virtual + machine. + properties: + propagationMethod: + description: PropagationMethod represents how the + public key is injected into the vm guest. + properties: + configDrive: + description: ConfigDrivePropagation means that + the ssh public keys are injected into the + VM using metadata using the configDrive cloud-init + provider + type: object + qemuGuestAgent: + description: QemuGuestAgentAccessCredentailPropagation + means ssh public keys are dynamically injected + into the vm at runtime via the qemu guest + agent. This feature requires the qemu guest + agent to be running within the guest. + properties: + users: + description: Users represents a list of + guest users that should have the ssh public + keys added to their authorized_keys file. + items: + type: string + type: array + x-kubernetes-list-type: set + required: + - users + type: object + type: object + source: + description: Source represents where the public + keys are pulled from + properties: + secret: + description: Secret means that the access credential + is pulled from a kubernetes secret + properties: + secretName: + description: SecretName represents the name + of the secret in the VMI's namespace + type: string + required: + - secretName + type: object + type: object + required: + - propagationMethod + - source + type: object + userPassword: + description: UserPassword represents the source and + method for applying a guest user's password + properties: + propagationMethod: + description: propagationMethod represents how the + user passwords are injected into the vm guest. 
+ properties: + qemuGuestAgent: + description: QemuGuestAgentAccessCredentailPropagation + means passwords are dynamically injected into + the vm at runtime via the qemu guest agent. + This feature requires the qemu guest agent + to be running within the guest. + type: object + type: object + source: + description: Source represents where the user passwords + are pulled from + properties: + secret: + description: Secret means that the access credential + is pulled from a kubernetes secret + properties: + secretName: + description: SecretName represents the name + of the secret in the VMI's namespace + type: string + required: + - secretName + type: object + type: object + required: + - propagationMethod + - source + type: object + type: object + type: array + x-kubernetes-list-type: atomic + affinity: + description: If affinity is specifies, obey all the affinity + rules + properties: + nodeAffinity: + description: Describes node affinity scheduling rules + for the pod. + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer to schedule + pods to nodes that satisfy the affinity expressions + specified by this field, but it may choose a node + that violates one or more of the expressions. The + node that is most preferred is the one with the + greatest sum of weights, i.e. for each node that + meets all of the scheduling requirements (resource + request, requiredDuringScheduling affinity expressions, + etc.), compute a sum by iterating through the elements + of this field and adding "weight" to the sum if + the node matches the corresponding matchExpressions; + the node(s) with the highest sum are the most preferred. + items: + description: An empty preferred scheduling term + matches all objects with implicit weight 0 (i.e. + it's a no-op). A null preferred scheduling term + matches no objects (i.e. is also a no-op). 
+ properties: + preference: + description: A node selector term, associated + with the corresponding weight. + properties: + matchExpressions: + description: A list of node selector requirements + by node's labels. + items: + description: A node selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: The label key that the + selector applies to. + type: string + operator: + description: Represents a key's relationship + to a set of values. Valid operators + are In, NotIn, Exists, DoesNotExist. + Gt, and Lt. + type: string + values: + description: An array of string values. + If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. + If the operator is Gt or Lt, the + values array must have a single + element, which will be interpreted + as an integer. This array is replaced + during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + description: A list of node selector requirements + by node's fields. + items: + description: A node selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: The label key that the + selector applies to. + type: string + operator: + description: Represents a key's relationship + to a set of values. Valid operators + are In, NotIn, Exists, DoesNotExist. + Gt, and Lt. + type: string + values: + description: An array of string values. + If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. + If the operator is Gt or Lt, the + values array must have a single + element, which will be interpreted + as an integer. This array is replaced + during a strategic merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + weight: + description: Weight associated with matching + the corresponding nodeSelectorTerm, in the + range 1-100. + format: int32 + type: integer + required: + - preference + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements specified + by this field are not met at scheduling time, the + pod will not be scheduled onto the node. If the + affinity requirements specified by this field cease + to be met at some point during pod execution (e.g. + due to an update), the system may or may not try + to eventually evict the pod from its node. + properties: + nodeSelectorTerms: + description: Required. A list of node selector + terms. The terms are ORed. + items: + description: A null or empty node selector term + matches no objects. The requirements of them + are ANDed. The TopologySelectorTerm type implements + a subset of the NodeSelectorTerm. + properties: + matchExpressions: + description: A list of node selector requirements + by node's labels. + items: + description: A node selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: The label key that the + selector applies to. + type: string + operator: + description: Represents a key's relationship + to a set of values. Valid operators + are In, NotIn, Exists, DoesNotExist. + Gt, and Lt. + type: string + values: + description: An array of string values. + If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. + If the operator is Gt or Lt, the + values array must have a single + element, which will be interpreted + as an integer. This array is replaced + during a strategic merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + description: A list of node selector requirements + by node's fields. + items: + description: A node selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: The label key that the + selector applies to. + type: string + operator: + description: Represents a key's relationship + to a set of values. Valid operators + are In, NotIn, Exists, DoesNotExist. + Gt, and Lt. + type: string + values: + description: An array of string values. + If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. + If the operator is Gt or Lt, the + values array must have a single + element, which will be interpreted + as an integer. This array is replaced + during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + type: array + required: + - nodeSelectorTerms + type: object + type: object + podAffinity: + description: Describes pod affinity scheduling rules (e.g. + co-locate this pod in the same node, zone, etc. as some + other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer to schedule + pods to nodes that satisfy the affinity expressions + specified by this field, but it may choose a node + that violates one or more of the expressions. The + node that is most preferred is the one with the + greatest sum of weights, i.e. 
for each node that + meets all of the scheduling requirements (resource + request, requiredDuringScheduling affinity expressions, + etc.), compute a sum by iterating through the elements + of this field and adding "weight" to the sum if + the node has pods which matches the corresponding + podAffinityTerm; the node(s) with the highest sum + are the most preferred. + items: + description: The weights of all of the matched WeightedPodAffinityTerm + fields are added per-node to find the most preferred + node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity term, + associated with the corresponding weight. + properties: + labelSelector: + description: A label query over a set of + resources, in this case pods. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: operator represents + a key's relationship to a set + of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array + of string values. If the operator + is In or NotIn, the values array + must be non-empty. If the operator + is Exists or DoesNotExist, the + values array must be empty. + This array is replaced during + a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of + {key,value} pairs. A single {key,value} + in the matchLabels map is equivalent + to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". 
The requirements are + ANDed. + type: object + type: object + namespaceSelector: + description: A label query over the set + of namespaces that the term applies to. + The term is applied to the union of the + namespaces selected by this field and + the ones listed in the namespaces field. + null selector and null or empty namespaces + list means "this pod's namespace". An + empty selector ({}) matches all namespaces. + This field is beta-level and is only honored + when PodAffinityNamespaceSelector feature + is enabled. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: operator represents + a key's relationship to a set + of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array + of string values. If the operator + is In or NotIn, the values array + must be non-empty. If the operator + is Exists or DoesNotExist, the + values array must be empty. + This array is replaced during + a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of + {key,value} pairs. A single {key,value} + in the matchLabels map is equivalent + to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are + ANDed. + type: object + type: object + namespaces: + description: namespaces specifies a static + list of namespace names that the term + applies to. 
The term is applied to the + union of the namespaces listed in this + field and the ones selected by namespaceSelector. + null or empty namespaces list and null + namespaceSelector means "this pod's namespace" + items: + type: string + type: array + topologyKey: + description: This pod should be co-located + (affinity) or not co-located (anti-affinity) + with the pods matching the labelSelector + in the specified namespaces, where co-located + is defined as running on a node whose + value of the label with key topologyKey + matches that of any node on which any + of the selected pods is running. Empty + topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: weight associated with matching + the corresponding podAffinityTerm, in the + range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements specified + by this field are not met at scheduling time, the + pod will not be scheduled onto the node. If the + affinity requirements specified by this field cease + to be met at some point during pod execution (e.g. + due to a pod label update), the system may or may + not try to eventually evict the pod from its node. + When there are multiple elements, the lists of nodes + corresponding to each podAffinityTerm are intersected, + i.e. all terms must be satisfied. + items: + description: Defines a set of pods (namely those + matching the labelSelector relative to the given + namespace(s)) that this pod should be co-located + (affinity) or not co-located (anti-affinity) with, + where co-located is defined as running on a node + whose value of the label with key + matches that of any node on which a pod of the + set of pods is running + properties: + labelSelector: + description: A label query over a set of resources, + in this case pods. 
+ properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: operator represents a + key's relationship to a set of values. + Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values is an array of + string values. If the operator is + In or NotIn, the values array must + be non-empty. If the operator is + Exists or DoesNotExist, the values + array must be empty. This array + is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + namespaceSelector: + description: A label query over the set of namespaces + that the term applies to. The term is applied + to the union of the namespaces selected by + this field and the ones listed in the namespaces + field. null selector and null or empty namespaces + list means "this pod's namespace". An empty + selector ({}) matches all namespaces. This + field is beta-level and is only honored when + PodAffinityNamespaceSelector feature is enabled. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. 
+ items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: operator represents a + key's relationship to a set of values. + Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values is an array of + string values. If the operator is + In or NotIn, the values array must + be non-empty. If the operator is + Exists or DoesNotExist, the values + array must be empty. This array + is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + namespaces: + description: namespaces specifies a static list + of namespace names that the term applies to. + The term is applied to the union of the namespaces + listed in this field and the ones selected + by namespaceSelector. null or empty namespaces + list and null namespaceSelector means "this + pod's namespace" + items: + type: string + type: array + topologyKey: + description: This pod should be co-located (affinity) + or not co-located (anti-affinity) with the + pods matching the labelSelector in the specified + namespaces, where co-located is defined as + running on a node whose value of the label + with key topologyKey matches that of any node + on which any of the selected pods is running. + Empty topologyKey is not allowed. 
+ type: string + required: + - topologyKey + type: object + type: array + type: object + podAntiAffinity: + description: Describes pod anti-affinity scheduling rules + (e.g. avoid putting this pod in the same node, zone, + etc. as some other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer to schedule + pods to nodes that satisfy the anti-affinity expressions + specified by this field, but it may choose a node + that violates one or more of the expressions. The + node that is most preferred is the one with the + greatest sum of weights, i.e. for each node that + meets all of the scheduling requirements (resource + request, requiredDuringScheduling anti-affinity + expressions, etc.), compute a sum by iterating through + the elements of this field and adding "weight" to + the sum if the node has pods which matches the corresponding + podAffinityTerm; the node(s) with the highest sum + are the most preferred. + items: + description: The weights of all of the matched WeightedPodAffinityTerm + fields are added per-node to find the most preferred + node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity term, + associated with the corresponding weight. + properties: + labelSelector: + description: A label query over a set of + resources, in this case pods. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: operator represents + a key's relationship to a set + of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array + of string values. 
If the operator + is In or NotIn, the values array + must be non-empty. If the operator + is Exists or DoesNotExist, the + values array must be empty. + This array is replaced during + a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of + {key,value} pairs. A single {key,value} + in the matchLabels map is equivalent + to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are + ANDed. + type: object + type: object + namespaceSelector: + description: A label query over the set + of namespaces that the term applies to. + The term is applied to the union of the + namespaces selected by this field and + the ones listed in the namespaces field. + null selector and null or empty namespaces + list means "this pod's namespace". An + empty selector ({}) matches all namespaces. + This field is beta-level and is only honored + when PodAffinityNamespaceSelector feature + is enabled. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: operator represents + a key's relationship to a set + of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array + of string values. If the operator + is In or NotIn, the values array + must be non-empty. If the operator + is Exists or DoesNotExist, the + values array must be empty. + This array is replaced during + a strategic merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of + {key,value} pairs. A single {key,value} + in the matchLabels map is equivalent + to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are + ANDed. + type: object + type: object + namespaces: + description: namespaces specifies a static + list of namespace names that the term + applies to. The term is applied to the + union of the namespaces listed in this + field and the ones selected by namespaceSelector. + null or empty namespaces list and null + namespaceSelector means "this pod's namespace" + items: + type: string + type: array + topologyKey: + description: This pod should be co-located + (affinity) or not co-located (anti-affinity) + with the pods matching the labelSelector + in the specified namespaces, where co-located + is defined as running on a node whose + value of the label with key topologyKey + matches that of any node on which any + of the selected pods is running. Empty + topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: weight associated with matching + the corresponding podAffinityTerm, in the + range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the anti-affinity requirements specified + by this field are not met at scheduling time, the + pod will not be scheduled onto the node. If the + anti-affinity requirements specified by this field + cease to be met at some point during pod execution + (e.g. due to a pod label update), the system may + or may not try to eventually evict the pod from + its node. 
When there are multiple elements, the + lists of nodes corresponding to each podAffinityTerm + are intersected, i.e. all terms must be satisfied. + items: + description: Defines a set of pods (namely those + matching the labelSelector relative to the given + namespace(s)) that this pod should be co-located + (affinity) or not co-located (anti-affinity) with, + where co-located is defined as running on a node + whose value of the label with key + matches that of any node on which a pod of the + set of pods is running + properties: + labelSelector: + description: A label query over a set of resources, + in this case pods. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: operator represents a + key's relationship to a set of values. + Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values is an array of + string values. If the operator is + In or NotIn, the values array must + be non-empty. If the operator is + Exists or DoesNotExist, the values + array must be empty. This array + is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are ANDed. 
+ type: object + type: object + namespaceSelector: + description: A label query over the set of namespaces + that the term applies to. The term is applied + to the union of the namespaces selected by + this field and the ones listed in the namespaces + field. null selector and null or empty namespaces + list means "this pod's namespace". An empty + selector ({}) matches all namespaces. This + field is beta-level and is only honored when + PodAffinityNamespaceSelector feature is enabled. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: operator represents a + key's relationship to a set of values. + Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values is an array of + string values. If the operator is + In or NotIn, the values array must + be non-empty. If the operator is + Exists or DoesNotExist, the values + array must be empty. This array + is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + namespaces: + description: namespaces specifies a static list + of namespace names that the term applies to. 
+ The term is applied to the union of the namespaces + listed in this field and the ones selected + by namespaceSelector. null or empty namespaces + list and null namespaceSelector means "this + pod's namespace" + items: + type: string + type: array + topologyKey: + description: This pod should be co-located (affinity) + or not co-located (anti-affinity) with the + pods matching the labelSelector in the specified + namespaces, where co-located is defined as + running on a node whose value of the label + with key topologyKey matches that of any node + on which any of the selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + type: object + type: object + dnsConfig: + description: Specifies the DNS parameters of a pod. Parameters + specified here will be merged to the generated DNS configuration + based on DNSPolicy. + properties: + nameservers: + description: A list of DNS name server IP addresses. This + will be appended to the base nameservers generated from + DNSPolicy. Duplicated nameservers will be removed. + items: + type: string + type: array + options: + description: A list of DNS resolver options. This will + be merged with the base options generated from DNSPolicy. + Duplicated entries will be removed. Resolution options + given in Options will override those that appear in + the base DNSPolicy. + items: + description: PodDNSConfigOption defines DNS resolver + options of a pod. + properties: + name: + description: Required. + type: string + value: + type: string + type: object + type: array + searches: + description: A list of DNS search domains for host-name + lookup. This will be appended to the base search paths + generated from DNSPolicy. Duplicated search paths will + be removed. + items: + type: string + type: array + type: object + dnsPolicy: + description: Set DNS policy for the pod. Defaults to "ClusterFirst". 
+ Valid values are 'ClusterFirstWithHostNet', 'ClusterFirst', + 'Default' or 'None'. DNS parameters given in DNSConfig will + be merged with the policy selected with DNSPolicy. To have + DNS options set along with hostNetwork, you have to specify + DNS policy explicitly to 'ClusterFirstWithHostNet'. + type: string + domain: + description: Specification of the desired behavior of the + VirtualMachineInstance on the host. + properties: + chassis: + description: Chassis specifies the chassis info passed + to the domain. + properties: + asset: + type: string + manufacturer: + type: string + serial: + type: string + sku: + type: string + version: + type: string + type: object + clock: + description: Clock sets the clock and timers of the vmi. + properties: + timer: + description: Timer specifies whih timers are attached + to the vmi. + properties: + hpet: + description: HPET (High Precision Event Timer) + - multiple timers with periodic interrupts. + properties: + present: + description: Enabled set to false makes sure + that the machine type or a preset can't + add the timer. Defaults to true. + type: boolean + tickPolicy: + description: TickPolicy determines what happens + when QEMU misses a deadline for injecting + a tick to the guest. One of "delay", "catchup", + "merge", "discard". + type: string + type: object + hyperv: + description: Hyperv (Hypervclock) - lets guests + read the host’s wall clock time (paravirtualized). + For windows guests. + properties: + present: + description: Enabled set to false makes sure + that the machine type or a preset can't + add the timer. Defaults to true. + type: boolean + type: object + kvm: + description: "KVM \t(KVM clock) - lets guests + read the host’s wall clock time (paravirtualized). + For linux guests." + properties: + present: + description: Enabled set to false makes sure + that the machine type or a preset can't + add the timer. Defaults to true. 
+ type: boolean + type: object + pit: + description: PIT (Programmable Interval Timer) + - a timer with periodic interrupts. + properties: + present: + description: Enabled set to false makes sure + that the machine type or a preset can't + add the timer. Defaults to true. + type: boolean + tickPolicy: + description: TickPolicy determines what happens + when QEMU misses a deadline for injecting + a tick to the guest. One of "delay", "catchup", + "discard". + type: string + type: object + rtc: + description: RTC (Real Time Clock) - a continuously + running timer with periodic interrupts. + properties: + present: + description: Enabled set to false makes sure + that the machine type or a preset can't + add the timer. Defaults to true. + type: boolean + tickPolicy: + description: TickPolicy determines what happens + when QEMU misses a deadline for injecting + a tick to the guest. One of "delay", "catchup". + type: string + track: + description: Track the guest or the wall clock. + type: string + type: object + type: object + timezone: + description: Timezone sets the guest clock to the + specified timezone. Zone name follows the TZ environment + variable format (e.g. 'America/New_York'). + type: string + utc: + description: UTC sets the guest clock to UTC on each + boot. If an offset is specified, guest changes to + the clock will be kept during reboots and are not + reset. + properties: + offsetSeconds: + description: OffsetSeconds specifies an offset + in seconds, relative to UTC. If set, guest changes + to the clock will be kept during reboots and + not reset. + type: integer + type: object + type: object + cpu: + description: CPU allow specified the detailed CPU topology + inside the vmi. + properties: + cores: + description: Cores specifies the number of cores inside + the vmi. Must be a value greater or equal 1. 
+ format: int32 + type: integer + dedicatedCpuPlacement: + description: DedicatedCPUPlacement requests the scheduler + to place the VirtualMachineInstance on a node with + enough dedicated pCPUs and pin the vCPUs to it. + type: boolean + features: + description: Features specifies the CPU features list + inside the VMI. + items: + description: CPUFeature allows specifying a CPU + feature. + properties: + name: + description: Name of the CPU feature + type: string + policy: + description: 'Policy is the CPU feature attribute + which can have the following attributes: force - + The virtual CPU will claim the feature is + supported regardless of it being supported + by host CPU. require - Guest creation will + fail unless the feature is supported by the + host CPU or the hypervisor is able to emulate + it. optional - The feature will be supported + by virtual CPU if and only if it is supported + by host CPU. disable - The feature will not + be supported by virtual CPU. forbid - Guest + creation will fail if the feature is supported + by host CPU. Defaults to require' + type: string + required: + - name + type: object + type: array + isolateEmulatorThread: + description: IsolateEmulatorThread requests one more + dedicated pCPU to be allocated for the VMI to place + the emulator thread on it. + type: boolean + model: + description: Model specifies the CPU model inside + the VMI. List of available models https://github.com/libvirt/libvirt/tree/master/src/cpu_map. + It is possible to specify special cases like "host-passthrough" + to get the same CPU as the node and "host-model" + to get CPU closest to the node one. Defaults to + host-model. + type: string + numa: + description: NUMA allows specifying settings for the + guest NUMA topology + properties: + guestMappingPassthrough: + description: GuestMappingPassthrough will create + an efficient guest topology based on host CPUs + exclusively assigned to a pod. 
The created topology + ensures that memory and CPUs on the virtual + numa nodes never cross boundaries of host numa + nodes. + type: object + type: object + realtime: + description: Realtime instructs the virt-launcher + to tune the VMI for lower latency, optional for + real time workloads + properties: + mask: + description: 'Mask defines the vcpu mask expression + that defines which vcpus are used for realtime. + Format matches libvirt''s expressions. Example: + "0-3,^1","0,2,3","2-3"' + type: string + type: object + sockets: + description: Sockets specifies the number of sockets + inside the vmi. Must be a value greater or equal + 1. + format: int32 + type: integer + threads: + description: Threads specifies the number of threads + inside the vmi. Must be a value greater or equal + 1. + format: int32 + type: integer + type: object + devices: + description: Devices allows adding disks, network interfaces, + and others + properties: + autoattachGraphicsDevice: + description: Whether to attach the default graphics + device or not. VNC will not be available if set + to false. Defaults to true. + type: boolean + autoattachInputDevice: + description: Whether to attach an Input Device. Defaults + to false. + type: boolean + autoattachMemBalloon: + description: Whether to attach the Memory balloon + device with default period. Period can be adjusted + in virt-config. Defaults to true. + type: boolean + autoattachPodInterface: + description: Whether to attach a pod network interface. + Defaults to true. + type: boolean + autoattachSerialConsole: + description: Whether to attach the default serial + console or not. Serial console access will not be + available if set to false. Defaults to true. + type: boolean + autoattachVSOCK: + description: Whether to attach the VSOCK CID to the + VM or not. VSOCK access will be available if set + to true. Defaults to false. 
+ type: boolean + blockMultiQueue: + description: Whether or not to enable virtio multi-queue + for block devices. Defaults to false. + type: boolean + clientPassthrough: + description: To configure and access client devices + such as redirecting USB + type: object + disableHotplug: + description: DisableHotplug disabled the ability to + hotplug disks. + type: boolean + disks: + description: Disks describes disks, cdroms and luns + which are connected to the vmi. + items: + properties: + blockSize: + description: If specified, the virtual disk + will be presented with the given block sizes. + properties: + custom: + description: CustomBlockSize represents + the desired logical and physical block + size for a VM disk. + properties: + logical: + type: integer + physical: + type: integer + required: + - logical + - physical + type: object + matchVolume: + description: Represents if a feature is + enabled or disabled. + properties: + enabled: + description: Enabled determines if the + feature should be enabled or disabled + on the guest. Defaults to true. + type: boolean + type: object + type: object + bootOrder: + description: BootOrder is an integer value > + 0, used to determine ordering of boot devices. + Lower values take precedence. Each disk or + interface that has a boot order must have + a unique value. Disks without a boot order + are not tried if a disk with a boot order + exists. + type: integer + cache: + description: 'Cache specifies which kvm disk + cache mode should be used. Supported values + are: CacheNone, CacheWriteThrough.' + type: string + cdrom: + description: Attach a volume as a cdrom to the + vmi. + properties: + bus: + description: 'Bus indicates the type of + disk device to emulate. supported values: + virtio, sata, scsi.' + type: string + readonly: + description: ReadOnly. Defaults to true. + type: boolean + tray: + description: Tray indicates if the tray + of the device is open or closed. Allowed + values are "open" and "closed". 
Defaults + to closed. + type: string + type: object + dedicatedIOThread: + description: dedicatedIOThread indicates this + disk should have an exclusive IO Thread. Enabling + this implies useIOThreads = true. Defaults + to false. + type: boolean + disk: + description: Attach a volume as a disk to the + vmi. + properties: + bus: + description: 'Bus indicates the type of + disk device to emulate. supported values: + virtio, sata, scsi, usb.' + type: string + pciAddress: + description: 'If specified, the virtual + disk will be placed on the guests pci + address with the specified PCI address. + For example: 0000:81:01.10' + type: string + readonly: + description: ReadOnly. Defaults to false. + type: boolean + type: object + io: + description: 'IO specifies which QEMU disk IO + mode should be used. Supported values are: + native, default, threads.' + type: string + lun: + description: Attach a volume as a LUN to the + vmi. + properties: + bus: + description: 'Bus indicates the type of + disk device to emulate. supported values: + virtio, sata, scsi.' + type: string + readonly: + description: ReadOnly. Defaults to false. + type: boolean + type: object + name: + description: Name is the device name + type: string + serial: + description: Serial provides the ability to + specify a serial number for the disk device. + type: string + shareable: + description: If specified the disk is made sharable + and multiple write from different VMs are + permitted + type: boolean + tag: + description: If specified, disk address and + its tag will be provided to the guest via + config drive metadata + type: string + required: + - name + type: object + type: array + filesystems: + description: Filesystems describes filesystem which + is connected to the vmi. 
+ items: + properties: + name: + description: Name is the device name + type: string + virtiofs: + description: Virtiofs is supported + type: object + required: + - name + - virtiofs + type: object + type: array + x-kubernetes-list-type: atomic + gpus: + description: Whether to attach a GPU device to the + vmi. + items: + properties: + deviceName: + type: string + name: + description: Name of the GPU device as exposed + by a device plugin + type: string + tag: + description: If specified, the virtual network + interface address and its tag will be provided + to the guest via config drive + type: string + virtualGPUOptions: + properties: + display: + properties: + enabled: + description: Enabled determines if a + display addapter backed by a vGPU + should be enabled or disabled on the + guest. Defaults to true. + type: boolean + ramFB: + description: Enables a boot framebuffer, + until the guest OS loads a real GPU + driver Defaults to true. + properties: + enabled: + description: Enabled determines + if the feature should be enabled + or disabled on the guest. Defaults + to true. + type: boolean + type: object + type: object + type: object + required: + - deviceName + - name + type: object + type: array + x-kubernetes-list-type: atomic + hostDevices: + description: Whether to attach a host device to the + vmi. + items: + properties: + deviceName: + description: DeviceName is the resource name + of the host device exposed by a device plugin + type: string + name: + type: string + tag: + description: If specified, the virtual network + interface address and its tag will be provided + to the guest via config drive + type: string + required: + - deviceName + - name + type: object + type: array + x-kubernetes-list-type: atomic + inputs: + description: Inputs describe input devices + items: + properties: + bus: + description: 'Bus indicates the bus of input + device to emulate. Supported values: virtio, + usb.' 
+ type: string + name: + description: Name is the device name + type: string + type: + description: 'Type indicated the type of input + device. Supported values: tablet.' + type: string + required: + - name + - type + type: object + type: array + interfaces: + description: Interfaces describe network interfaces + which are added to the vmi. + items: + properties: + acpiIndex: + description: If specified, the ACPI index is + used to provide network interface device naming, + that is stable across changes in PCI addresses + assigned to the device. This value is required + to be unique across all devices and be between + 1 and (16*1024-1). + type: integer + bootOrder: + description: BootOrder is an integer value > + 0, used to determine ordering of boot devices. + Lower values take precedence. Each interface + or disk that has a boot order must have a + unique value. Interfaces without a boot order + are not tried. + type: integer + bridge: + description: InterfaceBridge connects to a given + network via a linux bridge. + type: object + dhcpOptions: + description: If specified the network interface + will pass additional DHCP options to the VMI + properties: + bootFileName: + description: If specified will pass option + 67 to interface's DHCP server + type: string + ntpServers: + description: If specified will pass the + configured NTP server to the VM via DHCP + option 042. + items: + type: string + type: array + privateOptions: + description: 'If specified will pass extra + DHCP options for private use, range: 224-254' + items: + description: DHCPExtraOptions defines + Extra DHCP options for a VM. + properties: + option: + description: Option is an Integer + value from 224-254 Required. + type: integer + value: + description: Value is a String value + for the Option provided Required. 
+ type: string + required: + - option + - value + type: object + type: array + tftpServerName: + description: If specified will pass option + 66 to interface's DHCP server + type: string + type: object + macAddress: + description: 'Interface MAC address. For example: + de:ad:00:00:be:af or DE-AD-00-00-BE-AF.' + type: string + macvtap: + description: InterfaceMacvtap connects to a + given network by extending the Kubernetes + node's L2 networks via a macvtap interface. + type: object + masquerade: + description: InterfaceMasquerade connects to + a given network using netfilter rules to nat + the traffic. + type: object + model: + description: 'Interface model. One of: e1000, + e1000e, ne2k_pci, pcnet, rtl8139, virtio. + Defaults to virtio. TODO:(ihar) switch to + enums once opengen-api supports them. See: + https://github.com/kubernetes/kube-openapi/issues/51' + type: string + name: + description: Logical name of the interface as + well as a reference to the associated networks. + Must match the Name of a Network. + type: string + passt: + description: InterfacePasst connects to a given + network. + type: object + pciAddress: + description: 'If specified, the virtual network + interface will be placed on the guests pci + address with the specified PCI address. For + example: 0000:81:01.10' + type: string + ports: + description: List of ports to be forwarded to + the virtual machine. + items: + description: Port represents a port to expose + from the virtual machine. Default protocol + TCP. The port field is mandatory + properties: + name: + description: If specified, this must be + an IANA_SVC_NAME and unique within the + pod. Each named port in a pod must have + a unique name. Name for the port that + can be referred to by services. + type: string + port: + description: Number of port to expose + for the virtual machine. This must be + a valid port number, 0 < x < 65536. + format: int32 + type: integer + protocol: + description: Protocol for port. 
Must be + UDP or TCP. Defaults to "TCP". + type: string + required: + - port + type: object + type: array + slirp: + description: InterfaceSlirp connects to a given + network using QEMU user networking mode. + type: object + sriov: + description: InterfaceSRIOV connects to a given + network by passing-through an SR-IOV PCI device + via vfio. + type: object + tag: + description: If specified, the virtual network + interface address and its tag will be provided + to the guest via config drive + type: string + required: + - name + type: object + type: array + networkInterfaceMultiqueue: + description: If specified, virtual network interfaces + configured with a virtio bus will also enable the + vhost multiqueue feature for network devices. The + number of queues created depends on additional factors + of the VirtualMachineInstance, like the number of + guest CPUs. + type: boolean + rng: + description: Whether to have random number generator + from host + type: object + sound: + description: Whether to emulate a sound device. + properties: + model: + description: 'We only support ich9 or ac97. If + SoundDevice is not set: No sound card is emulated. + If SoundDevice is set but Model is not: ich9' + type: string + name: + description: User's defined name for this sound + device + type: string + required: + - name + type: object + tpm: + description: Whether to emulate a TPM device. + type: object + useVirtioTransitional: + description: Fall back to legacy virtio 0.9 support + if virtio bus is selected on devices. This is helpful + for old machines like CentOS6 or RHEL6 which do + not understand virtio_non_transitional (virtio 1.0). + type: boolean + watchdog: + description: Watchdog describes a watchdog device + which can be added to the vmi. + properties: + i6300esb: + description: i6300esb watchdog device. + properties: + action: + description: The action to take. Valid values + are poweroff, reset, shutdown. Defaults + to reset. 
+ type: string + type: object + name: + description: Name of the watchdog. + type: string + required: + - name + type: object + type: object + features: + description: Features like acpi, apic, hyperv, smm. + properties: + acpi: + description: ACPI enables/disables ACPI inside the + guest. Defaults to enabled. + properties: + enabled: + description: Enabled determines if the feature + should be enabled or disabled on the guest. + Defaults to true. + type: boolean + type: object + apic: + description: Defaults to the machine type setting. + properties: + enabled: + description: Enabled determines if the feature + should be enabled or disabled on the guest. + Defaults to true. + type: boolean + endOfInterrupt: + description: EndOfInterrupt enables the end of + interrupt notification in the guest. Defaults + to false. + type: boolean + type: object + hyperv: + description: Defaults to the machine type setting. + properties: + evmcs: + description: EVMCS Speeds up L2 vmexits, but disables + other virtualization features. Requires vapic. + Defaults to the machine type setting. + properties: + enabled: + description: Enabled determines if the feature + should be enabled or disabled on the guest. + Defaults to true. + type: boolean + type: object + frequencies: + description: Frequencies improves the TSC clock + source handling for Hyper-V on KVM. Defaults + to the machine type setting. + properties: + enabled: + description: Enabled determines if the feature + should be enabled or disabled on the guest. + Defaults to true. + type: boolean + type: object + ipi: + description: IPI improves performances in overcommited + environments. Requires vpindex. Defaults to + the machine type setting. + properties: + enabled: + description: Enabled determines if the feature + should be enabled or disabled on the guest. + Defaults to true. + type: boolean + type: object + reenlightenment: + description: Reenlightenment enables the notifications + on TSC frequency changes. 
Defaults to the machine + type setting. + properties: + enabled: + description: Enabled determines if the feature + should be enabled or disabled on the guest. + Defaults to true. + type: boolean + type: object + relaxed: + description: Relaxed instructs the guest OS to + disable watchdog timeouts. Defaults to the machine + type setting. + properties: + enabled: + description: Enabled determines if the feature + should be enabled or disabled on the guest. + Defaults to true. + type: boolean + type: object + reset: + description: Reset enables Hyperv reboot/reset + for the vmi. Requires synic. Defaults to the + machine type setting. + properties: + enabled: + description: Enabled determines if the feature + should be enabled or disabled on the guest. + Defaults to true. + type: boolean + type: object + runtime: + description: Runtime improves the time accounting + to improve scheduling in the guest. Defaults + to the machine type setting. + properties: + enabled: + description: Enabled determines if the feature + should be enabled or disabled on the guest. + Defaults to true. + type: boolean + type: object + spinlocks: + description: Spinlocks allows to configure the + spinlock retry attempts. + properties: + enabled: + description: Enabled determines if the feature + should be enabled or disabled on the guest. + Defaults to true. + type: boolean + spinlocks: + description: Retries indicates the number + of retries. Must be a value greater or equal + 4096. Defaults to 4096. + format: int32 + type: integer + type: object + synic: + description: SyNIC enables the Synthetic Interrupt + Controller. Defaults to the machine type setting. + properties: + enabled: + description: Enabled determines if the feature + should be enabled or disabled on the guest. + Defaults to true. + type: boolean + type: object + synictimer: + description: SyNICTimer enables Synthetic Interrupt + Controller Timers, reducing CPU load. Defaults + to the machine type setting. 
+ properties: + direct: + description: Represents if a feature is enabled + or disabled. + properties: + enabled: + description: Enabled determines if the + feature should be enabled or disabled + on the guest. Defaults to true. + type: boolean + type: object + enabled: + type: boolean + type: object + tlbflush: + description: TLBFlush improves performances in + overcommited environments. Requires vpindex. + Defaults to the machine type setting. + properties: + enabled: + description: Enabled determines if the feature + should be enabled or disabled on the guest. + Defaults to true. + type: boolean + type: object + vapic: + description: VAPIC improves the paravirtualized + handling of interrupts. Defaults to the machine + type setting. + properties: + enabled: + description: Enabled determines if the feature + should be enabled or disabled on the guest. + Defaults to true. + type: boolean + type: object + vendorid: + description: VendorID allows setting the hypervisor + vendor id. Defaults to the machine type setting. + properties: + enabled: + description: Enabled determines if the feature + should be enabled or disabled on the guest. + Defaults to true. + type: boolean + vendorid: + description: VendorID sets the hypervisor + vendor id, visible to the vmi. String up + to twelve characters. + type: string + type: object + vpindex: + description: VPIndex enables the Virtual Processor + Index to help windows identifying virtual processors. + Defaults to the machine type setting. + properties: + enabled: + description: Enabled determines if the feature + should be enabled or disabled on the guest. + Defaults to true. + type: boolean + type: object + type: object + kvm: + description: Configure how KVM presence is exposed + to the guest. + properties: + hidden: + description: Hide the KVM hypervisor from standard + MSR based discovery. 
Defaults to false + type: boolean + type: object + pvspinlock: + description: Notify the guest that the host supports + paravirtual spinlocks. For older kernels this feature + should be explicitly disabled. + properties: + enabled: + description: Enabled determines if the feature + should be enabled or disabled on the guest. + Defaults to true. + type: boolean + type: object + smm: + description: SMM enables/disables System Management + Mode. TSEG not yet implemented. + properties: + enabled: + description: Enabled determines if the feature + should be enabled or disabled on the guest. + Defaults to true. + type: boolean + type: object + type: object + firmware: + description: Firmware. + properties: + bootloader: + description: Settings to control the bootloader that + is used. + properties: + bios: + description: If set (default), BIOS will be used. + properties: + useSerial: + description: If set, the BIOS output will + be transmitted over serial + type: boolean + type: object + efi: + description: If set, EFI will be used instead + of BIOS. + properties: + secureBoot: + description: If set, SecureBoot will be enabled + and the OVMF roms will be swapped for SecureBoot-enabled + ones. Requires SMM to be enabled. Defaults + to true + type: boolean + type: object + type: object + kernelBoot: + description: Settings to set the kernel for booting. + properties: + container: + description: Container defines the container that + containes kernel artifacts + properties: + image: + description: Image that contains initrd / + kernel files. + type: string + imagePullPolicy: + description: 'Image pull policy. One of Always, + Never, IfNotPresent. Defaults to Always + if :latest tag is specified, or IfNotPresent + otherwise. Cannot be updated. More info: + https://kubernetes.io/docs/concepts/containers/images#updating-images' + type: string + imagePullSecret: + description: ImagePullSecret is the name of + the Docker registry secret required to pull + the image. 
The secret must already exist. + type: string + initrdPath: + description: the fully-qualified path to the + ramdisk image in the host OS + type: string + kernelPath: + description: The fully-qualified path to the + kernel image in the host OS + type: string + required: + - image + type: object + kernelArgs: + description: Arguments to be passed to the kernel + at boot time + type: string + type: object + serial: + description: The system-serial-number in SMBIOS + type: string + uuid: + description: UUID reported by the vmi bios. Defaults + to a random generated uid. + type: string + type: object + ioThreadsPolicy: + description: 'Controls whether or not disks will share + IOThreads. Omitting IOThreadsPolicy disables use of + IOThreads. One of: shared, auto' + type: string + launchSecurity: + description: Launch Security setting of the vmi. + properties: + sev: + description: AMD Secure Encrypted Virtualization (SEV). + type: object + type: object + machine: + description: Machine type. + properties: + type: + description: QEMU machine type is the actual chipset + of the VirtualMachineInstance. + type: string + type: object + memory: + description: Memory allow specifying the VMI memory features. + properties: + guest: + anyOf: + - type: integer + - type: string + description: Guest allows to specifying the amount + of memory which is visible inside the Guest OS. + The Guest must lie between Requests and Limits from + the resources section. Defaults to the requested + memory in the resources section if not specified. + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + hugepages: + description: Hugepages allow to use hugepages for + the VirtualMachineInstance instead of regular memory. + properties: + pageSize: + description: PageSize specifies the hugepage size, + for x86_64 architecture valid values are 1Gi + and 2Mi. 
+ type: string + type: object + type: object + resources: + description: Resources describes the Compute Resources + required by this vmi. + properties: + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: Limits describes the maximum amount of + compute resources allowed. Valid resource keys are + "memory" and "cpu". + type: object + overcommitGuestOverhead: + description: Don't ask the scheduler to take the guest-management + overhead into account. Instead put the overhead + only into the container's memory limit. This can + lead to crashes if all memory is in use on a node. + Defaults to false. + type: boolean + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: Requests is a description of the initial + vmi resources. Valid resource keys are "memory" + and "cpu". + type: object + type: object + required: + - devices + type: object + evictionStrategy: + description: EvictionStrategy can be set to "LiveMigrate" + if the VirtualMachineInstance should be migrated instead + of shut-off in case of a node drain. + type: string + hostname: + description: Specifies the hostname of the vmi If not specified, + the hostname will be set to the name of the vmi, if dhcp + or cloud-init is configured properly. + type: string + livenessProbe: + description: 'Periodic probe of VirtualMachineInstance liveness. + VirtualmachineInstances will be stopped if the probe fails. + Cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + properties: + exec: + description: One and only one of the following should + be specified. 
Exec specifies the action to take, it + will be executed on the guest through the qemu-guest-agent. + If the guest agent is not available, this probe will + fail. + properties: + command: + description: Command is the command line to execute + inside the container, the working directory for + the command is root ('/') in the container's filesystem. + The command is simply exec'd, it is not run inside + a shell, so traditional shell instructions ('|', + etc) won't work. To use a shell, you need to explicitly + call out to that shell. Exit status of 0 is treated + as live/healthy and non-zero is unhealthy. + items: + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures for the probe + to be considered failed after having succeeded. Defaults + to 3. Minimum value is 1. + format: int32 + type: integer + guestAgentPing: + description: GuestAgentPing contacts the qemu-guest-agent + for availability checks. + type: object + httpGet: + description: HTTPGet specifies the http request to perform. + properties: + host: + description: Host name to connect to, defaults to + the pod IP. You probably want to set "Host" in httpHeaders + instead. + type: string + httpHeaders: + description: Custom headers to set in the request. + HTTP allows repeated headers. + items: + description: HTTPHeader describes a custom header + to be used in HTTP probes + properties: + name: + description: The header field name + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port to access + on the container. Number must be in the range 1 + to 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting to the host. + Defaults to HTTP. 
+ type: string + required: + - port + type: object + initialDelaySeconds: + description: 'Number of seconds after the VirtualMachineInstance + has started before liveness probes are initiated. More + info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform the probe. + Default to 10 seconds. Minimum value is 1. + format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes for the probe + to be considered successful after having failed. Defaults + to 1. Must be 1 for liveness. Minimum value is 1. + format: int32 + type: integer + tcpSocket: + description: 'TCPSocket specifies an action involving + a TCP port. TCP hooks not yet supported TODO: implement + a realistic TCP lifecycle hook' + properties: + host: + description: 'Optional: Host name to connect to, defaults + to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port to access + on the container. Number must be in the range 1 + to 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + timeoutSeconds: + description: 'Number of seconds after which the probe + times out. For exec probes the timeout fails the probe + but does not terminate the command running on the guest. + This means a blocking command can result in an increasing + load on the guest. A small buffer will be added to the + resulting workload exec probe to compensate for delays + caused by the qemu guest exec mechanism. Defaults to + 1 second. Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + type: object + networks: + description: List of networks that can be attached to a vm's + virtual interface. 
+ items: + description: Network represents a network type and a resource + that should be connected to the vm. + properties: + multus: + description: Represents the multus cni network. + properties: + default: + description: Select the default network and add + it to the multus-cni.io/default-network annotation. + type: boolean + networkName: + description: 'References to a NetworkAttachmentDefinition + CRD object. Format: , /. + If namespace is not specified, VMI namespace is + assumed.' + type: string + required: + - networkName + type: object + name: + description: 'Network name. Must be a DNS_LABEL and + unique within the vm. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + pod: + description: Represents the stock pod network interface. + properties: + vmIPv6NetworkCIDR: + description: IPv6 CIDR for the vm network. Defaults + to fd10:0:2::/120 if not specified. + type: string + vmNetworkCIDR: + description: CIDR for vm network. Default 10.0.2.0/24 + if not specified. + type: string + type: object + required: + - name + type: object + type: array + nodeSelector: + additionalProperties: + type: string + description: 'NodeSelector is a selector which must be true + for the vmi to fit on a node. Selector which must match + a node''s labels for the vmi to be scheduled on that node. + More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' + type: object + priorityClassName: + description: If specified, indicates the pod's priority. If + not specified, the pod priority will be default or zero + if there is no default. + type: string + readinessProbe: + description: 'Periodic probe of VirtualMachineInstance service + readiness. VirtualmachineInstances will be removed from + service endpoints if the probe fails. Cannot be updated. 
+ More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + properties: + exec: + description: One and only one of the following should + be specified. Exec specifies the action to take, it + will be executed on the guest through the qemu-guest-agent. + If the guest agent is not available, this probe will + fail. + properties: + command: + description: Command is the command line to execute + inside the container, the working directory for + the command is root ('/') in the container's filesystem. + The command is simply exec'd, it is not run inside + a shell, so traditional shell instructions ('|', + etc) won't work. To use a shell, you need to explicitly + call out to that shell. Exit status of 0 is treated + as live/healthy and non-zero is unhealthy. + items: + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures for the probe + to be considered failed after having succeeded. Defaults + to 3. Minimum value is 1. + format: int32 + type: integer + guestAgentPing: + description: GuestAgentPing contacts the qemu-guest-agent + for availability checks. + type: object + httpGet: + description: HTTPGet specifies the http request to perform. + properties: + host: + description: Host name to connect to, defaults to + the pod IP. You probably want to set "Host" in httpHeaders + instead. + type: string + httpHeaders: + description: Custom headers to set in the request. + HTTP allows repeated headers. + items: + description: HTTPHeader describes a custom header + to be used in HTTP probes + properties: + name: + description: The header field name + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port to access + on the container. 
Number must be in the range 1 + to 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting to the host. + Defaults to HTTP. + type: string + required: + - port + type: object + initialDelaySeconds: + description: 'Number of seconds after the VirtualMachineInstance + has started before liveness probes are initiated. More + info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform the probe. + Default to 10 seconds. Minimum value is 1. + format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes for the probe + to be considered successful after having failed. Defaults + to 1. Must be 1 for liveness. Minimum value is 1. + format: int32 + type: integer + tcpSocket: + description: 'TCPSocket specifies an action involving + a TCP port. TCP hooks not yet supported TODO: implement + a realistic TCP lifecycle hook' + properties: + host: + description: 'Optional: Host name to connect to, defaults + to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port to access + on the container. Number must be in the range 1 + to 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + timeoutSeconds: + description: 'Number of seconds after which the probe + times out. For exec probes the timeout fails the probe + but does not terminate the command running on the guest. + This means a blocking command can result in an increasing + load on the guest. A small buffer will be added to the + resulting workload exec probe to compensate for delays + caused by the qemu guest exec mechanism. Defaults to + 1 second. Minimum value is 1. 
More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + type: object + schedulerName: + description: If specified, the VMI will be dispatched by specified + scheduler. If not specified, the VMI will be dispatched + by default scheduler. + type: string + startStrategy: + description: StartStrategy can be set to "Paused" if Virtual + Machine should be started in paused state. + type: string + subdomain: + description: If specified, the fully qualified vmi hostname + will be "...svc.". If not specified, the vmi will not have a domainname + at all. The DNS entry will resolve to the vmi, no matter + if the vmi itself can pick up a hostname. + type: string + terminationGracePeriodSeconds: + description: Grace period observed after signalling a VirtualMachineInstance + to stop after which the VirtualMachineInstance is force + terminated. + format: int64 + type: integer + tolerations: + description: If toleration is specified, obey all the toleration + rules. + items: + description: The pod this Toleration is attached to tolerates + any taint that matches the triple using + the matching operator . + properties: + effect: + description: Effect indicates the taint effect to match. + Empty means match all taint effects. When specified, + allowed values are NoSchedule, PreferNoSchedule and + NoExecute. + type: string + key: + description: Key is the taint key that the toleration + applies to. Empty means match all taint keys. If the + key is empty, operator must be Exists; this combination + means to match all values and all keys. + type: string + operator: + description: Operator represents a key's relationship + to the value. Valid operators are Exists and Equal. + Defaults to Equal. Exists is equivalent to wildcard + for value, so that a pod can tolerate all taints of + a particular category. 
+ type: string + tolerationSeconds: + description: TolerationSeconds represents the period + of time the toleration (which must be of effect NoExecute, + otherwise this field is ignored) tolerates the taint. + By default, it is not set, which means tolerate the + taint forever (do not evict). Zero and negative values + will be treated as 0 (evict immediately) by the system. + format: int64 + type: integer + value: + description: Value is the taint value the toleration + matches to. If the operator is Exists, the value should + be empty, otherwise just a regular string. + type: string + type: object + type: array + topologySpreadConstraints: + description: TopologySpreadConstraints describes how a group + of VMIs will be spread across a given topology domains. + K8s scheduler will schedule VMI pods in a way which abides + by the constraints. + items: + description: TopologySpreadConstraint specifies how to spread + matching pods among the given topology. + properties: + labelSelector: + description: LabelSelector is used to find matching + pods. Pods that match this label selector are counted + to determine the number of pods in their corresponding + topology domain. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If the + operator is Exists or DoesNotExist, the + values array must be empty. 
This array is + replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". The + requirements are ANDed. + type: object + type: object + maxSkew: + description: 'MaxSkew describes the degree to which + pods may be unevenly distributed. When ''whenUnsatisfiable=DoNotSchedule'', + it is the maximum permitted difference between the + number of matching pods in the target topology and + the global minimum. For example, in a 3-zone cluster, + MaxSkew is set to 1, and pods with the same labelSelector + spread as 1/1/0: | zone1 | zone2 | zone3 | | P | P | | + - if MaxSkew is 1, incoming pod can only be scheduled + to zone3 to become 1/1/1; scheduling it onto zone1(zone2) + would make the ActualSkew(2-0) on zone1(zone2) violate + MaxSkew(1). - if MaxSkew is 2, incoming pod can be + scheduled onto any zone. When ''whenUnsatisfiable=ScheduleAnyway'', + it is used to give higher precedence to topologies + that satisfy it. It''s a required field. Default value + is 1 and 0 is not allowed.' + format: int32 + type: integer + topologyKey: + description: TopologyKey is the key of node labels. + Nodes that have a label with this key and identical + values are considered to be in the same topology. + We consider each as a "bucket", and try + to put balanced number of pods into each bucket. It's + a required field. + type: string + whenUnsatisfiable: + description: 'WhenUnsatisfiable indicates how to deal + with a pod if it doesn''t satisfy the spread constraint. + - DoNotSchedule (default) tells the scheduler not + to schedule it. 
- ScheduleAnyway tells the scheduler + to schedule the pod in any location, but giving + higher precedence to topologies that would help reduce + the skew. A constraint is considered "Unsatisfiable" + for an incoming pod if and only if every possible + node assignment for that pod would violate "MaxSkew" + on some topology. For example, in a 3-zone cluster, + MaxSkew is set to 1, and pods with the same labelSelector + spread as 3/1/1: | zone1 | zone2 | zone3 | | P P P + | P | P | If WhenUnsatisfiable is set to DoNotSchedule, + incoming pod can only be scheduled to zone2(zone3) + to become 3/2/1(3/1/2) as ActualSkew(2-1) on zone2(zone3) + satisfies MaxSkew(1). In other words, the cluster + can still be imbalanced, but scheduler won''t make + it *more* imbalanced. It''s a required field.' + type: string + required: + - maxSkew + - topologyKey + - whenUnsatisfiable + type: object + type: array + x-kubernetes-list-map-keys: + - topologyKey + - whenUnsatisfiable + x-kubernetes-list-type: map + volumes: + description: List of volumes that can be mounted by disks + belonging to the vmi. + items: + description: Volume represents a named volume in a vmi. + properties: + cloudInitConfigDrive: + description: 'CloudInitConfigDrive represents a cloud-init + Config Drive user-data source. The Config Drive data + will be added as a disk to the vmi. A proper cloud-init + installation is required inside the guest. More info: + https://cloudinit.readthedocs.io/en/latest/topics/datasources/configdrive.html' + properties: + networkData: + description: NetworkData contains config drive inline + cloud-init networkdata. + type: string + networkDataBase64: + description: NetworkDataBase64 contains config drive + cloud-init networkdata as a base64 encoded string. + type: string + networkDataSecretRef: + description: NetworkDataSecretRef references a k8s + secret that contains config drive networkdata. + properties: + name: + description: 'Name of the referent. 
More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + type: object + secretRef: + description: UserDataSecretRef references a k8s + secret that contains config drive userdata. + properties: + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + type: object + userData: + description: UserData contains config drive inline + cloud-init userdata. + type: string + userDataBase64: + description: UserDataBase64 contains config drive + cloud-init userdata as a base64 encoded string. + type: string + type: object + cloudInitNoCloud: + description: 'CloudInitNoCloud represents a cloud-init + NoCloud user-data source. The NoCloud data will be + added as a disk to the vmi. A proper cloud-init installation + is required inside the guest. More info: http://cloudinit.readthedocs.io/en/latest/topics/datasources/nocloud.html' + properties: + networkData: + description: NetworkData contains NoCloud inline + cloud-init networkdata. + type: string + networkDataBase64: + description: NetworkDataBase64 contains NoCloud + cloud-init networkdata as a base64 encoded string. + type: string + networkDataSecretRef: + description: NetworkDataSecretRef references a k8s + secret that contains NoCloud networkdata. + properties: + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + type: object + secretRef: + description: UserDataSecretRef references a k8s + secret that contains NoCloud userdata. + properties: + name: + description: 'Name of the referent. 
More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + type: object + userData: + description: UserData contains NoCloud inline cloud-init + userdata. + type: string + userDataBase64: + description: UserDataBase64 contains NoCloud cloud-init + userdata as a base64 encoded string. + type: string + type: object + configMap: + description: 'ConfigMapSource represents a reference + to a ConfigMap in the same namespace. More info: https://kubernetes.io/docs/tasks/configure-pod-container/configure-pod-configmap/' + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + optional: + description: Specify whether the ConfigMap or it's + keys must be defined + type: boolean + volumeLabel: + description: The volume label of the resulting disk + inside the VMI. Different bootstrapping mechanisms + require different values. Typical values are "cidata" + (cloud-init), "config-2" (cloud-init) or "OEMDRV" + (kickstart). + type: string + type: object + containerDisk: + description: 'ContainerDisk references a docker image, + embedding a qcow or raw disk. More info: https://kubevirt.gitbooks.io/user-guide/registry-disk.html' + properties: + image: + description: Image is the name of the image with + the embedded disk. + type: string + imagePullPolicy: + description: 'Image pull policy. One of Always, + Never, IfNotPresent. Defaults to Always if :latest + tag is specified, or IfNotPresent otherwise. Cannot + be updated. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images' + type: string + imagePullSecret: + description: ImagePullSecret is the name of the + Docker registry secret required to pull the image. + The secret must already exist. 
+ type: string + path: + description: Path defines the path to disk file + in the container + type: string + required: + - image + type: object + dataVolume: + description: DataVolume represents the dynamic creation + a PVC for this volume as well as the process of populating + that PVC with a disk image. + properties: + hotpluggable: + description: Hotpluggable indicates whether the + volume can be hotplugged and hotunplugged. + type: boolean + name: + description: Name of both the DataVolume and the + PVC in the same namespace. After PVC population + the DataVolume is garbage collected by default. + type: string + required: + - name + type: object + downwardAPI: + description: DownwardAPI represents downward API about + the pod that should populate this volume + properties: + fields: + description: Fields is a list of downward API volume + file + items: + description: DownwardAPIVolumeFile represents + information to create the file containing the + pod field + properties: + fieldRef: + description: 'Required: Selects a field of + the pod: only annotations, labels, name + and namespace are supported.' + properties: + apiVersion: + description: Version of the schema the + FieldPath is written in terms of, defaults + to "v1". + type: string + fieldPath: + description: Path of the field to select + in the specified API version. + type: string + required: + - fieldPath + type: object + mode: + description: 'Optional: mode bits used to + set permissions on this file, must be an + octal value between 0000 and 0777 or a decimal + value between 0 and 511. YAML accepts both + octal and decimal values, JSON requires + decimal values for mode bits. If not specified, + the volume defaultMode will be used. This + might be in conflict with other options + that affect the file mode, like fsGroup, + and the result can be other mode bits set.' + format: int32 + type: integer + path: + description: 'Required: Path is the relative + path name of the file to be created. 
Must + not be absolute or contain the ''..'' path. + Must be utf-8 encoded. The first item of + the relative path must not start with ''..''' + type: string + resourceFieldRef: + description: 'Selects a resource of the container: + only resources limits and requests (limits.cpu, + limits.memory, requests.cpu and requests.memory) + are currently supported.' + properties: + containerName: + description: 'Container name: required + for volumes, optional for env vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies the output format + of the exposed resources, defaults to + "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource to select' + type: string + required: + - resource + type: object + required: + - path + type: object + type: array + volumeLabel: + description: The volume label of the resulting disk + inside the VMI. Different bootstrapping mechanisms + require different values. Typical values are "cidata" + (cloud-init), "config-2" (cloud-init) or "OEMDRV" + (kickstart). + type: string + type: object + downwardMetrics: + description: DownwardMetrics adds a very small disk + to VMIs which contains a limited view of host and + guest metrics. The disk content is compatible with + vhostmd (https://github.com/vhostmd/vhostmd) and vm-dump-metrics. + type: object + emptyDisk: + description: 'EmptyDisk represents a temporary disk + which shares the vmis lifecycle. More info: https://kubevirt.gitbooks.io/user-guide/disks-and-volumes.html' + properties: + capacity: + anyOf: + - type: integer + - type: string + description: Capacity of the sparse disk. 
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + required: + - capacity + type: object + ephemeral: + description: Ephemeral is a special volume source that + "wraps" specified source and provides copy-on-write + image on top of it. + properties: + persistentVolumeClaim: + description: 'PersistentVolumeClaimVolumeSource + represents a reference to a PersistentVolumeClaim + in the same namespace. Directly attached to the + vmi via qemu. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims' + properties: + claimName: + description: 'ClaimName is the name of a PersistentVolumeClaim + in the same namespace as the pod using this + volume. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims' + type: string + readOnly: + description: Will force the ReadOnly setting + in VolumeMounts. Default false. 
+ type: boolean + required: + - claimName + type: object + type: object + hostDisk: + description: HostDisk represents a disk created on the + cluster level + properties: + capacity: + anyOf: + - type: integer + - type: string + description: Capacity of the sparse disk + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + path: + description: The path to HostDisk image located + on the cluster + type: string + shared: + description: Shared indicate whether the path is + shared between nodes + type: boolean + type: + description: Contains information if disk.img exists + or should be created allowed options are 'Disk' + and 'DiskOrCreate' + type: string + required: + - path + - type + type: object + memoryDump: + description: MemoryDump is attached to the virt launcher + and is populated with a memory dump of the vmi + properties: + claimName: + description: 'ClaimName is the name of a PersistentVolumeClaim + in the same namespace as the pod using this volume. + More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims' + type: string + hotpluggable: + description: Hotpluggable indicates whether the + volume can be hotplugged and hotunplugged. + type: boolean + readOnly: + description: Will force the ReadOnly setting in + VolumeMounts. Default false. + type: boolean + required: + - claimName + type: object + name: + description: 'Volume''s name. Must be a DNS_LABEL and + unique within the vmi. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + persistentVolumeClaim: + description: 'PersistentVolumeClaimVolumeSource represents + a reference to a PersistentVolumeClaim in the same + namespace. Directly attached to the vmi via qemu. 
+ More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims' + properties: + claimName: + description: 'ClaimName is the name of a PersistentVolumeClaim + in the same namespace as the pod using this volume. + More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims' + type: string + hotpluggable: + description: Hotpluggable indicates whether the + volume can be hotplugged and hotunplugged. + type: boolean + readOnly: + description: Will force the ReadOnly setting in + VolumeMounts. Default false. + type: boolean + required: + - claimName + type: object + secret: + description: 'SecretVolumeSource represents a reference + to a secret data in the same namespace. More info: + https://kubernetes.io/docs/concepts/configuration/secret/' + properties: + optional: + description: Specify whether the Secret or it's + keys must be defined + type: boolean + secretName: + description: 'Name of the secret in the pod''s namespace + to use. More info: https://kubernetes.io/docs/concepts/storage/volumes#secret' + type: string + volumeLabel: + description: The volume label of the resulting disk + inside the VMI. Different bootstrapping mechanisms + require different values. Typical values are "cidata" + (cloud-init), "config-2" (cloud-init) or "OEMDRV" + (kickstart). + type: string + type: object + serviceAccount: + description: 'ServiceAccountVolumeSource represents + a reference to a service account. There can only be + one volume of this type! More info: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/' + properties: + serviceAccountName: + description: 'Name of the service account in the + pod''s namespace to use. More info: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/' + type: string + type: object + sysprep: + description: Represents a Sysprep volume source. 
+ properties: + configMap: + description: ConfigMap references a ConfigMap that + contains Sysprep answer file named autounattend.xml + that should be attached as disk of CDROM type. + properties: + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + type: object + secret: + description: Secret references a k8s Secret that + contains Sysprep answer file named autounattend.xml + that should be attached as disk of CDROM type. + properties: + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + type: object + type: object + required: + - name + type: object + type: array + required: + - domain + type: object + type: object + required: + - template + type: object + status: + description: Status holds the current state of the controller and brief + information about its associated VirtualMachineInstance + properties: + conditions: + description: Hold the state information of the VirtualMachine and + its VirtualMachineInstance + items: + description: VirtualMachineCondition represents the state of VirtualMachine + properties: + lastProbeTime: + format: date-time + nullable: true + type: string + lastTransitionTime: + format: date-time + nullable: true + type: string + message: + type: string + reason: + type: string + status: + type: string + type: + type: string + required: + - status + - type + type: object + type: array + created: + description: Created indicates if the virtual machine is created in + the cluster + type: boolean + memoryDumpRequest: + description: MemoryDumpRequest tracks memory dump request phase and + info of getting a memory dump to the given pvc + nullable: true + properties: + claimName: + description: ClaimName is the name of the 
pvc that will contain + the memory dump + type: string + endTimestamp: + description: EndTimestamp represents the time the memory dump + was completed + format: date-time + type: string + fileName: + description: FileName represents the name of the output file + type: string + message: + description: Message is a detailed message about failure of the + memory dump + type: string + phase: + description: Phase represents the memory dump phase + type: string + remove: + description: Remove represents request of dissociating the memory + dump pvc + type: boolean + startTimestamp: + description: StartTimestamp represents the time the memory dump + started + format: date-time + type: string + required: + - claimName + - phase + type: object + printableStatus: + description: PrintableStatus is a human readable, high-level representation + of the status of the virtual machine + type: string + ready: + description: Ready indicates if the virtual machine is running and + ready + type: boolean + restoreInProgress: + description: RestoreInProgress is the name of the VirtualMachineRestore + currently executing + type: string + snapshotInProgress: + description: SnapshotInProgress is the name of the VirtualMachineSnapshot + currently executing + type: string + startFailure: + description: StartFailure tracks consecutive VMI startup failures + for the purposes of crash loop backoffs + nullable: true + properties: + consecutiveFailCount: + type: integer + lastFailedVMIUID: + description: UID is a type that holds unique ID values, including + UUIDs. Because we don't ONLY use UUIDs, this is an alias to + string. Being a type captures intent and helps make sure that + UIDs and names do not get conflated. + type: string + retryAfterTimestamp: + format: date-time + type: string + type: object + stateChangeRequests: + description: StateChangeRequests indicates a list of actions that + should be taken on a VMI e.g. stop a specific VMI then start a new + one. 
+ items: + properties: + action: + description: Indicates the type of action that is requested. + e.g. Start or Stop + type: string + data: + additionalProperties: + type: string + description: Provides additional data in order to perform the + Action + type: object + uid: + description: Indicates the UUID of an existing Virtual Machine + Instance that this change request applies to -- if applicable + type: string + required: + - action + type: object + type: array + volumeRequests: + description: VolumeRequests indicates a list of volumes add or remove + from the VMI template and hotplug on an active running VMI. + items: + properties: + addVolumeOptions: + description: AddVolumeOptions when set indicates a volume should + be added. The details within this field specify how to add + the volume + properties: + disk: + description: Disk represents the hotplug disk that will + be plugged into the running VMI + properties: + blockSize: + description: If specified, the virtual disk will be + presented with the given block sizes. + properties: + custom: + description: CustomBlockSize represents the desired + logical and physical block size for a VM disk. + properties: + logical: + type: integer + physical: + type: integer + required: + - logical + - physical + type: object + matchVolume: + description: Represents if a feature is enabled + or disabled. + properties: + enabled: + description: Enabled determines if the feature + should be enabled or disabled on the guest. + Defaults to true. + type: boolean + type: object + type: object + bootOrder: + description: BootOrder is an integer value > 0, used + to determine ordering of boot devices. Lower values + take precedence. Each disk or interface that has a + boot order must have a unique value. Disks without + a boot order are not tried if a disk with a boot order + exists. + type: integer + cache: + description: 'Cache specifies which kvm disk cache mode + should be used. 
Supported values are: CacheNone, CacheWriteThrough.' + type: string + cdrom: + description: Attach a volume as a cdrom to the vmi. + properties: + bus: + description: 'Bus indicates the type of disk device + to emulate. supported values: virtio, sata, scsi.' + type: string + readonly: + description: ReadOnly. Defaults to true. + type: boolean + tray: + description: Tray indicates if the tray of the device + is open or closed. Allowed values are "open" and + "closed". Defaults to closed. + type: string + type: object + dedicatedIOThread: + description: dedicatedIOThread indicates this disk should + have an exclusive IO Thread. Enabling this implies + useIOThreads = true. Defaults to false. + type: boolean + disk: + description: Attach a volume as a disk to the vmi. + properties: + bus: + description: 'Bus indicates the type of disk device + to emulate. supported values: virtio, sata, scsi, + usb.' + type: string + pciAddress: + description: 'If specified, the virtual disk will + be placed on the guests pci address with the specified + PCI address. For example: 0000:81:01.10' + type: string + readonly: + description: ReadOnly. Defaults to false. + type: boolean + type: object + io: + description: 'IO specifies which QEMU disk IO mode should + be used. Supported values are: native, default, threads.' + type: string + lun: + description: Attach a volume as a LUN to the vmi. + properties: + bus: + description: 'Bus indicates the type of disk device + to emulate. supported values: virtio, sata, scsi.' + type: string + readonly: + description: ReadOnly. Defaults to false. + type: boolean + type: object + name: + description: Name is the device name + type: string + serial: + description: Serial provides the ability to specify + a serial number for the disk device. 
+ type: string + shareable: + description: If specified the disk is made sharable + and multiple write from different VMs are permitted + type: boolean + tag: + description: If specified, disk address and its tag + will be provided to the guest via config drive metadata + type: string + required: + - name + type: object + dryRun: + description: 'When present, indicates that modifications + should not be persisted. An invalid or unrecognized dryRun + directive will result in an error response and no further + processing of the request. Valid values are: - All: all + dry run stages will be processed' + items: + type: string + type: array + x-kubernetes-list-type: atomic + name: + description: Name represents the name that will be used + to map the disk to the corresponding volume. This overrides + any name set inside the Disk struct itself. + type: string + volumeSource: + description: VolumeSource represents the source of the volume + to map to the disk. + properties: + dataVolume: + description: DataVolume represents the dynamic creation + a PVC for this volume as well as the process of populating + that PVC with a disk image. + properties: + hotpluggable: + description: Hotpluggable indicates whether the + volume can be hotplugged and hotunplugged. + type: boolean + name: + description: Name of both the DataVolume and the + PVC in the same namespace. After PVC population + the DataVolume is garbage collected by default. + type: string + required: + - name + type: object + persistentVolumeClaim: + description: 'PersistentVolumeClaimVolumeSource represents + a reference to a PersistentVolumeClaim in the same + namespace. Directly attached to the vmi via qemu. + More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims' + properties: + claimName: + description: 'ClaimName is the name of a PersistentVolumeClaim + in the same namespace as the pod using this volume. 
+ More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims' + type: string + hotpluggable: + description: Hotpluggable indicates whether the + volume can be hotplugged and hotunplugged. + type: boolean + readOnly: + description: Will force the ReadOnly setting in + VolumeMounts. Default false. + type: boolean + required: + - claimName + type: object + type: object + required: + - disk + - name + - volumeSource + type: object + removeVolumeOptions: + description: RemoveVolumeOptions when set indicates a volume + should be removed. The details within this field specify how + to add the volume + properties: + dryRun: + description: 'When present, indicates that modifications + should not be persisted. An invalid or unrecognized dryRun + directive will result in an error response and no further + processing of the request. Valid values are: - All: all + dry run stages will be processed' + items: + type: string + type: array + x-kubernetes-list-type: atomic + name: + description: Name represents the name that maps to both + the disk and volume that should be removed + type: string + required: + - name + type: object + type: object + type: array + x-kubernetes-list-type: atomic + volumeSnapshotStatuses: + description: VolumeSnapshotStatuses indicates a list of statuses whether + snapshotting is supported by each volume. 
+ items: + properties: + enabled: + description: True if the volume supports snapshotting + type: boolean + name: + description: Volume name + type: string + reason: + description: Empty if snapshotting is enabled, contains reason + otherwise + type: string + required: + - enabled + - name + type: object + type: array + type: object + required: + - spec + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - description: Human Readable Status + jsonPath: .status.printableStatus + name: Status + type: string + - jsonPath: .status.conditions[?(@.type=='Ready')].status + name: Ready + type: string + name: v1alpha3 + schema: + openAPIV3Schema: + description: VirtualMachine handles the VirtualMachines that are not running + or are in a stopped state The VirtualMachine contains the template to create + the VirtualMachineInstance. It also mirrors the running state of the created + VirtualMachineInstance in its status. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec contains the specification of VirtualMachineInstance + created + properties: + dataVolumeTemplates: + description: dataVolumeTemplates is a list of dataVolumes that the + VirtualMachineInstance template can reference. DataVolumes in this + list are dynamically created for the VirtualMachine and are tied + to the VirtualMachine's life-cycle. + items: + nullable: true + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this + representation of an object. Servers should convert recognized + schemas to the latest internal value, and may reject unrecognized + values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource + this object represents. Servers may infer this from the endpoint + the client submits requests to. Cannot be updated. In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + nullable: true + type: object + x-kubernetes-preserve-unknown-fields: true + spec: + description: DataVolumeSpec contains the DataVolume specification. + properties: + checkpoints: + description: Checkpoints is a list of DataVolumeCheckpoints, + representing stages in a multistage import. + items: + description: DataVolumeCheckpoint defines a stage in a + warm migration. + properties: + current: + description: Current is the identifier of the snapshot + created for this checkpoint. + type: string + previous: + description: Previous is the identifier of the snapshot + from the previous checkpoint. 
+ type: string + required: + - current + - previous + type: object + type: array + contentType: + description: 'DataVolumeContentType options: "kubevirt", + "archive"' + enum: + - kubevirt + - archive + type: string + finalCheckpoint: + description: FinalCheckpoint indicates whether the current + DataVolumeCheckpoint is the final checkpoint. + type: boolean + preallocation: + description: Preallocation controls whether storage for + DataVolumes should be allocated in advance. + type: boolean + priorityClassName: + description: PriorityClassName for Importer, Cloner and + Uploader pod + type: string + pvc: + description: PVC is the PVC specification + properties: + accessModes: + description: 'AccessModes contains the desired access + modes the volume should have. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1' + items: + type: string + type: array + dataSource: + description: 'This field can be used to specify either: + * An existing VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot) + * An existing PVC (PersistentVolumeClaim) If the provisioner + or an external controller can support the specified + data source, it will create a new volume based on + the contents of the specified data source. If the + AnyVolumeDataSource feature gate is enabled, this + field will always have the same contents as the DataSourceRef + field.' + properties: + apiGroup: + description: APIGroup is the group for the resource + being referenced. If APIGroup is not specified, + the specified Kind must be in the core API group. + For any other third-party types, APIGroup is required. 
+ type: string + kind: + description: Kind is the type of resource being + referenced + type: string + name: + description: Name is the name of resource being + referenced + type: string + required: + - kind + - name + type: object + dataSourceRef: + description: 'Specifies the object from which to populate + the volume with data, if a non-empty volume is desired. + This may be any local object from a non-empty API + group (non core object) or a PersistentVolumeClaim + object. When this field is specified, volume binding + will only succeed if the type of the specified object + matches some installed volume populator or dynamic + provisioner. This field will replace the functionality + of the DataSource field and as such if both fields + are non-empty, they must have the same value. For + backwards compatibility, both fields (DataSource and + DataSourceRef) will be set to the same value automatically + if one of them is empty and the other is non-empty. + There are two important differences between DataSource + and DataSourceRef: * While DataSource only allows + two specific types of objects, DataSourceRef allows + any non-core object, as well as PersistentVolumeClaim + objects. * While DataSource ignores disallowed values + (dropping them), DataSourceRef preserves all values, + and generates an error if a disallowed value is specified. + (Alpha) Using this field requires the AnyVolumeDataSource + feature gate to be enabled.' + properties: + apiGroup: + description: APIGroup is the group for the resource + being referenced. If APIGroup is not specified, + the specified Kind must be in the core API group. + For any other third-party types, APIGroup is required. 
+ type: string + kind: + description: Kind is the type of resource being + referenced + type: string + name: + description: Name is the name of resource being + referenced + type: string + required: + - kind + - name + type: object + resources: + description: 'Resources represents the minimum resources + the volume should have. If RecoverVolumeExpansionFailure + feature is enabled users are allowed to specify resource + requirements that are lower than previous value but + must still be higher than capacity recorded in the + status field of the claim. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources' + properties: + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Limits describes the maximum amount + of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Requests describes the minimum amount + of compute resources required. If Requests is + omitted for a container, it defaults to Limits + if that is explicitly specified, otherwise to + an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + type: object + selector: + description: A label query over volumes to consider + for binding. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. 
+ items: + description: A label selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If the + operator is Exists or DoesNotExist, the + values array must be empty. This array is + replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". The + requirements are ANDed. + type: object + type: object + storageClassName: + description: 'Name of the StorageClass required by the + claim. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1' + type: string + volumeMode: + description: volumeMode defines what type of volume + is required by the claim. Value of Filesystem is implied + when not included in claim spec. + type: string + volumeName: + description: VolumeName is the binding reference to + the PersistentVolume backing this claim. 
+ type: string + type: object + source: + description: Source is the src of the data for the requested + DataVolume + properties: + blank: + description: DataVolumeBlankImage provides the parameters + to create a new raw blank image for the PVC + type: object + http: + description: DataVolumeSourceHTTP can be either an http + or https endpoint, with an optional basic auth user + name and password, and an optional configmap containing + additional CAs + properties: + certConfigMap: + description: CertConfigMap is a configmap reference, + containing a Certificate Authority(CA) public + key, and a base64 encoded pem certificate + type: string + extraHeaders: + description: ExtraHeaders is a list of strings containing + extra headers to include with HTTP transfer requests + items: + type: string + type: array + secretExtraHeaders: + description: SecretExtraHeaders is a list of Secret + references, each containing an extra HTTP header + that may include sensitive information + items: + type: string + type: array + secretRef: + description: SecretRef A Secret reference, the secret + should contain accessKeyId (user name) base64 + encoded, and secretKey (password) also base64 + encoded + type: string + url: + description: URL is the URL of the http(s) endpoint + type: string + required: + - url + type: object + imageio: + description: DataVolumeSourceImageIO provides the parameters + to create a Data Volume from an imageio source + properties: + certConfigMap: + description: CertConfigMap provides a reference + to the CA cert + type: string + diskId: + description: DiskID provides id of a disk to be + imported + type: string + secretRef: + description: SecretRef provides the secret reference + needed to access the ovirt-engine + type: string + url: + description: URL is the URL of the ovirt-engine + type: string + required: + - diskId + - url + type: object + pvc: + description: DataVolumeSourcePVC provides the parameters + to create a Data Volume from an existing PVC + 
properties: + name: + description: The name of the source PVC + type: string + namespace: + description: The namespace of the source PVC + type: string + required: + - name + - namespace + type: object + registry: + description: DataVolumeSourceRegistry provides the parameters + to create a Data Volume from an registry source + properties: + certConfigMap: + description: CertConfigMap provides a reference + to the Registry certs + type: string + imageStream: + description: ImageStream is the name of image stream + for import + type: string + pullMethod: + description: PullMethod can be either "pod" (default + import), or "node" (node docker cache based import) + type: string + secretRef: + description: SecretRef provides the secret reference + needed to access the Registry source + type: string + url: + description: 'URL is the url of the registry source + (starting with the scheme: docker, oci-archive)' + type: string + type: object + s3: + description: DataVolumeSourceS3 provides the parameters + to create a Data Volume from an S3 source + properties: + certConfigMap: + description: CertConfigMap is a configmap reference, + containing a Certificate Authority(CA) public + key, and a base64 encoded pem certificate + type: string + secretRef: + description: SecretRef provides the secret reference + needed to access the S3 source + type: string + url: + description: URL is the url of the S3 source + type: string + required: + - url + type: object + upload: + description: DataVolumeSourceUpload provides the parameters + to create a Data Volume by uploading the source + type: object + vddk: + description: DataVolumeSourceVDDK provides the parameters + to create a Data Volume from a Vmware source + properties: + backingFile: + description: BackingFile is the path to the virtual + hard disk to migrate from vCenter/ESXi + type: string + initImageURL: + description: InitImageURL is an optional URL to + an image containing an extracted VDDK library, + overrides v2v-vmware 
config map + type: string + secretRef: + description: SecretRef provides a reference to a + secret containing the username and password needed + to access the vCenter or ESXi host + type: string + thumbprint: + description: Thumbprint is the certificate thumbprint + of the vCenter or ESXi host + type: string + url: + description: URL is the URL of the vCenter or ESXi + host with the VM to migrate + type: string + uuid: + description: UUID is the UUID of the virtual machine + that the backing file is attached to in vCenter/ESXi + type: string + type: object + type: object + sourceRef: + description: SourceRef is an indirect reference to the source + of data for the requested DataVolume + properties: + kind: + description: The kind of the source reference, currently + only "DataSource" is supported + type: string + name: + description: The name of the source reference + type: string + namespace: + description: The namespace of the source reference, + defaults to the DataVolume namespace + type: string + required: + - kind + - name + type: object + storage: + description: Storage is the requested storage specification + properties: + accessModes: + description: 'AccessModes contains the desired access + modes the volume should have. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1' + items: + type: string + type: array + dataSource: + description: 'This field can be used to specify either: + * An existing VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot) + * An existing PVC (PersistentVolumeClaim) * An existing + custom resource that implements data population (Alpha) + In order to use custom resource types that implement + data population, the AnyVolumeDataSource feature gate + must be enabled. If the provisioner or an external + controller can support the specified data source, + it will create a new volume based on the contents + of the specified data source.' 
+ properties: + apiGroup: + description: APIGroup is the group for the resource + being referenced. If APIGroup is not specified, + the specified Kind must be in the core API group. + For any other third-party types, APIGroup is required. + type: string + kind: + description: Kind is the type of resource being + referenced + type: string + name: + description: Name is the name of resource being + referenced + type: string + required: + - kind + - name + type: object + resources: + description: 'Resources represents the minimum resources + the volume should have. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources' + properties: + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Limits describes the maximum amount + of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Requests describes the minimum amount + of compute resources required. If Requests is + omitted for a container, it defaults to Limits + if that is explicitly specified, otherwise to + an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + type: object + selector: + description: A label query over volumes to consider + for binding. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. 
+ items: + description: A label selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If the + operator is Exists or DoesNotExist, the + values array must be empty. This array is + replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". The + requirements are ANDed. + type: object + type: object + storageClassName: + description: 'Name of the StorageClass required by the + claim. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1' + type: string + volumeMode: + description: volumeMode defines what type of volume + is required by the claim. Value of Filesystem is implied + when not included in claim spec. + type: string + volumeName: + description: VolumeName is the binding reference to + the PersistentVolume backing this claim. + type: string + type: object + type: object + status: + description: DataVolumeTemplateDummyStatus is here simply for + backwards compatibility with a previous API. 
+ nullable: true + type: object + required: + - spec + type: object + type: array + instancetype: + description: InstancetypeMatcher references a instancetype that is + used to fill fields in Template + properties: + inferFromVolume: + description: InferFromVolume lists the name of a volume that should + be used to infer or discover the instancetype to be used through + known annotations on the underlying resource. Once applied to + the InstancetypeMatcher this field is removed. + type: string + kind: + description: 'Kind specifies which instancetype resource is referenced. + Allowed values are: "VirtualMachineInstancetype" and "VirtualMachineClusterInstancetype". + If not specified, "VirtualMachineClusterInstancetype" is used + by default.' + type: string + name: + description: Name is the name of the VirtualMachineInstancetype + or VirtualMachineClusterInstancetype + type: string + revisionName: + description: RevisionName specifies a ControllerRevision containing + a specific copy of the VirtualMachineInstancetype or VirtualMachineClusterInstancetype + to be used. This is initially captured the first time the instancetype + is applied to the VirtualMachineInstance. + type: string + type: object + preference: + description: PreferenceMatcher references a set of preference that + is used to fill fields in Template + properties: + inferFromVolume: + description: InferFromVolume lists the name of a volume that should + be used to infer or discover the preference to be used through + known annotations on the underlying resource. Once applied to + the PreferenceMatcher this field is removed. + type: string + kind: + description: 'Kind specifies which preference resource is referenced. + Allowed values are: "VirtualMachinePreference" and "VirtualMachineClusterPreference". + If not specified, "VirtualMachineClusterPreference" is used + by default.' 
+ type: string + name: + description: Name is the name of the VirtualMachinePreference + or VirtualMachineClusterPreference + type: string + revisionName: + description: RevisionName specifies a ControllerRevision containing + a specific copy of the VirtualMachinePreference or VirtualMachineClusterPreference + to be used. This is initially captured the first time the instancetype + is applied to the VirtualMachineInstance. + type: string + type: object + runStrategy: + description: Running state indicates the requested running state of + the VirtualMachineInstance mutually exclusive with Running + type: string + running: + description: Running controls whether the associatied VirtualMachineInstance + is created or not Mutually exclusive with RunStrategy + type: boolean + template: + description: Template is the direct specification of VirtualMachineInstance + properties: + metadata: + nullable: true + type: object + x-kubernetes-preserve-unknown-fields: true + spec: + description: VirtualMachineInstance Spec contains the VirtualMachineInstance + specification. + properties: + accessCredentials: + description: Specifies a set of public keys to inject into + the vm guest + items: + description: AccessCredential represents a credential source + that can be used to authorize remote access to the vm + guest Only one of its members may be specified. + properties: + sshPublicKey: + description: SSHPublicKey represents the source and + method of applying a ssh public key into a guest virtual + machine. + properties: + propagationMethod: + description: PropagationMethod represents how the + public key is injected into the vm guest. 
+ properties: + configDrive: + description: ConfigDrivePropagation means that + the ssh public keys are injected into the + VM using metadata using the configDrive cloud-init + provider + type: object + qemuGuestAgent: + description: QemuGuestAgentAccessCredentailPropagation + means ssh public keys are dynamically injected + into the vm at runtime via the qemu guest + agent. This feature requires the qemu guest + agent to be running within the guest. + properties: + users: + description: Users represents a list of + guest users that should have the ssh public + keys added to their authorized_keys file. + items: + type: string + type: array + x-kubernetes-list-type: set + required: + - users + type: object + type: object + source: + description: Source represents where the public + keys are pulled from + properties: + secret: + description: Secret means that the access credential + is pulled from a kubernetes secret + properties: + secretName: + description: SecretName represents the name + of the secret in the VMI's namespace + type: string + required: + - secretName + type: object + type: object + required: + - propagationMethod + - source + type: object + userPassword: + description: UserPassword represents the source and + method for applying a guest user's password + properties: + propagationMethod: + description: propagationMethod represents how the + user passwords are injected into the vm guest. + properties: + qemuGuestAgent: + description: QemuGuestAgentAccessCredentailPropagation + means passwords are dynamically injected into + the vm at runtime via the qemu guest agent. + This feature requires the qemu guest agent + to be running within the guest. 
+ type: object + type: object + source: + description: Source represents where the user passwords + are pulled from + properties: + secret: + description: Secret means that the access credential + is pulled from a kubernetes secret + properties: + secretName: + description: SecretName represents the name + of the secret in the VMI's namespace + type: string + required: + - secretName + type: object + type: object + required: + - propagationMethod + - source + type: object + type: object + type: array + x-kubernetes-list-type: atomic + affinity: + description: If affinity is specifies, obey all the affinity + rules + properties: + nodeAffinity: + description: Describes node affinity scheduling rules + for the pod. + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer to schedule + pods to nodes that satisfy the affinity expressions + specified by this field, but it may choose a node + that violates one or more of the expressions. The + node that is most preferred is the one with the + greatest sum of weights, i.e. for each node that + meets all of the scheduling requirements (resource + request, requiredDuringScheduling affinity expressions, + etc.), compute a sum by iterating through the elements + of this field and adding "weight" to the sum if + the node matches the corresponding matchExpressions; + the node(s) with the highest sum are the most preferred. + items: + description: An empty preferred scheduling term + matches all objects with implicit weight 0 (i.e. + it's a no-op). A null preferred scheduling term + matches no objects (i.e. is also a no-op). + properties: + preference: + description: A node selector term, associated + with the corresponding weight. + properties: + matchExpressions: + description: A list of node selector requirements + by node's labels. 
+ items: + description: A node selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: The label key that the + selector applies to. + type: string + operator: + description: Represents a key's relationship + to a set of values. Valid operators + are In, NotIn, Exists, DoesNotExist. + Gt, and Lt. + type: string + values: + description: An array of string values. + If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. + If the operator is Gt or Lt, the + values array must have a single + element, which will be interpreted + as an integer. This array is replaced + during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + description: A list of node selector requirements + by node's fields. + items: + description: A node selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: The label key that the + selector applies to. + type: string + operator: + description: Represents a key's relationship + to a set of values. Valid operators + are In, NotIn, Exists, DoesNotExist. + Gt, and Lt. + type: string + values: + description: An array of string values. + If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. + If the operator is Gt or Lt, the + values array must have a single + element, which will be interpreted + as an integer. This array is replaced + during a strategic merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + weight: + description: Weight associated with matching + the corresponding nodeSelectorTerm, in the + range 1-100. + format: int32 + type: integer + required: + - preference + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements specified + by this field are not met at scheduling time, the + pod will not be scheduled onto the node. If the + affinity requirements specified by this field cease + to be met at some point during pod execution (e.g. + due to an update), the system may or may not try + to eventually evict the pod from its node. + properties: + nodeSelectorTerms: + description: Required. A list of node selector + terms. The terms are ORed. + items: + description: A null or empty node selector term + matches no objects. The requirements of them + are ANDed. The TopologySelectorTerm type implements + a subset of the NodeSelectorTerm. + properties: + matchExpressions: + description: A list of node selector requirements + by node's labels. + items: + description: A node selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: The label key that the + selector applies to. + type: string + operator: + description: Represents a key's relationship + to a set of values. Valid operators + are In, NotIn, Exists, DoesNotExist. + Gt, and Lt. + type: string + values: + description: An array of string values. + If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. + If the operator is Gt or Lt, the + values array must have a single + element, which will be interpreted + as an integer. This array is replaced + during a strategic merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + description: A list of node selector requirements + by node's fields. + items: + description: A node selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: The label key that the + selector applies to. + type: string + operator: + description: Represents a key's relationship + to a set of values. Valid operators + are In, NotIn, Exists, DoesNotExist. + Gt, and Lt. + type: string + values: + description: An array of string values. + If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. + If the operator is Gt or Lt, the + values array must have a single + element, which will be interpreted + as an integer. This array is replaced + during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + type: array + required: + - nodeSelectorTerms + type: object + type: object + podAffinity: + description: Describes pod affinity scheduling rules (e.g. + co-locate this pod in the same node, zone, etc. as some + other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer to schedule + pods to nodes that satisfy the affinity expressions + specified by this field, but it may choose a node + that violates one or more of the expressions. The + node that is most preferred is the one with the + greatest sum of weights, i.e. 
for each node that + meets all of the scheduling requirements (resource + request, requiredDuringScheduling affinity expressions, + etc.), compute a sum by iterating through the elements + of this field and adding "weight" to the sum if + the node has pods which matches the corresponding + podAffinityTerm; the node(s) with the highest sum + are the most preferred. + items: + description: The weights of all of the matched WeightedPodAffinityTerm + fields are added per-node to find the most preferred + node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity term, + associated with the corresponding weight. + properties: + labelSelector: + description: A label query over a set of + resources, in this case pods. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: operator represents + a key's relationship to a set + of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array + of string values. If the operator + is In or NotIn, the values array + must be non-empty. If the operator + is Exists or DoesNotExist, the + values array must be empty. + This array is replaced during + a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of + {key,value} pairs. A single {key,value} + in the matchLabels map is equivalent + to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". 
The requirements are + ANDed. + type: object + type: object + namespaceSelector: + description: A label query over the set + of namespaces that the term applies to. + The term is applied to the union of the + namespaces selected by this field and + the ones listed in the namespaces field. + null selector and null or empty namespaces + list means "this pod's namespace". An + empty selector ({}) matches all namespaces. + This field is beta-level and is only honored + when PodAffinityNamespaceSelector feature + is enabled. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: operator represents + a key's relationship to a set + of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array + of string values. If the operator + is In or NotIn, the values array + must be non-empty. If the operator + is Exists or DoesNotExist, the + values array must be empty. + This array is replaced during + a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of + {key,value} pairs. A single {key,value} + in the matchLabels map is equivalent + to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are + ANDed. + type: object + type: object + namespaces: + description: namespaces specifies a static + list of namespace names that the term + applies to. 
The term is applied to the + union of the namespaces listed in this + field and the ones selected by namespaceSelector. + null or empty namespaces list and null + namespaceSelector means "this pod's namespace" + items: + type: string + type: array + topologyKey: + description: This pod should be co-located + (affinity) or not co-located (anti-affinity) + with the pods matching the labelSelector + in the specified namespaces, where co-located + is defined as running on a node whose + value of the label with key topologyKey + matches that of any node on which any + of the selected pods is running. Empty + topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: weight associated with matching + the corresponding podAffinityTerm, in the + range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements specified + by this field are not met at scheduling time, the + pod will not be scheduled onto the node. If the + affinity requirements specified by this field cease + to be met at some point during pod execution (e.g. + due to a pod label update), the system may or may + not try to eventually evict the pod from its node. + When there are multiple elements, the lists of nodes + corresponding to each podAffinityTerm are intersected, + i.e. all terms must be satisfied. + items: + description: Defines a set of pods (namely those + matching the labelSelector relative to the given + namespace(s)) that this pod should be co-located + (affinity) or not co-located (anti-affinity) with, + where co-located is defined as running on a node + whose value of the label with key + matches that of any node on which a pod of the + set of pods is running + properties: + labelSelector: + description: A label query over a set of resources, + in this case pods. 
+ properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: operator represents a + key's relationship to a set of values. + Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values is an array of + string values. If the operator is + In or NotIn, the values array must + be non-empty. If the operator is + Exists or DoesNotExist, the values + array must be empty. This array + is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + namespaceSelector: + description: A label query over the set of namespaces + that the term applies to. The term is applied + to the union of the namespaces selected by + this field and the ones listed in the namespaces + field. null selector and null or empty namespaces + list means "this pod's namespace". An empty + selector ({}) matches all namespaces. This + field is beta-level and is only honored when + PodAffinityNamespaceSelector feature is enabled. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. 
+ items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: operator represents a + key's relationship to a set of values. + Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values is an array of + string values. If the operator is + In or NotIn, the values array must + be non-empty. If the operator is + Exists or DoesNotExist, the values + array must be empty. This array + is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + namespaces: + description: namespaces specifies a static list + of namespace names that the term applies to. + The term is applied to the union of the namespaces + listed in this field and the ones selected + by namespaceSelector. null or empty namespaces + list and null namespaceSelector means "this + pod's namespace" + items: + type: string + type: array + topologyKey: + description: This pod should be co-located (affinity) + or not co-located (anti-affinity) with the + pods matching the labelSelector in the specified + namespaces, where co-located is defined as + running on a node whose value of the label + with key topologyKey matches that of any node + on which any of the selected pods is running. + Empty topologyKey is not allowed. 
+ type: string + required: + - topologyKey + type: object + type: array + type: object + podAntiAffinity: + description: Describes pod anti-affinity scheduling rules + (e.g. avoid putting this pod in the same node, zone, + etc. as some other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer to schedule + pods to nodes that satisfy the anti-affinity expressions + specified by this field, but it may choose a node + that violates one or more of the expressions. The + node that is most preferred is the one with the + greatest sum of weights, i.e. for each node that + meets all of the scheduling requirements (resource + request, requiredDuringScheduling anti-affinity + expressions, etc.), compute a sum by iterating through + the elements of this field and adding "weight" to + the sum if the node has pods which matches the corresponding + podAffinityTerm; the node(s) with the highest sum + are the most preferred. + items: + description: The weights of all of the matched WeightedPodAffinityTerm + fields are added per-node to find the most preferred + node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity term, + associated with the corresponding weight. + properties: + labelSelector: + description: A label query over a set of + resources, in this case pods. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: operator represents + a key's relationship to a set + of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array + of string values. 
If the operator + is In or NotIn, the values array + must be non-empty. If the operator + is Exists or DoesNotExist, the + values array must be empty. + This array is replaced during + a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of + {key,value} pairs. A single {key,value} + in the matchLabels map is equivalent + to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are + ANDed. + type: object + type: object + namespaceSelector: + description: A label query over the set + of namespaces that the term applies to. + The term is applied to the union of the + namespaces selected by this field and + the ones listed in the namespaces field. + null selector and null or empty namespaces + list means "this pod's namespace". An + empty selector ({}) matches all namespaces. + This field is beta-level and is only honored + when PodAffinityNamespaceSelector feature + is enabled. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: operator represents + a key's relationship to a set + of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array + of string values. If the operator + is In or NotIn, the values array + must be non-empty. If the operator + is Exists or DoesNotExist, the + values array must be empty. + This array is replaced during + a strategic merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of + {key,value} pairs. A single {key,value} + in the matchLabels map is equivalent + to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are + ANDed. + type: object + type: object + namespaces: + description: namespaces specifies a static + list of namespace names that the term + applies to. The term is applied to the + union of the namespaces listed in this + field and the ones selected by namespaceSelector. + null or empty namespaces list and null + namespaceSelector means "this pod's namespace" + items: + type: string + type: array + topologyKey: + description: This pod should be co-located + (affinity) or not co-located (anti-affinity) + with the pods matching the labelSelector + in the specified namespaces, where co-located + is defined as running on a node whose + value of the label with key topologyKey + matches that of any node on which any + of the selected pods is running. Empty + topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: weight associated with matching + the corresponding podAffinityTerm, in the + range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the anti-affinity requirements specified + by this field are not met at scheduling time, the + pod will not be scheduled onto the node. If the + anti-affinity requirements specified by this field + cease to be met at some point during pod execution + (e.g. due to a pod label update), the system may + or may not try to eventually evict the pod from + its node. 
When there are multiple elements, the + lists of nodes corresponding to each podAffinityTerm + are intersected, i.e. all terms must be satisfied. + items: + description: Defines a set of pods (namely those + matching the labelSelector relative to the given + namespace(s)) that this pod should be co-located + (affinity) or not co-located (anti-affinity) with, + where co-located is defined as running on a node + whose value of the label with key + matches that of any node on which a pod of the + set of pods is running + properties: + labelSelector: + description: A label query over a set of resources, + in this case pods. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: operator represents a + key's relationship to a set of values. + Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values is an array of + string values. If the operator is + In or NotIn, the values array must + be non-empty. If the operator is + Exists or DoesNotExist, the values + array must be empty. This array + is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are ANDed. 
+ type: object + type: object + namespaceSelector: + description: A label query over the set of namespaces + that the term applies to. The term is applied + to the union of the namespaces selected by + this field and the ones listed in the namespaces + field. null selector and null or empty namespaces + list means "this pod's namespace". An empty + selector ({}) matches all namespaces. This + field is beta-level and is only honored when + PodAffinityNamespaceSelector feature is enabled. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: operator represents a + key's relationship to a set of values. + Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values is an array of + string values. If the operator is + In or NotIn, the values array must + be non-empty. If the operator is + Exists or DoesNotExist, the values + array must be empty. This array + is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + namespaces: + description: namespaces specifies a static list + of namespace names that the term applies to. 
+ The term is applied to the union of the namespaces + listed in this field and the ones selected + by namespaceSelector. null or empty namespaces + list and null namespaceSelector means "this + pod's namespace" + items: + type: string + type: array + topologyKey: + description: This pod should be co-located (affinity) + or not co-located (anti-affinity) with the + pods matching the labelSelector in the specified + namespaces, where co-located is defined as + running on a node whose value of the label + with key topologyKey matches that of any node + on which any of the selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + type: object + type: object + dnsConfig: + description: Specifies the DNS parameters of a pod. Parameters + specified here will be merged to the generated DNS configuration + based on DNSPolicy. + properties: + nameservers: + description: A list of DNS name server IP addresses. This + will be appended to the base nameservers generated from + DNSPolicy. Duplicated nameservers will be removed. + items: + type: string + type: array + options: + description: A list of DNS resolver options. This will + be merged with the base options generated from DNSPolicy. + Duplicated entries will be removed. Resolution options + given in Options will override those that appear in + the base DNSPolicy. + items: + description: PodDNSConfigOption defines DNS resolver + options of a pod. + properties: + name: + description: Required. + type: string + value: + type: string + type: object + type: array + searches: + description: A list of DNS search domains for host-name + lookup. This will be appended to the base search paths + generated from DNSPolicy. Duplicated search paths will + be removed. + items: + type: string + type: array + type: object + dnsPolicy: + description: Set DNS policy for the pod. Defaults to "ClusterFirst". 
+ Valid values are 'ClusterFirstWithHostNet', 'ClusterFirst', + 'Default' or 'None'. DNS parameters given in DNSConfig will + be merged with the policy selected with DNSPolicy. To have + DNS options set along with hostNetwork, you have to specify + DNS policy explicitly to 'ClusterFirstWithHostNet'. + type: string + domain: + description: Specification of the desired behavior of the + VirtualMachineInstance on the host. + properties: + chassis: + description: Chassis specifies the chassis info passed + to the domain. + properties: + asset: + type: string + manufacturer: + type: string + serial: + type: string + sku: + type: string + version: + type: string + type: object + clock: + description: Clock sets the clock and timers of the vmi. + properties: + timer: + description: Timer specifies whih timers are attached + to the vmi. + properties: + hpet: + description: HPET (High Precision Event Timer) + - multiple timers with periodic interrupts. + properties: + present: + description: Enabled set to false makes sure + that the machine type or a preset can't + add the timer. Defaults to true. + type: boolean + tickPolicy: + description: TickPolicy determines what happens + when QEMU misses a deadline for injecting + a tick to the guest. One of "delay", "catchup", + "merge", "discard". + type: string + type: object + hyperv: + description: Hyperv (Hypervclock) - lets guests + read the host’s wall clock time (paravirtualized). + For windows guests. + properties: + present: + description: Enabled set to false makes sure + that the machine type or a preset can't + add the timer. Defaults to true. + type: boolean + type: object + kvm: + description: "KVM \t(KVM clock) - lets guests + read the host’s wall clock time (paravirtualized). + For linux guests." + properties: + present: + description: Enabled set to false makes sure + that the machine type or a preset can't + add the timer. Defaults to true. 
+ type: boolean + type: object + pit: + description: PIT (Programmable Interval Timer) + - a timer with periodic interrupts. + properties: + present: + description: Enabled set to false makes sure + that the machine type or a preset can't + add the timer. Defaults to true. + type: boolean + tickPolicy: + description: TickPolicy determines what happens + when QEMU misses a deadline for injecting + a tick to the guest. One of "delay", "catchup", + "discard". + type: string + type: object + rtc: + description: RTC (Real Time Clock) - a continuously + running timer with periodic interrupts. + properties: + present: + description: Enabled set to false makes sure + that the machine type or a preset can't + add the timer. Defaults to true. + type: boolean + tickPolicy: + description: TickPolicy determines what happens + when QEMU misses a deadline for injecting + a tick to the guest. One of "delay", "catchup". + type: string + track: + description: Track the guest or the wall clock. + type: string + type: object + type: object + timezone: + description: Timezone sets the guest clock to the + specified timezone. Zone name follows the TZ environment + variable format (e.g. 'America/New_York'). + type: string + utc: + description: UTC sets the guest clock to UTC on each + boot. If an offset is specified, guest changes to + the clock will be kept during reboots and are not + reset. + properties: + offsetSeconds: + description: OffsetSeconds specifies an offset + in seconds, relative to UTC. If set, guest changes + to the clock will be kept during reboots and + not reset. + type: integer + type: object + type: object + cpu: + description: CPU allow specified the detailed CPU topology + inside the vmi. + properties: + cores: + description: Cores specifies the number of cores inside + the vmi. Must be a value greater or equal 1. 
+ format: int32 + type: integer + dedicatedCpuPlacement: + description: DedicatedCPUPlacement requests the scheduler + to place the VirtualMachineInstance on a node with + enough dedicated pCPUs and pin the vCPUs to it. + type: boolean + features: + description: Features specifies the CPU features list + inside the VMI. + items: + description: CPUFeature allows specifying a CPU + feature. + properties: + name: + description: Name of the CPU feature + type: string + policy: + description: 'Policy is the CPU feature attribute + which can have the following attributes: force - + The virtual CPU will claim the feature is + supported regardless of it being supported + by host CPU. require - Guest creation will + fail unless the feature is supported by the + host CPU or the hypervisor is able to emulate + it. optional - The feature will be supported + by virtual CPU if and only if it is supported + by host CPU. disable - The feature will not + be supported by virtual CPU. forbid - Guest + creation will fail if the feature is supported + by host CPU. Defaults to require' + type: string + required: + - name + type: object + type: array + isolateEmulatorThread: + description: IsolateEmulatorThread requests one more + dedicated pCPU to be allocated for the VMI to place + the emulator thread on it. + type: boolean + model: + description: Model specifies the CPU model inside + the VMI. List of available models https://github.com/libvirt/libvirt/tree/master/src/cpu_map. + It is possible to specify special cases like "host-passthrough" + to get the same CPU as the node and "host-model" + to get CPU closest to the node one. Defaults to + host-model. + type: string + numa: + description: NUMA allows specifying settings for the + guest NUMA topology + properties: + guestMappingPassthrough: + description: GuestMappingPassthrough will create + an efficient guest topology based on host CPUs + exclusively assigned to a pod. 
The created topology + ensures that memory and CPUs on the virtual + numa nodes never cross boundaries of host numa + nodes. + type: object + type: object + realtime: + description: Realtime instructs the virt-launcher + to tune the VMI for lower latency, optional for + real time workloads + properties: + mask: + description: 'Mask defines the vcpu mask expression + that defines which vcpus are used for realtime. + Format matches libvirt''s expressions. Example: + "0-3,^1","0,2,3","2-3"' + type: string + type: object + sockets: + description: Sockets specifies the number of sockets + inside the vmi. Must be a value greater or equal + 1. + format: int32 + type: integer + threads: + description: Threads specifies the number of threads + inside the vmi. Must be a value greater or equal + 1. + format: int32 + type: integer + type: object + devices: + description: Devices allows adding disks, network interfaces, + and others + properties: + autoattachGraphicsDevice: + description: Whether to attach the default graphics + device or not. VNC will not be available if set + to false. Defaults to true. + type: boolean + autoattachInputDevice: + description: Whether to attach an Input Device. Defaults + to false. + type: boolean + autoattachMemBalloon: + description: Whether to attach the Memory balloon + device with default period. Period can be adjusted + in virt-config. Defaults to true. + type: boolean + autoattachPodInterface: + description: Whether to attach a pod network interface. + Defaults to true. + type: boolean + autoattachSerialConsole: + description: Whether to attach the default serial + console or not. Serial console access will not be + available if set to false. Defaults to true. + type: boolean + autoattachVSOCK: + description: Whether to attach the VSOCK CID to the + VM or not. VSOCK access will be available if set + to true. Defaults to false. 
+ type: boolean + blockMultiQueue: + description: Whether or not to enable virtio multi-queue + for block devices. Defaults to false. + type: boolean + clientPassthrough: + description: To configure and access client devices + such as redirecting USB + type: object + disableHotplug: + description: DisableHotplug disabled the ability to + hotplug disks. + type: boolean + disks: + description: Disks describes disks, cdroms and luns + which are connected to the vmi. + items: + properties: + blockSize: + description: If specified, the virtual disk + will be presented with the given block sizes. + properties: + custom: + description: CustomBlockSize represents + the desired logical and physical block + size for a VM disk. + properties: + logical: + type: integer + physical: + type: integer + required: + - logical + - physical + type: object + matchVolume: + description: Represents if a feature is + enabled or disabled. + properties: + enabled: + description: Enabled determines if the + feature should be enabled or disabled + on the guest. Defaults to true. + type: boolean + type: object + type: object + bootOrder: + description: BootOrder is an integer value > + 0, used to determine ordering of boot devices. + Lower values take precedence. Each disk or + interface that has a boot order must have + a unique value. Disks without a boot order + are not tried if a disk with a boot order + exists. + type: integer + cache: + description: 'Cache specifies which kvm disk + cache mode should be used. Supported values + are: CacheNone, CacheWriteThrough.' + type: string + cdrom: + description: Attach a volume as a cdrom to the + vmi. + properties: + bus: + description: 'Bus indicates the type of + disk device to emulate. supported values: + virtio, sata, scsi.' + type: string + readonly: + description: ReadOnly. Defaults to true. + type: boolean + tray: + description: Tray indicates if the tray + of the device is open or closed. Allowed + values are "open" and "closed". 
Defaults + to closed. + type: string + type: object + dedicatedIOThread: + description: dedicatedIOThread indicates this + disk should have an exclusive IO Thread. Enabling + this implies useIOThreads = true. Defaults + to false. + type: boolean + disk: + description: Attach a volume as a disk to the + vmi. + properties: + bus: + description: 'Bus indicates the type of + disk device to emulate. supported values: + virtio, sata, scsi, usb.' + type: string + pciAddress: + description: 'If specified, the virtual + disk will be placed on the guests pci + address with the specified PCI address. + For example: 0000:81:01.10' + type: string + readonly: + description: ReadOnly. Defaults to false. + type: boolean + type: object + io: + description: 'IO specifies which QEMU disk IO + mode should be used. Supported values are: + native, default, threads.' + type: string + lun: + description: Attach a volume as a LUN to the + vmi. + properties: + bus: + description: 'Bus indicates the type of + disk device to emulate. supported values: + virtio, sata, scsi.' + type: string + readonly: + description: ReadOnly. Defaults to false. + type: boolean + type: object + name: + description: Name is the device name + type: string + serial: + description: Serial provides the ability to + specify a serial number for the disk device. + type: string + shareable: + description: If specified the disk is made sharable + and multiple write from different VMs are + permitted + type: boolean + tag: + description: If specified, disk address and + its tag will be provided to the guest via + config drive metadata + type: string + required: + - name + type: object + type: array + filesystems: + description: Filesystems describes filesystem which + is connected to the vmi. 
+ items: + properties: + name: + description: Name is the device name + type: string + virtiofs: + description: Virtiofs is supported + type: object + required: + - name + - virtiofs + type: object + type: array + x-kubernetes-list-type: atomic + gpus: + description: Whether to attach a GPU device to the + vmi. + items: + properties: + deviceName: + type: string + name: + description: Name of the GPU device as exposed + by a device plugin + type: string + tag: + description: If specified, the virtual network + interface address and its tag will be provided + to the guest via config drive + type: string + virtualGPUOptions: + properties: + display: + properties: + enabled: + description: Enabled determines if a + display addapter backed by a vGPU + should be enabled or disabled on the + guest. Defaults to true. + type: boolean + ramFB: + description: Enables a boot framebuffer, + until the guest OS loads a real GPU + driver Defaults to true. + properties: + enabled: + description: Enabled determines + if the feature should be enabled + or disabled on the guest. Defaults + to true. + type: boolean + type: object + type: object + type: object + required: + - deviceName + - name + type: object + type: array + x-kubernetes-list-type: atomic + hostDevices: + description: Whether to attach a host device to the + vmi. + items: + properties: + deviceName: + description: DeviceName is the resource name + of the host device exposed by a device plugin + type: string + name: + type: string + tag: + description: If specified, the virtual network + interface address and its tag will be provided + to the guest via config drive + type: string + required: + - deviceName + - name + type: object + type: array + x-kubernetes-list-type: atomic + inputs: + description: Inputs describe input devices + items: + properties: + bus: + description: 'Bus indicates the bus of input + device to emulate. Supported values: virtio, + usb.' 
+ type: string + name: + description: Name is the device name + type: string + type: + description: 'Type indicated the type of input + device. Supported values: tablet.' + type: string + required: + - name + - type + type: object + type: array + interfaces: + description: Interfaces describe network interfaces + which are added to the vmi. + items: + properties: + acpiIndex: + description: If specified, the ACPI index is + used to provide network interface device naming, + that is stable across changes in PCI addresses + assigned to the device. This value is required + to be unique across all devices and be between + 1 and (16*1024-1). + type: integer + bootOrder: + description: BootOrder is an integer value > + 0, used to determine ordering of boot devices. + Lower values take precedence. Each interface + or disk that has a boot order must have a + unique value. Interfaces without a boot order + are not tried. + type: integer + bridge: + description: InterfaceBridge connects to a given + network via a linux bridge. + type: object + dhcpOptions: + description: If specified the network interface + will pass additional DHCP options to the VMI + properties: + bootFileName: + description: If specified will pass option + 67 to interface's DHCP server + type: string + ntpServers: + description: If specified will pass the + configured NTP server to the VM via DHCP + option 042. + items: + type: string + type: array + privateOptions: + description: 'If specified will pass extra + DHCP options for private use, range: 224-254' + items: + description: DHCPExtraOptions defines + Extra DHCP options for a VM. + properties: + option: + description: Option is an Integer + value from 224-254 Required. + type: integer + value: + description: Value is a String value + for the Option provided Required. 
+ type: string + required: + - option + - value + type: object + type: array + tftpServerName: + description: If specified will pass option + 66 to interface's DHCP server + type: string + type: object + macAddress: + description: 'Interface MAC address. For example: + de:ad:00:00:be:af or DE-AD-00-00-BE-AF.' + type: string + macvtap: + description: InterfaceMacvtap connects to a + given network by extending the Kubernetes + node's L2 networks via a macvtap interface. + type: object + masquerade: + description: InterfaceMasquerade connects to + a given network using netfilter rules to nat + the traffic. + type: object + model: + description: 'Interface model. One of: e1000, + e1000e, ne2k_pci, pcnet, rtl8139, virtio. + Defaults to virtio. TODO:(ihar) switch to + enums once opengen-api supports them. See: + https://github.com/kubernetes/kube-openapi/issues/51' + type: string + name: + description: Logical name of the interface as + well as a reference to the associated networks. + Must match the Name of a Network. + type: string + passt: + description: InterfacePasst connects to a given + network. + type: object + pciAddress: + description: 'If specified, the virtual network + interface will be placed on the guests pci + address with the specified PCI address. For + example: 0000:81:01.10' + type: string + ports: + description: List of ports to be forwarded to + the virtual machine. + items: + description: Port represents a port to expose + from the virtual machine. Default protocol + TCP. The port field is mandatory + properties: + name: + description: If specified, this must be + an IANA_SVC_NAME and unique within the + pod. Each named port in a pod must have + a unique name. Name for the port that + can be referred to by services. + type: string + port: + description: Number of port to expose + for the virtual machine. This must be + a valid port number, 0 < x < 65536. + format: int32 + type: integer + protocol: + description: Protocol for port. 
Must be + UDP or TCP. Defaults to "TCP". + type: string + required: + - port + type: object + type: array + slirp: + description: InterfaceSlirp connects to a given + network using QEMU user networking mode. + type: object + sriov: + description: InterfaceSRIOV connects to a given + network by passing-through an SR-IOV PCI device + via vfio. + type: object + tag: + description: If specified, the virtual network + interface address and its tag will be provided + to the guest via config drive + type: string + required: + - name + type: object + type: array + networkInterfaceMultiqueue: + description: If specified, virtual network interfaces + configured with a virtio bus will also enable the + vhost multiqueue feature for network devices. The + number of queues created depends on additional factors + of the VirtualMachineInstance, like the number of + guest CPUs. + type: boolean + rng: + description: Whether to have random number generator + from host + type: object + sound: + description: Whether to emulate a sound device. + properties: + model: + description: 'We only support ich9 or ac97. If + SoundDevice is not set: No sound card is emulated. + If SoundDevice is set but Model is not: ich9' + type: string + name: + description: User's defined name for this sound + device + type: string + required: + - name + type: object + tpm: + description: Whether to emulate a TPM device. + type: object + useVirtioTransitional: + description: Fall back to legacy virtio 0.9 support + if virtio bus is selected on devices. This is helpful + for old machines like CentOS6 or RHEL6 which do + not understand virtio_non_transitional (virtio 1.0). + type: boolean + watchdog: + description: Watchdog describes a watchdog device + which can be added to the vmi. + properties: + i6300esb: + description: i6300esb watchdog device. + properties: + action: + description: The action to take. Valid values + are poweroff, reset, shutdown. Defaults + to reset. 
+ type: string + type: object + name: + description: Name of the watchdog. + type: string + required: + - name + type: object + type: object + features: + description: Features like acpi, apic, hyperv, smm. + properties: + acpi: + description: ACPI enables/disables ACPI inside the + guest. Defaults to enabled. + properties: + enabled: + description: Enabled determines if the feature + should be enabled or disabled on the guest. + Defaults to true. + type: boolean + type: object + apic: + description: Defaults to the machine type setting. + properties: + enabled: + description: Enabled determines if the feature + should be enabled or disabled on the guest. + Defaults to true. + type: boolean + endOfInterrupt: + description: EndOfInterrupt enables the end of + interrupt notification in the guest. Defaults + to false. + type: boolean + type: object + hyperv: + description: Defaults to the machine type setting. + properties: + evmcs: + description: EVMCS Speeds up L2 vmexits, but disables + other virtualization features. Requires vapic. + Defaults to the machine type setting. + properties: + enabled: + description: Enabled determines if the feature + should be enabled or disabled on the guest. + Defaults to true. + type: boolean + type: object + frequencies: + description: Frequencies improves the TSC clock + source handling for Hyper-V on KVM. Defaults + to the machine type setting. + properties: + enabled: + description: Enabled determines if the feature + should be enabled or disabled on the guest. + Defaults to true. + type: boolean + type: object + ipi: + description: IPI improves performances in overcommited + environments. Requires vpindex. Defaults to + the machine type setting. + properties: + enabled: + description: Enabled determines if the feature + should be enabled or disabled on the guest. + Defaults to true. + type: boolean + type: object + reenlightenment: + description: Reenlightenment enables the notifications + on TSC frequency changes. 
Defaults to the machine + type setting. + properties: + enabled: + description: Enabled determines if the feature + should be enabled or disabled on the guest. + Defaults to true. + type: boolean + type: object + relaxed: + description: Relaxed instructs the guest OS to + disable watchdog timeouts. Defaults to the machine + type setting. + properties: + enabled: + description: Enabled determines if the feature + should be enabled or disabled on the guest. + Defaults to true. + type: boolean + type: object + reset: + description: Reset enables Hyperv reboot/reset + for the vmi. Requires synic. Defaults to the + machine type setting. + properties: + enabled: + description: Enabled determines if the feature + should be enabled or disabled on the guest. + Defaults to true. + type: boolean + type: object + runtime: + description: Runtime improves the time accounting + to improve scheduling in the guest. Defaults + to the machine type setting. + properties: + enabled: + description: Enabled determines if the feature + should be enabled or disabled on the guest. + Defaults to true. + type: boolean + type: object + spinlocks: + description: Spinlocks allows to configure the + spinlock retry attempts. + properties: + enabled: + description: Enabled determines if the feature + should be enabled or disabled on the guest. + Defaults to true. + type: boolean + spinlocks: + description: Retries indicates the number + of retries. Must be a value greater or equal + 4096. Defaults to 4096. + format: int32 + type: integer + type: object + synic: + description: SyNIC enables the Synthetic Interrupt + Controller. Defaults to the machine type setting. + properties: + enabled: + description: Enabled determines if the feature + should be enabled or disabled on the guest. + Defaults to true. + type: boolean + type: object + synictimer: + description: SyNICTimer enables Synthetic Interrupt + Controller Timers, reducing CPU load. Defaults + to the machine type setting. 
+ properties: + direct: + description: Represents if a feature is enabled + or disabled. + properties: + enabled: + description: Enabled determines if the + feature should be enabled or disabled + on the guest. Defaults to true. + type: boolean + type: object + enabled: + type: boolean + type: object + tlbflush: + description: TLBFlush improves performances in + overcommited environments. Requires vpindex. + Defaults to the machine type setting. + properties: + enabled: + description: Enabled determines if the feature + should be enabled or disabled on the guest. + Defaults to true. + type: boolean + type: object + vapic: + description: VAPIC improves the paravirtualized + handling of interrupts. Defaults to the machine + type setting. + properties: + enabled: + description: Enabled determines if the feature + should be enabled or disabled on the guest. + Defaults to true. + type: boolean + type: object + vendorid: + description: VendorID allows setting the hypervisor + vendor id. Defaults to the machine type setting. + properties: + enabled: + description: Enabled determines if the feature + should be enabled or disabled on the guest. + Defaults to true. + type: boolean + vendorid: + description: VendorID sets the hypervisor + vendor id, visible to the vmi. String up + to twelve characters. + type: string + type: object + vpindex: + description: VPIndex enables the Virtual Processor + Index to help windows identifying virtual processors. + Defaults to the machine type setting. + properties: + enabled: + description: Enabled determines if the feature + should be enabled or disabled on the guest. + Defaults to true. + type: boolean + type: object + type: object + kvm: + description: Configure how KVM presence is exposed + to the guest. + properties: + hidden: + description: Hide the KVM hypervisor from standard + MSR based discovery. 
Defaults to false + type: boolean + type: object + pvspinlock: + description: Notify the guest that the host supports + paravirtual spinlocks. For older kernels this feature + should be explicitly disabled. + properties: + enabled: + description: Enabled determines if the feature + should be enabled or disabled on the guest. + Defaults to true. + type: boolean + type: object + smm: + description: SMM enables/disables System Management + Mode. TSEG not yet implemented. + properties: + enabled: + description: Enabled determines if the feature + should be enabled or disabled on the guest. + Defaults to true. + type: boolean + type: object + type: object + firmware: + description: Firmware. + properties: + bootloader: + description: Settings to control the bootloader that + is used. + properties: + bios: + description: If set (default), BIOS will be used. + properties: + useSerial: + description: If set, the BIOS output will + be transmitted over serial + type: boolean + type: object + efi: + description: If set, EFI will be used instead + of BIOS. + properties: + secureBoot: + description: If set, SecureBoot will be enabled + and the OVMF roms will be swapped for SecureBoot-enabled + ones. Requires SMM to be enabled. Defaults + to true + type: boolean + type: object + type: object + kernelBoot: + description: Settings to set the kernel for booting. + properties: + container: + description: Container defines the container that + containes kernel artifacts + properties: + image: + description: Image that contains initrd / + kernel files. + type: string + imagePullPolicy: + description: 'Image pull policy. One of Always, + Never, IfNotPresent. Defaults to Always + if :latest tag is specified, or IfNotPresent + otherwise. Cannot be updated. More info: + https://kubernetes.io/docs/concepts/containers/images#updating-images' + type: string + imagePullSecret: + description: ImagePullSecret is the name of + the Docker registry secret required to pull + the image. 
The secret must already exist. + type: string + initrdPath: + description: the fully-qualified path to the + ramdisk image in the host OS + type: string + kernelPath: + description: The fully-qualified path to the + kernel image in the host OS + type: string + required: + - image + type: object + kernelArgs: + description: Arguments to be passed to the kernel + at boot time + type: string + type: object + serial: + description: The system-serial-number in SMBIOS + type: string + uuid: + description: UUID reported by the vmi bios. Defaults + to a random generated uid. + type: string + type: object + ioThreadsPolicy: + description: 'Controls whether or not disks will share + IOThreads. Omitting IOThreadsPolicy disables use of + IOThreads. One of: shared, auto' + type: string + launchSecurity: + description: Launch Security setting of the vmi. + properties: + sev: + description: AMD Secure Encrypted Virtualization (SEV). + type: object + type: object + machine: + description: Machine type. + properties: + type: + description: QEMU machine type is the actual chipset + of the VirtualMachineInstance. + type: string + type: object + memory: + description: Memory allow specifying the VMI memory features. + properties: + guest: + anyOf: + - type: integer + - type: string + description: Guest allows to specifying the amount + of memory which is visible inside the Guest OS. + The Guest must lie between Requests and Limits from + the resources section. Defaults to the requested + memory in the resources section if not specified. + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + hugepages: + description: Hugepages allow to use hugepages for + the VirtualMachineInstance instead of regular memory. + properties: + pageSize: + description: PageSize specifies the hugepage size, + for x86_64 architecture valid values are 1Gi + and 2Mi. 
+ type: string + type: object + type: object + resources: + description: Resources describes the Compute Resources + required by this vmi. + properties: + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: Limits describes the maximum amount of + compute resources allowed. Valid resource keys are + "memory" and "cpu". + type: object + overcommitGuestOverhead: + description: Don't ask the scheduler to take the guest-management + overhead into account. Instead put the overhead + only into the container's memory limit. This can + lead to crashes if all memory is in use on a node. + Defaults to false. + type: boolean + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: Requests is a description of the initial + vmi resources. Valid resource keys are "memory" + and "cpu". + type: object + type: object + required: + - devices + type: object + evictionStrategy: + description: EvictionStrategy can be set to "LiveMigrate" + if the VirtualMachineInstance should be migrated instead + of shut-off in case of a node drain. + type: string + hostname: + description: Specifies the hostname of the vmi If not specified, + the hostname will be set to the name of the vmi, if dhcp + or cloud-init is configured properly. + type: string + livenessProbe: + description: 'Periodic probe of VirtualMachineInstance liveness. + VirtualmachineInstances will be stopped if the probe fails. + Cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + properties: + exec: + description: One and only one of the following should + be specified. 
Exec specifies the action to take, it + will be executed on the guest through the qemu-guest-agent. + If the guest agent is not available, this probe will + fail. + properties: + command: + description: Command is the command line to execute + inside the container, the working directory for + the command is root ('/') in the container's filesystem. + The command is simply exec'd, it is not run inside + a shell, so traditional shell instructions ('|', + etc) won't work. To use a shell, you need to explicitly + call out to that shell. Exit status of 0 is treated + as live/healthy and non-zero is unhealthy. + items: + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures for the probe + to be considered failed after having succeeded. Defaults + to 3. Minimum value is 1. + format: int32 + type: integer + guestAgentPing: + description: GuestAgentPing contacts the qemu-guest-agent + for availability checks. + type: object + httpGet: + description: HTTPGet specifies the http request to perform. + properties: + host: + description: Host name to connect to, defaults to + the pod IP. You probably want to set "Host" in httpHeaders + instead. + type: string + httpHeaders: + description: Custom headers to set in the request. + HTTP allows repeated headers. + items: + description: HTTPHeader describes a custom header + to be used in HTTP probes + properties: + name: + description: The header field name + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port to access + on the container. Number must be in the range 1 + to 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting to the host. + Defaults to HTTP. 
+ type: string + required: + - port + type: object + initialDelaySeconds: + description: 'Number of seconds after the VirtualMachineInstance + has started before liveness probes are initiated. More + info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform the probe. + Default to 10 seconds. Minimum value is 1. + format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes for the probe + to be considered successful after having failed. Defaults + to 1. Must be 1 for liveness. Minimum value is 1. + format: int32 + type: integer + tcpSocket: + description: 'TCPSocket specifies an action involving + a TCP port. TCP hooks not yet supported TODO: implement + a realistic TCP lifecycle hook' + properties: + host: + description: 'Optional: Host name to connect to, defaults + to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port to access + on the container. Number must be in the range 1 + to 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + timeoutSeconds: + description: 'Number of seconds after which the probe + times out. For exec probes the timeout fails the probe + but does not terminate the command running on the guest. + This means a blocking command can result in an increasing + load on the guest. A small buffer will be added to the + resulting workload exec probe to compensate for delays + caused by the qemu guest exec mechanism. Defaults to + 1 second. Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + type: object + networks: + description: List of networks that can be attached to a vm's + virtual interface. 
+ items: + description: Network represents a network type and a resource + that should be connected to the vm. + properties: + multus: + description: Represents the multus cni network. + properties: + default: + description: Select the default network and add + it to the multus-cni.io/default-network annotation. + type: boolean + networkName: + description: 'References to a NetworkAttachmentDefinition + CRD object. Format: , /. + If namespace is not specified, VMI namespace is + assumed.' + type: string + required: + - networkName + type: object + name: + description: 'Network name. Must be a DNS_LABEL and + unique within the vm. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + pod: + description: Represents the stock pod network interface. + properties: + vmIPv6NetworkCIDR: + description: IPv6 CIDR for the vm network. Defaults + to fd10:0:2::/120 if not specified. + type: string + vmNetworkCIDR: + description: CIDR for vm network. Default 10.0.2.0/24 + if not specified. + type: string + type: object + required: + - name + type: object + type: array + nodeSelector: + additionalProperties: + type: string + description: 'NodeSelector is a selector which must be true + for the vmi to fit on a node. Selector which must match + a node''s labels for the vmi to be scheduled on that node. + More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' + type: object + priorityClassName: + description: If specified, indicates the pod's priority. If + not specified, the pod priority will be default or zero + if there is no default. + type: string + readinessProbe: + description: 'Periodic probe of VirtualMachineInstance service + readiness. VirtualmachineInstances will be removed from + service endpoints if the probe fails. Cannot be updated. 
+ More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + properties: + exec: + description: One and only one of the following should + be specified. Exec specifies the action to take, it + will be executed on the guest through the qemu-guest-agent. + If the guest agent is not available, this probe will + fail. + properties: + command: + description: Command is the command line to execute + inside the container, the working directory for + the command is root ('/') in the container's filesystem. + The command is simply exec'd, it is not run inside + a shell, so traditional shell instructions ('|', + etc) won't work. To use a shell, you need to explicitly + call out to that shell. Exit status of 0 is treated + as live/healthy and non-zero is unhealthy. + items: + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures for the probe + to be considered failed after having succeeded. Defaults + to 3. Minimum value is 1. + format: int32 + type: integer + guestAgentPing: + description: GuestAgentPing contacts the qemu-guest-agent + for availability checks. + type: object + httpGet: + description: HTTPGet specifies the http request to perform. + properties: + host: + description: Host name to connect to, defaults to + the pod IP. You probably want to set "Host" in httpHeaders + instead. + type: string + httpHeaders: + description: Custom headers to set in the request. + HTTP allows repeated headers. + items: + description: HTTPHeader describes a custom header + to be used in HTTP probes + properties: + name: + description: The header field name + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port to access + on the container. 
Number must be in the range 1 + to 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting to the host. + Defaults to HTTP. + type: string + required: + - port + type: object + initialDelaySeconds: + description: 'Number of seconds after the VirtualMachineInstance + has started before liveness probes are initiated. More + info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform the probe. + Default to 10 seconds. Minimum value is 1. + format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes for the probe + to be considered successful after having failed. Defaults + to 1. Must be 1 for liveness. Minimum value is 1. + format: int32 + type: integer + tcpSocket: + description: 'TCPSocket specifies an action involving + a TCP port. TCP hooks not yet supported TODO: implement + a realistic TCP lifecycle hook' + properties: + host: + description: 'Optional: Host name to connect to, defaults + to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port to access + on the container. Number must be in the range 1 + to 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + timeoutSeconds: + description: 'Number of seconds after which the probe + times out. For exec probes the timeout fails the probe + but does not terminate the command running on the guest. + This means a blocking command can result in an increasing + load on the guest. A small buffer will be added to the + resulting workload exec probe to compensate for delays + caused by the qemu guest exec mechanism. Defaults to + 1 second. Minimum value is 1. 
More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + type: object + schedulerName: + description: If specified, the VMI will be dispatched by specified + scheduler. If not specified, the VMI will be dispatched + by default scheduler. + type: string + startStrategy: + description: StartStrategy can be set to "Paused" if Virtual + Machine should be started in paused state. + type: string + subdomain: + description: If specified, the fully qualified vmi hostname + will be "...svc.". If not specified, the vmi will not have a domainname + at all. The DNS entry will resolve to the vmi, no matter + if the vmi itself can pick up a hostname. + type: string + terminationGracePeriodSeconds: + description: Grace period observed after signalling a VirtualMachineInstance + to stop after which the VirtualMachineInstance is force + terminated. + format: int64 + type: integer + tolerations: + description: If toleration is specified, obey all the toleration + rules. + items: + description: The pod this Toleration is attached to tolerates + any taint that matches the triple using + the matching operator . + properties: + effect: + description: Effect indicates the taint effect to match. + Empty means match all taint effects. When specified, + allowed values are NoSchedule, PreferNoSchedule and + NoExecute. + type: string + key: + description: Key is the taint key that the toleration + applies to. Empty means match all taint keys. If the + key is empty, operator must be Exists; this combination + means to match all values and all keys. + type: string + operator: + description: Operator represents a key's relationship + to the value. Valid operators are Exists and Equal. + Defaults to Equal. Exists is equivalent to wildcard + for value, so that a pod can tolerate all taints of + a particular category. 
+ type: string + tolerationSeconds: + description: TolerationSeconds represents the period + of time the toleration (which must be of effect NoExecute, + otherwise this field is ignored) tolerates the taint. + By default, it is not set, which means tolerate the + taint forever (do not evict). Zero and negative values + will be treated as 0 (evict immediately) by the system. + format: int64 + type: integer + value: + description: Value is the taint value the toleration + matches to. If the operator is Exists, the value should + be empty, otherwise just a regular string. + type: string + type: object + type: array + topologySpreadConstraints: + description: TopologySpreadConstraints describes how a group + of VMIs will be spread across a given topology domains. + K8s scheduler will schedule VMI pods in a way which abides + by the constraints. + items: + description: TopologySpreadConstraint specifies how to spread + matching pods among the given topology. + properties: + labelSelector: + description: LabelSelector is used to find matching + pods. Pods that match this label selector are counted + to determine the number of pods in their corresponding + topology domain. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If the + operator is Exists or DoesNotExist, the + values array must be empty. 
This array is + replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". The + requirements are ANDed. + type: object + type: object + maxSkew: + description: 'MaxSkew describes the degree to which + pods may be unevenly distributed. When ''whenUnsatisfiable=DoNotSchedule'', + it is the maximum permitted difference between the + number of matching pods in the target topology and + the global minimum. For example, in a 3-zone cluster, + MaxSkew is set to 1, and pods with the same labelSelector + spread as 1/1/0: | zone1 | zone2 | zone3 | | P | P | | + - if MaxSkew is 1, incoming pod can only be scheduled + to zone3 to become 1/1/1; scheduling it onto zone1(zone2) + would make the ActualSkew(2-0) on zone1(zone2) violate + MaxSkew(1). - if MaxSkew is 2, incoming pod can be + scheduled onto any zone. When ''whenUnsatisfiable=ScheduleAnyway'', + it is used to give higher precedence to topologies + that satisfy it. It''s a required field. Default value + is 1 and 0 is not allowed.' + format: int32 + type: integer + topologyKey: + description: TopologyKey is the key of node labels. + Nodes that have a label with this key and identical + values are considered to be in the same topology. + We consider each as a "bucket", and try + to put balanced number of pods into each bucket. It's + a required field. + type: string + whenUnsatisfiable: + description: 'WhenUnsatisfiable indicates how to deal + with a pod if it doesn''t satisfy the spread constraint. + - DoNotSchedule (default) tells the scheduler not + to schedule it. 
- ScheduleAnyway tells the scheduler + to schedule the pod in any location, but giving + higher precedence to topologies that would help reduce + the skew. A constraint is considered "Unsatisfiable" + for an incoming pod if and only if every possible + node assignment for that pod would violate "MaxSkew" + on some topology. For example, in a 3-zone cluster, + MaxSkew is set to 1, and pods with the same labelSelector + spread as 3/1/1: | zone1 | zone2 | zone3 | | P P P + | P | P | If WhenUnsatisfiable is set to DoNotSchedule, + incoming pod can only be scheduled to zone2(zone3) + to become 3/2/1(3/1/2) as ActualSkew(2-1) on zone2(zone3) + satisfies MaxSkew(1). In other words, the cluster + can still be imbalanced, but scheduler won''t make + it *more* imbalanced. It''s a required field.' + type: string + required: + - maxSkew + - topologyKey + - whenUnsatisfiable + type: object + type: array + x-kubernetes-list-map-keys: + - topologyKey + - whenUnsatisfiable + x-kubernetes-list-type: map + volumes: + description: List of volumes that can be mounted by disks + belonging to the vmi. + items: + description: Volume represents a named volume in a vmi. + properties: + cloudInitConfigDrive: + description: 'CloudInitConfigDrive represents a cloud-init + Config Drive user-data source. The Config Drive data + will be added as a disk to the vmi. A proper cloud-init + installation is required inside the guest. More info: + https://cloudinit.readthedocs.io/en/latest/topics/datasources/configdrive.html' + properties: + networkData: + description: NetworkData contains config drive inline + cloud-init networkdata. + type: string + networkDataBase64: + description: NetworkDataBase64 contains config drive + cloud-init networkdata as a base64 encoded string. + type: string + networkDataSecretRef: + description: NetworkDataSecretRef references a k8s + secret that contains config drive networkdata. + properties: + name: + description: 'Name of the referent. 
More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + type: object + secretRef: + description: UserDataSecretRef references a k8s + secret that contains config drive userdata. + properties: + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + type: object + userData: + description: UserData contains config drive inline + cloud-init userdata. + type: string + userDataBase64: + description: UserDataBase64 contains config drive + cloud-init userdata as a base64 encoded string. + type: string + type: object + cloudInitNoCloud: + description: 'CloudInitNoCloud represents a cloud-init + NoCloud user-data source. The NoCloud data will be + added as a disk to the vmi. A proper cloud-init installation + is required inside the guest. More info: http://cloudinit.readthedocs.io/en/latest/topics/datasources/nocloud.html' + properties: + networkData: + description: NetworkData contains NoCloud inline + cloud-init networkdata. + type: string + networkDataBase64: + description: NetworkDataBase64 contains NoCloud + cloud-init networkdata as a base64 encoded string. + type: string + networkDataSecretRef: + description: NetworkDataSecretRef references a k8s + secret that contains NoCloud networkdata. + properties: + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + type: object + secretRef: + description: UserDataSecretRef references a k8s + secret that contains NoCloud userdata. + properties: + name: + description: 'Name of the referent. 
More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + type: object + userData: + description: UserData contains NoCloud inline cloud-init + userdata. + type: string + userDataBase64: + description: UserDataBase64 contains NoCloud cloud-init + userdata as a base64 encoded string. + type: string + type: object + configMap: + description: 'ConfigMapSource represents a reference + to a ConfigMap in the same namespace. More info: https://kubernetes.io/docs/tasks/configure-pod-container/configure-pod-configmap/' + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + optional: + description: Specify whether the ConfigMap or it's + keys must be defined + type: boolean + volumeLabel: + description: The volume label of the resulting disk + inside the VMI. Different bootstrapping mechanisms + require different values. Typical values are "cidata" + (cloud-init), "config-2" (cloud-init) or "OEMDRV" + (kickstart). + type: string + type: object + containerDisk: + description: 'ContainerDisk references a docker image, + embedding a qcow or raw disk. More info: https://kubevirt.gitbooks.io/user-guide/registry-disk.html' + properties: + image: + description: Image is the name of the image with + the embedded disk. + type: string + imagePullPolicy: + description: 'Image pull policy. One of Always, + Never, IfNotPresent. Defaults to Always if :latest + tag is specified, or IfNotPresent otherwise. Cannot + be updated. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images' + type: string + imagePullSecret: + description: ImagePullSecret is the name of the + Docker registry secret required to pull the image. + The secret must already exist. 
+ type: string + path: + description: Path defines the path to disk file + in the container + type: string + required: + - image + type: object + dataVolume: + description: DataVolume represents the dynamic creation + a PVC for this volume as well as the process of populating + that PVC with a disk image. + properties: + hotpluggable: + description: Hotpluggable indicates whether the + volume can be hotplugged and hotunplugged. + type: boolean + name: + description: Name of both the DataVolume and the + PVC in the same namespace. After PVC population + the DataVolume is garbage collected by default. + type: string + required: + - name + type: object + downwardAPI: + description: DownwardAPI represents downward API about + the pod that should populate this volume + properties: + fields: + description: Fields is a list of downward API volume + file + items: + description: DownwardAPIVolumeFile represents + information to create the file containing the + pod field + properties: + fieldRef: + description: 'Required: Selects a field of + the pod: only annotations, labels, name + and namespace are supported.' + properties: + apiVersion: + description: Version of the schema the + FieldPath is written in terms of, defaults + to "v1". + type: string + fieldPath: + description: Path of the field to select + in the specified API version. + type: string + required: + - fieldPath + type: object + mode: + description: 'Optional: mode bits used to + set permissions on this file, must be an + octal value between 0000 and 0777 or a decimal + value between 0 and 511. YAML accepts both + octal and decimal values, JSON requires + decimal values for mode bits. If not specified, + the volume defaultMode will be used. This + might be in conflict with other options + that affect the file mode, like fsGroup, + and the result can be other mode bits set.' + format: int32 + type: integer + path: + description: 'Required: Path is the relative + path name of the file to be created. 
Must + not be absolute or contain the ''..'' path. + Must be utf-8 encoded. The first item of + the relative path must not start with ''..''' + type: string + resourceFieldRef: + description: 'Selects a resource of the container: + only resources limits and requests (limits.cpu, + limits.memory, requests.cpu and requests.memory) + are currently supported.' + properties: + containerName: + description: 'Container name: required + for volumes, optional for env vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies the output format + of the exposed resources, defaults to + "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource to select' + type: string + required: + - resource + type: object + required: + - path + type: object + type: array + volumeLabel: + description: The volume label of the resulting disk + inside the VMI. Different bootstrapping mechanisms + require different values. Typical values are "cidata" + (cloud-init), "config-2" (cloud-init) or "OEMDRV" + (kickstart). + type: string + type: object + downwardMetrics: + description: DownwardMetrics adds a very small disk + to VMIs which contains a limited view of host and + guest metrics. The disk content is compatible with + vhostmd (https://github.com/vhostmd/vhostmd) and vm-dump-metrics. + type: object + emptyDisk: + description: 'EmptyDisk represents a temporary disk + which shares the vmis lifecycle. More info: https://kubevirt.gitbooks.io/user-guide/disks-and-volumes.html' + properties: + capacity: + anyOf: + - type: integer + - type: string + description: Capacity of the sparse disk. 
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + required: + - capacity + type: object + ephemeral: + description: Ephemeral is a special volume source that + "wraps" specified source and provides copy-on-write + image on top of it. + properties: + persistentVolumeClaim: + description: 'PersistentVolumeClaimVolumeSource + represents a reference to a PersistentVolumeClaim + in the same namespace. Directly attached to the + vmi via qemu. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims' + properties: + claimName: + description: 'ClaimName is the name of a PersistentVolumeClaim + in the same namespace as the pod using this + volume. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims' + type: string + readOnly: + description: Will force the ReadOnly setting + in VolumeMounts. Default false. 
+ type: boolean + required: + - claimName + type: object + type: object + hostDisk: + description: HostDisk represents a disk created on the + cluster level + properties: + capacity: + anyOf: + - type: integer + - type: string + description: Capacity of the sparse disk + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + path: + description: The path to HostDisk image located + on the cluster + type: string + shared: + description: Shared indicate whether the path is + shared between nodes + type: boolean + type: + description: Contains information if disk.img exists + or should be created allowed options are 'Disk' + and 'DiskOrCreate' + type: string + required: + - path + - type + type: object + memoryDump: + description: MemoryDump is attached to the virt launcher + and is populated with a memory dump of the vmi + properties: + claimName: + description: 'ClaimName is the name of a PersistentVolumeClaim + in the same namespace as the pod using this volume. + More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims' + type: string + hotpluggable: + description: Hotpluggable indicates whether the + volume can be hotplugged and hotunplugged. + type: boolean + readOnly: + description: Will force the ReadOnly setting in + VolumeMounts. Default false. + type: boolean + required: + - claimName + type: object + name: + description: 'Volume''s name. Must be a DNS_LABEL and + unique within the vmi. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + persistentVolumeClaim: + description: 'PersistentVolumeClaimVolumeSource represents + a reference to a PersistentVolumeClaim in the same + namespace. Directly attached to the vmi via qemu. 
+ More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims' + properties: + claimName: + description: 'ClaimName is the name of a PersistentVolumeClaim + in the same namespace as the pod using this volume. + More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims' + type: string + hotpluggable: + description: Hotpluggable indicates whether the + volume can be hotplugged and hotunplugged. + type: boolean + readOnly: + description: Will force the ReadOnly setting in + VolumeMounts. Default false. + type: boolean + required: + - claimName + type: object + secret: + description: 'SecretVolumeSource represents a reference + to a secret data in the same namespace. More info: + https://kubernetes.io/docs/concepts/configuration/secret/' + properties: + optional: + description: Specify whether the Secret or it's + keys must be defined + type: boolean + secretName: + description: 'Name of the secret in the pod''s namespace + to use. More info: https://kubernetes.io/docs/concepts/storage/volumes#secret' + type: string + volumeLabel: + description: The volume label of the resulting disk + inside the VMI. Different bootstrapping mechanisms + require different values. Typical values are "cidata" + (cloud-init), "config-2" (cloud-init) or "OEMDRV" + (kickstart). + type: string + type: object + serviceAccount: + description: 'ServiceAccountVolumeSource represents + a reference to a service account. There can only be + one volume of this type! More info: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/' + properties: + serviceAccountName: + description: 'Name of the service account in the + pod''s namespace to use. More info: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/' + type: string + type: object + sysprep: + description: Represents a Sysprep volume source. 
+ properties: + configMap: + description: ConfigMap references a ConfigMap that + contains Sysprep answer file named autounattend.xml + that should be attached as disk of CDROM type. + properties: + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + type: object + secret: + description: Secret references a k8s Secret that + contains Sysprep answer file named autounattend.xml + that should be attached as disk of CDROM type. + properties: + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + type: object + type: object + required: + - name + type: object + type: array + required: + - domain + type: object + type: object + required: + - template + type: object + status: + description: Status holds the current state of the controller and brief + information about its associated VirtualMachineInstance + properties: + conditions: + description: Hold the state information of the VirtualMachine and + its VirtualMachineInstance + items: + description: VirtualMachineCondition represents the state of VirtualMachine + properties: + lastProbeTime: + format: date-time + nullable: true + type: string + lastTransitionTime: + format: date-time + nullable: true + type: string + message: + type: string + reason: + type: string + status: + type: string + type: + type: string + required: + - status + - type + type: object + type: array + created: + description: Created indicates if the virtual machine is created in + the cluster + type: boolean + memoryDumpRequest: + description: MemoryDumpRequest tracks memory dump request phase and + info of getting a memory dump to the given pvc + nullable: true + properties: + claimName: + description: ClaimName is the name of the 
pvc that will contain + the memory dump + type: string + endTimestamp: + description: EndTimestamp represents the time the memory dump + was completed + format: date-time + type: string + fileName: + description: FileName represents the name of the output file + type: string + message: + description: Message is a detailed message about failure of the + memory dump + type: string + phase: + description: Phase represents the memory dump phase + type: string + remove: + description: Remove represents request of dissociating the memory + dump pvc + type: boolean + startTimestamp: + description: StartTimestamp represents the time the memory dump + started + format: date-time + type: string + required: + - claimName + - phase + type: object + printableStatus: + description: PrintableStatus is a human readable, high-level representation + of the status of the virtual machine + type: string + ready: + description: Ready indicates if the virtual machine is running and + ready + type: boolean + restoreInProgress: + description: RestoreInProgress is the name of the VirtualMachineRestore + currently executing + type: string + snapshotInProgress: + description: SnapshotInProgress is the name of the VirtualMachineSnapshot + currently executing + type: string + startFailure: + description: StartFailure tracks consecutive VMI startup failures + for the purposes of crash loop backoffs + nullable: true + properties: + consecutiveFailCount: + type: integer + lastFailedVMIUID: + description: UID is a type that holds unique ID values, including + UUIDs. Because we don't ONLY use UUIDs, this is an alias to + string. Being a type captures intent and helps make sure that + UIDs and names do not get conflated. + type: string + retryAfterTimestamp: + format: date-time + type: string + type: object + stateChangeRequests: + description: StateChangeRequests indicates a list of actions that + should be taken on a VMI e.g. stop a specific VMI then start a new + one. 
+ items: + properties: + action: + description: Indicates the type of action that is requested. + e.g. Start or Stop + type: string + data: + additionalProperties: + type: string + description: Provides additional data in order to perform the + Action + type: object + uid: + description: Indicates the UUID of an existing Virtual Machine + Instance that this change request applies to -- if applicable + type: string + required: + - action + type: object + type: array + volumeRequests: + description: VolumeRequests indicates a list of volumes add or remove + from the VMI template and hotplug on an active running VMI. + items: + properties: + addVolumeOptions: + description: AddVolumeOptions when set indicates a volume should + be added. The details within this field specify how to add + the volume + properties: + disk: + description: Disk represents the hotplug disk that will + be plugged into the running VMI + properties: + blockSize: + description: If specified, the virtual disk will be + presented with the given block sizes. + properties: + custom: + description: CustomBlockSize represents the desired + logical and physical block size for a VM disk. + properties: + logical: + type: integer + physical: + type: integer + required: + - logical + - physical + type: object + matchVolume: + description: Represents if a feature is enabled + or disabled. + properties: + enabled: + description: Enabled determines if the feature + should be enabled or disabled on the guest. + Defaults to true. + type: boolean + type: object + type: object + bootOrder: + description: BootOrder is an integer value > 0, used + to determine ordering of boot devices. Lower values + take precedence. Each disk or interface that has a + boot order must have a unique value. Disks without + a boot order are not tried if a disk with a boot order + exists. + type: integer + cache: + description: 'Cache specifies which kvm disk cache mode + should be used. 
Supported values are: CacheNone, CacheWriteThrough.' + type: string + cdrom: + description: Attach a volume as a cdrom to the vmi. + properties: + bus: + description: 'Bus indicates the type of disk device + to emulate. supported values: virtio, sata, scsi.' + type: string + readonly: + description: ReadOnly. Defaults to true. + type: boolean + tray: + description: Tray indicates if the tray of the device + is open or closed. Allowed values are "open" and + "closed". Defaults to closed. + type: string + type: object + dedicatedIOThread: + description: dedicatedIOThread indicates this disk should + have an exclusive IO Thread. Enabling this implies + useIOThreads = true. Defaults to false. + type: boolean + disk: + description: Attach a volume as a disk to the vmi. + properties: + bus: + description: 'Bus indicates the type of disk device + to emulate. supported values: virtio, sata, scsi, + usb.' + type: string + pciAddress: + description: 'If specified, the virtual disk will + be placed on the guests pci address with the specified + PCI address. For example: 0000:81:01.10' + type: string + readonly: + description: ReadOnly. Defaults to false. + type: boolean + type: object + io: + description: 'IO specifies which QEMU disk IO mode should + be used. Supported values are: native, default, threads.' + type: string + lun: + description: Attach a volume as a LUN to the vmi. + properties: + bus: + description: 'Bus indicates the type of disk device + to emulate. supported values: virtio, sata, scsi.' + type: string + readonly: + description: ReadOnly. Defaults to false. + type: boolean + type: object + name: + description: Name is the device name + type: string + serial: + description: Serial provides the ability to specify + a serial number for the disk device. 
+ type: string + shareable: + description: If specified the disk is made sharable + and multiple write from different VMs are permitted + type: boolean + tag: + description: If specified, disk address and its tag + will be provided to the guest via config drive metadata + type: string + required: + - name + type: object + dryRun: + description: 'When present, indicates that modifications + should not be persisted. An invalid or unrecognized dryRun + directive will result in an error response and no further + processing of the request. Valid values are: - All: all + dry run stages will be processed' + items: + type: string + type: array + x-kubernetes-list-type: atomic + name: + description: Name represents the name that will be used + to map the disk to the corresponding volume. This overrides + any name set inside the Disk struct itself. + type: string + volumeSource: + description: VolumeSource represents the source of the volume + to map to the disk. + properties: + dataVolume: + description: DataVolume represents the dynamic creation + a PVC for this volume as well as the process of populating + that PVC with a disk image. + properties: + hotpluggable: + description: Hotpluggable indicates whether the + volume can be hotplugged and hotunplugged. + type: boolean + name: + description: Name of both the DataVolume and the + PVC in the same namespace. After PVC population + the DataVolume is garbage collected by default. + type: string + required: + - name + type: object + persistentVolumeClaim: + description: 'PersistentVolumeClaimVolumeSource represents + a reference to a PersistentVolumeClaim in the same + namespace. Directly attached to the vmi via qemu. + More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims' + properties: + claimName: + description: 'ClaimName is the name of a PersistentVolumeClaim + in the same namespace as the pod using this volume. 
+ More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims' + type: string + hotpluggable: + description: Hotpluggable indicates whether the + volume can be hotplugged and hotunplugged. + type: boolean + readOnly: + description: Will force the ReadOnly setting in + VolumeMounts. Default false. + type: boolean + required: + - claimName + type: object + type: object + required: + - disk + - name + - volumeSource + type: object + removeVolumeOptions: + description: RemoveVolumeOptions when set indicates a volume + should be removed. The details within this field specify how + to add the volume + properties: + dryRun: + description: 'When present, indicates that modifications + should not be persisted. An invalid or unrecognized dryRun + directive will result in an error response and no further + processing of the request. Valid values are: - All: all + dry run stages will be processed' + items: + type: string + type: array + x-kubernetes-list-type: atomic + name: + description: Name represents the name that maps to both + the disk and volume that should be removed + type: string + required: + - name + type: object + type: object + type: array + x-kubernetes-list-type: atomic + volumeSnapshotStatuses: + description: VolumeSnapshotStatuses indicates a list of statuses whether + snapshotting is supported by each volume. + items: + properties: + enabled: + description: True if the volume supports snapshotting + type: boolean + name: + description: Volume name + type: string + reason: + description: Empty if snapshotting is enabled, contains reason + otherwise + type: string + required: + - enabled + - name + type: object + type: array + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} \ No newline at end of file diff --git a/CRDs/linkerd.yaml b/CRDs/linkerd.yaml new file mode 100644 index 000000000..0dd029cc4 --- /dev/null +++ b/CRDs/linkerd.yaml 
@@ -0,0 +1,3548 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: authorizationpolicies.policy.linkerd.io +spec: + group: policy.linkerd.io + scope: Namespaced + names: + kind: AuthorizationPolicy + plural: authorizationpolicies + singular: authorizationpolicy + shortNames: [authzpolicy] + versions: + - name: v1alpha1 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + required: [spec] + properties: + spec: + description: >- + Authorizes clients to communicate with Linkerd-proxied server + resources. + type: object + required: [targetRef, requiredAuthenticationRefs] + properties: + targetRef: + description: >- + TargetRef references a resource to which the authorization + policy applies. + type: object + required: [kind, name] + # Modified from the gateway API. + # Copyright 2020 The Kubernetes Authors + properties: + group: + description: >- + Group is the group of the referent. When empty, the + Kubernetes core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: >- + Kind is the kind of the referent. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + requiredAuthenticationRefs: + description: >- + RequiredAuthenticationRefs enumerates a set of required + authentications. ALL authentications must be satisfied for + the authorization to apply. If any of the referred objects + cannot be found, the authorization will be ignored. + type: array + items: + type: object + required: [kind, name] + properties: + group: + description: >- + Group is the group of the referent. When empty, the + Kubernetes core API group is inferred." 
+ maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: >- + Kind is the kind of the referent. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: >- + Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: >- + Name is the name of the referent. When unspecified, + this authentication refers to the local namespace. + maxLength: 253 + type: string +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: httproutes.policy.linkerd.io +spec: + group: policy.linkerd.io + names: + kind: HTTPRoute + listKind: HTTPRouteList + plural: httproutes + singular: httproute + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.hostnames + name: Hostnames + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: HTTPRoute provides a way to route HTTP requests. This includes + the capability to match requests by hostname, path, header, or query param. + Filters can be used to specify additional processing steps. Backends specify + where matching requests should be routed. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of HTTPRoute. + properties: + hostnames: + description: "Hostnames defines a set of hostname that should match + against the HTTP Host header to select a HTTPRoute to process the + request. This matches the RFC 1123 definition of a hostname with + 2 notable exceptions: \n 1. IPs are not allowed. 2. A hostname may + be prefixed with a wildcard label (`*.`). The wildcard label + must appear by itself as the first label. \n If a hostname is specified + by both the Listener and HTTPRoute, there must be at least one intersecting + hostname for the HTTPRoute to be attached to the Listener. For example: + \n * A Listener with `test.example.com` as the hostname matches + HTTPRoutes that have either not specified any hostnames, or have + specified at least one of `test.example.com` or `*.example.com`. + * A Listener with `*.example.com` as the hostname matches HTTPRoutes + \ that have either not specified any hostnames or have specified + at least one hostname that matches the Listener hostname. For + example, `*.example.com`, `test.example.com`, and `foo.test.example.com` + would all match. On the other hand, `example.com` and `test.example.net` + would not match. \n Hostnames that are prefixed with a wildcard + label (`*.`) are interpreted as a suffix match. That means that + a match for `*.example.com` would match both `test.example.com`, + and `foo.test.example.com`, but not `example.com`. \n If both the + Listener and HTTPRoute have specified hostnames, any HTTPRoute hostnames + that do not match the Listener hostname MUST be ignored. For example, + if a Listener specified `*.example.com`, and the HTTPRoute specified + `test.example.com` and `test.example.net`, `test.example.net` must + not be considered for a match. 
\n If both the Listener and HTTPRoute + have specified hostnames, and none match with the criteria above, + then the HTTPRoute is not accepted. The implementation must raise + an 'Accepted' Condition with a status of `False` in the corresponding + RouteParentStatus. \n Support: Core" + items: + description: "Hostname is the fully qualified domain name of a network + host. This matches the RFC 1123 definition of a hostname with + 2 notable exceptions: \n 1. IPs are not allowed. 2. A hostname + may be prefixed with a wildcard label (`*.`). The wildcard label + must appear by itself as the first label. \n Hostname can be \"precise\" + which is a domain name without the terminating dot of a network + host (e.g. \"foo.example.com\") or \"wildcard\", which is a domain + name prefixed with a single wildcard label (e.g. `*.example.com`). + \n Note that as per RFC1035 and RFC1123, a *label* must consist + of lower case alphanumeric characters or '-', and must start and + end with an alphanumeric character. No other punctuation is allowed." + maxLength: 253 + minLength: 1 + pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + maxItems: 16 + type: array + parentRefs: + description: "ParentRefs references the resources (usually Gateways) + that a Route wants to be attached to. Note that the referenced parent + resource needs to allow this for the attachment to be complete. + For Gateways, that means the Gateway needs to allow attachment from + Routes of this kind and namespace. \n The only kind of parent resource + with \"Core\" support is Gateway. This API may be extended in the + future to support additional kinds of parent resources such as one + of the route kinds. \n It is invalid to reference an identical parent + more than once. It is valid to reference multiple distinct sections + within the same parent resource, such as 2 Listeners within a Gateway. 
+ \n It is possible to separately reference multiple distinct objects + that may be collapsed by an implementation. For example, some implementations + may choose to merge compatible Gateway Listeners together. If that + is the case, the list of routes attached to those resources should + also be merged." + items: + description: "ParentReference identifies an API object (usually + a Gateway) that can be considered a parent of this resource (usually + a route). The only kind of parent resource with \"Core\" support + is Gateway. This API may be extended in the future to support + additional kinds of parent resources, such as HTTPRoute. \n The + API object must be valid in the cluster; the Group and Kind must + be registered in the cluster for this reference to be valid." + properties: + group: + default: policy.linkerd.io + description: "Group is the group of the referent. \n Support: + Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: Core + (Gateway) Support: Custom (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: + Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. When + unspecified (or empty string), this refers to the local namespace + of the Route. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "port" + type: integer + sectionName: + description: "SectionName is the name of a section within the + target resource. In the following resources, SectionName is + interpreted as the following: \n * Gateway: Listener Name. 
+ When both Port (experimental) and SectionName are specified, + the name and port of the selected listener must match both + specified values. \n Implementations MAY choose to support + attaching Routes to other resources. If that is the case, + they MUST clearly document how SectionName is interpreted. + \n When unspecified (empty string), this will reference the + entire resource. For the purpose of status, an attachment + is considered successful if at least one section in the parent + resource accepts it. For example, Gateway listeners can restrict + which Routes can attach to them by Route kind, namespace, + or hostname. If 1 of 2 Gateway listeners accept attachment + from the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this + Route, the Route MUST be considered detached from the Gateway. + \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + maxItems: 32 + type: array + rules: + default: + - matches: + - path: + type: PathPrefix + value: / + description: Rules are a list of HTTP matchers, filters and actions. + items: + description: HTTPRouteRule defines semantics for matching an HTTP + request based on conditions (matches) and processing it (filters). + properties: + backendRefs: + type: array + items: + type: object + properties: + name: + type: string + port: + type: integer + namespace: + type: string + default: "default" + filters: + description: "Filters define the filters that are applied to + requests that match this rule. \n The effects of ordering + of multiple behaviors are currently unspecified. This can + change in the future based on feedback during the alpha stage. + \n Conformance-levels at this level are defined based on the + type of filter: \n - ALL core filters MUST be supported by + all implementations. 
- Implementers are encouraged to support + extended filters. - Implementation-specific custom filters + have no API guarantees across implementations. \n Specifying + a core filter multiple times has unspecified or custom conformance. + \n All filters are expected to be compatible with each other + except for the URLRewrite and RequestRedirect filters, which + may not be combined. If an implementation can not support + other combinations of filters, they must clearly document + that limitation. In all cases where incompatible or unsupported + filters are specified, implementations MUST add a warning + condition to status. \n Support: Core" + items: + description: HTTPRouteFilter defines processing steps that + must be completed during the request or response lifecycle. + HTTPRouteFilters are meant as an extension point to express + processing that may be done in Gateway implementations. + Some examples include request or response modification, + implementing authentication strategies, rate-limiting, and + traffic shaping. API guarantee/conformance is defined based + on the type of the filter. + properties: + requestHeaderModifier: + description: "RequestHeaderModifier defines a schema for + a filter that modifies request headers. \n Support: + Core" + properties: + add: + description: "Add adds the given header(s) (name, + value) to the request before the action. It appends + to any existing values associated with the header + name. \n Input: GET /foo HTTP/1.1 my-header: + foo \n Config: add: - name: \"my-header\" value: + \"bar\" \n Output: GET /foo HTTP/1.1 my-header: + foo my-header: bar" + items: + description: HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header + to be matched. Name matching MUST be case + insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). 
+ \n If multiple entries specify equivalent + header names, the first entry with an equivalent + name MUST be considered for a match. Subsequent + entries with an equivalent header name MUST + be ignored. Due to the case-insensitivity + of header names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header + to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from the + HTTP request before the action. The value of Remove + is a list of HTTP header names. Note that the header + names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + \n Input: GET /foo HTTP/1.1 my-header1: foo + \ my-header2: bar my-header3: baz \n Config: + \ remove: [\"my-header1\", \"my-header3\"] \n Output: + \ GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with the + given header (name, value) before the action. \n + Input: GET /foo HTTP/1.1 my-header: foo \n Config: + \ set: - name: \"my-header\" value: \"bar\" + \n Output: GET /foo HTTP/1.1 my-header: bar" + items: + description: HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header + to be matched. Name matching MUST be case + insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an equivalent + name MUST be considered for a match. Subsequent + entries with an equivalent header name MUST + be ignored. 
Due to the case-insensitivity + of header names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header + to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestRedirect: + description: "RequestRedirect defines a schema for a filter + that responds to the request with an HTTP redirection. + \n Support: Core" + properties: + hostname: + description: "Hostname is the hostname to be used + in the value of the `Location` header in the response. + When empty, the hostname of the request is used. + \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: "Path defines parameters used to modify + the path of the incoming request. The modified + path is then used to construct the Location header. + When empty, the request path is used as-is. + \n Support: Extended" + type: string + port: + description: "Port is the port to be used in the value + of the `Location` header in the response. When empty, + port (if specified) of the request is used. \n Support: + Extended" + format: int32 + maximum: 65535 + minimum: 1 + type: integer + scheme: + description: "Scheme is the scheme to be used in the + value of the `Location` header in the response. + When empty, the scheme of the request is used. \n + Support: Extended" + enum: + - http + - https + type: string + statusCode: + default: 302 + description: "StatusCode is the HTTP status code to + be used in response. \n Support: Core" + enum: + - 301 + - 302 + type: integer + type: object + type: + description: "Type identifies the type of filter to apply. 
+ As with other API fields, types are classified into + three conformance levels: \n - Core: Filter types and + their corresponding configuration defined by \"Support: + Core\" in this package, e.g. \"RequestHeaderModifier\". + All implementations must support core filters. \n\n " + enum: + - RequestHeaderModifier + - RequestRedirect + type: string + required: + - type + type: object + maxItems: 16 + type: array + matches: + default: + - path: + type: PathPrefix + value: / + description: "Matches define conditions used for matching the + rule against incoming HTTP requests. Each match is independent, + i.e. this rule will be matched if **any** one of the matches + is satisfied. \n For example, take the following matches configuration: + \n ``` matches: - path: value: \"/foo\" headers: - + name: \"version\" value: \"v2\" - path: value: \"/v2/foo\" + ``` \n For a request to match against this rule, a request + must satisfy EITHER of the two conditions: \n - path prefixed + with `/foo` AND contains the header `version: v2` - path prefix + of `/v2/foo` \n See the documentation for HTTPRouteMatch on + how to specify multiple match conditions that should be ANDed + together. \n If no matches are specified, the default is a + prefix path match on \"/\", which has the effect of matching + every HTTP request. \n Proxy or Load Balancer routing configuration + generated from HTTPRoutes MUST prioritize rules based on the + following criteria, continuing on ties. Precedence must be + given to the the Rule with the largest number of: \n * Characters + in a matching non-wildcard hostname. * Characters in a matching + hostname. * Characters in a matching path. * Header matches. + * Query param matches. \n If ties still exist across multiple + Routes, matching precedence MUST be determined in order of + the following criteria, continuing on ties: \n * The oldest + Route based on creation timestamp. * The Route appearing first + in alphabetical order by \"{namespace}/{name}\". 
\n If ties + still exist within the Route that has been given precedence, + matching precedence MUST be granted to the first matching + rule meeting the above criteria. \n When no rules matching + a request have been successfully attached to the parent a + request is coming from, a HTTP 404 status code MUST be returned." + items: + description: "HTTPRouteMatch defines the predicate used to + match requests to a given action. Multiple match types are + ANDed together, i.e. the match will evaluate to true only + if all conditions are satisfied. \n For example, the match + below will match a HTTP request only if its path starts + with `/foo` AND it contains the `version: v1` header: \n + ``` match: path: value: \"/foo\" headers: - name: + \"version\" value \"v1\" ```" + properties: + headers: + description: Headers specifies HTTP request header matchers. + Multiple match values are ANDed together, meaning, a + request must match all the specified headers to select + the route. + items: + description: HTTPHeaderMatch describes how to select + a HTTP route by matching HTTP request headers. + properties: + name: + description: "Name is the name of the HTTP Header + to be matched. Name matching MUST be case insensitive. + (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent header + names, only the first entry with an equivalent + name MUST be considered for a match. Subsequent + entries with an equivalent header name MUST be + ignored. Due to the case-insensitivity of header + names, \"foo\" and \"Foo\" are considered equivalent. + \n When a header is repeated in an HTTP request, + it is implementation-specific behavior as to how + this is represented. Generally, proxies should + follow the guidance from the RFC: https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 + regarding processing a repeated header, with special + handling for \"Set-Cookie\"." 
+ maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + type: + default: Exact + description: "Type specifies how to match against + the value of the header. \n Support: Core (Exact) + \n Support: Custom (RegularExpression) \n Since + RegularExpression HeaderMatchType has custom conformance, + implementations can support POSIX, PCRE or any + other dialects of regular expressions. Please + read the implementation's documentation to determine + the supported dialect." + enum: + - Exact + - RegularExpression + type: string + value: + description: Value is the value of HTTP Header to + be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + method: + description: "Method specifies HTTP method matcher. When + specified, this route will be matched only if the request + has the specified method. \n Support: Extended" + enum: + - GET + - HEAD + - POST + - PUT + - DELETE + - CONNECT + - OPTIONS + - TRACE + - PATCH + type: string + path: + default: + type: PathPrefix + value: / + description: Path specifies a HTTP request path matcher. + If this field is not specified, a default prefix match + on the "/" path is provided. + properties: + type: + default: PathPrefix + description: "Type specifies how to match against + the path Value. \n Support: Core (Exact, PathPrefix) + \n Support: Custom (RegularExpression)" + enum: + - Exact + - PathPrefix + - RegularExpression + type: string + value: + default: / + description: Value of the HTTP path to match against. + maxLength: 1024 + type: string + type: object + queryParams: + description: QueryParams specifies HTTP query parameter + matchers. Multiple match values are ANDed together, + meaning, a request must match all the specified query + parameters to select the route. 
+ items: + description: HTTPQueryParamMatch describes how to select + a HTTP route by matching HTTP query parameters. + properties: + name: + description: Name is the name of the HTTP query + param to be matched. This must be an exact string + match. (See https://tools.ietf.org/html/rfc7230#section-2.7.3). + maxLength: 256 + minLength: 1 + type: string + type: + default: Exact + description: "Type specifies how to match against + the value of the query parameter. \n Support: + Extended (Exact) \n Support: Custom (RegularExpression) + \n Since RegularExpression QueryParamMatchType + has custom conformance, implementations can support + POSIX, PCRE or any other dialects of regular expressions. + Please read the implementation's documentation + to determine the supported dialect." + enum: + - Exact + - RegularExpression + type: string + value: + description: Value is the value of HTTP query param + to be matched. + maxLength: 1024 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + maxItems: 8 + type: array + type: object + maxItems: 16 + type: array + type: object + status: + description: Status defines the current state of HTTPRoute. + properties: + parents: + description: "Parents is a list of parent resources (usually Gateways) + that are associated with the route, and the status of the route + with respect to each parent. When this route attaches to a parent, + the controller that manages the parent must add an entry to this + list when the controller first sees the route and should update + the entry as appropriate when the route or gateway is modified. + \n Note that parent references that cannot be resolved by an implementation + of this API will not be added to this list. Implementations of this + API can only populate Route status for the Gateways/parent resources + they are responsible for. 
\n A maximum of 32 Gateways will be represented + in this list. An empty list means the route has not been attached + to any Gateway." + items: + description: RouteParentStatus describes the status of a route with + respect to an associated Parent. + properties: + conditions: + description: "Conditions describes the status of the route with + respect to the Gateway. Note that the route's availability + is also subject to the Gateway's own status conditions and + listener status. \n If the Route's ParentRef specifies an + existing Gateway that supports Routes of this kind AND that + Gateway's controller has sufficient access, then that Gateway's + controller MUST set the \"Accepted\" condition on the Route, + to indicate whether the route has been accepted or rejected + by the Gateway, and why. \n A Route MUST be considered \"Accepted\" + if at least one of the Route's rules is implemented by the + Gateway. \n There are a number of cases where the \"Accepted\" + condition may not be set due to lack of controller visibility, + that includes when: \n * The Route refers to a non-existent + parent. * The Route is of a type that the controller does + not support. * The Route is in a namespace the the controller + does not have access to." + items: + description: "Condition contains details for one aspect of + the current state of this API Resource. --- This struct + is intended for direct use as an array at the field path + .status.conditions. For example, type FooStatus struct{ + \ // Represents the observations of a foo's current state. 
+ \ // Known .status.conditions.type are: \"Available\", + \"Progressing\", and \"Degraded\" // +patchMergeKey=type + \ // +patchStrategy=merge // +listType=map // + +listMapKey=type Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` + \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should + be when the underlying condition changed. If that is + not known, then using the time when the API field changed + is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, + if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the + current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier + indicating the reason for the condition's last transition. + Producers of specific condition types may define expected + values and meanings for this field, and whether the + values are considered a guaranteed API. The value should + be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. 
+ --- Many .condition.type values are consistent across + resources like Available, but because arbitrary conditions + can be useful (see .node.status.conditions), the ability + to deconflict is important. The regex it matches is + (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + controllerName: + description: "ControllerName is a domain/path string that indicates + the name of the controller that wrote this status. This corresponds + with the controllerName field on GatewayClass. \n Example: + \"example.net/gateway-controller\". \n The format of this + field is DOMAIN \"/\" PATH, where DOMAIN and PATH are valid + Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). + \n Controllers MUST populate this field when writing status. + Controllers should ensure that entries to status populated + with their ControllerName are cleaned up when they are no + longer necessary." + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + parentRef: + description: ParentRef corresponds with a ParentRef in the spec + that this RouteParentStatus struct describes the status of. + properties: + group: + default: policy.linkerd.io + description: "Group is the group of the referent. \n Support: + Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. 
\n Support: + Core (Gateway) Support: Custom (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: + Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. + When unspecified (or empty string), this refers to the + local namespace of the Route. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + sectionName: + description: "SectionName is the name of a section within + the target resource. In the following resources, SectionName + is interpreted as the following: \n * Gateway: Listener + Name. When both Port (experimental) and SectionName are + specified, the name and port of the selected listener + must match both specified values. \n Implementations MAY + choose to support attaching Routes to other resources. + If that is the case, they MUST clearly document how SectionName + is interpreted. \n When unspecified (empty string), this + will reference the entire resource. For the purpose of + status, an attachment is considered successful if at least + one section in the parent resource accepts it. For example, + Gateway listeners can restrict which Routes can attach + to them by Route kind, namespace, or hostname. If 1 of + 2 Gateway listeners accept attachment from the referencing + Route, the Route MUST be considered successfully attached. + If no Gateway listeners accept attachment from this Route, + the Route MUST be considered detached from the Gateway. 
+ \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + required: + - controllerName + - parentRef + type: object + maxItems: 32 + type: array + required: + - parents + type: object + required: + - spec + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .spec.hostnames + name: Hostnames + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + description: HTTPRoute provides a way to route HTTP requests. This includes + the capability to match requests by hostname, path, header, or query param. + Filters can be used to specify additional processing steps. Backends specify + where matching requests should be routed. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of HTTPRoute. + properties: + hostnames: + description: "Hostnames defines a set of hostname that should match + against the HTTP Host header to select a HTTPRoute to process the + request. This matches the RFC 1123 definition of a hostname with + 2 notable exceptions: \n 1. IPs are not allowed. 2. 
A hostname may + be prefixed with a wildcard label (`*.`). The wildcard label + must appear by itself as the first label. \n If a hostname is specified + by both the Listener and HTTPRoute, there must be at least one intersecting + hostname for the HTTPRoute to be attached to the Listener. For example: + \n * A Listener with `test.example.com` as the hostname matches + HTTPRoutes that have either not specified any hostnames, or have + specified at least one of `test.example.com` or `*.example.com`. + * A Listener with `*.example.com` as the hostname matches HTTPRoutes + \ that have either not specified any hostnames or have specified + at least one hostname that matches the Listener hostname. For + example, `*.example.com`, `test.example.com`, and `foo.test.example.com` + would all match. On the other hand, `example.com` and `test.example.net` + would not match. \n Hostnames that are prefixed with a wildcard + label (`*.`) are interpreted as a suffix match. That means that + a match for `*.example.com` would match both `test.example.com`, + and `foo.test.example.com`, but not `example.com`. \n If both the + Listener and HTTPRoute have specified hostnames, any HTTPRoute hostnames + that do not match the Listener hostname MUST be ignored. For example, + if a Listener specified `*.example.com`, and the HTTPRoute specified + `test.example.com` and `test.example.net`, `test.example.net` must + not be considered for a match. \n If both the Listener and HTTPRoute + have specified hostnames, and none match with the criteria above, + then the HTTPRoute is not accepted. The implementation must raise + an 'Accepted' Condition with a status of `False` in the corresponding + RouteParentStatus. \n Support: Core" + items: + description: "Hostname is the fully qualified domain name of a network + host. This matches the RFC 1123 definition of a hostname with + 2 notable exceptions: \n 1. IPs are not allowed. 2. A hostname + may be prefixed with a wildcard label (`*.`). 
The wildcard label + must appear by itself as the first label. \n Hostname can be \"precise\" + which is a domain name without the terminating dot of a network + host (e.g. \"foo.example.com\") or \"wildcard\", which is a domain + name prefixed with a single wildcard label (e.g. `*.example.com`). + \n Note that as per RFC1035 and RFC1123, a *label* must consist + of lower case alphanumeric characters or '-', and must start and + end with an alphanumeric character. No other punctuation is allowed." + maxLength: 253 + minLength: 1 + pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + maxItems: 16 + type: array + parentRefs: + description: "ParentRefs references the resources (usually Gateways) + that a Route wants to be attached to. Note that the referenced parent + resource needs to allow this for the attachment to be complete. + For Gateways, that means the Gateway needs to allow attachment from + Routes of this kind and namespace. \n The only kind of parent resource + with \"Core\" support is Gateway. This API may be extended in the + future to support additional kinds of parent resources such as one + of the route kinds. \n It is invalid to reference an identical parent + more than once. It is valid to reference multiple distinct sections + within the same parent resource, such as 2 Listeners within a Gateway. + \n It is possible to separately reference multiple distinct objects + that may be collapsed by an implementation. For example, some implementations + may choose to merge compatible Gateway Listeners together. If that + is the case, the list of routes attached to those resources should + also be merged." + items: + description: "ParentReference identifies an API object (usually + a Gateway) that can be considered a parent of this resource (usually + a route). The only kind of parent resource with \"Core\" support + is Gateway. 
This API may be extended in the future to support + additional kinds of parent resources, such as HTTPRoute. \n The + API object must be valid in the cluster; the Group and Kind must + be registered in the cluster for this reference to be valid." + properties: + group: + default: policy.linkerd.io + description: "Group is the group of the referent. \n Support: + Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: Core + (Gateway) Support: Custom (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: + Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. When + unspecified (or empty string), this refers to the local namespace + of the Route. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "port" + type: integer + sectionName: + description: "SectionName is the name of a section within the + target resource. In the following resources, SectionName is + interpreted as the following: \n * Gateway: Listener Name. + When both Port (experimental) and SectionName are specified, + the name and port of the selected listener must match both + specified values. \n Implementations MAY choose to support + attaching Routes to other resources. If that is the case, + they MUST clearly document how SectionName is interpreted. + \n When unspecified (empty string), this will reference the + entire resource. For the purpose of status, an attachment + is considered successful if at least one section in the parent + resource accepts it. For example, Gateway listeners can restrict + which Routes can attach to them by Route kind, namespace, + or hostname. 
If 1 of 2 Gateway listeners accept attachment + from the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this + Route, the Route MUST be considered detached from the Gateway. + \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + maxItems: 32 + type: array + rules: + default: + - matches: + - path: + type: PathPrefix + value: / + description: Rules are a list of HTTP matchers, filters and actions. + items: + description: HTTPRouteRule defines semantics for matching an HTTP + request based on conditions (matches) and processing it (filters). + properties: + backendRefs: + type: array + items: + type: object + properties: + name: + type: string + port: + type: integer + namespace: + type: string + default: "default" + filters: + description: "Filters define the filters that are applied to + requests that match this rule. \n The effects of ordering + of multiple behaviors are currently unspecified. This can + change in the future based on feedback during the alpha stage. + \n Conformance-levels at this level are defined based on the + type of filter: \n - ALL core filters MUST be supported by + all implementations. - Implementers are encouraged to support + extended filters. - Implementation-specific custom filters + have no API guarantees across implementations. \n Specifying + a core filter multiple times has unspecified or custom conformance. + \n All filters are expected to be compatible with each other + except for the URLRewrite and RequestRedirect filters, which + may not be combined. If an implementation can not support + other combinations of filters, they must clearly document + that limitation. In all cases where incompatible or unsupported + filters are specified, implementations MUST add a warning + condition to status. 
\n Support: Core" + items: + description: HTTPRouteFilter defines processing steps that + must be completed during the request or response lifecycle. + HTTPRouteFilters are meant as an extension point to express + processing that may be done in Gateway implementations. + Some examples include request or response modification, + implementing authentication strategies, rate-limiting, and + traffic shaping. API guarantee/conformance is defined based + on the type of the filter. + properties: + requestHeaderModifier: + description: "RequestHeaderModifier defines a schema for + a filter that modifies request headers. \n Support: + Core" + properties: + add: + description: "Add adds the given header(s) (name, + value) to the request before the action. It appends + to any existing values associated with the header + name. \n Input: GET /foo HTTP/1.1 my-header: + foo \n Config: add: - name: \"my-header\" value: + \"bar\" \n Output: GET /foo HTTP/1.1 my-header: + foo my-header: bar" + items: + description: HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header + to be matched. Name matching MUST be case + insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an equivalent + name MUST be considered for a match. Subsequent + entries with an equivalent header name MUST + be ignored. Due to the case-insensitivity + of header names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header + to be matched. 
+ maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from the + HTTP request before the action. The value of Remove + is a list of HTTP header names. Note that the header + names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + \n Input: GET /foo HTTP/1.1 my-header1: foo + \ my-header2: bar my-header3: baz \n Config: + \ remove: [\"my-header1\", \"my-header3\"] \n Output: + \ GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with the + given header (name, value) before the action. \n + Input: GET /foo HTTP/1.1 my-header: foo \n Config: + \ set: - name: \"my-header\" value: \"bar\" + \n Output: GET /foo HTTP/1.1 my-header: bar" + items: + description: HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header + to be matched. Name matching MUST be case + insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an equivalent + name MUST be considered for a match. Subsequent + entries with an equivalent header name MUST + be ignored. Due to the case-insensitivity + of header names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header + to be matched. 
+ maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestRedirect: + description: "RequestRedirect defines a schema for a filter + that responds to the request with an HTTP redirection. + \n Support: Core" + properties: + hostname: + description: "Hostname is the hostname to be used + in the value of the `Location` header in the response. + When empty, the hostname of the request is used. + \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: "Path defines parameters used to modify + the path of the incoming request. The modified + path is then used to construct the Location header. + When empty, the request path is used as-is. + \n Support: Extended" + type: string + port: + description: "Port is the port to be used in the value + of the `Location` header in the response. When empty, + port (if specified) of the request is used. \n Support: + Extended" + format: int32 + maximum: 65535 + minimum: 1 + type: integer + scheme: + description: "Scheme is the scheme to be used in the + value of the `Location` header in the response. + When empty, the scheme of the request is used. \n + Support: Extended" + enum: + - http + - https + type: string + statusCode: + default: 302 + description: "StatusCode is the HTTP status code to + be used in response. \n Support: Core" + enum: + - 301 + - 302 + type: integer + type: object + type: + description: "Type identifies the type of filter to apply. + As with other API fields, types are classified into + three conformance levels: \n - Core: Filter types and + their corresponding configuration defined by \"Support: + Core\" in this package, e.g. \"RequestHeaderModifier\"." 
+ enum: + - RequestHeaderModifier + - RequestRedirect + type: string + required: + - type + type: object + maxItems: 16 + type: array + matches: + default: + - path: + type: PathPrefix + value: / + description: "Matches define conditions used for matching the + rule against incoming HTTP requests. Each match is independent, + i.e. this rule will be matched if **any** one of the matches + is satisfied. \n For example, take the following matches configuration: + \n ``` matches: - path: value: \"/foo\" headers: - + name: \"version\" value: \"v2\" - path: value: \"/v2/foo\" + ``` \n For a request to match against this rule, a request + must satisfy EITHER of the two conditions: \n - path prefixed + with `/foo` AND contains the header `version: v2` - path prefix + of `/v2/foo` \n See the documentation for HTTPRouteMatch on + how to specify multiple match conditions that should be ANDed + together. \n If no matches are specified, the default is a + prefix path match on \"/\", which has the effect of matching + every HTTP request. \n Proxy or Load Balancer routing configuration + generated from HTTPRoutes MUST prioritize rules based on the + following criteria, continuing on ties. Precedence must be + given to the the Rule with the largest number of: \n * Characters + in a matching non-wildcard hostname. * Characters in a matching + hostname. * Characters in a matching path. * Header matches. + * Query param matches. \n If ties still exist across multiple + Routes, matching precedence MUST be determined in order of + the following criteria, continuing on ties: \n * The oldest + Route based on creation timestamp. * The Route appearing first + in alphabetical order by \"{namespace}/{name}\". \n If ties + still exist within the Route that has been given precedence, + matching precedence MUST be granted to the first matching + rule meeting the above criteria. 
\n When no rules matching + a request have been successfully attached to the parent a + request is coming from, a HTTP 404 status code MUST be returned." + items: + description: "HTTPRouteMatch defines the predicate used to + match requests to a given action. Multiple match types are + ANDed together, i.e. the match will evaluate to true only + if all conditions are satisfied. \n For example, the match + below will match a HTTP request only if its path starts + with `/foo` AND it contains the `version: v1` header: \n + ``` match: path: value: \"/foo\" headers: - name: + \"version\" value \"v1\" ```" + properties: + headers: + description: Headers specifies HTTP request header matchers. + Multiple match values are ANDed together, meaning, a + request must match all the specified headers to select + the route. + items: + description: HTTPHeaderMatch describes how to select + a HTTP route by matching HTTP request headers. + properties: + name: + description: "Name is the name of the HTTP Header + to be matched. Name matching MUST be case insensitive. + (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent header + names, only the first entry with an equivalent + name MUST be considered for a match. Subsequent + entries with an equivalent header name MUST be + ignored. Due to the case-insensitivity of header + names, \"foo\" and \"Foo\" are considered equivalent. + \n When a header is repeated in an HTTP request, + it is implementation-specific behavior as to how + this is represented. Generally, proxies should + follow the guidance from the RFC: https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 + regarding processing a repeated header, with special + handling for \"Set-Cookie\"." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + type: + default: Exact + description: "Type specifies how to match against + the value of the header. 
\n Support: Core (Exact) + \n Support: Custom (RegularExpression) \n Since + RegularExpression HeaderMatchType has custom conformance, + implementations can support POSIX, PCRE or any + other dialects of regular expressions. Please + read the implementation's documentation to determine + the supported dialect." + enum: + - Exact + - RegularExpression + type: string + value: + description: Value is the value of HTTP Header to + be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + method: + description: "Method specifies HTTP method matcher. When + specified, this route will be matched only if the request + has the specified method. \n Support: Extended" + enum: + - GET + - HEAD + - POST + - PUT + - DELETE + - CONNECT + - OPTIONS + - TRACE + - PATCH + type: string + path: + default: + type: PathPrefix + value: / + description: Path specifies a HTTP request path matcher. + If this field is not specified, a default prefix match + on the "/" path is provided. + properties: + type: + default: PathPrefix + description: "Type specifies how to match against + the path Value. \n Support: Core (Exact, PathPrefix) + \n Support: Custom (RegularExpression)" + enum: + - Exact + - PathPrefix + - RegularExpression + type: string + value: + default: / + description: Value of the HTTP path to match against. + maxLength: 1024 + type: string + type: object + queryParams: + description: QueryParams specifies HTTP query parameter + matchers. Multiple match values are ANDed together, + meaning, a request must match all the specified query + parameters to select the route. + items: + description: HTTPQueryParamMatch describes how to select + a HTTP route by matching HTTP query parameters. + properties: + name: + description: Name is the name of the HTTP query + param to be matched. This must be an exact string + match. 
(See https://tools.ietf.org/html/rfc7230#section-2.7.3). + maxLength: 256 + minLength: 1 + type: string + type: + default: Exact + description: "Type specifies how to match against + the value of the query parameter. \n Support: + Extended (Exact) \n Support: Custom (RegularExpression) + \n Since RegularExpression QueryParamMatchType + has custom conformance, implementations can support + POSIX, PCRE or any other dialects of regular expressions. + Please read the implementation's documentation + to determine the supported dialect." + enum: + - Exact + - RegularExpression + type: string + value: + description: Value is the value of HTTP query param + to be matched. + maxLength: 1024 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + maxItems: 8 + type: array + type: object + maxItems: 16 + type: array + type: object + status: + description: Status defines the current state of HTTPRoute. + properties: + parents: + description: "Parents is a list of parent resources (usually Gateways) + that are associated with the route, and the status of the route + with respect to each parent. When this route attaches to a parent, + the controller that manages the parent must add an entry to this + list when the controller first sees the route and should update + the entry as appropriate when the route or gateway is modified. + \n Note that parent references that cannot be resolved by an implementation + of this API will not be added to this list. Implementations of this + API can only populate Route status for the Gateways/parent resources + they are responsible for. \n A maximum of 32 Gateways will be represented + in this list. An empty list means the route has not been attached + to any Gateway." + items: + description: RouteParentStatus describes the status of a route with + respect to an associated Parent. 
+ properties: + conditions: + description: "Conditions describes the status of the route with + respect to the Gateway. Note that the route's availability + is also subject to the Gateway's own status conditions and + listener status. \n If the Route's ParentRef specifies an + existing Gateway that supports Routes of this kind AND that + Gateway's controller has sufficient access, then that Gateway's + controller MUST set the \"Accepted\" condition on the Route, + to indicate whether the route has been accepted or rejected + by the Gateway, and why. \n A Route MUST be considered \"Accepted\" + if at least one of the Route's rules is implemented by the + Gateway. \n There are a number of cases where the \"Accepted\" + condition may not be set due to lack of controller visibility, + that includes when: \n * The Route refers to a non-existent + parent. * The Route is of a type that the controller does + not support. * The Route is in a namespace the the controller + does not have access to." + items: + description: "Condition contains details for one aspect of + the current state of this API Resource. --- This struct + is intended for direct use as an array at the field path + .status.conditions. For example, type FooStatus struct{ + \ // Represents the observations of a foo's current state. + \ // Known .status.conditions.type are: \"Available\", + \"Progressing\", and \"Degraded\" // +patchMergeKey=type + \ // +patchStrategy=merge // +listType=map // + +listMapKey=type Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` + \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should + be when the underlying condition changed. If that is + not known, then using the time when the API field changed + is acceptable. 
+ format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, + if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the + current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier + indicating the reason for the condition's last transition. + Producers of specific condition types may define expected + values and meanings for this field, and whether the + values are considered a guaranteed API. The value should + be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across + resources like Available, but because arbitrary conditions + can be useful (see .node.status.conditions), the ability + to deconflict is important. 
The regex it matches is + (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + controllerName: + description: "ControllerName is a domain/path string that indicates + the name of the controller that wrote this status. This corresponds + with the controllerName field on GatewayClass. \n Example: + \"example.net/gateway-controller\". \n The format of this + field is DOMAIN \"/\" PATH, where DOMAIN and PATH are valid + Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). + \n Controllers MUST populate this field when writing status. + Controllers should ensure that entries to status populated + with their ControllerName are cleaned up when they are no + longer necessary." + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + parentRef: + description: ParentRef corresponds with a ParentRef in the spec + that this RouteParentStatus struct describes the status of. + properties: + group: + default: policy.linkerd.io + description: "Group is the group of the referent. \n Support: + Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: + Core (Gateway) Support: Custom (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. 
\n Support: + Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. + When unspecified (or empty string), this refers to the + local namespace of the Route. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + sectionName: + description: "SectionName is the name of a section within + the target resource. In the following resources, SectionName + is interpreted as the following: \n * Gateway: Listener + Name. When both Port (experimental) and SectionName are + specified, the name and port of the selected listener + must match both specified values. \n Implementations MAY + choose to support attaching Routes to other resources. + If that is the case, they MUST clearly document how SectionName + is interpreted. \n When unspecified (empty string), this + will reference the entire resource. For the purpose of + status, an attachment is considered successful if at least + one section in the parent resource accepts it. For example, + Gateway listeners can restrict which Routes can attach + to them by Route kind, namespace, or hostname. If 1 of + 2 Gateway listeners accept attachment from the referencing + Route, the Route MUST be considered successfully attached. + If no Gateway listeners accept attachment from this Route, + the Route MUST be considered detached from the Gateway. 
+ \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + required: + - controllerName + - parentRef + type: object + maxItems: 32 + type: array + required: + - parents + type: object + required: + - spec + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .spec.hostnames + name: Hostnames + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta2 + schema: + openAPIV3Schema: + description: HTTPRoute provides a way to route HTTP requests. This includes + the capability to match requests by hostname, path, header, or query param. + Filters can be used to specify additional processing steps. Backends specify + where matching requests should be routed. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of HTTPRoute. + properties: + hostnames: + description: "Hostnames defines a set of hostname that should match + against the HTTP Host header to select a HTTPRoute to process the + request. This matches the RFC 1123 definition of a hostname with + 2 notable exceptions: \n 1. IPs are not allowed. 2. 
A hostname may + be prefixed with a wildcard label (`*.`). The wildcard label + must appear by itself as the first label. \n If a hostname is specified + by both the Listener and HTTPRoute, there must be at least one intersecting + hostname for the HTTPRoute to be attached to the Listener. For example: + \n * A Listener with `test.example.com` as the hostname matches + HTTPRoutes that have either not specified any hostnames, or have + specified at least one of `test.example.com` or `*.example.com`. + * A Listener with `*.example.com` as the hostname matches HTTPRoutes + \ that have either not specified any hostnames or have specified + at least one hostname that matches the Listener hostname. For + example, `*.example.com`, `test.example.com`, and `foo.test.example.com` + would all match. On the other hand, `example.com` and `test.example.net` + would not match. \n Hostnames that are prefixed with a wildcard + label (`*.`) are interpreted as a suffix match. That means that + a match for `*.example.com` would match both `test.example.com`, + and `foo.test.example.com`, but not `example.com`. \n If both the + Listener and HTTPRoute have specified hostnames, any HTTPRoute hostnames + that do not match the Listener hostname MUST be ignored. For example, + if a Listener specified `*.example.com`, and the HTTPRoute specified + `test.example.com` and `test.example.net`, `test.example.net` must + not be considered for a match. \n If both the Listener and HTTPRoute + have specified hostnames, and none match with the criteria above, + then the HTTPRoute is not accepted. The implementation must raise + an 'Accepted' Condition with a status of `False` in the corresponding + RouteParentStatus. \n Support: Core" + items: + description: "Hostname is the fully qualified domain name of a network + host. This matches the RFC 1123 definition of a hostname with + 2 notable exceptions: \n 1. IPs are not allowed. 2. A hostname + may be prefixed with a wildcard label (`*.`). 
The wildcard label + must appear by itself as the first label. \n Hostname can be \"precise\" + which is a domain name without the terminating dot of a network + host (e.g. \"foo.example.com\") or \"wildcard\", which is a domain + name prefixed with a single wildcard label (e.g. `*.example.com`). + \n Note that as per RFC1035 and RFC1123, a *label* must consist + of lower case alphanumeric characters or '-', and must start and + end with an alphanumeric character. No other punctuation is allowed." + maxLength: 253 + minLength: 1 + pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + maxItems: 16 + type: array + parentRefs: + description: "ParentRefs references the resources (usually Gateways) + that a Route wants to be attached to. Note that the referenced parent + resource needs to allow this for the attachment to be complete. + For Gateways, that means the Gateway needs to allow attachment from + Routes of this kind and namespace. \n The only kind of parent resource + with \"Core\" support is Gateway. This API may be extended in the + future to support additional kinds of parent resources such as one + of the route kinds. \n It is invalid to reference an identical parent + more than once. It is valid to reference multiple distinct sections + within the same parent resource, such as 2 Listeners within a Gateway. + \n It is possible to separately reference multiple distinct objects + that may be collapsed by an implementation. For example, some implementations + may choose to merge compatible Gateway Listeners together. If that + is the case, the list of routes attached to those resources should + also be merged." + items: + description: "ParentReference identifies an API object (usually + a Gateway) that can be considered a parent of this resource (usually + a route). The only kind of parent resource with \"Core\" support + is Gateway. 
This API may be extended in the future to support + additional kinds of parent resources, such as HTTPRoute. \n The + API object must be valid in the cluster; the Group and Kind must + be registered in the cluster for this reference to be valid." + properties: + group: + default: policy.linkerd.io + description: "Group is the group of the referent. \n Support: + Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: Core + (Gateway) Support: Custom (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: + Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. When + unspecified (or empty string), this refers to the local namespace + of the Route. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port specifies the destination + port number to use for this resource. + Port is required when the referent is + a Kubernetes Service. In this case, the + port number is the service port number, + not the target port. For other resources, + destination port might be derived from + the referent resource or this field. \n Support: Extended" + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section within the + target resource. In the following resources, SectionName is + interpreted as the following: \n * Gateway: Listener Name. + When both Port (experimental) and SectionName are specified, + the name and port of the selected listener must match both + specified values. \n Implementations MAY choose to support + attaching Routes to other resources. 
If that is the case, + they MUST clearly document how SectionName is interpreted. + \n When unspecified (empty string), this will reference the + entire resource. For the purpose of status, an attachment + is considered successful if at least one section in the parent + resource accepts it. For example, Gateway listeners can restrict + which Routes can attach to them by Route kind, namespace, + or hostname. If 1 of 2 Gateway listeners accept attachment + from the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this + Route, the Route MUST be considered detached from the Gateway. + \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + maxItems: 32 + type: array + rules: + default: + - matches: + - path: + type: PathPrefix + value: / + description: Rules are a list of HTTP matchers, filters and actions. + items: + description: HTTPRouteRule defines semantics for matching an HTTP + request based on conditions (matches) and processing it (filters). + properties: + backendRefs: + description: "BackendRefs defines the backend(s) where matching + requests should be sent. \n Failure behavior here depends + on how many BackendRefs are specified and how many are invalid. + \n If *all* entries in BackendRefs are invalid, and there + are also no filters specified in this route rule, *all* traffic + which matches this rule MUST receive a 500 status code. \n + See the HTTPBackendRef definition for the rules about what + makes a single HTTPBackendRef invalid. \n When a HTTPBackendRef + is invalid, 500 status codes MUST be returned for requests + that would have otherwise been routed to an invalid backend. + If multiple backends are specified, and some are invalid, + the proportion of requests that would otherwise have been + routed to an invalid backend MUST receive a 500 status code. 
+ \n For example, if two backends are specified with equal weights, + and one is invalid, 50 percent of traffic must receive a 500. + Implementations may choose how that 50 percent is determined. + \n Support: Core for Kubernetes Service \n Support: Implementation-specific + for any other resource \n Support for weight: Core" + items: + description: HTTPBackendRef defines how a HTTPRoute should + forward an HTTP request. + properties: + group: + default: "" + description: Group is the group of the referent. For example, + "gateway.networking.k8s.io". When unspecified or empty + string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: Kind is kind of the referent. For example + "HTTPRoute" or "Service". Defaults to "Service" when + not specified. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the backend. + When unspecified, the local namespace is inferred. \n + Note that when a namespace is specified, a ReferenceGrant + object is required in the referent namespace to allow + that namespace's owner to accept the reference. See + the ReferenceGrant documentation for details. \n Support: + Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: Port specifies the destination port number + to use for this resource. Port is required when the + referent is a Kubernetes Service. In this case, the + port number is the service port number, not the target + port. For other resources, destination port might be + derived from the referent resource or this field. 
+ format: int32 + maximum: 65535 + minimum: 1 + type: integer + weight: + default: 1 + description: "Weight specifies the proportion of requests + forwarded to the referenced backend. This is computed + as weight/(sum of all weights in this BackendRefs list). + For non-zero values, there may be some epsilon from + the exact proportion defined here depending on the precision + an implementation supports. Weight is not a percentage + and the sum of weights does not need to equal 100. \n + If only one backend is specified and it has a weight + greater than 0, 100% of the traffic is forwarded to + that backend. If weight is set to 0, no traffic should + be forwarded for this entry. If unspecified, weight + defaults to 1. \n Support for this field varies based + on the context where used." + format: int32 + maximum: 1000000 + minimum: 0 + type: integer + required: + - name + type: object + maxItems: 16 + type: array + filters: + description: "Filters define the filters that are applied to + requests that match this rule. \n The effects of ordering + of multiple behaviors are currently unspecified. This can + change in the future based on feedback during the alpha stage. + \n Conformance-levels at this level are defined based on the + type of filter: \n - ALL core filters MUST be supported by + all implementations. - Implementers are encouraged to support + extended filters. - Implementation-specific custom filters + have no API guarantees across implementations. \n Specifying + a core filter multiple times has unspecified or custom conformance. + \n All filters are expected to be compatible with each other + except for the URLRewrite and RequestRedirect filters, which + may not be combined. If an implementation can not support + other combinations of filters, they must clearly document + that limitation. In all cases where incompatible or unsupported + filters are specified, implementations MUST add a warning + condition to status. 
\n Support: Core" + items: + description: HTTPRouteFilter defines processing steps that + must be completed during the request or response lifecycle. + HTTPRouteFilters are meant as an extension point to express + processing that may be done in Gateway implementations. + Some examples include request or response modification, + implementing authentication strategies, rate-limiting, and + traffic shaping. API guarantee/conformance is defined based + on the type of the filter. + properties: + requestHeaderModifier: + description: "RequestHeaderModifier defines a schema for + a filter that modifies request headers. \n Support: + Core" + properties: + add: + description: "Add adds the given header(s) (name, + value) to the request before the action. It appends + to any existing values associated with the header + name. \n Input: GET /foo HTTP/1.1 my-header: + foo \n Config: add: - name: \"my-header\" value: + \"bar\" \n Output: GET /foo HTTP/1.1 my-header: + foo my-header: bar" + items: + description: HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header + to be matched. Name matching MUST be case + insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an equivalent + name MUST be considered for a match. Subsequent + entries with an equivalent header name MUST + be ignored. Due to the case-insensitivity + of header names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header + to be matched. 
+ maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from the + HTTP request before the action. The value of Remove + is a list of HTTP header names. Note that the header + names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + \n Input: GET /foo HTTP/1.1 my-header1: foo + \ my-header2: bar my-header3: baz \n Config: + \ remove: [\"my-header1\", \"my-header3\"] \n Output: + \ GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with the + given header (name, value) before the action. \n + Input: GET /foo HTTP/1.1 my-header: foo \n Config: + \ set: - name: \"my-header\" value: \"bar\" + \n Output: GET /foo HTTP/1.1 my-header: bar" + items: + description: HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header + to be matched. Name matching MUST be case + insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an equivalent + name MUST be considered for a match. Subsequent + entries with an equivalent header name MUST + be ignored. Due to the case-insensitivity + of header names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header + to be matched. 
+ maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestRedirect: + description: "RequestRedirect defines a schema for a filter + that responds to the request with an HTTP redirection. + \n Support: Core" + properties: + hostname: + description: "Hostname is the hostname to be used + in the value of the `Location` header in the response. + When empty, the hostname of the request is used. + \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: "Path defines parameters used to modify + the path of the incoming request. The modified + path is then used to construct the Location header. + When empty, the request path is used as-is. + \n Suppor: Extended" + type: string + port: + description: "Port is the port to be used in the value + of the `Location` header in the response. When empty, + port (if specified) of the request is used. \n Support: + Extended" + format: int32 + maximum: 65535 + minimum: 1 + type: integer + scheme: + description: "Scheme is the scheme to be used in the + value of the `Location` header in the response. + When empty, the scheme of the request is used. \n + Support: Extended" + enum: + - http + - https + type: string + statusCode: + default: 302 + description: "StatusCode is the HTTP status code to + be used in response. \n Support: Core" + enum: + - 301 + - 302 + type: integer + type: object + type: + description: "Type identifies the type of filter to apply. + As with other API fields, types are classified into + three conformance levels: \n - Core: Filter types and + their corresponding configuration defined by \"Support: + Core\" in this package, e.g. \"RequestHeaderModifier\"." 
+ enum: + - RequestHeaderModifier + - RequestRedirect + type: string + required: + - type + type: object + maxItems: 16 + type: array + matches: + default: + - path: + type: PathPrefix + value: / + description: "Matches define conditions used for matching the + rule against incoming HTTP requests. Each match is independent, + i.e. this rule will be matched if **any** one of the matches + is satisfied. \n For example, take the following matches configuration: + \n ``` matches: - path: value: \"/foo\" headers: - + name: \"version\" value: \"v2\" - path: value: \"/v2/foo\" + ``` \n For a request to match against this rule, a request + must satisfy EITHER of the two conditions: \n - path prefixed + with `/foo` AND contains the header `version: v2` - path prefix + of `/v2/foo` \n See the documentation for HTTPRouteMatch on + how to specify multiple match conditions that should be ANDed + together. \n If no matches are specified, the default is a + prefix path match on \"/\", which has the effect of matching + every HTTP request. \n Proxy or Load Balancer routing configuration + generated from HTTPRoutes MUST prioritize rules based on the + following criteria, continuing on ties. Precedence must be + given to the the Rule with the largest number of: \n * Characters + in a matching non-wildcard hostname. * Characters in a matching + hostname. * Characters in a matching path. * Header matches. + * Query param matches. \n If ties still exist across multiple + Routes, matching precedence MUST be determined in order of + the following criteria, continuing on ties: \n * The oldest + Route based on creation timestamp. * The Route appearing first + in alphabetical order by \"{namespace}/{name}\". \n If ties + still exist within the Route that has been given precedence, + matching precedence MUST be granted to the first matching + rule meeting the above criteria. 
\n When no rules matching + a request have been successfully attached to the parent a + request is coming from, a HTTP 404 status code MUST be returned." + items: + description: "HTTPRouteMatch defines the predicate used to + match requests to a given action. Multiple match types are + ANDed together, i.e. the match will evaluate to true only + if all conditions are satisfied. \n For example, the match + below will match a HTTP request only if its path starts + with `/foo` AND it contains the `version: v1` header: \n + ``` match: path: value: \"/foo\" headers: - name: + \"version\" value \"v1\" ```" + properties: + headers: + description: Headers specifies HTTP request header matchers. + Multiple match values are ANDed together, meaning, a + request must match all the specified headers to select + the route. + items: + description: HTTPHeaderMatch describes how to select + a HTTP route by matching HTTP request headers. + properties: + name: + description: "Name is the name of the HTTP Header + to be matched. Name matching MUST be case insensitive. + (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent header + names, only the first entry with an equivalent + name MUST be considered for a match. Subsequent + entries with an equivalent header name MUST be + ignored. Due to the case-insensitivity of header + names, \"foo\" and \"Foo\" are considered equivalent. + \n When a header is repeated in an HTTP request, + it is implementation-specific behavior as to how + this is represented. Generally, proxies should + follow the guidance from the RFC: https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 + regarding processing a repeated header, with special + handling for \"Set-Cookie\"." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + type: + default: Exact + description: "Type specifies how to match against + the value of the header. 
\n Support: Core (Exact) + \n Support: Custom (RegularExpression) \n Since + RegularExpression HeaderMatchType has custom conformance, + implementations can support POSIX, PCRE or any + other dialects of regular expressions. Please + read the implementation's documentation to determine + the supported dialect." + enum: + - Exact + - RegularExpression + type: string + value: + description: Value is the value of HTTP Header to + be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + method: + description: "Method specifies HTTP method matcher. When + specified, this route will be matched only if the request + has the specified method. \n Support: Extended" + enum: + - GET + - HEAD + - POST + - PUT + - DELETE + - CONNECT + - OPTIONS + - TRACE + - PATCH + type: string + path: + default: + type: PathPrefix + value: / + description: Path specifies a HTTP request path matcher. + If this field is not specified, a default prefix match + on the "/" path is provided. + properties: + type: + default: PathPrefix + description: "Type specifies how to match against + the path Value. \n Support: Core (Exact, PathPrefix) + \n Support: Custom (RegularExpression)" + enum: + - Exact + - PathPrefix + - RegularExpression + type: string + value: + default: / + description: Value of the HTTP path to match against. + maxLength: 1024 + type: string + type: object + queryParams: + description: QueryParams specifies HTTP query parameter + matchers. Multiple match values are ANDed together, + meaning, a request must match all the specified query + parameters to select the route. + items: + description: HTTPQueryParamMatch describes how to select + a HTTP route by matching HTTP query parameters. + properties: + name: + description: Name is the name of the HTTP query + param to be matched. This must be an exact string + match. 
(See https://tools.ietf.org/html/rfc7230#section-2.7.3). + maxLength: 256 + minLength: 1 + type: string + type: + default: Exact + description: "Type specifies how to match against + the value of the query parameter. \n Support: + Extended (Exact) \n Support: Custom (RegularExpression) + \n Since RegularExpression QueryParamMatchType + has custom conformance, implementations can support + POSIX, PCRE or any other dialects of regular expressions. + Please read the implementation's documentation + to determine the supported dialect." + enum: + - Exact + - RegularExpression + type: string + value: + description: Value is the value of HTTP query param + to be matched. + maxLength: 1024 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + maxItems: 8 + type: array + type: object + maxItems: 16 + type: array + type: object + status: + description: Status defines the current state of HTTPRoute. + properties: + parents: + description: "Parents is a list of parent resources (usually Gateways) + that are associated with the route, and the status of the route + with respect to each parent. When this route attaches to a parent, + the controller that manages the parent must add an entry to this + list when the controller first sees the route and should update + the entry as appropriate when the route or gateway is modified. + \n Note that parent references that cannot be resolved by an implementation + of this API will not be added to this list. Implementations of this + API can only populate Route status for the Gateways/parent resources + they are responsible for. \n A maximum of 32 Gateways will be represented + in this list. An empty list means the route has not been attached + to any Gateway." + items: + description: RouteParentStatus describes the status of a route with + respect to an associated Parent. 
+ properties: + conditions: + description: "Conditions describes the status of the route with + respect to the Gateway. Note that the route's availability + is also subject to the Gateway's own status conditions and + listener status. \n If the Route's ParentRef specifies an + existing Gateway that supports Routes of this kind AND that + Gateway's controller has sufficient access, then that Gateway's + controller MUST set the \"Accepted\" condition on the Route, + to indicate whether the route has been accepted or rejected + by the Gateway, and why. \n A Route MUST be considered \"Accepted\" + if at least one of the Route's rules is implemented by the + Gateway. \n There are a number of cases where the \"Accepted\" + condition may not be set due to lack of controller visibility, + that includes when: \n * The Route refers to a non-existent + parent. * The Route is of a type that the controller does + not support. * The Route is in a namespace the the controller + does not have access to." + items: + description: "Condition contains details for one aspect of + the current state of this API Resource. --- This struct + is intended for direct use as an array at the field path + .status.conditions. For example, type FooStatus struct{ + \ // Represents the observations of a foo's current state. + \ // Known .status.conditions.type are: \"Available\", + \"Progressing\", and \"Degraded\" // +patchMergeKey=type + \ // +patchStrategy=merge // +listType=map // + +listMapKey=type Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` + \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should + be when the underlying condition changed. If that is + not known, then using the time when the API field changed + is acceptable. 
+ format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, + if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the + current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier + indicating the reason for the condition's last transition. + Producers of specific condition types may define expected + values and meanings for this field, and whether the + values are considered a guaranteed API. The value should + be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across + resources like Available, but because arbitrary conditions + can be useful (see .node.status.conditions), the ability + to deconflict is important. 
The regex it matches is + (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + controllerName: + description: "ControllerName is a domain/path string that indicates + the name of the controller that wrote this status. This corresponds + with the controllerName field on GatewayClass. \n Example: + \"example.net/gateway-controller\". \n The format of this + field is DOMAIN \"/\" PATH, where DOMAIN and PATH are valid + Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). + \n Controllers MUST populate this field when writing status. + Controllers should ensure that entries to status populated + with their ControllerName are cleaned up when they are no + longer necessary." + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + parentRef: + description: ParentRef corresponds with a ParentRef in the spec + that this RouteParentStatus struct describes the status of. + properties: + group: + default: policy.linkerd.io + description: "Group is the group of the referent. \n Support: + Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: + Core (Gateway) Support: Custom (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. 
\n Support: + Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. + When unspecified (or empty string), this refers to the + local namespace of the Route. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + sectionName: + description: "SectionName is the name of a section within + the target resource. In the following resources, SectionName + is interpreted as the following: \n * Gateway: Listener + Name. When both Port (experimental) and SectionName are + specified, the name and port of the selected listener + must match both specified values. \n Implementations MAY + choose to support attaching Routes to other resources. + If that is the case, they MUST clearly document how SectionName + is interpreted. \n When unspecified (empty string), this + will reference the entire resource. For the purpose of + status, an attachment is considered successful if at least + one section in the parent resource accepts it. For example, + Gateway listeners can restrict which Routes can attach + to them by Route kind, namespace, or hostname. If 1 of + 2 Gateway listeners accept attachment from the referencing + Route, the Route MUST be considered successfully attached. + If no Gateway listeners accept attachment from this Route, + the Route MUST be considered detached from the Gateway. 
+ \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + required: + - controllerName + - parentRef + type: object + maxItems: 32 + type: array + required: + - parents + type: object + required: + - spec + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .spec.hostnames + name: Hostnames + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta3 + schema: + openAPIV3Schema: + description: HTTPRoute provides a way to route HTTP requests. This includes + the capability to match requests by hostname, path, header, or query param. + Filters can be used to specify additional processing steps. Backends specify + where matching requests should be routed. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of HTTPRoute. + properties: + hostnames: + description: "Hostnames defines a set of hostname that should match + against the HTTP Host header to select a HTTPRoute to process the + request. This matches the RFC 1123 definition of a hostname with + 2 notable exceptions: \n 1. IPs are not allowed. 2. 
A hostname may + be prefixed with a wildcard label (`*.`). The wildcard label + must appear by itself as the first label. \n If a hostname is specified + by both the Listener and HTTPRoute, there must be at least one intersecting + hostname for the HTTPRoute to be attached to the Listener. For example: + \n * A Listener with `test.example.com` as the hostname matches + HTTPRoutes that have either not specified any hostnames, or have + specified at least one of `test.example.com` or `*.example.com`. + * A Listener with `*.example.com` as the hostname matches HTTPRoutes + \ that have either not specified any hostnames or have specified + at least one hostname that matches the Listener hostname. For + example, `*.example.com`, `test.example.com`, and `foo.test.example.com` + would all match. On the other hand, `example.com` and `test.example.net` + would not match. \n Hostnames that are prefixed with a wildcard + label (`*.`) are interpreted as a suffix match. That means that + a match for `*.example.com` would match both `test.example.com`, + and `foo.test.example.com`, but not `example.com`. \n If both the + Listener and HTTPRoute have specified hostnames, any HTTPRoute hostnames + that do not match the Listener hostname MUST be ignored. For example, + if a Listener specified `*.example.com`, and the HTTPRoute specified + `test.example.com` and `test.example.net`, `test.example.net` must + not be considered for a match. \n If both the Listener and HTTPRoute + have specified hostnames, and none match with the criteria above, + then the HTTPRoute is not accepted. The implementation must raise + an 'Accepted' Condition with a status of `False` in the corresponding + RouteParentStatus. \n Support: Core" + items: + description: "Hostname is the fully qualified domain name of a network + host. This matches the RFC 1123 definition of a hostname with + 2 notable exceptions: \n 1. IPs are not allowed. 2. A hostname + may be prefixed with a wildcard label (`*.`). 
The wildcard label + must appear by itself as the first label. \n Hostname can be \"precise\" + which is a domain name without the terminating dot of a network + host (e.g. \"foo.example.com\") or \"wildcard\", which is a domain + name prefixed with a single wildcard label (e.g. `*.example.com`). + \n Note that as per RFC1035 and RFC1123, a *label* must consist + of lower case alphanumeric characters or '-', and must start and + end with an alphanumeric character. No other punctuation is allowed." + maxLength: 253 + minLength: 1 + pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + maxItems: 16 + type: array + parentRefs: + description: "ParentRefs references the resources (usually Gateways) + that a Route wants to be attached to. Note that the referenced parent + resource needs to allow this for the attachment to be complete. + For Gateways, that means the Gateway needs to allow attachment from + Routes of this kind and namespace. \n The only kind of parent resource + with \"Core\" support is Gateway. This API may be extended in the + future to support additional kinds of parent resources such as one + of the route kinds. \n It is invalid to reference an identical parent + more than once. It is valid to reference multiple distinct sections + within the same parent resource, such as 2 Listeners within a Gateway. + \n It is possible to separately reference multiple distinct objects + that may be collapsed by an implementation. For example, some implementations + may choose to merge compatible Gateway Listeners together. If that + is the case, the list of routes attached to those resources should + also be merged." + items: + description: "ParentReference identifies an API object (usually + a Gateway) that can be considered a parent of this resource (usually + a route). The only kind of parent resource with \"Core\" support + is Gateway. 
This API may be extended in the future to support + additional kinds of parent resources, such as HTTPRoute. \n The + API object must be valid in the cluster; the Group and Kind must + be registered in the cluster for this reference to be valid." + properties: + group: + default: policy.linkerd.io + description: "Group is the group of the referent. \n Support: + Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: Core + (Gateway) Support: Custom (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: + Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. When + unspecified (or empty string), this refers to the local namespace + of the Route. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port specifies the destination + port number to use for this resource. + Port is required when the referent is + a Kubernetes Service. In this case, the + port number is the service port number, + not the target port. For other resources, + destination port might be derived from + the referent resource or this field. \n Support: Extended" + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section within the + target resource. In the following resources, SectionName is + interpreted as the following: \n * Gateway: Listener Name. + When both Port (experimental) and SectionName are specified, + the name and port of the selected listener must match both + specified values. \n Implementations MAY choose to support + attaching Routes to other resources. 
If that is the case, + they MUST clearly document how SectionName is interpreted. + \n When unspecified (empty string), this will reference the + entire resource. For the purpose of status, an attachment + is considered successful if at least one section in the parent + resource accepts it. For example, Gateway listeners can restrict + which Routes can attach to them by Route kind, namespace, + or hostname. If 1 of 2 Gateway listeners accept attachment + from the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this + Route, the Route MUST be considered detached from the Gateway. + \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + maxItems: 32 + type: array + rules: + default: + - matches: + - path: + type: PathPrefix + value: / + description: Rules are a list of HTTP matchers, filters and actions. + items: + description: HTTPRouteRule defines semantics for matching an HTTP + request based on conditions (matches) and processing it (filters). + properties: + backendRefs: + description: "BackendRefs defines the backend(s) where matching + requests should be sent. \n Failure behavior here depends + on how many BackendRefs are specified and how many are invalid. + \n If *all* entries in BackendRefs are invalid, and there + are also no filters specified in this route rule, *all* traffic + which matches this rule MUST receive a 500 status code. \n + See the HTTPBackendRef definition for the rules about what + makes a single HTTPBackendRef invalid. \n When a HTTPBackendRef + is invalid, 500 status codes MUST be returned for requests + that would have otherwise been routed to an invalid backend. + If multiple backends are specified, and some are invalid, + the proportion of requests that would otherwise have been + routed to an invalid backend MUST receive a 500 status code. 
+ \n For example, if two backends are specified with equal weights, + and one is invalid, 50 percent of traffic must receive a 500. + Implementations may choose how that 50 percent is determined. + \n Support: Core for Kubernetes Service \n Support: Implementation-specific + for any other resource \n Support for weight: Core" + items: + description: HTTPBackendRef defines how a HTTPRoute should + forward an HTTP request. + properties: + group: + default: "" + description: Group is the group of the referent. For example, + "gateway.networking.k8s.io". When unspecified or empty + string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: Kind is kind of the referent. For example + "HTTPRoute" or "Service". Defaults to "Service" when + not specified. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the backend. + When unspecified, the local namespace is inferred. \n + Note that when a namespace is specified, a ReferenceGrant + object is required in the referent namespace to allow + that namespace's owner to accept the reference. See + the ReferenceGrant documentation for details. \n Support: + Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: Port specifies the destination port number + to use for this resource. Port is required when the + referent is a Kubernetes Service. In this case, the + port number is the service port number, not the target + port. For other resources, destination port might be + derived from the referent resource or this field. 
+ format: int32 + maximum: 65535 + minimum: 1 + type: integer + weight: + default: 1 + description: "Weight specifies the proportion of requests + forwarded to the referenced backend. This is computed + as weight/(sum of all weights in this BackendRefs list). + For non-zero values, there may be some epsilon from + the exact proportion defined here depending on the precision + an implementation supports. Weight is not a percentage + and the sum of weights does not need to equal 100. \n + If only one backend is specified and it has a weight + greater than 0, 100% of the traffic is forwarded to + that backend. If weight is set to 0, no traffic should + be forwarded for this entry. If unspecified, weight + defaults to 1. \n Support for this field varies based + on the context where used." + format: int32 + maximum: 1000000 + minimum: 0 + type: integer + required: + - name + type: object + maxItems: 16 + type: array + filters: + description: "Filters define the filters that are applied to + requests that match this rule. \n The effects of ordering + of multiple behaviors are currently unspecified. This can + change in the future based on feedback during the alpha stage. + \n Conformance-levels at this level are defined based on the + type of filter: \n - ALL core filters MUST be supported by + all implementations. - Implementers are encouraged to support + extended filters. - Implementation-specific custom filters + have no API guarantees across implementations. \n Specifying + a core filter multiple times has unspecified or custom conformance. + \n All filters are expected to be compatible with each other + except for the URLRewrite and RequestRedirect filters, which + may not be combined. If an implementation can not support + other combinations of filters, they must clearly document + that limitation. In all cases where incompatible or unsupported + filters are specified, implementations MUST add a warning + condition to status. 
\n Support: Core" + items: + description: HTTPRouteFilter defines processing steps that + must be completed during the request or response lifecycle. + HTTPRouteFilters are meant as an extension point to express + processing that may be done in Gateway implementations. + Some examples include request or response modification, + implementing authentication strategies, rate-limiting, and + traffic shaping. API guarantee/conformance is defined based + on the type of the filter. + properties: + requestHeaderModifier: + description: "RequestHeaderModifier defines a schema for + a filter that modifies request headers. \n Support: + Core" + properties: + add: + description: "Add adds the given header(s) (name, + value) to the request before the action. It appends + to any existing values associated with the header + name. \n Input: GET /foo HTTP/1.1 my-header: + foo \n Config: add: - name: \"my-header\" value: + \"bar\" \n Output: GET /foo HTTP/1.1 my-header: + foo my-header: bar" + items: + description: HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header + to be matched. Name matching MUST be case + insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an equivalent + name MUST be considered for a match. Subsequent + entries with an equivalent header name MUST + be ignored. Due to the case-insensitivity + of header names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header + to be matched. 
+ maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from the + HTTP request before the action. The value of Remove + is a list of HTTP header names. Note that the header + names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + \n Input: GET /foo HTTP/1.1 my-header1: foo + \ my-header2: bar my-header3: baz \n Config: + \ remove: [\"my-header1\", \"my-header3\"] \n Output: + \ GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with the + given header (name, value) before the action. \n + Input: GET /foo HTTP/1.1 my-header: foo \n Config: + \ set: - name: \"my-header\" value: \"bar\" + \n Output: GET /foo HTTP/1.1 my-header: bar" + items: + description: HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header + to be matched. Name matching MUST be case + insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an equivalent + name MUST be considered for a match. Subsequent + entries with an equivalent header name MUST + be ignored. Due to the case-insensitivity + of header names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header + to be matched. 
+ maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestRedirect: + description: "RequestRedirect defines a schema for a filter + that responds to the request with an HTTP redirection. + \n Support: Core" + properties: + hostname: + description: "Hostname is the hostname to be used + in the value of the `Location` header in the response. + When empty, the hostname of the request is used. + \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: "Path defines parameters used to modify + the path of the incoming request. The modified + path is then used to construct the Location header. + When empty, the request path is used as-is. + \n Suppor: Extended" + type: string + port: + description: "Port is the port to be used in the value + of the `Location` header in the response. When empty, + port (if specified) of the request is used. \n Support: + Extended" + format: int32 + maximum: 65535 + minimum: 1 + type: integer + scheme: + description: "Scheme is the scheme to be used in the + value of the `Location` header in the response. + When empty, the scheme of the request is used. \n + Support: Extended" + enum: + - http + - https + type: string + statusCode: + default: 302 + description: "StatusCode is the HTTP status code to + be used in response. \n Support: Core" + enum: + - 301 + - 302 + type: integer + type: object + type: + description: "Type identifies the type of filter to apply. + As with other API fields, types are classified into + three conformance levels: \n - Core: Filter types and + their corresponding configuration defined by \"Support: + Core\" in this package, e.g. \"RequestHeaderModifier\"." 
+ enum: + - RequestHeaderModifier + - RequestRedirect + type: string + required: + - type + type: object + maxItems: 16 + type: array + matches: + default: + - path: + type: PathPrefix + value: / + description: "Matches define conditions used for matching the + rule against incoming HTTP requests. Each match is independent, + i.e. this rule will be matched if **any** one of the matches + is satisfied. \n For example, take the following matches configuration: + \n ``` matches: - path: value: \"/foo\" headers: - + name: \"version\" value: \"v2\" - path: value: \"/v2/foo\" + ``` \n For a request to match against this rule, a request + must satisfy EITHER of the two conditions: \n - path prefixed + with `/foo` AND contains the header `version: v2` - path prefix + of `/v2/foo` \n See the documentation for HTTPRouteMatch on + how to specify multiple match conditions that should be ANDed + together. \n If no matches are specified, the default is a + prefix path match on \"/\", which has the effect of matching + every HTTP request. \n Proxy or Load Balancer routing configuration + generated from HTTPRoutes MUST prioritize rules based on the + following criteria, continuing on ties. Precedence must be + given to the the Rule with the largest number of: \n * Characters + in a matching non-wildcard hostname. * Characters in a matching + hostname. * Characters in a matching path. * Header matches. + * Query param matches. \n If ties still exist across multiple + Routes, matching precedence MUST be determined in order of + the following criteria, continuing on ties: \n * The oldest + Route based on creation timestamp. * The Route appearing first + in alphabetical order by \"{namespace}/{name}\". \n If ties + still exist within the Route that has been given precedence, + matching precedence MUST be granted to the first matching + rule meeting the above criteria. 
\n When no rules matching + a request have been successfully attached to the parent a + request is coming from, a HTTP 404 status code MUST be returned." + items: + description: "HTTPRouteMatch defines the predicate used to + match requests to a given action. Multiple match types are + ANDed together, i.e. the match will evaluate to true only + if all conditions are satisfied. \n For example, the match + below will match a HTTP request only if its path starts + with `/foo` AND it contains the `version: v1` header: \n + ``` match: path: value: \"/foo\" headers: - name: + \"version\" value \"v1\" ```" + properties: + headers: + description: Headers specifies HTTP request header matchers. + Multiple match values are ANDed together, meaning, a + request must match all the specified headers to select + the route. + items: + description: HTTPHeaderMatch describes how to select + a HTTP route by matching HTTP request headers. + properties: + name: + description: "Name is the name of the HTTP Header + to be matched. Name matching MUST be case insensitive. + (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent header + names, only the first entry with an equivalent + name MUST be considered for a match. Subsequent + entries with an equivalent header name MUST be + ignored. Due to the case-insensitivity of header + names, \"foo\" and \"Foo\" are considered equivalent. + \n When a header is repeated in an HTTP request, + it is implementation-specific behavior as to how + this is represented. Generally, proxies should + follow the guidance from the RFC: https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 + regarding processing a repeated header, with special + handling for \"Set-Cookie\"." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + type: + default: Exact + description: "Type specifies how to match against + the value of the header. 
\n Support: Core (Exact) + \n Support: Custom (RegularExpression) \n Since + RegularExpression HeaderMatchType has custom conformance, + implementations can support POSIX, PCRE or any + other dialects of regular expressions. Please + read the implementation's documentation to determine + the supported dialect." + enum: + - Exact + - RegularExpression + type: string + value: + description: Value is the value of HTTP Header to + be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + method: + description: "Method specifies HTTP method matcher. When + specified, this route will be matched only if the request + has the specified method. \n Support: Extended" + enum: + - GET + - HEAD + - POST + - PUT + - DELETE + - CONNECT + - OPTIONS + - TRACE + - PATCH + type: string + path: + default: + type: PathPrefix + value: / + description: Path specifies a HTTP request path matcher. + If this field is not specified, a default prefix match + on the "/" path is provided. + properties: + type: + default: PathPrefix + description: "Type specifies how to match against + the path Value. \n Support: Core (Exact, PathPrefix) + \n Support: Custom (RegularExpression)" + enum: + - Exact + - PathPrefix + - RegularExpression + type: string + value: + default: / + description: Value of the HTTP path to match against. + maxLength: 1024 + type: string + type: object + queryParams: + description: QueryParams specifies HTTP query parameter + matchers. Multiple match values are ANDed together, + meaning, a request must match all the specified query + parameters to select the route. + items: + description: HTTPQueryParamMatch describes how to select + a HTTP route by matching HTTP query parameters. + properties: + name: + description: Name is the name of the HTTP query + param to be matched. This must be an exact string + match. 
(See https://tools.ietf.org/html/rfc7230#section-2.7.3). + maxLength: 256 + minLength: 1 + type: string + type: + default: Exact + description: "Type specifies how to match against + the value of the query parameter. \n Support: + Extended (Exact) \n Support: Custom (RegularExpression) + \n Since RegularExpression QueryParamMatchType + has custom conformance, implementations can support + POSIX, PCRE or any other dialects of regular expressions. + Please read the implementation's documentation + to determine the supported dialect." + enum: + - Exact + - RegularExpression + type: string + value: + description: Value is the value of HTTP query param + to be matched. + maxLength: 1024 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + maxItems: 8 + type: array + timeouts: + description: "Timeouts defines the timeouts that can be configured + for an HTTP request. \n Support: Core \n " + properties: + backendRequest: + description: "BackendRequest specifies a timeout for an + individual request from the gateway to a backend service. + Typically used in conjunction with automatic retries, + if supported by an implementation. Default is the value + of Request timeout. \n Support: Extended" + format: duration + type: string + request: + description: "Request specifies a timeout for responding + to client HTTP requests, disabled by default. \n For example, + the following rule will timeout if a client request is + taking longer than 10 seconds to complete: \n ``` rules: + - timeouts: request: 10s backendRefs: ... ``` \n Support: + Core" + format: duration + type: string + type: object + type: object + maxItems: 16 + type: array + type: object + status: + description: Status defines the current state of HTTPRoute. 
+ properties: + parents: + description: "Parents is a list of parent resources (usually Gateways) + that are associated with the route, and the status of the route + with respect to each parent. When this route attaches to a parent, + the controller that manages the parent must add an entry to this + list when the controller first sees the route and should update + the entry as appropriate when the route or gateway is modified. + \n Note that parent references that cannot be resolved by an implementation + of this API will not be added to this list. Implementations of this + API can only populate Route status for the Gateways/parent resources + they are responsible for. \n A maximum of 32 Gateways will be represented + in this list. An empty list means the route has not been attached + to any Gateway." + items: + description: RouteParentStatus describes the status of a route with + respect to an associated Parent. + properties: + conditions: + description: "Conditions describes the status of the route with + respect to the Gateway. Note that the route's availability + is also subject to the Gateway's own status conditions and + listener status. \n If the Route's ParentRef specifies an + existing Gateway that supports Routes of this kind AND that + Gateway's controller has sufficient access, then that Gateway's + controller MUST set the \"Accepted\" condition on the Route, + to indicate whether the route has been accepted or rejected + by the Gateway, and why. \n A Route MUST be considered \"Accepted\" + if at least one of the Route's rules is implemented by the + Gateway. \n There are a number of cases where the \"Accepted\" + condition may not be set due to lack of controller visibility, + that includes when: \n * The Route refers to a non-existent + parent. * The Route is of a type that the controller does + not support. * The Route is in a namespace the the controller + does not have access to." 
+ items: + description: "Condition contains details for one aspect of + the current state of this API Resource. --- This struct + is intended for direct use as an array at the field path + .status.conditions. For example, type FooStatus struct{ + \ // Represents the observations of a foo's current state. + \ // Known .status.conditions.type are: \"Available\", + \"Progressing\", and \"Degraded\" // +patchMergeKey=type + \ // +patchStrategy=merge // +listType=map // + +listMapKey=type Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` + \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should + be when the underlying condition changed. If that is + not known, then using the time when the API field changed + is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, + if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the + current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier + indicating the reason for the condition's last transition. + Producers of specific condition types may define expected + values and meanings for this field, and whether the + values are considered a guaranteed API. The value should + be a CamelCase string. This field may not be empty. 
+ maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across + resources like Available, but because arbitrary conditions + can be useful (see .node.status.conditions), the ability + to deconflict is important. The regex it matches is + (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + controllerName: + description: "ControllerName is a domain/path string that indicates + the name of the controller that wrote this status. This corresponds + with the controllerName field on GatewayClass. \n Example: + \"example.net/gateway-controller\". \n The format of this + field is DOMAIN \"/\" PATH, where DOMAIN and PATH are valid + Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). + \n Controllers MUST populate this field when writing status. + Controllers should ensure that entries to status populated + with their ControllerName are cleaned up when they are no + longer necessary." + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + parentRef: + description: ParentRef corresponds with a ParentRef in the spec + that this RouteParentStatus struct describes the status of. 
+ properties: + group: + default: policy.linkerd.io + description: "Group is the group of the referent. \n Support: + Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: + Core (Gateway) Support: Custom (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: + Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. + When unspecified (or empty string), this refers to the + local namespace of the Route. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + sectionName: + description: "SectionName is the name of a section within + the target resource. In the following resources, SectionName + is interpreted as the following: \n * Gateway: Listener + Name. When both Port (experimental) and SectionName are + specified, the name and port of the selected listener + must match both specified values. \n Implementations MAY + choose to support attaching Routes to other resources. + If that is the case, they MUST clearly document how SectionName + is interpreted. \n When unspecified (empty string), this + will reference the entire resource. For the purpose of + status, an attachment is considered successful if at least + one section in the parent resource accepts it. For example, + Gateway listeners can restrict which Routes can attach + to them by Route kind, namespace, or hostname. If 1 of + 2 Gateway listeners accept attachment from the referencing + Route, the Route MUST be considered successfully attached. + If no Gateway listeners accept attachment from this Route, + the Route MUST be considered detached from the Gateway. 
+ \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + required: + - controllerName + - parentRef + type: object + maxItems: 32 + type: array + required: + - parents + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: servers.policy.linkerd.io +spec: + group: policy.linkerd.io + names: + kind: Server + plural: servers + singular: server + shortNames: [srv] + scope: Namespaced + versions: + - name: v1alpha1 + served: true + storage: false + deprecated: true + deprecationWarning: "policy.linkerd.io/v1alpha1 Server is deprecated; use policy.linkerd.io/v1beta1 Server" + schema: + openAPIV3Schema: + type: object + required: [spec] + properties: + spec: + type: object + required: + - podSelector + - port + properties: + podSelector: + type: object + description: >- + Selects pods in the same namespace. + oneOf: + - required: [matchExpressions] + - required: [matchLabels] + properties: + matchLabels: + type: object + x-kubernetes-preserve-unknown-fields: true + matchExpressions: + type: array + items: + type: object + required: [key, operator] + properties: + key: + type: string + operator: + type: string + enum: [In, NotIn, Exists, DoesNotExist] + values: + type: array + items: + type: string + port: + description: >- + A port name or number. Must exist in a pod spec. + x-kubernetes-int-or-string: true + proxyProtocol: + description: >- + Configures protocol discovery for inbound connections. + + Supersedes the `config.linkerd.io/opaque-ports` annotation. 
+ type: string + default: unknown + - name: v1beta1 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + required: [spec] + properties: + spec: + type: object + required: + - podSelector + - port + properties: + podSelector: + type: object + description: >- + Selects pods in the same namespace. + + The result of matchLabels and matchExpressions are ANDed. + Selects all if empty. + properties: + matchLabels: + type: object + x-kubernetes-preserve-unknown-fields: true + matchExpressions: + type: array + items: + type: object + required: [key, operator] + properties: + key: + type: string + operator: + type: string + enum: [In, NotIn, Exists, DoesNotExist] + values: + type: array + items: + type: string + port: + description: >- + A port name or number. Must exist in a pod spec. + x-kubernetes-int-or-string: true + proxyProtocol: + description: >- + Configures protocol discovery for inbound connections. + + Supersedes the `config.linkerd.io/opaque-ports` annotation. + type: string + default: unknown + additionalPrinterColumns: + - name: Port + type: string + description: The port the server is listening on + jsonPath: .spec.port + - name: Protocol + type: string + description: The protocol of the server + jsonPath: .spec.proxyProtocol \ No newline at end of file diff --git a/CRDs/machineset.yaml b/CRDs/machineset.yaml new file mode 100644 index 000000000..c3d13f91c --- /dev/null +++ b/CRDs/machineset.yaml 
@@ -0,0 +1,639 @@ +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1 +metadata: + name: machinesets.machine.openshift.io +spec: + group: machine.openshift.io + names: + plural: machinesets + singular: machineset + kind: MachineSet + listKind: MachineSetList + scope: Namespaced + versions: + - name: v1beta1 + served: true + storage: true + schema: + openAPIV3Schema: + description: >- + MachineSet ensures that a specified number of machines replicas are + running at any given time. Compatibility level 2: Stable within a + major release for a minimum of 9 months or 3 minor releases + (whichever is longer). + type: object + properties: + apiVersion: + description: >- + APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the + latest internal value, and may reject unrecognized values. More + info: + https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: >- + Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the + client submits requests to. Cannot be updated. In CamelCase. + More info: + https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: MachineSetSpec defines the desired state of MachineSet + type: object + properties: + deletePolicy: + description: >- + DeletePolicy defines the policy used to identify nodes to + delete when downscaling. Defaults to "Random". Valid values + are "Random, "Newest", "Oldest" + type: string + enum: + - Random + - Newest + - Oldest + minReadySeconds: + description: >- + MinReadySeconds is the minimum number of seconds for which a + newly created machine should be ready. 
Defaults to 0 + (machine will be considered available as soon as it is + ready) + type: integer + format: int32 + replicas: + description: >- + Replicas is the number of desired replicas. This is a + pointer to distinguish between explicit zero and + unspecified. Defaults to 1. + type: integer + format: int32 + default: 1 + selector: + description: >- + Selector is a label query over machines that should match + the replica count. Label keys and values that must match in + order to be controlled by this MachineSet. It must match the + machine template's labels. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors + type: object + properties: + matchExpressions: + description: >- + matchExpressions is a list of label selector + requirements. The requirements are ANDed. + type: array + items: + description: >- + A label selector requirement is a selector that + contains values, a key, and an operator that relates + the key and values. + type: object + required: + - key + - operator + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: >- + operator represents a key's relationship to a set + of values. Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: >- + values is an array of string values. If the + operator is In or NotIn, the values array must be + non-empty. If the operator is Exists or + DoesNotExist, the values array must be empty. This + array is replaced during a strategic merge patch. + type: array + items: + type: string + matchLabels: + description: >- + matchLabels is a map of {key,value} pairs. A single + {key,value} in the matchLabels map is equivalent to an + element of matchExpressions, whose key field is "key", + the operator is "In", and the values array contains only + "value". The requirements are ANDed. 
+ type: object + additionalProperties: + type: string + x-kubernetes-map-type: atomic + template: + description: >- + Template is the object that describes the machine that will + be created if insufficient replicas are detected. + type: object + properties: + metadata: + description: >- + Standard object's metadata. More info: + https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + type: object + properties: + annotations: + description: >- + Annotations is an unstructured key value map stored + with a resource that may be set by external tools to + store and retrieve arbitrary metadata. They are not + queryable and should be preserved when modifying + objects. More info: + http://kubernetes.io/docs/user-guide/annotations + type: object + additionalProperties: + type: string + generateName: + description: >- + GenerateName is an optional prefix, used by the + server, to generate a unique name ONLY IF the Name + field has not been provided. If this field is used, + the name returned to the client will be different + than the name passed. This value will also be + combined with a unique suffix. The provided value + has the same validation rules as the Name field, and + may be truncated by the length of the suffix + required to make the value unique on the server. + If this field is specified and the generated name exists, the server will NOT return a 409 - instead, it will either return 201 Created or 500 with Reason ServerTimeout indicating a unique name could not be found in the time allotted, and the client should retry (optionally after the time indicated in the Retry-After header). + Applied only if Name is not specified. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#idempotency + type: string + labels: + description: >- + Map of string keys and values that can be used to + organize and categorize (scope and select) objects. 
+ May match selectors of replication controllers and + services. More info: + http://kubernetes.io/docs/user-guide/labels + type: object + additionalProperties: + type: string + name: + description: >- + Name must be unique within a namespace. Is required + when creating resources, although some resources may + allow a client to request the generation of an + appropriate name automatically. Name is primarily + intended for creation idempotence and configuration + definition. Cannot be updated. More info: + http://kubernetes.io/docs/user-guide/identifiers#names + type: string + namespace: + description: >- + Namespace defines the space within each name must be + unique. An empty namespace is equivalent to the + "default" namespace, but "default" is the canonical + representation. Not all objects are required to be + scoped to a namespace - the value of this field for + those objects will be empty. + Must be a DNS_LABEL. Cannot be updated. More info: http://kubernetes.io/docs/user-guide/namespaces + type: string + ownerReferences: + description: >- + List of objects depended by this object. If ALL + objects in the list have been deleted, this object + will be garbage collected. If this object is managed + by a controller, then an entry in this list will + point to this controller, with the controller field + set to true. There cannot be more than one managing + controller. + type: array + items: + description: >- + OwnerReference contains enough information to let + you identify an owning object. An owning object + must be in the same namespace as the dependent, or + be cluster-scoped, so there is no namespace field. + type: object + required: + - apiVersion + - kind + - name + - uid + properties: + apiVersion: + description: API version of the referent. 
+ type: string + blockOwnerDeletion: + description: >- + If true, AND if the owner has the + "foregroundDeletion" finalizer, then the owner + cannot be deleted from the key-value store + until this reference is removed. See + https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion + for how the garbage collector interacts with + this field and enforces the foreground + deletion. Defaults to false. To set this + field, a user needs "delete" permission of the + owner, otherwise 422 (Unprocessable Entity) + will be returned. + type: boolean + controller: + description: >- + If true, this reference points to the managing + controller. + type: boolean + kind: + description: >- + Kind of the referent. More info: + https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + name: + description: >- + Name of the referent. More info: + http://kubernetes.io/docs/user-guide/identifiers#names + type: string + uid: + description: >- + UID of the referent. More info: + http://kubernetes.io/docs/user-guide/identifiers#uids + type: string + x-kubernetes-map-type: atomic + spec: + description: >- + Specification of the desired behavior of the machine. + More info: + https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status + type: object + properties: + lifecycleHooks: + description: >- + LifecycleHooks allow users to pause operations on + the machine at certain predefined points within the + machine lifecycle. + type: object + properties: + preDrain: + description: >- + PreDrain hooks prevent the machine from being + drained. This also blocks further lifecycle + events, such as termination. + type: array + items: + description: >- + LifecycleHook represents a single instance of + a lifecycle hook + type: object + required: + - name + - owner + properties: + name: + description: >- + Name defines a unique name for the + lifcycle hook. 
The name should be unique + and descriptive, ideally 1-3 words, in + CamelCase or it may be namespaced, eg. + foo.example.com/CamelCase. Names must be + unique and should only be managed by a + single entity. + type: string + maxLength: 256 + minLength: 3 + pattern: >- + ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + owner: + description: >- + Owner defines the owner of the lifecycle + hook. This should be descriptive enough so + that users can identify who/what is + responsible for blocking the lifecycle. + This could be the name of a controller + (e.g. clusteroperator/etcd) or an + administrator managing the hook. + type: string + maxLength: 512 + minLength: 3 + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + preTerminate: + description: >- + PreTerminate hooks prevent the machine from + being terminated. PreTerminate hooks be actioned + after the Machine has been drained. + type: array + items: + description: >- + LifecycleHook represents a single instance of + a lifecycle hook + type: object + required: + - name + - owner + properties: + name: + description: >- + Name defines a unique name for the + lifcycle hook. The name should be unique + and descriptive, ideally 1-3 words, in + CamelCase or it may be namespaced, eg. + foo.example.com/CamelCase. Names must be + unique and should only be managed by a + single entity. + type: string + maxLength: 256 + minLength: 3 + pattern: >- + ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + owner: + description: >- + Owner defines the owner of the lifecycle + hook. This should be descriptive enough so + that users can identify who/what is + responsible for blocking the lifecycle. + This could be the name of a controller + (e.g. clusteroperator/etcd) or an + administrator managing the hook. 
+ type: string + maxLength: 512 + minLength: 3 + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + metadata: + description: >- + ObjectMeta will autopopulate the Node created. Use + this to indicate what labels, annotations, name + prefix, etc., should be used when creating the Node. + type: object + properties: + annotations: + description: >- + Annotations is an unstructured key value map + stored with a resource that may be set by + external tools to store and retrieve arbitrary + metadata. They are not queryable and should be + preserved when modifying objects. More info: + http://kubernetes.io/docs/user-guide/annotations + type: object + additionalProperties: + type: string + generateName: + description: >- + GenerateName is an optional prefix, used by the + server, to generate a unique name ONLY IF the + Name field has not been provided. If this field + is used, the name returned to the client will be + different than the name passed. This value will + also be combined with a unique suffix. The + provided value has the same validation rules as + the Name field, and may be truncated by the + length of the suffix required to make the value + unique on the server. + If this field is specified and the generated name exists, the server will NOT return a 409 - instead, it will either return 201 Created or 500 with Reason ServerTimeout indicating a unique name could not be found in the time allotted, and the client should retry (optionally after the time indicated in the Retry-After header). + Applied only if Name is not specified. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#idempotency + type: string + labels: + description: >- + Map of string keys and values that can be used + to organize and categorize (scope and select) + objects. May match selectors of replication + controllers and services. 
More info: + http://kubernetes.io/docs/user-guide/labels + type: object + additionalProperties: + type: string + name: + description: >- + Name must be unique within a namespace. Is + required when creating resources, although some + resources may allow a client to request the + generation of an appropriate name automatically. + Name is primarily intended for creation + idempotence and configuration definition. Cannot + be updated. More info: + http://kubernetes.io/docs/user-guide/identifiers#names + type: string + namespace: + description: >- + Namespace defines the space within each name + must be unique. An empty namespace is equivalent + to the "default" namespace, but "default" is the + canonical representation. Not all objects are + required to be scoped to a namespace - the value + of this field for those objects will be empty. + Must be a DNS_LABEL. Cannot be updated. More info: http://kubernetes.io/docs/user-guide/namespaces + type: string + ownerReferences: + description: >- + List of objects depended by this object. If ALL + objects in the list have been deleted, this + object will be garbage collected. If this object + is managed by a controller, then an entry in + this list will point to this controller, with + the controller field set to true. There cannot + be more than one managing controller. + type: array + items: + description: >- + OwnerReference contains enough information to + let you identify an owning object. An owning + object must be in the same namespace as the + dependent, or be cluster-scoped, so there is + no namespace field. + type: object + required: + - apiVersion + - kind + - name + - uid + properties: + apiVersion: + description: API version of the referent. + type: string + blockOwnerDeletion: + description: >- + If true, AND if the owner has the + "foregroundDeletion" finalizer, then the + owner cannot be deleted from the key-value + store until this reference is removed. 
See + https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion + for how the garbage collector interacts + with this field and enforces the + foreground deletion. Defaults to false. To + set this field, a user needs "delete" + permission of the owner, otherwise 422 + (Unprocessable Entity) will be returned. + type: boolean + controller: + description: >- + If true, this reference points to the + managing controller. + type: boolean + kind: + description: >- + Kind of the referent. More info: + https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + name: + description: >- + Name of the referent. More info: + http://kubernetes.io/docs/user-guide/identifiers#names + type: string + uid: + description: >- + UID of the referent. More info: + http://kubernetes.io/docs/user-guide/identifiers#uids + type: string + x-kubernetes-map-type: atomic + providerID: + description: >- + ProviderID is the identification ID of the machine + provided by the provider. This field must match the + provider ID as seen on the node object corresponding + to this machine. This field is required by higher + level consumers of cluster-api. Example use case is + cluster autoscaler with cluster-api as provider. + Clean-up logic in the autoscaler compares machines + to nodes to find out machines at provider which + could not get registered as Kubernetes nodes. With + cluster-api as a generic out-of-tree provider for + autoscaler, this field is required by autoscaler to + be able to have a provider view of the list of + machines. Another list of nodes is queried from the + k8s apiserver and then a comparison is done to find + out unregistered machines and are marked for delete. + This field will be set by the actuators and consumed + by higher level entities like autoscaler that will + be interfacing with cluster-api as generic provider. 
+ type: string + providerSpec: + description: >- + ProviderSpec details Provider-specific configuration + to use during node creation. + type: object + properties: + value: + description: >- + Value is an inlined, serialized representation + of the resource configuration. It is recommended + that providers maintain their own versioned API + types that should be serialized/deserialized + from this field, akin to component config. + type: object + x-kubernetes-preserve-unknown-fields: true + taints: + description: >- + The list of the taints to be applied to the + corresponding Node in additive manner. This list + will not overwrite any other taints added to the + Node on an ongoing basis by other entities. These + taints should be actively reconciled e.g. if you ask + the machine controller to apply a taint and then + manually remove the taint the machine controller + will put it back) but not have the machine + controller remove any taints + type: array + items: + description: >- + The node this Taint is attached to has the + "effect" on any pod that does not tolerate the + Taint. + type: object + required: + - effect + - key + properties: + effect: + description: >- + Required. The effect of the taint on pods that + do not tolerate the taint. Valid effects are + NoSchedule, PreferNoSchedule and NoExecute. + type: string + key: + description: >- + Required. The taint key to be applied to a + node. + type: string + timeAdded: + description: >- + TimeAdded represents the time at which the + taint was added. It is only written for + NoExecute taints. + type: string + format: date-time + value: + description: >- + The taint value corresponding to the taint + key. + type: string + status: + description: MachineSetStatus defines the observed state of MachineSet + type: object + properties: + availableReplicas: + description: >- + The number of available replicas (ready for at least + minReadySeconds) for this MachineSet. 
+ type: integer + format: int32 + errorMessage: + type: string + errorReason: + description: >- + In the event that there is a terminal problem reconciling + the replicas, both ErrorReason and ErrorMessage will be set. + ErrorReason will be populated with a succinct value suitable + for machine interpretation, while ErrorMessage will contain + a more verbose string suitable for logging and human + consumption. + These fields should not be set for transitive errors that a controller faces that are expected to be fixed automatically over time (like service outages), but instead indicate that something is fundamentally wrong with the MachineTemplate's spec or the configuration of the machine controller, and that manual intervention is required. Examples of terminal errors would be invalid combinations of settings in the spec, values that are unsupported by the machine controller, or the responsible machine controller itself being critically misconfigured. + Any transient errors that occur during the reconciliation of Machines can be added as events to the MachineSet object and/or logged in the controller's output. + type: string + fullyLabeledReplicas: + description: >- + The number of replicas that have labels matching the labels + of the machine template of the MachineSet. + type: integer + format: int32 + observedGeneration: + description: >- + ObservedGeneration reflects the generation of the most + recently observed MachineSet. + type: integer + format: int64 + readyReplicas: + description: >- + The number of ready replicas for this MachineSet. A machine + is considered ready when the node has been created and is + "Ready". + type: integer + format: int32 + replicas: + description: Replicas is the most recently observed number of replicas. 
+ type: integer + format: int32 + subresources: + status: {} + scale: + specReplicasPath: .spec.replicas + statusReplicasPath: .status.replicas + labelSelectorPath: .status.labelSelector + additionalPrinterColumns: + - name: Desired + type: integer + description: Desired Replicas + jsonPath: .spec.replicas + - name: Current + type: integer + description: Current Replicas + jsonPath: .status.replicas + - name: Ready + type: integer + description: Ready Replicas + jsonPath: .status.readyReplicas + - name: Available + type: string + description: Observed number of available replicas + jsonPath: .status.availableReplicas + - name: Age + type: date + description: Machineset age + jsonPath: .metadata.creationTimestamp + conversion: + strategy: None \ No newline at end of file diff --git a/CRDs/mesh.yaml b/CRDs/mesh.yaml new file mode 100644 index 000000000..b3a1c1b72 --- /dev/null +++ b/CRDs/mesh.yaml 
@@ -0,0 +1,200 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + generation: 1 + name: meshes.consul.hashicorp.com +spec: + conversion: + strategy: None + group: consul.hashicorp.com + names: + kind: Mesh + listKind: MeshList + plural: meshes + singular: mesh + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: Mesh is the Schema for the mesh API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: MeshSpec defines the desired state of Mesh. + properties: + allowEnablingPermissiveMutualTLS: + description: AllowEnablingPermissiveMutualTLS must be true in order + to allow setting MutualTLSMode=permissive in either service-defaults + or proxy-defaults. + type: boolean + http: + description: HTTP defines the HTTP configuration for the service mesh. 
+ properties: + sanitizeXForwardedClientCert: + type: boolean + required: + - sanitizeXForwardedClientCert + type: object + peering: + description: Peering defines the peering configuration for the service + mesh. + properties: + peerThroughMeshGateways: + description: PeerThroughMeshGateways determines whether peering + traffic between control planes should flow through mesh gateways. + If enabled, Consul servers will advertise mesh gateway addresses + as their own. Additionally, mesh gateways will configure themselves + to expose the local servers using a peering-specific SNI. + type: boolean + type: object + tls: + description: TLS defines the TLS configuration for the service mesh. + properties: + incoming: + description: Incoming defines the TLS configuration for inbound + mTLS connections targeting the public listener on Connect and + TerminatingGateway proxy kinds. + properties: + cipherSuites: + description: CipherSuites sets the default list of TLS cipher + suites to support when negotiating connections using TLS + 1.2 or earlier. If unspecified, Envoy will use a default + server cipher list. The list of supported cipher suites + can be seen in https://github.com/hashicorp/consul/blob/v1.11.2/types/tls.go#L154-L169 + and is dependent on underlying support in Envoy. Future + releases of Envoy may remove currently-supported but insecure + cipher suites, and future releases of Consul may add new + supported cipher suites if any are added to Envoy. + items: + type: string + type: array + tlsMaxVersion: + description: TLSMaxVersion sets the default maximum TLS version + supported. Must be greater than or equal to `TLSMinVersion`. + One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, `TLSv1_2`, or `TLSv1_3`. + If unspecified, Envoy will default to TLS 1.3 as a max version + for incoming connections. + type: string + tlsMinVersion: + description: TLSMinVersion sets the default minimum TLS version + supported. 
One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, `TLSv1_2`, + or `TLSv1_3`. If unspecified, Envoy v1.22.0 and newer will + default to TLS 1.2 as a min version, while older releases + of Envoy default to TLS 1.0. + type: string + type: object + outgoing: + description: Outgoing defines the TLS configuration for outbound + mTLS connections dialing upstreams from Connect and IngressGateway + proxy kinds. + properties: + cipherSuites: + description: CipherSuites sets the default list of TLS cipher + suites to support when negotiating connections using TLS + 1.2 or earlier. If unspecified, Envoy will use a default + server cipher list. The list of supported cipher suites + can be seen in https://github.com/hashicorp/consul/blob/v1.11.2/types/tls.go#L154-L169 + and is dependent on underlying support in Envoy. Future + releases of Envoy may remove currently-supported but insecure + cipher suites, and future releases of Consul may add new + supported cipher suites if any are added to Envoy. + items: + type: string + type: array + tlsMaxVersion: + description: TLSMaxVersion sets the default maximum TLS version + supported. Must be greater than or equal to `TLSMinVersion`. + One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, `TLSv1_2`, or `TLSv1_3`. + If unspecified, Envoy will default to TLS 1.3 as a max version + for incoming connections. + type: string + tlsMinVersion: + description: TLSMinVersion sets the default minimum TLS version + supported. One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, `TLSv1_2`, + or `TLSv1_3`. If unspecified, Envoy v1.22.0 and newer will + default to TLS 1.2 as a min version, while older releases + of Envoy default to TLS 1.0. + type: string + type: object + type: object + transparentProxy: + description: TransparentProxy controls the configuration specific + to proxies in "transparent" mode. Added in v1.10.0. 
+ properties: + meshDestinationsOnly: + description: MeshDestinationsOnly determines whether sidecar proxies + operating in "transparent" mode can proxy traffic to IP addresses + not registered in Consul's catalog. If enabled, traffic will + only be proxied to upstreams with service registrations in the + catalog. + type: boolean + type: object + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} \ No newline at end of file diff --git a/CRDs/openshift.yaml b/CRDs/openshift.yaml new file mode 100644 index 000000000..e58531a7b --- /dev/null +++ b/CRDs/openshift.yaml 
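Review bot: `tlsMinVersion` and `tlsMaxVersion` (under both `tls.incoming` and `tls.outgoing`) are plain `type: string`, although their descriptions list the only accepted values; without an `enum` the API server admits a typo such as `TLSv1.2`, and the intended minimum-version floor is then caught, if at all, only by Consul rather than at admission. Consider adding `enum: [TLS_AUTO, TLSv1_0, TLSv1_1, TLSv1_2, TLSv1_3]` to the four fields, or, if the file must stay a verbatim copy of the upstream Consul CRD, a header comment saying so. Separately, `metadata.generation: 1` is a server-managed field and should be dropped from a checked-in manifest.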
@@ -0,0 +1,34 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ name: routes.route.openshift.io
+spec:
+ group: route.openshift.io
+ versions:
+ - name: v1
+ served: true
+ storage: true
+ schema:
+ openAPIV3Schema:
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ additionalPrinterColumns:
+ - name: Host
+ type: string
+ jsonPath: .status.ingress[0].host
+ - name: Admitted
+ type: string
+ jsonPath: .status.ingress[0].conditions[?(@.type=="Admitted")].status
+ - name: Service
+ type: string
+ jsonPath: .spec.to.name
+ - name: TLS
+ type: string
+ jsonPath: .spec.tls.type
+ subresources:
+ status: {}
+ scope: Namespaced
+ names:
+ plural: routes
+ singular: route
+ kind: Route
\ No newline at end of file
diff --git a/CRDs/pipelinerun.yaml b/CRDs/pipelinerun.yaml
new file mode 100644
index 000000000..93f996f43
--- /dev/null
+++ b/CRDs/pipelinerun.yaml
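Review bot: This Route CRD is a schema-less stub (`openAPIV3Schema` is only `type: object` plus `x-kubernetes-preserve-unknown-fields: true`), so the API server will accept any `spec` or `status` content, and nothing in the file marks it as a test fixture rather than the OpenShift-distributed definition. A header comment would keep it from being applied to a real cluster by mistake, e.g. `# Test-only stub of routes.route.openshift.io: no field validation; do not install on a real cluster.` The Admitted column's `jsonPath` is left as a plain scalar (`.status.ingress[0].conditions[?(@.type=="Admitted")].status`) while pipelinerun.yaml and taskrun.yaml double-quote the equivalent expressions; writing it the same way (`jsonPath: ".status.ingress[0].conditions[?(@.type==\"Admitted\")].status"`) keeps the fixtures consistent. The file also lacks a trailing newline (`\ No newline at end of file`), as do pipelinerun.yaml, taskrun.yaml and tlsoption.yaml.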
@@ -0,0 +1,76 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ name: pipelineruns.tekton.dev
+ labels:
+ app.kubernetes.io/instance: default
+ app.kubernetes.io/part-of: tekton-pipelines
+ pipeline.tekton.dev/release: "devel"
+ version: "devel"
+spec:
+ group: tekton.dev
+ preserveUnknownFields: false
+ versions:
+ - name: v1beta1
+ served: true
+ storage: false
+ schema:
+ openAPIV3Schema:
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ additionalPrinterColumns:
+ - name: Succeeded
+ type: string
+ jsonPath: ".status.conditions[?(@.type==\"Succeeded\")].status"
+ - name: Reason
+ type: string
+ jsonPath: ".status.conditions[?(@.type==\"Succeeded\")].reason"
+ - name: StartTime
+ type: date
+ jsonPath: .status.startTime
+ - name: CompletionTime
+ type: date
+ jsonPath: .status.completionTime
+ subresources:
+ status: {}
+ - name: v1
+ served: true
+ storage: true
+ schema:
+ openAPIV3Schema:
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ additionalPrinterColumns:
+ - name: Succeeded
+ type: string
+ jsonPath: ".status.conditions[?(@.type==\"Succeeded\")].status"
+ - name: Reason
+ type: string
+ jsonPath: ".status.conditions[?(@.type==\"Succeeded\")].reason"
+ - name: StartTime
+ type: date
+ jsonPath: .status.startTime
+ - name: CompletionTime
+ type: date
+ jsonPath: .status.completionTime
+ subresources:
+ status: {}
+ names:
+ kind: PipelineRun
+ plural: pipelineruns
+ singular: pipelinerun
+ categories:
+ - tekton
+ - tekton-pipelines
+ shortNames:
+ - pr
+ - prs
+ scope: Namespaced
+ conversion:
+ strategy: Webhook
+ webhook:
+ conversionReviewVersions: ["v1beta1", "v1"]
+ clientConfig:
+ service:
+ name: tekton-pipelines-webhook
+ namespace: tekton-pipelines
\ No newline at end of file
diff --git a/CRDs/restore.yaml b/CRDs/restore.yaml
new file mode 100644
index 000000000..97b67f52a
--- /dev/null
+++ b/CRDs/restore.yaml
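Review bot: The `conversion:` block declares `strategy: Webhook` and points `clientConfig.service` at `tekton-pipelines-webhook` in namespace `tekton-pipelines`, but this file is a stand-alone stub (both versions are `type: object` with `x-kubernetes-preserve-unknown-fields: true` and no schema) and nothing in the commit installs that webhook; without it, any request that must convert between `v1beta1` and the `v1` storage version fails at the API server with a conversion-webhook error, and the `clientConfig` also carries no `caBundle` with which the API server could verify the webhook's TLS endpoint. Since the two version schemas are identical, no conversion is needed for a fixture: replace the whole `webhook:` subtree with `conversion:` / `  strategy: None`. The same block appears in CRDs/taskrun.yaml and should be changed the same way.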
@@ -0,0 +1,481 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + component: velero + annotations: + controller-gen.kubebuilder.io/version: v0.7.0 + name: restores.velero.io +spec: + group: velero.io + names: + kind: Restore + listKind: RestoreList + plural: restores + singular: restore + scope: Namespaced + versions: + - name: v1 + schema: + openAPIV3Schema: + description: Restore is a Velero resource that represents the application + of resources from a Velero backup to a target Kubernetes cluster. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: RestoreSpec defines the specification for a Velero restore. + properties: + backupName: + description: BackupName is the unique name of the Velero backup to + restore from. + type: string + excludedNamespaces: + description: ExcludedNamespaces contains a list of namespaces that + are not included in the restore. + items: + type: string + nullable: true + type: array + excludedResources: + description: ExcludedResources is a slice of resource names that are + not included in the restore. 
+ items: + type: string + nullable: true + type: array + existingResourcePolicy: + description: ExistingResourcePolicy specifies the restore behavior + for the kubernetes resource to be restored + nullable: true + type: string + hooks: + description: Hooks represent custom behaviors that should be executed + during or post restore. + properties: + resources: + items: + description: RestoreResourceHookSpec defines one or more RestoreResrouceHooks + that should be executed based on the rules defined for namespaces, + resources, and label selector. + properties: + excludedNamespaces: + description: ExcludedNamespaces specifies the namespaces + to which this hook spec does not apply. + items: + type: string + nullable: true + type: array + excludedResources: + description: ExcludedResources specifies the resources to + which this hook spec does not apply. + items: + type: string + nullable: true + type: array + includedNamespaces: + description: IncludedNamespaces specifies the namespaces + to which this hook spec applies. If empty, it applies + to all namespaces. + items: + type: string + nullable: true + type: array + includedResources: + description: IncludedResources specifies the resources to + which this hook spec applies. If empty, it applies to + all resources. + items: + type: string + nullable: true + type: array + labelSelector: + description: LabelSelector, if specified, filters the resources + to which this hook spec applies. + nullable: true + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector + that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. 
Valid operators are In, + NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. + If the operator is In or NotIn, the values array + must be non-empty. If the operator is Exists + or DoesNotExist, the values array must be empty. + This array is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field + is "key", the operator is "In", and the values array + contains only "value". The requirements are ANDed. + type: object + type: object + name: + description: Name is the name of this hook. + type: string + postHooks: + description: PostHooks is a list of RestoreResourceHooks + to execute during and after restoring a resource. + items: + description: RestoreResourceHook defines a restore hook + for a resource. + properties: + exec: + description: Exec defines an exec restore hook. + properties: + command: + description: Command is the command and arguments + to execute from within a container after a pod + has been restored. + items: + type: string + minItems: 1 + type: array + container: + description: Container is the container in the + pod where the command should be executed. If + not specified, the pod's first container is + used. + type: string + execTimeout: + description: ExecTimeout defines the maximum amount + of time Velero should wait for the hook to complete + before considering the execution a failure. + type: string + onError: + description: OnError specifies how Velero should + behave if it encounters an error executing this + hook. 
+ enum: + - Continue + - Fail + type: string + waitTimeout: + description: WaitTimeout defines the maximum amount + of time Velero should wait for the container + to be Ready before attempting to run the command. + type: string + required: + - command + type: object + init: + description: Init defines an init restore hook. + properties: + initContainers: + description: InitContainers is list of init containers + to be added to a pod during its restore. + items: + type: object + type: array + x-kubernetes-preserve-unknown-fields: true + timeout: + description: Timeout defines the maximum amount + of time Velero should wait for the initContainers + to complete. + type: string + type: object + type: object + type: array + required: + - name + type: object + type: array + type: object + includeClusterResources: + description: IncludeClusterResources specifies whether cluster-scoped + resources should be included for consideration in the restore. If + null, defaults to true. + nullable: true + type: boolean + includedNamespaces: + description: IncludedNamespaces is a slice of namespace names to include + objects from. If empty, all namespaces are included. + items: + type: string + nullable: true + type: array + includedResources: + description: IncludedResources is a slice of resource names to include + in the restore. If empty, all resources in the backup are included. + items: + type: string + nullable: true + type: array + itemOperationTimeout: + description: ItemOperationTimeout specifies the time used to wait + for RestoreItemAction operations The default value is 1 hour. + type: string + labelSelector: + description: LabelSelector is a metav1.LabelSelector to filter with + when restoring individual objects from the backup. If empty or nil, + all objects are included. Optional. + nullable: true + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. 
+ items: + description: A label selector requirement is a selector that + contains values, a key, and an operator that relates the key + and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: operator represents a key's relationship to + a set of values. Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values is an array of string values. If the + operator is In or NotIn, the values array must be non-empty. + If the operator is Exists or DoesNotExist, the values + array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single + {key,value} in the matchLabels map is equivalent to an element + of matchExpressions, whose key field is "key", the operator + is "In", and the values array contains only "value". The requirements + are ANDed. + type: object + type: object + namespaceMapping: + additionalProperties: + type: string + description: NamespaceMapping is a map of source namespace names to + target namespace names to restore into. Any source namespaces not + included in the map will be restored into namespaces of the same + name. + type: object + orLabelSelectors: + description: OrLabelSelectors is list of metav1.LabelSelector to filter + with when restoring individual objects from the backup. If multiple + provided they will be joined by the OR operator. LabelSelector as + well as OrLabelSelectors cannot co-exist in restore request, only + one of them can be used + items: + description: A label selector is a label query over a set of resources. + The result of matchLabels and matchExpressions are ANDed. An empty + label selector matches all objects. A null label selector matches + no objects. 
+ properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector requirement is a selector that + contains values, a key, and an operator that relates the + key and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values is an array of string values. If the + operator is In or NotIn, the values array must be non-empty. + If the operator is Exists or DoesNotExist, the values + array must be empty. This array is replaced during a + strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single + {key,value} in the matchLabels map is equivalent to an element + of matchExpressions, whose key field is "key", the operator + is "In", and the values array contains only "value". The requirements + are ANDed. + type: object + type: object + nullable: true + type: array + preserveNodePorts: + description: PreserveNodePorts specifies whether to restore old nodePorts + from backup. + nullable: true + type: boolean + restorePVs: + description: RestorePVs specifies whether to restore all included + PVs from snapshot + nullable: true + type: boolean + restoreStatus: + description: RestoreStatus specifies which resources we should restore + the status field. If nil, no objects are included. Optional. + nullable: true + properties: + excludedResources: + description: ExcludedResources specifies the resources to which + will not restore the status. 
+ items: + type: string + nullable: true + type: array + includedResources: + description: IncludedResources specifies the resources to which + will restore the status. If empty, it applies to all resources. + items: + type: string + nullable: true + type: array + type: object + scheduleName: + description: ScheduleName is the unique name of the Velero schedule + to restore from. If specified, and BackupName is empty, Velero will + restore from the most recent successful backup created from this + schedule. + type: string + required: + - backupName + type: object + status: + description: RestoreStatus captures the current status of a Velero restore + properties: + completionTimestamp: + description: CompletionTimestamp records the time the restore operation + was completed. Completion time is recorded even on failed restore. + The server's time is used for StartTimestamps + format: date-time + nullable: true + type: string + errors: + description: Errors is a count of all error messages that were generated + during execution of the restore. The actual errors are stored in + object storage. + type: integer + failureReason: + description: FailureReason is an error that caused the entire restore + to fail. + type: string + phase: + description: Phase is the current state of the Restore + enum: + - New + - FailedValidation + - InProgress + - WaitingForPluginOperations + - WaitingForPluginOperationsPartiallyFailed + - Completed + - PartiallyFailed + - Failed + type: string + progress: + description: Progress contains information about the restore's execution + progress. Note that this information is best-effort only -- if Velero + fails to update it during a restore for any reason, it may be inaccurate/stale. + nullable: true + properties: + itemsRestored: + description: ItemsRestored is the number of items that have actually + been restored so far + type: integer + totalItems: + description: TotalItems is the total number of items to be restored. 
+ This number may change throughout the execution of the restore + due to plugins that return additional related items to restore + type: integer + type: object + restoreItemOperationsAttempted: + description: RestoreItemOperationsAttempted is the total number of + attempted async RestoreItemAction operations for this restore. + type: integer + restoreItemOperationsCompleted: + description: RestoreItemOperationsCompleted is the total number of + successfully completed async RestoreItemAction operations for this + restore. + type: integer + restoreItemOperationsFailed: + description: RestoreItemOperationsFailed is the total number of async + RestoreItemAction operations for this restore which ended with an + error. + type: integer + startTimestamp: + description: StartTimestamp records the time the restore operation + was started. The server's time is used for StartTimestamps + format: date-time + nullable: true + type: string + validationErrors: + description: ValidationErrors is a slice of all validation errors + (if applicable) + items: + type: string + nullable: true + type: array + warnings: + description: Warnings is a count of all warning messages that were + generated during execution of the restore. The actual warnings are + stored in object storage. + type: integer + type: object + type: object + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/CRDs/schedule.yaml b/CRDs/schedule.yaml new file mode 100644 index 000000000..9e5084ada --- /dev/null +++ b/CRDs/schedule.yaml 
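Review bot: The file gives no provenance for this copy of the Velero Restore CRD; the only version hint is the `controller-gen.kubebuilder.io/version: v0.7.0` annotation, so a maintainer cannot tell which Velero release it matches or refresh it when a test needs a field that was added later (the schema already shows API churn such as the `WaitingForPluginOperations` phases and `itemOperationTimeout`). Add a header comment such as `# Source: Velero upstream CRD velero.io_restores.yaml, copied from release <VELERO_VERSION>` so the fixture can be refreshed deterministically; the same applies to CRDs/schedule.yaml. Both files also end with a `status:` stanza (`acceptedNames` with empty `kind`/`plural`, `conditions: []`, `storedVersions: []`) that the API server manages itself and does not take from the manifest; it is harmless but adds noise against upstream and can be dropped.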
@@ -0,0 +1,552 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + component: velero + annotations: + controller-gen.kubebuilder.io/version: v0.7.0 + name: schedules.velero.io +spec: + group: velero.io + names: + kind: Schedule + listKind: ScheduleList + plural: schedules + singular: schedule + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: Status of the schedule + jsonPath: .status.phase + name: Status + type: string + - description: A Cron expression defining when to run the Backup + jsonPath: .spec.schedule + name: Schedule + type: string + - description: The last time a Backup was run for this schedule + jsonPath: .status.lastBackup + name: LastBackup + type: date + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - jsonPath: .spec.paused + name: Paused + type: boolean + name: v1 + schema: + openAPIV3Schema: + description: Schedule is a Velero resource that represents a pre-scheduled + or periodic Backup that should be run. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ScheduleSpec defines the specification for a Velero schedule + properties: + paused: + description: Paused specifies whether the schedule is paused or not + type: boolean + schedule: + description: Schedule is a Cron expression defining when to run the + Backup. + type: string + template: + description: Template is the definition of the Backup to be run on + the provided schedule + properties: + csiSnapshotTimeout: + description: CSISnapshotTimeout specifies the time used to wait + for CSI VolumeSnapshot status turns to ReadyToUse during creation, + before returning error as timeout. The default value is 10 minute. + type: string + defaultVolumesToFsBackup: + description: DefaultVolumesToFsBackup specifies whether pod volume + file system backup should be used for all volumes by default. + nullable: true + type: boolean + defaultVolumesToRestic: + description: "DefaultVolumesToRestic specifies whether restic + should be used to take a backup of all pod volumes by default. + \n Deprecated: this field is no longer used and will be removed + entirely in future. Use DefaultVolumesToFsBackup instead." + nullable: true + type: boolean + excludedClusterScopedResources: + description: ExcludedClusterScopedResources is a slice of cluster-scoped + resource type names to exclude from the backup. If set to "*", + all cluster-scoped resource types are excluded. The default + value is empty. + items: + type: string + nullable: true + type: array + excludedNamespaceScopedResources: + description: ExcludedNamespaceScopedResources is a slice of namespace-scoped + resource type names to exclude from the backup. If set to "*", + all namespace-scoped resource types are excluded. The default + value is empty. 
+ items: + type: string + nullable: true + type: array + excludedNamespaces: + description: ExcludedNamespaces contains a list of namespaces + that are not included in the backup. + items: + type: string + nullable: true + type: array + excludedResources: + description: ExcludedResources is a slice of resource names that + are not included in the backup. + items: + type: string + nullable: true + type: array + hooks: + description: Hooks represent custom behaviors that should be executed + at different phases of the backup. + properties: + resources: + description: Resources are hooks that should be executed when + backing up individual instances of a resource. + items: + description: BackupResourceHookSpec defines one or more + BackupResourceHooks that should be executed based on the + rules defined for namespaces, resources, and label selector. + properties: + excludedNamespaces: + description: ExcludedNamespaces specifies the namespaces + to which this hook spec does not apply. + items: + type: string + nullable: true + type: array + excludedResources: + description: ExcludedResources specifies the resources + to which this hook spec does not apply. + items: + type: string + nullable: true + type: array + includedNamespaces: + description: IncludedNamespaces specifies the namespaces + to which this hook spec applies. If empty, it applies + to all namespaces. + items: + type: string + nullable: true + type: array + includedResources: + description: IncludedResources specifies the resources + to which this hook spec applies. If empty, it applies + to all resources. + items: + type: string + nullable: true + type: array + labelSelector: + description: LabelSelector, if specified, filters the + resources to which this hook spec applies. + nullable: true + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. 
+ items: + description: A label selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If the + operator is Exists or DoesNotExist, the + values array must be empty. This array is + replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". The + requirements are ANDed. + type: object + type: object + name: + description: Name is the name of this hook. + type: string + post: + description: PostHooks is a list of BackupResourceHooks + to execute after storing the item in the backup. These + are executed after all "additional items" from item + actions are processed. + items: + description: BackupResourceHook defines a hook for + a resource. + properties: + exec: + description: Exec defines an exec hook. + properties: + command: + description: Command is the command and arguments + to execute. + items: + type: string + minItems: 1 + type: array + container: + description: Container is the container in + the pod where the command should be executed. + If not specified, the pod's first container + is used. 
+ type: string + onError: + description: OnError specifies how Velero + should behave if it encounters an error + executing this hook. + enum: + - Continue + - Fail + type: string + timeout: + description: Timeout defines the maximum amount + of time Velero should wait for the hook + to complete before considering the execution + a failure. + type: string + required: + - command + type: object + required: + - exec + type: object + type: array + pre: + description: PreHooks is a list of BackupResourceHooks + to execute prior to storing the item in the backup. + These are executed before any "additional items" from + item actions are processed. + items: + description: BackupResourceHook defines a hook for + a resource. + properties: + exec: + description: Exec defines an exec hook. + properties: + command: + description: Command is the command and arguments + to execute. + items: + type: string + minItems: 1 + type: array + container: + description: Container is the container in + the pod where the command should be executed. + If not specified, the pod's first container + is used. + type: string + onError: + description: OnError specifies how Velero + should behave if it encounters an error + executing this hook. + enum: + - Continue + - Fail + type: string + timeout: + description: Timeout defines the maximum amount + of time Velero should wait for the hook + to complete before considering the execution + a failure. + type: string + required: + - command + type: object + required: + - exec + type: object + type: array + required: + - name + type: object + nullable: true + type: array + type: object + includeClusterResources: + description: IncludeClusterResources specifies whether cluster-scoped + resources should be included for consideration in the backup. + nullable: true + type: boolean + includedClusterScopedResources: + description: IncludedClusterScopedResources is a slice of cluster-scoped + resource type names to include in the backup. 
If set to "*", + all cluster-scoped resource types are included. The default + value is empty, which means only related cluster-scoped resources + are included. + items: + type: string + nullable: true + type: array + includedNamespaceScopedResources: + description: IncludedNamespaceScopedResources is a slice of namespace-scoped + resource type names to include in the backup. The default value + is "*". + items: + type: string + nullable: true + type: array + includedNamespaces: + description: IncludedNamespaces is a slice of namespace names + to include objects from. If empty, all namespaces are included. + items: + type: string + nullable: true + type: array + includedResources: + description: IncludedResources is a slice of resource names to + include in the backup. If empty, all resources are included. + items: + type: string + nullable: true + type: array + itemOperationTimeout: + description: ItemOperationTimeout specifies the time used to wait + for asynchronous BackupItemAction operations The default value + is 1 hour. + type: string + labelSelector: + description: LabelSelector is a metav1.LabelSelector to filter + with when adding individual objects to the backup. If empty + or nil, all objects are included. Optional. + nullable: true + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector + that contains values, a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are In, NotIn, + Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If + the operator is In or NotIn, the values array must + be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced + during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A + single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field is "key", + the operator is "In", and the values array contains only + "value". The requirements are ANDed. + type: object + type: object + metadata: + properties: + labels: + additionalProperties: + type: string + type: object + type: object + orLabelSelectors: + description: OrLabelSelectors is list of metav1.LabelSelector + to filter with when adding individual objects to the backup. + If multiple provided they will be joined by the OR operator. + LabelSelector as well as OrLabelSelectors cannot co-exist in + backup request, only one of them can be used. + items: + description: A label selector is a label query over a set of + resources. The result of matchLabels and matchExpressions + are ANDed. An empty label selector matches all objects. A + null label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector + that contains values, a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are In, NotIn, + Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. + If the operator is In or NotIn, the values array + must be non-empty. 
If the operator is Exists or + DoesNotExist, the values array must be empty. This + array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field is + "key", the operator is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + nullable: true + type: array + orderedResources: + additionalProperties: + type: string + description: OrderedResources specifies the backup order of resources + of specific Kind. The map key is the resource name and value + is a list of object names separated by commas. Each resource + name has format "namespace/objectname". For cluster resources, + simply use "objectname". + nullable: true + type: object + resourcePolicy: + description: ResourcePolicy specifies the referenced resource + policies that backup should follow + properties: + apiGroup: + description: APIGroup is the group for the resource being + referenced. If APIGroup is not specified, the specified + Kind must be in the core API group. For any other third-party + types, APIGroup is required. + type: string + kind: + description: Kind is the type of resource being referenced + type: string + name: + description: Name is the name of resource being referenced + type: string + required: + - kind + - name + type: object + snapshotVolumes: + description: SnapshotVolumes specifies whether to take snapshots + of any PV's referenced in the set of objects included in the + Backup. + nullable: true + type: boolean + storageLocation: + description: StorageLocation is a string containing the name of + a BackupStorageLocation where the backup should be stored. 
+ type: string + ttl: + description: TTL is a time.Duration-parseable string describing + how long the Backup should be retained for. + type: string + volumeSnapshotLocations: + description: VolumeSnapshotLocations is a list containing names + of VolumeSnapshotLocations associated with this backup. + items: + type: string + type: array + type: object + useOwnerReferencesInBackup: + description: UseOwnerReferencesBackup specifies whether to use OwnerReferences + on backups created by this Schedule. + nullable: true + type: boolean + required: + - schedule + - template + type: object + status: + description: ScheduleStatus captures the current state of a Velero schedule + properties: + lastBackup: + description: LastBackup is the last time a Backup was run for this + Schedule schedule + format: date-time + nullable: true + type: string + phase: + description: Phase is the current phase of the Schedule + enum: + - New + - Enabled + - FailedValidation + type: string + validationErrors: + description: ValidationErrors is a slice of all validation errors + (if applicable) + items: + type: string + type: array + type: object + type: object + served: true + storage: true + subresources: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/CRDs/taskrun.yaml b/CRDs/taskrun.yaml new file mode 100644 index 000000000..622fce139 --- /dev/null +++ b/CRDs/taskrun.yaml 
@@ -0,0 +1,76 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ name: taskruns.tekton.dev
+ labels:
+ app.kubernetes.io/instance: default
+ app.kubernetes.io/part-of: tekton-pipelines
+ pipeline.tekton.dev/release: "devel"
+ version: "devel"
+spec:
+ group: tekton.dev
+ preserveUnknownFields: false
+ versions:
+ - name: v1beta1
+ served: true
+ storage: false
+ schema:
+ openAPIV3Schema:
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ additionalPrinterColumns:
+ - name: Succeeded
+ type: string
+ jsonPath: ".status.conditions[?(@.type==\"Succeeded\")].status"
+ - name: Reason
+ type: string
+ jsonPath: ".status.conditions[?(@.type==\"Succeeded\")].reason"
+ - name: StartTime
+ type: date
+ jsonPath: .status.startTime
+ - name: CompletionTime
+ type: date
+ jsonPath: .status.completionTime
+ subresources:
+ status: {}
+ - name: v1
+ served: true
+ storage: true
+ schema:
+ openAPIV3Schema:
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ additionalPrinterColumns:
+ - name: Succeeded
+ type: string
+ jsonPath: ".status.conditions[?(@.type==\"Succeeded\")].status"
+ - name: Reason
+ type: string
+ jsonPath: ".status.conditions[?(@.type==\"Succeeded\")].reason"
+ - name: StartTime
+ type: date
+ jsonPath: .status.startTime
+ - name: CompletionTime
+ type: date
+ jsonPath: .status.completionTime
+ subresources:
+ status: {}
+ names:
+ kind: TaskRun
+ plural: taskruns
+ singular: taskrun
+ categories:
+ - tekton
+ - tekton-pipelines
+ shortNames:
+ - tr
+ - trs
+ scope: Namespaced
+ conversion:
+ strategy: Webhook
+ webhook:
+ conversionReviewVersions: ["v1beta1", "v1"]
+ clientConfig:
+ service:
+ name: tekton-pipelines-webhook
+ namespace: tekton-pipelines
\ No newline at end of file
diff --git a/CRDs/tlsoption.yaml b/CRDs/tlsoption.yaml
new file mode 100644
index 000000000..0808b17d7
--- /dev/null
+++ b/CRDs/tlsoption.yaml
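Review bot: The `conversion` block at the end of the hunk (`strategy: Webhook` pointing at service `tekton-pipelines-webhook` in namespace `tekton-pipelines`) makes every request for the served-but-non-storage `v1beta1` version depend on a webhook that a test cluster loading only this stub CRD will not have, so as far as I can tell applying a `v1beta1` TaskRun fixture would be rejected with a conversion error before any policy is exercised. Both versions declare the identical `type: object` / `x-kubernetes-preserve-unknown-fields: true` schema, so no field conversion is needed; replacing the block with `conversion:` / `  strategy: None` and dropping the `webhook` mapping keeps the stub self-contained. Because the schema preserves unknown fields, the API server performs no structural validation of TaskRun specs, which is presumably intended for a fixture but deserves a header comment such as `# test fixture only: schema-less stub of the Tekton TaskRun CRD, not the upstream definition`. The file also ends without a trailing newline.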
@@ -0,0 +1,35 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ name: tlsoptions.traefik.containo.us
+spec:
+ group: traefik.containo.us
+ preserveUnknownFields: false
+ versions:
+ - name: v1alpha1
+ served: true
+ storage: true
+ schema:
+ openAPIV3Schema:
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ additionalPrinterColumns:
+ - name: Succeeded
+ type: string
+ jsonPath: ".status.conditions[?(@.type==\"Succeeded\")].status"
+ - name: Reason
+ type: string
+ jsonPath: ".status.conditions[?(@.type==\"Succeeded\")].reason"
+ - name: StartTime
+ type: date
+ jsonPath: .status.startTime
+ - name: CompletionTime
+ type: date
+ jsonPath: .status.completionTime
+ subresources:
+ status: {}
+ names:
+ kind: TLSOption
+ plural: tlsoptions
+ singular: tlsoption
+ scope: Namespaced
\ No newline at end of file
diff --git a/README.md b/README.md
index 941d42653..e02f39399 100644
--- a/README.md
+++ b/README.md
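Review bot: The `additionalPrinterColumns` (Succeeded/Reason/StartTime/CompletionTime reading `.status.conditions[?(@.type=="Succeeded")]`) and `subresources: status: {}` appear to be copied from the TaskRun CRD added in the previous file; the upstream Traefik `TLSOption` type carries no conditions-based status as far as I know, so the columns would always render empty and the status subresource exposes an endpoint nothing populates. Dropping both mappings leaves a minimal stub (`type: object` with `x-kubernetes-preserve-unknown-fields: true`) that matches what a policy test needs and avoids suggesting the object has a lifecycle it does not have. A header comment such as `# test fixture only: schema-less stub of the Traefik TLSOption CRD` would make that intent explicit. The file also lacks a trailing newline.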
@@ -37,7 +37,7 @@ Anyone and everyone is welcome to write and contribute Kyverno policies! We have * Use dashes for folder name and policy name instead of underscores. -* When updating a policy already in the library, calculate the new sha256 sum of the changed policy and update the `artifacthub-pkg.yml` file's `digest` field with this value. This is to ensure Artifact Hub picks up the changes once merged. Note that because of validation checks in Kyverno's CI processes, it expects the digest to have been generated on a Linux system. Due to the differences of control characters, a digest generated from a Windows system may be different from that generated in Linux. +* When updating a policy already in the library, calculate the new sha256 sum of the changed policy and update the `artifacthub-pkg.yml` file's `digest` field with this value. This is to ensure Artifact Hub picks up the changes once merged. Once your policy is written within these guidelines and tested, please open a standard PR against the `main` branch of kyverno/policies. In order for a policy to make it to the website's [policies page](https://kyverno.io/policies/), it must first be committed to the `main` branch in this repo. Following that, an administrator will render these policies to produce Markdown files in a second PR. You do not need to worry about this process, however. @@ -59,7 +59,7 @@ metadata: policies.kyverno.io/description: >- Adding capabilities beyond those listed in the policy must be disallowed. spec: - validationFailureAction: Audit + validationFailureAction: audit background: true rules: - name: my-rule-name @@ -124,3 +124,4 @@ If you're not yet comfortable with Kyverno and would like to see a policy that m * Be responsive to the GitHub issue if further follow-up is required by the contributors or maintainers. Having this information up front will assist others in crafting a policy to meet your needs. + 
diff --git a/argo-cel/application-field-validation/.chainsaw-test/README.md b/argo-cel/application-field-validation/.chainsaw-test/README.md deleted file mode 100644 index 56a15f374..000000000 --- a/argo-cel/application-field-validation/.chainsaw-test/README.md +++ /dev/null @@ -1,15 +0,0 @@ -## Description - -This is an automated test of the sample policy in this directory. - -## Expected Behavior - -A policy report should be generated in which the following results are observed: - -* `badapp01` fails for the rule `source-path-chart` and passes for the rule `destination-server-name` -* `badapp02` fails for the rule `destination-server-name` and passes for the rule `source-path-chart` -* `goodapp01` passes for both rules - -## Reference Issue(s) - -N/A diff --git a/argo-cel/application-field-validation/.chainsaw-test/bad-application.yaml b/argo-cel/application-field-validation/.chainsaw-test/bad-application.yaml deleted file mode 100644 index d4f36b1be..000000000 --- a/argo-cel/application-field-validation/.chainsaw-test/bad-application.yaml +++ /dev/null @@ -1,31 +0,0 @@ -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: badapp01 - namespace: default -spec: - project: foo - source: - repoURL: https://github.com/argoproj/argocd-example-apps.git - targetRevision: HEAD - path: guestbook - chart: foo - destination: - server: https://kubernetes.default.svc - namespace: guestbook ---- -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: badapp02 - namespace: default -spec: - project: bar - source: - repoURL: https://github.com/argoproj/argocd-example-apps.git - targetRevision: HEAD - path: guestbook - destination: - server: https://kubernetes.default.svc - name: foobar - namespace: guestbook \ No newline at end of file diff --git a/argo-cel/application-field-validation/.chainsaw-test/chainsaw-test.yaml b/argo-cel/application-field-validation/.chainsaw-test/chainsaw-test.yaml deleted file mode 100755 index 2a38d20ec..000000000 
--- a/argo-cel/application-field-validation/.chainsaw-test/chainsaw-test.yaml +++ /dev/null @@ -1,35 +0,0 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json -apiVersion: chainsaw.kyverno.io/v1alpha1 -kind: Test -metadata: - creationTimestamp: null - name: application-field-validation -spec: - steps: - - name: step-01 - try: - - assert: - file: crd-assert.yaml - - name: step-02 - try: - - apply: - file: ../application-field-validation.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: application-field-validation - spec: - validationFailureAction: Enforce - - assert: - file: policy-ready.yaml - - name: step-03 - try: - - apply: - file: good-application.yaml - - apply: - expect: - - check: - ($error != null): true - file: bad-application.yaml diff --git a/argo-cel/application-field-validation/.chainsaw-test/crd-assert.yaml b/argo-cel/application-field-validation/.chainsaw-test/crd-assert.yaml deleted file mode 100755 index c7e226c05..000000000 --- a/argo-cel/application-field-validation/.chainsaw-test/crd-assert.yaml +++ /dev/null @@ -1,13 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: applications.argoproj.io -spec: {} -status: - acceptedNames: - kind: Application - listKind: ApplicationList - plural: applications - singular: application - storedVersions: - - v1alpha1 diff --git a/argo-cel/application-field-validation/.chainsaw-test/good-application.yaml b/argo-cel/application-field-validation/.chainsaw-test/good-application.yaml deleted file mode 100644 index 9ba4a2543..000000000 --- a/argo-cel/application-field-validation/.chainsaw-test/good-application.yaml +++ /dev/null 
@@ -1,14 +0,0 @@ -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: goodapp01 - namespace: default -spec: - project: biz - source: - repoURL: https://github.com/argoproj/argocd-example-apps.git - targetRevision: HEAD - path: guestbook - destination: - server: https://kubernetes.default.svc - namespace: guestbook diff --git a/argo-cel/application-field-validation/.chainsaw-test/policy-ready.yaml b/argo-cel/application-field-validation/.chainsaw-test/policy-ready.yaml deleted file mode 100755 index 6dc354021..000000000 --- a/argo-cel/application-field-validation/.chainsaw-test/policy-ready.yaml +++ /dev/null @@ -1,9 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: application-field-validation -status: - conditions: - - reason: Succeeded - status: "True" - type: Ready diff --git a/argo-cel/application-field-validation/.kyverno-test/kyverno-test.yaml b/argo-cel/application-field-validation/.kyverno-test/kyverno-test.yaml deleted file mode 100644 index d7294f2fa..000000000 --- a/argo-cel/application-field-validation/.kyverno-test/kyverno-test.yaml +++ /dev/null @@ -1,35 +0,0 @@ -apiVersion: cli.kyverno.io/v1alpha1 -kind: Test -metadata: - name: application-field-validation -policies: -- ../application-field-validation.yaml -resources: -- ../.chainsaw-test/bad-application.yaml -- ../.chainsaw-test/good-application.yaml -results: -- policy: application-field-validation - rule: source-path-chart - kind: Application - resources: - - badapp01 - result: fail -- policy: application-field-validation - rule: destination-server-name - kind: Application - resources: - - badapp02 - result: fail -- policy: application-field-validation - rule: source-path-chart - kind: Application - resources: - - goodapp01 - result: pass -- policy: application-field-validation - rule: destination-server-name - kind: Application - resources: - - goodapp01 - result: pass - 
diff --git a/argo-cel/application-field-validation/application-field-validation.yaml b/argo-cel/application-field-validation/application-field-validation.yaml deleted file mode 100644 index a55686d65..000000000 --- a/argo-cel/application-field-validation/application-field-validation.yaml +++ /dev/null @@ -1,61 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: application-field-validation - annotations: - policies.kyverno.io/title: Application Field Validation in CEL expressions - policies.kyverno.io/category: Argo in CEL - policies.kyverno.io/severity: medium - policies.kyverno.io/subject: Application - kyverno.io/kyverno-version: 1.11.0 - policies.kyverno.io/minversion: 1.11.0 - kyverno.io/kubernetes-version: "1.26-1.27" - policies.kyverno.io/description: >- - This policy performs some best practices validation on Application fields. - Path or chart must be specified but never both. And destination.name or - destination.server must be specified but never both. -spec: - validationFailureAction: Audit - background: true - rules: - - name: source-path-chart - match: - any: - - resources: - kinds: - - Application - operations: - - CREATE - - UPDATE - validate: - cel: - expressions: - - expression: >- - has(object.spec.source) && - ( - (has(object.spec.source.path) && !has(object.spec.source.chart)) || - (!has(object.spec.source.path) && has(object.spec.source.chart)) - ) - message: >- - `spec.source.path` OR `spec.source.chart` should be specified but never both. - - name: destination-server-name - match: - any: - - resources: - kinds: - - Application - operations: - - CREATE - - UPDATE - validate: - cel: - expressions: - - expression: >- - has(object.spec.destination) && - ( - (has(object.spec.destination.server) && !has(object.spec.destination.name)) || - (!has(object.spec.destination.server) && has(object.spec.destination.name)) - ) - message: >- - `spec.destination.server` OR `spec.destination.name` should be specified but never both. - 
diff --git a/argo-cel/application-field-validation/artifacthub-pkg.yml b/argo-cel/application-field-validation/artifacthub-pkg.yml deleted file mode 100644 index 0bbf6cbc0..000000000 --- a/argo-cel/application-field-validation/artifacthub-pkg.yml +++ /dev/null @@ -1,23 +0,0 @@ -name: application-field-validation-cel -version: 1.0.0 -displayName: Application Field Validation in CEL expressions -description: >- - This policy performs some best practices validation on Application fields. Path or chart must be specified but never both. And destination.name or destination.server must be specified but never both. -install: |- - ```shell - kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/argo-cel/application-field-validation/application-field-validation.yaml - ``` -keywords: - - kyverno - - Argo - - CEL Expressions -readme: | - This policy performs some best practices validation on Application fields. Path or chart must be specified but never both. And destination.name or destination.server must be specified but never both. - - Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ -annotations: - kyverno/category: "Argo in CEL" - kyverno/kubernetesVersion: "1.26-1.27" - kyverno/subject: "Application" -digest: e3256994e09731ea081230c85e0d6384a187d53377562b1c82ea9385cec0c4a4 -createdAt: "2024-04-30T15:34:03Z" diff --git a/argo-cel/application-prevent-default-project/.chainsaw-test/bad-application.yaml b/argo-cel/application-prevent-default-project/.chainsaw-test/bad-application.yaml deleted file mode 100644 index f533ed401..000000000 --- a/argo-cel/application-prevent-default-project/.chainsaw-test/bad-application.yaml +++ /dev/null 
@@ -1,14 +0,0 @@ -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: badapp - namespace: default -spec: - project: default - source: - repoURL: https://github.com/argoproj/argocd-example-apps.git - targetRevision: HEAD - path: guestbook - destination: - server: https://kubernetes.default.svc - namespace: guestbook diff --git a/argo-cel/application-prevent-default-project/.chainsaw-test/chainsaw-test.yaml b/argo-cel/application-prevent-default-project/.chainsaw-test/chainsaw-test.yaml deleted file mode 100755 index f54e9fae4..000000000 --- a/argo-cel/application-prevent-default-project/.chainsaw-test/chainsaw-test.yaml +++ /dev/null @@ -1,35 +0,0 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json -apiVersion: chainsaw.kyverno.io/v1alpha1 -kind: Test -metadata: - creationTimestamp: null - name: application-prevent-default-project -spec: - steps: - - name: step-01 - try: - - assert: - file: crd-assert.yaml - - name: step-02 - try: - - apply: - file: ../application-prevent-default-project.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: application-prevent-default-project - spec: - validationFailureAction: Enforce - - assert: - file: policy-ready.yaml - - name: step-03 - try: - - apply: - file: good-application.yaml - - apply: - expect: - - check: - ($error != null): true - file: bad-application.yaml diff --git a/argo-cel/application-prevent-default-project/.chainsaw-test/crd-assert.yaml b/argo-cel/application-prevent-default-project/.chainsaw-test/crd-assert.yaml deleted file mode 100755 index c7e226c05..000000000 --- a/argo-cel/application-prevent-default-project/.chainsaw-test/crd-assert.yaml +++ /dev/null 
@@ -1,13 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: applications.argoproj.io -spec: {} -status: - acceptedNames: - kind: Application - listKind: ApplicationList - plural: applications - singular: application - storedVersions: - - v1alpha1 diff --git a/argo-cel/application-prevent-default-project/.chainsaw-test/good-application.yaml b/argo-cel/application-prevent-default-project/.chainsaw-test/good-application.yaml deleted file mode 100644 index e0d134e68..000000000 --- a/argo-cel/application-prevent-default-project/.chainsaw-test/good-application.yaml +++ /dev/null @@ -1,14 +0,0 @@ -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: goodapp - namespace: default -spec: - project: biz - source: - repoURL: https://github.com/argoproj/argocd-example-apps.git - targetRevision: HEAD - path: guestbook - destination: - server: https://kubernetes.default.svc - namespace: guestbook diff --git a/argo-cel/application-prevent-default-project/.chainsaw-test/policy-ready.yaml b/argo-cel/application-prevent-default-project/.chainsaw-test/policy-ready.yaml deleted file mode 100755 index cbef78483..000000000 --- a/argo-cel/application-prevent-default-project/.chainsaw-test/policy-ready.yaml +++ /dev/null @@ -1,9 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: application-prevent-default-project -status: - conditions: - - reason: Succeeded - status: "True" - type: Ready diff --git a/argo-cel/application-prevent-default-project/.kyverno-test/kyverno-test.yaml b/argo-cel/application-prevent-default-project/.kyverno-test/kyverno-test.yaml deleted file mode 100644 index ee4fb0f4d..000000000 --- a/argo-cel/application-prevent-default-project/.kyverno-test/kyverno-test.yaml +++ /dev/null 
@@ -1,23 +0,0 @@ -apiVersion: cli.kyverno.io/v1alpha1 -kind: Test -metadata: - name: application-prevent-default-project -policies: -- ../application-prevent-default-project.yaml -resources: -- ../.chainsaw-test/bad-application.yaml -- ../.chainsaw-test/good-application.yaml -results: -- policy: application-prevent-default-project - rule: default-project - kind: Application - resources: - - badapp - result: fail -- policy: application-prevent-default-project - rule: default-project - kind: Application - resources: - - goodapp - result: pass - diff --git a/argo-cel/application-prevent-default-project/application-prevent-default-project.yaml b/argo-cel/application-prevent-default-project/application-prevent-default-project.yaml deleted file mode 100644 index 7a45796b5..000000000 --- a/argo-cel/application-prevent-default-project/application-prevent-default-project.yaml +++ /dev/null @@ -1,33 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: application-prevent-default-project - annotations: - policies.kyverno.io/title: Prevent Use of Default Project in CEL expressions - policies.kyverno.io/category: Argo in CEL - policies.kyverno.io/severity: medium - kyverno.io/kyverno-version: 1.11.0 - policies.kyverno.io/minversion: 1.11.0 - kyverno.io/kubernetes-version: "1.26-1.27" - policies.kyverno.io/subject: Application - policies.kyverno.io/description: >- - This policy prevents the use of the default project in an Application. -spec: - validationFailureAction: Audit - background: true - rules: - - name: default-project - match: - any: - - resources: - kinds: - - Application - operations: - - CREATE - - UPDATE - validate: - cel: - expressions: - - expression: "object.spec.?project.orValue('') != 'default'" - message: "The default project may not be used in an Application." - 
diff --git a/argo-cel/application-prevent-default-project/artifacthub-pkg.yml b/argo-cel/application-prevent-default-project/artifacthub-pkg.yml deleted file mode 100644 index 8c9ed67c6..000000000 --- a/argo-cel/application-prevent-default-project/artifacthub-pkg.yml +++ /dev/null @@ -1,24 +0,0 @@ -name: application-prevent-default-project-cel -version: 1.0.0 -displayName: Prevent Use of Default Project in CEL expressions -description: >- - This policy prevents the use of the default project in an Application. -install: |- - ```shell - kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/argo-cel/application-prevent-default-project/application-prevent-default-project.yaml - ``` -keywords: - - kyverno - - Argo - - CEL Expressions -readme: | - This policy prevents the use of the default project in an Application. - - Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ -annotations: - kyverno/category: "Argo in CEL" - kyverno/kubernetesVersion: "1.26-1.27" - kyverno/subject: "Application" -digest: 30a66468036d5a7d5f63e5581d7a4dbb33f6d93ecdfca566f9a465b11d441acb -createdAt: "2024-04-30T16:03:57Z" - diff --git a/argo-cel/application-prevent-updates-project/.chainsaw-test/application-bad-update.yaml b/argo-cel/application-prevent-updates-project/.chainsaw-test/application-bad-update.yaml deleted file mode 100644 index 840d951d0..000000000 --- a/argo-cel/application-prevent-updates-project/.chainsaw-test/application-bad-update.yaml +++ /dev/null @@ -1,14 +0,0 @@ -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: goodapp - namespace: default -spec: - project: newbiz - source: - repoURL: https://github.com/argoproj/argocd-example-apps.git - targetRevision: HEAD - path: guestbook - destination: - server: https://kubernetes.default.svc - namespace: guestbook 
diff --git a/argo-cel/application-prevent-updates-project/.chainsaw-test/application-update.yaml b/argo-cel/application-prevent-updates-project/.chainsaw-test/application-update.yaml deleted file mode 100644 index 7c3202cbc..000000000 --- a/argo-cel/application-prevent-updates-project/.chainsaw-test/application-update.yaml +++ /dev/null @@ -1,14 +0,0 @@ -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: goodapp - namespace: default -spec: - project: biz - source: - repoURL: https://github.com/argoproj/argocd-example-apps.git - targetRevision: HEAD - path: book - destination: - server: https://kubernetes.default.svc - namespace: book diff --git a/argo-cel/application-prevent-updates-project/.chainsaw-test/application.yaml b/argo-cel/application-prevent-updates-project/.chainsaw-test/application.yaml deleted file mode 100644 index e0d134e68..000000000 --- a/argo-cel/application-prevent-updates-project/.chainsaw-test/application.yaml +++ /dev/null @@ -1,14 +0,0 @@ -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: goodapp - namespace: default -spec: - project: biz - source: - repoURL: https://github.com/argoproj/argocd-example-apps.git - targetRevision: HEAD - path: guestbook - destination: - server: https://kubernetes.default.svc - namespace: guestbook diff --git a/argo-cel/application-prevent-updates-project/.chainsaw-test/chainsaw-test.yaml b/argo-cel/application-prevent-updates-project/.chainsaw-test/chainsaw-test.yaml deleted file mode 100755 index 1e8dbd46f..000000000 --- a/argo-cel/application-prevent-updates-project/.chainsaw-test/chainsaw-test.yaml +++ /dev/null 
@@ -1,37 +0,0 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json -apiVersion: chainsaw.kyverno.io/v1alpha1 -kind: Test -metadata: - creationTimestamp: null - name: application-prevent-updates-project -spec: - steps: - - name: step-01 - try: - - assert: - file: crd-assert.yaml - - name: step-02 - try: - - apply: - file: ../application-prevent-updates-project.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: application-prevent-updates-project - spec: - validationFailureAction: Enforce - - assert: - file: policy-ready.yaml - - name: step-03 - try: - - apply: - file: application.yaml - - apply: - file: application-update.yaml - - apply: - expect: - - check: - ($error != null): true - file: application-bad-update.yaml diff --git a/argo-cel/application-prevent-updates-project/.chainsaw-test/crd-assert.yaml b/argo-cel/application-prevent-updates-project/.chainsaw-test/crd-assert.yaml deleted file mode 100755 index c7e226c05..000000000 --- a/argo-cel/application-prevent-updates-project/.chainsaw-test/crd-assert.yaml +++ /dev/null @@ -1,13 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: applications.argoproj.io -spec: {} -status: - acceptedNames: - kind: Application - listKind: ApplicationList - plural: applications - singular: application - storedVersions: - - v1alpha1 diff --git a/argo-cel/application-prevent-updates-project/.chainsaw-test/policy-ready.yaml b/argo-cel/application-prevent-updates-project/.chainsaw-test/policy-ready.yaml deleted file mode 100755 index 24cddb73a..000000000 --- a/argo-cel/application-prevent-updates-project/.chainsaw-test/policy-ready.yaml +++ /dev/null @@ -1,9 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: application-prevent-updates-project -status: - conditions: - - reason: Succeeded - status: "True" - type: Ready 
diff --git a/argo-cel/application-prevent-updates-project/application-prevent-updates-project.yaml b/argo-cel/application-prevent-updates-project/application-prevent-updates-project.yaml deleted file mode 100644 index c1d6f50bf..000000000 --- a/argo-cel/application-prevent-updates-project/application-prevent-updates-project.yaml +++ /dev/null @@ -1,32 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: application-prevent-updates-project - annotations: - policies.kyverno.io/title: Prevent Updates to Project in CEL expressions - policies.kyverno.io/category: Argo in CEL - policies.kyverno.io/severity: medium - kyverno.io/kyverno-version: 1.12.0 - kyverno.io/kubernetes-version: "1.26-1.27" - policies.kyverno.io/subject: Application - policies.kyverno.io/description: >- - This policy prevents updates to the project field after an Application is created. -spec: - validationFailureAction: Audit - background: true - rules: - - name: project-updates - match: - any: - - resources: - kinds: - - Application - celPreconditions: - - name: "operation-should-be-update" - expression: "request.operation == 'UPDATE'" - validate: - cel: - expressions: - - expression: "object.spec.project == oldObject.spec.project" - message: "The spec.project cannot be changed once the Application is created." - diff --git a/argo-cel/application-prevent-updates-project/artifacthub-pkg.yml b/argo-cel/application-prevent-updates-project/artifacthub-pkg.yml deleted file mode 100644 index f69ab2037..000000000 --- a/argo-cel/application-prevent-updates-project/artifacthub-pkg.yml +++ /dev/null 
@@ -1,24 +0,0 @@ -name: application-prevent-updates-project-cel -version: 1.0.0 -displayName: Prevent Updates to Project in CEL expressions -description: >- - This policy prevents updates to the project field after an Application is created. -install: |- - ```shell - kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/argo-cel/application-prevent-updates-project/application-prevent-updates-project.yaml - ``` -keywords: - - kyverno - - Argo - - CEL Expressions -readme: | - This policy prevents updates to the project field after an Application is created. - - Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ -annotations: - kyverno/category: "Argo in CEL" - kyverno/kubernetesVersion: "1.26-1.27" - kyverno/subject: "Application" -digest: a9aebf68a690cd9b5683fd24dc26dc0949d0ee1c122a153bd417f9e6d4a2b47a -createdAt: "2024-05-01T17:10:46Z" - diff --git a/argo-cel/applicationset-name-matches-project/.chainsaw-test/bad-appset.yaml b/argo-cel/applicationset-name-matches-project/.chainsaw-test/bad-appset.yaml deleted file mode 100644 index 5814ffcce..000000000 --- a/argo-cel/applicationset-name-matches-project/.chainsaw-test/bad-appset.yaml +++ /dev/null @@ -1,24 +0,0 @@ -apiVersion: argoproj.io/v1alpha1 -kind: ApplicationSet -metadata: - name: bad-guestbook -spec: - generators: - - list: - elements: - - cluster: engineering-dev - url: https://1.2.3.4 - - cluster: engineering-prod - url: https://2.4.6.8 - template: - metadata: - name: '{{cluster}}-guestbook' - spec: - project: not-guestbook - source: - repoURL: https://github.com/infra-team/cluster-deployments.git - targetRevision: HEAD - path: guestbook/{{cluster}} - destination: - server: '{{url}}' - namespace: guestbook \ No newline at end of file 
diff --git a/argo-cel/applicationset-name-matches-project/.chainsaw-test/chainsaw-test.yaml b/argo-cel/applicationset-name-matches-project/.chainsaw-test/chainsaw-test.yaml deleted file mode 100755 index 05a65d0ad..000000000 --- a/argo-cel/applicationset-name-matches-project/.chainsaw-test/chainsaw-test.yaml +++ /dev/null @@ -1,35 +0,0 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json -apiVersion: chainsaw.kyverno.io/v1alpha1 -kind: Test -metadata: - creationTimestamp: null - name: applicationset-name-matches-project -spec: - steps: - - name: step-01 - try: - - assert: - file: crd-assert.yaml - - name: step-02 - try: - - apply: - file: ../applicationset-name-matches-project.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: applicationset-name-matches-project - spec: - validationFailureAction: Enforce - - assert: - file: policy-ready.yaml - - name: step-03 - try: - - apply: - file: good-appset.yaml - - apply: - expect: - - check: - ($error != null): true - file: bad-appset.yaml diff --git a/argo-cel/applicationset-name-matches-project/.chainsaw-test/crd-assert.yaml b/argo-cel/applicationset-name-matches-project/.chainsaw-test/crd-assert.yaml deleted file mode 100755 index 2d1a65c97..000000000 --- a/argo-cel/applicationset-name-matches-project/.chainsaw-test/crd-assert.yaml +++ /dev/null @@ -1,13 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: applicationsets.argoproj.io -spec: {} -status: - acceptedNames: - kind: ApplicationSet - listKind: ApplicationSetList - plural: applicationsets - singular: applicationset - storedVersions: - - v1alpha1 diff --git a/argo-cel/applicationset-name-matches-project/.chainsaw-test/good-appset.yaml b/argo-cel/applicationset-name-matches-project/.chainsaw-test/good-appset.yaml deleted file mode 100644 index cb57f79bb..000000000 
--- a/argo-cel/applicationset-name-matches-project/.chainsaw-test/good-appset.yaml +++ /dev/null @@ -1,24 +0,0 @@ -apiVersion: argoproj.io/v1alpha1 -kind: ApplicationSet -metadata: - name: guestbook -spec: - generators: - - list: - elements: - - cluster: engineering-dev - url: https://1.2.3.4 - - cluster: engineering-prod - url: https://2.4.6.8 - template: - metadata: - name: '{{cluster}}-guestbook' - spec: - project: guestbook - source: - repoURL: https://github.com/infra-team/cluster-deployments.git - targetRevision: HEAD - path: guestbook/{{cluster}} - destination: - server: '{{url}}' - namespace: guestbook \ No newline at end of file diff --git a/argo-cel/applicationset-name-matches-project/.chainsaw-test/policy-ready.yaml b/argo-cel/applicationset-name-matches-project/.chainsaw-test/policy-ready.yaml deleted file mode 100755 index 9630ddada..000000000 --- a/argo-cel/applicationset-name-matches-project/.chainsaw-test/policy-ready.yaml +++ /dev/null @@ -1,9 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: applicationset-name-matches-project -status: - conditions: - - reason: Succeeded - status: "True" - type: Ready diff --git a/argo-cel/applicationset-name-matches-project/.kyverno-test/kyverno-test.yaml b/argo-cel/applicationset-name-matches-project/.kyverno-test/kyverno-test.yaml deleted file mode 100644 index b41f71e22..000000000 --- a/argo-cel/applicationset-name-matches-project/.kyverno-test/kyverno-test.yaml +++ /dev/null 
@@ -1,23 +0,0 @@ -apiVersion: cli.kyverno.io/v1alpha1 -kind: Test -metadata: - name: applicationset-name-matches-project -policies: -- ../applicationset-name-matches-project.yaml -resources: -- ../.chainsaw-test/bad-appset.yaml -- ../.chainsaw-test/good-appset.yaml -results: -- policy: applicationset-name-matches-project - rule: match-name - kind: ApplicationSet - resources: - - bad-guestbook - result: fail -- policy: applicationset-name-matches-project - rule: match-name - kind: ApplicationSet - resources: - - guestbook - result: pass - diff --git a/argo-cel/applicationset-name-matches-project/applicationset-name-matches-project.yaml b/argo-cel/applicationset-name-matches-project/applicationset-name-matches-project.yaml deleted file mode 100644 index af30a936c..000000000 --- a/argo-cel/applicationset-name-matches-project/applicationset-name-matches-project.yaml +++ /dev/null @@ -1,34 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: applicationset-name-matches-project - annotations: - policies.kyverno.io/title: Ensure ApplicationSet Name Matches Project in CEL expressions - policies.kyverno.io/category: Argo in CEL - policies.kyverno.io/severity: medium - kyverno.io/kyverno-version: 1.11.0 - policies.kyverno.io/minversion: 1.11.0 - kyverno.io/kubernetes-version: "1.26-1.27" - policies.kyverno.io/subject: ApplicationSet - policies.kyverno.io/description: >- - This policy ensures that the name of the ApplicationSet is the - same value provided in the project. -spec: - validationFailureAction: Audit - background: true - rules: - - name: match-name - match: - any: - - resources: - kinds: - - ApplicationSet - operations: - - CREATE - - UPDATE - validate: - cel: - expressions: - - expression: "object.spec.template.spec.project == object.metadata.name" - message: "The name must match the project." - 
diff --git a/argo-cel/applicationset-name-matches-project/artifacthub-pkg.yml b/argo-cel/applicationset-name-matches-project/artifacthub-pkg.yml deleted file mode 100644 index b248176e3..000000000 --- a/argo-cel/applicationset-name-matches-project/artifacthub-pkg.yml +++ /dev/null @@ -1,24 +0,0 @@ -name: applicationset-name-matches-project-cel -version: 1.0.0 -displayName: Ensure ApplicationSet Name Matches Project in CEL expressions -description: >- - This policy ensures that the name of the ApplicationSet is the same value provided in the project. -install: |- - ```shell - kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/argo-cel/applicationset-name-matches-project/applicationset-name-matches-project.yaml - ``` -keywords: - - kyverno - - Argo - - CEL Expressions -readme: | - This policy ensures that the name of the ApplicationSet is the same value provided in the project. - - Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ -annotations: - kyverno/category: "Argo in CEL" - kyverno/kubernetesVersion: "1.26-1.27" - kyverno/subject: "ApplicationSet" -digest: bcb427d1e2b0623c4c5d0e30bbdec1bdac60a6adb6b2a7e7d2bc74221668ad25 -createdAt: "2024-05-01T16:44:11Z" - diff --git a/argo-cel/appproject-clusterresourceblacklist/.chainsaw-test/bad-both-wildcard.yaml b/argo-cel/appproject-clusterresourceblacklist/.chainsaw-test/bad-both-wildcard.yaml deleted file mode 100644 index 572430859..000000000 --- a/argo-cel/appproject-clusterresourceblacklist/.chainsaw-test/bad-both-wildcard.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: argoproj.io/v1alpha1 -kind: AppProject -metadata: - name: badappproj03 -spec: - description: Test Project - destinations: - - namespace: default - server: https://kubernetes.default.svc - clusterResourceBlacklist: - - group: '' - kind: 'Pod' \ No newline at end of file 
diff --git a/argo-cel/appproject-clusterresourceblacklist/.chainsaw-test/bad-group-wildcard.yaml b/argo-cel/appproject-clusterresourceblacklist/.chainsaw-test/bad-group-wildcard.yaml deleted file mode 100644 index 27de0770b..000000000 --- a/argo-cel/appproject-clusterresourceblacklist/.chainsaw-test/bad-group-wildcard.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: argoproj.io/v1alpha1 -kind: AppProject -metadata: - name: badappproj01 -spec: - description: Test Project - destinations: - - namespace: default - server: https://kubernetes.default.svc - clusterResourceBlacklist: - - group: '' - kind: '*' \ No newline at end of file diff --git a/argo-cel/appproject-clusterresourceblacklist/.chainsaw-test/bad-kind-wildcard.yaml b/argo-cel/appproject-clusterresourceblacklist/.chainsaw-test/bad-kind-wildcard.yaml deleted file mode 100644 index 096ddbb50..000000000 --- a/argo-cel/appproject-clusterresourceblacklist/.chainsaw-test/bad-kind-wildcard.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: argoproj.io/v1alpha1 -kind: AppProject -metadata: - name: badappproj02 -spec: - description: Test Project - destinations: - - namespace: default - server: https://kubernetes.default.svc - clusterResourceBlacklist: - - group: '*' - kind: 'Secret' \ No newline at end of file diff --git a/argo-cel/appproject-clusterresourceblacklist/.chainsaw-test/bad-no-blacklist.yaml b/argo-cel/appproject-clusterresourceblacklist/.chainsaw-test/bad-no-blacklist.yaml deleted file mode 100644 index 9a682b846..000000000 --- a/argo-cel/appproject-clusterresourceblacklist/.chainsaw-test/bad-no-blacklist.yaml +++ /dev/null @@ -1,9 +0,0 @@ -apiVersion: argoproj.io/v1alpha1 -kind: AppProject -metadata: - name: badappproj04 -spec: - description: Test Project - destinations: - - namespace: default - server: https://kubernetes.default.svc \ No newline at end of file 
diff --git a/argo-cel/appproject-clusterresourceblacklist/.chainsaw-test/chainsaw-test.yaml b/argo-cel/appproject-clusterresourceblacklist/.chainsaw-test/chainsaw-test.yaml deleted file mode 100755 index 454dffd03..000000000 --- a/argo-cel/appproject-clusterresourceblacklist/.chainsaw-test/chainsaw-test.yaml +++ /dev/null @@ -1,50 +0,0 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json -apiVersion: chainsaw.kyverno.io/v1alpha1 -kind: Test -metadata: - creationTimestamp: null - name: appproject-clusterresourceblacklist -spec: - steps: - - name: step-01 - try: - - assert: - file: crd-assert.yaml - - name: step-02 - try: - - apply: - file: ../appproject-clusterresourceblacklist.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: appproject-clusterresourceblacklist - spec: - validationFailureAction: Enforce - - assert: - file: policy-ready.yaml - - name: step-03 - try: - - apply: - file: good.yaml - - apply: - expect: - - check: - ($error != null): true - file: bad-both-wildcard.yaml - - apply: - expect: - - check: - ($error != null): true - file: bad-group-wildcard.yaml - - apply: - expect: - - check: - ($error != null): true - file: bad-kind-wildcard.yaml - - apply: - expect: - - check: - ($error != null): true - file: bad-no-blacklist.yaml diff --git a/argo-cel/appproject-clusterresourceblacklist/.chainsaw-test/crd-assert.yaml b/argo-cel/appproject-clusterresourceblacklist/.chainsaw-test/crd-assert.yaml deleted file mode 100755 index e24f922f8..000000000 --- a/argo-cel/appproject-clusterresourceblacklist/.chainsaw-test/crd-assert.yaml +++ /dev/null @@ -1,13 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: appprojects.argoproj.io -spec: {} -status: - acceptedNames: - kind: AppProject - listKind: AppProjectList - plural: appprojects - singular: appproject - storedVersions: - - v1alpha1 
diff --git a/argo-cel/appproject-clusterresourceblacklist/.chainsaw-test/good.yaml b/argo-cel/appproject-clusterresourceblacklist/.chainsaw-test/good.yaml deleted file mode 100644 index 48a4f2181..000000000 --- a/argo-cel/appproject-clusterresourceblacklist/.chainsaw-test/good.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: argoproj.io/v1alpha1 -kind: AppProject -metadata: - name: goodappproj -spec: - description: Test Project - destinations: - - namespace: default - server: https://kubernetes.default.svc - clusterResourceBlacklist: - - group: '*' - kind: '*' \ No newline at end of file diff --git a/argo-cel/appproject-clusterresourceblacklist/.chainsaw-test/policy-ready.yaml b/argo-cel/appproject-clusterresourceblacklist/.chainsaw-test/policy-ready.yaml deleted file mode 100755 index 8c0d37ede..000000000 --- a/argo-cel/appproject-clusterresourceblacklist/.chainsaw-test/policy-ready.yaml +++ /dev/null @@ -1,9 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: appproject-clusterresourceblacklist -status: - conditions: - - reason: Succeeded - status: "True" - type: Ready diff --git a/argo-cel/appproject-clusterresourceblacklist/.kyverno-test/kyverno-test.yaml b/argo-cel/appproject-clusterresourceblacklist/.kyverno-test/kyverno-test.yaml deleted file mode 100644 index 37f844910..000000000 --- a/argo-cel/appproject-clusterresourceblacklist/.kyverno-test/kyverno-test.yaml +++ /dev/null 
@@ -1,26 +0,0 @@ -apiVersion: cli.kyverno.io/v1alpha1 -kind: Test -metadata: - name: appproject-clusterresourceblacklist -policies: -- ../appproject-clusterresourceblacklist.yaml -resources: -- resources.yaml -results: -- kind: AppProject - policy: appproject-clusterresourceblacklist - resources: - - badappproj01 - - badappproj02 - - badappproj03 - - badappproj04 - result: fail - rule: has-wildcard-and-validate-clusterresourceblacklist -- kind: AppProject - policy: appproject-clusterresourceblacklist - resources: - - goodappproj01 - - goodappproj02 - result: pass - rule: has-wildcard-and-validate-clusterresourceblacklist - diff --git a/argo-cel/appproject-clusterresourceblacklist/.kyverno-test/resources.yaml b/argo-cel/appproject-clusterresourceblacklist/.kyverno-test/resources.yaml deleted file mode 100644 index 1ed3ebc86..000000000 --- a/argo-cel/appproject-clusterresourceblacklist/.kyverno-test/resources.yaml +++ /dev/null 
@@ -1,78 +0,0 @@ ---- -apiVersion: argoproj.io/v1alpha1 -kind: AppProject -metadata: - name: goodappproj01 -spec: - description: Test Project - destinations: - - namespace: default - server: https://kubernetes.default.svc - clusterResourceBlacklist: - - group: '*' - kind: '*' ---- -apiVersion: argoproj.io/v1alpha1 -kind: AppProject -metadata: - name: goodappproj02 -spec: - description: Test Project - destinations: - - namespace: default - server: https://kubernetes.default.svc - clusterResourceBlacklist: - - group: '*' - kind: '*' ---- -apiVersion: argoproj.io/v1alpha1 -kind: AppProject -metadata: - name: badappproj01 -spec: - description: Test Project - destinations: - - namespace: default - server: https://kubernetes.default.svc - clusterResourceBlacklist: - - group: '' - kind: '*' ---- -apiVersion: argoproj.io/v1alpha1 -kind: AppProject -metadata: - name: badappproj02 -spec: - description: Test Project - destinations: - - namespace: default - server: https://kubernetes.default.svc - clusterResourceBlacklist: - - group: '*' - kind: 'Secret' ---- -apiVersion: argoproj.io/v1alpha1 -kind: AppProject -metadata: - name: badappproj03 -spec: - description: Test Project - destinations: - - namespace: default - server: https://kubernetes.default.svc - clusterResourceBlacklist: - - group: '' - kind: 'Pod' ---- -apiVersion: argoproj.io/v1alpha1 -kind: AppProject -metadata: - name: badappproj04 -spec: - description: Test Project - destinations: - - namespace: default - server: https://kubernetes.default.svc - # clusterResourceBlacklist: - # - group: '' - # kind: 'Pod' diff --git a/argo-cel/appproject-clusterresourceblacklist/appproject-clusterresourceblacklist.yaml b/argo-cel/appproject-clusterresourceblacklist/appproject-clusterresourceblacklist.yaml deleted file mode 100644 index 18827a80e..000000000 --- a/argo-cel/appproject-clusterresourceblacklist/appproject-clusterresourceblacklist.yaml +++ /dev/null 
@@ -1,39 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: appproject-clusterresourceblacklist - annotations: - policies.kyverno.io/title: Enforce AppProject with clusterResourceBlacklist in CEL expressions - policies.kyverno.io/category: Argo in CEL - policies.kyverno.io/severity: medium - kyverno.io/kyverno-version: 1.11.0 - policies.kyverno.io/minversion: 1.11.0 - kyverno.io/kubernetes-version: "1.26-1.27" - policies.kyverno.io/subject: AppProject - policies.kyverno.io/description: >- - An AppProject may optionally specify clusterResourceBlacklist which is a blacklisted - group of cluster resources. This is often a good practice to ensure AppProjects do - not allow more access than needed. This policy is a combination of two rules which - enforce that all AppProjects specify clusterResourceBlacklist and that their group - and kind have wildcards as values. -spec: - validationFailureAction: Audit - background: true - rules: - - name: has-wildcard-and-validate-clusterresourceblacklist - match: - any: - - resources: - kinds: - - AppProject - operations: - - CREATE - - UPDATE - validate: - cel: - expressions: - - expression: "has(object.spec.clusterResourceBlacklist)" - message: "AppProject must specify clusterResourceBlacklist." - - expression: "object.spec.clusterResourceBlacklist.all(element, element.group.contains('*') && element.kind.contains('*'))" - message: "Wildcards must be present in group and kind for clusterResourceBlacklist." - diff --git a/argo-cel/appproject-clusterresourceblacklist/artifacthub-pkg.yml b/argo-cel/appproject-clusterresourceblacklist/artifacthub-pkg.yml deleted file mode 100644 index b91d65bae..000000000 --- a/argo-cel/appproject-clusterresourceblacklist/artifacthub-pkg.yml +++ /dev/null 
@@ -1,24 +0,0 @@ -name: appproject-clusterresourceblacklist-cel -version: 1.0.0 -displayName: Enforce AppProject with clusterResourceBlacklist in CEL expressions -description: >- - An AppProject may optionally specify clusterResourceBlacklist which is a blacklisted group of cluster resources. This is often a good practice to ensure AppProjects do not allow more access than needed. This policy is a combination of two rules which enforce that all AppProjects specify clusterResourceBlacklist and that their group and kind have wildcards as values. -install: |- - ```shell - kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/argo-cel/appproject-clusterresourceblacklist/appproject-clusterresourceblacklist.yaml - ``` -keywords: - - kyverno - - Argo - - CEL Expressions -readme: | - An AppProject may optionally specify clusterResourceBlacklist which is a blacklisted group of cluster resources. This is often a good practice to ensure AppProjects do not allow more access than needed. This policy is a combination of two rules which enforce that all AppProjects specify clusterResourceBlacklist and that their group and kind have wildcards as values. - - Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ -annotations: - kyverno/category: "Argo in CEL" - kyverno/kubernetesVersion: "1.26-1.27" - kyverno/subject: "AppProject" -digest: 4c6e24e7f54e6473c6e56cd704c9de401b8c5703570e72d32d2c27bb38641b11 -createdAt: "2024-05-01T16:57:53Z" - diff --git a/argo/application-field-validation/.chainsaw-test/chainsaw-step-02-assert-1.yaml b/argo/application-field-validation/.chainsaw-test/chainsaw-step-02-assert-1.yaml index 6dc354021..4f0ddbf67 100755 --- a/argo/application-field-validation/.chainsaw-test/chainsaw-step-02-assert-1.yaml +++ b/argo/application-field-validation/.chainsaw-test/chainsaw-step-02-assert-1.yaml 
@@ -3,7 +3,4 @@ kind: ClusterPolicy
 metadata:
 name: application-field-validation
 status:
- conditions:
- - reason: Succeeded
- status: "True"
- type: Ready
+ ready: true
diff --git a/argo/application-field-validation/.chainsaw-test/chainsaw-test.yaml b/argo/application-field-validation/.chainsaw-test/chainsaw-test.yaml
index 06818efd1..90db2b6dc 100755
--- a/argo/application-field-validation/.chainsaw-test/chainsaw-test.yaml
+++ b/argo/application-field-validation/.chainsaw-test/chainsaw-test.yaml
@@ -1,4 +1,3 @@
-# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
 apiVersion: chainsaw.kyverno.io/v1alpha1
 kind: Test
 metadata:
@@ -12,16 +11,9 @@ spec:
 file: chainsaw-step-01-assert-1.yaml
 - name: step-02
 try:
- - apply:
- file: ../application-field-validation.yaml
- - patch:
- resource:
- apiVersion: kyverno.io/v1
- kind: ClusterPolicy
- metadata:
- name: application-field-validation
- spec:
- validationFailureAction: Enforce
+ - script:
+ content: |
+ sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../application-field-validation.yaml | kubectl create -f -
 - assert:
 file: chainsaw-step-02-assert-1.yaml
 - name: step-03
@@ -33,3 +25,10 @@ spec:
 - check:
 ($error != null): true
 file: bad-application.yaml
+ - name: step-99
+ try:
+ - delete:
+ ref:
+ apiVersion: kyverno.io/v1
+ kind: ClusterPolicy
+ name: application-field-validation
diff --git a/argo/application-field-validation/.kyverno-test/kyverno-test.yaml b/argo/application-field-validation/.kyverno-test/kyverno-test.yaml
deleted file mode 100644
index d7294f2fa..000000000
--- a/argo/application-field-validation/.kyverno-test/kyverno-test.yaml
+++ /dev/null
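Review bot: The new step-02 script in `chainsaw-test.yaml` switches the policy to Enforce only if the policy file contains the exact lowercase string `validationFailureAction: audit` that this same commit writes into `application-field-validation.yaml`; if that value drifts back to `Audit` (the form the commit removes) sed substitutes nothing, `kubectl create` still exits 0, and the policy is silently installed in audit mode, so step-03's `($error != null)` checks later fail with a misleading "bad resource was admitted" rather than pointing at the setup. Making the match case-insensitive and verifying the result keeps the test honest about what it enforces: `sed 's/validationFailureAction: [Aa]udit/validationFailureAction: Enforce/' ../application-field-validation.yaml | kubectl create -f -` followed by `kubectl get clusterpolicy application-field-validation -o jsonpath='{.spec.validationFailureAction}' | grep -q Enforce`. `kubectl create` will also fail outright if a ClusterPolicy of that name survived an earlier run, which the `apply`+`patch` it replaces tolerated. The same script appears in the chainsaw-test hunks on L718, L720, L722 and L724.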
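Review bot: The added step-99 `delete` runs as an ordinary step, so it only executes when step-03 passes; on a failed negative check the Enforce-mode ClusterPolicy created by the step-02 script stays behind in the cluster (resources created through `script` do not appear to be tracked by chainsaw's automatic cleanup, which is presumably why this step was added), and the next run's `kubectl create` then fails on the leftover. If the chainsaw version in use supports step-level `finally:`, placing the `delete` there on step-02 (or in the test-level cleanup) guarantees the enforcing policy does not outlive the test regardless of outcome. The same cleanup step is added on L718, L721, L722 and L725.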
@@ -1,35 +0,0 @@ -apiVersion: cli.kyverno.io/v1alpha1 -kind: Test -metadata: - name: application-field-validation -policies: -- ../application-field-validation.yaml -resources: -- ../.chainsaw-test/bad-application.yaml -- ../.chainsaw-test/good-application.yaml -results: -- policy: application-field-validation - rule: source-path-chart - kind: Application - resources: - - badapp01 - result: fail -- policy: application-field-validation - rule: destination-server-name - kind: Application - resources: - - badapp02 - result: fail -- policy: application-field-validation - rule: source-path-chart - kind: Application - resources: - - goodapp01 - result: pass -- policy: application-field-validation - rule: destination-server-name - kind: Application - resources: - - goodapp01 - result: pass - diff --git a/argo/application-field-validation/application-field-validation.yaml b/argo/application-field-validation/application-field-validation.yaml index d71905b2b..0277f7737 100644 --- a/argo/application-field-validation/application-field-validation.yaml +++ b/argo/application-field-validation/application-field-validation.yaml @@ -15,7 +15,7 @@ metadata: Path or chart must be specified but never both. And destination.name or destination.server must be specified but never both. spec: - validationFailureAction: Audit + validationFailureAction: audit background: true rules: - name: source-path-chart diff --git a/argo/application-field-validation/artifacthub-pkg.yml b/argo/application-field-validation/artifacthub-pkg.yml index e37eb3830..e97a0a7af 100644 --- a/argo/application-field-validation/artifacthub-pkg.yml +++ b/argo/application-field-validation/artifacthub-pkg.yml @@ -19,4 +19,4 @@ annotations: kyverno/category: "Argo" kyverno/kubernetesVersion: "1.23" kyverno/subject: "Application" -digest: 9f6e56fb8532ee2f043a3a623b4dabde1c419ec4858a4b50261cc392069a4b6d +digest: d3fb7174f682520a3ab0f62c4430014fc3228b51b989d770f5546099f342f416 
diff --git a/argo/application-prevent-default-project/.chainsaw-test/chainsaw-step-02-assert-1.yaml b/argo/application-prevent-default-project/.chainsaw-test/chainsaw-step-02-assert-1.yaml
index cbef78483..0edbc929b 100755
--- a/argo/application-prevent-default-project/.chainsaw-test/chainsaw-step-02-assert-1.yaml
+++ b/argo/application-prevent-default-project/.chainsaw-test/chainsaw-step-02-assert-1.yaml
@@ -3,7 +3,4 @@ kind: ClusterPolicy
 metadata:
 name: application-prevent-default-project
 status:
- conditions:
- - reason: Succeeded
- status: "True"
- type: Ready
+ ready: true
diff --git a/argo/application-prevent-default-project/.chainsaw-test/chainsaw-test.yaml b/argo/application-prevent-default-project/.chainsaw-test/chainsaw-test.yaml
index c603383ff..d66d69e6d 100755
--- a/argo/application-prevent-default-project/.chainsaw-test/chainsaw-test.yaml
+++ b/argo/application-prevent-default-project/.chainsaw-test/chainsaw-test.yaml
@@ -1,4 +1,3 @@
-# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
 apiVersion: chainsaw.kyverno.io/v1alpha1
 kind: Test
 metadata:
@@ -12,16 +11,9 @@ spec:
 file: chainsaw-step-01-assert-1.yaml
 - name: step-02
 try:
- - apply:
- file: ../application-prevent-default-project.yaml
- - patch:
- resource:
- apiVersion: kyverno.io/v1
- kind: ClusterPolicy
- metadata:
- name: application-prevent-default-project
- spec:
- validationFailureAction: Enforce
+ - script:
+ content: |
+ sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../application-prevent-default-project.yaml | kubectl create -f -
 - assert:
 file: chainsaw-step-02-assert-1.yaml
 - name: step-03
@@ -33,3 +25,10 @@ spec:
 - check:
 ($error != null): true
 file: bad-application.yaml
+ - name: step-99
+ try:
+ - delete:
+ ref:
+ apiVersion: kyverno.io/v1
+ kind: ClusterPolicy
+ name: application-prevent-default-project
diff --git a/argo/application-prevent-default-project/.kyverno-test/kyverno-test.yaml b/argo/application-prevent-default-project/.kyverno-test/kyverno-test.yaml deleted file mode 100644 index ee4fb0f4d..000000000 --- a/argo/application-prevent-default-project/.kyverno-test/kyverno-test.yaml +++ /dev/null @@ -1,23 +0,0 @@ -apiVersion: cli.kyverno.io/v1alpha1 -kind: Test -metadata: - name: application-prevent-default-project -policies: -- ../application-prevent-default-project.yaml -resources: -- ../.chainsaw-test/bad-application.yaml -- ../.chainsaw-test/good-application.yaml -results: -- policy: application-prevent-default-project - rule: default-project - kind: Application - resources: - - badapp - result: fail -- policy: application-prevent-default-project - rule: default-project - kind: Application - resources: - - goodapp - result: pass - diff --git a/argo/application-prevent-default-project/application-prevent-default-project.yaml b/argo/application-prevent-default-project/application-prevent-default-project.yaml index 766871740..6a6373cb1 100644 --- a/argo/application-prevent-default-project/application-prevent-default-project.yaml +++ b/argo/application-prevent-default-project/application-prevent-default-project.yaml @@ -13,7 +13,7 @@ metadata: policies.kyverno.io/description: >- This policy prevents the use of the default project in an Application. spec: - validationFailureAction: Audit + validationFailureAction: audit background: true rules: - name: default-project diff --git a/argo/application-prevent-default-project/artifacthub-pkg.yml b/argo/application-prevent-default-project/artifacthub-pkg.yml index aabcbb895..91010fb5b 100644 --- a/argo/application-prevent-default-project/artifacthub-pkg.yml +++ b/argo/application-prevent-default-project/artifacthub-pkg.yml 
@@ -19,4 +19,4 @@ annotations:
 kyverno/category: "Argo"
 kyverno/kubernetesVersion: "1.23"
 kyverno/subject: "Application"
-digest: 90789fabae88fe5b601404793bf67e28fe06f19d2ec33a351e6a4b1199de4b45
+digest: cd52206b53b7fd1fc1d73ed2b127d70cead0eecf19f43e8b9b4192bb0b418c25
diff --git a/argo/application-prevent-updates-project/.chainsaw-test/chainsaw-step-02-assert-1.yaml b/argo/application-prevent-updates-project/.chainsaw-test/chainsaw-step-02-assert-1.yaml
index 24cddb73a..820069362 100755
--- a/argo/application-prevent-updates-project/.chainsaw-test/chainsaw-step-02-assert-1.yaml
+++ b/argo/application-prevent-updates-project/.chainsaw-test/chainsaw-step-02-assert-1.yaml
@@ -3,7 +3,4 @@ kind: ClusterPolicy
 metadata:
 name: application-prevent-updates-project
 status:
- conditions:
- - reason: Succeeded
- status: "True"
- type: Ready
+ ready: true
diff --git a/argo/application-prevent-updates-project/.chainsaw-test/chainsaw-test.yaml b/argo/application-prevent-updates-project/.chainsaw-test/chainsaw-test.yaml
index 18cdf77dd..afe5b7b2e 100755
--- a/argo/application-prevent-updates-project/.chainsaw-test/chainsaw-test.yaml
+++ b/argo/application-prevent-updates-project/.chainsaw-test/chainsaw-test.yaml
@@ -1,4 +1,3 @@
-# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
 apiVersion: chainsaw.kyverno.io/v1alpha1
 kind: Test
 metadata:
@@ -12,16 +11,9 @@ spec:
 file: chainsaw-step-01-assert-1.yaml
 - name: step-02
 try:
- - apply:
- file: ../application-prevent-updates-project.yaml
- - patch:
- resource:
- apiVersion: kyverno.io/v1
- kind: ClusterPolicy
- metadata:
- name: application-prevent-updates-project
- spec:
- validationFailureAction: Enforce
+ - script:
+ content: |
+ sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../application-prevent-updates-project.yaml | kubectl create -f -
 - assert:
 file: chainsaw-step-02-assert-1.yaml
 - name: step-03
@@ -35,3 +27,10 @@ spec:
 - check:
 ($error != null): true
 file: application-bad-update.yaml
+ - name: step-99
+ try:
+ - delete:
+ ref:
+ apiVersion: kyverno.io/v1
+ kind: ClusterPolicy
+ name: application-prevent-updates-project
diff --git a/argo/application-prevent-updates-project/application-prevent-updates-project.yaml b/argo/application-prevent-updates-project/application-prevent-updates-project.yaml
index f4eac4f05..62bf3c036 100644
--- a/argo/application-prevent-updates-project/application-prevent-updates-project.yaml
+++ b/argo/application-prevent-updates-project/application-prevent-updates-project.yaml
@@ -13,7 +13,7 @@ metadata:
 policies.kyverno.io/description: >-
 This policy prevents updates to the project field after an Application is created.
 spec:
- validationFailureAction: Audit
+ validationFailureAction: audit
 background: true
 rules:
 - name: project-updates
diff --git a/argo/application-prevent-updates-project/artifacthub-pkg.yml b/argo/application-prevent-updates-project/artifacthub-pkg.yml
index 5f28adcea..9026c5c3f 100644
--- a/argo/application-prevent-updates-project/artifacthub-pkg.yml
+++ b/argo/application-prevent-updates-project/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
 kyverno/category: "Argo"
 kyverno/kubernetesVersion: "1.23"
 kyverno/subject: "Application"
-digest: 604c05775c80ab521492bb326139a635cab9acfae7d8eac06b8f22fc51b831b9
+digest: be410b40b2df93914851faffdefb7a02d036367ba89ffcd600ddc57f15efc21f
diff --git a/argo/applicationset-name-matches-project/.chainsaw-test/bad-appset.yaml b/argo/applicationset-name-matches-project/.chainsaw-test/bad-appset.yaml
index 5814ffcce..269f150e1 100644
--- a/argo/applicationset-name-matches-project/.chainsaw-test/bad-appset.yaml
+++ b/argo/applicationset-name-matches-project/.chainsaw-test/bad-appset.yaml
@@ -1,7 +1,7 @@
 apiVersion: argoproj.io/v1alpha1
 kind: ApplicationSet
 metadata:
- name: bad-guestbook
+ name: guestbook
 spec:
 generators:
 - list:
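Review bot: Renaming the negative fixture in `bad-appset.yaml` to `guestbook` gives it the same name the good fixture uses (the argo-cel copy of `good-appset.yaml` on L706 is named `guestbook`; the argo copy is not visible here but presumably matches), so step-03 now applies the bad ApplicationSet on top of the already-created good one and the rejection the test waits for comes from an UPDATE rather than a CREATE. Because the check is only `($error != null): true`, any admission error on that update — a field-validation or conflict error as much as the policy denial — satisfies it, and the test no longer proves the rule fired. Tightening the check to the rule's own message, e.g. `(contains($error, 'must match the project')): true` with the literal taken from the policy's `message`, or keeping a distinct name for the bad fixture so it is exercised as a CREATE, would restore that guarantee. The `.kyverno-test` file that referenced `bad-guestbook` is deleted in this commit (L723), so nothing else depends on the old name.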
diff --git a/argo/applicationset-name-matches-project/.chainsaw-test/chainsaw-step-02-assert-1.yaml b/argo/applicationset-name-matches-project/.chainsaw-test/chainsaw-step-02-assert-1.yaml
index 9630ddada..5e891f2a0 100755
--- a/argo/applicationset-name-matches-project/.chainsaw-test/chainsaw-step-02-assert-1.yaml
+++ b/argo/applicationset-name-matches-project/.chainsaw-test/chainsaw-step-02-assert-1.yaml
@@ -3,7 +3,4 @@ kind: ClusterPolicy
 metadata:
 name: applicationset-name-matches-project
 status:
- conditions:
- - reason: Succeeded
- status: "True"
- type: Ready
+ ready: true
diff --git a/argo/applicationset-name-matches-project/.chainsaw-test/chainsaw-test.yaml b/argo/applicationset-name-matches-project/.chainsaw-test/chainsaw-test.yaml
index 1b67b1a47..c5e531940 100755
--- a/argo/applicationset-name-matches-project/.chainsaw-test/chainsaw-test.yaml
+++ b/argo/applicationset-name-matches-project/.chainsaw-test/chainsaw-test.yaml
@@ -1,4 +1,3 @@
-# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
 apiVersion: chainsaw.kyverno.io/v1alpha1
 kind: Test
 metadata:
@@ -12,16 +11,9 @@ spec:
 file: chainsaw-step-01-assert-1.yaml
 - name: step-02
 try:
- - apply:
- file: ../applicationset-name-matches-project.yaml
- - patch:
- resource:
- apiVersion: kyverno.io/v1
- kind: ClusterPolicy
- metadata:
- name: applicationset-name-matches-project
- spec:
- validationFailureAction: Enforce
+ - script:
+ content: |
+ sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../applicationset-name-matches-project.yaml | kubectl create -f -
 - assert:
 file: chainsaw-step-02-assert-1.yaml
 - name: step-03
@@ -33,3 +25,10 @@ spec:
 - check:
 ($error != null): true
 file: bad-appset.yaml
+ - name: step-99
+ try:
+ - delete:
+ ref:
+ apiVersion: kyverno.io/v1
+ kind: ClusterPolicy
+ name: applicationset-name-matches-project
diff --git a/argo/applicationset-name-matches-project/.kyverno-test/kyverno-test.yaml b/argo/applicationset-name-matches-project/.kyverno-test/kyverno-test.yaml deleted file mode 100644 index b41f71e22..000000000 --- a/argo/applicationset-name-matches-project/.kyverno-test/kyverno-test.yaml +++ /dev/null @@ -1,23 +0,0 @@ -apiVersion: cli.kyverno.io/v1alpha1 -kind: Test -metadata: - name: applicationset-name-matches-project -policies: -- ../applicationset-name-matches-project.yaml -resources: -- ../.chainsaw-test/bad-appset.yaml -- ../.chainsaw-test/good-appset.yaml -results: -- policy: applicationset-name-matches-project - rule: match-name - kind: ApplicationSet - resources: - - bad-guestbook - result: fail -- policy: applicationset-name-matches-project - rule: match-name - kind: ApplicationSet - resources: - - guestbook - result: pass - diff --git a/argo/applicationset-name-matches-project/applicationset-name-matches-project.yaml b/argo/applicationset-name-matches-project/applicationset-name-matches-project.yaml index 38529a89e..d2ff71bca 100644 --- a/argo/applicationset-name-matches-project/applicationset-name-matches-project.yaml +++ b/argo/applicationset-name-matches-project/applicationset-name-matches-project.yaml @@ -14,7 +14,7 @@ metadata: This policy ensures that the name of the ApplicationSet is the same value provided in the project. spec: - validationFailureAction: Audit + validationFailureAction: audit background: true rules: - name: match-name diff --git a/argo/applicationset-name-matches-project/artifacthub-pkg.yml b/argo/applicationset-name-matches-project/artifacthub-pkg.yml index 6922ea295..9e2e7fbc8 100644 --- a/argo/applicationset-name-matches-project/artifacthub-pkg.yml +++ b/argo/applicationset-name-matches-project/artifacthub-pkg.yml 
@@ -19,4 +19,4 @@ annotations:
 kyverno/category: "Argo"
 kyverno/kubernetesVersion: "1.23"
 kyverno/subject: "ApplicationSet"
-digest: 2b60af2ba640e7cc5edf7fada97d92c3a4fd72354e25f613a83c0287cc43f519
+digest: 7eabf25e8af8b90e044164d4ff2acb12503332f2c40360edebd4e1a908c773c3
diff --git a/argo/appproject-clusterresourceblacklist/.chainsaw-test/chainsaw-step-02-assert-1.yaml b/argo/appproject-clusterresourceblacklist/.chainsaw-test/chainsaw-step-02-assert-1.yaml
index 8c0d37ede..745e7b98b 100755
--- a/argo/appproject-clusterresourceblacklist/.chainsaw-test/chainsaw-step-02-assert-1.yaml
+++ b/argo/appproject-clusterresourceblacklist/.chainsaw-test/chainsaw-step-02-assert-1.yaml
@@ -3,7 +3,4 @@ kind: ClusterPolicy
 metadata:
 name: appproject-clusterresourceblacklist
 status:
- conditions:
- - reason: Succeeded
- status: "True"
- type: Ready
+ ready: true
diff --git a/argo/appproject-clusterresourceblacklist/.chainsaw-test/chainsaw-test.yaml b/argo/appproject-clusterresourceblacklist/.chainsaw-test/chainsaw-test.yaml
index 98c2ba814..2748f7e2b 100755
--- a/argo/appproject-clusterresourceblacklist/.chainsaw-test/chainsaw-test.yaml
+++ b/argo/appproject-clusterresourceblacklist/.chainsaw-test/chainsaw-test.yaml
@@ -1,4 +1,3 @@
-# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
 apiVersion: chainsaw.kyverno.io/v1alpha1
 kind: Test
 metadata:
@@ -12,16 +11,9 @@ spec:
 file: chainsaw-step-01-assert-1.yaml
 - name: step-02
 try:
- - apply:
- file: ../appproject-clusterresourceblacklist.yaml
- - patch:
- resource:
- apiVersion: kyverno.io/v1
- kind: ClusterPolicy
- metadata:
- name: appproject-clusterresourceblacklist
- spec:
- validationFailureAction: Enforce
+ - script:
+ content: |
+ sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../appproject-clusterresourceblacklist.yaml | kubectl create -f -
 - assert:
 file: chainsaw-step-02-assert-1.yaml
 - name: step-03
@@ -48,3 +40,10 @@ spec: - check: ($error != null): true file: bad-no-blacklist.yaml + - name: step-99 + try: + - delete: + ref: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: appproject-clusterresourceblacklist diff --git a/argo/appproject-clusterresourceblacklist/appproject-clusterresourceblacklist.yaml b/argo/appproject-clusterresourceblacklist/appproject-clusterresourceblacklist.yaml index 52dc4d289..c5a0aed03 100644 --- a/argo/appproject-clusterresourceblacklist/appproject-clusterresourceblacklist.yaml +++ b/argo/appproject-clusterresourceblacklist/appproject-clusterresourceblacklist.yaml @@ -17,7 +17,7 @@ metadata: enforce that all AppProjects specify clusterResourceBlacklist and that their group and kind have wildcards as values. spec: - validationFailureAction: Audit + validationFailureAction: audit background: true rules: - name: has-wildcard diff --git a/argo/appproject-clusterresourceblacklist/artifacthub-pkg.yml b/argo/appproject-clusterresourceblacklist/artifacthub-pkg.yml index 0687ba404..cca1ca18a 100644 --- a/argo/appproject-clusterresourceblacklist/artifacthub-pkg.yml +++ b/argo/appproject-clusterresourceblacklist/artifacthub-pkg.yml @@ -19,4 +19,4 @@ annotations: kyverno/category: "Argo" kyverno/kubernetesVersion: "1.23" kyverno/subject: "AppProject" -digest: 7468b37dca594f3dad0d2b0909a89bdab9eafa1aaf1d680bf5faf5f57981ccba +digest: d4842e3c136e9e581cf090d5843cf0eb54cfb1e9638f80e85f7dfbfda7e01b97 diff --git a/argo/argo-cluster-generation-from-rancher-capi/.chainsaw-test/chainsaw-test.yaml b/argo/argo-cluster-generation-from-rancher-capi/.chainsaw-test/chainsaw-test.yaml index 1e1a78519..6efbc8539 100755 --- a/argo/argo-cluster-generation-from-rancher-capi/.chainsaw-test/chainsaw-test.yaml +++ b/argo/argo-cluster-generation-from-rancher-capi/.chainsaw-test/chainsaw-test.yaml 
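Review bot: step-99 deletes the ClusterPolicy from a `try` block, so it only runs when every earlier step passed; if step-02 or step-03 fails, the policy stays installed in Enforce mode in the shared test cluster, and on the next run the `kubectl create` in step-02 fails because the object already exists. The policy used to be installed by an `apply` that chainsaw cleaned up on its own; now that a script creates it, the deletion should run unconditionally, e.g. as a step-level `cleanup:` block on step-02 (or a `finally:` on the last functional step, if the chainsaw version in use lacks `cleanup`) holding the same `delete`/`ref` operation. The same step-99 pattern is added in the `@@ -31,3 +23,10 @@` hunk of aws/require-encryption-aws-loadbalancers/.chainsaw-test/chainsaw-test.yaml.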
@@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: @@ -12,8 +11,6 @@ spec: file: chainsaw-step-00-assert-1.yaml - name: step-01 try: - - apply: - file: permissions.yaml - apply: file: chainsaw-step-01-apply-1.yaml - apply: diff --git a/argo/argo-cluster-generation-from-rancher-capi/.chainsaw-test/permissions.yaml b/argo/argo-cluster-generation-from-rancher-capi/.chainsaw-test/permissions.yaml deleted file mode 100644 index 18dae3424..000000000 --- a/argo/argo-cluster-generation-from-rancher-capi/.chainsaw-test/permissions.yaml +++ /dev/null @@ -1,49 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: kyverno:secrets:view - labels: - rbac.kyverno.io/aggregate-to-background-controller: "true" - rbac.kyverno.io/aggregate-to-reports-controller: "true" - rbac.kyverno.io/aggregate-to-admission-controller: "true" -rules: -- apiGroups: - - '' - resources: - - secrets - verbs: - - get - - list - - watch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: kyverno:secrets:manage - labels: - rbac.kyverno.io/aggregate-to-background-controller: "true" -rules: -- apiGroups: - - '' - resources: - - secrets - verbs: - - create - - update - - delete ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: kyverno:clusters - labels: - rbac.kyverno.io/aggregate-to-background-controller: "true" -rules: -- apiGroups: - - 'provisioning.cattle.io' - resources: - - clusters - verbs: - - get - - list - - watch \ No newline at end of file diff --git a/argo/argo-cluster-generation-from-rancher-capi/.chainsaw-test/policy-ready.yaml b/argo/argo-cluster-generation-from-rancher-capi/.chainsaw-test/policy-ready.yaml index 24b9d4502..e1c518a70 100644 --- a/argo/argo-cluster-generation-from-rancher-capi/.chainsaw-test/policy-ready.yaml 
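Review bot: Dropping the `permissions.yaml` apply means the test no longer grants Kyverno's background controller the Secret read/write and provisioning.cattle.io Cluster read permissions that the deleted file carried, so the generate rule (outside this hunk) now relies on the test cluster's Kyverno install already carrying those aggregated ClusterRoles. If that is intended, it should be stated where a user of the policy will see it, because granting `create`/`update`/`delete` on Secrets cluster-wide to the background controller is a deliberate privilege decision rather than a default. A comment on the step would at least record the assumption: `# assumes the Kyverno background controller already has RBAC for secrets (get/list/watch/create/update/delete) and provisioning.cattle.io clusters (get/list/watch)`. The enclosing `steps` list continues outside the hunk.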
+++ b/argo/argo-cluster-generation-from-rancher-capi/.chainsaw-test/policy-ready.yaml @@ -3,7 +3,4 @@ kind: ClusterPolicy metadata: name: argo-cluster-generation-from-rancher-capi status: - conditions: - - reason: Succeeded - status: "True" - type: Ready + ready: true \ No newline at end of file diff --git a/argo/argo-cluster-generation-from-rancher-capi/argo-cluster-generation-from-rancher-capi.yaml b/argo/argo-cluster-generation-from-rancher-capi/argo-cluster-generation-from-rancher-capi.yaml index bf16f6401..6c4b889dc 100644 --- a/argo/argo-cluster-generation-from-rancher-capi/argo-cluster-generation-from-rancher-capi.yaml +++ b/argo/argo-cluster-generation-from-rancher-capi/argo-cluster-generation-from-rancher-capi.yaml @@ -19,7 +19,7 @@ metadata: "Cluster-API cluster auto-registration" and Rancher issue https://github.com/rancher/rancher/issues/38053 "Fix type and labels Rancher v2 provisioner specifies when creating CAPI Cluster Secret". spec: - generateExisting: true + generateExistingOnPolicyUpdate: true rules: - name: source-rancher-non-local-cluster-and-capi-secret match: diff --git a/argo/argo-cluster-generation-from-rancher-capi/artifacthub-pkg.yml b/argo/argo-cluster-generation-from-rancher-capi/artifacthub-pkg.yml index 66afffd14..ab582087d 100644 --- a/argo/argo-cluster-generation-from-rancher-capi/artifacthub-pkg.yml +++ b/argo/argo-cluster-generation-from-rancher-capi/artifacthub-pkg.yml @@ -19,4 +19,4 @@ annotations: kyverno/category: "Argo" kyverno/kubernetesVersion: "1.23" kyverno/subject: "Secret" -digest: 955247857bea3c8e70733e8dc214406319f08ded53700ba42a8bc59dfcf94aa5 +digest: ddc3b0655fa1302142238ec869466e5f2ce2547f2f683effc7e5b0a813803b54 diff --git a/aws-cel/require-encryption-aws-loadbalancers/.chainsaw-test/chainsaw-test.yaml b/aws-cel/require-encryption-aws-loadbalancers/.chainsaw-test/chainsaw-test.yaml deleted file mode 100755 index 6b1de9110..000000000 
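Review bot: `generateExistingOnPolicyUpdate` is, as far as I recall, the older spelling of this field, deprecated from Kyverno 1.10 in favour of `generateExisting`, which is what the removed line used. If the revert is deliberate in order to target an older Kyverno release, the policy's `kyverno.io/kyverno-version` annotation (presumably in the metadata above this hunk, not visible here) should be pinned to that release so consumers on newer versions are not handed a deprecated field silently; otherwise keep `generateExisting: true`. The `rules` list that follows continues outside the hunk.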
--- a/aws-cel/require-encryption-aws-loadbalancers/.chainsaw-test/chainsaw-test.yaml +++ /dev/null @@ -1,33 +0,0 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json -apiVersion: chainsaw.kyverno.io/v1alpha1 -kind: Test -metadata: - creationTimestamp: null - name: require-encryption-aws-loadbalancers -spec: - steps: - - name: step-01 - try: - - apply: - file: ../require-encryption-aws-loadbalancers.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: require-encryption-aws-loadbalancers - spec: - validationFailureAction: Enforce - - assert: - file: policy-ready.yaml - - name: step-02 - try: - - apply: - expect: - - check: - ($error != null): true - file: service-fail.yaml - - apply: - file: service-pass.yaml - - apply: - file: service-skip.yaml diff --git a/aws-cel/require-encryption-aws-loadbalancers/.chainsaw-test/policy-ready.yaml b/aws-cel/require-encryption-aws-loadbalancers/.chainsaw-test/policy-ready.yaml deleted file mode 100755 index 169f02e73..000000000 --- a/aws-cel/require-encryption-aws-loadbalancers/.chainsaw-test/policy-ready.yaml +++ /dev/null @@ -1,9 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: require-encryption-aws-loadbalancers -status: - conditions: - - reason: Succeeded - status: "True" - type: Ready diff --git a/aws-cel/require-encryption-aws-loadbalancers/.chainsaw-test/service-fail.yaml b/aws-cel/require-encryption-aws-loadbalancers/.chainsaw-test/service-fail.yaml deleted file mode 100644 index 59f6034af..000000000 --- a/aws-cel/require-encryption-aws-loadbalancers/.chainsaw-test/service-fail.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: nginx-service -spec: - selector: - app: nginx - ports: - - port: 80 - targetPort: 8080 - type: LoadBalancer \ No newline at end of file 
diff --git a/aws-cel/require-encryption-aws-loadbalancers/.chainsaw-test/service-pass.yaml b/aws-cel/require-encryption-aws-loadbalancers/.chainsaw-test/service-pass.yaml deleted file mode 100644 index 25aa97d5e..000000000 --- a/aws-cel/require-encryption-aws-loadbalancers/.chainsaw-test/service-pass.yaml +++ /dev/null @@ -1,13 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: example-service - annotations: - service.beta.kubernetes.io/aws-load-balancer-ssl-cert: "SSL-CERT-HERE" -spec: - selector: - app: example - ports: - - port: 80 - targetPort: 8080 - type: LoadBalancer \ No newline at end of file diff --git a/aws-cel/require-encryption-aws-loadbalancers/.chainsaw-test/service-skip.yaml b/aws-cel/require-encryption-aws-loadbalancers/.chainsaw-test/service-skip.yaml deleted file mode 100644 index 56019f7cb..000000000 --- a/aws-cel/require-encryption-aws-loadbalancers/.chainsaw-test/service-skip.yaml +++ /dev/null @@ -1,14 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - labels: - app: nginx - name: nginx -spec: - ports: - - port: 80 - protocol: TCP - targetPort: 80 - selector: - run: nginx - type: ClusterIP \ No newline at end of file diff --git a/aws-cel/require-encryption-aws-loadbalancers/.kyverno-test/kyverno-test.yaml b/aws-cel/require-encryption-aws-loadbalancers/.kyverno-test/kyverno-test.yaml deleted file mode 100644 index c0813f244..000000000 --- a/aws-cel/require-encryption-aws-loadbalancers/.kyverno-test/kyverno-test.yaml +++ /dev/null 
@@ -1,30 +0,0 @@ -apiVersion: cli.kyverno.io/v1alpha1 -kind: Test -metadata: - name: require-encryption-aws-loadbalancers -policies: -- ../require-encryption-aws-loadbalancers.yaml -resources: -- ../.chainsaw-test/service-fail.yaml -- ../.chainsaw-test/service-pass.yaml -- ../.chainsaw-test/service-skip.yaml -results: -- policy: require-encryption-aws-loadbalancers - rule: aws-loadbalancer-has-ssl-cert - kind: Service - resources: - - nginx-service - result: fail -- policy: require-encryption-aws-loadbalancers - rule: aws-loadbalancer-has-ssl-cert - kind: Service - resources: - - example-service - result: pass -- policy: require-encryption-aws-loadbalancers - rule: aws-loadbalancer-has-ssl-cert - kind: Service - resources: - - nginx - result: skip - diff --git a/aws-cel/require-encryption-aws-loadbalancers/artifacthub-pkg.yml b/aws-cel/require-encryption-aws-loadbalancers/artifacthub-pkg.yml deleted file mode 100644 index 234dd6bf7..000000000 --- a/aws-cel/require-encryption-aws-loadbalancers/artifacthub-pkg.yml +++ /dev/null 
@@ -1,25 +0,0 @@ -name: require-encryption-aws-loadbalancers-cel -version: 1.0.0 -displayName: Require Encryption with AWS LoadBalancers in CEL expressions -description: >- - Services of type LoadBalancer when deployed inside AWS have support for transport encryption if it is enabled via an annotation. This policy requires that Services of type LoadBalancer contain the annotation service.beta.kubernetes.io/aws-load-balancer-ssl-cert with some value. -install: |- - ```shell - kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/aws-cel/require-encryption-aws-loadbalancers/require-encryption-aws-loadbalancers.yaml - ``` -keywords: - - kyverno - - AWS - - EKS Best Practices - - CEL Expressions -readme: | - Services of type LoadBalancer when deployed inside AWS have support for transport encryption if it is enabled via an annotation. This policy requires that Services of type LoadBalancer contain the annotation service.beta.kubernetes.io/aws-load-balancer-ssl-cert with some value. - - Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ -annotations: - kyverno/category: "AWS, EKS Best Practices in CEL" - kyverno/kubernetesVersion: "1.26-1.27" - kyverno/subject: "Service" -digest: e2320be39a69521f5420e33890a87b1195a3658022e1e23909387e9dc0937c2e -createdAt: "2024-05-11T16:01:13Z" - diff --git a/aws-cel/require-encryption-aws-loadbalancers/require-encryption-aws-loadbalancers.yaml b/aws-cel/require-encryption-aws-loadbalancers/require-encryption-aws-loadbalancers.yaml deleted file mode 100644 index 20c71ab38..000000000 --- a/aws-cel/require-encryption-aws-loadbalancers/require-encryption-aws-loadbalancers.yaml +++ /dev/null 
@@ -1,39 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: require-encryption-aws-loadbalancers - annotations: - policies.kyverno.io/title: Require Encryption with AWS LoadBalancers in CEL expressions - policies.kyverno.io/category: AWS, EKS Best Practices in CEL - policies.kyverno.io/severity: medium - policies.kyverno.io/subject: Service - kyverno.io/kyverno-version: 1.12.1 - kyverno.io/kubernetes-version: "1.26-1.27" - policies.kyverno.io/description: >- - Services of type LoadBalancer when deployed inside AWS have support for - transport encryption if it is enabled via an annotation. This policy requires - that Services of type LoadBalancer contain the annotation - service.beta.kubernetes.io/aws-load-balancer-ssl-cert with some value. -spec: - validationFailureAction: Audit - background: true - rules: - - name: aws-loadbalancer-has-ssl-cert - match: - any: - - resources: - kinds: - - Service - operations: - - CREATE - - UPDATE - celPreconditions: - - name: "type-should-be-load-balancer" - expression: "object.spec.type == 'LoadBalancer'" - validate: - cel: - expressions: - - expression: >- - object.metadata.?annotations[?'service.beta.kubernetes.io/aws-load-balancer-ssl-cert'].orValue('') != '' - message: "Service of type LoadBalancer must carry the annotation service.beta.kubernetes.io/aws-load-balancer-ssl-cert." - diff --git a/aws/require-aws-node-irsa/artifacthub-pkg.yml b/aws/require-aws-node-irsa/artifacthub-pkg.yml index 142cf90fa..2c9c7169f 100644 --- a/aws/require-aws-node-irsa/artifacthub-pkg.yml +++ b/aws/require-aws-node-irsa/artifacthub-pkg.yml @@ -20,4 +20,4 @@ annotations: kyverno/category: "AWS, EKS Best Practices" kyverno/kubernetesVersion: "1.24" kyverno/subject: "DaemonSet" -digest: a39c0908e2bdff2fa166dd9491d604324f06dbd8872070d9a59effc6bbdec898 +digest: 87f310a81a0f34889ac3664f0a5ff0aa5553cbb2b3223bc0ef6dae0d10bf0e92 
diff --git a/aws/require-aws-node-irsa/require-aws-node-irsa.yaml b/aws/require-aws-node-irsa/require-aws-node-irsa.yaml index 48670fa02..4c42d9998 100644 --- a/aws/require-aws-node-irsa/require-aws-node-irsa.yaml +++ b/aws/require-aws-node-irsa/require-aws-node-irsa.yaml @@ -19,7 +19,7 @@ metadata: the `aws-node` DaemonSet to use IRSA. This policy ensures that the `aws-node` DaemonSet running in the `kube-system` Namespace is not still using the `aws-node` ServiceAccount. spec: - validationFailureAction: Audit + validationFailureAction: audit background: true rules: - name: validate-node-daemonset-irsa diff --git a/aws/require-encryption-aws-loadbalancers/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/aws/require-encryption-aws-loadbalancers/.chainsaw-test/chainsaw-step-01-assert-1.yaml index 169f02e73..7806e1591 100755 --- a/aws/require-encryption-aws-loadbalancers/.chainsaw-test/chainsaw-step-01-assert-1.yaml +++ b/aws/require-encryption-aws-loadbalancers/.chainsaw-test/chainsaw-step-01-assert-1.yaml @@ -3,7 +3,4 @@ kind: ClusterPolicy metadata: name: require-encryption-aws-loadbalancers status: - conditions: - - reason: Succeeded - status: "True" - type: Ready + ready: true diff --git a/aws/require-encryption-aws-loadbalancers/.chainsaw-test/chainsaw-test.yaml b/aws/require-encryption-aws-loadbalancers/.chainsaw-test/chainsaw-test.yaml index 91966d7b3..2ff19e055 100755 --- a/aws/require-encryption-aws-loadbalancers/.chainsaw-test/chainsaw-test.yaml +++ b/aws/require-encryption-aws-loadbalancers/.chainsaw-test/chainsaw-test.yaml @@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: 
@@ -8,16 +7,9 @@ spec: steps: - name: step-01 try: - - apply: - file: ../require-encryption-aws-loadbalancers.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: require-encryption-aws-loadbalancers - spec: - validationFailureAction: Enforce + - script: + content: | + sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../require-encryption-aws-loadbalancers.yaml | kubectl create -f - - assert: file: chainsaw-step-01-assert-1.yaml - name: step-02 @@ -31,3 +23,10 @@ spec: file: service-pass.yaml - apply: file: service-skip.yaml + - name: step-99 + try: + - delete: + ref: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: require-encryption-aws-loadbalancers diff --git a/aws/require-encryption-aws-loadbalancers/.kyverno-test/kyverno-test.yaml b/aws/require-encryption-aws-loadbalancers/.kyverno-test/kyverno-test.yaml deleted file mode 100644 index c0813f244..000000000 --- a/aws/require-encryption-aws-loadbalancers/.kyverno-test/kyverno-test.yaml +++ /dev/null @@ -1,30 +0,0 @@ -apiVersion: cli.kyverno.io/v1alpha1 -kind: Test -metadata: - name: require-encryption-aws-loadbalancers -policies: -- ../require-encryption-aws-loadbalancers.yaml -resources: -- ../.chainsaw-test/service-fail.yaml -- ../.chainsaw-test/service-pass.yaml -- ../.chainsaw-test/service-skip.yaml -results: -- policy: require-encryption-aws-loadbalancers - rule: aws-loadbalancer-has-ssl-cert - kind: Service - resources: - - nginx-service - result: fail -- policy: require-encryption-aws-loadbalancers - rule: aws-loadbalancer-has-ssl-cert - kind: Service - resources: - - example-service - result: pass -- policy: require-encryption-aws-loadbalancers - rule: aws-loadbalancer-has-ssl-cert - kind: Service - resources: - - nginx - result: skip - diff --git a/aws/require-encryption-aws-loadbalancers/artifacthub-pkg.yml b/aws/require-encryption-aws-loadbalancers/artifacthub-pkg.yml index 0e0cc2d37..0978b271a 100644 
--- a/aws/require-encryption-aws-loadbalancers/artifacthub-pkg.yml +++ b/aws/require-encryption-aws-loadbalancers/artifacthub-pkg.yml @@ -20,4 +20,4 @@ annotations: kyverno/category: "AWS, EKS Best Practices" kyverno/kubernetesVersion: "1.23-1.24" kyverno/subject: "Service" -digest: 2d174428edf213e9f4f2368e5fbe430ff07ad2cf11628e2401021f1a6994d9cc +digest: 6e54a5bb0c445d0f619c75369e8e47a3d0ccebef9ebc44bc7567f3b850c40d27 diff --git a/aws/require-encryption-aws-loadbalancers/require-encryption-aws-loadbalancers.yaml b/aws/require-encryption-aws-loadbalancers/require-encryption-aws-loadbalancers.yaml index a2b0c4558..cdc79ee74 100644 --- a/aws/require-encryption-aws-loadbalancers/require-encryption-aws-loadbalancers.yaml +++ b/aws/require-encryption-aws-loadbalancers/require-encryption-aws-loadbalancers.yaml @@ -16,7 +16,7 @@ metadata: that Services of type LoadBalancer contain the annotation service.beta.kubernetes.io/aws-load-balancer-ssl-cert with some value. spec: - validationFailureAction: Audit + validationFailureAction: audit background: true rules: - name: aws-loadbalancer-has-ssl-cert diff --git a/best-practices-cel/check-deprecated-apis/.kyverno-test/kyverno-test.yaml b/best-practices-cel/check-deprecated-apis/.kyverno-test/kyverno-test.yaml deleted file mode 100644 index 7b7f6b6b4..000000000 --- a/best-practices-cel/check-deprecated-apis/.kyverno-test/kyverno-test.yaml +++ /dev/null @@ -1,27 +0,0 @@ -apiVersion: cli.kyverno.io/v1alpha1 -kind: Test -metadata: - name: check-deprecated-apis -policies: -- ../check-deprecated-apis.yaml -resources: -- resource.yaml -results: -- kind: CronJob - policy: check-deprecated-apis - resources: - - bad-cronjob - result: fail - rule: validate-v1-25-removals -- kind: CronJob - policy: check-deprecated-apis - resources: - - good-cronjob - result: skip - rule: validate-v1-25-removals -- kind: FlowSchema - policy: check-deprecated-apis - resources: - - bad-flowschema - result: fail - rule: validate-v1-29-removals 
diff --git a/best-practices-cel/check-deprecated-apis/.kyverno-test/resource.yaml b/best-practices-cel/check-deprecated-apis/.kyverno-test/resource.yaml deleted file mode 100644 index c62c18ee1..000000000 --- a/best-practices-cel/check-deprecated-apis/.kyverno-test/resource.yaml +++ /dev/null @@ -1,52 +0,0 @@ -apiVersion: batch/v1beta1 -kind: CronJob -metadata: - name: bad-cronjob -spec: - schedule: "* * * * *" - jobTemplate: - spec: - template: - spec: - containers: - - name: hello - image: busybox:1.28 - imagePullPolicy: IfNotPresent - command: - - /bin/sh - - -c - - date; echo Hello from the Kubernetes cluster - restartPolicy: OnFailure - ---- - -apiVersion: batch/v1 -kind: CronJob -metadata: - name: good-cronjob -spec: - schedule: "* * * * *" - jobTemplate: - spec: - template: - spec: - containers: - - name: hello - image: busybox:1.28 - imagePullPolicy: IfNotPresent - command: - - /bin/sh - - -c - - date; echo Hello from the Kubernetes cluster - restartPolicy: OnFailure - ---- -apiVersion: flowcontrol.apiserver.k8s.io/v1beta2 -kind: FlowSchema -metadata: - name: bad-flowschema -spec: - matchingPrecedence: 1000 - priorityLevelConfiguration: - name: exempt - \ No newline at end of file diff --git a/best-practices-cel/check-deprecated-apis/artifacthub-pkg.yml b/best-practices-cel/check-deprecated-apis/artifacthub-pkg.yml deleted file mode 100644 index 1c20b08fa..000000000 --- a/best-practices-cel/check-deprecated-apis/artifacthub-pkg.yml +++ /dev/null 
@@ -1,23 +0,0 @@ -name: check-deprecated-apis-cel -version: 1.0.0 -displayName: Check deprecated APIs in CEL expressions -description: >- - Kubernetes APIs are sometimes deprecated and removed after a few releases. As a best practice, older API versions should be replaced with newer versions. This policy validates for APIs that are deprecated or scheduled for removal. Note that checking for some of these resources may require modifying the Kyverno ConfigMap to remove filters. PodSecurityPolicy is removed in v1.25 so therefore the validate-v1-25-removals rule may not completely work on 1.25+. -install: |- - ```shell - kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/best-practices-cel/check-deprecated-apis/check-deprecated-apis.yaml - ``` -keywords: - - kyverno - - Best Practices - - CEL Expressions -readme: | - Kubernetes APIs are sometimes deprecated and removed after a few releases. As a best practice, older API versions should be replaced with newer versions. This policy validates for APIs that are deprecated or scheduled for removal. Note that checking for some of these resources may require modifying the Kyverno ConfigMap to remove filters. PodSecurityPolicy is removed in v1.25 so therefore the validate-v1-25-removals rule may not completely work on 1.25+. - - Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ -annotations: - kyverno/category: "Best Practices in CEL" - kyverno/kubernetesVersion: "1.26-1.27" - kyverno/subject: "Kubernetes APIs" -digest: da368de7982e748983a14198e8f8ef46d455023e8938031444f832919fabba6e -createdAt: "2024-05-31T09:44:23Z" diff --git a/best-practices-cel/check-deprecated-apis/check-deprecated-apis.yaml b/best-practices-cel/check-deprecated-apis/check-deprecated-apis.yaml deleted file mode 100644 index f01488b1e..000000000 --- a/best-practices-cel/check-deprecated-apis/check-deprecated-apis.yaml +++ /dev/null 
@@ -1,95 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: check-deprecated-apis - annotations: - policies.kyverno.io/title: Check deprecated APIs in CEL expressions - policies.kyverno.io/category: Best Practices in CEL - policies.kyverno.io/subject: Kubernetes APIs - kyverno.io/kyverno-version: 1.12.1 - kyverno.io/kubernetes-version: "1.26-1.27" - policies.kyverno.io/description: >- - Kubernetes APIs are sometimes deprecated and removed after a few releases. - As a best practice, older API versions should be replaced with newer versions. - This policy validates for APIs that are deprecated or scheduled for removal. - Note that checking for some of these resources may require modifying the Kyverno - ConfigMap to remove filters. PodSecurityPolicy is removed in v1.25 - so therefore the validate-v1-25-removals rule may not completely work on 1.25+. -spec: - validationFailureAction: Audit - background: true - rules: - - name: validate-v1-25-removals - match: - any: - - resources: - # NOTE: PodSecurityPolicy is completely removed in 1.25. - kinds: - - batch/*/CronJob - - discovery.k8s.io/*/EndpointSlice - - events.k8s.io/*/Event - - policy/*/PodDisruptionBudget - - policy/*/PodSecurityPolicy - - node.k8s.io/*/RuntimeClass - celPreconditions: - - name: "allowed-api-versions" - expression: "object.apiVersion in ['batch/v1beta1', 'discovery.k8s.io/v1beta1', 'events.k8s.io/v1beta1', 'policy/v1beta1', 'node.k8s.io/v1beta1']" - validate: - cel: - expressions: - - expression: "false" - messageExpression: >- - object.apiVersion + '/' + object.kind + ' is deprecated and will be removed in v1.25. 
- See: https://kubernetes.io/docs/reference/using-api/deprecation-guide/' - - name: validate-v1-26-removals - match: - any: - - resources: - kinds: - - flowcontrol.apiserver.k8s.io/*/FlowSchema - - flowcontrol.apiserver.k8s.io/*/PriorityLevelConfiguration - - autoscaling/*/HorizontalPodAutoscaler - celPreconditions: - - name: "allowed-api-versions" - expression: "object.apiVersion in ['flowcontrol.apiserver.k8s.io/v1beta1', 'autoscaling/v2beta2']" - validate: - cel: - expressions: - - expression: "false" - messageExpression: >- - object.apiVersion + '/' + object.kind + ' is deprecated and will be removed in v1.26. - See: https://kubernetes.io/docs/reference/using-api/deprecation-guide/' - - name: validate-v1-27-removals - match: - any: - - resources: - kinds: - - storage.k8s.io/*/CSIStorageCapacity - celPreconditions: - - name: "allowed-api-versions" - expression: "object.apiVersion in ['storage.k8s.io/v1beta1']" - validate: - cel: - expressions: - - expression: "false" - messageExpression: >- - object.apiVersion + '/' + object.kind + ' is deprecated and will be removed in v1.27. - See: https://kubernetes.io/docs/reference/using-api/deprecation-guide/' - - name: validate-v1-29-removals - match: - any: - - resources: - kinds: - - flowcontrol.apiserver.k8s.io/*/FlowSchema - - flowcontrol.apiserver.k8s.io/*/PriorityLevelConfiguration - celPreconditions: - - name: "object.apiVersion" - expression: "object.apiVersion in ['flowcontrol.apiserver.k8s.io/v1beta2']" - validate: - cel: - expressions: - - expression: "false" - messageExpression: >- - object.apiVersion + '/' + object.kind + ' is deprecated and will be removed in v1.29. - See: https://kubernetes.io/docs/reference/using-api/deprecation-guide/' - diff --git a/best-practices-cel/disallow-cri-sock-mount/.chainsaw-test/chainsaw-test.yaml b/best-practices-cel/disallow-cri-sock-mount/.chainsaw-test/chainsaw-test.yaml deleted file mode 100755 index 869ffb436..000000000 
--- a/best-practices-cel/disallow-cri-sock-mount/.chainsaw-test/chainsaw-test.yaml +++ /dev/null @@ -1,51 +0,0 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json -apiVersion: chainsaw.kyverno.io/v1alpha1 -kind: Test -metadata: - creationTimestamp: null - name: disallow-cri-sock-mount -spec: - steps: - - name: step-01 - try: - - apply: - file: ../disallow-cri-sock-mount.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: disallow-container-sock-mounts - spec: - validationFailureAction: Enforce - - assert: - file: policy-ready.yaml - - name: step-02 - try: - - apply: - file: good-pod.yaml - - apply: - expect: - - check: - ($error != null): true - file: pod-containerd-sock.yaml - - apply: - expect: - - check: - ($error != null): true - file: pod-docker-sock.yaml - - apply: - expect: - - check: - ($error != null): true - file: pod-crio-sock.yaml - - apply: - expect: - - check: - ($error != null): true - file: pod-cri-dockerd-sock.yaml - - apply: - file: pod-emptydir-vol.yaml - - apply: - file: pod-no-volumes.yaml - diff --git a/best-practices-cel/disallow-cri-sock-mount/.chainsaw-test/good-pod.yaml b/best-practices-cel/disallow-cri-sock-mount/.chainsaw-test/good-pod.yaml deleted file mode 100644 index 997d06743..000000000 --- a/best-practices-cel/disallow-cri-sock-mount/.chainsaw-test/good-pod.yaml +++ /dev/null @@ -1,16 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: goodpod01 -spec: - containers: - - name: myshell - image: "ubuntu:18.04" - command: - - /bin/sleep - - "300" - volumes: - - name: data - hostPath: - path: /data - diff --git a/best-practices-cel/disallow-cri-sock-mount/.chainsaw-test/pod-containerd-sock.yaml b/best-practices-cel/disallow-cri-sock-mount/.chainsaw-test/pod-containerd-sock.yaml deleted file mode 100644 index 59a9b9660..000000000 
--- a/best-practices-cel/disallow-cri-sock-mount/.chainsaw-test/pod-containerd-sock.yaml +++ /dev/null @@ -1,16 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: pod-with-containerd-sock-mount -spec: - containers: - - name: myshell - image: "ubuntu:18.04" - command: - - /bin/sleep - - "300" - volumes: - - name: dockersock - hostPath: - path: /var/run/containerd/containerd.sock - diff --git a/best-practices-cel/disallow-cri-sock-mount/.chainsaw-test/pod-cri-dockerd-sock.yaml b/best-practices-cel/disallow-cri-sock-mount/.chainsaw-test/pod-cri-dockerd-sock.yaml deleted file mode 100644 index c5a6c87bd..000000000 --- a/best-practices-cel/disallow-cri-sock-mount/.chainsaw-test/pod-cri-dockerd-sock.yaml +++ /dev/null @@ -1,16 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: pod-with-cri-dockerd-sock-mount -spec: - containers: - - name: myshell - image: "ubuntu:18.04" - command: - - /bin/sleep - - "300" - volumes: - - name: dockersock - hostPath: - path: /var/run/cri-dockerd.sock - diff --git a/best-practices-cel/disallow-cri-sock-mount/.chainsaw-test/pod-crio-sock.yaml b/best-practices-cel/disallow-cri-sock-mount/.chainsaw-test/pod-crio-sock.yaml deleted file mode 100644 index 78325a06b..000000000 --- a/best-practices-cel/disallow-cri-sock-mount/.chainsaw-test/pod-crio-sock.yaml +++ /dev/null @@ -1,16 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: pod-with-crio-sock-mount -spec: - containers: - - name: myshell - image: "ubuntu:18.04" - command: - - /bin/sleep - - "300" - volumes: - - name: dockersock - hostPath: - path: /var/run/crio/crio.sock - diff --git a/best-practices-cel/disallow-cri-sock-mount/.chainsaw-test/pod-docker-sock.yaml b/best-practices-cel/disallow-cri-sock-mount/.chainsaw-test/pod-docker-sock.yaml deleted file mode 100644 index 072596f62..000000000 --- a/best-practices-cel/disallow-cri-sock-mount/.chainsaw-test/pod-docker-sock.yaml +++ /dev/null 
@@ -1,16 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: pod-with-docker-sock-mount -spec: - containers: - - name: myshell - image: "ubuntu:18.04" - command: - - /bin/sleep - - "300" - volumes: - - name: dockersock - hostPath: - path: /var/run/docker.sock - diff --git a/best-practices-cel/disallow-cri-sock-mount/.chainsaw-test/pod-emptydir-vol.yaml b/best-practices-cel/disallow-cri-sock-mount/.chainsaw-test/pod-emptydir-vol.yaml deleted file mode 100644 index 533ddd8d5..000000000 --- a/best-practices-cel/disallow-cri-sock-mount/.chainsaw-test/pod-emptydir-vol.yaml +++ /dev/null @@ -1,15 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: pod-with-emptydir-volume -spec: - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 - command: - - sleep - - "3600" - volumes: - - name: mydir - emptyDir: {} - diff --git a/best-practices-cel/disallow-cri-sock-mount/.chainsaw-test/pod-no-volumes.yaml b/best-practices-cel/disallow-cri-sock-mount/.chainsaw-test/pod-no-volumes.yaml deleted file mode 100644 index 4096734b0..000000000 --- a/best-practices-cel/disallow-cri-sock-mount/.chainsaw-test/pod-no-volumes.yaml +++ /dev/null @@ -1,13 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: pod-with-no-volumes -spec: - automountServiceAccountToken: false - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 - command: - - sleep - - "3600" - diff --git a/best-practices-cel/disallow-cri-sock-mount/.chainsaw-test/policy-ready.yaml b/best-practices-cel/disallow-cri-sock-mount/.chainsaw-test/policy-ready.yaml deleted file mode 100755 index 0e6bde6b2..000000000 --- a/best-practices-cel/disallow-cri-sock-mount/.chainsaw-test/policy-ready.yaml +++ /dev/null @@ -1,9 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: disallow-container-sock-mounts -status: - conditions: - - reason: Succeeded - status: "True" - type: Ready 
diff --git a/best-practices-cel/disallow-cri-sock-mount/.kyverno-test/kyverno-test.yaml b/best-practices-cel/disallow-cri-sock-mount/.kyverno-test/kyverno-test.yaml deleted file mode 100644 index f95fe7634..000000000 --- a/best-practices-cel/disallow-cri-sock-mount/.kyverno-test/kyverno-test.yaml +++ /dev/null @@ -1,22 +0,0 @@ -apiVersion: cli.kyverno.io/v1alpha1 -kind: Test -metadata: - name: disallow-cri-sock-mount -policies: -- ../disallow-cri-sock-mount.yaml -resources: -- resource.yaml -results: -- kind: Pod - policy: disallow-container-sock-mounts - resources: - - pod-with-docker-sock-mount - result: fail - rule: validate-socket-mounts -- kind: Pod - policy: disallow-container-sock-mounts - resources: - - goodpod01 - result: pass - rule: validate-socket-mounts - diff --git a/best-practices-cel/disallow-cri-sock-mount/.kyverno-test/resource.yaml b/best-practices-cel/disallow-cri-sock-mount/.kyverno-test/resource.yaml deleted file mode 100644 index 788e14cf7..000000000 --- a/best-practices-cel/disallow-cri-sock-mount/.kyverno-test/resource.yaml +++ /dev/null @@ -1,32 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: pod-with-docker-sock-mount -spec: - containers: - - name: myshell - image: "ubuntu:18.04" - command: - - /bin/sleep - - "300" - volumes: - - name: dockersock - hostPath: - path: /var/run/docker.sock ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod01 -spec: - containers: - - name: myshell - image: "ubuntu:18.04" - command: - - /bin/sleep - - "300" - volumes: - - name: data - hostPath: - path: /data - diff --git a/best-practices-cel/disallow-cri-sock-mount/artifacthub-pkg.yml b/best-practices-cel/disallow-cri-sock-mount/artifacthub-pkg.yml deleted file mode 100644 index b27921347..000000000 --- a/best-practices-cel/disallow-cri-sock-mount/artifacthub-pkg.yml +++ /dev/null 
@@ -1,25 +0,0 @@ -name: disallow-cri-sock-mount-cel -version: 1.0.0 -displayName: Disallow CRI socket mounts in CEL expressions -description: >- - Container daemon socket bind mounts allows access to the container engine on the node. This access can be used for privilege escalation and to manage containers outside of Kubernetes, and hence should not be allowed. This policy validates that the sockets used for CRI engines Docker, Containerd, and CRI-O are not used. In addition to or replacement of this policy, preventing users from mounting the parent directories (/var/run and /var) may be necessary to completely prevent socket bind mounts. -install: |- - ```shell - kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/best-practices-cel/disallow-cri-sock-mount/disallow-cri-sock-mount.yaml - ``` -keywords: - - kyverno - - Best Practices - - EKS Best Practices - - CEL Expressions -readme: | - Container daemon socket bind mounts allows access to the container engine on the node. This access can be used for privilege escalation and to manage containers outside of Kubernetes, and hence should not be allowed. This policy validates that the sockets used for CRI engines Docker, Containerd, and CRI-O are not used. In addition to or replacement of this policy, preventing users from mounting the parent directories (/var/run and /var) may be necessary to completely prevent socket bind mounts. - - Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ -annotations: - kyverno/category: "Best Practices, EKS Best Practices in CEL" - kyverno/kubernetesVersion: "1.26-1.27" - kyverno/subject: "Pod" -digest: 535db8906befe485750d0cc9094aca1a064e2738d9f1d60bd1dd72da9d7b6ca2 -createdAt: "2024-03-14T15:59:52Z" - 
diff --git a/best-practices-cel/disallow-cri-sock-mount/disallow-cri-sock-mount.yaml b/best-practices-cel/disallow-cri-sock-mount/disallow-cri-sock-mount.yaml deleted file mode 100644 index b243dd332..000000000 --- a/best-practices-cel/disallow-cri-sock-mount/disallow-cri-sock-mount.yaml +++ /dev/null 
@@ -1,61 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: disallow-container-sock-mounts - annotations: - policies.kyverno.io/title: Disallow CRI socket mounts in CEL expressions - policies.kyverno.io/category: Best Practices, EKS Best Practices in CEL - policies.kyverno.io/severity: medium - policies.kyverno.io/subject: Pod - policies.kyverno.io/minversion: 1.11.0 - kyverno.io/kubernetes-version: "1.26-1.27" - policies.kyverno.io/description: >- - Container daemon socket bind mounts allows access to the container engine on the - node. This access can be used for privilege escalation and to manage containers - outside of Kubernetes, and hence should not be allowed. This policy validates that - the sockets used for CRI engines Docker, Containerd, and CRI-O are not used. In addition - to or replacement of this policy, preventing users from mounting the parent directories - (/var/run and /var) may be necessary to completely prevent socket bind mounts. -spec: - validationFailureAction: Audit - background: true - rules: - - name: validate-socket-mounts - match: - any: - - resources: - kinds: - - Pod - operations: - - CREATE - - UPDATE - validate: - cel: - variables: - - name: hasVolumes - expression: "!has(object.spec.volumes)" - - name: volumes - expression: "object.spec.volumes" - - name: volumesWithHostPath - expression: "variables.volumes.filter(volume, has(volume.hostPath))" - expressions: - - expression: >- - variables.hasVolumes || - variables.volumesWithHostPath.all(volume, !volume.hostPath.path.matches('/var/run/docker.sock')) - message: "Use of the Docker Unix socket is not allowed." - - - expression: >- - variables.hasVolumes || - variables.volumesWithHostPath.all(volume, !volume.hostPath.path.matches('/var/run/containerd/containerd.sock')) - message: "Use of the Containerd Unix socket is not allowed." 
- - - expression: >- - variables.hasVolumes || - variables.volumesWithHostPath.all(volume, !volume.hostPath.path.matches('/var/run/crio/crio.sock')) - message: "Use of the CRI-O Unix socket is not allowed." - - - expression: >- - variables.hasVolumes || - variables.volumesWithHostPath.all(volume, !volume.hostPath.path.matches('/var/run/cri-dockerd.sock')) - message: "Use of the Docker CRI socket is not allowed." - diff --git a/best-practices-cel/disallow-default-namespace/.chainsaw-test/chainsaw-test.yaml b/best-practices-cel/disallow-default-namespace/.chainsaw-test/chainsaw-test.yaml deleted file mode 100755 index 3201f549b..000000000 --- a/best-practices-cel/disallow-default-namespace/.chainsaw-test/chainsaw-test.yaml +++ /dev/null @@ -1,56 +0,0 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json -apiVersion: chainsaw.kyverno.io/v1alpha1 -kind: Test -metadata: - creationTimestamp: null - name: disallow-default-namespace -spec: - steps: - - name: step-01 - try: - - apply: - file: ../disallow-default-namespace.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: disallow-default-namespace - spec: - validationFailureAction: Enforce - - assert: - file: policy-ready.yaml - - name: step-02 - try: - - apply: - file: ns.yaml - - name: step-03 - try: - - apply: - file: good-resources.yaml - - apply: - expect: - - check: - ($error != null): true - file: pod-default.yaml - - apply: - expect: - - check: - ($error != null): true - file: ds-default.yaml - - apply: - expect: - - check: - ($error != null): true - file: job-default.yaml - - apply: - expect: - - check: - ($error != null): true - file: ss-default.yaml - - apply: - expect: - - check: - ($error != null): true - file: deploy-default.yaml - 
diff --git a/best-practices-cel/disallow-default-namespace/.chainsaw-test/deploy-default.yaml b/best-practices-cel/disallow-default-namespace/.chainsaw-test/deploy-default.yaml deleted file mode 100644 index 06d961397..000000000 --- a/best-practices-cel/disallow-default-namespace/.chainsaw-test/deploy-default.yaml +++ /dev/null @@ -1,24 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app: busybox - name: bad-busybox - namespace: default -spec: - replicas: 1 - selector: - matchLabels: - app: busybox - template: - metadata: - labels: - app: busybox - spec: - containers: - - image: ghcr.io/kyverno/test-busybox:1.35 - name: busybox - command: - - "sleep" - - "3000" - diff --git a/best-practices-cel/disallow-default-namespace/.chainsaw-test/ds-default.yaml b/best-practices-cel/disallow-default-namespace/.chainsaw-test/ds-default.yaml deleted file mode 100644 index 6dc05dc9f..000000000 --- a/best-practices-cel/disallow-default-namespace/.chainsaw-test/ds-default.yaml +++ /dev/null @@ -1,21 +0,0 @@ -apiVersion: apps/v1 -kind: DaemonSet -metadata: - name: bad-daemonset - namespace: default -spec: - selector: - matchLabels: - name: good-daemonset - template: - metadata: - labels: - name: good-daemonset - spec: - containers: - - image: ghcr.io/kyverno/test-busybox:1.35 - name: busybox - command: - - "sleep" - - "3000" - diff --git a/best-practices-cel/disallow-default-namespace/.chainsaw-test/good-resources.yaml b/best-practices-cel/disallow-default-namespace/.chainsaw-test/good-resources.yaml deleted file mode 100644 index 3ad7b9b85..000000000 --- a/best-practices-cel/disallow-default-namespace/.chainsaw-test/good-resources.yaml +++ /dev/null 
@@ -1,98 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: goodpod01 - namespace: not-default-ns -spec: - containers: - - name: busybox - image: "busybox:v1.35" - command: - - "sleep" - - "3000" ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app: busybox - name: busybox - namespace: not-default-ns -spec: - replicas: 1 - selector: - matchLabels: - app: busybox - template: - metadata: - labels: - app: busybox - spec: - containers: - - image: ghcr.io/kyverno/test-busybox:1.35 - name: busybox - command: - - "sleep" - - "3000" ---- -apiVersion: apps/v1 -kind: DaemonSet -metadata: - name: good-daemonset - namespace: not-default-ns -spec: - selector: - matchLabels: - name: good-daemonset - template: - metadata: - labels: - name: good-daemonset - spec: - containers: - - image: ghcr.io/kyverno/test-busybox:1.35 - name: busybox - command: - - "sleep" - - "3000" ---- -apiVersion: batch/v1 -kind: Job -metadata: - name: good-job - namespace: not-default-ns -spec: - template: - spec: - containers: - - image: ghcr.io/kyverno/test-busybox:1.35 - name: busybox - command: - - "sleep" - - "3000" - restartPolicy: Never ---- -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: good-statefulset - namespace: not-default-ns -spec: - selector: - matchLabels: - app: busybox - serviceName: "busyservice" - replicas: 1 - minReadySeconds: 10 - template: - metadata: - labels: - app: busybox - spec: - containers: - - image: ghcr.io/kyverno/test-busybox:1.35 - name: busybox - command: - - "sleep" - - "3000" - diff --git a/best-practices-cel/disallow-default-namespace/.chainsaw-test/job-default.yaml b/best-practices-cel/disallow-default-namespace/.chainsaw-test/job-default.yaml deleted file mode 100644 index fca60baab..000000000 --- a/best-practices-cel/disallow-default-namespace/.chainsaw-test/job-default.yaml +++ /dev/null 
@@ -1,16 +0,0 @@ -apiVersion: batch/v1 -kind: Job -metadata: - name: bad-job - namespace: default -spec: - template: - spec: - containers: - - image: ghcr.io/kyverno/test-busybox:1.35 - name: busybox - command: - - "sleep" - - "3000" - restartPolicy: Never - diff --git a/best-practices-cel/disallow-default-namespace/.chainsaw-test/ns.yaml b/best-practices-cel/disallow-default-namespace/.chainsaw-test/ns.yaml deleted file mode 100755 index 31d4f3f6d..000000000 --- a/best-practices-cel/disallow-default-namespace/.chainsaw-test/ns.yaml +++ /dev/null @@ -1,5 +0,0 @@ -apiVersion: v1 -kind: Namespace -metadata: - name: not-default-ns - diff --git a/best-practices-cel/disallow-default-namespace/.chainsaw-test/pod-default.yaml b/best-practices-cel/disallow-default-namespace/.chainsaw-test/pod-default.yaml deleted file mode 100644 index f961230d8..000000000 --- a/best-practices-cel/disallow-default-namespace/.chainsaw-test/pod-default.yaml +++ /dev/null @@ -1,13 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: badpod01 - namespace: default -spec: - containers: - - name: busybox - image: "busybox:v1.35" - command: - - "sleep" - - "3000" - diff --git a/best-practices-cel/disallow-default-namespace/.chainsaw-test/policy-ready.yaml b/best-practices-cel/disallow-default-namespace/.chainsaw-test/policy-ready.yaml deleted file mode 100755 index 077564486..000000000 --- a/best-practices-cel/disallow-default-namespace/.chainsaw-test/policy-ready.yaml +++ /dev/null @@ -1,9 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: disallow-default-namespace -status: - conditions: - - reason: Succeeded - status: "True" - type: Ready diff --git a/best-practices-cel/disallow-default-namespace/.chainsaw-test/ss-default.yaml b/best-practices-cel/disallow-default-namespace/.chainsaw-test/ss-default.yaml deleted file mode 100644 index a055a4dec..000000000 --- a/best-practices-cel/disallow-default-namespace/.chainsaw-test/ss-default.yaml +++ /dev/null 
@@ -1,24 +0,0 @@ -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: good-statefulset - namespace: default -spec: - selector: - matchLabels: - app: busybox - serviceName: "busyservice" - replicas: 1 - minReadySeconds: 10 - template: - metadata: - labels: - app: busybox - spec: - containers: - - image: ghcr.io/kyverno/test-busybox:1.35 - name: busybox - command: - - "sleep" - - "3000" - diff --git a/best-practices-cel/disallow-default-namespace/.kyverno-test/kyverno-test.yaml b/best-practices-cel/disallow-default-namespace/.kyverno-test/kyverno-test.yaml deleted file mode 100644 index f4eb1a74a..000000000 --- a/best-practices-cel/disallow-default-namespace/.kyverno-test/kyverno-test.yaml +++ /dev/null @@ -1,34 +0,0 @@ -apiVersion: cli.kyverno.io/v1alpha1 -kind: Test -metadata: - name: disallow-default-namespace -policies: -- ../disallow-default-namespace.yaml -resources: -- resource.yaml -results: -- kind: Pod - policy: disallow-default-namespace - resources: - - badpod01 - result: fail - rule: validate-namespace -- kind: Pod - policy: disallow-default-namespace - resources: - - goodpod01 - result: pass - rule: validate-namespace -- kind: Deployment - policy: disallow-default-namespace - resources: - - baddeployment01 - result: fail - rule: validate-podcontroller-namespace -- kind: Deployment - policy: disallow-default-namespace - resources: - - gooddeployment01 - result: pass - rule: validate-podcontroller-namespace - diff --git a/best-practices-cel/disallow-default-namespace/.kyverno-test/resource.yaml b/best-practices-cel/disallow-default-namespace/.kyverno-test/resource.yaml deleted file mode 100644 index 6a9b6d05f..000000000 --- a/best-practices-cel/disallow-default-namespace/.kyverno-test/resource.yaml +++ /dev/null 
@@ -1,67 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: badpod01 - namespace: default - labels: - app: myapp -spec: - containers: - - name: nginx - image: nginx ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod01 - namespace: foo - labels: - app: myapp -spec: - containers: - - name: nginx - image: nginx ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment01 - labels: - app: busybox -spec: - replicas: 1 - selector: - matchLabels: - app: busybox - template: - metadata: - labels: - app: busybox - spec: - containers: - - image: busybox:1.28 - name: busybox - command: ["sleep", "9999"] ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment01 - labels: - app: busybox - namespace: foo -spec: - replicas: 1 - selector: - matchLabels: - app: busybox - template: - metadata: - labels: - app: busybox - spec: - containers: - - image: busybox:1.28 - name: busybox - command: ["sleep", "9999"] - diff --git a/best-practices-cel/disallow-default-namespace/artifacthub-pkg.yml b/best-practices-cel/disallow-default-namespace/artifacthub-pkg.yml deleted file mode 100644 index 60eefd39c..000000000 --- a/best-practices-cel/disallow-default-namespace/artifacthub-pkg.yml +++ /dev/null 
@@ -1,24 +0,0 @@ -name: disallow-default-namespace-cel -version: 1.0.0 -displayName: Disallow Default Namespace in CEL expressions -description: >- - Kubernetes Namespaces are an optional feature that provide a way to segment and isolate cluster resources across multiple applications and users. As a best practice, workloads should be isolated with Namespaces. Namespaces should be required and the default (empty) Namespace should not be used. This policy validates that Pods specify a Namespace name other than `default`. Rule auto-generation is disabled here due to Pod controllers need to specify the `namespace` field under the top-level `metadata` object and not at the Pod template level. -install: |- - ```shell - kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/best-practices-cel/disallow-default-namespace/disallow-default-namespace.yaml - ``` -keywords: - - kyverno - - Multi-Tenancy - - CEL Expressions -readme: | - Kubernetes Namespaces are an optional feature that provide a way to segment and isolate cluster resources across multiple applications and users. As a best practice, workloads should be isolated with Namespaces. Namespaces should be required and the default (empty) Namespace should not be used. This policy validates that Pods specify a Namespace name other than `default`. Rule auto-generation is disabled here due to Pod controllers need to specify the `namespace` field under the top-level `metadata` object and not at the Pod template level. - - Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ -annotations: - kyverno/category: "Multi-Tenancy in CEL" - kyverno/kubernetesVersion: "1.26-1.27" - kyverno/subject: "Pod" -digest: f2f0202e5f53ea5c446960c2c2467824b3ebb737150b4e9e4a83e700f89c3195 -createdAt: "2024-03-08T06:15:05Z" - 
diff --git a/best-practices-cel/disallow-default-namespace/disallow-default-namespace.yaml b/best-practices-cel/disallow-default-namespace/disallow-default-namespace.yaml deleted file mode 100644 index ea58613dc..000000000 --- a/best-practices-cel/disallow-default-namespace/disallow-default-namespace.yaml +++ /dev/null 
@@ -1,56 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: disallow-default-namespace - annotations: - pod-policies.kyverno.io/autogen-controllers: none - policies.kyverno.io/title: Disallow Default Namespace in CEL expressions - policies.kyverno.io/minversion: 1.11.0 - policies.kyverno.io/category: Multi-Tenancy in CEL - kyverno.io/kubernetes-version: "1.26-1.27" - policies.kyverno.io/severity: medium - policies.kyverno.io/subject: Pod - policies.kyverno.io/description: >- - Kubernetes Namespaces are an optional feature that provide a way to segment and - isolate cluster resources across multiple applications and users. As a best - practice, workloads should be isolated with Namespaces. Namespaces should be required - and the default (empty) Namespace should not be used. This policy validates that Pods - specify a Namespace name other than `default`. Rule auto-generation is disabled here - due to Pod controllers need to specify the `namespace` field under the top-level `metadata` - object and not at the Pod template level. -spec: - validationFailureAction: Audit - background: true - rules: - - name: validate-namespace - match: - any: - - resources: - kinds: - - Pod - operations: - - CREATE - - UPDATE - validate: - cel: - expressions: - - expression: "namespaceObject.metadata.name != 'default'" - message: "Using 'default' namespace is not allowed." - - name: validate-podcontroller-namespace - match: - any: - - resources: - kinds: - - DaemonSet - - Deployment - - Job - - StatefulSet - operations: - - CREATE - - UPDATE - validate: - cel: - expressions: - - expression: "namespaceObject.metadata.name != 'default'" - message: "Using 'default' namespace is not allowed for pod controllers." - diff --git a/best-practices-cel/disallow-empty-ingress-host/.chainsaw-test/chainsaw-test.yaml b/best-practices-cel/disallow-empty-ingress-host/.chainsaw-test/chainsaw-test.yaml deleted file mode 100755 index 6dfc3e124..000000000 
--- a/best-practices-cel/disallow-empty-ingress-host/.chainsaw-test/chainsaw-test.yaml +++ /dev/null @@ -1,42 +0,0 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json -apiVersion: chainsaw.kyverno.io/v1alpha1 -kind: Test -metadata: - creationTimestamp: null - name: disallow-empty-ingress-host -spec: - steps: - - name: step-01 - try: - - apply: - file: ../disallow-empty-ingress-host.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: disallow-empty-ingress-host - spec: - validationFailureAction: Enforce - - assert: - file: policy-ready.yaml - - name: step-02 - try: - - apply: - file: good-ingress.yaml - - apply: - expect: - - check: - ($error != null): true - file: no-host-ingress.yaml - - apply: - expect: - - check: - ($error != null): true - file: no-host-fail-first.yaml - - apply: - expect: - - check: - ($error != null): true - file: no-host-success-first.yaml - diff --git a/best-practices-cel/disallow-empty-ingress-host/.chainsaw-test/good-ingress.yaml b/best-practices-cel/disallow-empty-ingress-host/.chainsaw-test/good-ingress.yaml deleted file mode 100644 index 6eead42ed..000000000 --- a/best-practices-cel/disallow-empty-ingress-host/.chainsaw-test/good-ingress.yaml +++ /dev/null @@ -1,27 +0,0 @@ -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: ingress-wildcard-host -spec: - rules: - - host: "foo.bar.com" - http: - paths: - - pathType: Prefix - path: "/bar" - backend: - service: - name: service1 - port: - number: 80 - - host: "*.foo.com" - http: - paths: - - pathType: Prefix - path: "/foo" - backend: - service: - name: service2 - port: - number: 80 - diff --git a/best-practices-cel/disallow-empty-ingress-host/.chainsaw-test/no-host-fail-first.yaml b/best-practices-cel/disallow-empty-ingress-host/.chainsaw-test/no-host-fail-first.yaml deleted file mode 100644 index 9e130859b..000000000 
--- a/best-practices-cel/disallow-empty-ingress-host/.chainsaw-test/no-host-fail-first.yaml +++ /dev/null @@ -1,26 +0,0 @@ -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: ingress-host -spec: - rules: - - http: - paths: - - pathType: Prefix - path: "/bar" - backend: - service: - name: service1 - port: - number: 80 - - host: "bar.foo.com" - http: - paths: - - pathType: Prefix - path: "/foo" - backend: - service: - name: service2 - port: - number: 80 - diff --git a/best-practices-cel/disallow-empty-ingress-host/.chainsaw-test/no-host-ingress.yaml b/best-practices-cel/disallow-empty-ingress-host/.chainsaw-test/no-host-ingress.yaml deleted file mode 100644 index 9da802d65..000000000 --- a/best-practices-cel/disallow-empty-ingress-host/.chainsaw-test/no-host-ingress.yaml +++ /dev/null @@ -1,18 +0,0 @@ -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: minimal-ingress - annotations: - nginx.ingress.kubernetes.io/rewrite-target: / -spec: - rules: - - http: - paths: - - path: /testpath - pathType: Prefix - backend: - service: - name: test - port: - number: 80 - diff --git a/best-practices-cel/disallow-empty-ingress-host/.chainsaw-test/no-host-success-first.yaml b/best-practices-cel/disallow-empty-ingress-host/.chainsaw-test/no-host-success-first.yaml deleted file mode 100644 index 3ceca1142..000000000 --- a/best-practices-cel/disallow-empty-ingress-host/.chainsaw-test/no-host-success-first.yaml +++ /dev/null @@ -1,26 +0,0 @@ -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: ingress-host -spec: - rules: - - host: "bar.foo.com" - http: - paths: - - pathType: Prefix - path: "/bar" - backend: - service: - name: service1 - port: - number: 80 - - http: - paths: - - pathType: Prefix - path: "/foo" - backend: - service: - name: service2 - port: - number: 80 - 
diff --git a/best-practices-cel/disallow-empty-ingress-host/.chainsaw-test/policy-ready.yaml b/best-practices-cel/disallow-empty-ingress-host/.chainsaw-test/policy-ready.yaml deleted file mode 100644 index 957e645c5..000000000 --- a/best-practices-cel/disallow-empty-ingress-host/.chainsaw-test/policy-ready.yaml +++ /dev/null @@ -1,9 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: disallow-empty-ingress-host -status: - conditions: - - reason: Succeeded - status: "True" - type: Ready diff --git a/best-practices-cel/disallow-empty-ingress-host/.kyverno-test/kyverno-test.yaml b/best-practices-cel/disallow-empty-ingress-host/.kyverno-test/kyverno-test.yaml deleted file mode 100644 index 99d221a80..000000000 --- a/best-practices-cel/disallow-empty-ingress-host/.kyverno-test/kyverno-test.yaml +++ /dev/null @@ -1,22 +0,0 @@ -apiVersion: cli.kyverno.io/v1alpha1 -kind: Test -metadata: - name: disallow-empty-ingress-host -policies: -- ../disallow-empty-ingress-host.yaml -resources: -- resource.yaml -results: -- kind: Ingress - policy: disallow-empty-ingress-host - resources: - - minimal-ingress - result: fail - rule: disallow-empty-ingress-host -- kind: Ingress - policy: disallow-empty-ingress-host - resources: - - ingress-wildcard-host - result: pass - rule: disallow-empty-ingress-host - diff --git a/best-practices-cel/disallow-empty-ingress-host/.kyverno-test/resource.yaml b/best-practices-cel/disallow-empty-ingress-host/.kyverno-test/resource.yaml deleted file mode 100644 index 1c48af4ef..000000000 --- a/best-practices-cel/disallow-empty-ingress-host/.kyverno-test/resource.yaml +++ /dev/null 
@@ -1,45 +0,0 @@ -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: ingress-wildcard-host -spec: - rules: - - host: "foo.bar.com" - http: - paths: - - pathType: Prefix - path: "/bar" - backend: - service: - name: service1 - port: - number: 80 - - host: "*.foo.com" - http: - paths: - - pathType: Prefix - path: "/foo" - backend: - service: - name: service2 - port: - number: 80 ---- -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: minimal-ingress - annotations: - nginx.ingress.kubernetes.io/rewrite-target: / -spec: - rules: - - http: - paths: - - path: /testpath - pathType: Prefix - backend: - service: - name: test - port: - number: 80 - diff --git a/best-practices-cel/disallow-empty-ingress-host/artifacthub-pkg.yml b/best-practices-cel/disallow-empty-ingress-host/artifacthub-pkg.yml deleted file mode 100644 index dd36b796d..000000000 --- a/best-practices-cel/disallow-empty-ingress-host/artifacthub-pkg.yml +++ /dev/null 
@@ -1,24 +0,0 @@ -name: disallow-empty-ingress-host-cel -version: 1.0.0 -displayName: Disallow empty Ingress host in CEL expressions -description: >- - An ingress resource needs to define an actual host name in order to be valid. This policy ensures that there is a hostname for each rule defined. -install: |- - ```shell - kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/best-practices-cel/disallow-empty-ingress-host/disallow-empty-ingress-host.yaml - ``` -keywords: - - kyverno - - Best Practices - - CEL Expressions -readme: | - An ingress resource needs to define an actual host name in order to be valid. This policy ensures that there is a hostname for each rule defined. - - Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ -annotations: - kyverno/category: "Best Practices in CEL" - kyverno/kubernetesVersion: "1.26-1.27" - kyverno/subject: "Ingress" -digest: e07447adca26bd41cf44f7cced9f50fef4d6293d142a5092d0a95f4473747043 -createdAt: "2024-03-09T14:19:51Z" - diff --git a/best-practices-cel/disallow-empty-ingress-host/disallow-empty-ingress-host.yaml b/best-practices-cel/disallow-empty-ingress-host/disallow-empty-ingress-host.yaml deleted file mode 100644 index 62df5473d..000000000 --- a/best-practices-cel/disallow-empty-ingress-host/disallow-empty-ingress-host.yaml +++ /dev/null 
@@ -1,35 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: disallow-empty-ingress-host - annotations: - policies.kyverno.io/title: Disallow empty Ingress host in CEL expressions - policies.kyverno.io/category: Best Practices in CEL - policies.kyverno.io/minversion: 1.11.0 - kyverno.io/kubernetes-version: "1.26-1.27" - policies.kyverno.io/severity: medium - policies.kyverno.io/subject: Ingress - policies.kyverno.io/description: >- - An ingress resource needs to define an actual host name - in order to be valid. This policy ensures that there is a - hostname for each rule defined. -spec: - validationFailureAction: Audit - background: false - rules: - - name: disallow-empty-ingress-host - match: - any: - - resources: - kinds: - - Ingress - operations: - - CREATE - - UPDATE - validate: - cel: - expressions: - - expression: >- - object.spec.?rules.orValue([]).all(rule, has(rule.host) && has(rule.http)) - message: "The Ingress host name must be defined, not empty." - diff --git a/best-practices-cel/disallow-helm-tiller/.chainsaw-test/bad-deploy.yaml b/best-practices-cel/disallow-helm-tiller/.chainsaw-test/bad-deploy.yaml deleted file mode 100644 index d8be1168b..000000000 --- a/best-practices-cel/disallow-helm-tiller/.chainsaw-test/bad-deploy.yaml +++ /dev/null @@ -1,22 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment-ht - labels: - app: busybox -spec: - replicas: 1 - selector: - matchLabels: - app: busybox - template: - metadata: - labels: - app: busybox - spec: - containers: - - image: ghcr.io/kyverno/test-busybox - name: busybox - - image: docker.io/tiller:latest - name: helm-tiller - diff --git a/best-practices-cel/disallow-helm-tiller/.chainsaw-test/bad-pod-fail-first.yaml b/best-practices-cel/disallow-helm-tiller/.chainsaw-test/bad-pod-fail-first.yaml deleted file mode 100644 index b52f86301..000000000 --- a/best-practices-cel/disallow-helm-tiller/.chainsaw-test/bad-pod-fail-first.yaml +++ /dev/null 
@@ -1,11 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: badpod02-ht -spec: - containers: - - name: helm-tiller - image: docker.io/tiller:latest - - name: somebox - image: ghcr.io/kyverno/test-busybox:1.35 - diff --git a/best-practices-cel/disallow-helm-tiller/.chainsaw-test/bad-pod-success-first.yaml b/best-practices-cel/disallow-helm-tiller/.chainsaw-test/bad-pod-success-first.yaml deleted file mode 100644 index 1d5374d5c..000000000 --- a/best-practices-cel/disallow-helm-tiller/.chainsaw-test/bad-pod-success-first.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: badpod03-ht -spec: - containers: - - name: somebox - image: ghcr.io/kyverno/test-busybox:1.35 - - name: helm-tiller - image: docker.io/tiller:latest - diff --git a/best-practices-cel/disallow-helm-tiller/.chainsaw-test/bad-pod.yaml b/best-practices-cel/disallow-helm-tiller/.chainsaw-test/bad-pod.yaml deleted file mode 100644 index 789e0bcaa..000000000 --- a/best-practices-cel/disallow-helm-tiller/.chainsaw-test/bad-pod.yaml +++ /dev/null @@ -1,9 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: badpod01-ht -spec: - containers: - - name: helm-tiller - image: docker.io/tiller:latest - diff --git a/best-practices-cel/disallow-helm-tiller/.chainsaw-test/chainsaw-test.yaml b/best-practices-cel/disallow-helm-tiller/.chainsaw-test/chainsaw-test.yaml deleted file mode 100755 index 7ca0071c4..000000000 --- a/best-practices-cel/disallow-helm-tiller/.chainsaw-test/chainsaw-test.yaml +++ /dev/null 
@@ -1,49 +0,0 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json -apiVersion: chainsaw.kyverno.io/v1alpha1 -kind: Test -metadata: - creationTimestamp: null - name: disallow-helm-tiller -spec: - steps: - - name: step-01 - try: - - apply: - file: ../disallow-helm-tiller.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: disallow-helm-tiller - spec: - validationFailureAction: Enforce - - assert: - file: policy-ready.yaml - - name: step-02 - try: - - apply: - file: good-pod.yaml - - apply: - file: good-deploy.yaml - - apply: - expect: - - check: - ($error != null): true - file: bad-pod.yaml - - apply: - expect: - - check: - ($error != null): true - file: bad-deploy.yaml - - apply: - expect: - - check: - ($error != null): true - file: bad-pod-fail-first.yaml - - apply: - expect: - - check: - ($error != null): true - file: bad-pod-success-first.yaml - diff --git a/best-practices-cel/disallow-helm-tiller/.chainsaw-test/good-deploy.yaml b/best-practices-cel/disallow-helm-tiller/.chainsaw-test/good-deploy.yaml deleted file mode 100644 index a06416819..000000000 --- a/best-practices-cel/disallow-helm-tiller/.chainsaw-test/good-deploy.yaml +++ /dev/null @@ -1,21 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment-ht - labels: - app: busybox -spec: - replicas: 1 - selector: - matchLabels: - app: busybox - template: - metadata: - labels: - app: busybox - spec: - containers: - - image: ghcr.io/kyverno/test-busybox:1.35 - name: busybox - command: ["sleep", "3600"] - diff --git a/best-practices-cel/disallow-helm-tiller/.chainsaw-test/good-pod.yaml b/best-practices-cel/disallow-helm-tiller/.chainsaw-test/good-pod.yaml deleted file mode 100644 index d05317000..000000000 --- a/best-practices-cel/disallow-helm-tiller/.chainsaw-test/good-pod.yaml +++ /dev/null 
@@ -1,11 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: goodpod-ht -spec: - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 - - name: nothelmbox - image: ghcr.io/kyverno/test-busybox:1.35 - diff --git a/best-practices-cel/disallow-helm-tiller/.chainsaw-test/policy-ready.yaml b/best-practices-cel/disallow-helm-tiller/.chainsaw-test/policy-ready.yaml deleted file mode 100755 index e97801af1..000000000 --- a/best-practices-cel/disallow-helm-tiller/.chainsaw-test/policy-ready.yaml +++ /dev/null @@ -1,9 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: disallow-helm-tiller -status: - conditions: - - reason: Succeeded - status: "True" - type: Ready diff --git a/best-practices-cel/disallow-helm-tiller/.kyverno-test/kyverno-test.yaml b/best-practices-cel/disallow-helm-tiller/.kyverno-test/kyverno-test.yaml deleted file mode 100644 index b5bbcbdb1..000000000 --- a/best-practices-cel/disallow-helm-tiller/.kyverno-test/kyverno-test.yaml +++ /dev/null @@ -1,36 +0,0 @@ -apiVersion: cli.kyverno.io/v1alpha1 -kind: Test -metadata: - name: disallow-helm-tiller -policies: -- ../disallow-helm-tiller.yaml -resources: -- resource.yaml -results: -- kind: Deployment - policy: disallow-helm-tiller - resources: - - baddeployment01 - result: fail - rule: validate-helm-tiller -- kind: Pod - policy: disallow-helm-tiller - resources: - - badpod01 - - badpod02 - result: fail - rule: validate-helm-tiller -- kind: Deployment - policy: disallow-helm-tiller - resources: - - gooddeployment01 - result: pass - rule: validate-helm-tiller -- kind: Pod - policy: disallow-helm-tiller - resources: - - goodpod01 - - goodpod02 - result: pass - rule: validate-helm-tiller - diff --git a/best-practices-cel/disallow-helm-tiller/.kyverno-test/resource.yaml b/best-practices-cel/disallow-helm-tiller/.kyverno-test/resource.yaml deleted file mode 100644 index 6c2a16502..000000000 
--- a/best-practices-cel/disallow-helm-tiller/.kyverno-test/resource.yaml +++ /dev/null @@ -1,83 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: badpod01 -spec: - containers: - - name: helm-tiller - image: docker.io/tiller:latest ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod02 -spec: - containers: - - name: busybox - image: busybox:1.28 - - name: helm-tiller - image: docker.io/tiller:latest ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod01 -spec: - containers: - - name: busybox - image: busybox ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod02 -spec: - containers: - - name: busybox - image: busybox - - name: nginx - image: nginx ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment01 - labels: - app: busybox - namespace: foo -spec: - replicas: 1 - selector: - matchLabels: - app: busybox - template: - metadata: - labels: - app: busybox - spec: - containers: - - image: busybox:1.28 - name: busybox - command: ["sleep", "9999"] ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment01 - labels: - app: busybox - namespace: foo -spec: - replicas: 1 - selector: - matchLabels: - app: busybox - template: - metadata: - labels: - app: busybox - spec: - containers: - - image: docker.io/tiller:latest - name: helm-tiller - diff --git a/best-practices-cel/disallow-helm-tiller/artifacthub-pkg.yml b/best-practices-cel/disallow-helm-tiller/artifacthub-pkg.yml deleted file mode 100644 index ad20504c1..000000000 --- a/best-practices-cel/disallow-helm-tiller/artifacthub-pkg.yml +++ /dev/null 
@@ -1,24 +0,0 @@ -name: disallow-helm-tiller-cel -version: 1.0.0 -displayName: Disallow Helm Tiller in CEL expressions -description: >- - Tiller, found in Helm v2, has known security challenges. It requires administrative privileges and acts as a shared resource accessible to any authenticated user. Tiller can lead to privilege escalation as restricted users can impact other users. It is recommend to use Helm v3+ which does not contain Tiller for these reasons. This policy validates that there is not an image containing the name `tiller`. -install: |- - ```shell - kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/best-practices-cel/disallow-helm-tiller/disallow-helm-tiller.yaml - ``` -keywords: - - kyverno - - Sample - - CEL Expressions -readme: | - Tiller, found in Helm v2, has known security challenges. It requires administrative privileges and acts as a shared resource accessible to any authenticated user. Tiller can lead to privilege escalation as restricted users can impact other users. It is recommend to use Helm v3+ which does not contain Tiller for these reasons. This policy validates that there is not an image containing the name `tiller`. - - Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ -annotations: - kyverno/category: "Sample in CEL" - kyverno/kubernetesVersion: "1.26-1.27" - kyverno/subject: "Pod" -digest: 3ec71460444eda338adc7c96f76d9369275f9b494f9fca8248e240d4424937dc -createdAt: "2024-03-08T06:30:37Z" - diff --git a/best-practices-cel/disallow-helm-tiller/disallow-helm-tiller.yaml b/best-practices-cel/disallow-helm-tiller/disallow-helm-tiller.yaml deleted file mode 100644 index a9f5c8338..000000000 --- a/best-practices-cel/disallow-helm-tiller/disallow-helm-tiller.yaml +++ /dev/null 
@@ -1,36 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: disallow-helm-tiller - annotations: - policies.kyverno.io/title: Disallow Helm Tiller in CEL expressions - policies.kyverno.io/category: Sample in CEL - policies.kyverno.io/minversion: 1.11.0 - kyverno.io/kubernetes-version: "1.26-1.27" - policies.kyverno.io/severity: medium - policies.kyverno.io/subject: Pod - policies.kyverno.io/description: >- - Tiller, found in Helm v2, has known security challenges. It requires administrative privileges and acts as a shared - resource accessible to any authenticated user. Tiller can lead to privilege escalation as - restricted users can impact other users. It is recommend to use Helm v3+ which does not contain - Tiller for these reasons. This policy validates that there is not an image - containing the name `tiller`. -spec: - validationFailureAction: Audit - background: true - rules: - - name: validate-helm-tiller - match: - any: - - resources: - kinds: - - Pod - operations: - - CREATE - - UPDATE - validate: - cel: - expressions: - - expression: "object.spec.containers.all(container, !container.image.contains('tiller'))" - message: "Helm Tiller is not allowed" - diff --git a/best-practices-cel/disallow-latest-tag/.chainsaw-test/bad-pod-latest-fail-first.yaml b/best-practices-cel/disallow-latest-tag/.chainsaw-test/bad-pod-latest-fail-first.yaml deleted file mode 100644 index 6c85b62e3..000000000 --- a/best-practices-cel/disallow-latest-tag/.chainsaw-test/bad-pod-latest-fail-first.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: badpod-latest -spec: - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox:latest - - name: nginx - image: ghcr.io/kyverno/test-nginx:1.35 - 
diff --git a/best-practices-cel/disallow-latest-tag/.chainsaw-test/bad-pod-latest-success-first.yaml b/best-practices-cel/disallow-latest-tag/.chainsaw-test/bad-pod-latest-success-first.yaml deleted file mode 100644 index 906af4a7f..000000000 --- a/best-practices-cel/disallow-latest-tag/.chainsaw-test/bad-pod-latest-success-first.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: badpod-latest -spec: - containers: - - name: nginx - image: ghcr.io/kyverno/test-nginx:1.35 - - name: busybox - image: ghcr.io/kyverno/test-busybox:latest - diff --git a/best-practices-cel/disallow-latest-tag/.chainsaw-test/bad-pod-no-tag.yaml b/best-practices-cel/disallow-latest-tag/.chainsaw-test/bad-pod-no-tag.yaml deleted file mode 100644 index a4410ed4a..000000000 --- a/best-practices-cel/disallow-latest-tag/.chainsaw-test/bad-pod-no-tag.yaml +++ /dev/null @@ -1,33 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: badpod-no-tag -spec: - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox - - name: nginx - image: ghcr.io/kyverno/test-nginx:1.35 ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod-no-tag -spec: - containers: - - name: nginx - image: ghcr.io/kyverno/test-nginx:1.35 - - name: busybox - image: ghcr.io/kyverno/test-busybox ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod-no-tag -spec: - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox - - name: nginx - image: ghcr.io/kyverno/test-nginx:latest - diff --git a/best-practices-cel/disallow-latest-tag/.chainsaw-test/chainsaw-test.yaml b/best-practices-cel/disallow-latest-tag/.chainsaw-test/chainsaw-test.yaml deleted file mode 100755 index d87f9311f..000000000 --- a/best-practices-cel/disallow-latest-tag/.chainsaw-test/chainsaw-test.yaml +++ /dev/null 
@@ -1,42 +0,0 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json -apiVersion: chainsaw.kyverno.io/v1alpha1 -kind: Test -metadata: - creationTimestamp: null - name: disallow-latest-tag -spec: - steps: - - name: step-01 - try: - - apply: - file: ../disallow-latest-tag.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: disallow-latest-tag - spec: - validationFailureAction: Enforce - - assert: - file: policy-ready.yaml - - name: step-02 - try: - - apply: - file: good-pod.yaml - - apply: - expect: - - check: - ($error != null): true - file: bad-pod-latest-fail-first.yaml - - apply: - expect: - - check: - ($error != null): true - file: bad-pod-latest-success-first.yaml - - apply: - expect: - - check: - ($error != null): true - file: bad-pod-no-tag.yaml - diff --git a/best-practices-cel/disallow-latest-tag/.chainsaw-test/good-pod.yaml b/best-practices-cel/disallow-latest-tag/.chainsaw-test/good-pod.yaml deleted file mode 100644 index 1863965ef..000000000 --- a/best-practices-cel/disallow-latest-tag/.chainsaw-test/good-pod.yaml +++ /dev/null @@ -1,9 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: goodpod-ht -spec: - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 - diff --git a/best-practices-cel/disallow-latest-tag/.chainsaw-test/policy-ready.yaml b/best-practices-cel/disallow-latest-tag/.chainsaw-test/policy-ready.yaml deleted file mode 100755 index 19f475312..000000000 --- a/best-practices-cel/disallow-latest-tag/.chainsaw-test/policy-ready.yaml +++ /dev/null @@ -1,9 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: disallow-latest-tag -status: - conditions: - - reason: Succeeded - status: "True" - type: Ready 
diff --git a/best-practices-cel/disallow-latest-tag/.kyverno-test/kyverno-test.yaml b/best-practices-cel/disallow-latest-tag/.kyverno-test/kyverno-test.yaml deleted file mode 100644 index b7a1f2a16..000000000 --- a/best-practices-cel/disallow-latest-tag/.kyverno-test/kyverno-test.yaml +++ /dev/null @@ -1,48 +0,0 @@ -apiVersion: cli.kyverno.io/v1alpha1 -kind: Test -metadata: - name: disallow-latest-tag -policies: -- ../disallow-latest-tag.yaml -resources: -- resource.yaml -results: -- kind: Deployment - policy: disallow-latest-tag - resources: - - baddeployment01 - result: fail - rule: require-and-validate-image-tag -- kind: Pod - policy: disallow-latest-tag - resources: - - badpod01 - - badpod02 - result: fail - rule: require-and-validate-image-tag -- kind: Deployment - policy: disallow-latest-tag - resources: - - gooddeployment01 - result: pass - rule: require-and-validate-image-tag -- kind: Pod - policy: disallow-latest-tag - resources: - - myapp-pod - result: pass - rule: require-and-validate-image-tag -- kind: Deployment - policy: disallow-latest-tag - resources: - - vit-baddeployment01 - result: fail - rule: require-and-validate-image-tag -- kind: Pod - policy: disallow-latest-tag - resources: - - vit-badpod01 - - vit-badpod02 - result: fail - rule: require-and-validate-image-tag - diff --git a/best-practices-cel/disallow-latest-tag/.kyverno-test/resource.yaml b/best-practices-cel/disallow-latest-tag/.kyverno-test/resource.yaml deleted file mode 100644 index f4f709070..000000000 --- a/best-practices-cel/disallow-latest-tag/.kyverno-test/resource.yaml +++ /dev/null 
@@ -1,122 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: myapp-pod - labels: - app: myapp -spec: - containers: - - name: nginx - image: nginx:1.12 ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod01 - labels: - app: myapp -spec: - containers: - - name: nginx - image: nginx ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod02 - labels: - app: myapp -spec: - containers: - - name: busybox - image: busybox:1.28 - - name: nginx - image: nginx ---- -apiVersion: v1 -kind: Pod -metadata: - name: vit-badpod01 - labels: - app: myapp -spec: - containers: - - name: nginx - image: nginx:latest ---- -apiVersion: v1 -kind: Pod -metadata: - name: vit-badpod02 - labels: - app: myapp -spec: - containers: - - name: busybox - image: busybox:1.28 - - name: nginx - image: nginx:latest ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment01 - labels: - app: busybox -spec: - replicas: 1 - selector: - matchLabels: - app: busybox - template: - metadata: - labels: - app: busybox - spec: - containers: - - image: busybox:1.28 - name: busybox - command: ["sleep", "9999"] ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment01 - labels: - app: busybox -spec: - replicas: 1 - selector: - matchLabels: - app: busybox - template: - metadata: - labels: - app: busybox - spec: - containers: - - image: busybox - name: busybox - command: ["sleep", "9999"] ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: vit-baddeployment01 - labels: - app: busybox -spec: - replicas: 1 - selector: - matchLabels: - app: busybox - template: - metadata: - labels: - app: busybox - spec: - containers: - - image: busybox:latest - name: busybox - command: ["sleep", "9999"] - diff --git a/best-practices-cel/disallow-latest-tag/artifacthub-pkg.yml b/best-practices-cel/disallow-latest-tag/artifacthub-pkg.yml deleted file mode 100644 index 6275bb017..000000000 --- a/best-practices-cel/disallow-latest-tag/artifacthub-pkg.yml +++ /dev/null 
@@ -1,24 +0,0 @@ -name: disallow-latest-tag-cel -version: 1.0.0 -displayName: Disallow Latest Tag in CEL expressions -description: >- - The ':latest' tag is mutable and can lead to unexpected errors if the image changes. A best practice is to use an immutable tag that maps to a specific version of an application Pod. This policy validates that the image specifies a tag and that it is not called `latest`. -install: |- - ```shell - kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/best-practices-cel/disallow-latest-tag/disallow-latest-tag.yaml - ``` -keywords: - - kyverno - - Best Practices - - CEL Expressions -readme: | - The ':latest' tag is mutable and can lead to unexpected errors if the image changes. A best practice is to use an immutable tag that maps to a specific version of an application Pod. This policy validates that the image specifies a tag and that it is not called `latest`. - - Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ -annotations: - kyverno/category: "Best Practices in CEL" - kyverno/kubernetesVersion: "1.26-1.27" - kyverno/subject: "Pod" -digest: 46eddb82b6df69bf68894505115899ff2ed833cbe22a05b3c933abf422017110 -createdAt: "2024-03-07T20:17:11Z" - diff --git a/best-practices-cel/disallow-latest-tag/disallow-latest-tag.yaml b/best-practices-cel/disallow-latest-tag/disallow-latest-tag.yaml deleted file mode 100644 index 4c467efb7..000000000 --- a/best-practices-cel/disallow-latest-tag/disallow-latest-tag.yaml +++ /dev/null 
@@ -1,37 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: disallow-latest-tag - annotations: - policies.kyverno.io/title: Disallow Latest Tag in CEL expressions - policies.kyverno.io/category: Best Practices in CEL - policies.kyverno.io/minversion: 1.11.0 - kyverno.io/kubernetes-version: "1.26-1.27" - policies.kyverno.io/severity: medium - policies.kyverno.io/subject: Pod - policies.kyverno.io/description: >- - The ':latest' tag is mutable and can lead to unexpected errors if the - image changes. A best practice is to use an immutable tag that maps to - a specific version of an application Pod. This policy validates that the image - specifies a tag and that it is not called `latest`. -spec: - validationFailureAction: Audit - background: true - rules: - - name: require-and-validate-image-tag - match: - any: - - resources: - kinds: - - Pod - operations: - - CREATE - - UPDATE - validate: - cel: - expressions: - - expression: "object.spec.containers.all(container, container.image.contains(':'))" - message: "An image tag is required." - - expression: "object.spec.containers.all(container, !container.image.endsWith(':latest'))" - message: "Using a mutable image tag e.g. 'latest' is not allowed." - diff --git a/best-practices-cel/require-drop-all/.chainsaw-test/bad-pod-containers.yaml b/best-practices-cel/require-drop-all/.chainsaw-test/bad-pod-containers.yaml deleted file mode 100644 index 8ce6c3584..000000000 --- a/best-practices-cel/require-drop-all/.chainsaw-test/bad-pod-containers.yaml +++ /dev/null 
@@ -1,62 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: add-capabilities-bad -spec: - initContainers: - - name: init - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - add: ["SYS_TIME"] - drop: - - ALL - - name: init2 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - add: ["SYS_TIME"] - drop: - - ALL - containers: - - name: add-capabilities - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - add: ["SYS_TIME"] - drop: - - ALL - - name: add-capabilities-again - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: v1 -kind: Pod -metadata: - name: add-capabilities-bad -spec: - initContainers: - - name: init - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - add: ["SYS_TIME"] - drop: - - ALL - - name: init2 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - add: ["SYS_TIME"] - drop: - - ALL - containers: - - name: add-capabilities-again - image: ghcr.io/kyverno/test-busybox:1.35 - - name: add-capabilities - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - add: ["SYS_TIME"] - drop: - - ALL - diff --git a/best-practices-cel/require-drop-all/.chainsaw-test/bad-pod-corner.yaml b/best-practices-cel/require-drop-all/.chainsaw-test/bad-pod-corner.yaml deleted file mode 100644 index acd742fde..000000000 --- a/best-practices-cel/require-drop-all/.chainsaw-test/bad-pod-corner.yaml +++ /dev/null 
@@ -1,55 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: add-capabilities-bad -spec: - containers: - - name: add-capabilities - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - add: ["SYS_TIME"] - drop: - - ALL - - name: add-capabilities-again - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - add: ["SYS_TIME"] - drop: - - CAP_NET_RAW ---- -apiVersion: v1 -kind: Pod -metadata: - name: add-capabilities-bad -spec: - containers: - - name: add-capabilities - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - add: ["SYS_TIME"] - - name: add-capabilities-again - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - add: ["SYS_TIME"] - drop: - - ALL ---- -apiVersion: v1 -kind: Pod -metadata: - name: add-capabilities-bad -spec: - containers: - - name: init - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - drop: - - ALL - - name: init-again - image: ghcr.io/kyverno/test-busybox:1.35 - diff --git a/best-practices-cel/require-drop-all/.chainsaw-test/bad-pod-initcontainers.yaml b/best-practices-cel/require-drop-all/.chainsaw-test/bad-pod-initcontainers.yaml deleted file mode 100644 index cdb6ec865..000000000 --- a/best-practices-cel/require-drop-all/.chainsaw-test/bad-pod-initcontainers.yaml +++ /dev/null 
@@ -1,48 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: add-capabilities-bad -spec: - initContainers: - - name: init - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - add: ["SYS_TIME"] - drop: - - ALL - - name: init2 - image: ghcr.io/kyverno/test-busybox:1.35 - containers: - - name: add-capabilities - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - add: ["SYS_TIME"] - drop: - - ALL ---- -apiVersion: v1 -kind: Pod -metadata: - name: add-capabilities-bad -spec: - initContainers: - - name: init - image: ghcr.io/kyverno/test-busybox:1.35 - - name: init2 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - add: ["SYS_TIME"] - drop: - - ALL - containers: - - name: add-capabilities - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - add: ["SYS_TIME"] - drop: - - ALL - diff --git a/best-practices-cel/require-drop-all/.chainsaw-test/bad-podcontrollers.yaml b/best-practices-cel/require-drop-all/.chainsaw-test/bad-podcontrollers.yaml deleted file mode 100644 index 6b5811341..000000000 --- a/best-practices-cel/require-drop-all/.chainsaw-test/bad-podcontrollers.yaml +++ /dev/null 
@@ -1,154 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: dropall-baddeployment01 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: init - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - add: ["SYS_TIME"] - drop: - - ALL - - name: init2 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - add: ["SYS_TIME"] - drop: - - ALL - containers: - - name: add-capabilities - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - add: ["SYS_TIME"] - drop: - - ALL - - name: add-capabilities-again - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: dropall-baddeployment02 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: init - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - add: ["SYS_TIME"] - drop: - - ALL - - name: init2 - image: ghcr.io/kyverno/test-busybox:1.35 - containers: - - name: add-capabilities - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - add: ["SYS_TIME"] - drop: - - ALL - - name: add-capabilities-again - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - add: ["SYS_TIME"] - drop: - - ALL ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: dropall-badcronjob01 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: init - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - add: ["SYS_TIME"] - drop: - - ALL - - name: init2 - image: ghcr.io/kyverno/test-busybox:1.35 - containers: - - name: add-capabilities - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - add: ["SYS_TIME"] - drop: - - ALL - - name: 
add-capabilities-again - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - add: ["SYS_TIME"] - drop: - - ALL ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: dropall-badcronjob02 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: init - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - add: ["SYS_TIME"] - drop: - - ALL - - name: init2 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - add: ["SYS_TIME"] - drop: - - ALL - containers: - - name: add-capabilities - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - add: ["SYS_TIME"] - drop: - - ALL - - name: add-capabilities-again - image: ghcr.io/kyverno/test-busybox:1.35 - diff --git a/best-practices-cel/require-drop-all/.chainsaw-test/chainsaw-test.yaml b/best-practices-cel/require-drop-all/.chainsaw-test/chainsaw-test.yaml deleted file mode 100755 index fef0c209b..000000000 --- a/best-practices-cel/require-drop-all/.chainsaw-test/chainsaw-test.yaml +++ /dev/null 
@@ -1,51 +0,0 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json -apiVersion: chainsaw.kyverno.io/v1alpha1 -kind: Test -metadata: - creationTimestamp: null - name: require-drop-all -spec: - # disable templating because it can cause issues with CEL expressions - template: false - steps: - - name: step-01 - try: - - apply: - file: ../require-drop-all.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: drop-all-capabilities - spec: - validationFailureAction: Enforce - - assert: - file: policy-ready.yaml - - name: step-02 - try: - - apply: - file: good-pod.yaml - - apply: - file: good-podcontrollers.yaml - - apply: - expect: - - check: - ($error != null): true - file: bad-pod-containers.yaml - - apply: - expect: - - check: - ($error != null): true - file: bad-pod-initcontainers.yaml - - apply: - expect: - - check: - ($error != null): true - file: bad-pod-corner.yaml - - apply: - expect: - - check: - ($error != null): true - file: bad-podcontrollers.yaml - diff --git a/best-practices-cel/require-drop-all/.chainsaw-test/good-pod.yaml b/best-practices-cel/require-drop-all/.chainsaw-test/good-pod.yaml deleted file mode 100644 index 52d96bbea..000000000 --- a/best-practices-cel/require-drop-all/.chainsaw-test/good-pod.yaml +++ /dev/null @@ -1,28 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: add-capabilities-good -spec: - initContainers: - - name: init - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - drop: - - ALL - containers: - - name: add-capabilities - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - add: ["SYS_TIME"] - drop: - - ALL - - name: add-capabilities-again - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - add: ["SYS_TIME"] - drop: - - ALL - 
diff --git a/best-practices-cel/require-drop-all/.chainsaw-test/good-podcontrollers.yaml b/best-practices-cel/require-drop-all/.chainsaw-test/good-podcontrollers.yaml deleted file mode 100644 index 9224abaf0..000000000 --- a/best-practices-cel/require-drop-all/.chainsaw-test/good-podcontrollers.yaml +++ /dev/null @@ -1,87 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: dropall-gooddeployment01 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: init - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - add: ["SYS_TIME"] - drop: - - ALL - - name: init2 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - add: ["SYS_TIME"] - drop: - - ALL - containers: - - name: add-capabilities - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - add: ["SYS_TIME"] - drop: - - ALL - - name: add-capabilities-again - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - add: ["SYS_TIME"] - drop: - - ALL ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: dropall-goodcronjob01 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: init - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - add: ["SYS_TIME"] - drop: - - ALL - - name: init2 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - add: ["SYS_TIME"] - drop: - - ALL - containers: - - name: add-capabilities - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - add: ["SYS_TIME"] - drop: - - ALL - - name: add-capabilities-again - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - add: ["SYS_TIME"] - drop: - - ALL - 
diff --git a/best-practices-cel/require-drop-all/.chainsaw-test/policy-ready.yaml b/best-practices-cel/require-drop-all/.chainsaw-test/policy-ready.yaml deleted file mode 100755 index bfb8f0860..000000000 --- a/best-practices-cel/require-drop-all/.chainsaw-test/policy-ready.yaml +++ /dev/null @@ -1,9 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: drop-all-capabilities -status: - conditions: - - reason: Succeeded - status: "True" - type: Ready diff --git a/best-practices-cel/require-drop-all/.kyverno-test/kyverno-test.yaml b/best-practices-cel/require-drop-all/.kyverno-test/kyverno-test.yaml deleted file mode 100644 index 448b3f723..000000000 --- a/best-practices-cel/require-drop-all/.kyverno-test/kyverno-test.yaml +++ /dev/null @@ -1,22 +0,0 @@ -apiVersion: cli.kyverno.io/v1alpha1 -kind: Test -metadata: - name: require-drop-all -policies: -- ../require-drop-all.yaml -resources: -- resource.yaml -results: -- kind: Pod - policy: drop-all-capabilities - resources: - - add-capabilities-bad - result: fail - rule: require-drop-all -- kind: Pod - policy: drop-all-capabilities - resources: - - add-capabilities - result: pass - rule: require-drop-all - diff --git a/best-practices-cel/require-drop-all/.kyverno-test/resource.yaml b/best-practices-cel/require-drop-all/.kyverno-test/resource.yaml deleted file mode 100644 index c687d0672..000000000 --- a/best-practices-cel/require-drop-all/.kyverno-test/resource.yaml +++ /dev/null 
@@ -1,38 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
- name: add-capabilities
-spec:
- initContainers:
- - name: init
- image: gcr.io/google-samples/node-hello:1.0
- securityContext:
- capabilities:
- drop:
- - ALL
- containers:
- - name: add-capabilities
- image: gcr.io/google-samples/node-hello:1.0
- securityContext:
- capabilities:
- add: ["SYS_TIME"]
- drop:
- - ALL
----
-apiVersion: v1
-kind: Pod
-metadata:
- name: add-capabilities-bad
-spec:
- initContainers:
- - name: init
- image: gcr.io/google-samples/node-hello:1.0
- containers:
- - name: add-capabilities
- image: gcr.io/google-samples/node-hello:1.0
- securityContext:
- capabilities:
- add: ["SYS_TIME"]
- drop:
- - ALL
-
diff --git a/best-practices-cel/require-drop-all/artifacthub-pkg.yml b/best-practices-cel/require-drop-all/artifacthub-pkg.yml
deleted file mode 100644
index 22f58a86a..000000000
--- a/best-practices-cel/require-drop-all/artifacthub-pkg.yml
+++ /dev/null
@@ -1,24 +0,0 @@
-name: require-drop-all-cel
-version: 1.0.0
-displayName: Drop All Capabilities in CEL expressions
-description: >-
- Capabilities permit privileged actions without giving full root access. All capabilities should be dropped from a Pod, with only those required added back. This policy ensures that all containers explicitly specify the `drop: ["ALL"]` ability. Note that this policy also illustrates how to cover drop entries in any case although this may not strictly conform to the Pod Security Standards.
-install: |-
- ```shell
- kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/best-practices-cel/require-drop-all/require-drop-all.yaml
- ```
-keywords:
- - kyverno
- - Best Practices
- - CEL Expressions
-readme: |
- Capabilities permit privileged actions without giving full root access. All capabilities should be dropped from a Pod, with only those required added back. This policy ensures that all containers explicitly specify the `drop: ["ALL"]` ability. Note that this policy also illustrates how to cover drop entries in any case although this may not strictly conform to the Pod Security Standards.
-
- Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/
-annotations:
- kyverno/category: "Best Practices in CEL"
- kyverno/kubernetesVersion: "1.26-1.27"
- kyverno/subject: "Pod"
-digest: e30e0e6e98ad92017d641eddc650335cb688873b2c14c666fda925f3e809ae40
-createdAt: "2024-03-10T05:05:42Z"
-
diff --git a/best-practices-cel/require-drop-all/require-drop-all.yaml b/best-practices-cel/require-drop-all/require-drop-all.yaml
deleted file mode 100644
index c46cf43e0..000000000
--- a/best-practices-cel/require-drop-all/require-drop-all.yaml
+++ /dev/null
@@ -1,41 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
- name: drop-all-capabilities
- annotations:
- policies.kyverno.io/title: Drop All Capabilities in CEL expressions
- policies.kyverno.io/category: Best Practices in CEL
- policies.kyverno.io/severity: medium
- kyverno.io/kubernetes-version: "1.26-1.27"
- policies.kyverno.io/minversion: 1.11.0
- policies.kyverno.io/subject: Pod
- policies.kyverno.io/description: >-
- Capabilities permit privileged actions without giving full root access. All
- capabilities should be dropped from a Pod, with only those required added back.
- This policy ensures that all containers explicitly specify the `drop: ["ALL"]`
- ability. Note that this policy also illustrates how to cover drop entries in any
- case although this may not strictly conform to the Pod Security Standards.
-spec:
- validationFailureAction: Audit
- background: true
- rules:
- - name: require-drop-all
- match:
- any:
- - resources:
- kinds:
- - Pod
- operations:
- - CREATE
- - UPDATE
- validate:
- cel:
- variables:
- - name: allContainers
- expression: "object.spec.containers + object.spec.?initContainers.orValue([]) + object.spec.?ephemeralContainers.orValue([])"
- expressions:
- - expression: >-
- variables.allContainers.all(container,
- container.?securityContext.?capabilities.?drop.orValue([]).exists(capability, capability.upperAscii() == 'ALL'))
- message: "Containers must drop `ALL` capabilities."
-
diff --git a/best-practices-cel/require-drop-cap-net-raw/.chainsaw-test/bad-pod-containers.yaml b/best-practices-cel/require-drop-cap-net-raw/.chainsaw-test/bad-pod-containers.yaml
deleted file mode 100644
index 52603dfff..000000000
--- a/best-practices-cel/require-drop-cap-net-raw/.chainsaw-test/bad-pod-containers.yaml
+++ /dev/null
@@ -1,62 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
- name: drop-capnetraw-bad01
-spec:
- initContainers:
- - name: init
- image: ghcr.io/kyverno/test-busybox:1.35
- securityContext:
- capabilities:
- add: ["SYS_TIME"]
- drop:
- - CAP_NET_RAW
- - name: init2
- image: ghcr.io/kyverno/test-busybox:1.35
- securityContext:
- capabilities:
- add: ["SYS_TIME"]
- drop:
- - CAP_NET_RAW
- containers:
- - name: add-capabilities
- image: ghcr.io/kyverno/test-busybox:1.35
- securityContext:
- capabilities:
- add: ["SYS_TIME"]
- drop:
- - CAP_NET_RAW
- - name: add-capabilities-again
- image: ghcr.io/kyverno/test-busybox:1.35
----
-apiVersion: v1
-kind: Pod
-metadata:
- name: drop-capnetraw-bad02
-spec:
- initContainers:
- - name: init
- image: ghcr.io/kyverno/test-busybox:1.35
- securityContext:
- capabilities:
- add: ["SYS_TIME"]
- drop:
- - CAP_NET_RAW
- - name: init2
- image: ghcr.io/kyverno/test-busybox:1.35
- securityContext:
- capabilities:
- add: ["SYS_TIME"]
- drop:
- - CAP_NET_RAW
- containers:
- - name: add-capabilities-again
- image: ghcr.io/kyverno/test-busybox:1.35
- - name: add-capabilities
- image: ghcr.io/kyverno/test-busybox:1.35
- securityContext:
- capabilities:
- add: ["SYS_TIME"]
- drop:
- - CAP_NET_RAW
-
diff --git a/best-practices-cel/require-drop-cap-net-raw/.chainsaw-test/bad-pod-corner.yaml b/best-practices-cel/require-drop-cap-net-raw/.chainsaw-test/bad-pod-corner.yaml
deleted file mode 100644
index db8aba8e8..000000000
--- a/best-practices-cel/require-drop-cap-net-raw/.chainsaw-test/bad-pod-corner.yaml
+++ /dev/null
@@ -1,52 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
- name: add-capabilities-bad-001
-spec:
- containers:
- - name: add-capabilities
- image: ghcr.io/kyverno/test-busybox:1.35
- securityContext:
- capabilities:
- drop:
- - CAP_NET_RAW
- - name: add-capabilities-again
- image: ghcr.io/kyverno/test-busybox:1.35
- securityContext:
- capabilities:
- drop:
- - CAP_NET_RAW
----
-apiVersion: v1
-kind: Pod
-metadata:
- name: add-capabilities-bad-002
-spec:
- containers:
- - name: add-capabilities
- image: ghcr.io/kyverno/test-busybox:1.35
- securityContext:
- capabilities:
- add: ["SYS_TIME"]
- - name: add-capabilities-again
- image: ghcr.io/kyverno/test-busybox:1.35
- securityContext:
- capabilities:
- drop:
- - CAP_NET_RAW
----
-apiVersion: v1
-kind: Pod
-metadata:
- name: add-capabilities-good
-spec:
- containers:
- - name: init
- image: ghcr.io/kyverno/test-busybox:1.35
- securityContext:
- capabilities:
- drop:
- - CAP_NET_RAW
- - name: init-again
- image: ghcr.io/kyverno/test-busybox:1.35
-
diff --git a/best-practices-cel/require-drop-cap-net-raw/.chainsaw-test/bad-pod-initcontainers.yaml b/best-practices-cel/require-drop-cap-net-raw/.chainsaw-test/bad-pod-initcontainers.yaml
deleted file mode 100644
index 0be20ff85..000000000
--- a/best-practices-cel/require-drop-cap-net-raw/.chainsaw-test/bad-pod-initcontainers.yaml
+++ /dev/null
@@ -1,48 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
- name: add-capabilities-bad-1
-spec:
- initContainers:
- - name: init
- image: ghcr.io/kyverno/test-busybox:1.35
- securityContext:
- capabilities:
- add: ["SYS_TIME"]
- drop:
- - CAP_NET_RAW
- - name: init2
- image: ghcr.io/kyverno/test-busybox:1.35
- containers:
- - name: add-capabilities
- image: ghcr.io/kyverno/test-busybox:1.35
- securityContext:
- capabilities:
- add: ["SYS_TIME"]
- drop:
- - CAP_NET_RAW
----
-apiVersion: v1
-kind: Pod
-metadata:
- name: add-capabilities-bad-2
-spec:
- initContainers:
- - name: init
- image: ghcr.io/kyverno/test-busybox:1.35
- - name: init2
- image: ghcr.io/kyverno/test-busybox:1.35
- securityContext:
- capabilities:
- add: ["SYS_TIME"]
- drop:
- - CAP_NET_RAW
- containers:
- - name: add-capabilities
- image: ghcr.io/kyverno/test-busybox:1.35
- securityContext:
- capabilities:
- add: ["SYS_TIME"]
- drop:
- - CAP_NET_RAW
-
diff --git a/best-practices-cel/require-drop-cap-net-raw/.chainsaw-test/bad-podcontrollers.yaml b/best-practices-cel/require-drop-cap-net-raw/.chainsaw-test/bad-podcontrollers.yaml
deleted file mode 100644
index 4f1b188ef..000000000
--- a/best-practices-cel/require-drop-cap-net-raw/.chainsaw-test/bad-podcontrollers.yaml
+++ /dev/null
@@ -1,154 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: dropall-baddeployment01
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: app
- template:
- metadata:
- labels:
- app: app
- spec:
- initContainers:
- - name: init
- image: ghcr.io/kyverno/test-busybox:1.35
- securityContext:
- capabilities:
- add: ["SYS_TIME"]
- drop:
- - CAP_NET_RAW
- - name: init2
- image: ghcr.io/kyverno/test-busybox:1.35
- securityContext:
- capabilities:
- add: ["SYS_TIME"]
- drop:
- - CAP_NET_RAW
- containers:
- - name: add-capabilities
- image: ghcr.io/kyverno/test-busybox:1.35
- securityContext:
- capabilities:
- add: ["SYS_TIME"]
- drop:
- - CAP_NET_RAW
- - name: add-capabilities-again
- image: ghcr.io/kyverno/test-busybox:1.35
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: dropall-baddeployment02
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: app
- template:
- metadata:
- labels:
- app: app
- spec:
- initContainers:
- - name: init
- image: ghcr.io/kyverno/test-busybox:1.35
- securityContext:
- capabilities:
- add: ["SYS_TIME"]
- drop:
- - CAP_NET_RAW
- - name: init2
- image: ghcr.io/kyverno/test-busybox:1.35
- containers:
- - name: add-capabilities
- image: ghcr.io/kyverno/test-busybox:1.35
- securityContext:
- capabilities:
- add: ["SYS_TIME"]
- drop:
- - CAP_NET_RAW
- - name: add-capabilities-again
- image: ghcr.io/kyverno/test-busybox:1.35
- securityContext:
- capabilities:
- add: ["SYS_TIME"]
- drop:
- - CAP_NET_RAW
----
-apiVersion: batch/v1
-kind: CronJob
-metadata:
- name: dropall-badcronjob01
-spec:
- schedule: "*/1 * * * *"
- jobTemplate:
- spec:
- template:
- spec:
- restartPolicy: OnFailure
- initContainers:
- - name: init
- image: ghcr.io/kyverno/test-busybox:1.35
- securityContext:
- capabilities:
- add: ["SYS_TIME"]
- drop:
- - CAP_NET_RAW
- - name: init2
- image: ghcr.io/kyverno/test-busybox:1.35
- containers:
- - name: add-capabilities
- image: ghcr.io/kyverno/test-busybox:1.35
- securityContext:
- capabilities:
- add: ["SYS_TIME"]
- drop:
- - CAP_NET_RAW
- - name: add-capabilities-again
- image: ghcr.io/kyverno/test-busybox:1.35
- securityContext:
- capabilities:
- add: ["SYS_TIME"]
- drop:
- - CAP_NET_RAW
----
-apiVersion: batch/v1
-kind: CronJob
-metadata:
- name: dropall-badcronjob02
-spec:
- schedule: "*/1 * * * *"
- jobTemplate:
- spec:
- template:
- spec:
- restartPolicy: OnFailure
- initContainers:
- - name: init
- image: ghcr.io/kyverno/test-busybox:1.35
- securityContext:
- capabilities:
- add: ["SYS_TIME"]
- drop:
- - CAP_NET_RAW
- - name: init2
- image: ghcr.io/kyverno/test-busybox:1.35
- securityContext:
- capabilities:
- add: ["SYS_TIME"]
- drop:
- - CAP_NET_RAW
- containers:
- - name: add-capabilities
- image: ghcr.io/kyverno/test-busybox:1.35
- securityContext:
- capabilities:
- add: ["SYS_TIME"]
- drop:
- - CAP_NET_RAW
- - name: add-capabilities-again
- image: ghcr.io/kyverno/test-busybox:1.35
-
diff --git a/best-practices-cel/require-drop-cap-net-raw/.chainsaw-test/chainsaw-test.yaml b/best-practices-cel/require-drop-cap-net-raw/.chainsaw-test/chainsaw-test.yaml
deleted file mode 100755
index 5d9861e55..000000000
--- a/best-practices-cel/require-drop-cap-net-raw/.chainsaw-test/chainsaw-test.yaml
+++ /dev/null
@@ -1,51 +0,0 @@
-# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
-apiVersion: chainsaw.kyverno.io/v1alpha1
-kind: Test
-metadata:
- creationTimestamp: null
- name: require-drop-cap-net-raw
-spec:
- # disable templating because it can cause issues with CEL expressions
- template: false
- steps:
- - name: step-01
- try:
- - apply:
- file: ../require-drop-cap-net-raw.yaml
- - patch:
- resource:
- apiVersion: kyverno.io/v1
- kind: ClusterPolicy
- metadata:
- name: drop-cap-net-raw
- spec:
- validationFailureAction: Enforce
- - assert:
- file: policy-ready.yaml
- - name: step-02
- try:
- - apply:
- file: good-pod.yaml
- - apply:
- file: good-podcontrollers.yaml
- - apply:
- expect:
- - check:
- ($error != null): true
- file: bad-pod-containers.yaml
- - apply:
- expect:
- - check:
- ($error != null): true
- file: bad-pod-initcontainers.yaml
- - apply:
- expect:
- - check:
- ($error != null): true
- file: bad-pod-corner.yaml
- - apply:
- expect:
- - check:
- ($error != null): true
- file: bad-podcontrollers.yaml
-
diff --git a/best-practices-cel/require-drop-cap-net-raw/.chainsaw-test/good-pod.yaml b/best-practices-cel/require-drop-cap-net-raw/.chainsaw-test/good-pod.yaml
deleted file mode 100644
index ee9c97a56..000000000
--- a/best-practices-cel/require-drop-cap-net-raw/.chainsaw-test/good-pod.yaml
+++ /dev/null
@@ -1,26 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
- name: drop-capnetraw-good
-spec:
- initContainers:
- - name: init
- image: ghcr.io/kyverno/test-busybox:1.35
- securityContext:
- capabilities:
- drop:
- - CAP_NET_RAW
- containers:
- - name: add-capabilities
- image: ghcr.io/kyverno/test-busybox:1.35
- securityContext:
- capabilities:
- drop:
- - CAP_NET_RAW
- - name: add-capabilities-again
- image: ghcr.io/kyverno/test-busybox:1.35
- securityContext:
- capabilities:
- drop:
- - CAP_NET_RAW
-
diff --git a/best-practices-cel/require-drop-cap-net-raw/.chainsaw-test/good-podcontrollers.yaml b/best-practices-cel/require-drop-cap-net-raw/.chainsaw-test/good-podcontrollers.yaml
deleted file mode 100644
index 68ffcadd9..000000000
--- a/best-practices-cel/require-drop-cap-net-raw/.chainsaw-test/good-podcontrollers.yaml
+++ /dev/null
@@ -1,87 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: dropcapnetraw-gooddeployment01
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: app
- template:
- metadata:
- labels:
- app: app
- spec:
- initContainers:
- - name: init
- image: ghcr.io/kyverno/test-busybox:1.35
- securityContext:
- capabilities:
- add: ["SYS_TIME"]
- drop:
- - CAP_NET_RAW
- - name: init2
- image: ghcr.io/kyverno/test-busybox:1.35
- securityContext:
- capabilities:
- add: ["SYS_TIME"]
- drop:
- - CAP_NET_RAW
- containers:
- - name: add-capabilities
- image: ghcr.io/kyverno/test-busybox:1.35
- securityContext:
- capabilities:
- add: ["SYS_TIME"]
- drop:
- - CAP_NET_RAW
- - name: add-capabilities-again
- image: ghcr.io/kyverno/test-busybox:1.35
- securityContext:
- capabilities:
- add: ["SYS_TIME"]
- drop:
- - CAP_NET_RAW
----
-apiVersion: batch/v1
-kind: CronJob
-metadata:
- name: dropcapnetraw-goodcronjob01
-spec:
- schedule: "*/1 * * * *"
- jobTemplate:
- spec:
- template:
- spec:
- restartPolicy: OnFailure
- initContainers:
- - name: init
- image: ghcr.io/kyverno/test-busybox:1.35
- securityContext:
- capabilities:
- add: ["SYS_TIME"]
- drop:
- - CAP_NET_RAW
- - name: init2
- image: ghcr.io/kyverno/test-busybox:1.35
- securityContext:
- capabilities:
- add: ["SYS_TIME"]
- drop:
- - CAP_NET_RAW
- containers:
- - name: add-capabilities
- image: ghcr.io/kyverno/test-busybox:1.35
- securityContext:
- capabilities:
- add: ["SYS_TIME"]
- drop:
- - CAP_NET_RAW
- - name: add-capabilities-again
- image: ghcr.io/kyverno/test-busybox:1.35
- securityContext:
- capabilities:
- add: ["SYS_TIME"]
- drop:
- - CAP_NET_RAW
-
diff --git a/best-practices-cel/require-drop-cap-net-raw/.chainsaw-test/policy-ready.yaml b/best-practices-cel/require-drop-cap-net-raw/.chainsaw-test/policy-ready.yaml
deleted file mode 100755
index ce4466741..000000000
--- a/best-practices-cel/require-drop-cap-net-raw/.chainsaw-test/policy-ready.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
- name: drop-cap-net-raw
-status:
- conditions:
- - reason: Succeeded
- status: "True"
- type: Ready
diff --git a/best-practices-cel/require-drop-cap-net-raw/.kyverno-test/kyverno-test.yaml b/best-practices-cel/require-drop-cap-net-raw/.kyverno-test/kyverno-test.yaml
deleted file mode 100644
index 0d98c50aa..000000000
--- a/best-practices-cel/require-drop-cap-net-raw/.kyverno-test/kyverno-test.yaml
+++ /dev/null
@@ -1,23 +0,0 @@
-apiVersion: cli.kyverno.io/v1alpha1
-kind: Test
-metadata:
- name: require-drop-cap-net-raw
-policies:
-- ../require-drop-cap-net-raw.yaml
-resources:
-- resource.yaml
-results:
-- kind: Pod
- policy: drop-cap-net-raw
- resources:
- - badpod01
- - badpod02
- result: fail
- rule: require-drop-cap-net-raw
-- kind: Pod
- policy: drop-cap-net-raw
- resources:
- - drop-good
- result: pass
- rule: require-drop-cap-net-raw
-
diff --git a/best-practices-cel/require-drop-cap-net-raw/.kyverno-test/resource.yaml b/best-practices-cel/require-drop-cap-net-raw/.kyverno-test/resource.yaml
deleted file mode 100644
index c3ed3af81..000000000
--- a/best-practices-cel/require-drop-cap-net-raw/.kyverno-test/resource.yaml
+++ /dev/null
@@ -1,45 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
- name: drop-good
-spec:
- initContainers:
- - name: init
- image: gcr.io/google-samples/node-hello:1.0
- securityContext:
- capabilities:
- drop: ["CAP_NET_RAW"]
- containers:
- - name: add-capabilities
- image: gcr.io/google-samples/node-hello:1.0
- securityContext:
- capabilities:
- drop: ["CAP_NET_RAW"]
----
-apiVersion: v1
-kind: Pod
-metadata:
- name: badpod01
-spec:
- initContainers:
- - name: init
- image: gcr.io/google-samples/node-hello:1.0
- securityContext:
- capabilities:
- drop: ["CAP_NET_RAW"]
- containers:
- - name: add-capabilities
- image: gcr.io/google-samples/node-hello:1.0
- securityContext:
- capabilities:
- drop: ["CAP_CHOWN"]
----
-apiVersion: v1
-kind: Pod
-metadata:
- name: badpod02
-spec:
- containers:
- - name: add-capabilities
- image: gcr.io/google-samples/node-hello:1.0
-
diff --git a/best-practices-cel/require-drop-cap-net-raw/artifacthub-pkg.yml b/best-practices-cel/require-drop-cap-net-raw/artifacthub-pkg.yml
deleted file mode 100644
index d726f54fe..000000000
--- a/best-practices-cel/require-drop-cap-net-raw/artifacthub-pkg.yml
+++ /dev/null
@@ -1,24 +0,0 @@
-name: require-drop-cap-net-raw-cel
-version: 1.0.0
-displayName: Drop CAP_NET_RAW in CEL expressions
-description: >-
- Capabilities permit privileged actions without giving full root access. The CAP_NET_RAW capability, enabled by default, allows processes in a container to forge packets and bind to any interface potentially leading to MitM attacks. This policy ensures that all containers explicitly drop the CAP_NET_RAW ability. Note that this policy also illustrates how to cover drop entries in any case although this may not strictly conform to the Pod Security Standards.
-install: |-
- ```shell
- kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/best-practices-cel/require-drop-cap-net-raw/require-drop-cap-net-raw.yaml
- ```
-keywords:
- - kyverno
- - Best Practices
- - CEL Expressions
-readme: |
- Capabilities permit privileged actions without giving full root access. The CAP_NET_RAW capability, enabled by default, allows processes in a container to forge packets and bind to any interface potentially leading to MitM attacks. This policy ensures that all containers explicitly drop the CAP_NET_RAW ability. Note that this policy also illustrates how to cover drop entries in any case although this may not strictly conform to the Pod Security Standards.
-
- Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/
-annotations:
- kyverno/category: "Best Practices in CEL"
- kyverno/kubernetesVersion: "1.26-1.27"
- kyverno/subject: "Pod"
-digest: 28cac97e2c441528f12158cc0c6d3c8c07067537831a88d5445a2128b42746b4
-createdAt: "2024-03-15T03:05:47Z"
-
diff --git a/best-practices-cel/require-drop-cap-net-raw/require-drop-cap-net-raw.yaml b/best-practices-cel/require-drop-cap-net-raw/require-drop-cap-net-raw.yaml
deleted file mode 100644
index f6d7440aa..000000000
--- a/best-practices-cel/require-drop-cap-net-raw/require-drop-cap-net-raw.yaml
+++ /dev/null
@@ -1,43 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
- name: drop-cap-net-raw
- annotations:
- policies.kyverno.io/title: Drop CAP_NET_RAW in CEL expressions
- policies.kyverno.io/category: Best Practices in CEL
- policies.kyverno.io/minversion: 1.11.0
- kyverno.io/kubernetes-version: "1.26-1.27"
- policies.kyverno.io/severity: medium
- policies.kyverno.io/subject: Pod
- policies.kyverno.io/description: >-
- Capabilities permit privileged actions without giving full root access. The
- CAP_NET_RAW capability, enabled by default, allows processes in a container to
- forge packets and bind to any interface potentially leading to MitM attacks.
- This policy ensures that all containers explicitly drop the CAP_NET_RAW
- ability. Note that this policy also illustrates how to cover drop entries in any
- case although this may not strictly conform to the Pod Security Standards.
-spec:
- validationFailureAction: Audit
- background: true
- rules:
- - name: require-drop-cap-net-raw
- match:
- any:
- - resources:
- kinds:
- - Pod
- operations:
- - CREATE
- - UPDATE
- validate:
- cel:
- variables:
- - name: allContainers
- expression: "object.spec.containers + object.spec.?initContainers.orValue([]) + object.spec.?ephemeralContainers.orValue([])"
- expressions:
- - expression: >-
- variables.allContainers.all(container,
- container.?securityContext.?capabilities.?drop.orValue([]).exists(capability, capability.upperAscii() == 'CAP_NET_RAW'))
- message: >-
- Containers must drop the `CAP_NET_RAW` capability.
-
diff --git a/best-practices-cel/require-labels/.chainsaw-test/bad-pod-nolabel.yaml b/best-practices-cel/require-labels/.chainsaw-test/bad-pod-nolabel.yaml
deleted file mode 100644
index 03b941537..000000000
--- a/best-practices-cel/require-labels/.chainsaw-test/bad-pod-nolabel.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
- name: badpod-nolabel
-spec:
- containers:
- - name: busybox
- image: ghcr.io/kyverno/test-busybox:1.35
-
diff --git a/best-practices-cel/require-labels/.chainsaw-test/bad-pod-somelabel.yaml b/best-practices-cel/require-labels/.chainsaw-test/bad-pod-somelabel.yaml
deleted file mode 100644
index cdc4a24b7..000000000
--- a/best-practices-cel/require-labels/.chainsaw-test/bad-pod-somelabel.yaml
+++ /dev/null
@@ -1,11 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
- name: badpod-somelabel
- labels:
- my.io/foo: bar
-spec:
- containers:
- - name: busybox
- image: ghcr.io/kyverno/test-busybox:1.35
-
diff --git a/best-practices-cel/require-labels/.chainsaw-test/bad-podcontrollers.yaml b/best-practices-cel/require-labels/.chainsaw-test/bad-podcontrollers.yaml
deleted file mode 100644
index 8ed5205aa..000000000
--- a/best-practices-cel/require-labels/.chainsaw-test/bad-podcontrollers.yaml
+++ /dev/null
@@ -1,36 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: reqlabels-baddeployment01
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: app
- template:
- metadata:
- labels:
- app: app
- spec:
- containers:
- - name: busybox
- image: ghcr.io/kyverno/test-busybox:1.35
----
-apiVersion: batch/v1
-kind: CronJob
-metadata:
- name: reqlabels-badcronjob01
-spec:
- schedule: "*/1 * * * *"
- jobTemplate:
- spec:
- template:
- metadata:
- labels:
- foo: bar
- spec:
- restartPolicy: OnFailure
- containers:
- - name: busybox
- image: ghcr.io/kyverno/test-busybox:1.35
-
diff --git a/best-practices-cel/require-labels/.chainsaw-test/chainsaw-test.yaml b/best-practices-cel/require-labels/.chainsaw-test/chainsaw-test.yaml
deleted file mode 100755
index 736a57ff0..000000000
--- a/best-practices-cel/require-labels/.chainsaw-test/chainsaw-test.yaml
+++ /dev/null
@@ -1,44 +0,0 @@
-# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
-apiVersion: chainsaw.kyverno.io/v1alpha1
-kind: Test
-metadata:
- creationTimestamp: null
- name: require-labels
-spec:
- steps:
- - name: step-01
- try:
- - apply:
- file: ../require-labels.yaml
- - patch:
- resource:
- apiVersion: kyverno.io/v1
- kind: ClusterPolicy
- metadata:
- name: require-labels
- spec:
- validationFailureAction: Enforce
- - assert:
- file: policy-ready.yaml
- - name: step-02
- try:
- - apply:
- file: good-pods.yaml
- - apply:
- file: good-podcontrollers.yaml
- - apply:
- expect:
- - check:
- ($error != null): true
- file: bad-pod-nolabel.yaml
- - apply:
- expect:
- - check:
- ($error != null): true
- file: bad-pod-somelabel.yaml
- - apply:
- expect:
- - check:
- ($error != null): true
- file: bad-podcontrollers.yaml
-
diff --git a/best-practices-cel/require-labels/.chainsaw-test/good-podcontrollers.yaml b/best-practices-cel/require-labels/.chainsaw-test/good-podcontrollers.yaml
deleted file mode 100644
index 942a80f75..000000000
--- a/best-practices-cel/require-labels/.chainsaw-test/good-podcontrollers.yaml
+++ /dev/null
@@ -1,39 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: reqlabels-gooddeployment01
-spec:
- replicas: 1
- selector:
- matchLabels:
- foo: bar
- app.kubernetes.io/name: bar
- template:
- metadata:
- labels:
- foo: bar
- app.kubernetes.io/name: bar
- spec:
- containers:
- - name: busybox
- image: ghcr.io/kyverno/test-busybox:1.35
----
-apiVersion: batch/v1
-kind: CronJob
-metadata:
- name: reqlabels-goodcronjob01
-spec:
- schedule: "*/1 * * * *"
- jobTemplate:
- spec:
- template:
- metadata:
- labels:
- foo: bar
- app.kubernetes.io/name: bar
- spec:
- restartPolicy: OnFailure
- containers:
- - name: busybox
- image: ghcr.io/kyverno/test-busybox:1.35
-
diff --git a/best-practices-cel/require-labels/.chainsaw-test/good-pods.yaml b/best-practices-cel/require-labels/.chainsaw-test/good-pods.yaml
deleted file mode 100644
index c8603ede8..000000000
--- a/best-practices-cel/require-labels/.chainsaw-test/good-pods.yaml
+++ /dev/null
@@ -1,23 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
- name: goodpod01-label
- labels:
- app.kubernetes.io/name: busybox
-spec:
- containers:
- - name: busybox
- image: ghcr.io/kyverno/test-busybox:1.35
----
-apiVersion: v1
-kind: Pod
-metadata:
- name: goodpod02-label
- labels:
- foo: bar
- app.kubernetes.io/name: busybox
-spec:
- containers:
- - name: busybox
- image: ghcr.io/kyverno/test-busybox:1.35
-
diff --git a/best-practices-cel/require-labels/.chainsaw-test/policy-ready.yaml b/best-practices-cel/require-labels/.chainsaw-test/policy-ready.yaml
deleted file mode 100755
index b0bd73c54..000000000
--- a/best-practices-cel/require-labels/.chainsaw-test/policy-ready.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
- name: require-labels
-status:
- conditions:
- - reason: Succeeded
- status: "True"
- type: Ready
diff --git a/best-practices-cel/require-labels/.kyverno-test/kyverno-test.yaml b/best-practices-cel/require-labels/.kyverno-test/kyverno-test.yaml
deleted file mode 100644
index a04b287cc..000000000
--- a/best-practices-cel/require-labels/.kyverno-test/kyverno-test.yaml
+++ /dev/null
@@ -1,24 +0,0 @@
-apiVersion: cli.kyverno.io/v1alpha1
-kind: Test
-metadata:
- name: require-labels
-policies:
-- ../require-labels.yaml
-resources:
-- resource.yaml
-results:
-- kind: Pod
- policy: require-labels
- resources:
- - badpod01
- - badpod02
- result: fail
- rule: check-for-labels
-- kind: Pod
- policy: require-labels
- resources:
- - goodpod01
- - goodpod02
- result: pass
- rule: check-for-labels
-
diff --git a/best-practices-cel/require-labels/.kyverno-test/resource.yaml b/best-practices-cel/require-labels/.kyverno-test/resource.yaml
deleted file mode 100644
index 95d5b6250..000000000
--- a/best-practices-cel/require-labels/.kyverno-test/resource.yaml
+++ /dev/null
@@ -1,43 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
- name: badpod01
-spec:
- containers:
- - name: nginx
- image: nginx:1.12
----
-apiVersion: v1
-kind: Pod
-metadata:
- name: badpod02
- labels:
- my.io/foo: bar
-spec:
- containers:
- - name: nginx
- image: nginx:1.12
----
-apiVersion: v1
-kind: Pod
-metadata:
- name: goodpod01
- labels:
- app.kubernetes.io/name: nginx
-spec:
- containers:
- - name: nginx
- image: nginx:1.12
----
-apiVersion: v1
-kind: Pod
-metadata:
- name: goodpod02
- labels:
- foo: bar
- app.kubernetes.io/name: nginx
-spec:
- containers:
- - name: nginx
- image: nginx:1.12
-
diff --git a/best-practices-cel/require-labels/artifacthub-pkg.yml b/best-practices-cel/require-labels/artifacthub-pkg.yml
deleted file mode 100644
index 7baa78674..000000000
--- a/best-practices-cel/require-labels/artifacthub-pkg.yml
+++ /dev/null
@@ -1,24 +0,0 @@
-name: require-labels-cel
-version: 1.0.0
-displayName: Require Labels in CEL expressions
-description: >-
- Define and use labels that identify semantic attributes of your application or Deployment. A common set of labels allows tools to work collaboratively, describing objects in a common manner that all tools can understand. The recommended labels describe applications in a way that can be queried. This policy validates that the label `app.kubernetes.io/name` is specified with some value.
-install: |-
- ```shell
- kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/best-practices-cel/require-labels/require-labels.yaml
- ```
-keywords:
- - kyverno
- - Best Practices
- - CEL Expressions
-readme: |
- Define and use labels that identify semantic attributes of your application or Deployment. A common set of labels allows tools to work collaboratively, describing objects in a common manner that all tools can understand. The recommended labels describe applications in a way that can be queried. This policy validates that the label `app.kubernetes.io/name` is specified with some value.
-
- Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/
-annotations:
- kyverno/category: "Best Practices in CEL"
- kyverno/kubernetesVersion: "1.26-1.27"
- kyverno/subject: "Pod, Label"
-digest: 90e1ceb1c27f70169fcd448cb48df4c7694d8252e060da24c7b2e9bb16a4fc88
-createdAt: "2024-03-06T19:31:45Z"
-
diff --git a/best-practices-cel/require-labels/require-labels.yaml b/best-practices-cel/require-labels/require-labels.yaml
deleted file mode 100644
index 12a2062e6..000000000
--- a/best-practices-cel/require-labels/require-labels.yaml
+++ /dev/null
@@ -1,36 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
- name: require-labels
- annotations:
- policies.kyverno.io/title: Require Labels in CEL expressions
- policies.kyverno.io/category: Best Practices in CEL
- policies.kyverno.io/minversion: 1.11.0
- kyverno.io/kubernetes-version: "1.26-1.27"
- policies.kyverno.io/severity: medium
- policies.kyverno.io/subject: Pod, Label
- policies.kyverno.io/description: >-
- Define and use labels that identify semantic attributes of your application or Deployment.
- A common set of labels allows tools to work collaboratively, describing objects in a common manner that
- all tools can understand. The recommended labels describe applications in a way that can be
- queried. This policy validates that the label `app.kubernetes.io/name` is specified with some value.
-spec:
- validationFailureAction: Audit
- background: true
- rules:
- - name: check-for-labels
- match:
- any:
- - resources:
- kinds:
- - Pod
- operations:
- - CREATE
- - UPDATE
- validate:
- cel:
- expressions:
- - expression: >-
- object.metadata.?labels[?'app.kubernetes.io/name'].orValue('') != ""
- message: "The label `app.kubernetes.io/name` is required."
-
diff --git a/best-practices-cel/require-pod-requests-limits/.chainsaw-test/bad-pod-nolimit.yaml b/best-practices-cel/require-pod-requests-limits/.chainsaw-test/bad-pod-nolimit.yaml
deleted file mode 100644
index 96298e35e..000000000
--- a/best-practices-cel/require-pod-requests-limits/.chainsaw-test/bad-pod-nolimit.yaml
+++ /dev/null
@@ -1,15 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
- name: badpod-nolimit
- labels:
- app: myapp
-spec:
- containers:
- - name: busybox
- image: ghcr.io/kyverno/test-busybox:1.35
- resources:
- requests:
- memory: "256Mi"
- cpu: "0.5"
-
diff --git a/best-practices-cel/require-pod-requests-limits/.chainsaw-test/bad-pod-nores.yaml b/best-practices-cel/require-pod-requests-limits/.chainsaw-test/bad-pod-nores.yaml
deleted file mode 100644
index c44ecdabd..000000000
--- a/best-practices-cel/require-pod-requests-limits/.chainsaw-test/bad-pod-nores.yaml
+++ /dev/null
@@ -1,38 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
- name: badpod-nores
- labels:
- app: myapp
-spec:
- containers:
- - name: busybox
- image: ghcr.io/kyverno/test-busybox:1.35
- - name: busybox-again
- image: ghcr.io/kyverno/test-busybox:1.35
- resources:
- requests:
- memory: "256Mi"
- cpu: "0.5"
- limits:
- memory: "256Mi"
----
-apiVersion: v1
-kind: Pod
-metadata:
- name: badpod-nores
- labels:
- app: myapp
-spec:
- containers:
- - name: busybox
- image: ghcr.io/kyverno/test-busybox:1.35
- resources:
- requests:
- memory: "256Mi"
- cpu: "0.5"
- limits:
- memory: "256Mi"
- - name: busybox-again
- image: ghcr.io/kyverno/test-busybox:1.35
-
diff --git a/best-practices-cel/require-pod-requests-limits/.chainsaw-test/bad-pod-nothing.yaml b/best-practices-cel/require-pod-requests-limits/.chainsaw-test/bad-pod-nothing.yaml
deleted file mode 100644
index a411df45b..000000000
--- a/best-practices-cel/require-pod-requests-limits/.chainsaw-test/bad-pod-nothing.yaml
+++ /dev/null
@@ -1,12 +0,0 @@
-
-apiVersion: v1
-kind: Pod
-metadata:
- name: badpod-nothing
- labels:
- app: myapp
-spec:
- containers:
- - name: busybox
- image: ghcr.io/kyverno/test-busybox:1.35
-
diff --git a/best-practices-cel/require-pod-requests-limits/.chainsaw-test/bad-podcontrollers.yaml b/best-practices-cel/require-pod-requests-limits/.chainsaw-test/bad-podcontrollers.yaml
deleted file mode 100644
index 13d8c4af1..000000000
--- a/best-practices-cel/require-pod-requests-limits/.chainsaw-test/bad-podcontrollers.yaml
+++ /dev/null
@@ -1,49 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: reqpodlimits-baddeployment01
-spec:
- replicas: 1
- selector:
- matchLabels:
- foo: bar
- template:
- metadata:
- labels:
- foo: bar
- spec:
- containers:
- - name: busybox
- image: ghcr.io/kyverno/test-busybox
- - name: busybox-again
- image: ghcr.io/kyverno/test-busybox
- resources:
- requests:
- memory: "50Mi"
- cpu: "100m"
- limits:
- memory: "100Mi"
----
-apiVersion: batch/v1
-kind: CronJob
-metadata:
- name: reqpodlimits-badcronjob01
-spec:
- schedule: "*/1 * * * *"
- jobTemplate:
- spec:
- template:
- spec:
- restartPolicy: OnFailure
- containers:
- - name: busybox
- image: ghcr.io/kyverno/test-busybox
- - name: busybox-again
- image: ghcr.io/kyverno/test-busybox
- resources:
- requests:
- memory: "50Mi"
- cpu: "100m"
- limits:
- memory: "100Mi"
-
diff --git a/best-practices-cel/require-pod-requests-limits/.chainsaw-test/chainsaw-test.yaml b/best-practices-cel/require-pod-requests-limits/.chainsaw-test/chainsaw-test.yaml
deleted file mode 100755
index 3341b2924..000000000
--- a/best-practices-cel/require-pod-requests-limits/.chainsaw-test/chainsaw-test.yaml
+++ /dev/null
@@ -1,49 +0,0 @@
-# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
-apiVersion: chainsaw.kyverno.io/v1alpha1
-kind: Test
-metadata:
- creationTimestamp: null
- name: require-pod-requests-limits
-spec:
- steps:
- - name: step-01
- try:
- - apply:
- file: ../require-pod-requests-limits.yaml
- - patch:
- resource:
- apiVersion: kyverno.io/v1
- kind: ClusterPolicy
- metadata:
- name: require-requests-limits
- spec:
- validationFailureAction: Enforce
- - assert:
- file: policy-ready.yaml
- - name: step-02
- try:
- - apply:
- file: good-pods.yaml
- - apply:
- file: good-podcontrollers.yaml
- - apply:
- expect:
- - check:
- ($error != null): true
- file: bad-pod-nolimit.yaml
- - apply:
- expect:
- - check:
- ($error != null): true
- file: bad-pod-nores.yaml
- - apply:
- expect:
- - check:
- ($error != null): true
- file: bad-pod-nothing.yaml
- - apply:
- expect:
- - check:
- ($error != null): true
- file: bad-podcontrollers.yaml
-
diff --git a/best-practices-cel/require-pod-requests-limits/.chainsaw-test/good-podcontrollers.yaml b/best-practices-cel/require-pod-requests-limits/.chainsaw-test/good-podcontrollers.yaml
deleted file mode 100644
index e6f246f66..000000000
--- a/best-practices-cel/require-pod-requests-limits/.chainsaw-test/good-podcontrollers.yaml
+++ /dev/null
@@ -1,61 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: reqpodlimits-gooddeployment01
-spec:
- replicas: 1
- selector:
- matchLabels:
- foo: bar
- template:
- metadata:
- labels:
- foo: bar
- spec:
- containers:
- - name: busybox
- image: ghcr.io/kyverno/test-busybox
- resources:
- requests:
- memory: "50Mi"
- cpu: "100m"
- limits:
- memory: "100Mi"
- - name: busybox-again
- image: ghcr.io/kyverno/test-busybox
- resources:
- requests:
- memory: "50Mi"
- cpu: "100m"
- limits:
- memory: "100Mi"
----
-apiVersion: batch/v1
-kind: CronJob
-metadata:
- name: reqpodlimits-goodcronjob01
-spec:
- schedule: "*/1 * * * *"
- jobTemplate:
- spec:
- template:
- spec:
- restartPolicy: OnFailure
- containers:
- - name: busybox
- image: ghcr.io/kyverno/test-busybox
- resources:
- requests:
- memory: "50Mi"
- cpu: "100m"
- limits:
- memory: "100Mi"
- - name: busybox-again
- image: ghcr.io/kyverno/test-busybox
- resources:
- requests:
- memory: "50Mi"
- cpu: "100m"
- limits:
- memory: "100Mi"
-
diff --git a/best-practices-cel/require-pod-requests-limits/.chainsaw-test/good-pods.yaml b/best-practices-cel/require-pod-requests-limits/.chainsaw-test/good-pods.yaml
deleted file mode 100644
index 7129d56dc..000000000
--- a/best-practices-cel/require-pod-requests-limits/.chainsaw-test/good-pods.yaml
+++ /dev/null
@@ -1,42 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
- name: goodpod01
- labels:
- app: myapp
-spec:
- containers:
- - name: busybox
- image: ghcr.io/kyverno/test-busybox
- resources:
- requests:
- memory: "50Mi"
- cpu: "100m"
- limits:
- memory: "100Mi"
----
-apiVersion: v1
-kind: Pod
-metadata:
- name: goodpod02
- labels:
- app: myapp
-spec:
- containers:
- - name: busybox
- image: ghcr.io/kyverno/test-busybox
- resources:
- requests:
- memory: "50Mi"
- cpu: "100m"
- limits:
- memory: "100Mi"
- - name: busybox-again
- image: ghcr.io/kyverno/test-busybox
- resources:
- requests:
- memory: "50Mi"
- cpu: "100m"
- limits:
- memory: "100Mi"
-
diff --git a/best-practices-cel/require-pod-requests-limits/.chainsaw-test/policy-ready.yaml b/best-practices-cel/require-pod-requests-limits/.chainsaw-test/policy-ready.yaml
deleted file mode 100755
index f6710ff99..000000000
--- a/best-practices-cel/require-pod-requests-limits/.chainsaw-test/policy-ready.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
- name: require-requests-limits
-status:
- conditions:
- - reason: Succeeded
- status: "True"
- type: Ready
diff --git a/best-practices-cel/require-pod-requests-limits/.kyverno-test/kyverno-test.yaml b/best-practices-cel/require-pod-requests-limits/.kyverno-test/kyverno-test.yaml
deleted file mode 100644
index 657d5d5cc..000000000
--- a/best-practices-cel/require-pod-requests-limits/.kyverno-test/kyverno-test.yaml
+++ /dev/null
@@ -1,25 +0,0 @@
-apiVersion: cli.kyverno.io/v1alpha1
-kind: Test
-metadata:
- name: require-requests-limits
-policies:
-- ../require-pod-requests-limits.yaml
-resources:
-- resource.yaml
-results:
-- kind: Pod
- policy: require-requests-limits
- resources:
- - badpod01
- - badpod02
- - badpod03
- result: fail
- rule: validate-resources
-- kind: Pod
- policy: require-requests-limits
- resources:
- - goodpod01
- - goodpod02
- result: pass
- rule: validate-resources
-
diff --git a/best-practices-cel/require-pod-requests-limits/.kyverno-test/resource.yaml b/best-practices-cel/require-pod-requests-limits/.kyverno-test/resource.yaml
deleted file mode 100644
index 73962a2dc..000000000
--- a/best-practices-cel/require-pod-requests-limits/.kyverno-test/resource.yaml
+++ /dev/null
@@ -1,87 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
- name: goodpod01
- labels:
- app: myapp
-spec:
- containers:
- - name: nginx
- image: nginx
- resources:
- requests:
- memory: "256Mi"
- cpu: "0.5"
- limits:
- memory: "256Mi"
----
-apiVersion: v1
-kind: Pod
-metadata:
- name: goodpod02
- labels:
- app: myapp
-spec:
- containers:
- - name: busybox
- image: busybox
- resources:
- requests:
- memory: "50Mi"
- cpu: "100m"
- limits:
- memory: "100Mi"
- - name: nginx
- image: nginx
- resources:
- requests:
- memory: "256Mi"
- cpu: "0.5"
- limits:
- memory: "256Mi"
----
-apiVersion: v1
-kind: Pod
-metadata:
- name: badpod01
- labels:
- app: myapp
-spec:
- containers:
- - name: nginx
- image: nginx
----
-apiVersion: v1
-kind: Pod
-metadata:
- name: badpod02
- labels:
- app: myapp
-spec:
- containers:
- - name: nginx
- image: nginx
- resources:
- requests:
- memory: "256Mi"
- cpu: "0.5"
----
-apiVersion: v1
-kind: Pod
-metadata:
- name: badpod03
- labels:
- app: myapp
-spec:
- containers:
- - name: busybox
- image: busybox
- - name: nginx
- image: nginx
- resources:
- requests:
- memory: "256Mi"
- cpu: "0.5"
- limits:
- memory: "256Mi"
-
diff --git a/best-practices-cel/require-pod-requests-limits/artifacthub-pkg.yml b/best-practices-cel/require-pod-requests-limits/artifacthub-pkg.yml
deleted file mode 100644
index 894ba6f8e..000000000
--- a/best-practices-cel/require-pod-requests-limits/artifacthub-pkg.yml
+++ /dev/null
@@ -1,25 +0,0 @@
-name: require-pod-requests-limits-cel
-version: 1.0.0
-displayName: Require Limits and Requests in CEL expressions
-description: >-
- As application workloads share cluster resources, it is important to limit resources requested and consumed by each Pod. It is recommended to require resource requests and limits per Pod, especially for memory and CPU. If a Namespace level request or limit is specified, defaults will automatically be applied to each Pod based on the LimitRange configuration. This policy validates that all containers have something specified for memory and CPU requests and memory limits.
-install: |-
- ```shell
- kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/best-practices-cel/require-pod-requests-limits/require-pod-requests-limits.yaml
- ```
-keywords:
- - kyverno
- - Best Practices
- - EKS Best Practices
- - CEL Expressions
-readme: |
- As application workloads share cluster resources, it is important to limit resources requested and consumed by each Pod. It is recommended to require resource requests and limits per Pod, especially for memory and CPU. If a Namespace level request or limit is specified, defaults will automatically be applied to each Pod based on the LimitRange configuration. This policy validates that all containers have something specified for memory and CPU requests and memory limits.
-
- Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/
-annotations:
- kyverno/category: "Best Practices, EKS Best Practices in CEL"
- kyverno/kubernetesVersion: "1.26-1.27"
- kyverno/subject: "Pod"
-digest: 68eb214fbee5f70f276845c2083cfadc942ed0d45c8237462a152771cdc7c299
-createdAt: "2024-03-15T03:34:10Z"
-
diff --git a/best-practices-cel/require-pod-requests-limits/require-pod-requests-limits.yaml b/best-practices-cel/require-pod-requests-limits/require-pod-requests-limits.yaml
deleted file mode 100644
index 35e0fca07..000000000
--- a/best-practices-cel/require-pod-requests-limits/require-pod-requests-limits.yaml
+++ /dev/null
@@ -1,44 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
- name: require-requests-limits
- annotations:
- policies.kyverno.io/title: Require Limits and Requests in CEL expressions
- policies.kyverno.io/category: Best Practices, EKS Best Practices in CEL
- policies.kyverno.io/severity: medium
- policies.kyverno.io/subject: Pod
- policies.kyverno.io/minversion: 1.11.0
- kyverno.io/kubernetes-version: "1.26-1.27"
- policies.kyverno.io/description: >-
- As application workloads share cluster resources, it is important to limit resources
- requested and consumed by each Pod. It is recommended to require resource requests and
- limits per Pod, especially for memory and CPU. If a Namespace level request or limit is specified,
- defaults will automatically be applied to each Pod based on the LimitRange configuration.
- This policy validates that all containers have something specified for memory and CPU
- requests and memory limits.
-spec:
- validationFailureAction: Audit
- background: true
- rules:
- - name: validate-resources
- match:
- any:
- - resources:
- kinds:
- - Pod
- operations:
- - CREATE
- - UPDATE
- validate:
- cel:
- expressions:
- - expression: >-
- object.spec.containers.all(container,
- has(container.resources) &&
- has(container.resources.requests) &&
- has(container.resources.requests.memory) &&
- has(container.resources.requests.cpu) &&
- has(container.resources.limits) &&
- has(container.resources.limits.memory))
- message: "CPU and memory resource requests and limits are required."
-
diff --git a/best-practices-cel/require-probes/.chainsaw-test/bad-pod-notall.yaml b/best-practices-cel/require-probes/.chainsaw-test/bad-pod-notall.yaml
deleted file mode 100644
index 16db057b5..000000000
--- a/best-practices-cel/require-probes/.chainsaw-test/bad-pod-notall.yaml
+++ /dev/null
@@ -1,38 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
- name: badpod02
- labels:
- app: myapp
-spec:
- containers:
- - name: busybox
- image: ghcr.io/kyverno/test-busybox:1.35
- ports:
- - containerPort: 8080
- readinessProbe:
- tcpSocket:
- port: 8080
- periodSeconds: 10
- - name: busybox-again
- image: ghcr.io/kyverno/test-busybox:1.35
----
-apiVersion: v1
-kind: Pod
-metadata:
- name: badpod03
- labels:
- app: myapp
-spec:
- containers:
- - name: busybox
- image: ghcr.io/kyverno/test-busybox:1.35
- - name: busybox-again
- image: ghcr.io/kyverno/test-busybox:1.35
- ports:
- - containerPort: 8080
- readinessProbe:
- tcpSocket:
- port: 8080
- periodSeconds: 10
-
diff --git a/best-practices-cel/require-probes/.chainsaw-test/bad-pod-nothing.yaml b/best-practices-cel/require-probes/.chainsaw-test/bad-pod-nothing.yaml
deleted file mode 100644
index 3bd091b3d..000000000
--- a/best-practices-cel/require-probes/.chainsaw-test/bad-pod-nothing.yaml
+++ /dev/null
@@ -1,11 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
- name: badpod01
- labels:
- app: myapp
-spec:
- containers:
- - name: busybox
- image: ghcr.io/kyverno/test-busybox:1.35
-
diff --git a/best-practices-cel/require-probes/.chainsaw-test/bad-podcontrollers.yaml b/best-practices-cel/require-probes/.chainsaw-test/bad-podcontrollers.yaml
deleted file mode 100644
index c01e7dd10..000000000
--- a/best-practices-cel/require-probes/.chainsaw-test/bad-podcontrollers.yaml
+++ /dev/null
@@ -1,24 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: reqprobes-baddeployment01
-spec:
- replicas: 1
- selector:
- matchLabels:
- foo: bar
- template:
- metadata:
- labels:
- foo: bar
- spec:
- containers:
- - name: busybox
- image: ghcr.io/kyverno/test-busybox:1.35
- livenessProbe:
- tcpSocket:
- port: 7070
- periodSeconds: 20
- - name: busybox-again
- image: ghcr.io/kyverno/test-busybox:1.35
-
diff --git a/best-practices-cel/require-probes/.chainsaw-test/chainsaw-test.yaml b/best-practices-cel/require-probes/.chainsaw-test/chainsaw-test.yaml
deleted file mode 100755
index 7a5fba016..000000000
--- a/best-practices-cel/require-probes/.chainsaw-test/chainsaw-test.yaml
+++ /dev/null
@@ -1,44 +0,0 @@
-# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
-apiVersion: chainsaw.kyverno.io/v1alpha1
-kind: Test
-metadata:
- creationTimestamp: null
- name: require-probes
-spec:
- steps:
- - name: step-01
- try:
- - apply:
- file: ../require-probes.yaml
- - patch:
- resource:
- apiVersion: kyverno.io/v1
- kind: ClusterPolicy
- metadata:
- name: require-pod-probes
- spec:
- validationFailureAction: Enforce
- - assert:
- file: policy-ready.yaml
- - name: step-02
- try:
- - apply:
- file: good-pods.yaml
- - apply:
- file: good-podcontrollers.yaml
- - apply:
- expect:
- - check:
- ($error != null): true
- file: bad-pod-nothing.yaml
- - apply:
- expect:
- - check:
- ($error != null): true
- file: bad-pod-notall.yaml
- - apply:
- expect:
- - check:
- ($error != null): true
- file: bad-podcontrollers.yaml
-
diff --git a/best-practices-cel/require-probes/.chainsaw-test/good-podcontrollers.yaml b/best-practices-cel/require-probes/.chainsaw-test/good-podcontrollers.yaml
deleted file mode 100644
index 1d456fd8c..000000000
--- a/best-practices-cel/require-probes/.chainsaw-test/good-podcontrollers.yaml
+++ /dev/null
@@ -1,28 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: reqprobes-gooddeployment01
-spec:
- replicas: 1
- selector:
- matchLabels:
- foo: bar
- template:
- metadata:
- labels:
- foo: bar
- spec:
- containers:
- - name: busybox
- image: ghcr.io/kyverno/test-busybox:1.35
- livenessProbe:
- tcpSocket:
- port: 7070
- periodSeconds: 20
- - name: busybox-again
- image: ghcr.io/kyverno/test-busybox:1.35
- readinessProbe:
- tcpSocket:
- port: 8080
- periodSeconds: 10
-
diff --git a/best-practices-cel/require-probes/.chainsaw-test/good-pods.yaml b/best-practices-cel/require-probes/.chainsaw-test/good-pods.yaml
deleted file mode 100644
index ed297dab1..000000000
--- a/best-practices-cel/require-probes/.chainsaw-test/good-pods.yaml
+++ /dev/null
@@ -1,50 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
- name: goodpod01
- labels:
- app: myapp
-spec:
- containers:
- - name: busybox
- image: ghcr.io/kyverno/test-busybox:1.35
- livenessProbe:
- tcpSocket:
- port: 7070
- periodSeconds: 20
----
-apiVersion: v1
-kind: Pod
-metadata:
- name: goodpod02
- labels:
- app: myapp
-spec:
- containers:
- - name: busybox
- image: ghcr.io/kyverno/test-busybox:1.35
- livenessProbe:
- tcpSocket:
- port: 7070
- periodSeconds: 20
- - name: busybox-again
- image: ghcr.io/kyverno/test-busybox:1.35
- readinessProbe:
- tcpSocket:
- port: 8080
- periodSeconds: 10
----
-apiVersion: v1
-kind: Pod
-metadata:
- name: goodpod03
- labels:
- app: myapp
-spec:
- containers:
- - name: busybox
- image: ghcr.io/kyverno/test-busybox:1.35
- startupProbe:
- grpc:
- port: 8888
-
diff --git a/best-practices-cel/require-probes/.chainsaw-test/policy-ready.yaml b/best-practices-cel/require-probes/.chainsaw-test/policy-ready.yaml
deleted file mode 100755
index c93bde46e..000000000
--- a/best-practices-cel/require-probes/.chainsaw-test/policy-ready.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
- name: require-pod-probes
-status:
- conditions:
- - reason: Succeeded
- status: "True"
- type: Ready
diff --git a/best-practices-cel/require-probes/.kyverno-test/kyverno-test.yaml b/best-practices-cel/require-probes/.kyverno-test/kyverno-test.yaml
deleted file mode 100644
index 3a8978421..000000000
--- a/best-practices-cel/require-probes/.kyverno-test/kyverno-test.yaml
+++ /dev/null
@@ -1,26 +0,0 @@
-apiVersion: cli.kyverno.io/v1alpha1
-kind: Test
-metadata:
- name: require-pod-probes
-policies:
-- ../require-probes.yaml
-resources:
-- resource.yaml
-results:
-- kind: Pod
- policy: require-pod-probes
- resources:
- - badpod01
- - badpod02
- result: fail
- rule: validate-probes
-- kind: Pod
- policy: require-pod-probes
- resources:
- - goodpod01
- - goodpod02
- - goodpod03
- - goodpod04
- result: pass
- rule: validate-probes
-
diff --git a/best-practices-cel/require-probes/.kyverno-test/resource.yaml b/best-practices-cel/require-probes/.kyverno-test/resource.yaml
deleted file mode 100644
index 0c742c9e4..000000000
--- a/best-practices-cel/require-probes/.kyverno-test/resource.yaml
+++ /dev/null
@@ -1,111 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
- name: goodpod01
- labels:
- app: myapp
-spec:
- containers:
- - name: goproxy
- image: registry.k8s.io/goproxy:0.1
- readinessProbe:
- tcpSocket:
- port: 8080
- periodSeconds: 10
- livenessProbe:
- tcpSocket:
- port: 7070
- periodSeconds: 20
----
-apiVersion: v1
-kind: Pod
-metadata:
- name: goodpod02
- labels:
- app: myapp
-spec:
- containers:
- - name: goproxy
- image: registry.k8s.io/goproxy:0.1
- readinessProbe:
- tcpSocket:
- port: 8080
- periodSeconds: 10
- livenessProbe:
- tcpSocket:
- port: 7070
- periodSeconds: 20
- - name: busybox
- image: busybox
- readinessProbe:
- tcpSocket:
- port: 8080
- periodSeconds: 10
- livenessProbe:
- tcpSocket:
- port: 7070
- periodSeconds: 20
----
-apiVersion: v1
-kind: Pod
-metadata:
- name: goodpod03
- labels:
- app: myapp
-spec:
- containers:
- - name: goproxy
- image: registry.k8s.io/goproxy:0.1
- ports:
- - containerPort: 8080
- readinessProbe:
- tcpSocket:
- port: 8080
- periodSeconds: 10
----
-apiVersion: v1
-kind: Pod
-metadata:
- name: goodpod04
- labels:
- app: myapp
-spec:
- containers:
- - name: goproxy
- image: asfadsasfasdf:0.1
- startupProbe:
- grpc:
- port: 8888
----
-apiVersion: v1
-kind: Pod
-metadata:
- name: badpod01
- labels:
- app: myapp
-spec:
- containers:
- - name: goproxy
- image: registry.k8s.io/goproxy:0.1
- ports:
- - containerPort: 8080
----
-apiVersion: v1
-kind: Pod
-metadata:
- name: badpod02
- labels:
- app: myapp
-spec:
- containers:
- - name: goproxy
- image: registry.k8s.io/goproxy:0.1
- ports:
- - containerPort: 8080
- readinessProbe:
- tcpSocket:
- port: 8080
- periodSeconds: 10
- - name: nginx
- image: nginx:latest
-
diff --git a/best-practices-cel/require-probes/artifacthub-pkg.yml b/best-practices-cel/require-probes/artifacthub-pkg.yml
deleted file mode 100644
index fba1c4b28..000000000
--- a/best-practices-cel/require-probes/artifacthub-pkg.yml
+++ /dev/null
@@ -1,25 +0,0 @@
-name: require-probes-cel
-version: 1.0.0
-displayName: Require Pod Probes in CEL expressions
-description: >-
- Liveness and readiness probes need to be configured to correctly manage a Pod's lifecycle during deployments, restarts, and upgrades. For each Pod, a periodic `livenessProbe` is performed by the kubelet to determine if the Pod's containers are running or need to be restarted. A `readinessProbe` is used by Services and Deployments to determine if the Pod is ready to receive network traffic. This policy validates that all containers have one of livenessProbe, readinessProbe, or startupProbe defined.
-install: |-
- ```shell
- kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/best-practices-cel/require-probes/require-probes.yaml
- ```
-keywords:
- - kyverno
- - Best Practices
- - EKS Best Practices
- - CEL Expressions
-readme: |
- Liveness and readiness probes need to be configured to correctly manage a Pod's lifecycle during deployments, restarts, and upgrades. For each Pod, a periodic `livenessProbe` is performed by the kubelet to determine if the Pod's containers are running or need to be restarted. A `readinessProbe` is used by Services and Deployments to determine if the Pod is ready to receive network traffic. This policy validates that all containers have one of livenessProbe, readinessProbe, or startupProbe defined.
-
- Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/
-annotations:
- kyverno/category: "Best Practices, EKS Best Practices in CEL"
- kyverno/kubernetesVersion: "1.26-1.27"
- kyverno/subject: "Pod"
-digest: 4c8b625397475449d6c047c78b460ea943ca9753526790bbc725e75163534dd9
-createdAt: "2024-03-10T14:28:37Z"
-
diff --git a/best-practices-cel/require-probes/require-probes.yaml b/best-practices-cel/require-probes/require-probes.yaml
deleted file mode 100644
index cf14da6f9..000000000
--- a/best-practices-cel/require-probes/require-probes.yaml
+++ /dev/null
@@ -1,43 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
- name: require-pod-probes
- annotations:
- pod-policies.kyverno.io/autogen-controllers: DaemonSet,Deployment,StatefulSet
- policies.kyverno.io/title: Require Pod Probes in CEL expressions
- policies.kyverno.io/category: Best Practices, EKS Best Practices in CEL
- policies.kyverno.io/minversion: 1.11.0
- kyverno.io/kubernetes-version: "1.26-1.27"
- policies.kyverno.io/severity: medium
- policies.kyverno.io/subject: Pod
- policies.kyverno.io/description: >-
- Liveness and readiness probes need to be configured to correctly manage a Pod's
- lifecycle during deployments, restarts, and upgrades. For each Pod, a periodic
- `livenessProbe` is performed by the kubelet to determine if the Pod's containers
- are running or need to be restarted. A `readinessProbe` is used by Services
- and Deployments to determine if the Pod is ready to receive network traffic.
- This policy validates that all containers have one of livenessProbe, readinessProbe,
- or startupProbe defined.
-spec:
- validationFailureAction: Audit
- background: true
- rules:
- - name: validate-probes
- match:
- any:
- - resources:
- kinds:
- - Pod
- operations:
- - CREATE
- - UPDATE
- validate:
- cel:
- expressions:
- - expression: >-
- object.spec.containers.all(container,
- has(container.livenessProbe) ||
- has(container.startupProbe) ||
- has(container.readinessProbe))
- message: "Liveness, readiness, or startup probes are required for all containers."
-
diff --git a/best-practices-cel/require-ro-rootfs/.chainsaw-test/bad-pod-false.yaml b/best-practices-cel/require-ro-rootfs/.chainsaw-test/bad-pod-false.yaml
deleted file mode 100644
index f6a698dcc..000000000
--- a/best-practices-cel/require-ro-rootfs/.chainsaw-test/bad-pod-false.yaml
+++ /dev/null
@@ -1,11 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
- name: badpod01
-spec:
- containers:
- - name: busybox
- image: ghcr.io/kyverno/test-busybox:1.35
- securityContext:
- readOnlyRootFilesystem: false
-
diff --git a/best-practices-cel/require-ro-rootfs/.chainsaw-test/bad-pod-notall.yaml b/best-practices-cel/require-ro-rootfs/.chainsaw-test/bad-pod-notall.yaml
deleted file mode 100644
index 137ed694b..000000000
--- a/best-practices-cel/require-ro-rootfs/.chainsaw-test/bad-pod-notall.yaml
+++ /dev/null
@@ -1,26 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
- name: badpod-roroot
-spec:
- containers:
- - name: busybox
- image: ghcr.io/kyverno/test-busybox:1.35
- - name: busybox-again
- image: ghcr.io/kyverno/test-busybox:1.35
- securityContext:
- readOnlyRootFilesystem: true
----
-apiVersion: v1
-kind: Pod
-metadata:
- name: badpod-roroot
-spec:
- containers:
- - name: busybox
- image: ghcr.io/kyverno/test-busybox:1.35
- securityContext:
- readOnlyRootFilesystem: true
- - name: busybox-again
- image: ghcr.io/kyverno/test-busybox:1.35
-
diff --git a/best-practices-cel/require-ro-rootfs/.chainsaw-test/bad-pod-nothing.yaml b/best-practices-cel/require-ro-rootfs/.chainsaw-test/bad-pod-nothing.yaml
deleted file mode 100644
index 8bf520fc5..000000000
--- a/best-practices-cel/require-ro-rootfs/.chainsaw-test/bad-pod-nothing.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
- name: badpod02-roroot
-spec:
- containers:
- - name: busybox
- image: ghcr.io/kyverno/test-busybox:1.35
-
diff --git a/best-practices-cel/require-ro-rootfs/.chainsaw-test/bad-podcontrollers.yaml b/best-practices-cel/require-ro-rootfs/.chainsaw-test/bad-podcontrollers.yaml
deleted file mode 100644
index 3ee6cb481..000000000
--- a/best-practices-cel/require-ro-rootfs/.chainsaw-test/bad-podcontrollers.yaml
+++ /dev/null
@@ -1,41 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: reqro-baddeployment01
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: app
- template:
- metadata:
- labels:
- app: app
- spec:
- containers:
- - name: busybox
- image: ghcr.io/kyverno/test-busybox:1.35
- - name: busybox-again
- image: ghcr.io/kyverno/test-busybox:1.35
- securityContext:
- readOnlyRootFilesystem: true
----
-apiVersion: batch/v1
-kind: CronJob
-metadata:
- name: reqro-badcronjob01
-spec:
- schedule: "*/1 * * * *"
- jobTemplate:
- spec:
- template:
- spec:
- restartPolicy: OnFailure
- containers:
- - name: busybox
- image: ghcr.io/kyverno/test-busybox:1.35
- - name: busybox-again
- image: ghcr.io/kyverno/test-busybox:1.35
- securityContext:
- readOnlyRootFilesystem: true
-
diff --git a/best-practices-cel/require-ro-rootfs/.chainsaw-test/chainsaw-test.yaml b/best-practices-cel/require-ro-rootfs/.chainsaw-test/chainsaw-test.yaml
deleted file mode 100755
index 9857eaa9b..000000000
--- a/best-practices-cel/require-ro-rootfs/.chainsaw-test/chainsaw-test.yaml
+++ /dev/null
@@ -1,49 +0,0 @@
-# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
-apiVersion: chainsaw.kyverno.io/v1alpha1
-kind: Test
-metadata:
- creationTimestamp: null
- name: require-ro-rootfs
-spec:
- steps:
- - name: step-01
- try:
- - apply:
- file: ../require-ro-rootfs.yaml
- - patch:
- resource:
- apiVersion: kyverno.io/v1
- kind: ClusterPolicy
- metadata:
- name: require-ro-rootfs
- spec:
- validationFailureAction: Enforce
- - assert:
- file: policy-ready.yaml
- - name: step-02
- try:
- - apply:
- file: good-pods.yaml
- - apply:
- file: good-podcontrollers.yaml
- - apply:
- expect:
- - check:
- ($error != null): true
- file: bad-pod-nothing.yaml
- - apply:
- expect:
- - check:
- ($error != null): true
- file: bad-pod-notall.yaml
- - apply:
- expect:
- - check:
- ($error != null): true
- file: bad-pod-false.yaml
- - apply:
- expect:
- - check:
- ($error != null): true
- file: bad-podcontrollers.yaml
-
diff --git a/best-practices-cel/require-ro-rootfs/.chainsaw-test/good-podcontrollers.yaml b/best-practices-cel/require-ro-rootfs/.chainsaw-test/good-podcontrollers.yaml
deleted file mode 100644
index 17d8fbfab..000000000
--- a/best-practices-cel/require-ro-rootfs/.chainsaw-test/good-podcontrollers.yaml
+++ /dev/null
@@ -1,45 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: reqro-gooddeployment01
-spec:
- replicas: 1
- selector:
- matchLabels:
- foo: bar
- template:
- metadata:
- labels:
- foo: bar
- spec:
- containers:
- - name: busybox
- image: ghcr.io/kyverno/test-busybox:1.35
- securityContext:
- readOnlyRootFilesystem: true
- - name: busybox-again
- image: ghcr.io/kyverno/test-busybox:1.35
- securityContext:
- readOnlyRootFilesystem: true
----
-apiVersion: batch/v1
-kind: CronJob
-metadata:
- name: reqprobes-goodcronjob01
-spec:
- schedule: "*/1 * * * *"
- jobTemplate:
- spec:
- template:
- spec:
- restartPolicy: OnFailure
- containers:
- - name: busybox
- image: ghcr.io/kyverno/test-busybox:1.35
- securityContext:
- readOnlyRootFilesystem: true
- - name: busybox-again
- image: ghcr.io/kyverno/test-busybox:1.35
- securityContext:
- readOnlyRootFilesystem: true
-
diff --git a/best-practices-cel/require-ro-rootfs/.chainsaw-test/good-pods.yaml b/best-practices-cel/require-ro-rootfs/.chainsaw-test/good-pods.yaml
deleted file mode 100644
index e85753a35..000000000
--- a/best-practices-cel/require-ro-rootfs/.chainsaw-test/good-pods.yaml
+++ /dev/null
@@ -1,26 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
- name: goodpod01-roroot
-spec:
- containers:
- - name: busybox
- image: ghcr.io/kyverno/test-busybox:1.35
- securityContext:
- readOnlyRootFilesystem: true
----
-apiVersion: v1
-kind: Pod
-metadata:
- name: goodpod02-roroot
-spec:
- containers:
- - name: busybox
- image: ghcr.io/kyverno/test-busybox:1.35
- securityContext:
- readOnlyRootFilesystem: true
- - name: busybox-again
- image: ghcr.io/kyverno/test-busybox:1.35
- securityContext:
- readOnlyRootFilesystem: true
-
diff --git a/best-practices-cel/require-ro-rootfs/.chainsaw-test/policy-ready.yaml b/best-practices-cel/require-ro-rootfs/.chainsaw-test/policy-ready.yaml
deleted file mode 100755
index 0e1123025..000000000
--- a/best-practices-cel/require-ro-rootfs/.chainsaw-test/policy-ready.yaml
+++ /dev/null
@@ -1,9 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: require-ro-rootfs -status: - conditions: - - reason: Succeeded - status: "True" - type: Ready diff --git a/best-practices-cel/require-ro-rootfs/.kyverno-test/kyverno-test.yaml b/best-practices-cel/require-ro-rootfs/.kyverno-test/kyverno-test.yaml deleted file mode 100644 index 0534a97e0..000000000 --- a/best-practices-cel/require-ro-rootfs/.kyverno-test/kyverno-test.yaml +++ /dev/null @@ -1,25 +0,0 @@ -apiVersion: cli.kyverno.io/v1alpha1 -kind: Test -metadata: - name: require-ro-rootfs -policies: -- ../require-ro-rootfs.yaml -resources: -- resource.yaml -results: -- kind: Pod - policy: require-ro-rootfs - resources: - - badpod01 - - badpod02 - - badpod03 - result: fail - rule: validate-readOnlyRootFilesystem -- kind: Pod - policy: require-ro-rootfs - resources: - - goodpod01 - - goodpod02 - result: pass - rule: validate-readOnlyRootFilesystem - diff --git a/best-practices-cel/require-ro-rootfs/.kyverno-test/resource.yaml b/best-practices-cel/require-ro-rootfs/.kyverno-test/resource.yaml deleted file mode 100644 index f55bd12bc..000000000 --- a/best-practices-cel/require-ro-rootfs/.kyverno-test/resource.yaml +++ /dev/null 
@@ -1,59 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: badpod01 -spec: - containers: - - name: ghost - image: ghost - securityContext: - readOnlyRootFilesystem: false ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod02 -spec: - containers: - - name: ghost - image: ghost ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod03 -spec: - containers: - - name: ghost - image: ghost - - name: busybox - image: busybox - securityContext: - readOnlyRootFilesystem: true ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod01 -spec: - containers: - - name: ghost - image: ghost - securityContext: - readOnlyRootFilesystem: true ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod02 -spec: - containers: - - name: ghost - image: ghost - securityContext: - readOnlyRootFilesystem: true - - name: nginx - image: nginx - securityContext: - readOnlyRootFilesystem: true - diff --git a/best-practices-cel/require-ro-rootfs/artifacthub-pkg.yml b/best-practices-cel/require-ro-rootfs/artifacthub-pkg.yml deleted file mode 100644 index 187f4bc4d..000000000 --- a/best-practices-cel/require-ro-rootfs/artifacthub-pkg.yml +++ /dev/null 
@@ -1,25 +0,0 @@ -name: require-ro-rootfs-cel -version: 1.0.0 -displayName: Require Read-Only Root Filesystem in CEL expressions -description: >- - A read-only root file system helps to enforce an immutable infrastructure strategy; the container only needs to write on the mounted volume that persists the state. An immutable root filesystem can also prevent malicious binaries from writing to the host system. This policy validates that containers define a securityContext with `readOnlyRootFilesystem: true`. -install: |- - ```shell - kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/best-practices-cel/require-ro-rootfs/require-ro-rootfs.yaml - ``` -keywords: - - kyverno - - Best Practices - - EKS Best Practices - - CEL Expressions -readme: | - A read-only root file system helps to enforce an immutable infrastructure strategy; the container only needs to write on the mounted volume that persists the state. An immutable root filesystem can also prevent malicious binaries from writing to the host system. This policy validates that containers define a securityContext with `readOnlyRootFilesystem: true`. - - Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ -annotations: - kyverno/category: "Best Practices, EKS Best Practices in CEL" - kyverno/kubernetesVersion: "1.26-1.27" - kyverno/subject: "Pod" -digest: fe244b770ce2bc266f6af712404255b2968f26448614498fdf2f103ae82a1343 -createdAt: "2024-03-07T12:35:00Z" - diff --git a/best-practices-cel/require-ro-rootfs/require-ro-rootfs.yaml b/best-practices-cel/require-ro-rootfs/require-ro-rootfs.yaml deleted file mode 100644 index fcb7473d5..000000000 --- a/best-practices-cel/require-ro-rootfs/require-ro-rootfs.yaml +++ /dev/null 
@@ -1,38 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: require-ro-rootfs - annotations: - policies.kyverno.io/title: Require Read-Only Root Filesystem in CEL expressions - policies.kyverno.io/category: Best Practices, EKS Best Practices, PSP Migration in CEL - policies.kyverno.io/severity: medium - policies.kyverno.io/subject: Pod - kyverno.io/kubernetes-version: "1.26-1.27" - policies.kyverno.io/minversion: 1.11.0 - policies.kyverno.io/description: >- - A read-only root file system helps to enforce an immutable infrastructure strategy; - the container only needs to write on the mounted volume that persists the state. - An immutable root filesystem can also prevent malicious binaries from writing to the - host system. This policy validates that containers define a securityContext - with `readOnlyRootFilesystem: true`. -spec: - validationFailureAction: Audit - background: true - rules: - - name: validate-readOnlyRootFilesystem - match: - any: - - resources: - kinds: - - Pod - operations: - - CREATE - - UPDATE - validate: - cel: - expressions: - - expression: >- - object.spec.containers.all(container, - container.?securityContext.?readOnlyRootFilesystem.orValue(false) == true) - message: "Root filesystem must be read-only." - diff --git a/best-practices-cel/restrict-image-registries/.chainsaw-test/bad-pod-false.yaml b/best-practices-cel/restrict-image-registries/.chainsaw-test/bad-pod-false.yaml deleted file mode 100644 index 2876a5024..000000000 --- a/best-practices-cel/restrict-image-registries/.chainsaw-test/bad-pod-false.yaml +++ /dev/null @@ -1,9 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: badpod01-registry -spec: - containers: - - name: k8s-nginx - image: registry.k8s.io/nginx:1.7.9 - diff --git a/best-practices-cel/restrict-image-registries/.chainsaw-test/bad-pod-noregistry.yaml b/best-practices-cel/restrict-image-registries/.chainsaw-test/bad-pod-noregistry.yaml deleted file mode 100644 index c46ebaf5e..000000000 
--- a/best-practices-cel/restrict-image-registries/.chainsaw-test/bad-pod-noregistry.yaml +++ /dev/null @@ -1,9 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: badpod04-registry -spec: - containers: - - name: k8s-nginx - image: nginx - diff --git a/best-practices-cel/restrict-image-registries/.chainsaw-test/bad-pod-notall.yaml b/best-practices-cel/restrict-image-registries/.chainsaw-test/bad-pod-notall.yaml deleted file mode 100644 index 591ee4d47..000000000 --- a/best-practices-cel/restrict-image-registries/.chainsaw-test/bad-pod-notall.yaml +++ /dev/null @@ -1,22 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: badpod02-registry -spec: - containers: - - name: k8s-nginx - image: registry.k8s.io/nginx:1.7.9 - - name: busybox - image: bar.io/busybox ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod03-registry -spec: - containers: - - name: busybox - image: eu.foo.io/busybox - - name: k8s-nginx - image: registry.k8s.io/nginx:1.7.9 - diff --git a/best-practices-cel/restrict-image-registries/.chainsaw-test/bad-podcontrollers.yaml b/best-practices-cel/restrict-image-registries/.chainsaw-test/bad-podcontrollers.yaml deleted file mode 100644 index d99cb3c8c..000000000 --- a/best-practices-cel/restrict-image-registries/.chainsaw-test/bad-podcontrollers.yaml +++ /dev/null 
@@ -1,141 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: reqro-baddeployment01 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: k8s-nginx-init - image: bar.io/nginx - - name: busybox-init - image: ghcr.io/kyverno/test-busybox - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 - - name: k8s-nginx - image: bar.io/nginx ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: reqro-baddeployment02 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: k8s-nginx-init - image: bar.io/nginx - - name: nginx-init - image: eu.foo.io/nginx - containers: - - name: k8s-nginx - image: bar.io/nginx - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: reqro-baddeployment03 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: k8s-nginx-init - image: bar.io/nginx - - name: busybox-init - image: ghcr.io/kyverno/test-busybox:1.35 - containers: - - name: k8s-nginx - image: bar.io/nginx - - name: nginx - image: eu.foo.io/nginx ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: reqro-badcronjob01 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: k8s-nginx-init - image: bar.io/nginx - - name: busybox-init - image: ghcr.io/kyverno/test-busybox - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 - - name: k8s-nginx - image: bar.io/nginx ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: reqro-badcronjob02 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: k8s-nginx-init - image: bar.io/nginx - - name: nginx-init - 
image: eu.foo.io/nginx - containers: - - name: k8s-nginx - image: bar.io/nginx - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: reqro-badcronjob03 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: k8s-nginx-init - image: bar.io/nginx - - name: busybox-init - image: ghcr.io/kyverno/test-busybox:1.35 - containers: - - name: k8s-nginx - image: bar.io/nginx - - name: nginx - image: eu.foo.io/nginx - diff --git a/best-practices-cel/restrict-image-registries/.chainsaw-test/chainsaw-test.yaml b/best-practices-cel/restrict-image-registries/.chainsaw-test/chainsaw-test.yaml deleted file mode 100755 index 9ee72fa4e..000000000 --- a/best-practices-cel/restrict-image-registries/.chainsaw-test/chainsaw-test.yaml +++ /dev/null 
@@ -1,64 +0,0 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json -apiVersion: chainsaw.kyverno.io/v1alpha1 -kind: Test -metadata: - creationTimestamp: null - name: restrict-image-registries -spec: - # disable templating because it can cause issues with CEL expressions - template: false - steps: - - name: step-01 - try: - - apply: - file: ../restrict-image-registries.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: restrict-image-registries - spec: - validationFailureAction: Enforce - - assert: - file: policy-ready.yaml - - name: step-02 - try: - - apply: - file: good-pods.yaml - - apply: - file: good-podcontrollers.yaml - - apply: - expect: - - check: - ($error != null): true - file: bad-pod-noregistry.yaml - - apply: - expect: - - check: - ($error != null): true - file: bad-pod-notall.yaml - - apply: - expect: - - check: - ($error != null): true - file: bad-pod-false.yaml - - apply: - expect: - - check: - ($error != null): true - file: bad-podcontrollers.yaml - - name: step-03 - try: - - script: - content: if kubectl debug -it goodpod02-registry --image=busybox:1.35 --target=k8s-nginx - -n ir-pods-namespace; then exit 1; else exit 0; fi; - - name: step-98 - try: - - script: - content: kubectl delete deployments --all --force --grace-period=0 -n ir-pods-namespace - - script: - content: kubectl delete pods --all --force --grace-period=0 -n ir-pods-namespace - - script: - content: kubectl delete cronjobs --all --force --grace-period=0 -n ir-pods-namespace - diff --git a/best-practices-cel/restrict-image-registries/.chainsaw-test/good-podcontrollers.yaml b/best-practices-cel/restrict-image-registries/.chainsaw-test/good-podcontrollers.yaml deleted file mode 100644 index 48f74daff..000000000 --- a/best-practices-cel/restrict-image-registries/.chainsaw-test/good-podcontrollers.yaml +++ /dev/null 
@@ -1,49 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: reqro-gooddeployment01 - namespace: ir-pods-namespace -spec: - replicas: 1 - selector: - matchLabels: - foo: bar - template: - metadata: - labels: - foo: bar - spec: - initContainers: - - name: k8s-nginx-init - image: bar.io/nginx - - name: busybox-init - image: eu.foo.io/busybox - containers: - - name: busybox - image: eu.foo.io/nginx - - name: k8s-nginx - image: bar.io/nginx ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: reqprobes-goodcronjob01 - namespace: ir-pods-namespace -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: k8s-nginx-init - image: bar.io/nginx - - name: busybox-init - image: eu.foo.io/busybox - containers: - - name: busybox - image: eu.foo.io/nginx - - name: k8s-nginx - image: bar.io/nginx - diff --git a/best-practices-cel/restrict-image-registries/.chainsaw-test/good-pods.yaml b/best-practices-cel/restrict-image-registries/.chainsaw-test/good-pods.yaml deleted file mode 100644 index d092314d7..000000000 --- a/best-practices-cel/restrict-image-registries/.chainsaw-test/good-pods.yaml +++ /dev/null @@ -1,35 +0,0 @@ -apiVersion: v1 -kind: Namespace -metadata: - name: ir-pods-namespace ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod01-registry - namespace: ir-pods-namespace -spec: - initContainers: - - name: k8s-nginx-init - image: bar.io/nginx - containers: - - name: k8s-nginx - image: eu.foo.io/nginx ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod02-registry - namespace: ir-pods-namespace -spec: - initContainers: - - name: nginx-init - image: bar.io/nginx - - name: busybox-init - image: eu.foo.io/busybox - containers: - - name: k8s-nginx - image: bar.io/nginx - - name: busybox - image: eu.foo.io/busybox - 
diff --git a/best-practices-cel/restrict-image-registries/.chainsaw-test/policy-ready.yaml b/best-practices-cel/restrict-image-registries/.chainsaw-test/policy-ready.yaml deleted file mode 100755 index 5bb42adbe..000000000 --- a/best-practices-cel/restrict-image-registries/.chainsaw-test/policy-ready.yaml +++ /dev/null @@ -1,9 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: restrict-image-registries -status: - conditions: - - reason: Succeeded - status: "True" - type: Ready diff --git a/best-practices-cel/restrict-image-registries/.kyverno-test/kyverno-test.yaml b/best-practices-cel/restrict-image-registries/.kyverno-test/kyverno-test.yaml deleted file mode 100644 index 11a15e2b4..000000000 --- a/best-practices-cel/restrict-image-registries/.kyverno-test/kyverno-test.yaml +++ /dev/null @@ -1,27 +0,0 @@ -apiVersion: cli.kyverno.io/v1alpha1 -kind: Test -metadata: - name: restrict-image-registries -policies: -- ../restrict-image-registries.yaml -resources: -- resource.yaml -results: -- kind: Pod - policy: restrict-image-registries - resources: - - badpod01 - - badpod02 - - badpod03 - - badpod04 - result: fail - rule: validate-registries -- kind: Pod - policy: restrict-image-registries - resources: - - goodpod01 - - goodpod02 - - goodpod03 - result: pass - rule: validate-registries - diff --git a/best-practices-cel/restrict-image-registries/.kyverno-test/resource.yaml b/best-practices-cel/restrict-image-registries/.kyverno-test/resource.yaml deleted file mode 100644 index 0f7628233..000000000 --- a/best-practices-cel/restrict-image-registries/.kyverno-test/resource.yaml +++ /dev/null 
@@ -1,69 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: badpod01 -spec: - containers: - - name: k8s-nginx - image: registry.k8s.io/nginx:1.7.9 ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod02 -spec: - containers: - - name: k8s-nginx - image: registry.k8s.io/nginx:1.7.9 - - name: busybox - image: bar.io/busybox ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod03 -spec: - containers: - - name: k8s-nginx - image: registry.k8s.io/nginx:1.7.9 - - name: busybox - image: eu.foo.io/busybox ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod04 -spec: - containers: - - name: k8s-nginx - image: nginx ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod01 -spec: - containers: - - name: k8s-nginx - image: eu.foo.io/nginx ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod02 -spec: - containers: - - name: k8s-nginx - image: bar.io/nginx ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod03 -spec: - containers: - - name: k8s-nginx - image: bar.io/nginx - - name: busybox - image: eu.foo.io/busybox - diff --git a/best-practices-cel/restrict-image-registries/artifacthub-pkg.yml b/best-practices-cel/restrict-image-registries/artifacthub-pkg.yml deleted file mode 100644 index c7dce3b39..000000000 --- a/best-practices-cel/restrict-image-registries/artifacthub-pkg.yml +++ /dev/null 
@@ -1,25 +0,0 @@ -name: restrict-image-registries-cel -version: 1.0.0 -displayName: Restrict Image Registries in CEL expressions -description: >- - Images from unknown, public registries can be of dubious quality and may not be scanned and secured, representing a high degree of risk. Requiring use of known, approved registries helps reduce threat exposure by ensuring image pulls only come from them. This policy validates that container images only originate from the registry `eu.foo.io` or `bar.io`. Use of this policy requires customization to define your allowable registries. -install: |- - ```shell - kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/best-practices-cel/restrict-image-registries/restrict-image-registries.yaml - ``` -keywords: - - kyverno - - Best Practices - - EKS Best Practices - - CEL Expressions -readme: | - Images from unknown, public registries can be of dubious quality and may not be scanned and secured, representing a high degree of risk. Requiring use of known, approved registries helps reduce threat exposure by ensuring image pulls only come from them. This policy validates that container images only originate from the registry `eu.foo.io` or `bar.io`. Use of this policy requires customization to define your allowable registries. - - Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ -annotations: - kyverno/category: "Best Practices, EKS Best Practices in CEL" - kyverno/kubernetesVersion: "1.26-1.27" - kyverno/subject: "Pod" -digest: 8fbe80e4d4b26e2a2acc2160d52bf5b88c4f137567ea569e086439fc1fe1bd49 -createdAt: "2024-03-07T13:35:11Z" - diff --git a/best-practices-cel/restrict-image-registries/restrict-image-registries.yaml b/best-practices-cel/restrict-image-registries/restrict-image-registries.yaml deleted file mode 100644 index 91db27a80..000000000 --- a/best-practices-cel/restrict-image-registries/restrict-image-registries.yaml +++ /dev/null 
@@ -1,39 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: restrict-image-registries - annotations: - policies.kyverno.io/title: Restrict Image Registries in CEL expressions - policies.kyverno.io/category: Best Practices, EKS Best Practices in CEL - policies.kyverno.io/severity: medium - policies.kyverno.io/minversion: 1.11.0 - kyverno.io/kubernetes-version: "1.26-1.27" - policies.kyverno.io/subject: Pod - policies.kyverno.io/description: >- - Images from unknown, public registries can be of dubious quality and may not be - scanned and secured, representing a high degree of risk. Requiring use of known, approved - registries helps reduce threat exposure by ensuring image pulls only come from them. This - policy validates that container images only originate from the registry `eu.foo.io` or - `bar.io`. Use of this policy requires customization to define your allowable registries. -spec: - validationFailureAction: Audit - background: true - rules: - - name: validate-registries - match: - any: - - resources: - kinds: - - Pod - operations: - - CREATE - - UPDATE - validate: - cel: - variables: - - name: allContainers - expression: "object.spec.containers + object.spec.?initContainers.orValue([]) + object.spec.?ephemeralContainers.orValue([])" - expressions: - - expression: "variables.allContainers.all(container, container.image.startsWith('eu.foo.io/') || container.image.startsWith('bar.io/'))" - message: "Unknown image registry." - diff --git a/best-practices-cel/restrict-node-port/.chainsaw-test/bad-service-nodeport.yaml b/best-practices-cel/restrict-node-port/.chainsaw-test/bad-service-nodeport.yaml deleted file mode 100644 index 5ff22f5cf..000000000 --- a/best-practices-cel/restrict-node-port/.chainsaw-test/bad-service-nodeport.yaml +++ /dev/null @@ -1,13 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: badservice01-np -spec: - ports: - - name: http - nodePort: 31080 - port: 80 - protocol: TCP - targetPort: 8080 - type: NodePort - 
diff --git a/best-practices-cel/restrict-node-port/.chainsaw-test/chainsaw-test.yaml b/best-practices-cel/restrict-node-port/.chainsaw-test/chainsaw-test.yaml deleted file mode 100755 index f0487517f..000000000 --- a/best-practices-cel/restrict-node-port/.chainsaw-test/chainsaw-test.yaml +++ /dev/null @@ -1,32 +0,0 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json -apiVersion: chainsaw.kyverno.io/v1alpha1 -kind: Test -metadata: - creationTimestamp: null - name: restrict-node-port -spec: - steps: - - name: step-01 - try: - - apply: - file: ../restrict-node-port.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: restrict-nodeport - spec: - validationFailureAction: Enforce - - assert: - file: policy-ready.yaml - - name: step-02 - try: - - apply: - file: good-services.yaml - - apply: - expect: - - check: - ($error != null): true - file: bad-service-nodeport.yaml - diff --git a/best-practices-cel/restrict-node-port/.chainsaw-test/good-services.yaml b/best-practices-cel/restrict-node-port/.chainsaw-test/good-services.yaml deleted file mode 100644 index 8e1fa3e98..000000000 --- a/best-practices-cel/restrict-node-port/.chainsaw-test/good-services.yaml +++ /dev/null @@ -1,25 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: goodservice01-np -spec: - ports: - - name: http - port: 80 - protocol: TCP - targetPort: 8080 - type: ClusterIP ---- -apiVersion: v1 -kind: Service -metadata: - name: goodservice02-np -spec: - selector: - app: MyApp - ports: - - protocol: TCP - port: 80 - targetPort: 9376 - type: LoadBalancer - diff --git a/best-practices-cel/restrict-node-port/.chainsaw-test/policy-ready.yaml b/best-practices-cel/restrict-node-port/.chainsaw-test/policy-ready.yaml deleted file mode 100755 index d6c481fb7..000000000 --- a/best-practices-cel/restrict-node-port/.chainsaw-test/policy-ready.yaml +++ /dev/null 
@@ -1,9 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: restrict-nodeport -status: - conditions: - - reason: Succeeded - status: "True" - type: Ready diff --git a/best-practices-cel/restrict-node-port/.kyverno-test/kyverno-test.yaml b/best-practices-cel/restrict-node-port/.kyverno-test/kyverno-test.yaml deleted file mode 100644 index 964ef12f5..000000000 --- a/best-practices-cel/restrict-node-port/.kyverno-test/kyverno-test.yaml +++ /dev/null @@ -1,23 +0,0 @@ -apiVersion: cli.kyverno.io/v1alpha1 -kind: Test -metadata: - name: restrict-node-port -policies: -- ../restrict-node-port.yaml -resources: -- resource.yaml -results: -- kind: Service - policy: restrict-nodeport - resources: - - badservice01 - result: fail - rule: validate-nodeport -- kind: Service - policy: restrict-nodeport - resources: - - goodservice01 - - goodservice02 - result: pass - rule: validate-nodeport - diff --git a/best-practices-cel/restrict-node-port/.kyverno-test/resource.yaml b/best-practices-cel/restrict-node-port/.kyverno-test/resource.yaml deleted file mode 100644 index 5100a8514..000000000 --- a/best-practices-cel/restrict-node-port/.kyverno-test/resource.yaml +++ /dev/null @@ -1,39 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: badservice01 -spec: - ports: - - name: http - nodePort: 31080 - port: 80 - protocol: TCP - targetPort: 8080 - type: NodePort ---- -apiVersion: v1 -kind: Service -metadata: - name: goodservice01 -spec: - ports: - - name: http - nodePort: 31080 - port: 80 - protocol: TCP - targetPort: 8080 - type: ClusterIP ---- -apiVersion: v1 -kind: Service -metadata: - name: goodservice02 -spec: - selector: - app: MyApp - ports: - - protocol: TCP - port: 80 - targetPort: 9376 - type: LoadBalancer - diff --git a/best-practices-cel/restrict-node-port/artifacthub-pkg.yml b/best-practices-cel/restrict-node-port/artifacthub-pkg.yml deleted file mode 100644 index 8118d2e63..000000000 
--- a/best-practices-cel/restrict-node-port/artifacthub-pkg.yml +++ /dev/null @@ -1,24 +0,0 @@ -name: restrict-node-port-cel -version: 1.0.0 -displayName: Disallow NodePort in CEL expressions -description: >- - A Kubernetes Service of type NodePort uses a host port to receive traffic from any source. A NetworkPolicy cannot be used to control traffic to host ports. Although NodePort Services can be useful, their use must be limited to Services with additional upstream security checks. This policy validates that any new Services do not use the `NodePort` type. -install: |- - ```shell - kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/best-practices-cel/restrict-node-port/restrict-node-port.yaml - ``` -keywords: - - kyverno - - Best Practices - - CEL Expressions -readme: | - A Kubernetes Service of type NodePort uses a host port to receive traffic from any source. A NetworkPolicy cannot be used to control traffic to host ports. Although NodePort Services can be useful, their use must be limited to Services with additional upstream security checks. This policy validates that any new Services do not use the `NodePort` type. - - Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ -annotations: - kyverno/category: "Best Practices in CEL" - kyverno/kubernetesVersion: "1.26-1.27" - kyverno/subject: "Service" -digest: 94702e242c40699edeccac5f44c1d481c5b0426396eb3de4ed2ca771aed7868e -createdAt: "2024-03-06T14:04:34Z" - diff --git a/best-practices-cel/restrict-node-port/restrict-node-port.yaml b/best-practices-cel/restrict-node-port/restrict-node-port.yaml deleted file mode 100644 index 9ea76c4b4..000000000 --- a/best-practices-cel/restrict-node-port/restrict-node-port.yaml +++ /dev/null 
@@ -1,36 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: restrict-nodeport - annotations: - policies.kyverno.io/title: Disallow NodePort in CEL expressions - policies.kyverno.io/category: Best Practices in CEL - policies.kyverno.io/minversion: 1.11.0 - kyverno.io/kubernetes-version: "1.26-1.27" - policies.kyverno.io/severity: medium - policies.kyverno.io/subject: Service - policies.kyverno.io/description: >- - A Kubernetes Service of type NodePort uses a host port to receive traffic from - any source. A NetworkPolicy cannot be used to control traffic to host ports. - Although NodePort Services can be useful, their use must be limited to Services - with additional upstream security checks. This policy validates that any new Services - do not use the `NodePort` type. -spec: - validationFailureAction: Audit - background: true - rules: - - name: validate-nodeport - match: - any: - - resources: - kinds: - - Service - operations: - - CREATE - - UPDATE - validate: - cel: - expressions: - - expression: "has(object.spec.type) ? (object.spec.type != 'NodePort') : true" - message: "Services of type NodePort are not allowed." - diff --git a/best-practices-cel/restrict-service-external-ips/.chainsaw-test/bad-service-oneip.yaml b/best-practices-cel/restrict-service-external-ips/.chainsaw-test/bad-service-oneip.yaml deleted file mode 100644 index 16dab36c1..000000000 --- a/best-practices-cel/restrict-service-external-ips/.chainsaw-test/bad-service-oneip.yaml +++ /dev/null @@ -1,14 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: badservice01-eip -spec: - selector: - app: MyApp - ports: - - protocol: TCP - port: 80 - targetPort: 9376 - externalIPs: - - 1.2.3.4 - diff --git a/best-practices-cel/restrict-service-external-ips/.chainsaw-test/bad-service-twoeip.yaml b/best-practices-cel/restrict-service-external-ips/.chainsaw-test/bad-service-twoeip.yaml deleted file mode 100644 index c448876c0..000000000 
--- a/best-practices-cel/restrict-service-external-ips/.chainsaw-test/bad-service-twoeip.yaml +++ /dev/null @@ -1,15 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: badservice02-eip -spec: - selector: - app: MyApp - ports: - - protocol: TCP - port: 80 - targetPort: 9376 - externalIPs: - - 1.2.3.4 - - 37.10.11.53 - diff --git a/best-practices-cel/restrict-service-external-ips/.chainsaw-test/chainsaw-test.yaml b/best-practices-cel/restrict-service-external-ips/.chainsaw-test/chainsaw-test.yaml deleted file mode 100755 index add3f7d80..000000000 --- a/best-practices-cel/restrict-service-external-ips/.chainsaw-test/chainsaw-test.yaml +++ /dev/null @@ -1,37 +0,0 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json -apiVersion: chainsaw.kyverno.io/v1alpha1 -kind: Test -metadata: - creationTimestamp: null - name: restrict-service-external-ips -spec: - steps: - - name: step-01 - try: - - apply: - file: ../restrict-service-external-ips.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: restrict-external-ips - spec: - validationFailureAction: Enforce - - assert: - file: policy-ready.yaml - - name: step-02 - try: - - apply: - file: good-services.yaml - - apply: - expect: - - check: - ($error != null): true - file: bad-service-oneip.yaml - - apply: - expect: - - check: - ($error != null): true - file: bad-service-twoeip.yaml - diff --git a/best-practices-cel/restrict-service-external-ips/.chainsaw-test/good-services.yaml b/best-practices-cel/restrict-service-external-ips/.chainsaw-test/good-services.yaml deleted file mode 100644 index cdaa47e6e..000000000 --- a/best-practices-cel/restrict-service-external-ips/.chainsaw-test/good-services.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: goodservice01-eip -spec: - selector: - app: MyApp - ports: - - protocol: TCP - port: 80 - targetPort: 9376 - 
diff --git a/best-practices-cel/restrict-service-external-ips/.chainsaw-test/policy-ready.yaml b/best-practices-cel/restrict-service-external-ips/.chainsaw-test/policy-ready.yaml deleted file mode 100755 index 164fecbff..000000000 --- a/best-practices-cel/restrict-service-external-ips/.chainsaw-test/policy-ready.yaml +++ /dev/null @@ -1,9 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: restrict-external-ips -status: - conditions: - - reason: Succeeded - status: "True" - type: Ready diff --git a/best-practices-cel/restrict-service-external-ips/.kyverno-test/kyverno-test.yaml b/best-practices-cel/restrict-service-external-ips/.kyverno-test/kyverno-test.yaml deleted file mode 100644 index 9fa1e0430..000000000 --- a/best-practices-cel/restrict-service-external-ips/.kyverno-test/kyverno-test.yaml +++ /dev/null @@ -1,23 +0,0 @@ -apiVersion: cli.kyverno.io/v1alpha1 -kind: Test -metadata: - name: restrict-external-ips -policies: -- ../restrict-service-external-ips.yaml -resources: -- resource.yaml -results: -- kind: Service - policy: restrict-external-ips - resources: - - badservice01 - - badservice02 - result: fail - rule: check-ips -- kind: Service - policy: restrict-external-ips - resources: - - goodservice01 - result: pass - rule: check-ips - diff --git a/best-practices-cel/restrict-service-external-ips/.kyverno-test/resource.yaml b/best-practices-cel/restrict-service-external-ips/.kyverno-test/resource.yaml deleted file mode 100644 index ad3d09a12..000000000 --- a/best-practices-cel/restrict-service-external-ips/.kyverno-test/resource.yaml +++ /dev/null 
@@ -1,41 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: goodservice01 -spec: - selector: - app: MyApp - ports: - - protocol: TCP - port: 80 - targetPort: 9376 ---- -apiVersion: v1 -kind: Service -metadata: - name: badservice01 -spec: - selector: - app: MyApp - ports: - - protocol: TCP - port: 80 - targetPort: 9376 - externalIPs: - - 1.2.3.4 ---- -apiVersion: v1 -kind: Service -metadata: - name: badservice02 -spec: - selector: - app: MyApp - ports: - - protocol: TCP - port: 80 - targetPort: 9376 - externalIPs: - - 1.2.3.4 - - 37.10.11.53 - diff --git a/best-practices-cel/restrict-service-external-ips/artifacthub-pkg.yml b/best-practices-cel/restrict-service-external-ips/artifacthub-pkg.yml deleted file mode 100644 index c89fc356a..000000000 --- a/best-practices-cel/restrict-service-external-ips/artifacthub-pkg.yml +++ /dev/null 
@@ -1,24 +0,0 @@ -name: restrict-service-external-ips-cel -version: 1.0.0 -displayName: Restrict External IPs in CEL expressions -description: >- - Service externalIPs can be used for a MITM attack (CVE-2020-8554). Restrict externalIPs or limit to a known set of addresses. See: https://github.com/kyverno/kyverno/issues/1367. This policy validates that the `externalIPs` field is not set on a Service. -install: |- - ```shell - kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/best-practices-cel/restrict-service-external-ips/restrict-service-external-ips.yaml - ``` -keywords: - - kyverno - - Best Practices - - CEL Expressions -readme: | - Service externalIPs can be used for a MITM attack (CVE-2020-8554). Restrict externalIPs or limit to a known set of addresses. See: https://github.com/kyverno/kyverno/issues/1367. This policy validates that the `externalIPs` field is not set on a Service. - - Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ -annotations: - kyverno/category: "Best Practices in CEL" - kyverno/kubernetesVersion: "1.26-1.27" - kyverno/subject: "Service" -digest: dae3c0bf20b0a1a0f3ad7e395d3c05742a4e6ec87813bb16d63eae2ebaa9a744 -createdAt: "2024-03-07T05:48:27Z" - diff --git a/best-practices-cel/restrict-service-external-ips/restrict-service-external-ips.yaml b/best-practices-cel/restrict-service-external-ips/restrict-service-external-ips.yaml deleted file mode 100644 index 4d75de9da..000000000 --- a/best-practices-cel/restrict-service-external-ips/restrict-service-external-ips.yaml +++ /dev/null 
@@ -1,39 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: restrict-external-ips - annotations: - policies.kyverno.io/title: Restrict External IPs in CEL expressions - policies.kyverno.io/category: Best Practices in CEL - policies.kyverno.io/minversion: 1.11.0 - kyverno.io/kubernetes-version: "1.26-1.27" - policies.kyverno.io/severity: medium - policies.kyverno.io/subject: Service - policies.kyverno.io/description: >- - Service externalIPs can be used for a MITM attack (CVE-2020-8554). - Restrict externalIPs or limit to a known set of addresses. - See: https://github.com/kyverno/kyverno/issues/1367. This policy validates - that the `externalIPs` field is not set on a Service. -spec: - validationFailureAction: Audit - background: true - rules: - - name: check-ips - match: - any: - - resources: - kinds: - - Service - operations: - - CREATE - - UPDATE - validate: - cel: - expressions: - - expression: "!has(object.spec.externalIPs)" - # restrict external IP addresses - # you can alternatively restrict to a known set of addresses using: - # !has(object.spec.externalIPs) || - # object.spec.externalIPs.all(ip, ip in ["37.10.11.53", "153.10.20.1"]) - message: "externalIPs are not allowed." - diff --git a/best-practices/add-network-policy/.chainsaw-test/chainsaw-test.yaml b/best-practices/add-network-policy/.chainsaw-test/chainsaw-test.yaml index 7f0850809..007255763 100755 --- a/best-practices/add-network-policy/.chainsaw-test/chainsaw-test.yaml +++ b/best-practices/add-network-policy/.chainsaw-test/chainsaw-test.yaml @@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: diff --git a/best-practices/add-network-policy/.chainsaw-test/policy-ready.yaml b/best-practices/add-network-policy/.chainsaw-test/policy-ready.yaml index 0cda6e225..cf7a8d910 100644 
--- a/best-practices/add-network-policy/.chainsaw-test/policy-ready.yaml +++ b/best-practices/add-network-policy/.chainsaw-test/policy-ready.yaml @@ -3,7 +3,4 @@ kind: ClusterPolicy metadata: name: add-networkpolicy status: - conditions: - - reason: Succeeded - status: "True" - type: Ready + ready: true \ No newline at end of file diff --git a/best-practices/add-networkpolicy-dns/.chainsaw-test/chainsaw-test.yaml b/best-practices/add-networkpolicy-dns/.chainsaw-test/chainsaw-test.yaml index 995b3bab6..730712131 100755 --- a/best-practices/add-networkpolicy-dns/.chainsaw-test/chainsaw-test.yaml +++ b/best-practices/add-networkpolicy-dns/.chainsaw-test/chainsaw-test.yaml @@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: diff --git a/best-practices/add-networkpolicy-dns/.chainsaw-test/policy-ready.yaml b/best-practices/add-networkpolicy-dns/.chainsaw-test/policy-ready.yaml index 9e5775610..caeb4c6cc 100644 --- a/best-practices/add-networkpolicy-dns/.chainsaw-test/policy-ready.yaml +++ b/best-practices/add-networkpolicy-dns/.chainsaw-test/policy-ready.yaml @@ -3,7 +3,4 @@ kind: ClusterPolicy metadata: name: add-networkpolicy-dns status: - conditions: - - reason: Succeeded - status: "True" - type: Ready + ready: true \ No newline at end of file diff --git a/best-practices/add-ns-quota/.chainsaw-test/chainsaw-test.yaml b/best-practices/add-ns-quota/.chainsaw-test/chainsaw-test.yaml index cbeba71aa..f8f108e49 100755 --- a/best-practices/add-ns-quota/.chainsaw-test/chainsaw-test.yaml +++ b/best-practices/add-ns-quota/.chainsaw-test/chainsaw-test.yaml @@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: 
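Review bot: The readiness assertion now keys on `status.ready: true`, which in the Kyverno ClusterPolicy status is, as far as I recall, the boolean that was deprecated in favour of `status.conditions`; the removed `conditions` entry with `type: Ready` / `status: "True"` is the form that keeps working if `ready` is dropped from the CRD. If the change was only meant to shorten the fixture, I would keep the conditions block. The same lowering appears in the sibling policy-ready.yaml hunks of this change, so whichever form is chosen should be applied consistently. The added line also has no trailing newline (`\ No newline at end of file`).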
diff --git a/best-practices/add-ns-quota/.chainsaw-test/policy-ready.yaml b/best-practices/add-ns-quota/.chainsaw-test/policy-ready.yaml index b4aa53546..4b51cee90 100644 --- a/best-practices/add-ns-quota/.chainsaw-test/policy-ready.yaml +++ b/best-practices/add-ns-quota/.chainsaw-test/policy-ready.yaml @@ -3,7 +3,4 @@ kind: ClusterPolicy metadata: name: add-ns-quota status: - conditions: - - reason: Succeeded - status: "True" - type: Ready + ready: true \ No newline at end of file diff --git a/best-practices/add-rolebinding/.chainsaw-test/chainsaw-step-00-apply-1.yaml b/best-practices/add-rolebinding/.chainsaw-test/chainsaw-step-00-apply-1.yaml index 00d533e11..fcf6df6b7 100755 --- a/best-practices/add-rolebinding/.chainsaw-test/chainsaw-step-00-apply-1.yaml +++ b/best-practices/add-rolebinding/.chainsaw-test/chainsaw-step-00-apply-1.yaml @@ -5,7 +5,6 @@ metadata: app.kubernetes.io/component: background-controller app.kubernetes.io/instance: kyverno app.kubernetes.io/part-of: kyverno - rbac.kyverno.io/aggregate-to-admission-controller: "true" name: kyverno:background-controller:addrolebinding rules: - apiGroups: diff --git a/best-practices/add-rolebinding/.chainsaw-test/chainsaw-test.yaml b/best-practices/add-rolebinding/.chainsaw-test/chainsaw-test.yaml index bba6f3f03..ae28d6ae5 100755 --- a/best-practices/add-rolebinding/.chainsaw-test/chainsaw-test.yaml +++ b/best-practices/add-rolebinding/.chainsaw-test/chainsaw-test.yaml @@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: @@ -22,8 +21,6 @@ spec: content: | #!/bin/bash set -eu - cp $KUBECONFIG temp - export KUBECONFIG=./temp export USERNAME=addrbuser export CA=ca.crt #### Get CA certificate from kubeconfig assuming it's the first in the list. 
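Review bot: Dropping `rbac.kyverno.io/aggregate-to-admission-controller: "true"` from the `kyverno:background-controller:addrolebinding` ClusterRole changes which Kyverno controller is granted the rules that follow, and the hunk gives no reason; the `rules:` list continues outside the hunk, so I cannot see what is being un-granted. If the admission controller never needed these permissions the removal is a welcome tightening, but if the add-rolebinding policy is also evaluated at admission time, generation would now fail with a forbidden error that this test would only surface indirectly. A one-line comment above the labels stating which controller needs the role would settle it, e.g. `# aggregated into the background controller only: generate rules run there`.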
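Review bot: With `cp $KUBECONFIG temp` and `export KUBECONFIG=./temp` removed, the `kubectl config set-credentials` / `set-context` calls later in this script write the `addrbuser` client certificate and context into the developer's or CI runner's real kubeconfig instead of a throwaway copy. The corresponding removal of the `rm ./temp` finally block means nothing restores that file if a later step aborts, so a signed client certificate for `addrbuser` can persist in a shared kubeconfig. I would keep the isolated copy by restoring `cp $KUBECONFIG temp` and `export KUBECONFIG=./temp` here, with the matching `rm ./temp` in a `finally:`. The script body continues past the end of the hunk.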
@@ -59,21 +56,23 @@ spec: kubectl config set-context $USERNAME-context --user=$USERNAME --cluster=$CLUSTER # Delete CSR kubectl delete csr $USERNAME + - name: step-03 + try: - apply: file: chainsaw-step-03-apply-1.yaml - apply: file: chainsaw-step-03-apply-2.yaml + - name: step-04 + try: - apply: file: ns.yaml - - script: - content: | - set -eu - export KUBECONFIG=./temp - kubectl create --context=addrbuser-context -f ns-rb.yaml - finally: - - script: - content: | - rm ./temp + - command: + args: + - create + - --context=addrbuser-context + - -f + - ns-rb.yaml + entrypoint: kubectl - name: step-05 try: - assert: @@ -82,5 +81,21 @@ spec: file: rb-not-gen.yaml - name: step-06 try: - - script: - content: kubectl delete -f ns-rb.yaml + - command: + args: + - config + - unset + - users.addrbuser + entrypoint: kubectl + - command: + args: + - config + - unset + - contexts.addrbuser-context + entrypoint: kubectl + - command: + args: + - delete + - -f + - ns-rb.yaml + entrypoint: kubectl diff --git a/best-practices/add-rolebinding/.chainsaw-test/policy-ready.yaml b/best-practices/add-rolebinding/.chainsaw-test/policy-ready.yaml index 4c84112c8..50f7cff4e 100644 --- a/best-practices/add-rolebinding/.chainsaw-test/policy-ready.yaml +++ b/best-practices/add-rolebinding/.chainsaw-test/policy-ready.yaml @@ -3,7 +3,4 @@ kind: ClusterPolicy metadata: name: add-rolebinding status: - conditions: - - reason: Succeeded - status: "True" - type: Ready + ready: true \ No newline at end of file diff --git a/best-practices/add-safe-to-evict/.chainsaw-test/chainsaw-test.yaml b/best-practices/add-safe-to-evict/.chainsaw-test/chainsaw-test.yaml index f047957de..3e3cf1cc8 100755 --- a/best-practices/add-safe-to-evict/.chainsaw-test/chainsaw-test.yaml +++ b/best-practices/add-safe-to-evict/.chainsaw-test/chainsaw-test.yaml 
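Review bot: The `kubectl config unset users.addrbuser` and `kubectl config unset contexts.addrbuser-context` commands sit in step-06's `try:` block, so they never run when step-03 through step-05 fail, and the test-created credentials then persist in the kubeconfig that this same test file no longer copies to a temp location. Chainsaw runs `finally:` (and `cleanup:`) regardless of the try outcome, so these two `command:` entries and the `delete -f ns-rb.yaml` belong under `finally:` of the step that creates them. Adding `--ignore-not-found` to the delete keeps that teardown idempotent when step-04's create never ran.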
@@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: diff --git a/best-practices/add-safe-to-evict/.chainsaw-test/policy-ready.yaml b/best-practices/add-safe-to-evict/.chainsaw-test/policy-ready.yaml index d3497a788..07388b1b3 100644 --- a/best-practices/add-safe-to-evict/.chainsaw-test/policy-ready.yaml +++ b/best-practices/add-safe-to-evict/.chainsaw-test/policy-ready.yaml @@ -3,7 +3,4 @@ kind: ClusterPolicy metadata: name: add-safe-to-evict status: - conditions: - - reason: Succeeded - status: "True" - type: Ready + ready: true \ No newline at end of file diff --git a/best-practices/add-safe-to-evict/.chainsaw-test/resource-others.yaml b/best-practices/add-safe-to-evict/.chainsaw-test/resource-others.yaml index 1f7263ed5..0b11299ff 100644 --- a/best-practices/add-safe-to-evict/.chainsaw-test/resource-others.yaml +++ b/best-practices/add-safe-to-evict/.chainsaw-test/resource-others.yaml @@ -5,7 +5,7 @@ metadata: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod @@ -16,7 +16,7 @@ metadata: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 volumeMounts: - mountPath: /var/local/aaa name: myfile @@ -34,7 +34,7 @@ metadata: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 volumeMounts: - mountPath: /var/local/aaa name: myfile diff --git a/best-practices/check-deprecated-apis/artifacthub-pkg.yml b/best-practices/check-deprecated-apis/artifacthub-pkg.yml index 9867bc3e1..a3eb252f5 100644 --- a/best-practices/check-deprecated-apis/artifacthub-pkg.yml +++ b/best-practices/check-deprecated-apis/artifacthub-pkg.yml 
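Review bot: Swapping `ghcr.io/kyverno/test-busybox:1.35` for the bare `busybox:1.35` moves the fixture from a project-controlled registry to an implicit Docker Hub reference with no digest, which reintroduces anonymous pull rate limits in CI and a mutable tag the project does not own. If the intent is only to stop using the mirror, I would at least pin by digest (`busybox:1.35@sha256:…`) or leave a comment above the container explaining why the ghcr image was dropped. The same swap repeats across the fixtures in this change, and elsewhere the tag is written `v1.35`, so whichever image is chosen should be applied consistently.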
@@ -19,4 +19,4 @@ annotations: kyverno/category: "Best Practices" kyverno/kubernetesVersion: "1.23" kyverno/subject: "Kubernetes APIs" -digest: 09653e37ea3310586e5df7cec4acff0324adb3fe9320b678603a17aba3a533f6 +digest: 9dedc3fa982568993975fdc213018f1eca5e0a6bea9bab2111bcfb5b86cdbb7a diff --git a/best-practices/check-deprecated-apis/check-deprecated-apis.yaml b/best-practices/check-deprecated-apis/check-deprecated-apis.yaml index 53cddac2c..2b49b4421 100644 --- a/best-practices/check-deprecated-apis/check-deprecated-apis.yaml +++ b/best-practices/check-deprecated-apis/check-deprecated-apis.yaml @@ -21,7 +21,7 @@ metadata: so therefore the validate-v1-25-removals rule may not completely work on 1.25+. This policy requires Kyverno v1.7.4+ to function properly. spec: - validationFailureAction: Audit + validationFailureAction: audit background: true rules: - name: validate-v1-25-removals diff --git a/best-practices/disallow-cri-sock-mount/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/best-practices/disallow-cri-sock-mount/.chainsaw-test/chainsaw-step-01-assert-1.yaml new file mode 100755 index 000000000..dff1a66ea --- /dev/null +++ b/best-practices/disallow-cri-sock-mount/.chainsaw-test/chainsaw-step-01-assert-1.yaml @@ -0,0 +1,6 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: disallow-container-sock-mounts +status: + ready: true diff --git a/best-practices/disallow-cri-sock-mount/.chainsaw-test/chainsaw-test.yaml b/best-practices/disallow-cri-sock-mount/.chainsaw-test/chainsaw-test.yaml index 849553fc4..7b6c30604 100755 --- a/best-practices/disallow-cri-sock-mount/.chainsaw-test/chainsaw-test.yaml +++ b/best-practices/disallow-cri-sock-mount/.chainsaw-test/chainsaw-test.yaml @@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: 
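Review bot: `validationFailureAction: audit` reintroduces the lowercase spelling that, as far as I recall, Kyverno keeps only as a deprecated alias of `Audit`, so this reads like a revert of an earlier normalisation rather than a fix. The casing is now load-bearing: other tests in this change patch the policy with `sed 's/validationFailureAction: audit/validationFailureAction: Enforce/'`, so a later correction back to `Audit` would silently leave those tests running in audit mode. I would keep `Audit` here and make the tests case-insensitive, e.g. `sed -E 's/validationFailureAction: [Aa]udit/validationFailureAction: Enforce/'`.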
@@ -8,18 +7,11 @@ spec: steps: - name: step-01 try: - - apply: - file: ../disallow-cri-sock-mount.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: disallow-container-sock-mounts - spec: - validationFailureAction: Enforce + - script: + content: | + sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../disallow-cri-sock-mount.yaml | kubectl create -f - - assert: - file: policy-ready.yaml + file: chainsaw-step-01-assert-1.yaml - name: step-02 try: - apply: @@ -48,3 +40,10 @@ spec: file: pod-emptydir-vol.yaml - apply: file: pod-no-volumes.yaml + - name: step-99 + try: + - delete: + ref: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: disallow-container-sock-mounts diff --git a/best-practices/disallow-cri-sock-mount/.chainsaw-test/pod-emptydir-vol.yaml b/best-practices/disallow-cri-sock-mount/.chainsaw-test/pod-emptydir-vol.yaml index f06eb8761..9d277ba40 100644 --- a/best-practices/disallow-cri-sock-mount/.chainsaw-test/pod-emptydir-vol.yaml +++ b/best-practices/disallow-cri-sock-mount/.chainsaw-test/pod-emptydir-vol.yaml @@ -5,7 +5,7 @@ metadata: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 command: - sleep - "3600" diff --git a/best-practices/disallow-cri-sock-mount/.chainsaw-test/pod-no-volumes.yaml b/best-practices/disallow-cri-sock-mount/.chainsaw-test/pod-no-volumes.yaml index aad47b636..38ed58659 100644 --- a/best-practices/disallow-cri-sock-mount/.chainsaw-test/pod-no-volumes.yaml +++ b/best-practices/disallow-cri-sock-mount/.chainsaw-test/pod-no-volumes.yaml @@ -6,7 +6,7 @@ spec: automountServiceAccountToken: false containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 command: - sleep - "3600" \ No newline at end of file 
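Review bot: Replacing the `apply:` + `patch:` pair with `sed … | kubectl create -f -` takes the ClusterPolicy out of chainsaw's resource tracking, which is why a manual `step-99` delete had to be added; but that step only runs when every earlier step passes, so a failing step-02 leaves an Enforce-mode `disallow-container-sock-mounts` policy live in the shared test cluster where it blocks unrelated tests. The delete belongs in a `cleanup:` or `finally:` block rather than a numbered step. The `sed` pattern also matches only the lowercase `audit`, so if the policy file is ever restored to `Audit` the step silently runs in audit mode and the later `$error != null` checks fail for the wrong reason. Keeping the declarative `apply:`/`patch:` form avoids all three problems.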
diff --git a/best-practices/disallow-cri-sock-mount/.chainsaw-test/policy-ready.yaml b/best-practices/disallow-cri-sock-mount/.chainsaw-test/policy-ready.yaml deleted file mode 100755 index 0e6bde6b2..000000000 --- a/best-practices/disallow-cri-sock-mount/.chainsaw-test/policy-ready.yaml +++ /dev/null @@ -1,9 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: disallow-container-sock-mounts -status: - conditions: - - reason: Succeeded - status: "True" - type: Ready diff --git a/best-practices/disallow-cri-sock-mount/artifacthub-pkg.yml b/best-practices/disallow-cri-sock-mount/artifacthub-pkg.yml index 9faedfd9c..74eca9731 100644 --- a/best-practices/disallow-cri-sock-mount/artifacthub-pkg.yml +++ b/best-practices/disallow-cri-sock-mount/artifacthub-pkg.yml @@ -19,4 +19,4 @@ readme: | annotations: kyverno/category: "Best Practices, EKS Best Practices" kyverno/subject: "Pod" -digest: b7aacfae0ed85dc7afb57577522918326e09091e249c0a92a8d95dbab4043430 +digest: 1e927de12a6f539378e0710992be05671bbb0dc0fee04a74e2f6602645b4158c diff --git a/best-practices/disallow-cri-sock-mount/disallow-cri-sock-mount.yaml b/best-practices/disallow-cri-sock-mount/disallow-cri-sock-mount.yaml index b23b555e0..8d9beb5f9 100644 --- a/best-practices/disallow-cri-sock-mount/disallow-cri-sock-mount.yaml +++ b/best-practices/disallow-cri-sock-mount/disallow-cri-sock-mount.yaml @@ -16,7 +16,7 @@ metadata: to or replacement of this policy, preventing users from mounting the parent directories (/var/run and /var) may be necessary to completely prevent socket bind mounts. spec: - validationFailureAction: Audit + validationFailureAction: audit background: true rules: - name: validate-docker-sock-mount diff --git a/best-practices/disallow-default-namespace/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/best-practices/disallow-default-namespace/.chainsaw-test/chainsaw-step-01-assert-1.yaml new file mode 100755 index 000000000..1251ec4c8 --- /dev/null 
+++ b/best-practices/disallow-default-namespace/.chainsaw-test/chainsaw-step-01-assert-1.yaml @@ -0,0 +1,6 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: disallow-default-namespace +status: + ready: true diff --git a/best-practices/disallow-default-namespace/.chainsaw-test/ns.yaml b/best-practices/disallow-default-namespace/.chainsaw-test/chainsaw-step-02-apply-1.yaml similarity index 100% rename from best-practices/disallow-default-namespace/.chainsaw-test/ns.yaml rename to best-practices/disallow-default-namespace/.chainsaw-test/chainsaw-step-02-apply-1.yaml diff --git a/best-practices/disallow-default-namespace/.chainsaw-test/chainsaw-test.yaml b/best-practices/disallow-default-namespace/.chainsaw-test/chainsaw-test.yaml index 0df2e4cbb..8a6fa02f1 100755 --- a/best-practices/disallow-default-namespace/.chainsaw-test/chainsaw-test.yaml +++ b/best-practices/disallow-default-namespace/.chainsaw-test/chainsaw-test.yaml @@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: @@ -8,22 +7,15 @@ spec: steps: - name: step-01 try: - - apply: - file: ../disallow-default-namespace.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: disallow-default-namespace - spec: - validationFailureAction: Enforce + - script: + content: | + sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../disallow-default-namespace.yaml | kubectl create -f - - assert: - file: policy-ready.yaml + file: chainsaw-step-01-assert-1.yaml - name: step-02 try: - apply: - file: ns.yaml + file: chainsaw-step-02-apply-1.yaml - name: step-03 try: - apply: @@ -53,3 +45,10 @@ spec: - check: ($error != null): true file: deploy-default.yaml + - name: step-99 + try: + - delete: + ref: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: disallow-default-namespace 
diff --git a/best-practices/disallow-default-namespace/.chainsaw-test/deploy-default.yaml b/best-practices/disallow-default-namespace/.chainsaw-test/deploy-default.yaml index 9f6a91e16..04bbabfd3 100644 --- a/best-practices/disallow-default-namespace/.chainsaw-test/deploy-default.yaml +++ b/best-practices/disallow-default-namespace/.chainsaw-test/deploy-default.yaml @@ -16,7 +16,7 @@ spec: app: busybox spec: containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:v1.35 name: busybox command: - "sleep" diff --git a/best-practices/disallow-default-namespace/.chainsaw-test/ds-default.yaml b/best-practices/disallow-default-namespace/.chainsaw-test/ds-default.yaml index 27dd35dcf..a0750b55b 100644 --- a/best-practices/disallow-default-namespace/.chainsaw-test/ds-default.yaml +++ b/best-practices/disallow-default-namespace/.chainsaw-test/ds-default.yaml @@ -13,7 +13,7 @@ spec: name: good-daemonset spec: containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:v1.35 name: busybox command: - "sleep" diff --git a/best-practices/disallow-default-namespace/.chainsaw-test/good-resources.yaml b/best-practices/disallow-default-namespace/.chainsaw-test/good-resources.yaml index 909ea1956..972e5f5f8 100644 --- a/best-practices/disallow-default-namespace/.chainsaw-test/good-resources.yaml +++ b/best-practices/disallow-default-namespace/.chainsaw-test/good-resources.yaml @@ -29,7 +29,7 @@ spec: app: busybox spec: containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:v1.35 name: busybox command: - "sleep" @@ -50,7 +50,7 @@ spec: name: good-daemonset spec: containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:v1.35 name: busybox command: - "sleep" @@ -65,7 +65,7 @@ spec: template: spec: containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:v1.35 name: busybox command: - "sleep" 
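Review bot: `busybox:v1.35` does not match the `busybox:1.35` tag used by the other fixtures in this change (pod-emptydir-vol.yaml, for example), and I do not believe the official busybox repository publishes a `v`-prefixed tag, so this Deployment's pods would most likely sit in ImagePullBackOff. For an admission-policy test that is masked, since the verdict is decided before any image pull, but the fixture is then not a working resource, and the same tag is copied into ds-default.yaml and good-resources.yaml. I would use `image: busybox:1.35` wherever `v1.35` appears.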
@@ -90,7 +90,7 @@ spec: app: busybox spec: containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:v1.35 name: busybox command: - "sleep" diff --git a/best-practices/disallow-default-namespace/.chainsaw-test/job-default.yaml b/best-practices/disallow-default-namespace/.chainsaw-test/job-default.yaml index a32cc5859..da19ac9c9 100644 --- a/best-practices/disallow-default-namespace/.chainsaw-test/job-default.yaml +++ b/best-practices/disallow-default-namespace/.chainsaw-test/job-default.yaml @@ -7,7 +7,7 @@ spec: template: spec: containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:v1.35 name: busybox command: - "sleep" diff --git a/best-practices/disallow-default-namespace/.chainsaw-test/policy-ready.yaml b/best-practices/disallow-default-namespace/.chainsaw-test/policy-ready.yaml deleted file mode 100755 index 077564486..000000000 --- a/best-practices/disallow-default-namespace/.chainsaw-test/policy-ready.yaml +++ /dev/null @@ -1,9 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: disallow-default-namespace -status: - conditions: - - reason: Succeeded - status: "True" - type: Ready diff --git a/best-practices/disallow-default-namespace/.chainsaw-test/ss-default.yaml b/best-practices/disallow-default-namespace/.chainsaw-test/ss-default.yaml index 6c14a6d06..be2fca2fb 100644 --- a/best-practices/disallow-default-namespace/.chainsaw-test/ss-default.yaml +++ b/best-practices/disallow-default-namespace/.chainsaw-test/ss-default.yaml @@ -16,7 +16,7 @@ spec: app: busybox spec: containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:v1.35 name: busybox command: - "sleep" diff --git a/best-practices/disallow-default-namespace/artifacthub-pkg.yml b/best-practices/disallow-default-namespace/artifacthub-pkg.yml index d348b763a..974742f52 100644 --- a/best-practices/disallow-default-namespace/artifacthub-pkg.yml +++ b/best-practices/disallow-default-namespace/artifacthub-pkg.yml 
@@ -18,4 +18,4 @@ readme: | annotations: kyverno/category: "Multi-Tenancy" kyverno/subject: "Pod" -digest: 955cfe7ba81e4c1d8f8aeea55a675138a8aea710342a7691a12feeb13b316bc4 +digest: 6b0d2126956d201e29d7303a09d913a4708a24ab011973c7d3b16e23f254cdd5 diff --git a/best-practices/disallow-default-namespace/disallow-default-namespace.yaml b/best-practices/disallow-default-namespace/disallow-default-namespace.yaml index 10aa9a6d5..a1afe3a84 100644 --- a/best-practices/disallow-default-namespace/disallow-default-namespace.yaml +++ b/best-practices/disallow-default-namespace/disallow-default-namespace.yaml @@ -18,7 +18,7 @@ metadata: due to Pod controllers need to specify the `namespace` field under the top-level `metadata` object and not at the Pod template level. spec: - validationFailureAction: Audit + validationFailureAction: audit background: true rules: - name: validate-namespace diff --git a/best-practices/disallow-empty-ingress-host/.chainsaw-test/chainsaw-test.yaml b/best-practices/disallow-empty-ingress-host/.chainsaw-test/chainsaw-test.yaml index e2f1b81f1..1eefca6e8 100755 --- a/best-practices/disallow-empty-ingress-host/.chainsaw-test/chainsaw-test.yaml +++ b/best-practices/disallow-empty-ingress-host/.chainsaw-test/chainsaw-test.yaml @@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: @@ -10,14 +9,6 @@ spec: try: - apply: file: ../disallow-empty-ingress-host.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: disallow-empty-ingress-host - spec: - validationFailureAction: Enforce - assert: file: policy-ready.yaml - name: step-02 @@ -39,3 +30,10 @@ spec: - check: ($error != null): true file: no-host-success-first.yaml + - name: step-99 + try: + - delete: + ref: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: disallow-empty-ingress-host 
diff --git a/best-practices/disallow-empty-ingress-host/.chainsaw-test/policy-ready.yaml b/best-practices/disallow-empty-ingress-host/.chainsaw-test/policy-ready.yaml index 957e645c5..36ff57cd3 100644 --- a/best-practices/disallow-empty-ingress-host/.chainsaw-test/policy-ready.yaml +++ b/best-practices/disallow-empty-ingress-host/.chainsaw-test/policy-ready.yaml @@ -3,7 +3,4 @@ kind: ClusterPolicy metadata: name: disallow-empty-ingress-host status: - conditions: - - reason: Succeeded - status: "True" - type: Ready + ready: true \ No newline at end of file diff --git a/best-practices/disallow-empty-ingress-host/artifacthub-pkg.yml b/best-practices/disallow-empty-ingress-host/artifacthub-pkg.yml index 5baa5dbb3..35a403ede 100644 --- a/best-practices/disallow-empty-ingress-host/artifacthub-pkg.yml +++ b/best-practices/disallow-empty-ingress-host/artifacthub-pkg.yml @@ -18,4 +18,4 @@ readme: | annotations: kyverno/category: "Best Practices" kyverno/subject: "Ingress" -digest: dc6573e0a73eeb6e698fff33c86c2ec05af93d470f13a92e9af6a1cac6538721 +digest: f9e70cf095e2d69a9586d7b8071975006e76aa715e5c978d37761c03ac6fc7fd diff --git a/best-practices/disallow-empty-ingress-host/disallow-empty-ingress-host.yaml b/best-practices/disallow-empty-ingress-host/disallow-empty-ingress-host.yaml index daf459b8c..142f6323d 100644 --- a/best-practices/disallow-empty-ingress-host/disallow-empty-ingress-host.yaml +++ b/best-practices/disallow-empty-ingress-host/disallow-empty-ingress-host.yaml @@ -13,7 +13,7 @@ metadata: in order to be valid. This policy ensures that there is a hostname for each rule defined. spec: - validationFailureAction: Audit + validationFailureAction: enforce background: false rules: - name: disallow-empty-ingress-host diff --git a/best-practices/disallow-helm-tiller/.chainsaw-test/bad-deploy.yaml b/best-practices/disallow-helm-tiller/.chainsaw-test/bad-deploy.yaml index ba78801ea..5fbfecc4b 100644 --- a/best-practices/disallow-helm-tiller/.chainsaw-test/bad-deploy.yaml 
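Review bot: Changing the shipped default from `Audit` to `enforce` makes a catalogue best-practice policy start rejecting Ingress objects as soon as it is applied, a behaviour change for every consumer of this file, yet neither the description annotation above nor the artifacthub readme in this change mentions it (only the digest moved). It also uses the lowercase spelling that, as far as I recall, Kyverno keeps only as a deprecated alias of `Enforce`. The chainsaw test in this same diff dropped its `patch:` to Enforce and now depends on this default; if enforcing is intended, say so in the description and write `validationFailureAction: Enforce`, otherwise keep `Audit` and restore the test patch.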
+++ b/best-practices/disallow-helm-tiller/.chainsaw-test/bad-deploy.yaml @@ -15,12 +15,7 @@ spec: app: busybox spec: containers: - - image: ghcr.io/kyverno/test-busybox - name: busybox + - image: busybox + name: busybox:1.35 - image: docker.io/tiller:latest name: helm-tiller - initContainers: - - image: ghcr.io/kyverno/test-busybox - name: busyboxinit - - image: docker.io/tiller:latest - name: helm-tillerinit diff --git a/best-practices/disallow-helm-tiller/.chainsaw-test/bad-pod-fail-first.yaml b/best-practices/disallow-helm-tiller/.chainsaw-test/bad-pod-fail-first.yaml index 5d43c5e2f..56caf1bbb 100644 --- a/best-practices/disallow-helm-tiller/.chainsaw-test/bad-pod-fail-first.yaml +++ b/best-practices/disallow-helm-tiller/.chainsaw-test/bad-pod-fail-first.yaml @@ -7,9 +7,4 @@ spec: - name: helm-tiller image: docker.io/tiller:latest - name: somebox - image: ghcr.io/kyverno/test-busybox:1.35 - initContainers: - - name: helm-tillerinit - image: docker.io/tiller:latest - - name: someboxinit - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 diff --git a/best-practices/disallow-helm-tiller/.chainsaw-test/bad-pod-success-first.yaml b/best-practices/disallow-helm-tiller/.chainsaw-test/bad-pod-success-first.yaml index 6a90dc9e0..ba3bc5292 100644 --- a/best-practices/disallow-helm-tiller/.chainsaw-test/bad-pod-success-first.yaml +++ b/best-practices/disallow-helm-tiller/.chainsaw-test/bad-pod-success-first.yaml @@ -5,11 +5,6 @@ metadata: spec: containers: - name: somebox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: helm-tiller - image: docker.io/tiller:latest - initContainers: - - name: someboxinit - image: ghcr.io/kyverno/test-busybox:1.35 - - name: helm-tillerinit - image: docker.io/tiller:latest + image: docker.io/tiller:latest \ No newline at end of file 
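Review bot: The rewritten container has `image: busybox` and `name: busybox:1.35`, so the tag landed in the name field; `:` is not a valid character in a container name, and the API server will reject this Deployment on schema validation before Kyverno ever evaluates it. Because the test only checks `$error != null`, this negative case then passes even if the tiller rule were broken, which silently removes the coverage the fixture exists for. It should read `- image: busybox:1.35` / `name: busybox`. Dropping the `initContainers` entries here and in the bad-pod fixtures also removes the only cases exercising a tiller image in an init container, if the rule covers them (the rule body is not in this change).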
diff --git a/best-practices/disallow-helm-tiller/.chainsaw-test/bad-pod.yaml b/best-practices/disallow-helm-tiller/.chainsaw-test/bad-pod.yaml index e35960061..447689170 100644 --- a/best-practices/disallow-helm-tiller/.chainsaw-test/bad-pod.yaml +++ b/best-practices/disallow-helm-tiller/.chainsaw-test/bad-pod.yaml @@ -5,7 +5,4 @@ metadata: spec: containers: - name: helm-tiller - image: docker.io/tiller:latest - initContainers: - - name: helm-tillerinit - image: docker.io/tiller:latest + image: docker.io/tiller:latest \ No newline at end of file diff --git a/best-practices/disallow-helm-tiller/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/best-practices/disallow-helm-tiller/.chainsaw-test/chainsaw-step-01-assert-1.yaml new file mode 100755 index 000000000..60a2fd6e4 --- /dev/null +++ b/best-practices/disallow-helm-tiller/.chainsaw-test/chainsaw-step-01-assert-1.yaml @@ -0,0 +1,6 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: disallow-helm-tiller +status: + ready: true diff --git a/best-practices/disallow-helm-tiller/.chainsaw-test/chainsaw-test.yaml b/best-practices/disallow-helm-tiller/.chainsaw-test/chainsaw-test.yaml index 982fedabe..a99a2a589 100755 --- a/best-practices/disallow-helm-tiller/.chainsaw-test/chainsaw-test.yaml +++ b/best-practices/disallow-helm-tiller/.chainsaw-test/chainsaw-test.yaml @@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: 
@@ -8,18 +7,11 @@ spec: steps: - name: step-01 try: - - apply: - file: ../disallow-helm-tiller.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: disallow-helm-tiller - spec: - validationFailureAction: Enforce + - script: + content: | + sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../disallow-helm-tiller.yaml | kubectl create -f - - assert: - file: policy-ready.yaml + file: chainsaw-step-01-assert-1.yaml - name: step-02 try: - apply: @@ -46,3 +38,10 @@ spec: - check: ($error != null): true file: bad-pod-success-first.yaml + - name: step-99 + try: + - delete: + ref: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: disallow-helm-tiller diff --git a/best-practices/disallow-helm-tiller/.chainsaw-test/good-deploy.yaml b/best-practices/disallow-helm-tiller/.chainsaw-test/good-deploy.yaml index 7026f8506..915bbaf8c 100644 --- a/best-practices/disallow-helm-tiller/.chainsaw-test/good-deploy.yaml +++ b/best-practices/disallow-helm-tiller/.chainsaw-test/good-deploy.yaml @@ -15,10 +15,6 @@ spec: app: busybox spec: containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:v1.35 name: busybox - command: ["sleep", "3600"] - initContainers: - - image: ghcr.io/kyverno/test-busybox:1.35 - name: busyboxinit - command: ["sleep", "3600"] + command: ["sleep", "3600"] \ No newline at end of file diff --git a/best-practices/disallow-helm-tiller/.chainsaw-test/good-pod.yaml b/best-practices/disallow-helm-tiller/.chainsaw-test/good-pod.yaml index 8db8c9b8a..0743299d4 100644 --- a/best-practices/disallow-helm-tiller/.chainsaw-test/good-pod.yaml +++ b/best-practices/disallow-helm-tiller/.chainsaw-test/good-pod.yaml 
@@ -5,11 +5,6 @@ metadata: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:v1.35 - name: nothelmbox - image: ghcr.io/kyverno/test-busybox:1.35 - initContainers: - - name: busyboxinit - image: ghcr.io/kyverno/test-busybox:1.35 - - name: nothelmboxinit - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:v1.35 \ No newline at end of file diff --git a/best-practices/disallow-helm-tiller/.chainsaw-test/policy-ready.yaml b/best-practices/disallow-helm-tiller/.chainsaw-test/policy-ready.yaml deleted file mode 100755 index e97801af1..000000000 --- a/best-practices/disallow-helm-tiller/.chainsaw-test/policy-ready.yaml +++ /dev/null @@ -1,9 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: disallow-helm-tiller -status: - conditions: - - reason: Succeeded - status: "True" - type: Ready diff --git a/best-practices/disallow-helm-tiller/.kyverno-test/resource.yaml b/best-practices/disallow-helm-tiller/.kyverno-test/resource.yaml index 08dcde836..c015402a8 100644 --- a/best-practices/disallow-helm-tiller/.kyverno-test/resource.yaml +++ b/best-practices/disallow-helm-tiller/.kyverno-test/resource.yaml @@ -6,10 +6,6 @@ spec: containers: - name: helm-tiller image: docker.io/tiller:latest - initContainers: - - name: helm-tillerinit - image: docker.io/tiller:latest - --- apiVersion: v1 kind: Pod @@ -21,11 +17,6 @@ spec: image: busybox:1.28 - name: helm-tiller image: docker.io/tiller:latest - initContainers: - - name: busyboxinit - image: busybox:1.28 - - name: helm-tillerinit - image: docker.io/tiller:latest --- apiVersion: v1 kind: Pod @@ -35,9 +26,6 @@ spec: containers: - name: busybox image: busybox - initContainers: - - name: busyboxinit - image: busybox --- apiVersion: v1 kind: Pod @@ -49,11 +37,6 @@ spec: image: busybox - name: nginx image: nginx - initContainers: - - name: busyboxinit - image: busybox - - name: nginxinit - image: nginx --- apiVersion: apps/v1 kind: Deployment 
@@ -76,10 +59,6 @@ spec: - image: busybox:1.28 name: busybox command: ["sleep", "9999"] - initContainers: - - image: busybox:1.28 - name: busyboxinit - command: ["sleep", "9999"] --- apiVersion: apps/v1 kind: Deployment @@ -101,6 +80,3 @@ spec: containers: - image: docker.io/tiller:latest name: helm-tiller - initContainers: - - image: docker.io/tiller:latest - name: helm-tillerinit diff --git a/best-practices/disallow-helm-tiller/artifacthub-pkg.yml b/best-practices/disallow-helm-tiller/artifacthub-pkg.yml index 7ec212d25..e34f3355c 100644 --- a/best-practices/disallow-helm-tiller/artifacthub-pkg.yml +++ b/best-practices/disallow-helm-tiller/artifacthub-pkg.yml @@ -18,4 +18,4 @@ readme: | annotations: kyverno/category: "Sample" kyverno/subject: "Pod" -digest: 805b3c00f0620c83eea3c1e0acb2c39aa3dfd8b4414e05a369083565ab4c6652 +digest: 6de64a4a8d611c250dc0190b28b6c757db531063161531e4f68202c0fbda5be4 diff --git a/best-practices/disallow-helm-tiller/disallow-helm-tiller.yaml b/best-practices/disallow-helm-tiller/disallow-helm-tiller.yaml index 1ab0c4f4b..61dd8c74d 100644 --- a/best-practices/disallow-helm-tiller/disallow-helm-tiller.yaml +++ b/best-practices/disallow-helm-tiller/disallow-helm-tiller.yaml @@ -11,11 +11,11 @@ metadata: policies.kyverno.io/description: >- Tiller, found in Helm v2, has known security challenges. It requires administrative privileges and acts as a shared resource accessible to any authenticated user. Tiller can lead to privilege escalation as - restricted users can impact other users. It is recommended to use Helm v3+ which does not contain + restricted users can impact other users. It is recommend to use Helm v3+ which does not contain Tiller for these reasons. This policy validates that there is not an image containing the name `tiller`. spec: - validationFailureAction: Audit + validationFailureAction: audit background: true rules: - name: validate-helm-tiller 
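Review bot: The description hunk of disallow-helm-tiller.yaml turns `It is recommended to use Helm v3+` into `It is recommend to use`, a grammar regression in user-facing policy text; the rest of the sentence is unchanged, so `recommended` should be restored. In the same hunk `validationFailureAction` becomes lowercase `audit`; the documented values are `Audit` and `Enforce`, and while the lowercase form is accepted for compatibility in the Kyverno versions I know of, the new chainsaw scripts run a literal `sed` on exactly `validationFailureAction: audit`, so the spelling here and in the test are now coupled and must change together. The same lowercase change is made in disallow-latest-tag.yaml and require-drop-all.yaml.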
@@ -26,13 +26,8 @@ spec: - Pod validate: message: "Helm Tiller is not allowed" - foreach: - - list: "request.object.spec.containers" - pattern: - image: "!*tiller*" - - list: "request.object.spec.initContainers" - pattern: - image: "!*tiller*" - - list: "request.object.spec.ephemeralContainers" - pattern: - image: "!*tiller*" + pattern: + spec: + containers: + - name: "*" + image: "!*tiller*" diff --git a/best-practices/disallow-latest-tag/.chainsaw-test/bad-pod-latest-fail-first.yaml b/best-practices/disallow-latest-tag/.chainsaw-test/bad-pod-latest-fail-first.yaml index df5287644..2184f875b 100644 --- a/best-practices/disallow-latest-tag/.chainsaw-test/bad-pod-latest-fail-first.yaml +++ b/best-practices/disallow-latest-tag/.chainsaw-test/bad-pod-latest-fail-first.yaml @@ -5,11 +5,6 @@ metadata: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:latest + image: busybox:latest - name: nginx - image: ghcr.io/kyverno/test-nginx:1.35 - initContainers: - - name: busyboxinit - image: ghcr.io/kyverno/test-busybox:latest - - name: nginxinit - image: ghcr.io/kyverno/test-nginx:1.35 + image: nginx:1.35 \ No newline at end of file diff --git a/best-practices/disallow-latest-tag/.chainsaw-test/bad-pod-latest-success-first.yaml b/best-practices/disallow-latest-tag/.chainsaw-test/bad-pod-latest-success-first.yaml index 5d2719a63..43e17164c 100644 --- a/best-practices/disallow-latest-tag/.chainsaw-test/bad-pod-latest-success-first.yaml +++ b/best-practices/disallow-latest-tag/.chainsaw-test/bad-pod-latest-success-first.yaml @@ -5,11 +5,6 @@ metadata: spec: containers: - name: nginx - image: ghcr.io/kyverno/test-nginx:1.35 + image: nginx:1.35 - name: busybox - image: ghcr.io/kyverno/test-busybox:latest - initContainers: - - name: nginxinit - image: ghcr.io/kyverno/test-nginx:1.35 - - name: busyboxinit - image: ghcr.io/kyverno/test-busybox:latest + image: busybox:latest \ No newline at end of file 
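Review bot: The new `pattern` only inspects `spec.containers`, so a Pod whose `initContainers` or `ephemeralContainers` entry carries a `tiller` image is no longer denied, while the description a few lines up still promises that no image containing the name `tiller` is admitted. The removed `foreach` covered all three lists; if a plain pattern is preferred, the two optional lists can be covered with conditional anchors as below. Note that the companion fixture hunks (`.kyverno-test/resource.yaml`, `.chainsaw-test/bad-pod.yaml`) delete exactly the initContainer cases that would have exposed this, so both the CLI and chainsaw tests go green without the gap being exercised. The same narrowing is applied to both rules of disallow-latest-tag.yaml (`require-image-tag`, `validate-image-tag`) and should get the same treatment with `"*:*"` and `"!*:latest"`.
```yaml
      validate:
        message: "Helm Tiller is not allowed"
        pattern:
          spec:
            containers:
            - image: "!*tiller*"
            =(initContainers):
            - image: "!*tiller*"
            =(ephemeralContainers):
            - image: "!*tiller*"
```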
diff --git a/best-practices/disallow-latest-tag/.chainsaw-test/bad-pod-no-tag.yaml b/best-practices/disallow-latest-tag/.chainsaw-test/bad-pod-no-tag.yaml index 8f3d04168..7a599f75c 100644 --- a/best-practices/disallow-latest-tag/.chainsaw-test/bad-pod-no-tag.yaml +++ b/best-practices/disallow-latest-tag/.chainsaw-test/bad-pod-no-tag.yaml @@ -5,14 +5,9 @@ metadata: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox + image: busybox - name: nginx - image: ghcr.io/kyverno/test-nginx:1.35 - initContainers: - - name: busyboxinit - image: ghcr.io/kyverno/test-busybox - - name: nginxinit - image: ghcr.io/kyverno/test-nginx:1.35 + image: nginx:1.35 --- apiVersion: v1 kind: Pod @@ -21,14 +16,9 @@ metadata: spec: containers: - name: nginx - image: ghcr.io/kyverno/test-nginx:1.35 + image: nginx:1.35 - name: busybox - image: ghcr.io/kyverno/test-busybox - initContainers: - - name: nginxinit - image: ghcr.io/kyverno/test-nginx:1.35 - - name: busyboxinit - image: ghcr.io/kyverno/test-busybox + image: busybox --- apiVersion: v1 kind: Pod @@ -37,11 +27,6 @@ metadata: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox + image: busybox - name: nginx - image: ghcr.io/kyverno/test-nginx:latest - initContainers: - - name: busyboxinit - image: ghcr.io/kyverno/test-busybox - - name: nginxinit - image: ghcr.io/kyverno/test-nginx:latest + image: nginx:latest \ No newline at end of file diff --git a/best-practices/disallow-latest-tag/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/best-practices/disallow-latest-tag/.chainsaw-test/chainsaw-step-01-assert-1.yaml new file mode 100755 index 000000000..4431d2055 --- /dev/null +++ b/best-practices/disallow-latest-tag/.chainsaw-test/chainsaw-step-01-assert-1.yaml @@ -0,0 +1,6 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: disallow-latest-tag +status: + ready: true 
diff --git a/best-practices/disallow-latest-tag/.chainsaw-test/chainsaw-test.yaml b/best-practices/disallow-latest-tag/.chainsaw-test/chainsaw-test.yaml index d5e9fb6f8..8b189a8d8 100755 --- a/best-practices/disallow-latest-tag/.chainsaw-test/chainsaw-test.yaml +++ b/best-practices/disallow-latest-tag/.chainsaw-test/chainsaw-test.yaml @@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: @@ -8,18 +7,11 @@ spec: steps: - name: step-01 try: - - apply: - file: ../disallow-latest-tag.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: disallow-latest-tag - spec: - validationFailureAction: Enforce + - script: + content: | + sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../disallow-latest-tag.yaml | kubectl create -f - - assert: - file: policy-ready.yaml + file: chainsaw-step-01-assert-1.yaml - name: step-02 try: - apply: @@ -39,3 +31,10 @@ spec: - check: ($error != null): true file: bad-pod-no-tag.yaml + - name: step-99 + try: + - delete: + ref: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: disallow-latest-tag diff --git a/best-practices/disallow-latest-tag/.chainsaw-test/good-pod.yaml b/best-practices/disallow-latest-tag/.chainsaw-test/good-pod.yaml index 16cb4772a..679a87f5c 100644 --- a/best-practices/disallow-latest-tag/.chainsaw-test/good-pod.yaml +++ b/best-practices/disallow-latest-tag/.chainsaw-test/good-pod.yaml @@ -5,7 +5,4 @@ metadata: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 - initContainers: - - name: busyboxinit - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:v1.35 \ No newline at end of file 
diff --git a/best-practices/disallow-latest-tag/.chainsaw-test/policy-ready.yaml b/best-practices/disallow-latest-tag/.chainsaw-test/policy-ready.yaml deleted file mode 100755 index 19f475312..000000000 --- a/best-practices/disallow-latest-tag/.chainsaw-test/policy-ready.yaml +++ /dev/null @@ -1,9 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: disallow-latest-tag -status: - conditions: - - reason: Succeeded - status: "True" - type: Ready diff --git a/best-practices/disallow-latest-tag/.kyverno-test/resource.yaml b/best-practices/disallow-latest-tag/.kyverno-test/resource.yaml index 03ed91c15..873a0d251 100644 --- a/best-practices/disallow-latest-tag/.kyverno-test/resource.yaml +++ b/best-practices/disallow-latest-tag/.kyverno-test/resource.yaml @@ -8,9 +8,6 @@ spec: containers: - name: nginx image: nginx:1.12 - initContainers: - - name: nginxinit - image: nginx:1.12 --- apiVersion: v1 kind: Pod @@ -22,9 +19,6 @@ spec: containers: - name: nginx image: nginx - initContainers: - - name: nginxinit - image: nginx --- apiVersion: v1 kind: Pod @@ -38,11 +32,6 @@ spec: image: busybox:1.28 - name: nginx image: nginx - initContainers: - - name: busyboxinit - image: busybox:1.28 - - name: nginxinit - image: nginx --- apiVersion: v1 kind: Pod @@ -54,9 +43,6 @@ spec: containers: - name: nginx image: nginx:latest - initContainers: - - name: nginxinit - image: nginx:latest --- apiVersion: v1 kind: Pod @@ -70,11 +56,6 @@ spec: image: busybox:1.28 - name: nginx image: nginx:latest - initContainers: - - name: busyboxinit - image: busybox:1.28 - - name: nginxinit - image: nginx:latest --- apiVersion: apps/v1 kind: Deployment @@ -96,10 +77,6 @@ spec: - image: busybox:1.28 name: busybox command: ["sleep", "9999"] - initContainers: - - image: busybox:1.28 - name: busyboxinit - command: ["sleep", "9999"] --- apiVersion: apps/v1 kind: Deployment 
@@ -121,10 +98,6 @@ spec: - image: busybox name: busybox command: ["sleep", "9999"] - initContainers: - - image: busybox - name: busyboxinit - command: ["sleep", "9999"] --- apiVersion: apps/v1 kind: Deployment @@ -146,7 +119,3 @@ spec: - image: busybox:latest name: busybox command: ["sleep", "9999"] - initContainers: - - image: busybox:latest - name: busyboxinit - command: ["sleep", "9999"] diff --git a/best-practices/disallow-latest-tag/artifacthub-pkg.yml b/best-practices/disallow-latest-tag/artifacthub-pkg.yml index 6cdd02e58..cfd7a6095 100644 --- a/best-practices/disallow-latest-tag/artifacthub-pkg.yml +++ b/best-practices/disallow-latest-tag/artifacthub-pkg.yml @@ -1,6 +1,6 @@ name: disallow-latest-tag version: 1.0.0 -displayName: Disallow Latest Tags +displayName: Disallow Latest Tag createdAt: "2023-04-10T19:47:15.000Z" description: >- The ':latest' tag is mutable and can lead to unexpected errors if the image changes. A best practice is to use an immutable tag that maps to a specific version of an application Pod. This policy validates that the image specifies a tag and that it is not called `latest`. @@ -18,4 +18,4 @@ readme: | annotations: kyverno/category: "Best Practices" kyverno/subject: "Pod" -digest: 6c79240f39687bf4d743144db4a08082c3871b3e68f0944c3bdbeeaa937b54a4 +digest: 3d19e0d8f2637eca9ad1d700f4fbf556aaa31221ff6c40698b9aadda1f41adb4 diff --git a/best-practices/disallow-latest-tag/disallow-latest-tag.yaml b/best-practices/disallow-latest-tag/disallow-latest-tag.yaml index 2f64e7a3c..c83cd565e 100644 --- a/best-practices/disallow-latest-tag/disallow-latest-tag.yaml +++ b/best-practices/disallow-latest-tag/disallow-latest-tag.yaml @@ -14,7 +14,7 @@ metadata: a specific version of an application Pod. This policy validates that the image specifies a tag and that it is not called `latest`. spec: - validationFailureAction: Audit + validationFailureAction: audit background: true rules: - name: require-image-tag 
@@ -25,16 +25,10 @@ spec: - Pod validate: message: "An image tag is required." - foreach: - - list: "request.object.spec.containers" - pattern: - image: "*:*" - - list: "request.object.spec.initContainers" - pattern: - image: "*:*" - - list: "request.object.spec.ephemeralContainers" - pattern: - image: "*:*" + pattern: + spec: + containers: + - image: "*:*" - name: validate-image-tag match: any: @@ -43,13 +37,7 @@ spec: - Pod validate: message: "Using a mutable image tag e.g. 'latest' is not allowed." - foreach: - - list: "request.object.spec.containers" - pattern: - image: "!*:latest" - - list: "request.object.spec.initContainers" - pattern: - image: "!*:latest" - - list: "request.object.spec.ephemeralContainers" - pattern: - image: "!*:latest" + pattern: + spec: + containers: + - image: "!*:latest" \ No newline at end of file diff --git a/best-practices/require-drop-all/.chainsaw-test/bad-pod-containers.yaml b/best-practices/require-drop-all/.chainsaw-test/bad-pod-containers.yaml index c3d2e36ef..8843ab227 100644 --- a/best-practices/require-drop-all/.chainsaw-test/bad-pod-containers.yaml +++ b/best-practices/require-drop-all/.chainsaw-test/bad-pod-containers.yaml @@ -5,14 +5,14 @@ metadata: spec: initContainers: - name: init - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: ["SYS_TIME"] drop: - ALL - name: init2 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: ["SYS_TIME"] @@ -20,14 +20,14 @@ spec: - ALL containers: - name: add-capabilities - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: ["SYS_TIME"] drop: - ALL - name: add-capabilities-again - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod 
@@ -36,14 +36,14 @@ metadata: spec: initContainers: - name: init - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: ["SYS_TIME"] drop: - ALL - name: init2 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: ["SYS_TIME"] @@ -51,9 +51,9 @@ spec: - ALL containers: - name: add-capabilities-again - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: add-capabilities - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: ["SYS_TIME"] diff --git a/best-practices/require-drop-all/.chainsaw-test/bad-pod-corner.yaml b/best-practices/require-drop-all/.chainsaw-test/bad-pod-corner.yaml index e7fed78cb..e29726b9a 100644 --- a/best-practices/require-drop-all/.chainsaw-test/bad-pod-corner.yaml +++ b/best-practices/require-drop-all/.chainsaw-test/bad-pod-corner.yaml @@ -5,19 +5,19 @@ metadata: spec: containers: - name: add-capabilities - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: ["SYS_TIME"] drop: - ALL - - name: add-capabilities-again - image: ghcr.io/kyverno/test-busybox:1.35 + - name: add-capabilities + image: busybox:1.35 securityContext: capabilities: add: ["SYS_TIME"] drop: - - CAP_NET_RAW + - ["CAP_NET_RAW"] --- apiVersion: v1 kind: Pod @@ -26,12 +26,12 @@ metadata: spec: containers: - name: add-capabilities - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: ["SYS_TIME"] - - name: add-capabilities-again - image: ghcr.io/kyverno/test-busybox:1.35 + - name: add-capabilities + image: busybox:1.35 securityContext: capabilities: add: ["SYS_TIME"] 
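Review bot: Both containers of the first Pod in bad-pod-corner.yaml are now named `add-capabilities`, and its second `drop` entry is `- ["CAP_NET_RAW"]`, a list nested inside a list where the schema expects plain strings; the API server rejects either of these during object validation, before any validating admission webhook runs, so this "bad" fixture now errors without Kyverno being consulted and the `($error != null): true` check passes for the wrong reason. The second Pod in the same hunk has the same duplicate container name, and the following hunk renames the third Pod to `add-capabilities-good` although it stays in a bad-pod file. Restore distinct names (`- name: add-capabilities-again`) and the plain entry `- CAP_NET_RAW` so that the denial actually comes from the policy. The require-drop-cap-net-raw copy of bad-pod-corner.yaml introduces the same duplicate container names.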
@@ -41,14 +41,14 @@ spec: apiVersion: v1 kind: Pod metadata: - name: add-capabilities-bad + name: add-capabilities-good spec: containers: - name: init - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: - ALL - name: init-again - image: ghcr.io/kyverno/test-busybox:1.35 \ No newline at end of file + image: busybox:1.35 \ No newline at end of file diff --git a/best-practices/require-drop-all/.chainsaw-test/bad-pod-initcontainers.yaml b/best-practices/require-drop-all/.chainsaw-test/bad-pod-initcontainers.yaml index 7d7051fb8..c6a0e3ecb 100644 --- a/best-practices/require-drop-all/.chainsaw-test/bad-pod-initcontainers.yaml +++ b/best-practices/require-drop-all/.chainsaw-test/bad-pod-initcontainers.yaml @@ -5,17 +5,17 @@ metadata: spec: initContainers: - name: init - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: ["SYS_TIME"] drop: - ALL - name: init2 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 containers: - name: add-capabilities - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: ["SYS_TIME"] @@ -29,9 +29,9 @@ metadata: spec: initContainers: - name: init - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: init2 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: ["SYS_TIME"] @@ -39,7 +39,7 @@ spec: - ALL containers: - name: add-capabilities - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: ["SYS_TIME"] diff --git a/best-practices/require-drop-all/.chainsaw-test/bad-podcontrollers.yaml b/best-practices/require-drop-all/.chainsaw-test/bad-podcontrollers.yaml index 47a1e8a31..246e34915 100644 --- a/best-practices/require-drop-all/.chainsaw-test/bad-podcontrollers.yaml +++ b/best-practices/require-drop-all/.chainsaw-test/bad-podcontrollers.yaml 
@@ -14,14 +14,14 @@ spec: spec: initContainers: - name: init - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: ["SYS_TIME"] drop: - ALL - name: init2 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: ["SYS_TIME"] @@ -29,14 +29,14 @@ spec: - ALL containers: - name: add-capabilities - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: ["SYS_TIME"] drop: - ALL - name: add-capabilities-again - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: apps/v1 kind: Deployment @@ -54,24 +54,24 @@ spec: spec: initContainers: - name: init - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: ["SYS_TIME"] drop: - ALL - name: init2 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 containers: - name: add-capabilities - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: ["SYS_TIME"] drop: - ALL - name: add-capabilities-again - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: ["SYS_TIME"] @@ -91,24 +91,24 @@ spec: restartPolicy: OnFailure initContainers: - name: init - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: ["SYS_TIME"] drop: - ALL - name: init2 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 containers: - name: add-capabilities - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: ["SYS_TIME"] drop: - ALL - name: add-capabilities-again - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: ["SYS_TIME"] 
@@ -128,14 +128,14 @@ spec: restartPolicy: OnFailure initContainers: - name: init - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: ["SYS_TIME"] drop: - ALL - name: init2 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: ["SYS_TIME"] @@ -143,11 +143,11 @@ spec: - ALL containers: - name: add-capabilities - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: ["SYS_TIME"] drop: - ALL - name: add-capabilities-again - image: ghcr.io/kyverno/test-busybox:1.35 \ No newline at end of file + image: busybox:1.35 \ No newline at end of file diff --git a/best-practices/require-drop-all/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/best-practices/require-drop-all/.chainsaw-test/chainsaw-step-01-assert-1.yaml new file mode 100755 index 000000000..4339ae7c7 --- /dev/null +++ b/best-practices/require-drop-all/.chainsaw-test/chainsaw-step-01-assert-1.yaml @@ -0,0 +1,6 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: drop-all-capabilities +status: + ready: true diff --git a/best-practices/require-drop-all/.chainsaw-test/chainsaw-test.yaml b/best-practices/require-drop-all/.chainsaw-test/chainsaw-test.yaml index 8324d8345..7889190ca 100755 --- a/best-practices/require-drop-all/.chainsaw-test/chainsaw-test.yaml +++ b/best-practices/require-drop-all/.chainsaw-test/chainsaw-test.yaml @@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: 
@@ -8,18 +7,11 @@ spec: steps: - name: step-01 try: - - apply: - file: ../require-drop-all.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: drop-all-capabilities - spec: - validationFailureAction: Enforce + - script: + content: | + sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../require-drop-all.yaml | kubectl create -f - - assert: - file: policy-ready.yaml + file: chainsaw-step-01-assert-1.yaml - name: step-02 try: - apply: @@ -46,3 +38,10 @@ spec: - check: ($error != null): true file: bad-podcontrollers.yaml + - name: step-99 + try: + - delete: + ref: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: drop-all-capabilities diff --git a/best-practices/require-drop-all/.chainsaw-test/good-pod.yaml b/best-practices/require-drop-all/.chainsaw-test/good-pod.yaml index 1df2853c8..f7b1fd0e8 100644 --- a/best-practices/require-drop-all/.chainsaw-test/good-pod.yaml +++ b/best-practices/require-drop-all/.chainsaw-test/good-pod.yaml @@ -5,21 +5,21 @@ metadata: spec: initContainers: - name: init - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: - ALL containers: - name: add-capabilities - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: ["SYS_TIME"] drop: - ALL - name: add-capabilities-again - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: ["SYS_TIME"] diff --git a/best-practices/require-drop-all/.chainsaw-test/good-podcontrollers.yaml b/best-practices/require-drop-all/.chainsaw-test/good-podcontrollers.yaml index 004c50473..b1e546b0d 100644 --- a/best-practices/require-drop-all/.chainsaw-test/good-podcontrollers.yaml +++ b/best-practices/require-drop-all/.chainsaw-test/good-podcontrollers.yaml 
@@ -14,14 +14,14 @@ spec: spec: initContainers: - name: init - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: ["SYS_TIME"] drop: - ALL - name: init2 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: ["SYS_TIME"] @@ -29,14 +29,14 @@ spec: - ALL containers: - name: add-capabilities - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: ["SYS_TIME"] drop: - ALL - name: add-capabilities-again - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: ["SYS_TIME"] @@ -56,14 +56,14 @@ spec: restartPolicy: OnFailure initContainers: - name: init - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: ["SYS_TIME"] drop: - ALL - name: init2 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: ["SYS_TIME"] @@ -71,14 +71,14 @@ spec: - ALL containers: - name: add-capabilities - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: ["SYS_TIME"] drop: - ALL - name: add-capabilities-again - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: ["SYS_TIME"] diff --git a/best-practices/require-drop-all/.chainsaw-test/policy-ready.yaml b/best-practices/require-drop-all/.chainsaw-test/policy-ready.yaml deleted file mode 100755 index bfb8f0860..000000000 --- a/best-practices/require-drop-all/.chainsaw-test/policy-ready.yaml +++ /dev/null @@ -1,9 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: drop-all-capabilities -status: - conditions: - - reason: Succeeded - status: "True" - type: Ready diff --git a/best-practices/require-drop-all/artifacthub-pkg.yml b/best-practices/require-drop-all/artifacthub-pkg.yml index 7bbf226f9..de0bdd417 100644 
--- a/best-practices/require-drop-all/artifacthub-pkg.yml +++ b/best-practices/require-drop-all/artifacthub-pkg.yml @@ -18,4 +18,4 @@ readme: | annotations: kyverno/category: "Best Practices" kyverno/subject: "Pod" -digest: e7010854d187b66c99779c08de8587f481ed82d7d72092a1eedc5f38bd85cdd6 +digest: 739a18805e557ddf99ff76b5cda7e60e15ff4598491a8100407408a526b80674 diff --git a/best-practices/require-drop-all/require-drop-all.yaml b/best-practices/require-drop-all/require-drop-all.yaml index 1a8750ee5..3482ea858 100644 --- a/best-practices/require-drop-all/require-drop-all.yaml +++ b/best-practices/require-drop-all/require-drop-all.yaml @@ -15,7 +15,7 @@ metadata: ability. Note that this policy also illustrates how to cover drop entries in any case although this may not strictly conform to the Pod Security Standards. spec: - validationFailureAction: Audit + validationFailureAction: audit background: true rules: - name: require-drop-all diff --git a/best-practices/require-drop-cap-net-raw/.chainsaw-test/bad-pod-containers.yaml b/best-practices/require-drop-cap-net-raw/.chainsaw-test/bad-pod-containers.yaml index bc5d08148..980550826 100644 --- a/best-practices/require-drop-cap-net-raw/.chainsaw-test/bad-pod-containers.yaml +++ b/best-practices/require-drop-cap-net-raw/.chainsaw-test/bad-pod-containers.yaml @@ -5,14 +5,14 @@ metadata: spec: initContainers: - name: init - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: ["SYS_TIME"] drop: - CAP_NET_RAW - name: init2 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: ["SYS_TIME"] @@ -20,14 +20,14 @@ spec: - CAP_NET_RAW containers: - name: add-capabilities - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: ["SYS_TIME"] drop: - CAP_NET_RAW - name: add-capabilities-again - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod 
@@ -36,14 +36,14 @@ metadata: spec: initContainers: - name: init - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: ["SYS_TIME"] drop: - CAP_NET_RAW - name: init2 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: ["SYS_TIME"] @@ -51,9 +51,9 @@ spec: - CAP_NET_RAW containers: - name: add-capabilities-again - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: add-capabilities - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: ["SYS_TIME"] diff --git a/best-practices/require-drop-cap-net-raw/.chainsaw-test/bad-pod-corner.yaml b/best-practices/require-drop-cap-net-raw/.chainsaw-test/bad-pod-corner.yaml index 379fa07a8..0ea6ffb92 100644 --- a/best-practices/require-drop-cap-net-raw/.chainsaw-test/bad-pod-corner.yaml +++ b/best-practices/require-drop-cap-net-raw/.chainsaw-test/bad-pod-corner.yaml @@ -1,17 +1,17 @@ apiVersion: v1 kind: Pod metadata: - name: add-capabilities-bad-001 + name: add-capabilities-bad spec: containers: - name: add-capabilities - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: - CAP_NET_RAW - - name: add-capabilities-again - image: ghcr.io/kyverno/test-busybox:1.35 + - name: add-capabilities + image: busybox:1.35 securityContext: capabilities: drop: @@ -20,16 +20,16 @@ spec: apiVersion: v1 kind: Pod metadata: - name: add-capabilities-bad-002 + name: add-capabilities-bad spec: containers: - name: add-capabilities - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: ["SYS_TIME"] - - name: add-capabilities-again - image: ghcr.io/kyverno/test-busybox:1.35 + - name: add-capabilities + image: busybox:1.35 securityContext: capabilities: drop: 
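Review bot: The two Pod documents in require-drop-cap-net-raw's bad-pod-corner.yaml now share `metadata.name: add-capabilities-bad`, so if the policy ever fails to deny the first one, the second one's create fails with AlreadyExists and the negative check `($error != null): true` still passes, hiding the policy miss. Keep the distinct `add-capabilities-bad-001` / `add-capabilities-bad-002` names the previous side had, and likewise `add-capabilities-bad-1` / `add-capabilities-bad-2` in the bad-pod-initcontainers.yaml hunks that follow. The duplicate `- name: add-capabilities` container entries introduced in the same hunks are rejected by the API server's own validation and so mask the policy in the same way.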
@@ -42,10 +42,10 @@ metadata: spec: containers: - name: init - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: - CAP_NET_RAW - name: init-again - image: ghcr.io/kyverno/test-busybox:1.35 \ No newline at end of file + image: busybox:1.35 \ No newline at end of file diff --git a/best-practices/require-drop-cap-net-raw/.chainsaw-test/bad-pod-initcontainers.yaml b/best-practices/require-drop-cap-net-raw/.chainsaw-test/bad-pod-initcontainers.yaml index ae20fb8e5..dba8a40bf 100644 --- a/best-practices/require-drop-cap-net-raw/.chainsaw-test/bad-pod-initcontainers.yaml +++ b/best-practices/require-drop-cap-net-raw/.chainsaw-test/bad-pod-initcontainers.yaml @@ -1,21 +1,21 @@ apiVersion: v1 kind: Pod metadata: - name: add-capabilities-bad-1 + name: add-capabilities-bad spec: initContainers: - name: init - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: ["SYS_TIME"] drop: - CAP_NET_RAW - name: init2 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 containers: - name: add-capabilities - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: ["SYS_TIME"] @@ -25,13 +25,13 @@ spec: apiVersion: v1 kind: Pod metadata: - name: add-capabilities-bad-2 + name: add-capabilities-bad spec: initContainers: - name: init - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: init2 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: ["SYS_TIME"] @@ -39,7 +39,7 @@ spec: - CAP_NET_RAW containers: - name: add-capabilities - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: ["SYS_TIME"] diff --git a/best-practices/require-drop-cap-net-raw/.chainsaw-test/bad-podcontrollers.yaml b/best-practices/require-drop-cap-net-raw/.chainsaw-test/bad-podcontrollers.yaml index f54e57fb4..35a918b7e 100644 
--- a/best-practices/require-drop-cap-net-raw/.chainsaw-test/bad-podcontrollers.yaml +++ b/best-practices/require-drop-cap-net-raw/.chainsaw-test/bad-podcontrollers.yaml @@ -14,14 +14,14 @@ spec: spec: initContainers: - name: init - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: ["SYS_TIME"] drop: - CAP_NET_RAW - name: init2 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: ["SYS_TIME"] @@ -29,14 +29,14 @@ spec: - CAP_NET_RAW containers: - name: add-capabilities - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: ["SYS_TIME"] drop: - CAP_NET_RAW - name: add-capabilities-again - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: apps/v1 kind: Deployment @@ -54,24 +54,24 @@ spec: spec: initContainers: - name: init - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: ["SYS_TIME"] drop: - CAP_NET_RAW - name: init2 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 containers: - name: add-capabilities - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: ["SYS_TIME"] drop: - CAP_NET_RAW - name: add-capabilities-again - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: ["SYS_TIME"] 
@@ -91,24 +91,24 @@ spec: restartPolicy: OnFailure initContainers: - name: init - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: ["SYS_TIME"] drop: - CAP_NET_RAW - name: init2 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 containers: - name: add-capabilities - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: ["SYS_TIME"] drop: - CAP_NET_RAW - name: add-capabilities-again - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: ["SYS_TIME"] @@ -128,14 +128,14 @@ spec: restartPolicy: OnFailure initContainers: - name: init - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: ["SYS_TIME"] drop: - CAP_NET_RAW - name: init2 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: ["SYS_TIME"] @@ -143,11 +143,11 @@ spec: - CAP_NET_RAW containers: - name: add-capabilities - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: ["SYS_TIME"] drop: - CAP_NET_RAW - name: add-capabilities-again - image: ghcr.io/kyverno/test-busybox:1.35 \ No newline at end of file + image: busybox:1.35 \ No newline at end of file diff --git a/best-practices/require-drop-cap-net-raw/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/best-practices/require-drop-cap-net-raw/.chainsaw-test/chainsaw-step-01-assert-1.yaml new file mode 100755 index 000000000..03b0391c4 --- /dev/null +++ b/best-practices/require-drop-cap-net-raw/.chainsaw-test/chainsaw-step-01-assert-1.yaml @@ -0,0 +1,6 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: drop-cap-net-raw +status: + ready: true diff --git a/best-practices/require-drop-cap-net-raw/.chainsaw-test/chainsaw-test.yaml b/best-practices/require-drop-cap-net-raw/.chainsaw-test/chainsaw-test.yaml index b205c83c2..2557406c9 100755 
--- a/best-practices/require-drop-cap-net-raw/.chainsaw-test/chainsaw-test.yaml +++ b/best-practices/require-drop-cap-net-raw/.chainsaw-test/chainsaw-test.yaml @@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: @@ -8,18 +7,11 @@ spec: steps: - name: step-01 try: - - apply: - file: ../require-drop-cap-net-raw.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: drop-cap-net-raw - spec: - validationFailureAction: Enforce + - script: + content: | + sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../require-drop-cap-net-raw.yaml | kubectl create -f - - assert: - file: policy-ready.yaml + file: chainsaw-step-01-assert-1.yaml - name: step-02 try: - apply: @@ -46,3 +38,10 @@ spec: - check: ($error != null): true file: bad-podcontrollers.yaml + - name: step-99 + try: + - delete: + ref: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: drop-cap-net-raw diff --git a/best-practices/require-drop-cap-net-raw/.chainsaw-test/good-pod.yaml b/best-practices/require-drop-cap-net-raw/.chainsaw-test/good-pod.yaml index 45be727bd..effc2d403 100644 --- a/best-practices/require-drop-cap-net-raw/.chainsaw-test/good-pod.yaml +++ b/best-practices/require-drop-cap-net-raw/.chainsaw-test/good-pod.yaml @@ -5,20 +5,20 @@ metadata: spec: initContainers: - name: init - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: - CAP_NET_RAW containers: - name: add-capabilities - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: - CAP_NET_RAW - name: add-capabilities-again - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: 
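Review bot: In the `@@ -8,18 +7,11 @@` hunk of chainsaw-test.yaml the ClusterPolicy is now created by `kubectl create` inside a `script`, which, as far as I can tell, puts it outside chainsaw's own resource tracking, so the new `step-99` delete is the only thing removing an Enforce-mode cluster-wide policy — and as an ordinary step it is skipped whenever step-02 fails, leaving the policy active for every test that runs afterwards on the same cluster. Moving the `delete` into a `finally:` block on step-01 (or the step-level `cleanup` if the chainsaw version in use has it) makes removal unconditional. The `sed` pattern is also an exact, case-sensitive match on `validationFailureAction: audit`; it only works because the same commit lowercases the policy file, and a later `Audit` would silently leave the policy in audit mode, so `sed 's/validationFailureAction: [Aa]udit/validationFailureAction: Enforce/'` is the safer one-line form. The identical pattern appears in the chainsaw-test.yaml hunks for require-labels, require-pod-requests-limits, require-probes and require-ro-rootfs below.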
diff --git a/best-practices/require-drop-cap-net-raw/.chainsaw-test/good-podcontrollers.yaml b/best-practices/require-drop-cap-net-raw/.chainsaw-test/good-podcontrollers.yaml index e006f6734..8c0462d4f 100644 --- a/best-practices/require-drop-cap-net-raw/.chainsaw-test/good-podcontrollers.yaml +++ b/best-practices/require-drop-cap-net-raw/.chainsaw-test/good-podcontrollers.yaml @@ -14,14 +14,14 @@ spec: spec: initContainers: - name: init - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: ["SYS_TIME"] drop: - CAP_NET_RAW - name: init2 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: ["SYS_TIME"] @@ -29,14 +29,14 @@ spec: - CAP_NET_RAW containers: - name: add-capabilities - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: ["SYS_TIME"] drop: - CAP_NET_RAW - name: add-capabilities-again - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: ["SYS_TIME"] @@ -56,14 +56,14 @@ spec: restartPolicy: OnFailure initContainers: - name: init - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: ["SYS_TIME"] drop: - CAP_NET_RAW - name: init2 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: ["SYS_TIME"] @@ -71,14 +71,14 @@ spec: - CAP_NET_RAW containers: - name: add-capabilities - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: ["SYS_TIME"] drop: - CAP_NET_RAW - name: add-capabilities-again - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: ["SYS_TIME"] diff --git a/best-practices/require-drop-cap-net-raw/.chainsaw-test/policy-ready.yaml b/best-practices/require-drop-cap-net-raw/.chainsaw-test/policy-ready.yaml deleted file mode 100755 index ce4466741..000000000 
--- a/best-practices/require-drop-cap-net-raw/.chainsaw-test/policy-ready.yaml +++ /dev/null @@ -1,9 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: drop-cap-net-raw -status: - conditions: - - reason: Succeeded - status: "True" - type: Ready diff --git a/best-practices/require-drop-cap-net-raw/artifacthub-pkg.yml b/best-practices/require-drop-cap-net-raw/artifacthub-pkg.yml index 3057417f0..6c8c1695f 100644 --- a/best-practices/require-drop-cap-net-raw/artifacthub-pkg.yml +++ b/best-practices/require-drop-cap-net-raw/artifacthub-pkg.yml @@ -18,4 +18,4 @@ readme: | annotations: kyverno/category: "Best Practices" kyverno/subject: "Pod" -digest: 97e963f073e6324fa514015bc8fd8564b93fb7da6f8564fcf8a8fefc4c9da784 +digest: d7463ea035958a2bcf718a8a8120eae3053fdce67cd09135b3859a6ba5230106 diff --git a/best-practices/require-drop-cap-net-raw/require-drop-cap-net-raw.yaml b/best-practices/require-drop-cap-net-raw/require-drop-cap-net-raw.yaml index 68e92d525..0f1827211 100644 --- a/best-practices/require-drop-cap-net-raw/require-drop-cap-net-raw.yaml +++ b/best-practices/require-drop-cap-net-raw/require-drop-cap-net-raw.yaml @@ -16,7 +16,7 @@ metadata: ability. Note that this policy also illustrates how to cover drop entries in any case although this may not strictly conform to the Pod Security Standards. spec: - validationFailureAction: Audit + validationFailureAction: audit background: true rules: - name: require-drop-cap-net-raw diff --git a/best-practices/require-labels/.chainsaw-test/bad-pod-nolabel.yaml b/best-practices/require-labels/.chainsaw-test/bad-pod-nolabel.yaml index 868448919..b4c5a0097 100644 --- a/best-practices/require-labels/.chainsaw-test/bad-pod-nolabel.yaml +++ b/best-practices/require-labels/.chainsaw-test/bad-pod-nolabel.yaml @@ -5,4 +5,4 @@ metadata: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 \ No newline at end of file + image: busybox:1.35 \ No newline at end of file 
diff --git a/best-practices/require-labels/.chainsaw-test/bad-pod-somelabel.yaml b/best-practices/require-labels/.chainsaw-test/bad-pod-somelabel.yaml index 646280fd6..215d515a2 100644 --- a/best-practices/require-labels/.chainsaw-test/bad-pod-somelabel.yaml +++ b/best-practices/require-labels/.chainsaw-test/bad-pod-somelabel.yaml @@ -7,4 +7,4 @@ metadata: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 \ No newline at end of file + image: busybox:1.35 \ No newline at end of file diff --git a/best-practices/require-labels/.chainsaw-test/bad-podcontrollers.yaml b/best-practices/require-labels/.chainsaw-test/bad-podcontrollers.yaml index 9795d2fe0..a34a7a944 100644 --- a/best-practices/require-labels/.chainsaw-test/bad-podcontrollers.yaml +++ b/best-practices/require-labels/.chainsaw-test/bad-podcontrollers.yaml @@ -10,11 +10,11 @@ spec: template: metadata: labels: - app: app + foo: bar spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: batch/v1 kind: CronJob @@ -32,4 +32,4 @@ spec: restartPolicy: OnFailure containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 \ No newline at end of file + image: busybox:1.35 \ No newline at end of file diff --git a/best-practices/require-labels/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/best-practices/require-labels/.chainsaw-test/chainsaw-step-01-assert-1.yaml new file mode 100755 index 000000000..fa7e963f6 --- /dev/null +++ b/best-practices/require-labels/.chainsaw-test/chainsaw-step-01-assert-1.yaml @@ -0,0 +1,6 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: require-labels +status: + ready: true diff --git a/best-practices/require-labels/.chainsaw-test/chainsaw-test.yaml b/best-practices/require-labels/.chainsaw-test/chainsaw-test.yaml index 77d167c73..11ff1d3b0 100755 --- a/best-practices/require-labels/.chainsaw-test/chainsaw-test.yaml 
+++ b/best-practices/require-labels/.chainsaw-test/chainsaw-test.yaml @@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: @@ -8,18 +7,11 @@ spec: steps: - name: step-01 try: - - apply: - file: ../require-labels.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: require-labels - spec: - validationFailureAction: Enforce + - script: + content: | + sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../require-labels.yaml | kubectl create -f - - assert: - file: policy-ready.yaml + file: chainsaw-step-01-assert-1.yaml - name: step-02 try: - apply: @@ -41,3 +33,10 @@ spec: - check: ($error != null): true file: bad-podcontrollers.yaml + - name: step-99 + try: + - delete: + ref: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: require-labels diff --git a/best-practices/require-labels/.chainsaw-test/good-podcontrollers.yaml b/best-practices/require-labels/.chainsaw-test/good-podcontrollers.yaml index 0456d97fc..c341a2c38 100644 --- a/best-practices/require-labels/.chainsaw-test/good-podcontrollers.yaml +++ b/best-practices/require-labels/.chainsaw-test/good-podcontrollers.yaml @@ -16,7 +16,7 @@ spec: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: batch/v1 kind: CronJob @@ -35,4 +35,4 @@ spec: restartPolicy: OnFailure containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 \ No newline at end of file + image: busybox:1.35 \ No newline at end of file diff --git a/best-practices/require-labels/.chainsaw-test/good-pods.yaml b/best-practices/require-labels/.chainsaw-test/good-pods.yaml index 5dd3b49be..0df55f783 100644 --- a/best-practices/require-labels/.chainsaw-test/good-pods.yaml +++ b/best-practices/require-labels/.chainsaw-test/good-pods.yaml 
@@ -7,7 +7,7 @@ metadata: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod @@ -19,4 +19,4 @@ metadata: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 diff --git a/best-practices/require-labels/.chainsaw-test/policy-ready.yaml b/best-practices/require-labels/.chainsaw-test/policy-ready.yaml deleted file mode 100755 index b0bd73c54..000000000 --- a/best-practices/require-labels/.chainsaw-test/policy-ready.yaml +++ /dev/null @@ -1,9 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: require-labels -status: - conditions: - - reason: Succeeded - status: "True" - type: Ready diff --git a/best-practices/require-labels/artifacthub-pkg.yml b/best-practices/require-labels/artifacthub-pkg.yml index 5009eef6c..d6797dc30 100644 --- a/best-practices/require-labels/artifacthub-pkg.yml +++ b/best-practices/require-labels/artifacthub-pkg.yml @@ -18,4 +18,4 @@ readme: | annotations: kyverno/category: "Best Practices" kyverno/subject: "Pod, Label" -digest: f5dde85236dc3b3361c5ca9ee753dfc02b07e67e3e224cebf42f4b0f7a0b81d4 +digest: 79836f1230681e6c6738f1067bec25d5d3723058e9dda83d7d619283cba442c0 diff --git a/best-practices/require-labels/require-labels.yaml b/best-practices/require-labels/require-labels.yaml index 11b03c038..f5108615f 100644 --- a/best-practices/require-labels/require-labels.yaml +++ b/best-practices/require-labels/require-labels.yaml @@ -14,7 +14,7 @@ metadata: all tools can understand. The recommended labels describe applications in a way that can be queried. This policy validates that the label `app.kubernetes.io/name` is specified with some value. spec: - validationFailureAction: Audit + validationFailureAction: audit background: true rules: - name: check-for-labels 
diff --git a/best-practices/require-pod-requests-limits/.chainsaw-test/bad-pod-nolimit.yaml b/best-practices/require-pod-requests-limits/.chainsaw-test/bad-pod-nolimit.yaml
index fadcd22c9..14c25b95f 100644
--- a/best-practices/require-pod-requests-limits/.chainsaw-test/bad-pod-nolimit.yaml
+++ b/best-practices/require-pod-requests-limits/.chainsaw-test/bad-pod-nolimit.yaml
@@ -7,7 +7,7 @@ metadata:
spec:
containers:
- name: busybox
- image: ghcr.io/kyverno/test-busybox:1.35
+ image: busybox:1.35
resources:
requests:
memory: "256Mi"
diff --git a/best-practices/require-pod-requests-limits/.chainsaw-test/bad-pod-nores.yaml b/best-practices/require-pod-requests-limits/.chainsaw-test/bad-pod-nores.yaml
index 3023d227a..ba5b0176b 100644
--- a/best-practices/require-pod-requests-limits/.chainsaw-test/bad-pod-nores.yaml
+++ b/best-practices/require-pod-requests-limits/.chainsaw-test/bad-pod-nores.yaml
@@ -7,9 +7,9 @@ metadata:
spec:
containers:
- name: busybox
- image: ghcr.io/kyverno/test-busybox:1.35
+ image: busybox:1.35
- name: busybox-again
- image: ghcr.io/kyverno/test-busybox:1.35
+ image: busybox:1.35
resources:
requests:
memory: "256Mi"
@@ -26,7 +26,7 @@ metadata:
spec:
containers:
- name: busybox
- image: ghcr.io/kyverno/test-busybox:1.35
+ image: busybox:1.35
resources:
requests:
memory: "256Mi"
@@ -34,4 +34,4 @@ spec:
limits:
memory: "256Mi"
- name: busybox-again
- image: ghcr.io/kyverno/test-busybox:1.35
\ No newline at end of file
+ image: busybox:1.35
\ No newline at end of file
diff --git a/best-practices/require-pod-requests-limits/.chainsaw-test/bad-pod-nothing.yaml b/best-practices/require-pod-requests-limits/.chainsaw-test/bad-pod-nothing.yaml
index 99f09b303..d77973a49 100644
--- a/best-practices/require-pod-requests-limits/.chainsaw-test/bad-pod-nothing.yaml
+++ b/best-practices/require-pod-requests-limits/.chainsaw-test/bad-pod-nothing.yaml
@@ -8,4 +8,4 @@ metadata:
spec:
containers:
- name: busybox
- image: ghcr.io/kyverno/test-busybox:1.35
\ No newline at end of file
+ image: busybox:v1.35
\ No newline at end of file
diff --git a/best-practices/require-pod-requests-limits/.chainsaw-test/bad-podcontrollers.yaml b/best-practices/require-pod-requests-limits/.chainsaw-test/bad-podcontrollers.yaml
index f440451d2..9ca37c8aa 100644
--- a/best-practices/require-pod-requests-limits/.chainsaw-test/bad-podcontrollers.yaml
+++ b/best-practices/require-pod-requests-limits/.chainsaw-test/bad-podcontrollers.yaml
@@ -14,9 +14,9 @@ spec:
spec:
containers:
- name: busybox
- image: ghcr.io/kyverno/test-busybox
+ image: busybox
- name: busybox-again
- image: ghcr.io/kyverno/test-busybox
+ image: busybox
resources:
requests:
memory: "50Mi"
@@ -37,9 +37,9 @@ spec:
restartPolicy: OnFailure
containers:
- name: busybox
- image: ghcr.io/kyverno/test-busybox
+ image: busybox
- name: busybox-again
- image: ghcr.io/kyverno/test-busybox
+ image: busybox
resources:
requests:
memory: "50Mi"
diff --git a/best-practices/require-pod-requests-limits/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/best-practices/require-pod-requests-limits/.chainsaw-test/chainsaw-step-01-assert-1.yaml
new file mode 100755
index 000000000..b009150b5
--- /dev/null
+++ b/best-practices/require-pod-requests-limits/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -0,0 +1,6 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: require-requests-limits
+status:
+ ready: true
diff --git a/best-practices/require-pod-requests-limits/.chainsaw-test/chainsaw-test.yaml b/best-practices/require-pod-requests-limits/.chainsaw-test/chainsaw-test.yaml
index f274df775..fe68a44fe 100755
--- a/best-practices/require-pod-requests-limits/.chainsaw-test/chainsaw-test.yaml
+++ b/best-practices/require-pod-requests-limits/.chainsaw-test/chainsaw-test.yaml
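Review bot: The `@@ -8,4 +8,4 @@` hunk of require-pod-requests-limits/.chainsaw-test/bad-pod-nothing.yaml writes `image: busybox:v1.35` while every other fixture in this diff uses `busybox:1.35`; the `v`-prefixed tag does not match the convention used elsewhere and is likely a typo. It goes unnoticed only because this is a "bad" Pod that admission is expected to reject before any image is pulled, which makes the fixture misleading for anyone reusing it. Change the line to `image: busybox:1.35`.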
@@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: @@ -8,18 +7,11 @@ spec: steps: - name: step-01 try: - - apply: - file: ../require-pod-requests-limits.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: require-requests-limits - spec: - validationFailureAction: Enforce + - script: + content: | + sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../require-pod-requests-limits.yaml | kubectl create -f - - assert: - file: policy-ready.yaml + file: chainsaw-step-01-assert-1.yaml - name: step-02 try: - apply: @@ -46,3 +38,10 @@ spec: - check: ($error != null): true file: bad-podcontrollers.yaml + - name: step-99 + try: + - delete: + ref: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: require-requests-limits diff --git a/best-practices/require-pod-requests-limits/.chainsaw-test/good-podcontrollers.yaml b/best-practices/require-pod-requests-limits/.chainsaw-test/good-podcontrollers.yaml index 015b89d27..3afe5ff2d 100644 --- a/best-practices/require-pod-requests-limits/.chainsaw-test/good-podcontrollers.yaml +++ b/best-practices/require-pod-requests-limits/.chainsaw-test/good-podcontrollers.yaml @@ -14,7 +14,7 @@ spec: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox + image: busybox resources: requests: memory: "50Mi" @@ -22,7 +22,7 @@ spec: limits: memory: "100Mi" - name: busybox-again - image: ghcr.io/kyverno/test-busybox + image: busybox resources: requests: memory: "50Mi" @@ -43,7 +43,7 @@ spec: restartPolicy: OnFailure containers: - name: busybox - image: ghcr.io/kyverno/test-busybox + image: busybox resources: requests: memory: "50Mi" @@ -51,7 +51,7 @@ spec: limits: memory: "100Mi" - name: busybox-again - image: ghcr.io/kyverno/test-busybox + image: busybox resources: requests: memory: "50Mi" 
diff --git a/best-practices/require-pod-requests-limits/.chainsaw-test/good-pods.yaml b/best-practices/require-pod-requests-limits/.chainsaw-test/good-pods.yaml
index e1e2b4aad..109162bdd 100644
--- a/best-practices/require-pod-requests-limits/.chainsaw-test/good-pods.yaml
+++ b/best-practices/require-pod-requests-limits/.chainsaw-test/good-pods.yaml
@@ -7,7 +7,7 @@ metadata:
spec:
containers:
- name: busybox
- image: ghcr.io/kyverno/test-busybox
+ image: busybox
resources:
requests:
memory: "50Mi"
@@ -24,7 +24,7 @@ metadata:
spec:
containers:
- name: busybox
- image: ghcr.io/kyverno/test-busybox
+ image: busybox
resources:
requests:
memory: "50Mi"
@@ -32,7 +32,7 @@ spec:
limits:
memory: "100Mi"
- name: busybox-again
- image: ghcr.io/kyverno/test-busybox
+ image: busybox
resources:
requests:
memory: "50Mi"
diff --git a/best-practices/require-pod-requests-limits/.chainsaw-test/policy-ready.yaml b/best-practices/require-pod-requests-limits/.chainsaw-test/policy-ready.yaml
deleted file mode 100755
index f6710ff99..000000000
--- a/best-practices/require-pod-requests-limits/.chainsaw-test/policy-ready.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
- name: require-requests-limits
-status:
- conditions:
- - reason: Succeeded
- status: "True"
- type: Ready
diff --git a/best-practices/require-pod-requests-limits/artifacthub-pkg.yml b/best-practices/require-pod-requests-limits/artifacthub-pkg.yml
index c09dc9d67..d5dec6926 100644
--- a/best-practices/require-pod-requests-limits/artifacthub-pkg.yml
+++ b/best-practices/require-pod-requests-limits/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ readme: |
annotations:
kyverno/category: "Best Practices, EKS Best Practices"
kyverno/subject: "Pod"
-digest: bc2fa8b9aed1893274a8bc60abd34fdbe5fbc25d032b7be74214cc1496b77ce1
+digest: 6fba669ac94197333cb28249ab01deb6461cc6f909645b721fe66bef78d674ec
diff --git a/best-practices/require-pod-requests-limits/require-pod-requests-limits.yaml b/best-practices/require-pod-requests-limits/require-pod-requests-limits.yaml index b36c4b8de..652e46f85 100644 --- a/best-practices/require-pod-requests-limits/require-pod-requests-limits.yaml +++ b/best-practices/require-pod-requests-limits/require-pod-requests-limits.yaml @@ -16,7 +16,7 @@ metadata: This policy validates that all containers have something specified for memory and CPU requests and memory limits. spec: - validationFailureAction: Audit + validationFailureAction: audit background: true rules: - name: validate-resources @@ -26,24 +26,10 @@ spec: kinds: - Pod validate: - message: "CPU and memory resource requests and memory limits are required for containers." + message: "CPU and memory resource requests and limits are required." pattern: spec: containers: - - resources: - requests: - memory: "?*" - cpu: "?*" - limits: - memory: "?*" - =(initContainers): - - resources: - requests: - memory: "?*" - cpu: "?*" - limits: - memory: "?*" - =(ephemeralContainers): - resources: requests: memory: "?*" diff --git a/best-practices/require-probes/.chainsaw-test/bad-pod-notall.yaml b/best-practices/require-probes/.chainsaw-test/bad-pod-notall.yaml index c09016963..469ce4446 100644 --- a/best-practices/require-probes/.chainsaw-test/bad-pod-notall.yaml +++ b/best-practices/require-probes/.chainsaw-test/bad-pod-notall.yaml @@ -7,15 +7,15 @@ metadata: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - containerPort: 8080 readinessProbe: tcpSocket: port: 8080 periodSeconds: 10 - - name: busybox-again - image: ghcr.io/kyverno/test-busybox:1.35 + - name: busybox + image: busybox:1.35 --- apiVersion: v1 kind: Pod 
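Review bot: The `@@ -26,24 +26,10 @@` hunk of require-pod-requests-limits.yaml deletes the `=(initContainers):` and `=(ephemeralContainers):` entries from the validate pattern, so after this change a Pod whose init or ephemeral containers declare no requests or limits passes the policy; nothing in the hunk explains the narrowing, and the policy description above the hunk still speaks of "all containers". If the narrowing is unintended, the two removed entries should be restored; if it is intended, the description should be updated to match. The new message `"CPU and memory resource requests and limits are required."` also overstates what is checked: the removed per-container pattern required `requests.memory`, `requests.cpu` and `limits.memory` only (no CPU limit), and the retained block below the hunk presumably matches it, so the old wording `"CPU and memory resource requests and memory limits are required for containers."` was the accurate one.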
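Review bot: In the `@@ -7,15 +7,15 @@` hunk of require-probes/.chainsaw-test/bad-pod-notall.yaml the second container is renamed from `busybox-again` to `busybox`, so the Pod now has two containers with the same name; the API server's own field validation rejects duplicate `spec.containers[*].name` before validating admission webhooks run, so the rejection the test expects happens without Kyverno ever evaluating the probes rule. Keep the distinct name, `- name: busybox-again`, so that the missing probe is the only reason the Pod is refused. The same rename is made in the next hunk of this file and in both hunks of require-ro-rootfs/.chainsaw-test/bad-pod-notall.yaml further down.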
@@ -26,9 +26,9 @@ metadata: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 - - name: busybox-again - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 + - name: busybox + image: busybox:1.35 ports: - containerPort: 8080 readinessProbe: diff --git a/best-practices/require-probes/.chainsaw-test/bad-pod-nothing.yaml b/best-practices/require-probes/.chainsaw-test/bad-pod-nothing.yaml index 37bbc995c..d55f6705c 100644 --- a/best-practices/require-probes/.chainsaw-test/bad-pod-nothing.yaml +++ b/best-practices/require-probes/.chainsaw-test/bad-pod-nothing.yaml @@ -7,4 +7,4 @@ metadata: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 \ No newline at end of file + image: busybox:1.35 \ No newline at end of file diff --git a/best-practices/require-probes/.chainsaw-test/bad-pod-update.yaml b/best-practices/require-probes/.chainsaw-test/bad-pod-update.yaml new file mode 100644 index 000000000..3e46d32cc --- /dev/null +++ b/best-practices/require-probes/.chainsaw-test/bad-pod-update.yaml @@ -0,0 +1,10 @@ +apiVersion: v1 +kind: Pod +metadata: + name: goodpod01 + labels: + app: myapp +spec: + containers: + - name: evil-box + image: busybox:1.35 \ No newline at end of file diff --git a/best-practices/require-probes/.chainsaw-test/bad-podcontrollers.yaml b/best-practices/require-probes/.chainsaw-test/bad-podcontrollers.yaml index 508a55026..cae8ec656 100644 --- a/best-practices/require-probes/.chainsaw-test/bad-podcontrollers.yaml +++ b/best-practices/require-probes/.chainsaw-test/bad-podcontrollers.yaml @@ -14,10 +14,10 @@ spec: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 livenessProbe: tcpSocket: port: 7070 periodSeconds: 20 - name: busybox-again - image: ghcr.io/kyverno/test-busybox:1.35 \ No newline at end of file + image: busybox:1.35 \ No newline at end of file 
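Review bot: The new file require-probes/.chainsaw-test/bad-pod-update.yaml reuses the Pod name `goodpod01` but gives it a different container name, `evil-box`; if goodpod01 already exists when step-03 applies this file (good-pods.yaml is applied in step-02, its contents are not visible here), Pod update validation in the API server rejects any change to `spec.containers` other than the image before Kyverno's validating webhook is consulted, so the `($error != null)` expectation is met regardless of the policy. A Pod therefore cannot meaningfully exercise this rule on UPDATE; updating a Deployment's pod template to drop its probes would test the UPDATE path for real. If the fixture stays, a comment such as `# intentionally collides with goodpod01 from good-pods.yaml` would at least document the dependency on step ordering.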
diff --git a/best-practices/require-probes/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/best-practices/require-probes/.chainsaw-test/chainsaw-step-01-assert-1.yaml new file mode 100755 index 000000000..a6dc7d083 --- /dev/null +++ b/best-practices/require-probes/.chainsaw-test/chainsaw-step-01-assert-1.yaml @@ -0,0 +1,6 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: require-pod-probes +status: + ready: true diff --git a/best-practices/require-probes/.chainsaw-test/chainsaw-test.yaml b/best-practices/require-probes/.chainsaw-test/chainsaw-test.yaml index 7a5fba016..c874e3caa 100755 --- a/best-practices/require-probes/.chainsaw-test/chainsaw-test.yaml +++ b/best-practices/require-probes/.chainsaw-test/chainsaw-test.yaml @@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: @@ -8,18 +7,11 @@ spec: steps: - name: step-01 try: - - apply: - file: ../require-probes.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: require-pod-probes - spec: - validationFailureAction: Enforce + - script: + content: | + sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../require-probes.yaml | kubectl create -f - - assert: - file: policy-ready.yaml + file: chainsaw-step-01-assert-1.yaml - name: step-02 try: - apply: @@ -41,4 +33,17 @@ spec: - check: ($error != null): true file: bad-podcontrollers.yaml - + - name: step-03 + try: + - apply: + expect: + - check: + ($error != null): true + file: bad-pod-update.yaml + - name: step-99 + try: + - delete: + ref: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: require-pod-probes diff --git a/best-practices/require-probes/.chainsaw-test/good-podcontrollers.yaml b/best-practices/require-probes/.chainsaw-test/good-podcontrollers.yaml index 58ba591d2..04fca84f9 100644 
--- a/best-practices/require-probes/.chainsaw-test/good-podcontrollers.yaml +++ b/best-practices/require-probes/.chainsaw-test/good-podcontrollers.yaml @@ -14,13 +14,13 @@ spec: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 livenessProbe: tcpSocket: port: 7070 periodSeconds: 20 - name: busybox-again - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 readinessProbe: tcpSocket: port: 8080 diff --git a/best-practices/require-probes/.chainsaw-test/good-pods.yaml b/best-practices/require-probes/.chainsaw-test/good-pods.yaml index 3dc949bce..c49a7839a 100644 --- a/best-practices/require-probes/.chainsaw-test/good-pods.yaml +++ b/best-practices/require-probes/.chainsaw-test/good-pods.yaml @@ -7,7 +7,7 @@ metadata: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 livenessProbe: tcpSocket: port: 7070 @@ -22,13 +22,13 @@ metadata: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 livenessProbe: tcpSocket: port: 7070 periodSeconds: 20 - name: busybox-again - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 readinessProbe: tcpSocket: port: 8080 @@ -43,7 +43,7 @@ metadata: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 startupProbe: grpc: port: 8888 \ No newline at end of file diff --git a/best-practices/require-probes/.chainsaw-test/policy-ready.yaml b/best-practices/require-probes/.chainsaw-test/policy-ready.yaml deleted file mode 100755 index c93bde46e..000000000 --- a/best-practices/require-probes/.chainsaw-test/policy-ready.yaml +++ /dev/null @@ -1,9 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: require-pod-probes -status: - conditions: - - reason: Succeeded - status: "True" - type: Ready 
diff --git a/best-practices/require-probes/artifacthub-pkg.yml b/best-practices/require-probes/artifacthub-pkg.yml index 7bb2982d4..c3b224d6d 100644 --- a/best-practices/require-probes/artifacthub-pkg.yml +++ b/best-practices/require-probes/artifacthub-pkg.yml @@ -19,4 +19,4 @@ readme: | annotations: kyverno/category: "Best Practices, EKS Best Practices" kyverno/subject: "Pod" -digest: d05fc4fc2ae4a7827c91eff5b55076ee4d4f7cd92bb19fd5d6e579f55b4e2ea5 +digest: 8160370e07d5daa9a9ff342cc1c923015cadd3101e837f47af6fe2361e69993a diff --git a/best-practices/require-probes/require-probes.yaml b/best-practices/require-probes/require-probes.yaml index b79b64003..ac3036c25 100644 --- a/best-practices/require-probes/require-probes.yaml +++ b/best-practices/require-probes/require-probes.yaml @@ -17,7 +17,7 @@ metadata: This policy validates that all containers have one of livenessProbe, readinessProbe, or startupProbe defined. spec: - validationFailureAction: Audit + validationFailureAction: audit background: true rules: - name: validate-probes diff --git a/best-practices/require-ro-rootfs/.chainsaw-test/bad-pod-false.yaml b/best-practices/require-ro-rootfs/.chainsaw-test/bad-pod-false.yaml index 0c76d4e3f..993ccd1f3 100644 --- a/best-practices/require-ro-rootfs/.chainsaw-test/bad-pod-false.yaml +++ b/best-practices/require-ro-rootfs/.chainsaw-test/bad-pod-false.yaml @@ -5,6 +5,6 @@ metadata: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: readOnlyRootFilesystem: false \ No newline at end of file diff --git a/best-practices/require-ro-rootfs/.chainsaw-test/bad-pod-notall.yaml b/best-practices/require-ro-rootfs/.chainsaw-test/bad-pod-notall.yaml index eef1dbb8e..f04c93285 100644 --- a/best-practices/require-ro-rootfs/.chainsaw-test/bad-pod-notall.yaml +++ b/best-practices/require-ro-rootfs/.chainsaw-test/bad-pod-notall.yaml 
@@ -5,9 +5,9 @@ metadata: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 - - name: busybox-again - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 + - name: busybox + image: busybox:1.35 securityContext: readOnlyRootFilesystem: true --- @@ -18,8 +18,8 @@ metadata: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: readOnlyRootFilesystem: true - - name: busybox-again - image: ghcr.io/kyverno/test-busybox:1.35 \ No newline at end of file + - name: busybox + image: busybox:1.35 \ No newline at end of file diff --git a/best-practices/require-ro-rootfs/.chainsaw-test/bad-pod-nothing.yaml b/best-practices/require-ro-rootfs/.chainsaw-test/bad-pod-nothing.yaml index 8373d44b6..faff7f3d0 100644 --- a/best-practices/require-ro-rootfs/.chainsaw-test/bad-pod-nothing.yaml +++ b/best-practices/require-ro-rootfs/.chainsaw-test/bad-pod-nothing.yaml @@ -5,4 +5,4 @@ metadata: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 \ No newline at end of file + image: busybox:1.35 \ No newline at end of file diff --git a/best-practices/require-ro-rootfs/.chainsaw-test/bad-podcontrollers.yaml b/best-practices/require-ro-rootfs/.chainsaw-test/bad-podcontrollers.yaml index 4f6b3cbcc..b2f168d04 100644 --- a/best-practices/require-ro-rootfs/.chainsaw-test/bad-podcontrollers.yaml +++ b/best-practices/require-ro-rootfs/.chainsaw-test/bad-podcontrollers.yaml @@ -10,13 +10,13 @@ spec: template: metadata: labels: - app: app + foo: bar spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: busybox-again - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: readOnlyRootFilesystem: true --- 
@@ -33,8 +33,8 @@ spec: restartPolicy: OnFailure containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: busybox-again - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: readOnlyRootFilesystem: true \ No newline at end of file diff --git a/best-practices/require-ro-rootfs/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/best-practices/require-ro-rootfs/.chainsaw-test/chainsaw-step-01-assert-1.yaml new file mode 100755 index 000000000..072aa7a74 --- /dev/null +++ b/best-practices/require-ro-rootfs/.chainsaw-test/chainsaw-step-01-assert-1.yaml @@ -0,0 +1,6 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: require-ro-rootfs +status: + ready: true diff --git a/best-practices/require-ro-rootfs/.chainsaw-test/chainsaw-test.yaml b/best-practices/require-ro-rootfs/.chainsaw-test/chainsaw-test.yaml index 2ffe3e63d..dd5aa7b4d 100755 --- a/best-practices/require-ro-rootfs/.chainsaw-test/chainsaw-test.yaml +++ b/best-practices/require-ro-rootfs/.chainsaw-test/chainsaw-test.yaml @@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: @@ -8,18 +7,11 @@ spec: steps: - name: step-01 try: - - apply: - file: ../require-ro-rootfs.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: require-ro-rootfs - spec: - validationFailureAction: Enforce + - script: + content: | + sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../require-ro-rootfs.yaml | kubectl create -f - - assert: - file: policy-ready.yaml + file: chainsaw-step-01-assert-1.yaml - name: step-02 try: - apply: @@ -46,3 +38,10 @@ spec: - check: ($error != null): true file: bad-podcontrollers.yaml + - name: step-99 + try: + - delete: + ref: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: require-ro-rootfs 
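Review bot: The `script` step replaces a structured `patch` with a textual `sed` over the policy file, and nothing checks that the substitution matched: if the spelling in require-ro-rootfs.yaml drifts (for example back to `Audit`), the policy is created in audit mode, the pipeline still exits 0, and step-02's `($error != null): true` expectations fail with no hint as to why. Adding `spec:` / `  validationFailureAction: Enforce` to chainsaw-step-01-assert-1.yaml would pin the mode the test depends on, and `set -o pipefail` at the top of the script would surface a sed failure instead of reporting only kubectl's exit code. Note too that the `delete` in step-99 only runs when step-02 succeeds, so a failing run leaves the enforcing ClusterPolicy on the cluster; a per-step `cleanup` on step-01, if the chainsaw version in use supports it, would remove it regardless. The same pattern is in the chainsaw-test.yaml hunks for restrict-image-registries, restrict-node-port, restrict-service-external-ips, limit-dnsnames, limit-duration and restrict-issuer.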
diff --git a/best-practices/require-ro-rootfs/.chainsaw-test/good-podcontrollers.yaml b/best-practices/require-ro-rootfs/.chainsaw-test/good-podcontrollers.yaml index 9568d71ec..70a8355c4 100644 --- a/best-practices/require-ro-rootfs/.chainsaw-test/good-podcontrollers.yaml +++ b/best-practices/require-ro-rootfs/.chainsaw-test/good-podcontrollers.yaml @@ -14,11 +14,11 @@ spec: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: readOnlyRootFilesystem: true - name: busybox-again - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: readOnlyRootFilesystem: true --- @@ -35,10 +35,10 @@ spec: restartPolicy: OnFailure containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: readOnlyRootFilesystem: true - name: busybox-again - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: readOnlyRootFilesystem: true \ No newline at end of file diff --git a/best-practices/require-ro-rootfs/.chainsaw-test/good-pods.yaml b/best-practices/require-ro-rootfs/.chainsaw-test/good-pods.yaml index 2e472fd4c..7374c2e9d 100644 --- a/best-practices/require-ro-rootfs/.chainsaw-test/good-pods.yaml +++ b/best-practices/require-ro-rootfs/.chainsaw-test/good-pods.yaml @@ -5,7 +5,7 @@ metadata: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: readOnlyRootFilesystem: true --- @@ -16,10 +16,10 @@ metadata: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: readOnlyRootFilesystem: true - name: busybox-again - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: readOnlyRootFilesystem: true 
diff --git a/best-practices/require-ro-rootfs/.chainsaw-test/policy-ready.yaml b/best-practices/require-ro-rootfs/.chainsaw-test/policy-ready.yaml deleted file mode 100755 index 0e1123025..000000000 --- a/best-practices/require-ro-rootfs/.chainsaw-test/policy-ready.yaml +++ /dev/null @@ -1,9 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: require-ro-rootfs -status: - conditions: - - reason: Succeeded - status: "True" - type: Ready diff --git a/best-practices/require-ro-rootfs/artifacthub-pkg.yml b/best-practices/require-ro-rootfs/artifacthub-pkg.yml index 6281a4204..753894818 100644 --- a/best-practices/require-ro-rootfs/artifacthub-pkg.yml +++ b/best-practices/require-ro-rootfs/artifacthub-pkg.yml @@ -19,4 +19,4 @@ readme: | annotations: kyverno/category: "Best Practices, EKS Best Practices" kyverno/subject: "Pod" -digest: a255760512816ecfdf5f50ef3381990dc9bd9b604bbf360ef8fcdb3c68f0d9df +digest: 27b193124b332e64884209f20617f5b5d2c3fc41b9a33265e971ec807b14ae14 diff --git a/best-practices/require-ro-rootfs/require-ro-rootfs.yaml b/best-practices/require-ro-rootfs/require-ro-rootfs.yaml index 099ee450f..4ababccd8 100644 --- a/best-practices/require-ro-rootfs/require-ro-rootfs.yaml +++ b/best-practices/require-ro-rootfs/require-ro-rootfs.yaml @@ -15,7 +15,7 @@ metadata: host system. This policy validates that containers define a securityContext with `readOnlyRootFilesystem: true`. spec: - validationFailureAction: Audit + validationFailureAction: audit background: true rules: - name: validate-readOnlyRootFilesystem diff --git a/best-practices/restrict-image-registries/.chainsaw-test/bad-pod-noregistry.yaml b/best-practices/restrict-image-registries/.chainsaw-test/bad-pod-noregistry.yaml index e7ffb49b4..8a09ffeaf 100644 --- a/best-practices/restrict-image-registries/.chainsaw-test/bad-pod-noregistry.yaml +++ b/best-practices/restrict-image-registries/.chainsaw-test/bad-pod-noregistry.yaml 
@@ -5,4 +5,4 @@ metadata: spec: containers: - name: k8s-nginx - image: ghcr.io/kyverno/test-nginx \ No newline at end of file + image: nginx \ No newline at end of file diff --git a/best-practices/restrict-image-registries/.chainsaw-test/bad-podcontrollers.yaml b/best-practices/restrict-image-registries/.chainsaw-test/bad-podcontrollers.yaml index fde75f33a..c85b49f08 100644 --- a/best-practices/restrict-image-registries/.chainsaw-test/bad-podcontrollers.yaml +++ b/best-practices/restrict-image-registries/.chainsaw-test/bad-podcontrollers.yaml @@ -10,16 +10,16 @@ spec: template: metadata: labels: - app: app + foo: bar spec: initContainers: - name: k8s-nginx-init image: bar.io/nginx - name: busybox-init - image: ghcr.io/kyverno/test-busybox + image: busybox containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: k8s-nginx image: bar.io/nginx --- @@ -35,7 +35,7 @@ spec: template: metadata: labels: - app: app + foo: bar spec: initContainers: - name: k8s-nginx-init @@ -46,7 +46,7 @@ spec: - name: k8s-nginx image: bar.io/nginx - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: apps/v1 kind: Deployment @@ -60,13 +60,13 @@ spec: template: metadata: labels: - app: app + foo: bar spec: initContainers: - name: k8s-nginx-init image: bar.io/nginx - name: busybox-init - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 containers: - name: k8s-nginx image: bar.io/nginx @@ -88,10 +88,10 @@ spec: - name: k8s-nginx-init image: bar.io/nginx - name: busybox-init - image: ghcr.io/kyverno/test-busybox + image: busybox containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: k8s-nginx image: bar.io/nginx --- @@ -115,7 +115,7 @@ spec: - name: k8s-nginx image: bar.io/nginx - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: batch/v1 kind: CronJob 
@@ -132,7 +132,7 @@ spec: - name: k8s-nginx-init image: bar.io/nginx - name: busybox-init - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 containers: - name: k8s-nginx image: bar.io/nginx diff --git a/best-practices/restrict-image-registries/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/best-practices/restrict-image-registries/.chainsaw-test/chainsaw-step-01-assert-1.yaml new file mode 100755 index 000000000..579108a78 --- /dev/null +++ b/best-practices/restrict-image-registries/.chainsaw-test/chainsaw-step-01-assert-1.yaml @@ -0,0 +1,6 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: restrict-image-registries +status: + ready: true diff --git a/best-practices/restrict-image-registries/.chainsaw-test/chainsaw-test.yaml b/best-practices/restrict-image-registries/.chainsaw-test/chainsaw-test.yaml index ca38e8f03..d1a02fbb4 100755 --- a/best-practices/restrict-image-registries/.chainsaw-test/chainsaw-test.yaml +++ b/best-practices/restrict-image-registries/.chainsaw-test/chainsaw-test.yaml @@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: @@ -8,18 +7,11 @@ spec: steps: - name: step-01 try: - - apply: - file: ../restrict-image-registries.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: restrict-image-registries - spec: - validationFailureAction: Enforce + - script: + content: | + sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../restrict-image-registries.yaml | kubectl create -f - - assert: - file: policy-ready.yaml + file: chainsaw-step-01-assert-1.yaml - name: step-02 try: - apply: 
@@ -53,9 +45,40 @@ spec: -n ir-pods-namespace; then exit 1; else exit 0; fi; - name: step-98 try: - - script: - content: kubectl delete deployments --all --force --grace-period=0 -n ir-pods-namespace - - script: - content: kubectl delete pods --all --force --grace-period=0 -n ir-pods-namespace - - script: - content: kubectl delete cronjobs --all --force --grace-period=0 -n ir-pods-namespace + - command: + args: + - delete + - deployments + - --all + - --force + - --grace-period=0 + - -n + - ir-pods-namespace + entrypoint: kubectl + - command: + args: + - delete + - pods + - --all + - --force + - --grace-period=0 + - -n + - ir-pods-namespace + entrypoint: kubectl + - command: + args: + - delete + - cronjobs + - --all + - --force + - --grace-period=0 + - -n + - ir-pods-namespace + entrypoint: kubectl + - name: step-99 + try: + - delete: + ref: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: restrict-image-registries diff --git a/best-practices/restrict-image-registries/.chainsaw-test/policy-ready.yaml b/best-practices/restrict-image-registries/.chainsaw-test/policy-ready.yaml deleted file mode 100755 index 5bb42adbe..000000000 --- a/best-practices/restrict-image-registries/.chainsaw-test/policy-ready.yaml +++ /dev/null @@ -1,9 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: restrict-image-registries -status: - conditions: - - reason: Succeeded - status: "True" - type: Ready diff --git a/best-practices/restrict-image-registries/artifacthub-pkg.yml b/best-practices/restrict-image-registries/artifacthub-pkg.yml index 6b91bf19b..d1b0117fe 100644 --- a/best-practices/restrict-image-registries/artifacthub-pkg.yml +++ b/best-practices/restrict-image-registries/artifacthub-pkg.yml 
@@ -19,4 +19,4 @@ readme: | annotations: kyverno/category: "Best Practices, EKS Best Practices" kyverno/subject: "Pod" -digest: 09f0bae36973d59c6f234bdddd0e66bf4dc83ea2cf3c72a69f925dee7c20e036 +digest: 59d0b33549e706cca0bf26d1da1e190cf8d9d7f93d310f3f8bd3d70475e53a59 diff --git a/best-practices/restrict-image-registries/restrict-image-registries.yaml b/best-practices/restrict-image-registries/restrict-image-registries.yaml index db32beb68..aaf442815 100644 --- a/best-practices/restrict-image-registries/restrict-image-registries.yaml +++ b/best-practices/restrict-image-registries/restrict-image-registries.yaml @@ -16,7 +16,7 @@ metadata: policy validates that container images only originate from the registry `eu.foo.io` or `bar.io`. Use of this policy requires customization to define your allowable registries. spec: - validationFailureAction: Audit + validationFailureAction: audit background: true rules: - name: validate-registries diff --git a/best-practices/restrict-node-port/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/best-practices/restrict-node-port/.chainsaw-test/chainsaw-step-01-assert-1.yaml new file mode 100755 index 000000000..4dd4e0f7f --- /dev/null +++ b/best-practices/restrict-node-port/.chainsaw-test/chainsaw-step-01-assert-1.yaml @@ -0,0 +1,6 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: restrict-nodeport +status: + ready: true diff --git a/best-practices/restrict-node-port/.chainsaw-test/chainsaw-test.yaml b/best-practices/restrict-node-port/.chainsaw-test/chainsaw-test.yaml index fdc4b09c3..e40465b02 100755 --- a/best-practices/restrict-node-port/.chainsaw-test/chainsaw-test.yaml +++ b/best-practices/restrict-node-port/.chainsaw-test/chainsaw-test.yaml @@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: 
@@ -8,18 +7,11 @@ spec: steps: - name: step-01 try: - - apply: - file: ../restrict-node-port.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: restrict-nodeport - spec: - validationFailureAction: Enforce + - script: + content: | + sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../restrict-node-port.yaml | kubectl create -f - - assert: - file: policy-ready.yaml + file: chainsaw-step-01-assert-1.yaml - name: step-02 try: - apply: @@ -29,3 +21,10 @@ spec: - check: ($error != null): true file: bad-service-nodeport.yaml + - name: step-99 + try: + - delete: + ref: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: restrict-nodeport diff --git a/best-practices/restrict-node-port/.chainsaw-test/policy-ready.yaml b/best-practices/restrict-node-port/.chainsaw-test/policy-ready.yaml deleted file mode 100755 index d6c481fb7..000000000 --- a/best-practices/restrict-node-port/.chainsaw-test/policy-ready.yaml +++ /dev/null @@ -1,9 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: restrict-nodeport -status: - conditions: - - reason: Succeeded - status: "True" - type: Ready diff --git a/best-practices/restrict-node-port/artifacthub-pkg.yml b/best-practices/restrict-node-port/artifacthub-pkg.yml index edf0d7536..4d8c3b06c 100644 --- a/best-practices/restrict-node-port/artifacthub-pkg.yml +++ b/best-practices/restrict-node-port/artifacthub-pkg.yml @@ -18,4 +18,4 @@ readme: | annotations: kyverno/category: "Best Practices" kyverno/subject: "Service" -digest: fb96c73e7ddc6d9001b01945c3d94f8e7a9ac30c03b64e10603bc31579f92e81 +digest: 4fdce61d73a7f5d09a4075fa6ea9e3ae6398bd61bff57e89cd8b40e0129a7375 diff --git a/best-practices/restrict-node-port/restrict-node-port.yaml b/best-practices/restrict-node-port/restrict-node-port.yaml index 7fad2977b..5c5cfdb21 100644 --- a/best-practices/restrict-node-port/restrict-node-port.yaml 
+++ b/best-practices/restrict-node-port/restrict-node-port.yaml @@ -15,7 +15,7 @@ metadata: with additional upstream security checks. This policy validates that any new Services do not use the `NodePort` type. spec: - validationFailureAction: Audit + validationFailureAction: audit background: true rules: - name: validate-nodeport diff --git a/best-practices/restrict-service-external-ips/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/best-practices/restrict-service-external-ips/.chainsaw-test/chainsaw-step-01-assert-1.yaml new file mode 100755 index 000000000..b6103cad3 --- /dev/null +++ b/best-practices/restrict-service-external-ips/.chainsaw-test/chainsaw-step-01-assert-1.yaml @@ -0,0 +1,6 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: restrict-external-ips +status: + ready: true diff --git a/best-practices/restrict-service-external-ips/.chainsaw-test/chainsaw-test.yaml b/best-practices/restrict-service-external-ips/.chainsaw-test/chainsaw-test.yaml index 3520df0b2..3d4970f92 100755 --- a/best-practices/restrict-service-external-ips/.chainsaw-test/chainsaw-test.yaml +++ b/best-practices/restrict-service-external-ips/.chainsaw-test/chainsaw-test.yaml @@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: @@ -8,18 +7,11 @@ spec: steps: - name: step-01 try: - - apply: - file: ../restrict-service-external-ips.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: restrict-external-ips - spec: - validationFailureAction: Enforce + - script: + content: | + sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../restrict-service-external-ips.yaml | kubectl create -f - - assert: - file: policy-ready.yaml + file: chainsaw-step-01-assert-1.yaml - name: step-02 try: - apply: 
@@ -34,3 +26,10 @@ spec: - check: ($error != null): true file: bad-service-twoeip.yaml + - name: step-99 + try: + - delete: + ref: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: restrict-external-ips diff --git a/best-practices/restrict-service-external-ips/.chainsaw-test/policy-ready.yaml b/best-practices/restrict-service-external-ips/.chainsaw-test/policy-ready.yaml deleted file mode 100755 index 164fecbff..000000000 --- a/best-practices/restrict-service-external-ips/.chainsaw-test/policy-ready.yaml +++ /dev/null @@ -1,9 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: restrict-external-ips -status: - conditions: - - reason: Succeeded - status: "True" - type: Ready diff --git a/best-practices/restrict-service-external-ips/artifacthub-pkg.yml b/best-practices/restrict-service-external-ips/artifacthub-pkg.yml index 9868e9812..309794138 100644 --- a/best-practices/restrict-service-external-ips/artifacthub-pkg.yml +++ b/best-practices/restrict-service-external-ips/artifacthub-pkg.yml @@ -18,4 +18,4 @@ readme: | annotations: kyverno/category: "Best Practices" kyverno/subject: "Service" -digest: 8d219b29ab7540eea32218db186c550c975eda307bf4cebd48246c07ffaef79f +digest: 0c57e3d085fa8dff2afba042c8e7f9055b76b92eab31d37b1cc299ee83201d14 diff --git a/best-practices/restrict-service-external-ips/restrict-service-external-ips.yaml b/best-practices/restrict-service-external-ips/restrict-service-external-ips.yaml index 78fd6bd89..4d5fdaa95 100644 --- a/best-practices/restrict-service-external-ips/restrict-service-external-ips.yaml +++ b/best-practices/restrict-service-external-ips/restrict-service-external-ips.yaml @@ -14,7 +14,7 @@ metadata: See: https://github.com/kyverno/kyverno/issues/1367. This policy validates that the `externalIPs` field is not set on a Service. spec: - validationFailureAction: Audit + validationFailureAction: audit background: true rules: - name: check-ips 
diff --git a/castai/add-castai-removal-disabled/.chainsaw-test/chainsaw-test.yaml b/castai/add-castai-removal-disabled/.chainsaw-test/chainsaw-test.yaml index 0fe6716ff..e8e7cb56e 100755 --- a/castai/add-castai-removal-disabled/.chainsaw-test/chainsaw-test.yaml +++ b/castai/add-castai-removal-disabled/.chainsaw-test/chainsaw-test.yaml @@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: diff --git a/castai/add-castai-removal-disabled/.chainsaw-test/policy-ready.yaml b/castai/add-castai-removal-disabled/.chainsaw-test/policy-ready.yaml index a80dac8d0..d28d8cede 100644 --- a/castai/add-castai-removal-disabled/.chainsaw-test/policy-ready.yaml +++ b/castai/add-castai-removal-disabled/.chainsaw-test/policy-ready.yaml @@ -3,7 +3,4 @@ kind: ClusterPolicy metadata: name: add-castai-removal-disabled status: - conditions: - - reason: Succeeded - status: "True" - type: Ready + ready: true \ No newline at end of file diff --git a/cert-manager/limit-dnsnames/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/cert-manager/limit-dnsnames/.chainsaw-test/chainsaw-step-01-assert-1.yaml deleted file mode 100755 index fcf8c1a7b..000000000 --- a/cert-manager/limit-dnsnames/.chainsaw-test/chainsaw-step-01-assert-1.yaml +++ /dev/null @@ -1,9 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: cert-manager-limit-dnsnames -status: - conditions: - - reason: Succeeded - status: "True" - type: Ready diff --git a/cert-manager/limit-dnsnames/.chainsaw-test/chainsaw-test.yaml b/cert-manager/limit-dnsnames/.chainsaw-test/chainsaw-test.yaml deleted file mode 100755 index ef590805c..000000000 --- a/cert-manager/limit-dnsnames/.chainsaw-test/chainsaw-test.yaml +++ /dev/null 
@@ -1,33 +0,0 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json -apiVersion: chainsaw.kyverno.io/v1alpha1 -kind: Test -metadata: - creationTimestamp: null - name: limit-dnsnames -spec: - steps: - - name: step-01 - try: - - apply: - file: ../limit-dnsnames.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: cert-manager-limit-dnsnames - spec: - validationFailureAction: Enforce - - assert: - file: chainsaw-step-01-assert-1.yaml - - assert: - file: chainsaw-step-01-assert-2.yaml - - name: step-02 - try: - - apply: - file: cert-good.yaml - - apply: - expect: - - check: - ($error != null): true - file: cert-bad.yaml diff --git a/cert-manager/limit-dnsnames/artifacthub-pkg.yml b/cert-manager/limit-dnsnames/artifacthub-pkg.yml index a3cee17ae..706d001af 100644 --- a/cert-manager/limit-dnsnames/artifacthub-pkg.yml +++ b/cert-manager/limit-dnsnames/artifacthub-pkg.yml @@ -18,4 +18,4 @@ readme: | annotations: kyverno/category: "Cert-Manager" kyverno/subject: "Certificate" -digest: ec8a0e1f53ebceb71584f40cab8d3812bb744d2020594178eb6c5afcd4756df4 +digest: 495d98b2a3568a1123822832d34200d6c0bcec3c99572ef744135d965da905c1 diff --git a/cert-manager/limit-dnsnames/.chainsaw-test/cert-bad.yaml b/cert-manager/limit-dnsnames/cert-bad.yaml similarity index 100% rename from cert-manager/limit-dnsnames/.chainsaw-test/cert-bad.yaml rename to cert-manager/limit-dnsnames/cert-bad.yaml diff --git a/cert-manager/limit-dnsnames/.chainsaw-test/cert-good.yaml b/cert-manager/limit-dnsnames/cert-good.yaml similarity index 100% rename from cert-manager/limit-dnsnames/.chainsaw-test/cert-good.yaml rename to cert-manager/limit-dnsnames/cert-good.yaml diff --git a/cert-manager/limit-dnsnames/chainsaw-step-01-assert-1.yaml b/cert-manager/limit-dnsnames/chainsaw-step-01-assert-1.yaml new file mode 100755 index 000000000..e274fbacf --- /dev/null 
+++ b/cert-manager/limit-dnsnames/chainsaw-step-01-assert-1.yaml @@ -0,0 +1,6 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: cert-manager-limit-dnsnames +status: + ready: true diff --git a/cert-manager/limit-dnsnames/.chainsaw-test/chainsaw-step-01-assert-2.yaml b/cert-manager/limit-dnsnames/chainsaw-step-01-assert-2.yaml old mode 100644 new mode 100755 similarity index 100% rename from cert-manager/limit-dnsnames/.chainsaw-test/chainsaw-step-01-assert-2.yaml rename to cert-manager/limit-dnsnames/chainsaw-step-01-assert-2.yaml diff --git a/cert-manager/limit-dnsnames/chainsaw-test.yaml b/cert-manager/limit-dnsnames/chainsaw-test.yaml new file mode 100755 index 000000000..60dbbc40d --- /dev/null +++ b/cert-manager/limit-dnsnames/chainsaw-test.yaml @@ -0,0 +1,34 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: limit-dnsnames +spec: + steps: + - name: step-01 + try: + - script: + content: | + set -e + sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' limit-dnsnames.yaml \ + | kubectl create -f - + - assert: + file: chainsaw-step-01-assert-1.yaml + - assert: + file: chainsaw-step-01-assert-2.yaml + - name: step-02 + try: + - apply: + file: cert-good.yaml + - apply: + expect: + - check: + ($error != null): true + file: cert-bad.yaml + - name: step-99 + try: + - delete: + ref: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: cert-manager-limit-dnsnames diff --git a/cert-manager/limit-dnsnames/limit-dnsnames.yaml b/cert-manager/limit-dnsnames/limit-dnsnames.yaml index 40c50708b..93f62430e 100644 --- a/cert-manager/limit-dnsnames/limit-dnsnames.yaml +++ b/cert-manager/limit-dnsnames/limit-dnsnames.yaml @@ -13,7 +13,7 @@ metadata: This policy ensures that each certificate request contains only one DNS name entry. spec: - validationFailureAction: Audit + validationFailureAction: audit background: false rules: - name: limit-dnsnames 
diff --git a/cert-manager/limit-duration/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/cert-manager/limit-duration/.chainsaw-test/chainsaw-step-01-assert-1.yaml deleted file mode 100755 index dd325c6ac..000000000 --- a/cert-manager/limit-duration/.chainsaw-test/chainsaw-step-01-assert-1.yaml +++ /dev/null @@ -1,9 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: cert-manager-limit-duration -status: - conditions: - - reason: Succeeded - status: "True" - type: Ready diff --git a/cert-manager/limit-duration/.chainsaw-test/chainsaw-test.yaml b/cert-manager/limit-duration/.chainsaw-test/chainsaw-test.yaml deleted file mode 100755 index 3889c4ef1..000000000 --- a/cert-manager/limit-duration/.chainsaw-test/chainsaw-test.yaml +++ /dev/null @@ -1,33 +0,0 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json -apiVersion: chainsaw.kyverno.io/v1alpha1 -kind: Test -metadata: - creationTimestamp: null - name: limit-duration -spec: - steps: - - name: step-01 - try: - - apply: - file: ../limit-duration.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: cert-manager-limit-duration - spec: - validationFailureAction: Enforce - - assert: - file: chainsaw-step-01-assert-1.yaml - - assert: - file: chainsaw-step-01-assert-2.yaml - - name: step-02 - try: - - apply: - file: cert-good.yaml - - apply: - expect: - - check: - ($error != null): true - file: cert-bad.yaml diff --git a/cert-manager/limit-duration/artifacthub-pkg.yml b/cert-manager/limit-duration/artifacthub-pkg.yml index d08004ded..17df82d4e 100644 --- a/cert-manager/limit-duration/artifacthub-pkg.yml +++ b/cert-manager/limit-duration/artifacthub-pkg.yml 
@@ -18,4 +18,4 @@ readme: | annotations: kyverno/category: "Cert-Manager" kyverno/subject: "Certificate" -digest: b3f3f27337f433e5dcc9e857fd10d66a41e8fa96b16f95559c22437b24d91262 +digest: b205b4f94a9d5b68f571d8c6daa734d257af73a1ec958c283053d5831280cfd6 diff --git a/cert-manager/limit-duration/.chainsaw-test/cert-bad.yaml b/cert-manager/limit-duration/cert-bad.yaml similarity index 100% rename from cert-manager/limit-duration/.chainsaw-test/cert-bad.yaml rename to cert-manager/limit-duration/cert-bad.yaml diff --git a/cert-manager/limit-duration/.chainsaw-test/cert-good.yaml b/cert-manager/limit-duration/cert-good.yaml similarity index 100% rename from cert-manager/limit-duration/.chainsaw-test/cert-good.yaml rename to cert-manager/limit-duration/cert-good.yaml diff --git a/cert-manager/limit-duration/chainsaw-step-01-assert-1.yaml b/cert-manager/limit-duration/chainsaw-step-01-assert-1.yaml new file mode 100755 index 000000000..96c5357e0 --- /dev/null +++ b/cert-manager/limit-duration/chainsaw-step-01-assert-1.yaml @@ -0,0 +1,6 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: cert-manager-limit-duration +status: + ready: true diff --git a/cert-manager/limit-duration/.chainsaw-test/chainsaw-step-01-assert-2.yaml b/cert-manager/limit-duration/chainsaw-step-01-assert-2.yaml similarity index 100% rename from cert-manager/limit-duration/.chainsaw-test/chainsaw-step-01-assert-2.yaml rename to cert-manager/limit-duration/chainsaw-step-01-assert-2.yaml diff --git a/cert-manager/limit-duration/chainsaw-test.yaml b/cert-manager/limit-duration/chainsaw-test.yaml new file mode 100755 index 000000000..d1b9cb479 --- /dev/null +++ b/cert-manager/limit-duration/chainsaw-test.yaml 
@@ -0,0 +1,32 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: limit-duration +spec: + steps: + - name: step-01 + try: + - script: + content: "sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' + limit-duration.yaml | kubectl create -f - \n" + - assert: + file: chainsaw-step-01-assert-1.yaml + - assert: + file: chainsaw-step-01-assert-2.yaml + - name: step-02 + try: + - apply: + file: cert-good.yaml + - apply: + expect: + - check: + ($error != null): true + file: cert-bad.yaml + - name: step-99 + try: + - delete: + ref: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: cert-manager-limit-duration diff --git a/cert-manager/limit-duration/limit-duration.yaml b/cert-manager/limit-duration/limit-duration.yaml index c7fadc905..48c47bebc 100644 --- a/cert-manager/limit-duration/limit-duration.yaml +++ b/cert-manager/limit-duration/limit-duration.yaml @@ -11,7 +11,7 @@ metadata: policies.kyverno.io/description: >- Kubernetes managed non-letsencrypt certificates have to be renewed in every 100 days. spec: - validationFailureAction: Audit + validationFailureAction: audit background: false rules: - name: certificate-duration-max-100days diff --git a/cert-manager/restrict-issuer/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/cert-manager/restrict-issuer/.chainsaw-test/chainsaw-step-01-assert-1.yaml deleted file mode 100755 index d63370368..000000000 --- a/cert-manager/restrict-issuer/.chainsaw-test/chainsaw-step-01-assert-1.yaml +++ /dev/null @@ -1,9 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: cert-manager-restrict-issuer -status: - conditions: - - reason: Succeeded - status: "True" - type: Ready diff --git a/cert-manager/restrict-issuer/.chainsaw-test/chainsaw-test.yaml b/cert-manager/restrict-issuer/.chainsaw-test/chainsaw-test.yaml deleted file mode 100755 index 45343b86a..000000000 
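Review bot: `content:` in step-01 is a double-quoted scalar broken across two lines with a trailing `\n`, so the command only reads correctly after the reader re-folds the line break into a space; the sibling limit-dnsnames test uses a `|` block scalar with `set -e`, and this file (and restrict-issuer's chainsaw-test.yaml) should match it: `content: |` / `  set -e` / `  sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' limit-duration.yaml | kubectl create -f -`. It also drops the stray trailing space before `\n` that the quoted form carries into the script.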
--- a/cert-manager/restrict-issuer/.chainsaw-test/chainsaw-test.yaml +++ /dev/null @@ -1,33 +0,0 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json -apiVersion: chainsaw.kyverno.io/v1alpha1 -kind: Test -metadata: - creationTimestamp: null - name: restrict-issuer -spec: - steps: - - name: step-01 - try: - - apply: - file: ../restrict-issuer.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: cert-manager-restrict-issuer - spec: - validationFailureAction: Enforce - - assert: - file: chainsaw-step-01-assert-1.yaml - - assert: - file: chainsaw-step-01-assert-2.yaml - - name: step-02 - try: - - apply: - file: cert-good.yaml - - apply: - expect: - - check: - ($error != null): true - file: cert-bad.yaml diff --git a/cert-manager/restrict-issuer/artifacthub-pkg.yml b/cert-manager/restrict-issuer/artifacthub-pkg.yml index f59691e1f..1757d8c76 100644 --- a/cert-manager/restrict-issuer/artifacthub-pkg.yml +++ b/cert-manager/restrict-issuer/artifacthub-pkg.yml @@ -18,4 +18,4 @@ readme: | annotations: kyverno/category: "Cert-Manager" kyverno/subject: "Certificate" -digest: 9c8afac5d46856c8a40fd438f7bf00b4cf4ef11503f8536cf284613089dccd57 +digest: 2a7b90409b62e51572452487e28b762e6f52c67965a429b5f9981a98906be760 diff --git a/cert-manager/restrict-issuer/.chainsaw-test/cert-bad.yaml b/cert-manager/restrict-issuer/cert-bad.yaml similarity index 100% rename from cert-manager/restrict-issuer/.chainsaw-test/cert-bad.yaml rename to cert-manager/restrict-issuer/cert-bad.yaml diff --git a/cert-manager/restrict-issuer/.chainsaw-test/cert-good.yaml b/cert-manager/restrict-issuer/cert-good.yaml similarity index 100% rename from cert-manager/restrict-issuer/.chainsaw-test/cert-good.yaml rename to cert-manager/restrict-issuer/cert-good.yaml 
diff --git a/cert-manager/restrict-issuer/chainsaw-step-01-assert-1.yaml b/cert-manager/restrict-issuer/chainsaw-step-01-assert-1.yaml new file mode 100755 index 000000000..954ef628c --- /dev/null +++ b/cert-manager/restrict-issuer/chainsaw-step-01-assert-1.yaml @@ -0,0 +1,6 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: cert-manager-restrict-issuer +status: + ready: true diff --git a/cert-manager/restrict-issuer/.chainsaw-test/chainsaw-step-01-assert-2.yaml b/cert-manager/restrict-issuer/chainsaw-step-01-assert-2.yaml similarity index 100% rename from cert-manager/restrict-issuer/.chainsaw-test/chainsaw-step-01-assert-2.yaml rename to cert-manager/restrict-issuer/chainsaw-step-01-assert-2.yaml diff --git a/cert-manager/restrict-issuer/chainsaw-test.yaml b/cert-manager/restrict-issuer/chainsaw-test.yaml new file mode 100755 index 000000000..04e819b54 --- /dev/null +++ b/cert-manager/restrict-issuer/chainsaw-test.yaml @@ -0,0 +1,32 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: restrict-issuer +spec: + steps: + - name: step-01 + try: + - script: + content: "sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' + restrict-issuer.yaml | kubectl create -f - \n" + - assert: + file: chainsaw-step-01-assert-1.yaml + - assert: + file: chainsaw-step-01-assert-2.yaml + - name: step-02 + try: + - apply: + file: cert-good.yaml + - apply: + expect: + - check: + ($error != null): true + file: cert-bad.yaml + - name: step-99 + try: + - delete: + ref: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: cert-manager-restrict-issuer diff --git a/cert-manager/restrict-issuer/restrict-issuer.yaml b/cert-manager/restrict-issuer/restrict-issuer.yaml index 877737107..8e731a9c6 100644 --- a/cert-manager/restrict-issuer/restrict-issuer.yaml +++ b/cert-manager/restrict-issuer/restrict-issuer.yaml 
@@ -13,7 +13,7 @@ metadata: able to create their own issuers and sign certificates for other domains. This policy ensures that a certificate request for a specific domain uses a designated ClusterIssuer. spec: - validationFailureAction: Audit + validationFailureAction: audit background: true rules: - name: restrict-corp-cert-issuer diff --git a/cleanup/cleanup-bare-pods/.chainsaw-test/chainsaw-step-02-assert-1.yaml b/cleanup/cleanup-bare-pods/.chainsaw-test/chainsaw-step-02-assert-1.yaml deleted file mode 100644 index f0fe23d34..000000000 --- a/cleanup/cleanup-bare-pods/.chainsaw-test/chainsaw-step-02-assert-1.yaml +++ /dev/null @@ -1,4 +0,0 @@ -apiVersion: kyverno.io/v2beta1 -kind: ClusterCleanupPolicy -metadata: - name: clean-bare-pods diff --git a/cleanup/cleanup-bare-pods/.chainsaw-test/chainsaw-test.yaml b/cleanup/cleanup-bare-pods/.chainsaw-test/chainsaw-test.yaml deleted file mode 100644 index d9cf0944a..000000000 --- a/cleanup/cleanup-bare-pods/.chainsaw-test/chainsaw-test.yaml +++ /dev/null @@ -1,38 +0,0 @@ -apiVersion: chainsaw.kyverno.io/v1alpha1 -kind: Test -metadata: - name: cleanup-bare-pods -spec: - steps: - - name: apply cluster role - try: - - apply: - file: cluster-role.yaml - - name: create a bare pod - try: - - apply: - file: pod.yaml - - assert: - file: pod.yaml - - name: apply cleanup policy - try: - - apply: - file: ../cleanup-bare-pods.yaml - - patch: - resource: - apiVersion: kyverno.io/v2beta1 - kind: ClusterCleanupPolicy - metadata: - name: clean-bare-pods - spec: - schedule: "*/1 * * * *" - - assert: - file: chainsaw-step-02-assert-1.yaml - - name: wait for scheduled deletion - try: - - sleep: - duration: 1m30s - - name: check for bare pod - try: - - error: - file: pod.yaml \ No newline at end of file diff --git a/cleanup/cleanup-bare-pods/.chainsaw-test/cluster-role.yaml b/cleanup/cleanup-bare-pods/.chainsaw-test/cluster-role.yaml deleted file mode 100644 index 6e5bdaf66..000000000 
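Review bot: The hunk changes `validationFailureAction` from `Audit` to lowercase `audit`; if I read the kyverno.io/v1 API correctly, `Audit` and `Enforce` are the canonical enum values and the lowercase spellings are retained only for backward compatibility, so this moves a published sample policy onto a deprecated form. Keep `validationFailureAction: Audit` and have the test's sed pattern match the capitalised value instead. The same downgrade appears in the consul enforce-min-tls-version policy later in this change.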
--- a/cleanup/cleanup-bare-pods/.chainsaw-test/cluster-role.yaml +++ /dev/null @@ -1,20 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - namespace: kyverno - labels: - app.kubernetes.io/component: cleanup-controller - app.kubernetes.io/instance: kyverno - app.kubernetes.io/part-of: kyverno - name: kyverno:cleanup-controller:barepods -rules: -- apiGroups: - - "" - resources: - - pods - verbs: - - get - - watch - - list - - delete - diff --git a/cleanup/cleanup-bare-pods/.chainsaw-test/pod.yaml b/cleanup/cleanup-bare-pods/.chainsaw-test/pod.yaml deleted file mode 100644 index fc66231b2..000000000 --- a/cleanup/cleanup-bare-pods/.chainsaw-test/pod.yaml +++ /dev/null @@ -1,8 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: bare-pod -spec: - containers: - - name: nginx - image: ghcr.io/kyverno/test-nginx:1.14.1 diff --git a/cleanup/cleanup-empty-replicasets/.chainsaw-test/chainsaw-assert-1.yaml b/cleanup/cleanup-empty-replicasets/.chainsaw-test/chainsaw-assert-1.yaml deleted file mode 100644 index edddc5def..000000000 --- a/cleanup/cleanup-empty-replicasets/.chainsaw-test/chainsaw-assert-1.yaml +++ /dev/null @@ -1,5 +0,0 @@ -apiVersion: apps/v1 -kind: ReplicaSet -metadata: - name: example-797bfc7b6f - namespace: default diff --git a/cleanup/cleanup-empty-replicasets/.chainsaw-test/chainsaw-test.yaml b/cleanup/cleanup-empty-replicasets/.chainsaw-test/chainsaw-test.yaml deleted file mode 100644 index fd3ff2fdb..000000000 --- a/cleanup/cleanup-empty-replicasets/.chainsaw-test/chainsaw-test.yaml +++ /dev/null 
@@ -1,30 +0,0 @@ -apiVersion: chainsaw.kyverno.io/v1alpha1 -kind: Test -metadata: - name: cleanup-pod -spec: - steps: - - name: step-01 - try: - - apply: - file: ../cluster-role.yaml - - name: step-02 - try: - - apply: - file: rs.yaml - - assert: - file: chainsaw-assert-1.yaml - - name: step-03 - try: - - apply: - file: ../cleanup-empty-replicasets.yaml - - assert: - file: ../cleanup-empty-replicasets.yaml - - name: step-04 - try: - - sleep: - duration: 1m5s - - name: step-05 - try: - - error: - file: chainsaw-assert-1.yaml diff --git a/cleanup/cleanup-empty-replicasets/.chainsaw-test/rs.yaml b/cleanup/cleanup-empty-replicasets/.chainsaw-test/rs.yaml deleted file mode 100644 index ed79584c8..000000000 --- a/cleanup/cleanup-empty-replicasets/.chainsaw-test/rs.yaml +++ /dev/null @@ -1,24 +0,0 @@ -apiVersion: apps/v1 -kind: ReplicaSet -metadata: - labels: - app: example - pod-template-hash: 797bfc7b6f - name: example-797bfc7b6f - namespace: default -spec: - replicas: 0 - selector: - matchLabels: - app: example - pod-template-hash: 797bfc7b6f - template: - metadata: - labels: - app: example - pod-template-hash: 797bfc7b6f - spec: - containers: - - image: httpd - imagePullPolicy: Always - name: httpd diff --git a/cleanup/cleanup-empty-replicasets/artifacthub-pkg.yml b/cleanup/cleanup-empty-replicasets/artifacthub-pkg.yml index 2df42de95..0ba7a6033 100644 --- a/cleanup/cleanup-empty-replicasets/artifacthub-pkg.yml +++ b/cleanup/cleanup-empty-replicasets/artifacthub-pkg.yml 
@@ -1,9 +1,9 @@ name: cleanup-empty-replicasets -version: 1.0.1 +version: 1.0.0 displayName: Cleanup Empty ReplicaSets createdAt: "2023-12-12T17:57:28.000Z" description: >- - ReplicaSets serve as an intermediate controller for various Pod controllers like Deployments. When a new version of a Deployment is initiated, it generates a new ReplicaSet with the specified number of replicas and scales down the current one to zero. Consequently, numerous empty ReplicaSets may accumulate in the cluster, leading to clutter and potential false positives in policy reports if enabled. This cleanup policy is designed to remove empty ReplicaSets across the cluster within a specified timeframe, for instance, ReplicaSets created one day ago, ensuring the ability to rollback to previous ReplicaSets in case of deployment issues + ReplicaSets are an intermediary controller to several Pod controllers such as Deployments. When a new version of a Deployment is created, it spawns a new ReplicaSet with the desired number of replicas and scale the current one to zero. This can have the effect of leaving many empty ReplicaSets in the cluster which can create clutter and false positives if policy reports are enabled. This cleanup policy removes all empty ReplicaSets across the cluster. Note that removing empty ReplicaSets may prevent rollbacks. install: |- ```shell kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/cleanup/cleanup-empty-replicasets/cleanup-empty-replicasets.yaml 
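Review bot: The package version is lowered from `1.0.1` to `1.0.0` while the description, the policy body and the digest all change, so if 1.0.0 was already published to Artifact Hub the same version now resolves to different content and consumers who pinned it cannot distinguish the two. Bump forward (`version: 1.0.2`) even when the intent is to roll the behaviour back, and state the rollback in the readme rather than reusing an old version number.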
@@ -13,11 +13,11 @@ keywords: - cleanup - replicaset readme: | - ReplicaSets serve as an intermediate controller for various Pod controllers like Deployments. When a new version of a Deployment is initiated, it generates a new ReplicaSet with the specified number of replicas and scales down the current one to zero. Consequently, numerous empty ReplicaSets may accumulate in the cluster, leading to clutter and potential false positives in policy reports if enabled. This cleanup policy is designed to remove empty ReplicaSets across the cluster within a specified timeframe, for instance, ReplicaSets created one day ago, ensuring the ability to rollback to previous ReplicaSets in case of deployment issues + ReplicaSets are an intermediary controller to several Pod controllers such as Deployments. When a new version of a Deployment is created, it spawns a new ReplicaSet with the desired number of replicas and scale the current one to zero. This can have the effect of leaving many empty ReplicaSets in the cluster which can create clutter and false positives if policy reports are enabled. This cleanup policy removes all empty ReplicaSets across the cluster. Note that removing empty ReplicaSets may prevent rollbacks. + Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ annotations: kyverno/category: "Other" kyverno/kubernetesVersion: "1.27" kyverno/subject: "ReplicaSet" -digest: 2d0c71608ae0d13c4299f8f7e2186e3e487696d28df277244c766b81ad183497 - +digest: 89cc4300938ad7e5c5ad0d649307539f525c35a8107e8661266b144ba1f77c5c diff --git a/cleanup/cleanup-empty-replicasets/cleanup-empty-replicasets.yaml b/cleanup/cleanup-empty-replicasets/cleanup-empty-replicasets.yaml index c8754ec56..01a4af344 100644 --- a/cleanup/cleanup-empty-replicasets/cleanup-empty-replicasets.yaml +++ b/cleanup/cleanup-empty-replicasets/cleanup-empty-replicasets.yaml 
@@ -1,4 +1,3 @@ -#The described logic currently deletes the ReplicaSets created 30 seconds ago. You can adjust this timeframe according to your specific requirements. apiVersion: kyverno.io/v2beta1 kind: ClusterCleanupPolicy metadata: @@ -12,24 +11,21 @@ metadata: policies.kyverno.io/minversion: 1.9.0 kyverno.io/kubernetes-version: "1.27" policies.kyverno.io/description: >- - ReplicaSets serve as an intermediate controller for various Pod controllers like Deployments. When a new version of a Deployment is initiated, it generates a new ReplicaSet with the specified number of replicas and scales down the current one to zero. Consequently, numerous empty ReplicaSets may accumulate in the cluster, leading to clutter and potential false positives in policy reports if enabled. This cleanup policy is designed to remove empty ReplicaSets across the cluster within a specified timeframe, for instance, ReplicaSets created one day ago, ensuring the ability to rollback to previous ReplicaSets in case of deployment issues + ReplicaSets are an intermediary controller to several Pod controllers such as Deployments. + When a new version of a Deployment is created, it spawns a new ReplicaSet with the desired + number of replicas and scale the current one to zero. This can have the effect of leaving + many empty ReplicaSets in the cluster which can create clutter and false positives if policy + reports are enabled. This cleanup policy removes all empty ReplicaSets across the cluster. + Note that removing empty ReplicaSets may prevent rollbacks. spec: match: any: - resources: kinds: - ReplicaSet - exclude: - any: - - resources: - namespaces: - - kube-system conditions: all: - key: "{{ target.spec.replicas }}" operator: Equals value: 0 - - key: "{{ time_diff('{{target.metadata.creationTimestamp}}','{{ time_now_utc() }}') }}" - operator: GreaterThan - value: "0h0m30s" - schedule: "*/1 * * * *" + schedule: "*/5 * * * *" 
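Review bot: Removing the `time_diff(...) > 0h0m30s` condition lets the policy delete a ReplicaSet that was created moments ago with zero replicas, and in a Deployment rollout with `maxSurge: 0` (or one already at its surge cap) the controller appears to create the new ReplicaSet at zero replicas before scaling it up, so the cleanup can race an in-progress rollout; the controller should recreate the ReplicaSet, but the rollout is disturbed. Dropping the `kube-system` exclusion likewise lets the policy act on control-plane add-on ReplicaSets with no opt-out. Keep an age guard — `- key: "{{ time_diff('{{target.metadata.creationTimestamp}}','{{ time_now_utc() }}') }}"` / `operator: GreaterThan` / `value: "0h0m30s"` (or longer) — and a namespace exclusion, or say in the description that both are expected to be tuned before use. The ClusterRole that granted the cleanup controller `delete` on replicasets is removed elsewhere in this change, so the RBAC the policy needs should also be called out in the description.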
diff --git a/cleanup/cleanup-empty-replicasets/cluster-role.yaml b/cleanup/cleanup-empty-replicasets/cluster-role.yaml deleted file mode 100644 index 719990d30..000000000 --- a/cleanup/cleanup-empty-replicasets/cluster-role.yaml +++ /dev/null @@ -1,18 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app.kubernetes.io/component: cleanup-controller - app.kubernetes.io/instance: kyverno - app.kubernetes.io/part-of: kyverno - name: kyverno:cleanup-controller:temp -rules: -- apiGroups: - - "apps" - resources: - - replicasets - verbs: - - get - - watch - - list - - delete diff --git a/consul-cel/enforce-min-tls-version/.chainsaw-test/chainsaw-test.yaml b/consul-cel/enforce-min-tls-version/.chainsaw-test/chainsaw-test.yaml deleted file mode 100755 index 2385bfce2..000000000 --- a/consul-cel/enforce-min-tls-version/.chainsaw-test/chainsaw-test.yaml +++ /dev/null @@ -1,27 +0,0 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json -apiVersion: chainsaw.kyverno.io/v1alpha1 -kind: Test -metadata: - creationTimestamp: null - name: enforce-min-tls-version -spec: - steps: - - name: step-00 - try: - - assert: - file: crd-assert.yaml - - name: step-01 - try: - - apply: - file: ../enforce-min-tls-version.yaml - - assert: - file: policy-ready.yaml - - name: step-02 - try: - - apply: - file: mesh-good.yaml - - apply: - expect: - - check: - ($error != null): true - file: mesh-bad.yaml diff --git a/consul-cel/enforce-min-tls-version/.chainsaw-test/crd-assert.yaml b/consul-cel/enforce-min-tls-version/.chainsaw-test/crd-assert.yaml deleted file mode 100755 index 49fddfad6..000000000 --- a/consul-cel/enforce-min-tls-version/.chainsaw-test/crd-assert.yaml +++ /dev/null 
@@ -1,13 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: meshes.consul.hashicorp.com -spec: {} -status: - acceptedNames: - kind: Mesh - listKind: MeshList - plural: meshes - singular: mesh - storedVersions: - - v1alpha1 diff --git a/consul-cel/enforce-min-tls-version/.chainsaw-test/mesh-bad.yaml b/consul-cel/enforce-min-tls-version/.chainsaw-test/mesh-bad.yaml deleted file mode 100644 index 510ff09c6..000000000 --- a/consul-cel/enforce-min-tls-version/.chainsaw-test/mesh-bad.yaml +++ /dev/null @@ -1,8 +0,0 @@ -apiVersion: consul.hashicorp.com/v1alpha1 -kind: Mesh -metadata: - name: badmesh01 -spec: - tls: - incoming: - tlsMinVersion: TLSv1_1 \ No newline at end of file diff --git a/consul-cel/enforce-min-tls-version/.chainsaw-test/mesh-good.yaml b/consul-cel/enforce-min-tls-version/.chainsaw-test/mesh-good.yaml deleted file mode 100644 index a21ce7ecb..000000000 --- a/consul-cel/enforce-min-tls-version/.chainsaw-test/mesh-good.yaml +++ /dev/null @@ -1,8 +0,0 @@ -apiVersion: consul.hashicorp.com/v1alpha1 -kind: Mesh -metadata: - name: goodmesh01 -spec: - tls: - incoming: - tlsMinVersion: TLSv1_2 \ No newline at end of file diff --git a/consul-cel/enforce-min-tls-version/.chainsaw-test/policy-ready.yaml b/consul-cel/enforce-min-tls-version/.chainsaw-test/policy-ready.yaml deleted file mode 100644 index 96fdaebc2..000000000 --- a/consul-cel/enforce-min-tls-version/.chainsaw-test/policy-ready.yaml +++ /dev/null @@ -1,9 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: enforce-min-tls-version -status: - conditions: - - reason: Succeeded - status: "True" - type: Ready diff --git a/consul-cel/enforce-min-tls-version/.kyverno-test/kyverno-test.yaml b/consul-cel/enforce-min-tls-version/.kyverno-test/kyverno-test.yaml deleted file mode 100644 index 999cb075d..000000000 --- a/consul-cel/enforce-min-tls-version/.kyverno-test/kyverno-test.yaml +++ /dev/null 
@@ -1,21 +0,0 @@ -apiVersion: cli.kyverno.io/v1alpha1 -kind: Test -metadata: - name: enforce-min-tls-version -policies: -- ../enforce-min-tls-version.yaml -resources: -- resource.yaml -results: -- kind: Mesh - policy: enforce-min-tls-version - resources: - - badmesh - result: fail - rule: check-for-tls-version -- kind: Mesh - policy: enforce-min-tls-version - resources: - - goodmesh - result: pass - rule: check-for-tls-version diff --git a/consul-cel/enforce-min-tls-version/.kyverno-test/resource.yaml b/consul-cel/enforce-min-tls-version/.kyverno-test/resource.yaml deleted file mode 100644 index a6bf83b5f..000000000 --- a/consul-cel/enforce-min-tls-version/.kyverno-test/resource.yaml +++ /dev/null @@ -1,17 +0,0 @@ -apiVersion: consul.hashicorp.com/v1alpha1 -kind: Mesh -metadata: - name: badmesh -spec: - tls: - incoming: - tlsMinVersion: TLSv1_1 ---- -apiVersion: consul.hashicorp.com/v1alpha1 -kind: Mesh -metadata: - name: goodmesh -spec: - tls: - incoming: - tlsMinVersion: TLSv1_2 \ No newline at end of file diff --git a/consul-cel/enforce-min-tls-version/artifacthub-pkg.yml b/consul-cel/enforce-min-tls-version/artifacthub-pkg.yml deleted file mode 100644 index a92a75302..000000000 --- a/consul-cel/enforce-min-tls-version/artifacthub-pkg.yml +++ /dev/null 
@@ -1,24 +0,0 @@ -name: enforce-min-tls-version-cel -version: 1.0.0 -displayName: Enforce Consul min TLS version in CEL expressions -description: >- - This policy will check the TLS Min version to ensure that whenever the mesh is set, there is a minimum version of TLS set for all the service mesh proxies and this enforces that service mesh mTLS traffic uses TLS v1.2 or newer. -install: |- - ```shell - kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/consul-cel/enforce-min-tls-version/enforce-min-tls-version.yaml - ``` -keywords: - - kyverno - - Consul - - CEL Expressions -readme: | - This policy will check the TLS Min version to ensure that whenever the mesh is set, there is a minimum version of TLS set for all the service mesh proxies and this enforces that service mesh mTLS traffic uses TLS v1.2 or newer. - - Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ -annotations: - kyverno/category: "Consul in CEL" - kyverno/kubernetesVersion: "1.26-1.27" - kyverno/subject: "Mesh" -digest: ef025b5a358ed684ffe008b5a251e743289f5e2f28e72e49df10c895b1539260 -createdAt: "2024-05-02T17:47:54Z" - diff --git a/consul-cel/enforce-min-tls-version/enforce-min-tls-version.yaml b/consul-cel/enforce-min-tls-version/enforce-min-tls-version.yaml deleted file mode 100644 index 97fe0c258..000000000 --- a/consul-cel/enforce-min-tls-version/enforce-min-tls-version.yaml +++ /dev/null 
@@ -1,34 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: enforce-min-tls-version - annotations: - policies.kyverno.io/title: Enforce Consul min TLS version in CEL expressions - policies.kyverno.io/category: Consul in CEL - policies.kyverno.io/severity: medium - policies.kyverno.io/subject: Mesh - kyverno.io/kyverno-version: 1.11.0 - policies.kyverno.io/minversion: 1.11.0 - kyverno.io/kubernetes-version: "1.26-1.27" - policies.kyverno.io/description: >- - This policy will check the TLS Min version to ensure that whenever the mesh is set, there is a minimum version of TLS set for all the service mesh proxies and this enforces that service mesh mTLS traffic uses TLS v1.2 or newer. -spec: - validationFailureAction: Enforce - background: true - rules: - - name: check-for-tls-version - match: - any: - - resources: - kinds: - - Mesh - operations: - - CREATE - - UPDATE - validate: - cel: - expressions: - - expression: >- - object.?spec.?tls.?incoming.?tlsMinVersion.orValue('') == 'TLSv1_2' - message: The minimum version of TLS is TLS v1_2 - diff --git a/consul/enforce-min-tls-version/.chainsaw-test/chainsaw-test.yaml b/consul/enforce-min-tls-version/.chainsaw-test/chainsaw-test.yaml index 91636cfb4..6355a4f9a 100755 --- a/consul/enforce-min-tls-version/.chainsaw-test/chainsaw-test.yaml +++ b/consul/enforce-min-tls-version/.chainsaw-test/chainsaw-test.yaml @@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: diff --git a/consul/enforce-min-tls-version/.chainsaw-test/policy-ready.yaml b/consul/enforce-min-tls-version/.chainsaw-test/policy-ready.yaml index 96fdaebc2..be7a47e8e 100644 --- a/consul/enforce-min-tls-version/.chainsaw-test/policy-ready.yaml +++ b/consul/enforce-min-tls-version/.chainsaw-test/policy-ready.yaml 
@@ -3,7 +3,4 @@ kind: ClusterPolicy metadata: name: enforce-min-tls-version status: - conditions: - - reason: Succeeded - status: "True" - type: Ready + ready: true \ No newline at end of file diff --git a/consul/enforce-min-tls-version/artifacthub-pkg.yml b/consul/enforce-min-tls-version/artifacthub-pkg.yml index 1c4e03a56..4469e84a3 100644 --- a/consul/enforce-min-tls-version/artifacthub-pkg.yml +++ b/consul/enforce-min-tls-version/artifacthub-pkg.yml @@ -19,4 +19,4 @@ annotations: kyverno/category: "Consul" kyverno/kubernetesVersion: "1.24" kyverno/subject: "Mesh" -digest: ca396c060240139dd41b54743adfd655c5631d8a2e3d12f6043057828d92fab0 +digest: 26212a00629d858ebf10f2f73e8c7a0f2aafb8c21f95977d6b1688cafafac83a diff --git a/consul/enforce-min-tls-version/enforce-min-tls-version.yaml b/consul/enforce-min-tls-version/enforce-min-tls-version.yaml index 33028e27f..c77bec745 100644 --- a/consul/enforce-min-tls-version/enforce-min-tls-version.yaml +++ b/consul/enforce-min-tls-version/enforce-min-tls-version.yaml @@ -13,7 +13,7 @@ metadata: policies.kyverno.io/description: >- This policy will check the TLS Min version to ensure that whenever the mesh is set, there is a minimum version of TLS set for all the service mesh proxies and this enforces that service mesh mTLS traffic uses TLS v1.2 or newer. spec: - validationFailureAction: Enforce + validationFailureAction: enforce background: true rules: - name: check-for-tls-version diff --git a/external-secret-operator/add-external-secret-prefix/.chainsaw-test/chainsaw-test.yaml b/external-secret-operator/add-external-secret-prefix/.chainsaw-test/chainsaw-test.yaml index 144f46248..d5db10348 100755 --- a/external-secret-operator/add-external-secret-prefix/.chainsaw-test/chainsaw-test.yaml +++ b/external-secret-operator/add-external-secret-prefix/.chainsaw-test/chainsaw-test.yaml 
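Review bot: The readiness assert in policy-ready.yaml is weakened from the `Ready` condition with `reason: Succeeded` to the boolean `status.ready`, which, if I read the kyverno.io/v1 PolicyStatus correctly, is retained for compatibility and deprecated in favour of conditions. Prefer keeping `conditions:` / `- type: Ready` / `status: "True"`, and restore the trailing newline the hunk drops (`\ No newline at end of file`).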
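Review bot: `validationFailureAction: Enforce` is downgraded to lowercase `enforce` in enforce-min-tls-version.yaml; as with the cert-manager policy in this change, the capitalised form is the canonical enum value and the lowercase spelling is, to my knowledge, kept only for backward compatibility. For a published Enforce-mode TLS-floor policy keep `validationFailureAction: Enforce`.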
@@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: diff --git a/flux-cel/verify-flux-sources/.chainsaw-test/bucket-crd-assert.yaml b/flux-cel/verify-flux-sources/.chainsaw-test/bucket-crd-assert.yaml deleted file mode 100755 index 688485ded..000000000 --- a/flux-cel/verify-flux-sources/.chainsaw-test/bucket-crd-assert.yaml +++ /dev/null @@ -1,13 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: buckets.source.toolkit.fluxcd.io -spec: {} -status: - acceptedNames: - kind: Bucket - listKind: BucketList - plural: buckets - singular: bucket - storedVersions: - - v1beta2 diff --git a/flux-cel/verify-flux-sources/.chainsaw-test/chainsaw-test.yaml b/flux-cel/verify-flux-sources/.chainsaw-test/chainsaw-test.yaml deleted file mode 100755 index 1d0b7c63e..000000000 --- a/flux-cel/verify-flux-sources/.chainsaw-test/chainsaw-test.yaml +++ /dev/null 
@@ -1,64 +0,0 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json -apiVersion: chainsaw.kyverno.io/v1alpha1 -kind: Test -metadata: - creationTimestamp: null - name: verify-flux-sources -spec: - steps: - - name: step-01 - try: - - apply: - file: ../verify-flux-sources.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: verify-flux-sources - spec: - validationFailureAction: Enforce - - assert: - file: policy-ready.yaml - - assert: - file: bucket-crd-assert.yaml - - assert: - file: git-repository-crd-assert.yaml - - assert: - file: image-repository-crd-assert.yaml - - assert: - file: helm-repository-crd-assert.yaml - - name: step-02 - try: - - apply: - file: ns.yaml - - name: step-03 - try: - - apply: - expect: - - check: - ($error != null): true - file: repo-bad-git.yaml - - apply: - expect: - - check: - ($error != null): true - file: repo-bad-bucket.yaml - - apply: - expect: - - check: - ($error != null): true - file: repo-bad-helm.yaml - - apply: - expect: - - check: - ($error != null): true - file: repo-bad-image.yaml - - apply: - file: repo-good-git.yaml - - apply: - file: repo-good-bucket.yaml - - apply: - file: repo-good-helm.yaml - - apply: - file: repo-good-image.yaml diff --git a/flux-cel/verify-flux-sources/.chainsaw-test/git-repository-crd-assert.yaml b/flux-cel/verify-flux-sources/.chainsaw-test/git-repository-crd-assert.yaml deleted file mode 100755 index 79db50af3..000000000 --- a/flux-cel/verify-flux-sources/.chainsaw-test/git-repository-crd-assert.yaml +++ /dev/null @@ -1,13 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: gitrepositories.source.toolkit.fluxcd.io -spec: {} -status: - acceptedNames: - kind: GitRepository - listKind: GitRepositoryList - plural: gitrepositories - singular: gitrepository - storedVersions: - - v1 
diff --git a/flux-cel/verify-flux-sources/.chainsaw-test/helm-repository-crd-assert.yaml b/flux-cel/verify-flux-sources/.chainsaw-test/helm-repository-crd-assert.yaml deleted file mode 100755 index 22d1c289c..000000000 --- a/flux-cel/verify-flux-sources/.chainsaw-test/helm-repository-crd-assert.yaml +++ /dev/null @@ -1,13 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: helmrepositories.source.toolkit.fluxcd.io -spec: {} -status: - acceptedNames: - kind: HelmRepository - listKind: HelmRepositoryList - plural: helmrepositories - singular: helmrepository - storedVersions: - - v1beta2 diff --git a/flux-cel/verify-flux-sources/.chainsaw-test/image-repository-crd-assert.yaml b/flux-cel/verify-flux-sources/.chainsaw-test/image-repository-crd-assert.yaml deleted file mode 100755 index 51fc5cd50..000000000 --- a/flux-cel/verify-flux-sources/.chainsaw-test/image-repository-crd-assert.yaml +++ /dev/null @@ -1,13 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: imagerepositories.image.toolkit.fluxcd.io -spec: {} -status: - acceptedNames: - kind: ImageRepository - listKind: ImageRepositoryList - plural: imagerepositories - singular: imagerepository - storedVersions: - - v1beta2 diff --git a/flux-cel/verify-flux-sources/.chainsaw-test/ns.yaml b/flux-cel/verify-flux-sources/.chainsaw-test/ns.yaml deleted file mode 100755 index c00a4321e..000000000 --- a/flux-cel/verify-flux-sources/.chainsaw-test/ns.yaml +++ /dev/null @@ -1,4 +0,0 @@ -apiVersion: v1 -kind: Namespace -metadata: - name: flux-system diff --git a/flux-cel/verify-flux-sources/.chainsaw-test/policy-ready.yaml b/flux-cel/verify-flux-sources/.chainsaw-test/policy-ready.yaml deleted file mode 100755 index 262f00af3..000000000 --- a/flux-cel/verify-flux-sources/.chainsaw-test/policy-ready.yaml +++ /dev/null 
@@ -1,9 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: verify-flux-sources -status: - conditions: - - reason: Succeeded - status: "True" - type: Ready diff --git a/flux-cel/verify-flux-sources/.chainsaw-test/repo-bad-bucket.yaml b/flux-cel/verify-flux-sources/.chainsaw-test/repo-bad-bucket.yaml deleted file mode 100644 index 0fb02ca4a..000000000 --- a/flux-cel/verify-flux-sources/.chainsaw-test/repo-bad-bucket.yaml +++ /dev/null @@ -1,8 +0,0 @@ -apiVersion: source.toolkit.fluxcd.io/v1beta2 -kind: Bucket -metadata: - name: bucket-bad -spec: - interval: 5m0s - endpoint: minio.notmyorg.com - bucketName: example \ No newline at end of file diff --git a/flux-cel/verify-flux-sources/.chainsaw-test/repo-bad-git.yaml b/flux-cel/verify-flux-sources/.chainsaw-test/repo-bad-git.yaml deleted file mode 100644 index 62998778b..000000000 --- a/flux-cel/verify-flux-sources/.chainsaw-test/repo-bad-git.yaml +++ /dev/null @@ -1,7 +0,0 @@ -apiVersion: source.toolkit.fluxcd.io/v1 -kind: GitRepository -metadata: - name: bad-gitrepo-01 -spec: - interval: 5m0s - url: https://github.com/notmyorg/podinfo \ No newline at end of file diff --git a/flux-cel/verify-flux-sources/.chainsaw-test/repo-bad-helm.yaml b/flux-cel/verify-flux-sources/.chainsaw-test/repo-bad-helm.yaml deleted file mode 100644 index 11a996a11..000000000 --- a/flux-cel/verify-flux-sources/.chainsaw-test/repo-bad-helm.yaml +++ /dev/null @@ -1,7 +0,0 @@ -apiVersion: source.toolkit.fluxcd.io/v1beta2 -kind: HelmRepository -metadata: - name: bad-helmrepo-01 -spec: - interval: 5m0s - url: https://helmrepo.github.io/podinfo \ No newline at end of file diff --git a/flux-cel/verify-flux-sources/.chainsaw-test/repo-bad-image.yaml b/flux-cel/verify-flux-sources/.chainsaw-test/repo-bad-image.yaml deleted file mode 100644 index 2be404b43..000000000 --- a/flux-cel/verify-flux-sources/.chainsaw-test/repo-bad-image.yaml +++ /dev/null 
@@ -1,8 +0,0 @@ -apiVersion: image.toolkit.fluxcd.io/v1beta2 -kind: ImageRepository -metadata: - name: imagerepo-bad -spec: - image: nothing.io/notmyorg/ - interval: 1h - provider: generic \ No newline at end of file diff --git a/flux-cel/verify-flux-sources/.chainsaw-test/repo-good-bucket.yaml b/flux-cel/verify-flux-sources/.chainsaw-test/repo-good-bucket.yaml deleted file mode 100644 index 0669a4190..000000000 --- a/flux-cel/verify-flux-sources/.chainsaw-test/repo-good-bucket.yaml +++ /dev/null @@ -1,18 +0,0 @@ -apiVersion: source.toolkit.fluxcd.io/v1beta2 -kind: Bucket -metadata: - name: good-bucket-01 -spec: - interval: 5m0s - endpoint: minio.myorg.com - bucketName: example ---- -apiVersion: source.toolkit.fluxcd.io/v1beta2 -kind: Bucket -metadata: - name: good-bucket-02 - namespace: flux-system -spec: - interval: 5m0s - endpoint: minio.notmyorg.com - bucketName: example \ No newline at end of file diff --git a/flux-cel/verify-flux-sources/.chainsaw-test/repo-good-git.yaml b/flux-cel/verify-flux-sources/.chainsaw-test/repo-good-git.yaml deleted file mode 100644 index e98df9e9c..000000000 --- a/flux-cel/verify-flux-sources/.chainsaw-test/repo-good-git.yaml +++ /dev/null @@ -1,24 +0,0 @@ -apiVersion: source.toolkit.fluxcd.io/v1 -kind: GitRepository -metadata: - name: good-gitrepo-01 -spec: - interval: 5m0s - url: https://github.com/myorg/podinfo ---- -apiVersion: source.toolkit.fluxcd.io/v1 -kind: GitRepository -metadata: - name: good-gitrepo-02 -spec: - interval: 5m0s - url: ssh://git@github.com:myorg/podinfo ---- -apiVersion: source.toolkit.fluxcd.io/v1 -kind: GitRepository -metadata: - name: good-gitrepo-03 - namespace: flux-system -spec: - interval: 5m0s - url: https://github.com/notmyorg/podinfo \ No newline at end of file diff --git a/flux-cel/verify-flux-sources/.chainsaw-test/repo-good-helm.yaml b/flux-cel/verify-flux-sources/.chainsaw-test/repo-good-helm.yaml deleted file mode 100644 index 17b32fd4c..000000000 
--- a/flux-cel/verify-flux-sources/.chainsaw-test/repo-good-helm.yaml +++ /dev/null @@ -1,16 +0,0 @@ -apiVersion: source.toolkit.fluxcd.io/v1beta2 -kind: HelmRepository -metadata: - name: good-helmrepo-01 -spec: - interval: 5m0s - url: https://helmrepo.myorg.com/podinfo ---- -apiVersion: source.toolkit.fluxcd.io/v1beta2 -kind: HelmRepository -metadata: - name: good-helmrepo-02 - namespace: flux-system -spec: - interval: 5m0s - url: https://notmyorg.github.io/podinfo \ No newline at end of file diff --git a/flux-cel/verify-flux-sources/.chainsaw-test/repo-good-image.yaml b/flux-cel/verify-flux-sources/.chainsaw-test/repo-good-image.yaml deleted file mode 100644 index beebfd1aa..000000000 --- a/flux-cel/verify-flux-sources/.chainsaw-test/repo-good-image.yaml +++ /dev/null @@ -1,18 +0,0 @@ -apiVersion: image.toolkit.fluxcd.io/v1beta2 -kind: ImageRepository -metadata: - name: good-imagerepo-01 -spec: - image: ghcr.io/myorg/ - interval: 1h - provider: generic ---- -apiVersion: image.toolkit.fluxcd.io/v1beta2 -kind: ImageRepository -metadata: - name: good-imagerepo-02 - namespace: flux-system -spec: - image: nothing.io/notmyorg/ - interval: 1h - provider: generic \ No newline at end of file diff --git a/flux-cel/verify-flux-sources/.kyverno-test/kyverno-test.yaml b/flux-cel/verify-flux-sources/.kyverno-test/kyverno-test.yaml deleted file mode 100644 index e455f191c..000000000 --- a/flux-cel/verify-flux-sources/.kyverno-test/kyverno-test.yaml +++ /dev/null 
@@ -1,66 +0,0 @@ -apiVersion: cli.kyverno.io/v1alpha1 -kind: Test -metadata: - name: verify-flux-sources -policies: -- ../verify-flux-sources.yaml -resources: -- ../.chainsaw-test/repo-bad-bucket.yaml -- ../.chainsaw-test/repo-bad-git.yaml -- ../.chainsaw-test/repo-bad-helm.yaml -- ../.chainsaw-test/repo-bad-image.yaml -- ../.chainsaw-test/repo-good-bucket.yaml -- ../.chainsaw-test/repo-good-git.yaml -- ../.chainsaw-test/repo-good-helm.yaml -- ../.chainsaw-test/repo-good-image.yaml -results: -- policy: verify-flux-sources - rule: flux-github-repositories - kind: GitRepository - resources: - - bad-gitrepo-01 - result: fail -- policy: verify-flux-sources - rule: flux-github-repositories - kind: GitRepository - resources: - - good-gitrepo-01 - - good-gitrepo-02 - result: pass -- policy: verify-flux-sources - rule: flux-buckets - kind: Bucket - resources: - - bucket-bad - result: fail -- policy: verify-flux-sources - rule: flux-buckets - kind: Bucket - resources: - - good-bucket-01 - result: pass -- policy: verify-flux-sources - rule: flux-helm-repositories - kind: HelmRepository - resources: - - bad-helmrepo-01 - result: fail -- policy: verify-flux-sources - rule: flux-helm-repositories - kind: HelmRepository - resources: - - good-helmrepo-01 - result: pass -- policy: verify-flux-sources - rule: flux-image-repositories - kind: ImageRepository - resources: - - imagerepo-bad - result: fail -- policy: verify-flux-sources - rule: flux-image-repositories - kind: ImageRepository - resources: - - good-imagerepo-01 - result: pass - diff --git a/flux-cel/verify-flux-sources/artifacthub-pkg.yml b/flux-cel/verify-flux-sources/artifacthub-pkg.yml deleted file mode 100644 index 901eff1ec..000000000 --- a/flux-cel/verify-flux-sources/artifacthub-pkg.yml +++ /dev/null 
@@ -1,24 +0,0 @@ -name: verify-flux-sources-cel -version: 1.0.0 -displayName: Verify Flux Sources in CEL expressions -description: >- - Flux source APIs include a number of different sources such as GitRepository, Bucket, HelmRepository, and ImageRepository resources. Each of these by default can be pointed to any location. In a production environment, it may be desired to restrict these to only known sources to prevent accessing outside sources. This policy verifies that each of the Flux sources comes from a trusted location. -install: |- - ```shell - kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/flux-cel/verify-flux-sources/verify-flux-sources.yaml - ``` -keywords: - - kyverno - - Flux - - CEL Expressions -readme: | - Flux source APIs include a number of different sources such as GitRepository, Bucket, HelmRepository, and ImageRepository resources. Each of these by default can be pointed to any location. In a production environment, it may be desired to restrict these to only known sources to prevent accessing outside sources. This policy verifies that each of the Flux sources comes from a trusted location. - - Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ -annotations: - kyverno/category: "Flux in CEL" - kyverno/kubernetesVersion: "1.26-1.27" - kyverno/subject: "GitRepository, Bucket, HelmRepository, ImageRepository" -digest: 0199445c867ee1e79d766a18fcd11b14b5107e7c2c541645f6ceea8df4e34dac -createdAt: "2024-05-11T15:02:04Z" - diff --git a/flux-cel/verify-flux-sources/verify-flux-sources.yaml b/flux-cel/verify-flux-sources/verify-flux-sources.yaml deleted file mode 100644 index 5344211b6..000000000 --- a/flux-cel/verify-flux-sources/verify-flux-sources.yaml +++ /dev/null 
@@ -1,99 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: verify-flux-sources - annotations: - policies.kyverno.io/title: Verify Flux Sources in CEL expressions - policies.kyverno.io/category: Flux in CEL - policies.kyverno.io/severity: medium - kyverno.io/kyverno-version: 1.11.0 - policies.kyverno.io/minversion: 1.11.0 - kyverno.io/kubernetes-version: "1.26-1.27" - policies.kyverno.io/subject: GitRepository, Bucket, HelmRepository, ImageRepository - policies.kyverno.io/description: >- - Flux source APIs include a number of different sources such as - GitRepository, Bucket, HelmRepository, and ImageRepository resources. Each of these - by default can be pointed to any location. In a production environment, - it may be desired to restrict these to only known sources to prevent - accessing outside sources. This policy verifies that each of the Flux - sources comes from a trusted location. -spec: - validationFailureAction: Audit - rules: - - name: flux-github-repositories - match: - any: - - resources: - kinds: - - GitRepository - operations: - - CREATE - - UPDATE - exclude: - any: - - resources: - namespaces: - - flux-system - validate: - cel: - expressions: - - expression: "object.spec.url.startsWith('https://github.com/myorg/') || object.spec.url.startsWith('ssh://git@github.com:myorg/')" - message: ".spec.url must be from a repository within the myorg organization." - - name: flux-buckets - match: - any: - - resources: - kinds: - - Bucket - operations: - - CREATE - - UPDATE - exclude: - any: - - resources: - namespaces: - - flux-system - validate: - cel: - expressions: - - expression: "object.spec.?endpoint.orValue('').endsWith('.myorg.com')" - message: ".spec.endpoint must reference an address within the myorg organization." 
- - name: flux-helm-repositories - match: - any: - - resources: - kinds: - - HelmRepository - operations: - - CREATE - - UPDATE - exclude: - any: - - resources: - namespaces: - - flux-system - validate: - cel: - expressions: - - expression: "object.spec.url.matches('^https://[a-zA-Z0-9-]+[.]myorg[.]com/.*$')" - message: ".spec.url must be from a repository within the myorg organization." - - name: flux-image-repositories - match: - any: - - resources: - kinds: - - ImageRepository - operations: - - CREATE - - UPDATE - exclude: - any: - - resources: - namespaces: - - flux-system - validate: - cel: - expressions: - - expression: "object.spec.?image.orValue('').startsWith('ghcr.io/myorg/')" - message: ".spec.image must be from an image repository within the myorg organization." - diff --git a/flux-cel/verify-git-repositories/.chainsaw-test-rename-after-issue-10313-fix/bad-gitrepositories.yaml b/flux-cel/verify-git-repositories/.chainsaw-test-rename-after-issue-10313-fix/bad-gitrepositories.yaml deleted file mode 100644 index 035895270..000000000 --- a/flux-cel/verify-git-repositories/.chainsaw-test-rename-after-issue-10313-fix/bad-gitrepositories.yaml +++ /dev/null @@ -1,15 +0,0 @@ -apiVersion: source.toolkit.fluxcd.io/v1 -kind: GitRepository -metadata: - name: bad-gitrepo-01 -spec: - interval: 5m0s - url: https://github.com/kyverno/foo ---- -apiVersion: source.toolkit.fluxcd.io/v1 -kind: GitRepository -metadata: - name: bad-gitrepo-02 -spec: - interval: 5m0s - url: ssh://git@github.com:kyverno/bar \ No newline at end of file diff --git a/flux-cel/verify-git-repositories/.chainsaw-test-rename-after-issue-10313-fix/bad.yaml b/flux-cel/verify-git-repositories/.chainsaw-test-rename-after-issue-10313-fix/bad.yaml deleted file mode 100644 index 035895270..000000000 --- a/flux-cel/verify-git-repositories/.chainsaw-test-rename-after-issue-10313-fix/bad.yaml +++ /dev/null 
@@ -1,15 +0,0 @@ -apiVersion: source.toolkit.fluxcd.io/v1 -kind: GitRepository -metadata: - name: bad-gitrepo-01 -spec: - interval: 5m0s - url: https://github.com/kyverno/foo ---- -apiVersion: source.toolkit.fluxcd.io/v1 -kind: GitRepository -metadata: - name: bad-gitrepo-02 -spec: - interval: 5m0s - url: ssh://git@github.com:kyverno/bar \ No newline at end of file diff --git a/flux-cel/verify-git-repositories/.chainsaw-test-rename-after-issue-10313-fix/chainsaw-test-rename-after-issue-10313-fix.yaml b/flux-cel/verify-git-repositories/.chainsaw-test-rename-after-issue-10313-fix/chainsaw-test-rename-after-issue-10313-fix.yaml deleted file mode 100644 index 43dbc87b0..000000000 --- a/flux-cel/verify-git-repositories/.chainsaw-test-rename-after-issue-10313-fix/chainsaw-test-rename-after-issue-10313-fix.yaml +++ /dev/null @@ -1,31 +0,0 @@ -apiVersion: chainsaw.kyverno.io/v1alpha1 -kind: Test -metadata: - name: verify-git-repositories -spec: - steps: - - name: 01 - Create policy and verify - try: - - apply: - file: ../verify-git-repositories.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: verify-git-repositories - spec: - validationFailureAction: Enforce - - assert: - file: policy-ready.yaml - - name: 02 - Create good GitRepository - try: - - apply: - file: good-gitrepositories.yaml - - name: 03 - Create bad GitRepository - try: - - apply: - file: bad-gitrepositories.yaml - expect: - - check: - ($error != null): true diff --git a/flux-cel/verify-git-repositories/.chainsaw-test-rename-after-issue-10313-fix/good-gitrepositories.yaml b/flux-cel/verify-git-repositories/.chainsaw-test-rename-after-issue-10313-fix/good-gitrepositories.yaml deleted file mode 100644 index e4ef8599c..000000000 --- a/flux-cel/verify-git-repositories/.chainsaw-test-rename-after-issue-10313-fix/good-gitrepositories.yaml +++ /dev/null 
@@ -1,15 +0,0 @@ -apiVersion: source.toolkit.fluxcd.io/v1 -kind: GitRepository -metadata: - name: good-gitrepo-01 -spec: - interval: 5m0s - url: https://github.com/fluxcd/foo ---- -apiVersion: source.toolkit.fluxcd.io/v1 -kind: GitRepository -metadata: - name: good-gitrepo-02 -spec: - interval: 5m0s - url: ssh://git@github.com:fluxcd/bar \ No newline at end of file diff --git a/flux-cel/verify-git-repositories/.chainsaw-test-rename-after-issue-10313-fix/good.yaml b/flux-cel/verify-git-repositories/.chainsaw-test-rename-after-issue-10313-fix/good.yaml deleted file mode 100644 index e4ef8599c..000000000 --- a/flux-cel/verify-git-repositories/.chainsaw-test-rename-after-issue-10313-fix/good.yaml +++ /dev/null @@ -1,15 +0,0 @@ -apiVersion: source.toolkit.fluxcd.io/v1 -kind: GitRepository -metadata: - name: good-gitrepo-01 -spec: - interval: 5m0s - url: https://github.com/fluxcd/foo ---- -apiVersion: source.toolkit.fluxcd.io/v1 -kind: GitRepository -metadata: - name: good-gitrepo-02 -spec: - interval: 5m0s - url: ssh://git@github.com:fluxcd/bar \ No newline at end of file diff --git a/flux-cel/verify-git-repositories/.chainsaw-test-rename-after-issue-10313-fix/policy-ready.yaml b/flux-cel/verify-git-repositories/.chainsaw-test-rename-after-issue-10313-fix/policy-ready.yaml deleted file mode 100644 index 5155b9eeb..000000000 --- a/flux-cel/verify-git-repositories/.chainsaw-test-rename-after-issue-10313-fix/policy-ready.yaml +++ /dev/null @@ -1,9 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: verify-git-repositories -status: - conditions: - - reason: Succeeded - status: "True" - type: Ready diff --git a/flux-cel/verify-git-repositories/.kyverno-test/kyverno-test.yaml b/flux-cel/verify-git-repositories/.kyverno-test/kyverno-test.yaml deleted file mode 100644 index e15021fd6..000000000 --- a/flux-cel/verify-git-repositories/.kyverno-test/kyverno-test.yaml +++ /dev/null 
@@ -1,25 +0,0 @@ -apiVersion: cli.kyverno.io/v1alpha1 -kind: Test -metadata: - name: verify-git-repositories -policies: -- ../verify-git-repositories.yaml -resources: -- ../.chainsaw-test-rename-after-issue-10313-fix/good-gitrepositories.yaml -- ../.chainsaw-test-rename-after-issue-10313-fix/bad-gitrepositories.yaml -results: -- policy: verify-git-repositories - rule: github-repositories-only - kind: GitRepository - resources: - - bad-gitrepo-01 - - bad-gitrepo-02 - result: fail -- policy: verify-git-repositories - rule: github-repositories-only - kind: GitRepository - resources: - - good-gitrepo-01 - - good-gitrepo-02 - result: pass - diff --git a/flux-cel/verify-git-repositories/artifacthub-pkg.yml b/flux-cel/verify-git-repositories/artifacthub-pkg.yml deleted file mode 100644 index bdf7ba603..000000000 --- a/flux-cel/verify-git-repositories/artifacthub-pkg.yml +++ /dev/null 
@@ -1,24 +0,0 @@ -name: verify-git-repositories-cel -version: 1.0.0 -displayName: Verify Git Repositories in CEL expressions -description: >- - Ensures that Git repositories used for Flux deployments in a cluster originate from a specific, trusted organization. Prevents the use of untrusted or potentially risky Git repositories. Protects the integrity and security of Flux deployments. -install: |- - ```shell - kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/flux-cel/verify-git-repositories/verify-git-repositories.yaml - ``` -keywords: - - kyverno - - Flux - - CEL Expressions -readme: | - Ensures that Git repositories used for Flux deployments in a cluster originate from a specific, trusted organization. Prevents the use of untrusted or potentially risky Git repositories. Protects the integrity and security of Flux deployments. - - Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ -annotations: - kyverno/category: "Flux in CEL" - kyverno/kubernetesVersion: "1.26-1.27" - kyverno/subject: "GitRepository" -digest: afbbe3a747cf36d5a83bdc425a9a07c2f2da857187aaf8443d74947cb4920926 -createdAt: "2024-05-11T15:08:13Z" - diff --git a/flux-cel/verify-git-repositories/verify-git-repositories.yaml b/flux-cel/verify-git-repositories/verify-git-repositories.yaml deleted file mode 100644 index 5945961f5..000000000 --- a/flux-cel/verify-git-repositories/verify-git-repositories.yaml +++ /dev/null 
@@ -1,39 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: verify-git-repositories - annotations: - policies.kyverno.io/title: Verify Git Repositories in CEL expressions - policies.kyverno.io/category: Flux in CEL - policies.kyverno.io/severity: medium - policies.kyverno.io/minversion: 1.11.0 - kyverno.io/kubernetes-version: "1.26-1.27" - policies.kyverno.io/subject: GitRepository - policies.kyverno.io/description: >- - Ensures that Git repositories used for Flux deployments - in a cluster originate from a specific, trusted organization. - Prevents the use of untrusted or potentially risky Git repositories. - Protects the integrity and security of Flux deployments. -spec: - validationFailureAction: Audit - rules: - - name: github-repositories-only - match: - any: - - resources: - kinds: - - GitRepository - operations: - - CREATE - - UPDATE - exclude: - any: - - resources: - namespaces: - - flux-system - validate: - cel: - expressions: - - expression: "object.spec.url.startsWith('https://github.com/fluxcd/') || object.spec.url.startsWith('ssh://git@github.com:fluxcd/')" - message: .spec.url must be from a repository within the organisation X - diff --git a/flux/generate-flux-multi-tenant-resources/.chainsaw-test/chainsaw-test.yaml b/flux/generate-flux-multi-tenant-resources/.chainsaw-test/chainsaw-test.yaml index 2913966ec..48213ff0f 100755 --- a/flux/generate-flux-multi-tenant-resources/.chainsaw-test/chainsaw-test.yaml +++ b/flux/generate-flux-multi-tenant-resources/.chainsaw-test/chainsaw-test.yaml @@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: diff --git a/flux/generate-flux-multi-tenant-resources/.chainsaw-test/policy-ready.yaml b/flux/generate-flux-multi-tenant-resources/.chainsaw-test/policy-ready.yaml index 24d376cbf..89c55d909 100644 
--- a/flux/generate-flux-multi-tenant-resources/.chainsaw-test/policy-ready.yaml +++ b/flux/generate-flux-multi-tenant-resources/.chainsaw-test/policy-ready.yaml @@ -3,7 +3,4 @@ kind: ClusterPolicy metadata: name: generate-flux-multi-tenant-resources status: - conditions: - - reason: Succeeded - status: "True" - type: Ready + ready: true \ No newline at end of file diff --git a/flux/verify-flux-images/.chainsaw-test/chainsaw-test.yaml b/flux/verify-flux-images/.chainsaw-test/chainsaw-test.yaml deleted file mode 100644 index e6dd226a0..000000000 --- a/flux/verify-flux-images/.chainsaw-test/chainsaw-test.yaml +++ /dev/null 
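Review bot: The new `status.ready: true` assert drops the `type: Ready` / `reason: Succeeded` condition the old assert checked, so it is a coarser readiness signal; if the policy still reports that condition, keeping both `ready: true` and the condition entry gives the stricter check. The same change is made in flux/verify-flux-sources/.chainsaw-test/chainsaw-step-01-assert-1.yaml. This file also now ends without a trailing newline (`\ No newline at end of file`), unlike that sibling assert; add the newline so both files are consistent.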
@@ -1,116 +0,0 @@ -apiVersion: chainsaw.kyverno.io/v1alpha1 -kind: Test -metadata: - name: verify-flux-images -spec: - steps: - - name: 01 - Create policy and verify - try: - - apply: - file: ../verify-flux-images.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: verify-flux-images - spec: - validationFailureAction: Enforce - - assert: - file: policy-ready.yaml - - name: 02 - Discover tag for fluxcd/source-controller and update Pod - try: - - script: - content: | - #!/bin/bash - set -eu - IMAGEREPO=ghcr.io/fluxcd/source-controller - LATESTTAG=$(oras repo tags $IMAGEREPO | egrep "^v[0-9]+.[0-9]+.[0-9]+$" | sort -V | tail -n1) - MANIFEST=pod-ghcr-source-controller.yaml - echo "Latest version of $IMAGEREPO is $LATESTTAG" - sed -i "s/replacethistag/${LATESTTAG}/g" $MANIFEST - echo "Replaced image is now $(yq e .spec.containers[0].image $MANIFEST)" - - name: 03 - Verify fluxcd/source-controller - try: - - apply: - file: pod-ghcr-source-controller.yaml - - name: 04 - Discover tag for fluxcd/kustomize-controller and update Pod - try: - - script: - content: | - #!/bin/bash - set -eu - IMAGEREPO=ghcr.io/fluxcd/kustomize-controller - LATESTTAG=$(oras repo tags $IMAGEREPO | egrep "^v[0-9]+.[0-9]+.[0-9]+$" | sort -V | tail -n1) - MANIFEST=pod-ghcr-kustomize-controller.yaml - echo "Latest version of $IMAGEREPO is $LATESTTAG" - sed -i "s/replacethistag/${LATESTTAG}/g" $MANIFEST - echo "Replaced image is now $(yq e .spec.containers[0].image $MANIFEST)" - - name: 05 - Verify fluxcd/kustomize-controller - try: - - apply: - file: pod-ghcr-kustomize-controller.yaml - - name: 06 - Discover tag for fluxcd/helm-controller and update Pod - try: - - script: - content: | - #!/bin/bash - set -eu - IMAGEREPO=ghcr.io/fluxcd/helm-controller - LATESTTAG=$(oras repo tags $IMAGEREPO | egrep "^v[0-9]+.[0-9]+.[0-9]+$" | sort -V | tail -n1) - MANIFEST=pod-ghcr-helm-controller.yaml - echo "Latest version of $IMAGEREPO is $LATESTTAG" - sed -i 
"s/replacethistag/${LATESTTAG}/g" $MANIFEST - echo "Replaced image is now $(yq e .spec.containers[0].image $MANIFEST)" - - name: 07 - Verify fluxcd/helm-controller - try: - - apply: - file: pod-ghcr-helm-controller.yaml - - name: 08 - Discover tag for fluxcd/notification-controller and update Pod - try: - - script: - content: | - #!/bin/bash - set -eu - IMAGEREPO=ghcr.io/fluxcd/notification-controller - LATESTTAG=$(oras repo tags $IMAGEREPO | egrep "^v[0-9]+.[0-9]+.[0-9]+$" | sort -V | tail -n1) - MANIFEST=pod-ghcr-notification-controller.yaml - echo "Latest version of $IMAGEREPO is $LATESTTAG" - sed -i "s/replacethistag/${LATESTTAG}/g" $MANIFEST - echo "Replaced image is now $(yq e .spec.containers[0].image $MANIFEST)" - - name: 09 - Verify fluxcd/notification-controller - try: - - apply: - file: pod-ghcr-notification-controller.yaml - - name: 10 - Discover tag for fluxcd/image-reflector-controller and update Pod - try: - - script: - content: | - #!/bin/bash - set -eu - IMAGEREPO=ghcr.io/fluxcd/image-reflector-controller - LATESTTAG=$(oras repo tags $IMAGEREPO | egrep "^v[0-9]+.[0-9]+.[0-9]+$" | sort -V | tail -n1) - MANIFEST=pod-ghcr-image-reflector-controller.yaml - echo "Latest version of $IMAGEREPO is $LATESTTAG" - sed -i "s/replacethistag/${LATESTTAG}/g" $MANIFEST - echo "Replaced image is now $(yq e .spec.containers[0].image $MANIFEST)" - - name: 11 - Verify fluxcd/image-reflector-controller - try: - - apply: - file: pod-ghcr-image-reflector-controller.yaml - - name: 12 - Discover tag for fluxcd/image-automation-controller and update Pod - try: - - script: - content: | - #!/bin/bash - set -eu - IMAGEREPO=ghcr.io/fluxcd/image-automation-controller - LATESTTAG=$(oras repo tags $IMAGEREPO | egrep "^v[0-9]+.[0-9]+.[0-9]+$" | sort -V | tail -n1) - MANIFEST=pod-ghcr-image-automation-controller.yaml - echo "Latest version of $IMAGEREPO is $LATESTTAG" - sed -i "s/replacethistag/${LATESTTAG}/g" $MANIFEST - echo "Replaced image is now $(yq e .spec.containers[0].image 
$MANIFEST)" - - name: 13 - Verify fluxcd/image-automation-controller - try: - - apply: - file: pod-ghcr-image-automation-controller.yaml diff --git a/flux/verify-flux-images/.chainsaw-test/pod-ghcr-helm-controller.yaml b/flux/verify-flux-images/.chainsaw-test/pod-ghcr-helm-controller.yaml deleted file mode 100644 index c07d98031..000000000 --- a/flux/verify-flux-images/.chainsaw-test/pod-ghcr-helm-controller.yaml +++ /dev/null @@ -1,8 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: pod-ghcr-helm-controller -spec: - containers: - - name: pod-ghcr-helm-controller - image: ghcr.io/fluxcd/helm-controller:replacethistag \ No newline at end of file diff --git a/flux/verify-flux-images/.chainsaw-test/pod-ghcr-image-automation-controller.yaml b/flux/verify-flux-images/.chainsaw-test/pod-ghcr-image-automation-controller.yaml deleted file mode 100644 index bf0dcef8e..000000000 --- a/flux/verify-flux-images/.chainsaw-test/pod-ghcr-image-automation-controller.yaml +++ /dev/null @@ -1,8 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: pod-ghcr-image-automation-controller -spec: - containers: - - name: pod-ghcr-image-automation-controller - image: ghcr.io/fluxcd/image-automation-controller:replacethistag \ No newline at end of file diff --git a/flux/verify-flux-images/.chainsaw-test/pod-ghcr-image-reflector-controller.yaml b/flux/verify-flux-images/.chainsaw-test/pod-ghcr-image-reflector-controller.yaml deleted file mode 100644 index 1653f8e12..000000000 --- a/flux/verify-flux-images/.chainsaw-test/pod-ghcr-image-reflector-controller.yaml +++ /dev/null @@ -1,8 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: pod-ghcr-image-reflector-controller -spec: - containers: - - name: pod-ghcr-image-reflector-controller - image: ghcr.io/fluxcd/image-reflector-controller:replacethistag \ No newline at end of file 
diff --git a/flux/verify-flux-images/.chainsaw-test/pod-ghcr-kustomize-controller.yaml b/flux/verify-flux-images/.chainsaw-test/pod-ghcr-kustomize-controller.yaml deleted file mode 100644 index e3a48659f..000000000 --- a/flux/verify-flux-images/.chainsaw-test/pod-ghcr-kustomize-controller.yaml +++ /dev/null @@ -1,8 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: pod-ghcr-kustomize-controller -spec: - containers: - - name: pod-ghcr-kustomize-controller - image: ghcr.io/fluxcd/kustomize-controller:replacethistag \ No newline at end of file diff --git a/flux/verify-flux-images/.chainsaw-test/pod-ghcr-notification-controller.yaml b/flux/verify-flux-images/.chainsaw-test/pod-ghcr-notification-controller.yaml deleted file mode 100644 index a6edca36d..000000000 --- a/flux/verify-flux-images/.chainsaw-test/pod-ghcr-notification-controller.yaml +++ /dev/null @@ -1,8 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: pod-ghcr-notification-controller -spec: - containers: - - name: pod-ghcr-notification-controller - image: ghcr.io/fluxcd/notification-controller:replacethistag \ No newline at end of file diff --git a/flux/verify-flux-images/.chainsaw-test/pod-ghcr-source-controller.yaml b/flux/verify-flux-images/.chainsaw-test/pod-ghcr-source-controller.yaml deleted file mode 100644 index 7e14fb532..000000000 --- a/flux/verify-flux-images/.chainsaw-test/pod-ghcr-source-controller.yaml +++ /dev/null @@ -1,8 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: pod-ghcr-source-controller -spec: - containers: - - name: pod-ghcr-source-controller - image: ghcr.io/fluxcd/source-controller:replacethistag \ No newline at end of file diff --git a/flux/verify-flux-images/.chainsaw-test/policy-ready.yaml b/flux/verify-flux-images/.chainsaw-test/policy-ready.yaml deleted file mode 100644 index da74467e6..000000000 --- a/flux/verify-flux-images/.chainsaw-test/policy-ready.yaml +++ /dev/null 
@@ -1,9 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: verify-flux-images -status: - conditions: - - reason: Succeeded - status: "True" - type: Ready diff --git a/flux/verify-flux-images/artifacthub-pkg.yml b/flux/verify-flux-images/artifacthub-pkg.yml deleted file mode 100644 index c96173631..000000000 --- a/flux/verify-flux-images/artifacthub-pkg.yml +++ /dev/null @@ -1,22 +0,0 @@ -name: verify-flux-images -version: 1.0.0 -displayName: Verify Flux Images -createdAt: "2024-03-01T06:00:33.000Z" -description: >- - Ensures that container images used to run Flux controllers in the cluster are signed with valid Cosign signatures. Prevents the deployment of untrusted or potentially compromised Flux images. Protects the integrity and security of the Flux deployment process. -install: |- - ```shell - kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/flux/verify-flux-images/verify-flux-images.yaml - ``` -keywords: - - kyverno - - Flux -readme: | - Ensures that container images used to run Flux controllers in the cluster are signed with valid Cosign signatures. Prevents the deployment of untrusted or potentially compromised Flux images. Protects the integrity and security of the Flux deployment process. - - Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ -annotations: - kyverno/category: "Flux" - kyverno/kubernetesVersion: "1.23" - kyverno/subject: "Pod" -digest: 2c2cd329a65c5a989701d1ab63f1953851ab151605c033c1e89d521b144feadc \ No newline at end of file diff --git a/flux/verify-flux-images/verify-flux-images.yaml b/flux/verify-flux-images/verify-flux-images.yaml deleted file mode 100644 index 615d674c5..000000000 --- a/flux/verify-flux-images/verify-flux-images.yaml +++ /dev/null 
@@ -1,50 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: verify-flux-images - annotations: - policies.kyverno.io/title: Verify Flux Images - policies.kyverno.io/category: Flux - policies.kyverno.io/severity: medium - kyverno.io/kyverno-version: 1.6.2 - policies.kyverno.io/minversion: 1.6.0 - kyverno.io/kubernetes-version: "1.23" - policies.kyverno.io/subject: GitRepository - policies.kyverno.io/description: >- - Ensures that container images used to run Flux controllers in the cluster - are signed with valid Cosign signatures. Prevents the deployment of untrusted - or potentially compromised Flux images. Protects the integrity and security - of the Flux deployment process. -spec: - validationFailureAction: Audit - background: false - rules: - - name: verify-cosign-signature - match: - any: - - resources: - kinds: - - Pod - verifyImages: - - imageReferences: - - "ghcr.io/fluxcd/source-controller:*" - - "ghcr.io/fluxcd/kustomize-controller:*" - - "ghcr.io/fluxcd/helm-controller:*" - - "ghcr.io/fluxcd/notification-controller:*" - - "ghcr.io/fluxcd/image-reflector-controller:*" - - "ghcr.io/fluxcd/image-automation-controller:*" - - "docker.io/fluxcd/source-controller:*" - - "docker.io/fluxcd/kustomize-controller:*" - - "docker.io/fluxcd/helm-controller:*" - - "docker.io/fluxcd/notification-controller:*" - - "docker.io/fluxcd/image-reflector-controller:*" - - "docker.io/fluxcd/image-automation-controller:*" - mutateDigest: false - verifyDigest: false - attestors: - - entries: - - keyless: - subject: "https://github.com/fluxcd/*" - issuer: "https://token.actions.githubusercontent.com" - rekor: - url: https://rekor.sigstore.dev diff --git a/flux/verify-flux-sources/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/flux/verify-flux-sources/.chainsaw-test/chainsaw-step-01-assert-1.yaml index 262f00af3..30e325f84 100755 --- a/flux/verify-flux-sources/.chainsaw-test/chainsaw-step-01-assert-1.yaml 
+++ b/flux/verify-flux-sources/.chainsaw-test/chainsaw-step-01-assert-1.yaml @@ -3,7 +3,4 @@ kind: ClusterPolicy metadata: name: verify-flux-sources status: - conditions: - - reason: Succeeded - status: "True" - type: Ready + ready: true diff --git a/flux/verify-flux-sources/.chainsaw-test/chainsaw-test.yaml b/flux/verify-flux-sources/.chainsaw-test/chainsaw-test.yaml index bfb02ea30..255e631de 100755 --- a/flux/verify-flux-sources/.chainsaw-test/chainsaw-test.yaml +++ b/flux/verify-flux-sources/.chainsaw-test/chainsaw-test.yaml @@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: @@ -8,16 +7,9 @@ spec: steps: - name: step-01 try: - - apply: - file: ../verify-flux-sources.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: verify-flux-sources - spec: - validationFailureAction: Enforce + - script: + content: | + sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../verify-flux-sources.yaml | kubectl create -f - - assert: file: chainsaw-step-01-assert-1.yaml - assert: @@ -62,3 +54,10 @@ spec: file: repo-good-helm.yaml - apply: file: repo-good-image.yaml + - name: step-99 + try: + - delete: + ref: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: verify-flux-sources diff --git a/flux/verify-flux-sources/.chainsaw-test/repo-bad-git.yaml b/flux/verify-flux-sources/.chainsaw-test/repo-bad-git.yaml index 62998778b..cfaaa89f2 100644 --- a/flux/verify-flux-sources/.chainsaw-test/repo-bad-git.yaml +++ b/flux/verify-flux-sources/.chainsaw-test/repo-bad-git.yaml @@ -1,7 +1,7 @@ apiVersion: source.toolkit.fluxcd.io/v1 kind: GitRepository metadata: - name: bad-gitrepo-01 + name: gitrepo-01 spec: interval: 5m0s url: https://github.com/notmyorg/podinfo \ No newline at end of file 
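Review bot: The step-01 script pins the policy to Enforce by matching the exact string `validationFailureAction: audit`; if the policy file is ever spelled `Audit` again (the casing this commit removes in flux/verify-flux-sources/verify-flux-sources.yaml), sed substitutes nothing, `kubectl create` still succeeds, and the remaining steps run against an audit-only policy without this step raising any error. Anchoring the pattern on the key rather than the value, and starting the script with `set -eu` as the other chainsaw scripts in this repository do, removes that silent path. The new step-99 delete only runs when every preceding step succeeds, so a failing step leaves the ClusterPolicy behind for the next run; chainsaw's per-step `finally:` runs regardless of outcome and is the better home for the delete, which lets step-99 go. The steps between the first and last hunks of this file are outside the diff.
```yaml
    - name: step-01
      try:
        - script:
            content: |
              set -eu
              sed -E 's/^([[:space:]]*validationFailureAction:).*/\1 Enforce/' ../verify-flux-sources.yaml | kubectl create -f -
        # … unchanged: assert operations …
      finally:
        - delete:
            ref:
              apiVersion: kyverno.io/v1
              kind: ClusterPolicy
              name: verify-flux-sources
```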
diff --git a/flux/verify-flux-sources/.chainsaw-test/repo-bad-helm.yaml b/flux/verify-flux-sources/.chainsaw-test/repo-bad-helm.yaml index 11a996a11..aa017599f 100644 --- a/flux/verify-flux-sources/.chainsaw-test/repo-bad-helm.yaml +++ b/flux/verify-flux-sources/.chainsaw-test/repo-bad-helm.yaml @@ -1,7 +1,7 @@ apiVersion: source.toolkit.fluxcd.io/v1beta2 kind: HelmRepository metadata: - name: bad-helmrepo-01 + name: helmrepo-03 spec: interval: 5m0s url: https://helmrepo.github.io/podinfo \ No newline at end of file diff --git a/flux/verify-flux-sources/.chainsaw-test/repo-good-bucket.yaml b/flux/verify-flux-sources/.chainsaw-test/repo-good-bucket.yaml index 0669a4190..b9bedb513 100644 --- a/flux/verify-flux-sources/.chainsaw-test/repo-good-bucket.yaml +++ b/flux/verify-flux-sources/.chainsaw-test/repo-good-bucket.yaml @@ -1,7 +1,7 @@ apiVersion: source.toolkit.fluxcd.io/v1beta2 kind: Bucket metadata: - name: good-bucket-01 + name: bucket-01 spec: interval: 5m0s endpoint: minio.myorg.com @@ -10,7 +10,7 @@ spec: apiVersion: source.toolkit.fluxcd.io/v1beta2 kind: Bucket metadata: - name: good-bucket-02 + name: bucket-02 namespace: flux-system spec: interval: 5m0s diff --git a/flux/verify-flux-sources/.chainsaw-test/repo-good-git.yaml b/flux/verify-flux-sources/.chainsaw-test/repo-good-git.yaml index e98df9e9c..8178ad444 100644 --- a/flux/verify-flux-sources/.chainsaw-test/repo-good-git.yaml +++ b/flux/verify-flux-sources/.chainsaw-test/repo-good-git.yaml @@ -1,7 +1,7 @@ apiVersion: source.toolkit.fluxcd.io/v1 kind: GitRepository metadata: - name: good-gitrepo-01 + name: gitrepo-01 spec: interval: 5m0s url: https://github.com/myorg/podinfo @@ -9,7 +9,7 @@ spec: apiVersion: source.toolkit.fluxcd.io/v1 kind: GitRepository metadata: - name: good-gitrepo-02 + name: gitrepo-02 spec: interval: 5m0s url: ssh://git@github.com:myorg/podinfo 
@@ -17,7 +17,7 @@ spec: apiVersion: source.toolkit.fluxcd.io/v1 kind: GitRepository metadata: - name: good-gitrepo-03 + name: gitrepo-03 namespace: flux-system spec: interval: 5m0s diff --git a/flux/verify-flux-sources/.chainsaw-test/repo-good-helm.yaml b/flux/verify-flux-sources/.chainsaw-test/repo-good-helm.yaml index 17b32fd4c..a1b57a1c4 100644 --- a/flux/verify-flux-sources/.chainsaw-test/repo-good-helm.yaml +++ b/flux/verify-flux-sources/.chainsaw-test/repo-good-helm.yaml @@ -1,7 +1,7 @@ apiVersion: source.toolkit.fluxcd.io/v1beta2 kind: HelmRepository metadata: - name: good-helmrepo-01 + name: helmrepo-01 spec: interval: 5m0s url: https://helmrepo.myorg.com/podinfo @@ -9,7 +9,7 @@ spec: apiVersion: source.toolkit.fluxcd.io/v1beta2 kind: HelmRepository metadata: - name: good-helmrepo-02 + name: helmrepo-02 namespace: flux-system spec: interval: 5m0s diff --git a/flux/verify-flux-sources/.chainsaw-test/repo-good-image.yaml b/flux/verify-flux-sources/.chainsaw-test/repo-good-image.yaml index beebfd1aa..a4075d163 100644 --- a/flux/verify-flux-sources/.chainsaw-test/repo-good-image.yaml +++ b/flux/verify-flux-sources/.chainsaw-test/repo-good-image.yaml @@ -1,7 +1,7 @@ apiVersion: image.toolkit.fluxcd.io/v1beta2 kind: ImageRepository metadata: - name: good-imagerepo-01 + name: imagerepo-01 spec: image: ghcr.io/myorg/ interval: 1h @@ -10,7 +10,7 @@ spec: apiVersion: image.toolkit.fluxcd.io/v1beta2 kind: ImageRepository metadata: - name: good-imagerepo-02 + name: imagerepo-02 namespace: flux-system spec: image: nothing.io/notmyorg/ diff --git a/flux/verify-flux-sources/.kyverno-test/kyverno-test.yaml b/flux/verify-flux-sources/.kyverno-test/kyverno-test.yaml deleted file mode 100644 index e455f191c..000000000 --- a/flux/verify-flux-sources/.kyverno-test/kyverno-test.yaml +++ /dev/null 
@@ -1,66 +0,0 @@ -apiVersion: cli.kyverno.io/v1alpha1 -kind: Test -metadata: - name: verify-flux-sources -policies: -- ../verify-flux-sources.yaml -resources: -- ../.chainsaw-test/repo-bad-bucket.yaml -- ../.chainsaw-test/repo-bad-git.yaml -- ../.chainsaw-test/repo-bad-helm.yaml -- ../.chainsaw-test/repo-bad-image.yaml -- ../.chainsaw-test/repo-good-bucket.yaml -- ../.chainsaw-test/repo-good-git.yaml -- ../.chainsaw-test/repo-good-helm.yaml -- ../.chainsaw-test/repo-good-image.yaml -results: -- policy: verify-flux-sources - rule: flux-github-repositories - kind: GitRepository - resources: - - bad-gitrepo-01 - result: fail -- policy: verify-flux-sources - rule: flux-github-repositories - kind: GitRepository - resources: - - good-gitrepo-01 - - good-gitrepo-02 - result: pass -- policy: verify-flux-sources - rule: flux-buckets - kind: Bucket - resources: - - bucket-bad - result: fail -- policy: verify-flux-sources - rule: flux-buckets - kind: Bucket - resources: - - good-bucket-01 - result: pass -- policy: verify-flux-sources - rule: flux-helm-repositories - kind: HelmRepository - resources: - - bad-helmrepo-01 - result: fail -- policy: verify-flux-sources - rule: flux-helm-repositories - kind: HelmRepository - resources: - - good-helmrepo-01 - result: pass -- policy: verify-flux-sources - rule: flux-image-repositories - kind: ImageRepository - resources: - - imagerepo-bad - result: fail -- policy: verify-flux-sources - rule: flux-image-repositories - kind: ImageRepository - resources: - - good-imagerepo-01 - result: pass - diff --git a/flux/verify-flux-sources/artifacthub-pkg.yml b/flux/verify-flux-sources/artifacthub-pkg.yml index e595d546b..76a55c33c 100644 --- a/flux/verify-flux-sources/artifacthub-pkg.yml +++ b/flux/verify-flux-sources/artifacthub-pkg.yml 
@@ -19,4 +19,4 @@ annotations: kyverno/category: "Flux" kyverno/kubernetesVersion: "1.23" kyverno/subject: "GitRepository, Bucket, HelmRepository, ImageRepository" -digest: 36729a3f5f13572a543a7326be1dbd83323b17b24c78777ea86e318065d58f7b +digest: 7bd73534dccd558c7114c3c3cf09d03d9ca98a13096dca0a7f44b5b11b55ae84 diff --git a/flux/verify-flux-sources/verify-flux-sources.yaml b/flux/verify-flux-sources/verify-flux-sources.yaml index fd512ea49..f21f782ad 100644 --- a/flux/verify-flux-sources/verify-flux-sources.yaml +++ b/flux/verify-flux-sources/verify-flux-sources.yaml @@ -18,7 +18,7 @@ metadata: accessing outside sources. This policy verifies that each of the Flux sources comes from a trusted location. spec: - validationFailureAction: Audit + validationFailureAction: audit rules: - name: flux-github-repositories match: diff --git a/flux/verify-git-repositories/.chainsaw-test/bad-gitrepositories.yaml b/flux/verify-git-repositories/.chainsaw-test/bad-gitrepositories.yaml deleted file mode 100644 index 035895270..000000000 --- a/flux/verify-git-repositories/.chainsaw-test/bad-gitrepositories.yaml +++ /dev/null @@ -1,15 +0,0 @@ -apiVersion: source.toolkit.fluxcd.io/v1 -kind: GitRepository -metadata: - name: bad-gitrepo-01 -spec: - interval: 5m0s - url: https://github.com/kyverno/foo ---- -apiVersion: source.toolkit.fluxcd.io/v1 -kind: GitRepository -metadata: - name: bad-gitrepo-02 -spec: - interval: 5m0s - url: ssh://git@github.com:kyverno/bar \ No newline at end of file diff --git a/flux/verify-git-repositories/.chainsaw-test/bad.yaml b/flux/verify-git-repositories/.chainsaw-test/bad.yaml deleted file mode 100644 index 035895270..000000000 --- a/flux/verify-git-repositories/.chainsaw-test/bad.yaml +++ /dev/null 
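Review bot: The `validationFailureAction: audit` line in the verify-flux-sources.yaml hunk switches this field to the older lowercase spelling while every other policy and chainsaw patch visible in this diff keeps the capitalized `Audit`/`Enforce`, so the repository ends up with two spellings of one enum on a field that decides whether untrusted Flux sources are blocked or only reported. If the Kyverno release these policies target no longer accepts the lowercase value, the ClusterPolicy would be rejected at apply time and the Flux source check would be absent entirely rather than merely audited; this is inferred from the enum mismatch, so confirm it against the target version's ClusterPolicy CRD before merging. Unless the lowercase form is deliberate, keeping `validationFailureAction: Audit` is the consistent choice; if it is deliberate, a comment above the line such as `# legacy lowercase spelling kept on purpose; see the other policies before changing` would stop the next contributor from flipping it back. The digest bump in artifacthub-pkg.yml in the preceding hunk presumably tracks this same edit and would need regenerating if the spelling is reverted. The ClusterPolicy's metadata and rules continue outside this hunk.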
@@ -1,15 +0,0 @@ -apiVersion: source.toolkit.fluxcd.io/v1 -kind: GitRepository -metadata: - name: bad-gitrepo-01 -spec: - interval: 5m0s - url: https://github.com/kyverno/foo ---- -apiVersion: source.toolkit.fluxcd.io/v1 -kind: GitRepository -metadata: - name: bad-gitrepo-02 -spec: - interval: 5m0s - url: ssh://git@github.com:kyverno/bar \ No newline at end of file diff --git a/flux/verify-git-repositories/.chainsaw-test/chainsaw-test.yaml b/flux/verify-git-repositories/.chainsaw-test/chainsaw-test.yaml deleted file mode 100644 index 43dbc87b0..000000000 --- a/flux/verify-git-repositories/.chainsaw-test/chainsaw-test.yaml +++ /dev/null @@ -1,31 +0,0 @@ -apiVersion: chainsaw.kyverno.io/v1alpha1 -kind: Test -metadata: - name: verify-git-repositories -spec: - steps: - - name: 01 - Create policy and verify - try: - - apply: - file: ../verify-git-repositories.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: verify-git-repositories - spec: - validationFailureAction: Enforce - - assert: - file: policy-ready.yaml - - name: 02 - Create good GitRepository - try: - - apply: - file: good-gitrepositories.yaml - - name: 03 - Create bad GitRepository - try: - - apply: - file: bad-gitrepositories.yaml - expect: - - check: - ($error != null): true diff --git a/flux/verify-git-repositories/.chainsaw-test/good-gitrepositories.yaml b/flux/verify-git-repositories/.chainsaw-test/good-gitrepositories.yaml deleted file mode 100644 index e4ef8599c..000000000 --- a/flux/verify-git-repositories/.chainsaw-test/good-gitrepositories.yaml +++ /dev/null @@ -1,15 +0,0 @@ -apiVersion: source.toolkit.fluxcd.io/v1 -kind: GitRepository -metadata: - name: good-gitrepo-01 -spec: - interval: 5m0s - url: https://github.com/fluxcd/foo ---- -apiVersion: source.toolkit.fluxcd.io/v1 -kind: GitRepository -metadata: - name: good-gitrepo-02 -spec: - interval: 5m0s - url: ssh://git@github.com:fluxcd/bar \ No newline at end of file 
diff --git a/flux/verify-git-repositories/.chainsaw-test/good.yaml b/flux/verify-git-repositories/.chainsaw-test/good.yaml deleted file mode 100644 index e4ef8599c..000000000 --- a/flux/verify-git-repositories/.chainsaw-test/good.yaml +++ /dev/null @@ -1,15 +0,0 @@ -apiVersion: source.toolkit.fluxcd.io/v1 -kind: GitRepository -metadata: - name: good-gitrepo-01 -spec: - interval: 5m0s - url: https://github.com/fluxcd/foo ---- -apiVersion: source.toolkit.fluxcd.io/v1 -kind: GitRepository -metadata: - name: good-gitrepo-02 -spec: - interval: 5m0s - url: ssh://git@github.com:fluxcd/bar \ No newline at end of file diff --git a/flux/verify-git-repositories/.chainsaw-test/policy-ready.yaml b/flux/verify-git-repositories/.chainsaw-test/policy-ready.yaml deleted file mode 100644 index 5155b9eeb..000000000 --- a/flux/verify-git-repositories/.chainsaw-test/policy-ready.yaml +++ /dev/null @@ -1,9 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: verify-git-repositories -status: - conditions: - - reason: Succeeded - status: "True" - type: Ready diff --git a/flux/verify-git-repositories/.kyverno-test/kyverno-test.yaml b/flux/verify-git-repositories/.kyverno-test/kyverno-test.yaml deleted file mode 100644 index 91bae26eb..000000000 --- a/flux/verify-git-repositories/.kyverno-test/kyverno-test.yaml +++ /dev/null @@ -1,25 +0,0 @@ -apiVersion: cli.kyverno.io/v1alpha1 -kind: Test -metadata: - name: verify-git-repositories -policies: -- ../verify-git-repositories.yaml -resources: -- ../.chainsaw-test/good-gitrepositories.yaml -- ../.chainsaw-test/bad-gitrepositories.yaml -results: -- policy: verify-git-repositories - rule: github-repositories-only - kind: GitRepository - resources: - - bad-gitrepo-01 - - bad-gitrepo-02 - result: fail -- policy: verify-git-repositories - rule: github-repositories-only - kind: GitRepository - resources: - - good-gitrepo-01 - - good-gitrepo-02 - result: pass - 
diff --git a/flux/verify-git-repositories/artifacthub-pkg.yml b/flux/verify-git-repositories/artifacthub-pkg.yml deleted file mode 100644 index b56836c11..000000000 --- a/flux/verify-git-repositories/artifacthub-pkg.yml +++ /dev/null @@ -1,22 +0,0 @@ -name: verify-git-repositories -version: 1.0.0 -displayName: Verify Git Repositories -createdAt: "2024-03-01T06:00:33.000Z" -description: >- - Ensures that Git repositories used for Flux deployments in a cluster originate from a specific, trusted organization. Prevents the use of untrusted or potentially risky Git repositories. Protects the integrity and security of Flux deployments. -install: |- - ```shell - kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/flux/verify-git-repositories/verify-git-repositories.yaml - ``` -keywords: - - kyverno - - Flux -readme: | - Ensures that Git repositories used for Flux deployments in a cluster originate from a specific, trusted organization. Prevents the use of untrusted or potentially risky Git repositories. Protects the integrity and security of Flux deployments. - - Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ -annotations: - kyverno/category: "Flux" - kyverno/kubernetesVersion: "1.23" - kyverno/subject: "GitRepository" -digest: 393d591c71b50d5a878a117544705691e6a342f84d02c8b4b6aeeda640e0cac4 \ No newline at end of file diff --git a/flux/verify-git-repositories/verify-git-repositories.yaml b/flux/verify-git-repositories/verify-git-repositories.yaml deleted file mode 100644 index 0c2a830a9..000000000 --- a/flux/verify-git-repositories/verify-git-repositories.yaml +++ /dev/null 
@@ -1,34 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: verify-git-repositories - annotations: - policies.kyverno.io/title: Verify Git Repositories - policies.kyverno.io/category: Flux - policies.kyverno.io/severity: medium - kyverno.io/kubernetes-version: "1.23" - policies.kyverno.io/subject: GitRepository - policies.kyverno.io/description: >- - Ensures that Git repositories used for Flux deployments - in a cluster originate from a specific, trusted organization. - Prevents the use of untrusted or potentially risky Git repositories. - Protects the integrity and security of Flux deployments. -spec: - validationFailureAction: Audit - rules: - - name: github-repositories-only - match: - any: - - resources: - kinds: - - GitRepository - exclude: - any: - - resources: - namespaces: - - flux-system - validate: - message: .spec.url must be from a repository within the organisation X - pattern: - spec: - url: https://github.com/fluxcd/?* | ssh://git@github.com:fluxcd/?* diff --git a/istio-cel/enforce-sidecar-injection-namespace/.chainsaw-test/chainsaw-test.yaml b/istio-cel/enforce-sidecar-injection-namespace/.chainsaw-test/chainsaw-test.yaml deleted file mode 100755 index c160abb64..000000000 --- a/istio-cel/enforce-sidecar-injection-namespace/.chainsaw-test/chainsaw-test.yaml +++ /dev/null 
@@ -1,41 +0,0 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json -apiVersion: chainsaw.kyverno.io/v1alpha1 -kind: Test -metadata: - creationTimestamp: null - name: enforce-sidecar-injection-namespace -spec: - steps: - - name: step-01 - try: - - apply: - file: ../enforce-sidecar-injection-namespace.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: enforce-sidecar-injection-namespace - spec: - validationFailureAction: Enforce - - assert: - file: policy-ready.yaml - - name: step-02 - try: - - apply: - file: ns-good.yaml - - apply: - expect: - - check: - ($error != null): true - file: ns-bad-disabled.yaml - - apply: - expect: - - check: - ($error != null): true - file: ns-bad-nolabel.yaml - - apply: - expect: - - check: - ($error != null): true - file: ns-bad-somelabel.yaml diff --git a/istio-cel/enforce-sidecar-injection-namespace/.chainsaw-test/ns-bad-disabled.yaml b/istio-cel/enforce-sidecar-injection-namespace/.chainsaw-test/ns-bad-disabled.yaml deleted file mode 100644 index 0eec7ea44..000000000 --- a/istio-cel/enforce-sidecar-injection-namespace/.chainsaw-test/ns-bad-disabled.yaml +++ /dev/null @@ -1,6 +0,0 @@ -apiVersion: v1 -kind: Namespace -metadata: - labels: - istio-injection: disabled - name: bad-istio-sinj01 \ No newline at end of file diff --git a/istio-cel/enforce-sidecar-injection-namespace/.chainsaw-test/ns-bad-nolabel.yaml b/istio-cel/enforce-sidecar-injection-namespace/.chainsaw-test/ns-bad-nolabel.yaml deleted file mode 100644 index 4caa0efdb..000000000 --- a/istio-cel/enforce-sidecar-injection-namespace/.chainsaw-test/ns-bad-nolabel.yaml +++ /dev/null @@ -1,4 +0,0 @@ -apiVersion: v1 -kind: Namespace -metadata: - name: bad-istio-sinj03 \ No newline at end of file 
diff --git a/istio-cel/enforce-sidecar-injection-namespace/.chainsaw-test/ns-bad-somelabel.yaml b/istio-cel/enforce-sidecar-injection-namespace/.chainsaw-test/ns-bad-somelabel.yaml deleted file mode 100644 index d25585d2a..000000000 --- a/istio-cel/enforce-sidecar-injection-namespace/.chainsaw-test/ns-bad-somelabel.yaml +++ /dev/null @@ -1,6 +0,0 @@ -apiVersion: v1 -kind: Namespace -metadata: - labels: - foo: enabled - name: bad-istio-sinj02 \ No newline at end of file diff --git a/istio-cel/enforce-sidecar-injection-namespace/.chainsaw-test/ns-good.yaml b/istio-cel/enforce-sidecar-injection-namespace/.chainsaw-test/ns-good.yaml deleted file mode 100644 index a5f30d2ac..000000000 --- a/istio-cel/enforce-sidecar-injection-namespace/.chainsaw-test/ns-good.yaml +++ /dev/null @@ -1,15 +0,0 @@ -apiVersion: v1 -kind: Namespace -metadata: - labels: - istio-injection: enabled - name: good-istio-sinj01 ---- -apiVersion: v1 -kind: Namespace -metadata: - labels: - foo: disabled - istio-injection: enabled - bar: enabled - name: good-istio-sinj02 \ No newline at end of file diff --git a/istio-cel/enforce-sidecar-injection-namespace/.chainsaw-test/policy-ready.yaml b/istio-cel/enforce-sidecar-injection-namespace/.chainsaw-test/policy-ready.yaml deleted file mode 100755 index d536a3082..000000000 --- a/istio-cel/enforce-sidecar-injection-namespace/.chainsaw-test/policy-ready.yaml +++ /dev/null @@ -1,9 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: enforce-sidecar-injection-namespace -status: - conditions: - - reason: Succeeded - status: "True" - type: Ready diff --git a/istio-cel/enforce-sidecar-injection-namespace/.kyverno-test/kyverno-test.yaml b/istio-cel/enforce-sidecar-injection-namespace/.kyverno-test/kyverno-test.yaml deleted file mode 100644 index e457fa2b8..000000000 --- a/istio-cel/enforce-sidecar-injection-namespace/.kyverno-test/kyverno-test.yaml +++ /dev/null 
@@ -1,28 +0,0 @@ -apiVersion: cli.kyverno.io/v1alpha1 -kind: Test -metadata: - name: enforce-sidecar-injection-namespace -policies: -- ../enforce-sidecar-injection-namespace.yaml -resources: -- ../.chainsaw-test/ns-bad-disabled.yaml -- ../.chainsaw-test/ns-bad-nolabel.yaml -- ../.chainsaw-test/ns-bad-somelabel.yaml -- ../.chainsaw-test/ns-good.yaml -results: -- policy: enforce-sidecar-injection-namespace - rule: check-istio-injection-enabled - kind: Namespace - resources: - - bad-istio-sinj01 - - bad-istio-sinj02 - - bad-istio-sinj03 - result: fail -- policy: enforce-sidecar-injection-namespace - rule: check-istio-injection-enabled - kind: Namespace - resources: - - good-istio-sinj01 - - good-istio-sinj02 - result: pass - diff --git a/istio-cel/enforce-sidecar-injection-namespace/artifacthub-pkg.yml b/istio-cel/enforce-sidecar-injection-namespace/artifacthub-pkg.yml deleted file mode 100644 index aa5b2f5f2..000000000 --- a/istio-cel/enforce-sidecar-injection-namespace/artifacthub-pkg.yml +++ /dev/null 
@@ -1,24 +0,0 @@ -name: enforce-sidecar-injection-namespace-cel -version: 1.0.0 -displayName: Enforce Istio Sidecar Injection in CEL expressions -description: >- - In order for Istio to inject sidecars to workloads deployed into Namespaces, the label `istio-injection` must be set to `enabled`. This policy ensures that all new Namespaces set `istio-inject` to `enabled`. -install: |- - ```shell - kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/istio-cel/enforce-sidecar-injection-namespace/enforce-sidecar-injection-namespace.yaml - ``` -keywords: - - kyverno - - Istio - - CEL Expressions -readme: | - In order for Istio to inject sidecars to workloads deployed into Namespaces, the label `istio-injection` must be set to `enabled`. This policy ensures that all new Namespaces set `istio-inject` to `enabled`. - - Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ -annotations: - kyverno/category: "Istio in CEL" - kyverno/kubernetesVersion: "1.26-1.27" - kyverno/subject: "Namespace" -digest: 9738fe6b1278148191239c380c074c197841a4926c7ffc1e23cd9a2b22f1175f -createdAt: "2024-05-12T04:38:32Z" - diff --git a/istio-cel/enforce-sidecar-injection-namespace/enforce-sidecar-injection-namespace.yaml b/istio-cel/enforce-sidecar-injection-namespace/enforce-sidecar-injection-namespace.yaml deleted file mode 100644 index abbb3a4a3..000000000 --- a/istio-cel/enforce-sidecar-injection-namespace/enforce-sidecar-injection-namespace.yaml +++ /dev/null 
@@ -1,34 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: enforce-sidecar-injection-namespace - annotations: - policies.kyverno.io/title: Enforce Istio Sidecar Injection in CEL expressions - policies.kyverno.io/category: Istio in CEL - policies.kyverno.io/severity: medium - kyverno.io/kyverno-version: 1.11.0 - policies.kyverno.io/minversion: 1.11.0 - kyverno.io/kubernetes-version: "1.26-1.27" - policies.kyverno.io/subject: Namespace - policies.kyverno.io/description: >- - In order for Istio to inject sidecars to workloads deployed into Namespaces, the label - `istio-injection` must be set to `enabled`. This policy ensures that all new Namespaces - set `istio-inject` to `enabled`. -spec: - validationFailureAction: Audit - background: true - rules: - - name: check-istio-injection-enabled - match: - any: - - resources: - kinds: - - Namespace - operations: - - CREATE - validate: - cel: - expressions: - - expression: "object.metadata.?labels[?'istio-injection'].orValue('') == 'enabled'" - message: "All new Namespaces must have Istio sidecar injection enabled." - diff --git a/istio-cel/enforce-strict-mtls/.chainsaw-test/chainsaw-test.yaml b/istio-cel/enforce-strict-mtls/.chainsaw-test/chainsaw-test.yaml deleted file mode 100755 index e547cafa5..000000000 --- a/istio-cel/enforce-strict-mtls/.chainsaw-test/chainsaw-test.yaml +++ /dev/null 
@@ -1,33 +0,0 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json -apiVersion: chainsaw.kyverno.io/v1alpha1 -kind: Test -metadata: - creationTimestamp: null - name: enforce-strict-mtls -spec: - steps: - - name: step-01 - try: - - apply: - file: ../enforce-strict-mtls.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: enforce-strict-mtls - spec: - validationFailureAction: Enforce - - assert: - file: policy-ready.yaml - - assert: - file: crd-assert.yaml - - name: step-02 - try: - - apply: - file: pa-good.yaml - - apply: - expect: - - check: - ($error != null): true - file: pa-bad.yaml diff --git a/istio-cel/enforce-strict-mtls/.chainsaw-test/crd-assert.yaml b/istio-cel/enforce-strict-mtls/.chainsaw-test/crd-assert.yaml deleted file mode 100755 index 56561a629..000000000 --- a/istio-cel/enforce-strict-mtls/.chainsaw-test/crd-assert.yaml +++ /dev/null @@ -1,13 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: peerauthentications.security.istio.io -spec: {} -status: - acceptedNames: - kind: PeerAuthentication - listKind: PeerAuthenticationList - plural: peerauthentications - singular: peerauthentication - storedVersions: - - v1beta1 diff --git a/istio-cel/enforce-strict-mtls/.chainsaw-test/pa-bad.yaml b/istio-cel/enforce-strict-mtls/.chainsaw-test/pa-bad.yaml deleted file mode 100644 index 771d21f3d..000000000 --- a/istio-cel/enforce-strict-mtls/.chainsaw-test/pa-bad.yaml +++ /dev/null 
@@ -1,26 +0,0 @@ -apiVersion: security.istio.io/v1beta1 -kind: PeerAuthentication -metadata: - name: pa-bad01 -spec: - mtls: - mode: PERMISSIVE ---- -apiVersion: security.istio.io/v1beta1 -kind: PeerAuthentication -metadata: - name: pa-bad02 -spec: - mtls: - mode: DISABLE ---- -apiVersion: security.istio.io/v1beta1 -kind: PeerAuthentication -metadata: - name: pa-bad03 -spec: - selector: - matchLabels: - app: finance - mtls: - mode: DISABLE \ No newline at end of file diff --git a/istio-cel/enforce-strict-mtls/.chainsaw-test/pa-good.yaml b/istio-cel/enforce-strict-mtls/.chainsaw-test/pa-good.yaml deleted file mode 100644 index 0d2d9d383..000000000 --- a/istio-cel/enforce-strict-mtls/.chainsaw-test/pa-good.yaml +++ /dev/null @@ -1,39 +0,0 @@ -apiVersion: security.istio.io/v1beta1 -kind: PeerAuthentication -metadata: - name: good-pa01 -spec: - mtls: - mode: STRICT ---- -apiVersion: security.istio.io/v1beta1 -kind: PeerAuthentication -metadata: - name: good-pa02 -spec: - mtls: - mode: UNSET ---- -apiVersion: security.istio.io/v1beta1 -kind: PeerAuthentication -metadata: - name: good-pa03 -spec: {} ---- -apiVersion: security.istio.io/v1beta1 -kind: PeerAuthentication -metadata: - name: good-pa04 -spec: - selector: - matchLabels: - app: finance - mtls: - mode: STRICT ---- -apiVersion: security.istio.io/v1beta1 -kind: PeerAuthentication -metadata: - name: good-pa05 -spec: - mtls: {} \ No newline at end of file diff --git a/istio-cel/enforce-strict-mtls/.chainsaw-test/policy-ready.yaml b/istio-cel/enforce-strict-mtls/.chainsaw-test/policy-ready.yaml deleted file mode 100755 index 5b830e062..000000000 --- a/istio-cel/enforce-strict-mtls/.chainsaw-test/policy-ready.yaml +++ /dev/null @@ -1,9 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: enforce-strict-mtls -status: - conditions: - - reason: Succeeded - status: "True" - type: Ready 
diff --git a/istio-cel/enforce-strict-mtls/.kyverno-test/kyverno-test.yaml b/istio-cel/enforce-strict-mtls/.kyverno-test/kyverno-test.yaml deleted file mode 100644 index f4018437a..000000000 --- a/istio-cel/enforce-strict-mtls/.kyverno-test/kyverno-test.yaml +++ /dev/null @@ -1,29 +0,0 @@ -apiVersion: cli.kyverno.io/v1alpha1 -kind: Test -metadata: - name: enforce-strict-mtls -policies: -- ../enforce-strict-mtls.yaml -resources: -- ../.chainsaw-test/pa-bad.yaml -- ../.chainsaw-test/pa-good.yaml -results: -- policy: enforce-strict-mtls - rule: validate-mtls - kind: PeerAuthentication - resources: - - pa-bad01 - - pa-bad02 - - pa-bad03 - result: fail -- policy: enforce-strict-mtls - rule: validate-mtls - kind: PeerAuthentication - resources: - - good-pa01 - - good-pa02 - - good-pa03 - - good-pa04 - - good-pa05 - result: pass - diff --git a/istio-cel/enforce-strict-mtls/artifacthub-pkg.yml b/istio-cel/enforce-strict-mtls/artifacthub-pkg.yml deleted file mode 100644 index e760f1c9e..000000000 --- a/istio-cel/enforce-strict-mtls/artifacthub-pkg.yml +++ /dev/null 
@@ -1,24 +0,0 @@ -name: enforce-strict-mtls-cel -version: 1.0.0 -displayName: Enforce Istio Strict mTLS in CEL expressions -description: >- - Strict mTLS requires that mutual TLS be enabled across the entire service mesh, which can be set using a PeerAuthentication resource on a per-Namespace basis and, if set on the `istio-system` Namespace could disable it across the entire mesh. Disabling mTLS can reduce the security for traffic within that portion of the mesh and should be controlled. This policy prevents disabling strict mTLS in a PeerAuthentication resource by requiring the `mode` be set to either `UNSET` or `STRICT`. -install: |- - ```shell - kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/istio-cel/enforce-strict-mtls/enforce-strict-mtls.yaml - ``` -keywords: - - kyverno - - Istio - - CEL Expressions -readme: | - Strict mTLS requires that mutual TLS be enabled across the entire service mesh, which can be set using a PeerAuthentication resource on a per-Namespace basis and, if set on the `istio-system` Namespace could disable it across the entire mesh. Disabling mTLS can reduce the security for traffic within that portion of the mesh and should be controlled. This policy prevents disabling strict mTLS in a PeerAuthentication resource by requiring the `mode` be set to either `UNSET` or `STRICT`. - - Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ -annotations: - kyverno/category: "Istio in CEL" - kyverno/kubernetesVersion: "1.26-1.27" - kyverno/subject: "PeerAuthentication" -digest: 6bf5af52d9187ac5b1b90879ab3975ea618b38d04928ceecd4779fc2b2e4b26a -createdAt: "2024-05-12T04:41:47Z" - diff --git a/istio-cel/enforce-strict-mtls/enforce-strict-mtls.yaml b/istio-cel/enforce-strict-mtls/enforce-strict-mtls.yaml deleted file mode 100644 index 33747bbfd..000000000 --- a/istio-cel/enforce-strict-mtls/enforce-strict-mtls.yaml +++ /dev/null 
@@ -1,40 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: enforce-strict-mtls - annotations: - policies.kyverno.io/title: Enforce Istio Strict mTLS in CEL expressions - policies.kyverno.io/category: Istio in CEL - policies.kyverno.io/severity: medium - policies.kyverno.io/subject: PeerAuthentication - kyverno.io/kyverno-version: 1.11.0 - policies.kyverno.io/minversion: 1.11.0 - kyverno.io/kubernetes-version: "1.26-1.27" - policies.kyverno.io/description: >- - Strict mTLS requires that mutual TLS be enabled across the entire service mesh, which - can be set using a PeerAuthentication resource on a per-Namespace basis and, if set on - the `istio-system` Namespace could disable it across the entire mesh. Disabling mTLS - can reduce the security for traffic within that portion of the mesh and should be controlled. - This policy prevents disabling strict mTLS in a PeerAuthentication resource by requiring - the `mode` be set to either `UNSET` or `STRICT`. -spec: - validationFailureAction: Audit - background: true - rules: - - name: validate-mtls - match: - any: - - resources: - kinds: - - PeerAuthentication - operations: - - CREATE - - UPDATE - validate: - cel: - expressions: - - expression: >- - !has(object.spec) || !has(object.spec.mtls) || !has(object.spec.mtls.mode) || - object.spec.mtls.mode in ['UNSET', 'STRICT'] - message: "PeerAuthentication resources may only set UNSET or STRICT for the mode." - diff --git a/istio-cel/prevent-disabling-injection-pods/.chainsaw-test/chainsaw-test.yaml b/istio-cel/prevent-disabling-injection-pods/.chainsaw-test/chainsaw-test.yaml deleted file mode 100755 index a1695faa6..000000000 --- a/istio-cel/prevent-disabling-injection-pods/.chainsaw-test/chainsaw-test.yaml +++ /dev/null 
@@ -1,38 +0,0 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json -apiVersion: chainsaw.kyverno.io/v1alpha1 -kind: Test -metadata: - creationTimestamp: null - name: prevent-disabling-injection-pods -spec: - steps: - - name: step-01 - try: - - apply: - file: ../prevent-disabling-injection-pods.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: prevent-disabling-injection-pods - spec: - validationFailureAction: Enforce - - assert: - file: policy-ready.yaml - - name: step-02 - try: - - apply: - file: pod-good.yaml - - apply: - file: podcontroller-good.yaml - - apply: - expect: - - check: - ($error != null): true - file: pod-bad.yaml - - apply: - expect: - - check: - ($error != null): true - file: podcontroller-bad.yaml diff --git a/istio-cel/prevent-disabling-injection-pods/.chainsaw-test/pod-bad.yaml b/istio-cel/prevent-disabling-injection-pods/.chainsaw-test/pod-bad.yaml deleted file mode 100644 index 21e4241b3..000000000 --- a/istio-cel/prevent-disabling-injection-pods/.chainsaw-test/pod-bad.yaml +++ /dev/null @@ -1,27 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - labels: - foo: bar - annotations: - app.k8s.io/name: badpod01 - sidecar.istio.io/inject: "false" - name: badpod01 -spec: - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: v1 -kind: Pod -metadata: - labels: - foo: bar - annotations: - sidecar.istio.io/inject: "false" - app.k8s.io/name: badpod02 - name: badpod02 -spec: - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 \ No newline at end of file diff --git a/istio-cel/prevent-disabling-injection-pods/.chainsaw-test/pod-good.yaml b/istio-cel/prevent-disabling-injection-pods/.chainsaw-test/pod-good.yaml deleted file mode 100644 index 2a86675ca..000000000 --- a/istio-cel/prevent-disabling-injection-pods/.chainsaw-test/pod-good.yaml +++ /dev/null 
@@ -1,26 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - labels: - foo: bar - annotations: - app.k8s.io/name: goodpod01 - sidecar.istio.io/inject: "true" - name: goodpod01 -spec: - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: v1 -kind: Pod -metadata: - labels: - foo: bar - annotations: - app.k8s.io/name: goodpod02 - name: goodpod02 -spec: - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 \ No newline at end of file diff --git a/istio-cel/prevent-disabling-injection-pods/.chainsaw-test/podcontroller-bad.yaml b/istio-cel/prevent-disabling-injection-pods/.chainsaw-test/podcontroller-bad.yaml deleted file mode 100644 index 62bcc2d70..000000000 --- a/istio-cel/prevent-disabling-injection-pods/.chainsaw-test/podcontroller-bad.yaml +++ /dev/null 
@@ -1,89 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app: busybox - name: baddeploy01 -spec: - replicas: 1 - selector: - matchLabels: - app: busybox - template: - metadata: - annotations: - sidecar.istio.io/inject: "false" - app.k8s.io/name: busybox - labels: - app: busybox - spec: - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app: busybox - name: baddeploy02 -spec: - replicas: 1 - selector: - matchLabels: - app: busybox - template: - metadata: - annotations: - app.k8s.io/name: busybox - sidecar.istio.io/inject: "false" - labels: - app: busybox - spec: - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob01 -spec: - schedule: "* * * * *" - jobTemplate: - spec: - template: - metadata: - annotations: - app.k8s.io/name: busybox - sidecar.istio.io/inject: "false" - spec: - containers: - - name: hello - image: ghcr.io/kyverno/test-busybox:1.35 - command: - - sleep - - "3600" - restartPolicy: OnFailure ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob02 -spec: - schedule: "* * * * *" - jobTemplate: - spec: - template: - metadata: - annotations: - sidecar.istio.io/inject: "false" - app.k8s.io/name: busybox - spec: - containers: - - name: hello - image: ghcr.io/kyverno/test-busybox:1.35 - command: - - sleep - - "3600" - restartPolicy: OnFailure \ No newline at end of file diff --git a/istio-cel/prevent-disabling-injection-pods/.chainsaw-test/podcontroller-good.yaml b/istio-cel/prevent-disabling-injection-pods/.chainsaw-test/podcontroller-good.yaml deleted file mode 100644 index 8954aa77e..000000000 --- a/istio-cel/prevent-disabling-injection-pods/.chainsaw-test/podcontroller-good.yaml +++ /dev/null 
@@ -1,87 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app: busybox - name: gooddeploy01 -spec: - replicas: 1 - selector: - matchLabels: - app: busybox - template: - metadata: - annotations: - app.k8s.io/name: busybox - labels: - app: busybox - spec: - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app: busybox - name: gooddeploy02 -spec: - replicas: 1 - selector: - matchLabels: - app: busybox - template: - metadata: - annotations: - app.k8s.io/name: busybox - sidecar.istio.io/inject: "true" - labels: - app: busybox - spec: - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob01 -spec: - schedule: "* * * * *" - jobTemplate: - spec: - template: - metadata: - annotations: - app.k8s.io/name: busybox - spec: - containers: - - name: hello - image: ghcr.io/kyverno/test-busybox:1.35 - command: - - "sleep" - - "3600" - restartPolicy: OnFailure ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob02 -spec: - schedule: "* * * * *" - jobTemplate: - spec: - template: - metadata: - annotations: - app.k8s.io/name: busybox - sidecar.istio.io/inject: "true" - spec: - containers: - - name: hello - image: ghcr.io/kyverno/test-busybox:1.35 - command: - - "sleep" - - "3600" - restartPolicy: OnFailure \ No newline at end of file diff --git a/istio-cel/prevent-disabling-injection-pods/.chainsaw-test/policy-ready.yaml b/istio-cel/prevent-disabling-injection-pods/.chainsaw-test/policy-ready.yaml deleted file mode 100755 index 2e032de89..000000000 --- a/istio-cel/prevent-disabling-injection-pods/.chainsaw-test/policy-ready.yaml +++ /dev/null @@ -1,9 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: prevent-disabling-injection-pods -status: - conditions: - - reason: Succeeded - status: "True" - type: Ready 
diff --git a/istio-cel/prevent-disabling-injection-pods/.kyverno-test/kyverno-test.yaml b/istio-cel/prevent-disabling-injection-pods/.kyverno-test/kyverno-test.yaml deleted file mode 100644 index 5aa5be9ad..000000000 --- a/istio-cel/prevent-disabling-injection-pods/.kyverno-test/kyverno-test.yaml +++ /dev/null @@ -1,55 +0,0 @@ -apiVersion: cli.kyverno.io/v1alpha1 -kind: Test -metadata: - name: prevent-disabling-injection-pods -policies: -- ../prevent-disabling-injection-pods.yaml -resources: -- ../.chainsaw-test/pod-bad.yaml -- ../.chainsaw-test/podcontroller-bad.yaml -- ../.chainsaw-test/pod-good.yaml -- ../.chainsaw-test/podcontroller-good.yaml -results: -- policy: prevent-disabling-injection-pods - rule: prohibit-inject-annotation - kind: Pod - resources: - - badpod01 - - badpod02 - result: fail -- policy: prevent-disabling-injection-pods - rule: prohibit-inject-annotation - kind: Deployment - resources: - - baddeploy01 - - baddeploy02 - result: fail -- policy: prevent-disabling-injection-pods - rule: prohibit-inject-annotation - kind: CronJob - resources: - - badcronjob01 - - badcronjob02 - result: fail -- policy: prevent-disabling-injection-pods - rule: prohibit-inject-annotation - kind: Pod - resources: - - goodpod01 - - goodpod02 - result: pass -- policy: prevent-disabling-injection-pods - rule: prohibit-inject-annotation - kind: Deployment - resources: - - gooddeploy01 - - gooddeploy02 - result: pass -- policy: prevent-disabling-injection-pods - rule: prohibit-inject-annotation - kind: CronJob - resources: - - goodcronjob01 - - goodcronjob02 - result: pass - diff --git a/istio-cel/prevent-disabling-injection-pods/artifacthub-pkg.yml b/istio-cel/prevent-disabling-injection-pods/artifacthub-pkg.yml deleted file mode 100644 index 97787ae11..000000000 --- a/istio-cel/prevent-disabling-injection-pods/artifacthub-pkg.yml +++ /dev/null 
@@ -1,24 +0,0 @@ -name: prevent-disabling-injection-pods-cel -version: 1.0.0 -displayName: Prevent Disabling Istio Sidecar Injection in CEL expressions -description: >- - One way sidecar injection in an Istio service mesh may be accomplished is by defining an annotation at the Pod level. Pods not receiving a sidecar cannot participate in the mesh thereby reducing visibility. This policy ensures that Pods cannot set the annotation `sidecar.istio.io/inject` to a value of `false`. -install: |- - ```shell - kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/istio-cel/prevent-disabling-injection-pods/prevent-disabling-injection-pods.yaml - ``` -keywords: - - kyverno - - Istio - - CEL Expressions -readme: | - One way sidecar injection in an Istio service mesh may be accomplished is by defining an annotation at the Pod level. Pods not receiving a sidecar cannot participate in the mesh thereby reducing visibility. This policy ensures that Pods cannot set the annotation `sidecar.istio.io/inject` to a value of `false`. - - Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ -annotations: - kyverno/category: "Istio in CEL" - kyverno/kubernetesVersion: "1.26-1.27" - kyverno/subject: "Pod" -digest: 97408c8377b12760f93ab481284a80e6ac7b78f3d04bc89bb44ab55e32054f5c -createdAt: "2024-05-12T04:48:58Z" - diff --git a/istio-cel/prevent-disabling-injection-pods/prevent-disabling-injection-pods.yaml b/istio-cel/prevent-disabling-injection-pods/prevent-disabling-injection-pods.yaml deleted file mode 100644 index 816434746..000000000 --- a/istio-cel/prevent-disabling-injection-pods/prevent-disabling-injection-pods.yaml +++ /dev/null 
@@ -1,37 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: prevent-disabling-injection-pods - annotations: - policies.kyverno.io/title: Prevent Disabling Istio Sidecar Injection in CEL expressions - policies.kyverno.io/category: Istio in CEL - policies.kyverno.io/severity: medium - kyverno.io/kyverno-version: 1.11.0 - policies.kyverno.io/minversion: 1.11.0 - kyverno.io/kubernetes-version: "1.26-1.27" - policies.kyverno.io/subject: Pod - policies.kyverno.io/description: >- - One way sidecar injection in an Istio service mesh may be accomplished is by defining - an annotation at the Pod level. Pods not receiving a sidecar cannot participate in the mesh - thereby reducing visibility. This policy ensures that Pods cannot set the annotation - `sidecar.istio.io/inject` to a value of `false`. -spec: - validationFailureAction: Audit - background: true - rules: - - name: prohibit-inject-annotation - match: - any: - - resources: - kinds: - - Pod - operations: - - CREATE - - UPDATE - validate: - cel: - expressions: - - expression: >- - object.metadata.?annotations[?'sidecar.istio.io/inject'].orValue('') != 'false' - message: "Pods may not disable sidecar injection by setting the annotation sidecar.istio.io/inject to a value of false." - diff --git a/istio/add-ambient-mode-namespace/.chainsaw-test/chainsaw-step-02-apply-1.yaml b/istio/add-ambient-mode-namespace/.chainsaw-test/chainsaw-step-02-apply-1.yaml deleted file mode 100644 index 71651310f..000000000 --- a/istio/add-ambient-mode-namespace/.chainsaw-test/chainsaw-step-02-apply-1.yaml +++ /dev/null @@ -1,6 +0,0 @@ -apiVersion: v1 -kind: Namespace -metadata: - labels: - istio.io/dataplane-mode: ambient - name: istio-test-en-ns diff --git a/istio/add-ambient-mode-namespace/.chainsaw-test/chainsaw-step-02-apply-2.yaml b/istio/add-ambient-mode-namespace/.chainsaw-test/chainsaw-step-02-apply-2.yaml deleted file mode 100644 index 32cbd8936..000000000 
--- a/istio/add-ambient-mode-namespace/.chainsaw-test/chainsaw-step-02-apply-2.yaml +++ /dev/null @@ -1,6 +0,0 @@ -apiVersion: v1 -kind: Namespace -metadata: - labels: - istio.io/dataplane-mode: other - name: istio-test-dis-ns diff --git a/istio/add-ambient-mode-namespace/.chainsaw-test/chainsaw-step-02-apply-3.yaml b/istio/add-ambient-mode-namespace/.chainsaw-test/chainsaw-step-02-apply-3.yaml deleted file mode 100644 index 6b17ee831..000000000 --- a/istio/add-ambient-mode-namespace/.chainsaw-test/chainsaw-step-02-apply-3.yaml +++ /dev/null @@ -1,4 +0,0 @@ -apiVersion: v1 -kind: Namespace -metadata: - name: istio-test-none-ns diff --git a/istio/add-ambient-mode-namespace/.chainsaw-test/chainsaw-step-02-apply-4.yaml b/istio/add-ambient-mode-namespace/.chainsaw-test/chainsaw-step-02-apply-4.yaml deleted file mode 100644 index 7b14de9b6..000000000 --- a/istio/add-ambient-mode-namespace/.chainsaw-test/chainsaw-step-02-apply-4.yaml +++ /dev/null @@ -1,6 +0,0 @@ -apiVersion: v1 -kind: Namespace -metadata: - labels: - foo: bar - name: istio-test-alt-ns diff --git a/istio/add-ambient-mode-namespace/.chainsaw-test/chainsaw-test.yaml b/istio/add-ambient-mode-namespace/.chainsaw-test/chainsaw-test.yaml deleted file mode 100644 index 51c8ca8fb..000000000 --- a/istio/add-ambient-mode-namespace/.chainsaw-test/chainsaw-test.yaml +++ /dev/null 
@@ -1,34 +0,0 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json -apiVersion: chainsaw.kyverno.io/v1alpha1 -kind: Test -metadata: - creationTimestamp: null - name: add-ambient-mode-namespace -spec: - steps: - - name: step-01 - try: - - apply: - file: ../add-ambient-mode-namespace.yaml - - assert: - file: policy-ready.yaml - - name: step-02 - try: - - apply: - file: chainsaw-step-02-apply-1.yaml - - apply: - file: chainsaw-step-02-apply-2.yaml - - apply: - file: chainsaw-step-02-apply-3.yaml - - apply: - file: chainsaw-step-02-apply-4.yaml - - name: step-03 - try: - - assert: - file: patched-ns-alt.yaml - - assert: - file: patched-ns-disabled.yaml - - assert: - file: patched-ns-enabled.yaml - - assert: - file: patched-ns-none.yaml diff --git a/istio/add-ambient-mode-namespace/.chainsaw-test/patched-ns-alt.yaml b/istio/add-ambient-mode-namespace/.chainsaw-test/patched-ns-alt.yaml deleted file mode 100644 index 7ad1fb2fe..000000000 --- a/istio/add-ambient-mode-namespace/.chainsaw-test/patched-ns-alt.yaml +++ /dev/null @@ -1,7 +0,0 @@ -apiVersion: v1 -kind: Namespace -metadata: - labels: - foo: bar - istio.io/dataplane-mode: ambient - name: istio-test-alt-ns \ No newline at end of file diff --git a/istio/add-ambient-mode-namespace/.chainsaw-test/patched-ns-disabled.yaml b/istio/add-ambient-mode-namespace/.chainsaw-test/patched-ns-disabled.yaml deleted file mode 100644 index 95de97e29..000000000 --- a/istio/add-ambient-mode-namespace/.chainsaw-test/patched-ns-disabled.yaml +++ /dev/null @@ -1,6 +0,0 @@ -apiVersion: v1 -kind: Namespace -metadata: - labels: - istio.io/dataplane-mode: ambient - name: istio-test-dis-ns \ No newline at end of file diff --git a/istio/add-ambient-mode-namespace/.chainsaw-test/patched-ns-enabled.yaml b/istio/add-ambient-mode-namespace/.chainsaw-test/patched-ns-enabled.yaml deleted file mode 100644 index ee122e92b..000000000 
--- a/istio/add-ambient-mode-namespace/.chainsaw-test/patched-ns-enabled.yaml +++ /dev/null @@ -1,6 +0,0 @@ -apiVersion: v1 -kind: Namespace -metadata: - labels: - istio.io/dataplane-mode: ambient - name: istio-test-en-ns \ No newline at end of file diff --git a/istio/add-ambient-mode-namespace/.chainsaw-test/patched-ns-none.yaml b/istio/add-ambient-mode-namespace/.chainsaw-test/patched-ns-none.yaml deleted file mode 100644 index c13793cf5..000000000 --- a/istio/add-ambient-mode-namespace/.chainsaw-test/patched-ns-none.yaml +++ /dev/null @@ -1,6 +0,0 @@ -apiVersion: v1 -kind: Namespace -metadata: - labels: - istio.io/dataplane-mode: ambient - name: istio-test-none-ns \ No newline at end of file diff --git a/istio/add-ambient-mode-namespace/.chainsaw-test/policy-ready.yaml b/istio/add-ambient-mode-namespace/.chainsaw-test/policy-ready.yaml deleted file mode 100644 index b589170fd..000000000 --- a/istio/add-ambient-mode-namespace/.chainsaw-test/policy-ready.yaml +++ /dev/null @@ -1,9 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: add-ambient-mode-namespace -status: - conditions: - - reason: Succeeded - status: "True" - type: Ready diff --git a/istio/add-ambient-mode-namespace/.kyverno-test/kyverno-test.yaml b/istio/add-ambient-mode-namespace/.kyverno-test/kyverno-test.yaml deleted file mode 100644 index 1b1fa13e0..000000000 --- a/istio/add-ambient-mode-namespace/.kyverno-test/kyverno-test.yaml +++ /dev/null 
@@ -1,21 +0,0 @@ -apiVersion: cli.kyverno.io/v1alpha1 -kind: Test -metadata: - name: add-ambient-mode-namespace -policies: -- ../add-ambient-mode-namespace.yaml -resources: -- ../.chainsaw-test/patched-ns-disabled.yaml -- ../.chainsaw-test/patched-ns-enabled.yaml -- ../.chainsaw-test/patched-ns-alt.yaml -- ../.chainsaw-test/patched-ns-none.yaml -results: -- policy: add-ambient-mode-namespace - rule: check-ambient-mode-enabled - kind: Namespace - resources: - - istio-test-none-ns - - istio-test-dis-ns - - istio-test-en-ns - - istio-test-alt-ns - result: pass diff --git a/istio/add-ambient-mode-namespace/add-ambient-mode-namespace.yaml b/istio/add-ambient-mode-namespace/add-ambient-mode-namespace.yaml deleted file mode 100644 index df5fd0992..000000000 --- a/istio/add-ambient-mode-namespace/add-ambient-mode-namespace.yaml +++ /dev/null @@ -1,30 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: add-ambient-mode-namespace - annotations: - policies.kyverno.io/title: Add Istio Ambient Mode - policies.kyverno.io/category: Istio - policies.kyverno.io/severity: medium - kyverno.io/kyverno-version: 1.8.0 - policies.kyverno.io/minversion: 1.6.0 - kyverno.io/kubernetes-version: "1.24" - policies.kyverno.io/subject: Namespace - policies.kyverno.io/description: >- - In order for Istio to include namespaces in ambient mode, the label `istio.io/dataplane-mode` - must be set to `ambient`. As an alternative to rejecting Namespace definitions which don't already - contain this label, it can be added automatically. This policy adds the label `istio.io/dataplane-mode` - set to `ambient` for all new Namespaces. -spec: - rules: - - name: add-ambient-mode-enabled - match: - any: - - resources: - kinds: - - Namespace - mutate: - patchStrategicMerge: - metadata: - labels: - istio.io/dataplane-mode: ambient 
diff --git a/istio/add-ambient-mode-namespace/artifacthub-pkg.yml b/istio/add-ambient-mode-namespace/artifacthub-pkg.yml deleted file mode 100644 index 7d3226555..000000000 --- a/istio/add-ambient-mode-namespace/artifacthub-pkg.yml +++ /dev/null @@ -1,22 +0,0 @@ -name: add-ambient-mode-namespace -version: 1.0.0 -displayName: Add Istio Ambient Mode -createdAt: "2024-07-25T20:07:52.000Z" -description: >- - In order for Istio to include namespaces in ambient mode, the label `istio.io/dataplane-mode` must be set to `ambient`. As an alternative to rejecting Namespace definitions which don't already contain this label, it can be added automatically. This policy adds the label `istio.io/dataplane-mode` set to `ambient` for all new Namespaces. -install: |- - ```shell - kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/istio/add-ambient-mode-namespace/add-ambient-mode-namespace.yaml - ``` -keywords: - - kyverno - - Istio -readme: | - In order for Istio to include namespaces in ambient mode, the label `istio.io/dataplane-mode` must be set to `ambient`. As an alternative to rejecting Namespace definitions which don't already contain this label, it can be added automatically. This policy adds the label `istio.io/dataplane-mode` set to `ambient` for all new Namespaces. - - Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ -annotations: - kyverno/category: "Istio" - kyverno/kubernetesVersion: "1.24" - kyverno/subject: "Namespace" -digest: f81b9ba15c410e62589f0bf79b22a694b41a2294557c91d3c87683772922a8c0 diff --git a/istio/add-sidecar-injection-namespace/.chainsaw-test/chainsaw-test.yaml b/istio/add-sidecar-injection-namespace/.chainsaw-test/chainsaw-test.yaml index 40172e466..e25532f02 100755 --- a/istio/add-sidecar-injection-namespace/.chainsaw-test/chainsaw-test.yaml +++ b/istio/add-sidecar-injection-namespace/.chainsaw-test/chainsaw-test.yaml 
@@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: diff --git a/istio/add-sidecar-injection-namespace/.chainsaw-test/policy-ready.yaml b/istio/add-sidecar-injection-namespace/.chainsaw-test/policy-ready.yaml index 9b37e7c50..350145f08 100644 --- a/istio/add-sidecar-injection-namespace/.chainsaw-test/policy-ready.yaml +++ b/istio/add-sidecar-injection-namespace/.chainsaw-test/policy-ready.yaml @@ -3,7 +3,4 @@ kind: ClusterPolicy metadata: name: add-sidecar-injection-namespace status: - conditions: - - reason: Succeeded - status: "True" - type: Ready + ready: true \ No newline at end of file diff --git a/istio/create-authorizationpolicy/.chainsaw-test/chainsaw-test.yaml b/istio/create-authorizationpolicy/.chainsaw-test/chainsaw-test.yaml index d5308e06a..096333ba0 100755 --- a/istio/create-authorizationpolicy/.chainsaw-test/chainsaw-test.yaml +++ b/istio/create-authorizationpolicy/.chainsaw-test/chainsaw-test.yaml @@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: @@ -12,8 +11,6 @@ spec: file: chainsaw-step-01-assert-1.yaml - name: step-02 try: - - apply: - file: permissions.yaml - apply: file: chainsaw-step-02-apply-1.yaml - name: step-04 diff --git a/istio/create-authorizationpolicy/.chainsaw-test/permissions.yaml b/istio/create-authorizationpolicy/.chainsaw-test/permissions.yaml deleted file mode 100644 index 5075ffc73..000000000 --- a/istio/create-authorizationpolicy/.chainsaw-test/permissions.yaml +++ /dev/null 
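Review bot: The readiness assertion in policy-ready.yaml now checks only `status.ready: true`, a coarser signal than the `Ready` condition it replaces; if the Kyverno release under test reports readiness through `status.conditions` rather than the boolean, the assert times out instead of failing with a clear message, so it is worth confirming that `ready` is still populated by the targeted version. The same replacement is made in create-authorizationpolicy/policy-ready.yaml and in the chainsaw-step-01-assert-1.yaml files for enforce-sidecar-injection-namespace, enforce-strict-mtls, enforce-tls-hosts-host-subnets and prevent-disabling-injection-pods. The two policy-ready.yaml rewrites also lose their trailing newline (`\ No newline at end of file`), which the neighbouring assert files keep.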
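Review bot: Removing the `apply: file: permissions.yaml` step from step-02 takes away the only place in this test where Kyverno's background controller was granted create/update/delete on `authorizationpolicies` in `security.istio.io`, and the commit shows no replacement for those grants. create-authorizationpolicy appears to be a generate-style policy that needs exactly those verbs, so the test now depends on the test cluster's Kyverno install already carrying an aggregated ClusterRole for that API group. If that is the intent, a comment on step-02 such as `# RBAC for security.istio.io is expected to come from the shared Kyverno test install` would make the dependency explicit; if not, the role should be kept here or moved into shared test setup rather than deleted.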
@@ -1,33 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: kyverno:istio:auth:view - labels: - rbac.kyverno.io/aggregate-to-reports-controller: "true" - rbac.kyverno.io/aggregate-to-admission-controller: "true" - rbac.kyverno.io/aggregate-to-background-controller: "true" -rules: -- apiGroups: - - 'security.istio.io' - resources: - - authorizationpolicies - verbs: - - get - - list - - watch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: kyverno:istio:auth:edit - labels: - rbac.kyverno.io/aggregate-to-background-controller: "true" -rules: -- apiGroups: - - 'security.istio.io' - resources: - - authorizationpolicies - verbs: - - create - - update - - delete diff --git a/istio/create-authorizationpolicy/.chainsaw-test/policy-ready.yaml b/istio/create-authorizationpolicy/.chainsaw-test/policy-ready.yaml index 6e8841185..dae62e0d2 100644 --- a/istio/create-authorizationpolicy/.chainsaw-test/policy-ready.yaml +++ b/istio/create-authorizationpolicy/.chainsaw-test/policy-ready.yaml @@ -3,7 +3,4 @@ kind: ClusterPolicy metadata: name: create-authorizationpolicy status: - conditions: - - reason: Succeeded - status: "True" - type: Ready + ready: true \ No newline at end of file diff --git a/istio/enforce-ambient-mode-namespace/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/istio/enforce-ambient-mode-namespace/.chainsaw-test/chainsaw-step-01-assert-1.yaml deleted file mode 100644 index 8c6d4630d..000000000 --- a/istio/enforce-ambient-mode-namespace/.chainsaw-test/chainsaw-step-01-assert-1.yaml +++ /dev/null @@ -1,9 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: enforce-ambient-mode-namespace -status: - conditions: - - reason: Succeeded - status: "True" - type: Ready diff --git a/istio/enforce-ambient-mode-namespace/.chainsaw-test/chainsaw-test.yaml b/istio/enforce-ambient-mode-namespace/.chainsaw-test/chainsaw-test.yaml deleted file mode 100644 index ba6b3d82f..000000000 
--- a/istio/enforce-ambient-mode-namespace/.chainsaw-test/chainsaw-test.yaml +++ /dev/null @@ -1,41 +0,0 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json -apiVersion: chainsaw.kyverno.io/v1alpha1 -kind: Test -metadata: - creationTimestamp: null - name: enforce-ambient-mode-namespace -spec: - steps: - - name: step-01 - try: - - apply: - file: ../enforce-ambient-mode-namespace.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: enforce-ambient-mode-namespace - spec: - validationFailureAction: Enforce - - assert: - file: chainsaw-step-01-assert-1.yaml - - name: step-02 - try: - - apply: - file: ns-good.yaml - - apply: - expect: - - check: - ($error != null): true - file: ns-bad-disabled.yaml - - apply: - expect: - - check: - ($error != null): true - file: ns-bad-nolabel.yaml - - apply: - expect: - - check: - ($error != null): true - file: ns-bad-somelabel.yaml diff --git a/istio/enforce-ambient-mode-namespace/.chainsaw-test/ns-bad-disabled.yaml b/istio/enforce-ambient-mode-namespace/.chainsaw-test/ns-bad-disabled.yaml deleted file mode 100644 index 0915ecd8e..000000000 --- a/istio/enforce-ambient-mode-namespace/.chainsaw-test/ns-bad-disabled.yaml +++ /dev/null @@ -1,6 +0,0 @@ -apiVersion: v1 -kind: Namespace -metadata: - labels: - istio.io/dataplane-mode: other - name: bad-istio-amb01 \ No newline at end of file diff --git a/istio/enforce-ambient-mode-namespace/.chainsaw-test/ns-bad-nolabel.yaml b/istio/enforce-ambient-mode-namespace/.chainsaw-test/ns-bad-nolabel.yaml deleted file mode 100644 index 50c60d84f..000000000 --- a/istio/enforce-ambient-mode-namespace/.chainsaw-test/ns-bad-nolabel.yaml +++ /dev/null @@ -1,4 +0,0 @@ -apiVersion: v1 -kind: Namespace -metadata: - name: bad-istio-amb03 \ No newline at end of file 
diff --git a/istio/enforce-ambient-mode-namespace/.chainsaw-test/ns-bad-somelabel.yaml b/istio/enforce-ambient-mode-namespace/.chainsaw-test/ns-bad-somelabel.yaml deleted file mode 100644 index d18925001..000000000 --- a/istio/enforce-ambient-mode-namespace/.chainsaw-test/ns-bad-somelabel.yaml +++ /dev/null @@ -1,6 +0,0 @@ -apiVersion: v1 -kind: Namespace -metadata: - labels: - foo: enabled - name: bad-istio-amb02 \ No newline at end of file diff --git a/istio/enforce-ambient-mode-namespace/.chainsaw-test/ns-good.yaml b/istio/enforce-ambient-mode-namespace/.chainsaw-test/ns-good.yaml deleted file mode 100644 index 7520123b5..000000000 --- a/istio/enforce-ambient-mode-namespace/.chainsaw-test/ns-good.yaml +++ /dev/null @@ -1,15 +0,0 @@ -apiVersion: v1 -kind: Namespace -metadata: - labels: - istio.io/dataplane-mode: ambient - name: good-istio-amb01 ---- -apiVersion: v1 -kind: Namespace -metadata: - labels: - foo: disabled - istio.io/dataplane-mode: ambient - bar: enabled - name: good-istio-amb02 \ No newline at end of file diff --git a/istio/enforce-ambient-mode-namespace/.kyverno-test/kyverno-test.yaml b/istio/enforce-ambient-mode-namespace/.kyverno-test/kyverno-test.yaml deleted file mode 100644 index e2e458be1..000000000 --- a/istio/enforce-ambient-mode-namespace/.kyverno-test/kyverno-test.yaml +++ /dev/null 
@@ -1,28 +0,0 @@ -apiVersion: cli.kyverno.io/v1alpha1 -kind: Test -metadata: - name: enforce-ambient-mode-namespace -policies: -- ../enforce-ambient-mode-namespace.yaml -resources: -- ../.chainsaw-test/ns-bad-disabled.yaml -- ../.chainsaw-test/ns-bad-nolabel.yaml -- ../.chainsaw-test/ns-bad-somelabel.yaml -- ../.chainsaw-test/ns-good.yaml -results: -- policy: enforce-ambient-mode-namespace - rule: check-ambient-mode-enabled - kind: Namespace - resources: - - bad-istio-amb01 - - bad-istio-amb02 - - bad-istio-amb03 - result: fail -- policy: enforce-ambient-mode-namespace - rule: check-ambient-mode-enabled - kind: Namespace - resources: - - good-istio-amb01 - - good-istio-amb02 - result: pass - diff --git a/istio/enforce-ambient-mode-namespace/artifacthub-pkg.yml b/istio/enforce-ambient-mode-namespace/artifacthub-pkg.yml deleted file mode 100644 index e63c70900..000000000 --- a/istio/enforce-ambient-mode-namespace/artifacthub-pkg.yml +++ /dev/null 
@@ -1,22 +0,0 @@ -name: enforce-ambient-mode-namespace -version: 1.0.0 -displayName: Enforce Istio Ambient Mode -createdAt: "2024-07-25T20:07:52.000Z" -description: >- - In order for Istio to include namespaces in ambient mode, the label `istio.io/dataplane-mode` must be set to `ambient`. This policy ensures that all new Namespaces set `istio.io/dataplane-mode` to `ambient`. -install: |- - ```shell - kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/istio/enforce-ambient-mode-namespace/enforce-ambient-mode-namespace.yaml - ``` -keywords: - - kyverno - - Istio -readme: | - In order for Istio to include namespaces in ambient mode, the label `istio.io/dataplane-mode` must be set to `ambient`. This policy ensures that all new Namespaces set `istio.io/dataplane-mode` to `ambient`. - - Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ -annotations: - kyverno/category: "Istio" - kyverno/kubernetesVersion: "1.24" - kyverno/subject: "Namespace" -digest: a098ef222829beed7f5f33a4ea85690c3eac2dde8d7fb96f8ecb2cccf7d64f0c diff --git a/istio/enforce-ambient-mode-namespace/enforce-ambient-mode-namespace.yaml b/istio/enforce-ambient-mode-namespace/enforce-ambient-mode-namespace.yaml deleted file mode 100644 index c5c0b0efa..000000000 --- a/istio/enforce-ambient-mode-namespace/enforce-ambient-mode-namespace.yaml +++ /dev/null 
@@ -1,32 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: enforce-ambient-mode-namespace - annotations: - policies.kyverno.io/title: Enforce Istio Ambient Mode - policies.kyverno.io/category: Istio - policies.kyverno.io/severity: medium - kyverno.io/kyverno-version: 1.8.0 - policies.kyverno.io/minversion: 1.6.0 - kyverno.io/kubernetes-version: "1.24" - policies.kyverno.io/subject: Namespace - policies.kyverno.io/description: >- - In order for Istio to include namespaces in ambient mode, the label - `istio.io/dataplane-mode` must be set to `ambient`. This policy ensures that all new Namespaces - set `istio.io/dataplane-mode` to `ambient`. -spec: - validationFailureAction: Audit - background: true - rules: - - name: check-amblient-mode-enabled - match: - any: - - resources: - kinds: - - Namespace - validate: - message: "All new Namespaces must have Istio ambient mode enabled." - pattern: - metadata: - labels: - istio.io/dataplane-mode: ambient diff --git a/istio/enforce-sidecar-injection-namespace/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/istio/enforce-sidecar-injection-namespace/.chainsaw-test/chainsaw-step-01-assert-1.yaml index d536a3082..acc3f29fb 100755 --- a/istio/enforce-sidecar-injection-namespace/.chainsaw-test/chainsaw-step-01-assert-1.yaml +++ b/istio/enforce-sidecar-injection-namespace/.chainsaw-test/chainsaw-step-01-assert-1.yaml @@ -3,7 +3,4 @@ kind: ClusterPolicy metadata: name: enforce-sidecar-injection-namespace status: - conditions: - - reason: Succeeded - status: "True" - type: Ready + ready: true diff --git a/istio/enforce-sidecar-injection-namespace/.chainsaw-test/chainsaw-test.yaml b/istio/enforce-sidecar-injection-namespace/.chainsaw-test/chainsaw-test.yaml index 85ad2e8d1..abe11ae56 100755 --- a/istio/enforce-sidecar-injection-namespace/.chainsaw-test/chainsaw-test.yaml +++ b/istio/enforce-sidecar-injection-namespace/.chainsaw-test/chainsaw-test.yaml 
@@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: @@ -8,16 +7,9 @@ spec: steps: - name: step-01 try: - - apply: - file: ../enforce-sidecar-injection-namespace.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: enforce-sidecar-injection-namespace - spec: - validationFailureAction: Enforce + - script: + content: | + sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../enforce-sidecar-injection-namespace.yaml | kubectl create -f - - assert: file: chainsaw-step-01-assert-1.yaml - name: step-02 @@ -39,3 +31,10 @@ spec: - check: ($error != null): true file: ns-bad-somelabel.yaml + - name: step-99 + try: + - delete: + ref: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: enforce-sidecar-injection-namespace diff --git a/istio/enforce-sidecar-injection-namespace/.kyverno-test/kyverno-test.yaml b/istio/enforce-sidecar-injection-namespace/.kyverno-test/kyverno-test.yaml deleted file mode 100644 index e457fa2b8..000000000 --- a/istio/enforce-sidecar-injection-namespace/.kyverno-test/kyverno-test.yaml +++ /dev/null @@ -1,28 +0,0 @@ -apiVersion: cli.kyverno.io/v1alpha1 -kind: Test -metadata: - name: enforce-sidecar-injection-namespace -policies: -- ../enforce-sidecar-injection-namespace.yaml -resources: -- ../.chainsaw-test/ns-bad-disabled.yaml -- ../.chainsaw-test/ns-bad-nolabel.yaml -- ../.chainsaw-test/ns-bad-somelabel.yaml -- ../.chainsaw-test/ns-good.yaml -results: -- policy: enforce-sidecar-injection-namespace - rule: check-istio-injection-enabled - kind: Namespace - resources: - - bad-istio-sinj01 - - bad-istio-sinj02 - - bad-istio-sinj03 - result: fail -- policy: enforce-sidecar-injection-namespace - rule: check-istio-injection-enabled - kind: Namespace - resources: - - good-istio-sinj01 - - good-istio-sinj02 - result: pass - 
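Review bot: The new `script:` step installs the policy by text-rewriting it with `sed 's/validationFailureAction: audit/validationFailureAction: Enforce/'`, and nothing checks that the substitution matched: if the source line ever reads `Audit` (as this repo's other policies spell it) or moves, the policy is created silently in audit mode and the later `($error != null)` expectations fail with an unrelated-looking error. Extending chainsaw-step-01-assert-1.yaml with `spec:` / `  validationFailureAction: Enforce` would pin the mode at the point it matters. The added `step-99` delete also only runs when every earlier step passes; because the ClusterPolicy is created outside chainsaw's `apply` it is not auto-cleaned, so placing the delete in step-01's `finally:` would remove it on failure too and avoid leaking an Enforce-mode policy into the next test. The same pattern is used in the chainsaw-test.yaml hunks for enforce-strict-mtls, enforce-tls-hosts-host-subnets and prevent-disabling-injection-pods.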
diff --git a/istio/enforce-sidecar-injection-namespace/artifacthub-pkg.yml b/istio/enforce-sidecar-injection-namespace/artifacthub-pkg.yml index b929f1aad..ba5c3901c 100644 --- a/istio/enforce-sidecar-injection-namespace/artifacthub-pkg.yml +++ b/istio/enforce-sidecar-injection-namespace/artifacthub-pkg.yml @@ -19,4 +19,4 @@ annotations: kyverno/category: "Istio" kyverno/kubernetesVersion: "1.24" kyverno/subject: "Namespace" -digest: 4d6f6b0757d0d1467aa84bddbdeae3faa9a14acbf2453a03e8f91194e5e4d739 +digest: bef6a662a8eabeb1e615f5b1bc46200d9212d0f47e62e5705a31242082ccc2ef diff --git a/istio/enforce-sidecar-injection-namespace/enforce-sidecar-injection-namespace.yaml b/istio/enforce-sidecar-injection-namespace/enforce-sidecar-injection-namespace.yaml index 509911062..77c10fc68 100644 --- a/istio/enforce-sidecar-injection-namespace/enforce-sidecar-injection-namespace.yaml +++ b/istio/enforce-sidecar-injection-namespace/enforce-sidecar-injection-namespace.yaml @@ -15,7 +15,7 @@ metadata: `istio-injection` must be set to `enabled`. This policy ensures that all new Namespaces set `istio-inject` to `enabled`. spec: - validationFailureAction: Audit + validationFailureAction: audit background: true rules: - name: check-istio-injection-enabled diff --git a/istio/enforce-strict-mtls/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/istio/enforce-strict-mtls/.chainsaw-test/chainsaw-step-01-assert-1.yaml index 5b830e062..c5f7637cb 100755 --- a/istio/enforce-strict-mtls/.chainsaw-test/chainsaw-step-01-assert-1.yaml +++ b/istio/enforce-strict-mtls/.chainsaw-test/chainsaw-step-01-assert-1.yaml @@ -3,7 +3,4 @@ kind: ClusterPolicy metadata: name: enforce-strict-mtls status: - conditions: - - reason: Succeeded - status: "True" - type: Ready + ready: true diff --git a/istio/enforce-strict-mtls/.chainsaw-test/chainsaw-test.yaml b/istio/enforce-strict-mtls/.chainsaw-test/chainsaw-test.yaml index 42a348d52..16c2d0908 100755 --- a/istio/enforce-strict-mtls/.chainsaw-test/chainsaw-test.yaml 
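Review bot: Changing `validationFailureAction: Audit` to lowercase `audit` in enforce-sidecar-injection-namespace.yaml appears to exist only to match the sed pattern in the rewritten chainsaw test, and it leaves this policy spelled differently from the rest of the repo (the istio-cel and ambient-mode policies removed in this same commit all use `Audit`). A short comment above the line, `# keep lowercase: .chainsaw-test rewrites this line with sed`, would stop a future normalisation from silently turning the test into an audit-mode run. The same change is made in enforce-strict-mtls.yaml and enforce-tls-hosts-host-subnets.yaml.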
+++ b/istio/enforce-strict-mtls/.chainsaw-test/chainsaw-test.yaml @@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: @@ -8,16 +7,9 @@ spec: steps: - name: step-01 try: - - apply: - file: ../enforce-strict-mtls.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: enforce-strict-mtls - spec: - validationFailureAction: Enforce + - script: + content: | + sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../enforce-strict-mtls.yaml | kubectl create -f - - assert: file: chainsaw-step-01-assert-1.yaml - assert: @@ -31,3 +23,10 @@ spec: - check: ($error != null): true file: pa-bad.yaml + - name: step-99 + try: + - delete: + ref: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: enforce-strict-mtls diff --git a/istio/enforce-strict-mtls/.kyverno-test/kyverno-test.yaml b/istio/enforce-strict-mtls/.kyverno-test/kyverno-test.yaml deleted file mode 100644 index f4018437a..000000000 --- a/istio/enforce-strict-mtls/.kyverno-test/kyverno-test.yaml +++ /dev/null @@ -1,29 +0,0 @@ -apiVersion: cli.kyverno.io/v1alpha1 -kind: Test -metadata: - name: enforce-strict-mtls -policies: -- ../enforce-strict-mtls.yaml -resources: -- ../.chainsaw-test/pa-bad.yaml -- ../.chainsaw-test/pa-good.yaml -results: -- policy: enforce-strict-mtls - rule: validate-mtls - kind: PeerAuthentication - resources: - - pa-bad01 - - pa-bad02 - - pa-bad03 - result: fail -- policy: enforce-strict-mtls - rule: validate-mtls - kind: PeerAuthentication - resources: - - good-pa01 - - good-pa02 - - good-pa03 - - good-pa04 - - good-pa05 - result: pass - diff --git a/istio/enforce-strict-mtls/artifacthub-pkg.yml b/istio/enforce-strict-mtls/artifacthub-pkg.yml index c3f2482dc..8206d79c9 100644 --- a/istio/enforce-strict-mtls/artifacthub-pkg.yml 
+++ b/istio/enforce-strict-mtls/artifacthub-pkg.yml @@ -19,4 +19,4 @@ annotations: kyverno/category: "Istio" kyverno/kubernetesVersion: "1.24" kyverno/subject: "PeerAuthentication" -digest: 9febcaf60d14baf9d3ced147ed586aa3bde99d8f1296ff318355c708b39748a1 +digest: 1e7fbe8c0819be0142c61113b26cbcfe19ec3ca65a9b336165cbe0b1dc1b22b7 diff --git a/istio/enforce-strict-mtls/enforce-strict-mtls.yaml b/istio/enforce-strict-mtls/enforce-strict-mtls.yaml index 91167b572..2d3dfe81d 100644 --- a/istio/enforce-strict-mtls/enforce-strict-mtls.yaml +++ b/istio/enforce-strict-mtls/enforce-strict-mtls.yaml @@ -18,7 +18,7 @@ metadata: This policy prevents disabling strict mTLS in a PeerAuthentication resource by requiring the `mode` be set to either `UNSET` or `STRICT`. spec: - validationFailureAction: Audit + validationFailureAction: audit background: true rules: - name: validate-mtls diff --git a/istio/enforce-tls-hosts-host-subnets/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/istio/enforce-tls-hosts-host-subnets/.chainsaw-test/chainsaw-step-01-assert-1.yaml index fd57ad415..a79bc18f7 100755 --- a/istio/enforce-tls-hosts-host-subnets/.chainsaw-test/chainsaw-step-01-assert-1.yaml +++ b/istio/enforce-tls-hosts-host-subnets/.chainsaw-test/chainsaw-step-01-assert-1.yaml @@ -3,7 +3,4 @@ kind: ClusterPolicy metadata: name: enforce-tls-hosts-host-subnets status: - conditions: - - reason: Succeeded - status: "True" - type: Ready + ready: true diff --git a/istio/enforce-tls-hosts-host-subnets/.chainsaw-test/chainsaw-test.yaml b/istio/enforce-tls-hosts-host-subnets/.chainsaw-test/chainsaw-test.yaml index 5e326306f..b505f5b66 100755 --- a/istio/enforce-tls-hosts-host-subnets/.chainsaw-test/chainsaw-test.yaml +++ b/istio/enforce-tls-hosts-host-subnets/.chainsaw-test/chainsaw-test.yaml @@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: 
@@ -8,16 +7,9 @@ spec: steps: - name: step-01 try: - - apply: - file: ../enforce-tls-hosts-host-subnets.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: enforce-tls-hosts-host-subnets - spec: - validationFailureAction: Enforce + - script: + content: | + sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../enforce-tls-hosts-host-subnets.yaml | kubectl create -f - - assert: file: chainsaw-step-01-assert-1.yaml - assert: @@ -31,3 +23,10 @@ spec: - check: ($error != null): true file: dr-bad.yaml + - name: step-99 + try: + - delete: + ref: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: enforce-tls-hosts-host-subnets diff --git a/istio/enforce-tls-hosts-host-subnets/.kyverno-test/kyverno-test.yaml b/istio/enforce-tls-hosts-host-subnets/.kyverno-test/kyverno-test.yaml deleted file mode 100644 index 8b2e1cf9b..000000000 --- a/istio/enforce-tls-hosts-host-subnets/.kyverno-test/kyverno-test.yaml +++ /dev/null @@ -1,28 +0,0 @@ -apiVersion: cli.kyverno.io/v1alpha1 -kind: Test -metadata: - name: enforce-tls-hosts-host-subnets -policies: -- ../enforce-tls-hosts-host-subnets.yaml -resources: -- ../.chainsaw-test/dr-bad.yaml -- ../.chainsaw-test/dr-good.yaml -results: -- policy: enforce-tls-hosts-host-subnets - rule: destrule - kind: DestinationRule - resources: - - bad-dr01 - - bad-dr02 - result: fail -- policy: enforce-tls-hosts-host-subnets - rule: destrule - kind: DestinationRule - resources: - - good-dr01 - - good-dr02 - - good-dr03 - - good-dr04 - - good-dr05 - result: pass - diff --git a/istio/enforce-tls-hosts-host-subnets/artifacthub-pkg.yml b/istio/enforce-tls-hosts-host-subnets/artifacthub-pkg.yml index 84efd2692..a29067dea 100644 --- a/istio/enforce-tls-hosts-host-subnets/artifacthub-pkg.yml +++ b/istio/enforce-tls-hosts-host-subnets/artifacthub-pkg.yml 
@@ -19,4 +19,4 @@ annotations: kyverno/category: "Istio" kyverno/kubernetesVersion: "1.24" kyverno/subject: "DestinationRule" -digest: bc582eafa610d8f2c8cc0e0514b069e632da4ef5742ebf30926435fb382c965f +digest: 4825f2ffc9b90a1ddfc2055dd5afff807725961d52416b3be4276c384f05fc95 diff --git a/istio/enforce-tls-hosts-host-subnets/enforce-tls-hosts-host-subnets.yaml b/istio/enforce-tls-hosts-host-subnets/enforce-tls-hosts-host-subnets.yaml index 7dde78fc2..1e7971bcb 100644 --- a/istio/enforce-tls-hosts-host-subnets/enforce-tls-hosts-host-subnets.yaml +++ b/istio/enforce-tls-hosts-host-subnets/enforce-tls-hosts-host-subnets.yaml @@ -16,7 +16,7 @@ metadata: to the destination host. This policy enforces that the TLS mode cannot be set to a value of `DISABLE`. spec: - validationFailureAction: Audit + validationFailureAction: audit background: true rules: - name: destrule diff --git a/istio/prevent-disabling-injection-pods/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/istio/prevent-disabling-injection-pods/.chainsaw-test/chainsaw-step-01-assert-1.yaml index 2e032de89..4c6866bd0 100755 --- a/istio/prevent-disabling-injection-pods/.chainsaw-test/chainsaw-step-01-assert-1.yaml +++ b/istio/prevent-disabling-injection-pods/.chainsaw-test/chainsaw-step-01-assert-1.yaml @@ -3,7 +3,4 @@ kind: ClusterPolicy metadata: name: prevent-disabling-injection-pods status: - conditions: - - reason: Succeeded - status: "True" - type: Ready + ready: true diff --git a/istio/prevent-disabling-injection-pods/.chainsaw-test/chainsaw-test.yaml b/istio/prevent-disabling-injection-pods/.chainsaw-test/chainsaw-test.yaml index 6c32f0cf8..915ac7c52 100755 --- a/istio/prevent-disabling-injection-pods/.chainsaw-test/chainsaw-test.yaml +++ b/istio/prevent-disabling-injection-pods/.chainsaw-test/chainsaw-test.yaml 
@@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: @@ -8,16 +7,9 @@ spec: steps: - name: step-01 try: - - apply: - file: ../prevent-disabling-injection-pods.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: prevent-disabling-injection-pods - spec: - validationFailureAction: Enforce + - script: + content: | + sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../prevent-disabling-injection-pods.yaml | kubectl create -f - - assert: file: chainsaw-step-01-assert-1.yaml - name: step-02 @@ -36,3 +28,10 @@ spec: - check: ($error != null): true file: podcontroller-bad.yaml + - name: step-99 + try: + - delete: + ref: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: prevent-disabling-injection-pods diff --git a/istio/prevent-disabling-injection-pods/.chainsaw-test/pod-bad.yaml b/istio/prevent-disabling-injection-pods/.chainsaw-test/pod-bad.yaml index 21e4241b3..d68283137 100644 --- a/istio/prevent-disabling-injection-pods/.chainsaw-test/pod-bad.yaml +++ b/istio/prevent-disabling-injection-pods/.chainsaw-test/pod-bad.yaml @@ -10,7 +10,7 @@ metadata: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod @@ -19,9 +19,9 @@ metadata: foo: bar annotations: sidecar.istio.io/inject: "false" - app.k8s.io/name: badpod02 - name: badpod02 + app.k8s.io/name: badpod01 + name: badpod01 spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 \ No newline at end of file + image: busybox:1.35 \ No newline at end of file diff --git a/istio/prevent-disabling-injection-pods/.chainsaw-test/pod-good.yaml b/istio/prevent-disabling-injection-pods/.chainsaw-test/pod-good.yaml index 2a86675ca..de1e03c32 100644 
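Review bot: The second Pod in pod-bad.yaml is renamed from `badpod02` to `badpod01`, which appears to be the name of the first Pod in the same file (the removed kyverno-test.yaml listed `badpod01` and `badpod02` as this file's resources); the first Pod's metadata is outside the hunk, so this is inferred. With two documents sharing a name, a regression in which the policy lets the first Pod through would make the second fail with an AlreadyExists error, which still satisfies `($error != null): true` and hides the regression. Keeping `name: badpod02` and the matching `app.k8s.io/name: badpod02` label keeps the two cases independent. The switch to the unqualified `busybox:1.35` reference also leaves registry resolution to the node runtime instead of the pinned ghcr.io path used before; worth confirming that is intended.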
--- a/istio/prevent-disabling-injection-pods/.chainsaw-test/pod-good.yaml +++ b/istio/prevent-disabling-injection-pods/.chainsaw-test/pod-good.yaml @@ -10,7 +10,7 @@ metadata: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod @@ -23,4 +23,4 @@ metadata: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 \ No newline at end of file + image: busybox:1.35 \ No newline at end of file diff --git a/istio/prevent-disabling-injection-pods/.chainsaw-test/podcontroller-bad.yaml b/istio/prevent-disabling-injection-pods/.chainsaw-test/podcontroller-bad.yaml index 62bcc2d70..ad858a2d7 100644 --- a/istio/prevent-disabling-injection-pods/.chainsaw-test/podcontroller-bad.yaml +++ b/istio/prevent-disabling-injection-pods/.chainsaw-test/podcontroller-bad.yaml @@ -19,7 +19,7 @@ spec: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: apps/v1 kind: Deployment @@ -42,7 +42,7 @@ spec: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: batch/v1 kind: CronJob @@ -53,17 +53,16 @@ spec: jobTemplate: spec: template: - metadata: + spec: annotations: app.k8s.io/name: busybox sidecar.istio.io/inject: "false" - spec: containers: - name: hello - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 command: - sleep - - "3600" + - 3600 restartPolicy: OnFailure --- apiVersion: batch/v1 @@ -75,15 +74,14 @@ spec: jobTemplate: spec: template: - metadata: + spec: annotations: sidecar.istio.io/inject: "false" app.k8s.io/name: busybox - spec: containers: - name: hello - image: ghcr.io/kyverno/test-busybox:1.35 - command: + image: busybox:1.35 + command: - sleep - - "3600" + - 3600 restartPolicy: OnFailure \ No newline at end of file 
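Review bot: In the two CronJob hunks of podcontroller-bad.yaml (`@@ -53,17 +53,16 @@` and `@@ -75,15 +74,14 @@`) the new side places `annotations:` directly under `template.spec:`, but annotations belong to `template.metadata`; PodSpec has no such field, so with strict field validation the CronJob is rejected as malformed, and with lenient validation the `sidecar.istio.io/inject: "false"` annotation is dropped before the policy ever sees it. Either way the `($error != null): true` expectation no longer demonstrates that the rule caught the disabled injection. The unquoted `- 3600` is likewise parsed as an integer where `command` expects strings, another way for the object to be rejected for an unrelated reason. The fix per CronJob is to restore `metadata:` above `annotations:`, put `spec:` back above `containers:`, and write `- "3600"`; podcontroller-good.yaml makes the same `metadata:`→`spec:` move in its two CronJob hunks, where it will make the good resources fail to create or lose their annotation.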
diff --git a/istio/prevent-disabling-injection-pods/.chainsaw-test/podcontroller-good.yaml b/istio/prevent-disabling-injection-pods/.chainsaw-test/podcontroller-good.yaml index 8954aa77e..387a650ab 100644 --- a/istio/prevent-disabling-injection-pods/.chainsaw-test/podcontroller-good.yaml +++ b/istio/prevent-disabling-injection-pods/.chainsaw-test/podcontroller-good.yaml @@ -18,7 +18,7 @@ spec: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: apps/v1 kind: Deployment @@ -41,7 +41,7 @@ spec: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: batch/v1 kind: CronJob @@ -52,13 +52,12 @@ spec: jobTemplate: spec: template: - metadata: + spec: annotations: app.k8s.io/name: busybox - spec: containers: - name: hello - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 command: - "sleep" - "3600" @@ -73,14 +72,13 @@ spec: jobTemplate: spec: template: - metadata: + spec: annotations: app.k8s.io/name: busybox sidecar.istio.io/inject: "true" - spec: containers: - name: hello - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 command: - "sleep" - "3600" diff --git a/istio/prevent-disabling-injection-pods/.kyverno-test/kyverno-test.yaml b/istio/prevent-disabling-injection-pods/.kyverno-test/kyverno-test.yaml deleted file mode 100644 index 5aa5be9ad..000000000 --- a/istio/prevent-disabling-injection-pods/.kyverno-test/kyverno-test.yaml +++ /dev/null 
@@ -1,55 +0,0 @@ -apiVersion: cli.kyverno.io/v1alpha1 -kind: Test -metadata: - name: prevent-disabling-injection-pods -policies: -- ../prevent-disabling-injection-pods.yaml -resources: -- ../.chainsaw-test/pod-bad.yaml -- ../.chainsaw-test/podcontroller-bad.yaml -- ../.chainsaw-test/pod-good.yaml -- ../.chainsaw-test/podcontroller-good.yaml -results: -- policy: prevent-disabling-injection-pods - rule: prohibit-inject-annotation - kind: Pod - resources: - - badpod01 - - badpod02 - result: fail -- policy: prevent-disabling-injection-pods - rule: prohibit-inject-annotation - kind: Deployment - resources: - - baddeploy01 - - baddeploy02 - result: fail -- policy: prevent-disabling-injection-pods - rule: prohibit-inject-annotation - kind: CronJob - resources: - - badcronjob01 - - badcronjob02 - result: fail -- policy: prevent-disabling-injection-pods - rule: prohibit-inject-annotation - kind: Pod - resources: - - goodpod01 - - goodpod02 - result: pass -- policy: prevent-disabling-injection-pods - rule: prohibit-inject-annotation - kind: Deployment - resources: - - gooddeploy01 - - gooddeploy02 - result: pass -- policy: prevent-disabling-injection-pods - rule: prohibit-inject-annotation - kind: CronJob - resources: - - goodcronjob01 - - goodcronjob02 - result: pass - diff --git a/istio/prevent-disabling-injection-pods/artifacthub-pkg.yml b/istio/prevent-disabling-injection-pods/artifacthub-pkg.yml index cda4c10a2..c9b718b3c 100644 --- a/istio/prevent-disabling-injection-pods/artifacthub-pkg.yml +++ b/istio/prevent-disabling-injection-pods/artifacthub-pkg.yml @@ -19,4 +19,4 @@ annotations: kyverno/category: "Istio" kyverno/kubernetesVersion: "1.24" kyverno/subject: "Pod" -digest: 3694d6b6206d2a7e7a0d2cf91e696dc92469a64c66732e325f4824a46bb7c1dc +digest: d9555f2aed790d8fabc6fc8c0ed603f6ee99dce599c4e0114b4a23d0b184fd75 
diff --git a/istio/prevent-disabling-injection-pods/prevent-disabling-injection-pods.yaml b/istio/prevent-disabling-injection-pods/prevent-disabling-injection-pods.yaml index d8e89e3d6..20e71a2b0 100644 --- a/istio/prevent-disabling-injection-pods/prevent-disabling-injection-pods.yaml +++ b/istio/prevent-disabling-injection-pods/prevent-disabling-injection-pods.yaml @@ -16,7 +16,7 @@ metadata: thereby reducing visibility. This policy ensures that Pods cannot set the annotation `sidecar.istio.io/inject` to a value of `false`. spec: - validationFailureAction: Audit + validationFailureAction: audit background: true rules: - name: prohibit-inject-annotation diff --git a/istio/require-authorizationpolicy/.chainsaw-test/chainsaw-test.yaml b/istio/require-authorizationpolicy/.chainsaw-test/chainsaw-test.yaml index b3e41b721..35a5c4751 100755 --- a/istio/require-authorizationpolicy/.chainsaw-test/chainsaw-test.yaml +++ b/istio/require-authorizationpolicy/.chainsaw-test/chainsaw-test.yaml @@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: @@ -8,8 +7,6 @@ spec: steps: - name: step-01 try: - - apply: - file: permissions.yaml - apply: file: chainsaw-step-01-apply-1.yaml - apply: diff --git a/istio/require-authorizationpolicy/.chainsaw-test/permissions.yaml b/istio/require-authorizationpolicy/.chainsaw-test/permissions.yaml deleted file mode 100644 index 0d4153746..000000000 --- a/istio/require-authorizationpolicy/.chainsaw-test/permissions.yaml +++ /dev/null 
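Review bot: Dropping the `apply: file: permissions.yaml` step in require-authorizationpolicy's chainsaw-test.yaml removes the only thing in this test that granted Kyverno's controllers get/list/watch on `authorizationpolicies.security.istio.io` (the ClusterRole deleted in the same commit aggregated to the admission and reports controllers). The `check-authz-pol` rule is outside the diff, but a policy that checks whether a Namespace has at least one AuthorizationPolicy presumably has to look those objects up, and without that RBAC the lookup is denied and the policy cannot report correctly. Unless that permission is now provided by the cluster setup used for the suite, the test exercises a policy that cannot work as installed; confirming that, or keeping the permissions step, seems needed.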
@@ -1,16 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: kyverno:istio:auth:view - labels: - rbac.kyverno.io/aggregate-to-reports-controller: "true" - rbac.kyverno.io/aggregate-to-admission-controller: "true" -rules: -- apiGroups: - - 'security.istio.io' - resources: - - authorizationpolicies - verbs: - - get - - list - - watch \ No newline at end of file diff --git a/istio/require-authorizationpolicy/.chainsaw-test/policy-ready.yaml b/istio/require-authorizationpolicy/.chainsaw-test/policy-ready.yaml index 531869ffd..ee13fec52 100644 --- a/istio/require-authorizationpolicy/.chainsaw-test/policy-ready.yaml +++ b/istio/require-authorizationpolicy/.chainsaw-test/policy-ready.yaml @@ -3,7 +3,4 @@ kind: ClusterPolicy metadata: name: require-authorizationpolicies status: - conditions: - - reason: Succeeded - status: "True" - type: Ready + ready: true \ No newline at end of file diff --git a/istio/require-authorizationpolicy/artifacthub-pkg.yml b/istio/require-authorizationpolicy/artifacthub-pkg.yml index 48ec3dc74..a7b09404d 100644 --- a/istio/require-authorizationpolicy/artifacthub-pkg.yml +++ b/istio/require-authorizationpolicy/artifacthub-pkg.yml @@ -19,4 +19,4 @@ annotations: kyverno/category: "Istio" kyverno/kubernetesVersion: "1.24" kyverno/subject: "AuthorizationPolicy" -digest: d9ff9f3b2f3fbbbecb52cc92b14b02717fa497dc8ff3a9df9285b92ebc3c32a1 +digest: 6beea1fe2425e1ae6401738ffdedc3012109e67493b6cebdbb7c84eb79e490b0 diff --git a/istio/require-authorizationpolicy/require-authorizationpolicy.yaml b/istio/require-authorizationpolicy/require-authorizationpolicy.yaml index 6429055f4..1f6a47564 100644 --- a/istio/require-authorizationpolicy/require-authorizationpolicy.yaml +++ b/istio/require-authorizationpolicy/require-authorizationpolicy.yaml 
@@ -16,7 +16,7 @@ metadata: at least one AuthorizationPolicy. This policy, designed to run in background mode for reporting purposes, ensures every Namespace has at least one AuthorizationPolicy. spec: - validationFailureAction: Audit + validationFailureAction: audit background: true rules: - name: check-authz-pol diff --git a/istio/restrict-virtual-service-wildcard/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/istio/restrict-virtual-service-wildcard/.chainsaw-test/chainsaw-step-01-assert-1.yaml index b1adfb176..e823cc767 100755 --- a/istio/restrict-virtual-service-wildcard/.chainsaw-test/chainsaw-step-01-assert-1.yaml +++ b/istio/restrict-virtual-service-wildcard/.chainsaw-test/chainsaw-step-01-assert-1.yaml @@ -3,7 +3,4 @@ kind: ClusterPolicy metadata: name: restrict-virtual-service-wildcard status: - conditions: - - reason: Succeeded - status: "True" - type: Ready + ready: true diff --git a/istio/restrict-virtual-service-wildcard/.chainsaw-test/chainsaw-test.yaml b/istio/restrict-virtual-service-wildcard/.chainsaw-test/chainsaw-test.yaml index 9f29d00ac..b41d0b369 100755 --- a/istio/restrict-virtual-service-wildcard/.chainsaw-test/chainsaw-test.yaml +++ b/istio/restrict-virtual-service-wildcard/.chainsaw-test/chainsaw-test.yaml @@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: @@ -8,16 +7,9 @@ spec: steps: - name: step-01 try: - - apply: - file: ../restrict-virtual-service-wildcard.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: restrict-virtual-service-wildcard - spec: - validationFailureAction: Enforce + - script: + content: | + sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../restrict-virtual-service-wildcard.yaml | kubectl create -f - - assert: file: chainsaw-step-01-assert-1.yaml - assert: 
@@ -31,3 +23,10 @@ spec: - check: ($error != null): true file: bad-vs.yaml + - name: step-99 + try: + - delete: + ref: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: restrict-virtual-service-wildcard diff --git a/istio/restrict-virtual-service-wildcard/artifacthub-pkg.yml b/istio/restrict-virtual-service-wildcard/artifacthub-pkg.yml index 393023a6c..aa08fe72b 100644 --- a/istio/restrict-virtual-service-wildcard/artifacthub-pkg.yml +++ b/istio/restrict-virtual-service-wildcard/artifacthub-pkg.yml @@ -19,4 +19,4 @@ annotations: kyverno/category: "Istio" kyverno/kubernetesVersion: "1.23" kyverno/subject: "VirtualService" -digest: 99689de2d291550cb8ade3458bc15c5e860b1453a09cc13348429ab3fd4de90b +digest: 34ccfc30dd8bb8dd88099456cf3dff05d48ca160d844a897278e18b389f1b394 diff --git a/istio/restrict-virtual-service-wildcard/restrict-virtual-service-wildcard.yaml b/istio/restrict-virtual-service-wildcard/restrict-virtual-service-wildcard.yaml index a0da5276b..40ebae537 100644 --- a/istio/restrict-virtual-service-wildcard/restrict-virtual-service-wildcard.yaml +++ b/istio/restrict-virtual-service-wildcard/restrict-virtual-service-wildcard.yaml @@ -18,7 +18,7 @@ metadata: character and allows for more governance when a single mesh deployment model is used. spec: - validationFailureAction: Audit + validationFailureAction: audit background: true rules: - name: block-virtual-service-wildcard diff --git a/istio/service-mesh-disallow-capabilities/.chainsaw-test/bad.yaml b/istio/service-mesh-disallow-capabilities/.chainsaw-test/bad.yaml deleted file mode 100644 index 30ff5e7df..000000000 --- a/istio/service-mesh-disallow-capabilities/.chainsaw-test/bad.yaml +++ /dev/null 
@@ -1,201 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: bad01 -spec: - initContainers: - - name: istio-init - image: docker.io/istio/proxyv2:1.22.0 - args: - - istio-iptables - - -p - - "15001" - - -z - - "15006" - - -u - - "1337" - - -m - - REDIRECT - - -i - - '*' - - -x - - "" - - -b - - '*' - - -d - - 15090,15021,15020 - - --log_output_level=default:info - securityContext: - allowPrivilegeEscalation: false - capabilities: - add: - - NET_ADMIN - - NET_RAW - - SYS_ADMIN - drop: - - ALL - privileged: false - readOnlyRootFilesystem: false - runAsGroup: 0 - runAsNonRoot: false - runAsUser: 0 - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 - args: - - sleep - - infinity - # securityContext: - # runAsNonRoot: true - # capabilities: - # add: - # - NET_ADMIN - # - NET_RAW - # - SYS_ADMIN ---- -apiVersion: v1 -kind: Pod -metadata: - name: bad02 -spec: - initContainers: - - name: istio-init - image: docker.io/mymalicious/image:1.2.3 - args: - - istio-iptables - - -p - - "15001" - - -z - - "15006" - - -u - - "1337" - - -m - - REDIRECT - - -i - - '*' - - -x - - "" - - -b - - '*' - - -d - - 15090,15021,15020 - - --log_output_level=default:info - securityContext: - allowPrivilegeEscalation: false - capabilities: - add: - - NET_ADMIN - drop: - - ALL - privileged: false - readOnlyRootFilesystem: false - runAsGroup: 0 - runAsNonRoot: false - runAsUser: 0 - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 - args: - - sleep - - infinity - # securityContext: - # runAsNonRoot: true - # capabilities: - # add: - # - NET_ADMIN - # - NET_RAW - # - SYS_ADMIN ---- -apiVersion: v1 -kind: Pod -metadata: - name: bad03 -spec: - containers: - - name: istio-init - image: docker.io/istio/proxyv2:1.22.0 - args: - - istio-iptables - - -p - - "15001" - - -z - - "15006" - - -u - - "1337" - - -m - - REDIRECT - - -i - - '*' - - -x - - "" - - -b - - '*' - - -d - - 15090,15021,15020 - - --log_output_level=default:info - securityContext: - 
allowPrivilegeEscalation: false - capabilities: - add: - - NET_ADMIN - - NET_RAW - drop: - - ALL - privileged: false - readOnlyRootFilesystem: false - runAsGroup: 0 - runAsNonRoot: false - runAsUser: 0 ---- -apiVersion: v1 -kind: Pod -metadata: - name: bad04 -spec: - initContainers: - - name: istio-init - image: docker.io/istio/proxyv2:1.22.0 - args: - - istio-iptables - - -p - - "15001" - - -z - - "15006" - - -u - - "1337" - - -m - - REDIRECT - - -i - - '*' - - -x - - "" - - -b - - '*' - - -d - - 15090,15021,15020 - - --log_output_level=default:info - securityContext: - allowPrivilegeEscalation: false - capabilities: - add: - - NET_ADMIN - drop: - - ALL - privileged: false - readOnlyRootFilesystem: false - runAsGroup: 0 - runAsNonRoot: false - runAsUser: 0 - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 - args: - - sleep - - infinity - securityContext: - runAsNonRoot: true - capabilities: - add: - - NET_ADMIN - # - NET_RAW - # - SYS_ADMIN diff --git a/istio/service-mesh-disallow-capabilities/.chainsaw-test/chainsaw-test.yaml b/istio/service-mesh-disallow-capabilities/.chainsaw-test/chainsaw-test.yaml deleted file mode 100644 index b662dafdc..000000000 --- a/istio/service-mesh-disallow-capabilities/.chainsaw-test/chainsaw-test.yaml +++ /dev/null 
@@ -1,34 +0,0 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json -apiVersion: chainsaw.kyverno.io/v1alpha1 -kind: Test -metadata: - name: service-mesh-disallow-capabilities -spec: - steps: - - name: Create policy in Enforce mode - try: - - apply: - file: ../service-mesh-disallow-capabilities.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: service-mesh-disallow-capabilities - spec: - validationFailureAction: Enforce - - assert: - file: policy-ready.yaml -## Resource tests will not be 100% comprehensive because of major overlap with -## the PSS source of this policy. - - name: Create good resources - try: - - apply: - file: good.yaml - - name: Try to create bad resources - try: - - apply: - expect: - - check: - ($error != null): true - file: bad.yaml diff --git a/istio/service-mesh-disallow-capabilities/.chainsaw-test/good.yaml b/istio/service-mesh-disallow-capabilities/.chainsaw-test/good.yaml deleted file mode 100644 index db18be3cc..000000000 --- a/istio/service-mesh-disallow-capabilities/.chainsaw-test/good.yaml +++ /dev/null 
@@ -1,100 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: good01 -spec: - initContainers: - - name: istio-init - image: docker.io/istio/proxyv2:1.22.0 - args: - - istio-iptables - - -p - - "15001" - - -z - - "15006" - - -u - - "1337" - - -m - - REDIRECT - - -i - - '*' - - -x - - "" - - -b - - '*' - - -d - - 15090,15021,15020 - - --log_output_level=default:info - securityContext: - allowPrivilegeEscalation: false - capabilities: - add: - - NET_ADMIN - - NET_RAW - # - SYS_ADMIN - drop: - - ALL - privileged: false - readOnlyRootFilesystem: false - runAsGroup: 0 - runAsNonRoot: false - runAsUser: 0 - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 - args: - - sleep - - infinity - # securityContext: - # runAsNonRoot: true - # capabilities: - # add: - # - NET_ADMIN - # - NET_RAW - # - SYS_ADMIN ---- -apiVersion: v1 -kind: Pod -metadata: - name: good02 -spec: - initContainers: - - args: - - --incoming-proxy-port - - "4143" - - --outgoing-proxy-port - - "4140" - - --proxy-uid - - "2102" - - --inbound-ports-to-ignore - - 4190,4191,4567,4568 - - --outbound-ports-to-ignore - - 4567,4568 - image: cr.l5d.io/linkerd/proxy-init:v2.4.0 - name: linkerd-init - securityContext: - allowPrivilegeEscalation: false - capabilities: - add: - - NET_ADMIN - - NET_RAW - # - SYS_ADMIN - privileged: false - readOnlyRootFilesystem: true - runAsNonRoot: true - runAsUser: 65534 - seccompProfile: - type: RuntimeDefault - containers: - - args: - - sleep - - infinity - image: ghcr.io/kyverno/test-busybox:1.35 - name: busybox - # securityContext: - # runAsNonRoot: true - # capabilities: - # add: - # - NET_ADMIN - # - NET_RAW - # - SYS_ADMIN diff --git a/istio/service-mesh-disallow-capabilities/.chainsaw-test/policy-ready.yaml b/istio/service-mesh-disallow-capabilities/.chainsaw-test/policy-ready.yaml deleted file mode 100644 index 3506239bf..000000000 --- a/istio/service-mesh-disallow-capabilities/.chainsaw-test/policy-ready.yaml +++ /dev/null 
@@ -1,9 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: service-mesh-disallow-capabilities -status: - conditions: - - reason: Succeeded - status: "True" - type: Ready diff --git a/istio/service-mesh-disallow-capabilities/artifacthub-pkg.yml b/istio/service-mesh-disallow-capabilities/artifacthub-pkg.yml deleted file mode 100644 index 52d8c99a2..000000000 --- a/istio/service-mesh-disallow-capabilities/artifacthub-pkg.yml +++ /dev/null 
@@ -1,23 +0,0 @@ -name: service-mesh-disallow-capabilities -version: 1.0.0 -displayName: Service Mesh Disallow Capabilities -createdAt: "2023-05-31T23:00:00.000Z" -description: >- - This policy is a variation of the disallow-capabilities policy that is a part of the Pod Security Standards (Baseline) category. It enforces the same control but with provisions for common service mesh initContainers from Istio and Linkerd which need the additional capabilities, NET_ADMIN and NET_RAW. For more information and context, see the Kyverno blog post at https://kyverno.io/blog/2024/02/04/securing-services-meshes-easier-with-kyverno/. -install: |- - ```shell - kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/istio/service-mesh-disallow-capabilities/service-mesh-disallow-capabilities.yaml - ``` -keywords: - - kyverno - - Istio - - Linkerd -readme: | - This policy is a variation of the disallow-capabilities policy that is a part of the Pod Security Standards (Baseline) category. It enforces the same control but with provisions for common service mesh initContainers from Istio and Linkerd which need the additional capabilities, NET_ADMIN and NET_RAW. For more information and context, see the Kyverno blog post at https://kyverno.io/blog/2024/02/04/securing-services-meshes-easier-with-kyverno/. - - Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ -annotations: - kyverno/category: "Istio" - kyverno/kubernetesVersion: "1.28" - kyverno/subject: "Pod" -digest: e54bfd4c63648e10d399dd6b2e7bb4c43959c66125f6d086ae0ee73b31a1219c diff --git a/istio/service-mesh-disallow-capabilities/service-mesh-disallow-capabilities.yaml b/istio/service-mesh-disallow-capabilities/service-mesh-disallow-capabilities.yaml deleted file mode 100644 index aece67bdc..000000000 --- a/istio/service-mesh-disallow-capabilities/service-mesh-disallow-capabilities.yaml +++ /dev/null 
@@ -1,86 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: service-mesh-disallow-capabilities - annotations: - policies.kyverno.io/title: Service Mesh Disallow Capabilities - policies.kyverno.io/category: Istio, Linkerd, Pod Security Standards (Baseline) - policies.kyverno.io/severity: medium - kyverno.io/kyverno-version: 1.12.3 - kyverno.io/kubernetes-version: "1.28" - policies.kyverno.io/subject: Pod - policies.kyverno.io/description: >- - This policy is a variation of the disallow-capabilities policy that is a part of the - Pod Security Standards (Baseline) category. It enforces the same control but with - provisions for common service mesh initContainers from Istio and Linkerd which need - the additional capabilities, NET_ADMIN and NET_RAW. For more information and context, - see the Kyverno blog post at https://kyverno.io/blog/2024/02/04/securing-services-meshes-easier-with-kyverno/. -spec: - validationFailureAction: Audit - background: true - rules: - - name: adding-capabilities-istio-linkerd - match: - any: - - resources: - kinds: - - Pod - preconditions: - all: - - key: "{{ request.operation || 'BACKGROUND' }}" - operator: NotEquals - value: DELETE - context: - - name: capabilities - variable: - value: ["AUDIT_WRITE","CHOWN","DAC_OVERRIDE","FOWNER","FSETID","KILL","MKNOD","NET_BIND_SERVICE","SETFCAP","SETGID","SETPCAP","SETUID","SYS_CHROOT"] - validate: - message: >- - Any capabilities added beyond the allowed list (AUDIT_WRITE, CHOWN, DAC_OVERRIDE, FOWNER, - FSETID, KILL, MKNOD, NET_BIND_SERVICE, SETFCAP, SETGID, SETPCAP, SETUID, SYS_CHROOT) - are disallowed. Service mesh initContainers may additionally add NET_ADMIN and NET_RAW. 
- foreach: - - list: request.object.spec.initContainers[] - preconditions: - all: - - key: "{{ element.image }}" - operator: AnyIn - value: - - "*/istio/proxyv2*" - - "*/linkerd/proxy-init*" - - key: "{{ element.securityContext.capabilities.add[] || `[]` }}" - operator: AnyNotIn - value: - - NET_ADMIN - - NET_RAW - - "{{ capabilities }}" - deny: - conditions: - all: - - key: "{{ element.securityContext.capabilities.add[] || `[]` }}" - operator: AnyNotIn - value: "{{ capabilities }}" - message: The service mesh initContainer {{ element.name }} is attempting to add forbidden capabilities. - - list: request.object.spec.initContainers[] - preconditions: - all: - - key: "{{ element.image }}" - operator: AnyNotIn - value: - - "*/istio/proxyv2*" - - "*/linkerd/proxy-init*" - deny: - conditions: - all: - - key: "{{ element.securityContext.capabilities.add[] || `[]` }}" - operator: AnyNotIn - value: "{{ capabilities }}" - message: The initContainer {{ element.name }} is attempting to add forbidden capabilities. - - list: request.object.spec.[ephemeralContainers, containers][] - deny: - conditions: - all: - - key: "{{ element.securityContext.capabilities.add[] || `[]` }}" - operator: AnyNotIn - value: "{{ capabilities }}" - message: The container {{ element.name }} is attempting to add forbidden capabilities. \ No newline at end of file diff --git a/istio/service-mesh-require-run-as-nonroot/.chainsaw-test/bad.yaml b/istio/service-mesh-require-run-as-nonroot/.chainsaw-test/bad.yaml deleted file mode 100644 index c665359f8..000000000 --- a/istio/service-mesh-require-run-as-nonroot/.chainsaw-test/bad.yaml +++ /dev/null 
@@ -1,97 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: bad01 -spec: - initContainers: - - name: istio-init - image: docker.io/mymalicious/proxyv2:1.22.0 - args: - - istio-iptables - - -p - - "15001" - - -z - - "15006" - - -u - - "1337" - - -m - - REDIRECT - - -i - - '*' - - -x - - "" - - -b - - '*' - - -d - - 15090,15021,15020 - - --log_output_level=default:info - securityContext: - allowPrivilegeEscalation: false - capabilities: - add: - - NET_ADMIN - - NET_RAW - drop: - - ALL - privileged: false - readOnlyRootFilesystem: false - runAsGroup: 0 - runAsNonRoot: false - runAsUser: 0 - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 - args: - - sleep - - infinity - securityContext: - runAsNonRoot: true ---- -apiVersion: v1 -kind: Pod -metadata: - name: bad02 -spec: - initContainers: - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 - args: - - sleep - - "2" - securityContext: - runAsNonRoot: true - containers: - - name: istio-init - image: docker.io/istio/proxyv2:1.22.0 - args: - - istio-iptables - - -p - - "15001" - - -z - - "15006" - - -u - - "1337" - - -m - - REDIRECT - - -i - - '*' - - -x - - "" - - -b - - '*' - - -d - - 15090,15021,15020 - - --log_output_level=default:info - securityContext: - allowPrivilegeEscalation: false - capabilities: - add: - - NET_ADMIN - - NET_RAW - drop: - - ALL - privileged: false - readOnlyRootFilesystem: false - runAsGroup: 0 - runAsNonRoot: false - runAsUser: 0 \ No newline at end of file diff --git a/istio/service-mesh-require-run-as-nonroot/.chainsaw-test/chainsaw-test.yaml b/istio/service-mesh-require-run-as-nonroot/.chainsaw-test/chainsaw-test.yaml deleted file mode 100644 index 66f8bd070..000000000 --- a/istio/service-mesh-require-run-as-nonroot/.chainsaw-test/chainsaw-test.yaml +++ /dev/null 
@@ -1,34 +0,0 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json -apiVersion: chainsaw.kyverno.io/v1alpha1 -kind: Test -metadata: - name: service-mesh-require-run-as-nonroot -spec: - steps: - - name: Create policy in Enforce mode - try: - - apply: - file: ../service-mesh-require-run-as-nonroot.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: service-mesh-require-run-as-nonroot - spec: - validationFailureAction: Enforce - - assert: - file: policy-ready.yaml -## Resource tests will not be 100% comprehensive because of major overlap with -## the PSS source of this policy. - - name: Create good resources - try: - - apply: - file: good.yaml - - name: Try to create bad resources - try: - - apply: - expect: - - check: - ($error != null): true - file: bad.yaml diff --git a/istio/service-mesh-require-run-as-nonroot/.chainsaw-test/good.yaml b/istio/service-mesh-require-run-as-nonroot/.chainsaw-test/good.yaml deleted file mode 100644 index b43fabe72..000000000 --- a/istio/service-mesh-require-run-as-nonroot/.chainsaw-test/good.yaml +++ /dev/null @@ -1,48 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: good01 -spec: - initContainers: - - name: istio-init - image: docker.io/istio/proxyv2:1.22.0 - args: - - istio-iptables - - -p - - "15001" - - -z - - "15006" - - -u - - "1337" - - -m - - REDIRECT - - -i - - '*' - - -x - - "" - - -b - - '*' - - -d - - 15090,15021,15020 - - --log_output_level=default:info - securityContext: - allowPrivilegeEscalation: false - capabilities: - add: - - NET_ADMIN - - NET_RAW - drop: - - ALL - privileged: false - readOnlyRootFilesystem: false - runAsGroup: 0 - runAsNonRoot: false - runAsUser: 0 - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 - args: - - sleep - - infinity - securityContext: - runAsNonRoot: true \ No newline at end of file 
diff --git a/istio/service-mesh-require-run-as-nonroot/.chainsaw-test/policy-ready.yaml b/istio/service-mesh-require-run-as-nonroot/.chainsaw-test/policy-ready.yaml deleted file mode 100644 index 84f1f8fca..000000000 --- a/istio/service-mesh-require-run-as-nonroot/.chainsaw-test/policy-ready.yaml +++ /dev/null @@ -1,9 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: service-mesh-require-run-as-nonroot -status: - conditions: - - reason: Succeeded - status: "True" - type: Ready diff --git a/istio/service-mesh-require-run-as-nonroot/artifacthub-pkg.yml b/istio/service-mesh-require-run-as-nonroot/artifacthub-pkg.yml deleted file mode 100644 index 5f6997dd3..000000000 --- a/istio/service-mesh-require-run-as-nonroot/artifacthub-pkg.yml +++ /dev/null 
@@ -1,22 +0,0 @@
-name: service-mesh-require-run-as-nonroot -version: 1.0.0 -displayName: Service Mesh Require runAsNonRoot -createdAt: "2023-05-31T23:00:00.000Z" -description: >- - This policy is a variation of the Require runAsNonRoot policy that is a part of the Pod Security Standards (Restricted) category. It enforces the same control but with provisions for Istio's initContainer. For more information and context, see the Kyverno blog post at https://kyverno.io/blog/2024/02/04/securing-services-meshes-easier-with-kyverno/. -install: |- - ```shell - kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/istio/service-mesh-require-run-as-nonroot/service-mesh-require-run-as-nonroot.yaml - ``` -keywords: - - kyverno - - Istio -readme: | - This policy is a variation of the Require runAsNonRoot policy that is a part of the Pod Security Standards (Restricted) category. It enforces the same control but with provisions for Istio's initContainer. For more information and context, see the Kyverno blog post at https://kyverno.io/blog/2024/02/04/securing-services-meshes-easier-with-kyverno/. - - Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ -annotations: - kyverno/category: "Istio" - kyverno/kubernetesVersion: "1.28" - kyverno/subject: "Pod" -digest: 5c4854ed8cb13cbf74b8182df4a8f6a3d1912188ba13e266ffdfc7a2fb74e7e4
diff --git a/istio/service-mesh-require-run-as-nonroot/service-mesh-require-run-as-nonroot.yaml b/istio/service-mesh-require-run-as-nonroot/service-mesh-require-run-as-nonroot.yaml
deleted file mode 100644
index dc9759736..000000000
--- a/istio/service-mesh-require-run-as-nonroot/service-mesh-require-run-as-nonroot.yaml
+++ /dev/null
@@ -1,57 +0,0 @@
-apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: service-mesh-require-run-as-nonroot - annotations: - policies.kyverno.io/title: Service Mesh Require runAsNonRoot - policies.kyverno.io/category: Istio, Pod Security Standards (Restricted) - policies.kyverno.io/severity: medium - kyverno.io/kyverno-version: 1.12.3 - kyverno.io/kubernetes-version: "1.28" - policies.kyverno.io/subject: Pod - policies.kyverno.io/description: >- - This policy is a variation of the Require runAsNonRoot policy that is a part of the - Pod Security Standards (Restricted) category. It enforces the same control but with - provisions for Istio's initContainer. For more information and context, - see the Kyverno blog post at https://kyverno.io/blog/2024/02/04/securing-services-meshes-easier-with-kyverno/. -spec: - validationFailureAction: Audit - background: true - rules: - - name: run-as-non-root-istio - match: - any: - - resources: - kinds: - - Pod - validate: - message: >- - Running as root is not allowed. Either the field spec.securityContext.runAsNonRoot - must be set to `true`, or the fields spec.containers[*].securityContext.runAsNonRoot, - spec.initContainers[*].securityContext.runAsNonRoot, and spec.ephemeralContainers[*].securityContext.runAsNonRoot - must be set to `true`. - anyPattern: - - spec: - securityContext: - runAsNonRoot: true - =(ephemeralContainers): - - =(securityContext): - =(runAsNonRoot): true - =(initContainers): - - (image): "!*istio/proxyv2*" - =(securityContext): - =(runAsNonRoot): true - containers: - - =(securityContext): - =(runAsNonRoot): true - - spec: - =(ephemeralContainers): - - securityContext: - runAsNonRoot: true - =(initContainers): - - (image): "!*istio/proxyv2*" - securityContext: - runAsNonRoot: true - containers: - - securityContext: - runAsNonRoot: true
diff --git a/karpenter/add-karpenter-daemonset-priority-class/.chainsaw-test/chainsaw-test.yaml b/karpenter/add-karpenter-daemonset-priority-class/.chainsaw-test/chainsaw-test.yaml
index 6ec7e94d8..e8706dfe7 100755
--- a/karpenter/add-karpenter-daemonset-priority-class/.chainsaw-test/chainsaw-test.yaml
+++ b/karpenter/add-karpenter-daemonset-priority-class/.chainsaw-test/chainsaw-test.yaml
@@ -1,4 +1,3 @@
-# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
 apiVersion: chainsaw.kyverno.io/v1alpha1
 kind: Test
 metadata:
diff --git a/karpenter/add-karpenter-daemonset-priority-class/.chainsaw-test/patched-resource.yaml b/karpenter/add-karpenter-daemonset-priority-class/.chainsaw-test/patched-resource.yaml
index 072f906ea..a31e7ca64 100644
--- a/karpenter/add-karpenter-daemonset-priority-class/.chainsaw-test/patched-resource.yaml
+++ b/karpenter/add-karpenter-daemonset-priority-class/.chainsaw-test/patched-resource.yaml
@@ -13,7 +13,7 @@ spec:
 spec:
 containers:
 - name: test
- image: ghcr.io/kyverno/test-busybox:1.35
+ image: busybox:1.35
 priorityClassName: system-node-critical
 ---
 apiVersion: apps/v1
@@ -31,5 +31,5 @@ spec:
 spec:
 containers:
 - name: test
- image: ghcr.io/kyverno/test-busybox:1.35
+ image: busybox:1.35
 priorityClassName: system-node-critical
diff --git a/karpenter/add-karpenter-daemonset-priority-class/.chainsaw-test/policy-ready.yaml b/karpenter/add-karpenter-daemonset-priority-class/.chainsaw-test/policy-ready.yaml
index 4e45c009d..ec47d15a5 100644
--- a/karpenter/add-karpenter-daemonset-priority-class/.chainsaw-test/policy-ready.yaml
+++ b/karpenter/add-karpenter-daemonset-priority-class/.chainsaw-test/policy-ready.yaml
@@ -3,7 +3,4 @@ kind: ClusterPolicy
 metadata:
 name: add-karpenter-daemonset-priority-class
 status:
- conditions:
- - reason: Succeeded
- status: "True"
- type: Ready
+ ready: true
\ No newline at end of file
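Review bot: `image: busybox:1.35` in both patched-resource.yaml hunks is an unqualified image reference, so the registry it is pulled from is decided by the container runtime's default rather than by the manifest, and the bare tag carries no provenance guarantee; the reference it replaces was fully qualified. If the fixture is meant to resolve to the same content on every CI runner, prefer at least `image: docker.io/library/busybox:1.35`, or pin by digest (`image: docker.io/library/busybox:1.35@sha256:<DIGEST>`, placeholder). Anonymous pulls from Docker Hub are also rate-limited, which tends to surface as flaky test runs rather than a clear failure. The same substitution is made in resource.yaml, patched03.yaml, patched04.yaml, resource-others.yaml, the patch-*.yaml files, pod-others*.yaml and podcontroller-*.yaml further down this diff, so whatever is decided here applies to all of them.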
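Review bot: `ready: true` in the policy-ready.yaml hunk is a weaker assertion than the `Ready` condition it replaces: the conditions form also pinned `reason: Succeeded`, which a single boolean cannot express, so the test can no longer tell why the policy became ready. As far as I recall, Kyverno's ClusterPolicy `status.ready` is marked deprecated in favour of `status.conditions` in the v1 API — worth confirming against the Kyverno version this repo targets before standardising on it. The new side also drops the trailing newline (`\ No newline at end of file`); ending the file with `ready: true` followed by a newline keeps yamllint quiet. The same substitution appears in the policy-ready.yaml hunks for add-karpenter-donot-evict, add-karpenter-nodeselector and set-karpenter-non-cpu-limits.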
diff --git a/karpenter/add-karpenter-daemonset-priority-class/.chainsaw-test/resource.yaml b/karpenter/add-karpenter-daemonset-priority-class/.chainsaw-test/resource.yaml
index aa7d5b191..ff19bbf31 100644
--- a/karpenter/add-karpenter-daemonset-priority-class/.chainsaw-test/resource.yaml
+++ b/karpenter/add-karpenter-daemonset-priority-class/.chainsaw-test/resource.yaml
@@ -13,7 +13,7 @@ spec:
 spec:
 containers:
 - name: test
- image: ghcr.io/kyverno/test-busybox:1.35
+ image: busybox:1.35
 ---
 apiVersion: apps/v1
 kind: DaemonSet
@@ -30,5 +30,5 @@ spec:
 spec:
 containers:
 - name: test
- image: ghcr.io/kyverno/test-busybox:1.35
+ image: busybox:1.35
 priorityClassName: system-node-not-critical
diff --git a/karpenter/add-karpenter-donot-evict/.chainsaw-test/chainsaw-test.yaml b/karpenter/add-karpenter-donot-evict/.chainsaw-test/chainsaw-test.yaml
index 9f63edf0f..150c5abfd 100755
--- a/karpenter/add-karpenter-donot-evict/.chainsaw-test/chainsaw-test.yaml
+++ b/karpenter/add-karpenter-donot-evict/.chainsaw-test/chainsaw-test.yaml
@@ -1,4 +1,3 @@
-# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
 apiVersion: chainsaw.kyverno.io/v1alpha1
 kind: Test
 metadata:
diff --git a/karpenter/add-karpenter-donot-evict/.chainsaw-test/patched03.yaml b/karpenter/add-karpenter-donot-evict/.chainsaw-test/patched03.yaml
index 88afce3e3..3908e040c 100644
--- a/karpenter/add-karpenter-donot-evict/.chainsaw-test/patched03.yaml
+++ b/karpenter/add-karpenter-donot-evict/.chainsaw-test/patched03.yaml
@@ -11,7 +11,7 @@ spec:
 spec:
 containers:
 - name: busybox
- image: ghcr.io/kyverno/test-busybox:1.35
+ image: busybox:1.35
 command: ["sleep", "3600"]
 restartPolicy: Never
 backoffLimit: 4
\ No newline at end of file
diff --git a/karpenter/add-karpenter-donot-evict/.chainsaw-test/patched04.yaml b/karpenter/add-karpenter-donot-evict/.chainsaw-test/patched04.yaml
index e8bcbcc96..7b48a46b4 100644
--- a/karpenter/add-karpenter-donot-evict/.chainsaw-test/patched04.yaml
+++ b/karpenter/add-karpenter-donot-evict/.chainsaw-test/patched04.yaml
@@ -14,6 +14,6 @@ spec:
 spec:
 containers:
 - name: busybox
- image: ghcr.io/kyverno/test-busybox:1.35
+ image: busybox:1.35
 command: ["sleep", "3600"]
 restartPolicy: OnFailure
\ No newline at end of file
diff --git a/karpenter/add-karpenter-donot-evict/.chainsaw-test/policy-ready.yaml b/karpenter/add-karpenter-donot-evict/.chainsaw-test/policy-ready.yaml
index c5ce7564c..7329ff5d9 100644
--- a/karpenter/add-karpenter-donot-evict/.chainsaw-test/policy-ready.yaml
+++ b/karpenter/add-karpenter-donot-evict/.chainsaw-test/policy-ready.yaml
@@ -3,7 +3,4 @@ kind: ClusterPolicy
 metadata:
 name: add-karpenter-donot-evict
 status:
- conditions:
- - reason: Succeeded
- status: "True"
- type: Ready
+ ready: true
\ No newline at end of file
diff --git a/karpenter/add-karpenter-donot-evict/.chainsaw-test/resource-others.yaml b/karpenter/add-karpenter-donot-evict/.chainsaw-test/resource-others.yaml
index d97e2d52e..46f622c67 100644
--- a/karpenter/add-karpenter-donot-evict/.chainsaw-test/resource-others.yaml
+++ b/karpenter/add-karpenter-donot-evict/.chainsaw-test/resource-others.yaml
@@ -11,7 +11,7 @@ spec:
 spec:
 containers:
 - name: busybox
- image: ghcr.io/kyverno/test-busybox:1.35
+ image: busybox:1.35
 command: ["sleep", "3600"]
 restartPolicy: Never
 backoffLimit: 4
@@ -32,6 +32,6 @@ spec:
 spec:
 containers:
 - name: busybox
- image: ghcr.io/kyverno/test-busybox:1.35
+ image: busybox:1.35
 command: ["sleep", "3600"]
 restartPolicy: OnFailure
\ No newline at end of file
diff --git a/karpenter/add-karpenter-nodeselector/.chainsaw-test/chainsaw-test.yaml b/karpenter/add-karpenter-nodeselector/.chainsaw-test/chainsaw-test.yaml
index 1abf75bc6..1432c042d 100755
--- a/karpenter/add-karpenter-nodeselector/.chainsaw-test/chainsaw-test.yaml
+++ b/karpenter/add-karpenter-nodeselector/.chainsaw-test/chainsaw-test.yaml
@@ -1,4 +1,3 @@
-# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
 apiVersion: chainsaw.kyverno.io/v1alpha1
 kind: Test
 metadata:
diff --git a/karpenter/add-karpenter-nodeselector/.chainsaw-test/patch-lg-bad.yaml b/karpenter/add-karpenter-nodeselector/.chainsaw-test/patch-lg-bad.yaml
index b66cf0724..14dfa4af3 100644
--- a/karpenter/add-karpenter-nodeselector/.chainsaw-test/patch-lg-bad.yaml
+++ b/karpenter/add-karpenter-nodeselector/.chainsaw-test/patch-lg-bad.yaml
@@ -9,4 +9,4 @@ spec:
 karpenter.sh/capacity-type: spot
 containers:
 - name: busybox
- image: ghcr.io/kyverno/test-busybox:1.35
\ No newline at end of file
+ image: busybox:1.35
\ No newline at end of file
diff --git a/karpenter/add-karpenter-nodeselector/.chainsaw-test/patch-lg.yaml b/karpenter/add-karpenter-nodeselector/.chainsaw-test/patch-lg.yaml
index 8ec12b731..f9b63851c 100644
--- a/karpenter/add-karpenter-nodeselector/.chainsaw-test/patch-lg.yaml
+++ b/karpenter/add-karpenter-nodeselector/.chainsaw-test/patch-lg.yaml
@@ -9,7 +9,7 @@ spec:
 karpenter.sh/capacity-type: on-demand
 containers:
 - name: busybox
- image: ghcr.io/kyverno/test-busybox:1.35
+ image: busybox:1.35
 ---
 apiVersion: v1
 kind: Pod
@@ -22,4 +22,4 @@ spec:
 karpenter.sh/capacity-type: on-demand
 containers:
 - name: busybox
- image: ghcr.io/kyverno/test-busybox:1.35
\ No newline at end of file
+ image: busybox:1.35
\ No newline at end of file
diff --git a/karpenter/add-karpenter-nodeselector/.chainsaw-test/patch-med-bad.yaml b/karpenter/add-karpenter-nodeselector/.chainsaw-test/patch-med-bad.yaml
index 0e0daaa68..97f92406d 100644
--- a/karpenter/add-karpenter-nodeselector/.chainsaw-test/patch-med-bad.yaml
+++ b/karpenter/add-karpenter-nodeselector/.chainsaw-test/patch-med-bad.yaml
@@ -9,4 +9,4 @@ spec:
 karpenter.sh/capacity-type: on-demand
 containers:
 - name: busybox
- image: ghcr.io/kyverno/test-busybox:1.35
\ No newline at end of file
+ image: busybox:1.35
\ No newline at end of file
diff --git a/karpenter/add-karpenter-nodeselector/.chainsaw-test/patch-med.yaml b/karpenter/add-karpenter-nodeselector/.chainsaw-test/patch-med.yaml
index b3d654d9a..052f8d02c 100644
--- a/karpenter/add-karpenter-nodeselector/.chainsaw-test/patch-med.yaml
+++ b/karpenter/add-karpenter-nodeselector/.chainsaw-test/patch-med.yaml
@@ -9,7 +9,7 @@ spec:
 karpenter.sh/capacity-type: spot
 containers:
 - name: busybox
- image: ghcr.io/kyverno/test-busybox:1.35
+ image: busybox:1.35
 ---
 apiVersion: v1
 kind: Pod
@@ -22,4 +22,4 @@ spec:
 karpenter.sh/capacity-type: spot
 containers:
 - name: busybox
- image: ghcr.io/kyverno/test-busybox:1.35
\ No newline at end of file
+ image: busybox:1.35
\ No newline at end of file
diff --git a/karpenter/add-karpenter-nodeselector/.chainsaw-test/patch-sm-bad.yaml b/karpenter/add-karpenter-nodeselector/.chainsaw-test/patch-sm-bad.yaml
index d12a1d0f3..3574a6c39 100644
--- a/karpenter/add-karpenter-nodeselector/.chainsaw-test/patch-sm-bad.yaml
+++ b/karpenter/add-karpenter-nodeselector/.chainsaw-test/patch-sm-bad.yaml
@@ -9,7 +9,7 @@ spec:
 karpenter.sh/capacity-type: spot
 containers:
 - name: busybox
- image: ghcr.io/kyverno/test-busybox:1.35
+ image: busybox:1.35
 ---
 apiVersion: v1
 kind: Pod
@@ -22,4 +22,4 @@ spec:
 karpenter.sh/capacity-type: on-demand
 containers:
 - name: busybox
- image: ghcr.io/kyverno/test-busybox:1.35
\ No newline at end of file
+ image: busybox:1.35
\ No newline at end of file
diff --git a/karpenter/add-karpenter-nodeselector/.chainsaw-test/policy-ready.yaml b/karpenter/add-karpenter-nodeselector/.chainsaw-test/policy-ready.yaml
index eb3cc093d..0e5bb13b2 100644
--- a/karpenter/add-karpenter-nodeselector/.chainsaw-test/policy-ready.yaml
+++ b/karpenter/add-karpenter-nodeselector/.chainsaw-test/policy-ready.yaml
@@ -3,7 +3,4 @@ kind: ClusterPolicy
 metadata:
 name: add-karpenter-nodeselector
 status:
- conditions:
- - reason: Succeeded
- status: "True"
- type: Ready
+ ready: true
\ No newline at end of file
diff --git a/karpenter/add-karpenter-nodeselector/.chainsaw-test/resource.yaml b/karpenter/add-karpenter-nodeselector/.chainsaw-test/resource.yaml
index 9151701d9..6665a981e 100644
--- a/karpenter/add-karpenter-nodeselector/.chainsaw-test/resource.yaml
+++ b/karpenter/add-karpenter-nodeselector/.chainsaw-test/resource.yaml
@@ -27,7 +27,7 @@ metadata:
 spec:
 containers:
 - name: busybox
- image: ghcr.io/kyverno/test-busybox:1.35
+ image: busybox:1.35
 ---
 apiVersion: v1
 kind: Pod
@@ -37,7 +37,7 @@ metadata:
 spec:
 containers:
 - name: busybox
- image: ghcr.io/kyverno/test-busybox:1.35
+ image: busybox:1.35
 ---
 apiVersion: v1
 kind: Pod
@@ -50,7 +50,7 @@ spec:
 karpenter.sh/capacity-type: on-demand
 containers:
 - name: busybox
- image: ghcr.io/kyverno/test-busybox:1.35
+ image: busybox:1.35
 ---
 apiVersion: v1
 kind: Pod
@@ -60,7 +60,7 @@ metadata:
 spec:
 containers:
 - name: busybox
- image: ghcr.io/kyverno/test-busybox:1.35
+ image: busybox:1.35
 ---
 apiVersion: v1
 kind: Pod
@@ -73,4 +73,4 @@ spec:
 karpenter.sh/capacity-type: spot
 containers:
 - name: busybox
- image: ghcr.io/kyverno/test-busybox:1.35
\ No newline at end of file
+ image: busybox:1.35
\ No newline at end of file
diff --git a/karpenter/set-karpenter-non-cpu-limits/.chainsaw-test/chainsaw-test.yaml b/karpenter/set-karpenter-non-cpu-limits/.chainsaw-test/chainsaw-test.yaml
index 6f49e6c40..b9d51e160 100755
--- a/karpenter/set-karpenter-non-cpu-limits/.chainsaw-test/chainsaw-test.yaml
+++ b/karpenter/set-karpenter-non-cpu-limits/.chainsaw-test/chainsaw-test.yaml
@@ -1,4 +1,3 @@
-# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
 apiVersion: chainsaw.kyverno.io/v1alpha1
 kind: Test
 metadata:
diff --git a/karpenter/set-karpenter-non-cpu-limits/.chainsaw-test/pod-others-patched.yaml b/karpenter/set-karpenter-non-cpu-limits/.chainsaw-test/pod-others-patched.yaml
index d0f81a65a..efbb43ebc 100644
--- a/karpenter/set-karpenter-non-cpu-limits/.chainsaw-test/pod-others-patched.yaml
+++ b/karpenter/set-karpenter-non-cpu-limits/.chainsaw-test/pod-others-patched.yaml
@@ -6,7 +6,7 @@ metadata:
 spec:
 containers:
 - name: test5-01
- image: ghcr.io/kyverno/test-busybox:1.35
+ image: busybox:1.35
 resources:
 limits:
 cpu: "1"
@@ -17,7 +17,7 @@ spec:
 memory: "1Gi"
 ephemeral-storage: "1Gi"
 - name: test5-02
- image: ghcr.io/kyverno/test-busybox:1.35
+ image: busybox:1.35
 resources:
 limits:
 cpu: "1"
diff --git a/karpenter/set-karpenter-non-cpu-limits/.chainsaw-test/pod-others.yaml b/karpenter/set-karpenter-non-cpu-limits/.chainsaw-test/pod-others.yaml
index 4ae42012e..23a04613f 100644
--- a/karpenter/set-karpenter-non-cpu-limits/.chainsaw-test/pod-others.yaml
+++ b/karpenter/set-karpenter-non-cpu-limits/.chainsaw-test/pod-others.yaml
@@ -6,7 +6,7 @@ metadata:
 spec:
 containers:
 - name: test5-01
- image: ghcr.io/kyverno/test-busybox:1.35
+ image: busybox:1.35
 resources:
 limits:
 cpu: "1"
@@ -17,7 +17,7 @@ spec:
 memory: "500Mi"
 ephemeral-storage: "500Mi"
 - name: test5-02
- image: ghcr.io/kyverno/test-busybox:1.35
+ image: busybox:1.35
 resources:
 limits:
 cpu: "1"
diff --git a/karpenter/set-karpenter-non-cpu-limits/.chainsaw-test/podcontroller-patched.yaml b/karpenter/set-karpenter-non-cpu-limits/.chainsaw-test/podcontroller-patched.yaml
index f166db55c..7dcbc3abd 100644
--- a/karpenter/set-karpenter-non-cpu-limits/.chainsaw-test/podcontroller-patched.yaml
+++ b/karpenter/set-karpenter-non-cpu-limits/.chainsaw-test/podcontroller-patched.yaml
@@ -17,7 +17,7 @@ spec:
 spec:
 containers:
 - name: bb-01
- image: ghcr.io/kyverno/test-busybox:1.35
+ image: busybox:1.35
 resources:
 limits:
 cpu: "1"
@@ -28,7 +28,7 @@ spec:
 memory: "1Gi"
 ephemeral-storage: "1Gi"
 - name: bb-02
- image: ghcr.io/kyverno/test-busybox:1.35
+ image: busybox:1.35
 resources:
 limits:
 cpu: "1"
@@ -51,7 +51,7 @@ spec:
 spec:
 containers:
 - name: hello-01
- image: ghcr.io/kyverno/test-busybox:1.35
+ image: busybox:1.35
 imagePullPolicy: IfNotPresent
 command:
 - "sleep"
@@ -66,7 +66,7 @@ spec:
 memory: "1Gi"
 ephemeral-storage: "1Gi"
 - name: hello-02
- image: ghcr.io/kyverno/test-busybox:1.35
+ image: busybox:1.35
 imagePullPolicy: IfNotPresent
 command:
 - "sleep"
diff --git a/karpenter/set-karpenter-non-cpu-limits/.chainsaw-test/podcontroller-resources.yaml b/karpenter/set-karpenter-non-cpu-limits/.chainsaw-test/podcontroller-resources.yaml
index 3e4557bd5..66323381b 100644
--- a/karpenter/set-karpenter-non-cpu-limits/.chainsaw-test/podcontroller-resources.yaml
+++ b/karpenter/set-karpenter-non-cpu-limits/.chainsaw-test/podcontroller-resources.yaml
@@ -17,7 +17,7 @@ spec:
 spec:
 containers:
 - name: bb-01
- image: ghcr.io/kyverno/test-busybox:1.35
+ image: busybox:1.35
 resources:
 limits:
 cpu: "1"
@@ -28,7 +28,7 @@ spec:
 memory: "500Mi"
 ephemeral-storage: "500Mi"
 - name: bb-02
- image: ghcr.io/kyverno/test-busybox:1.35
+ image: busybox:1.35
 resources:
 limits:
 cpu: "1"
@@ -51,7 +51,7 @@ spec:
 spec:
 containers:
 - name: hello-01
- image: ghcr.io/kyverno/test-busybox:1.35
+ image: busybox:1.35
 imagePullPolicy: IfNotPresent
 command:
 - "sleep"
@@ -66,7 +66,7 @@ spec:
 memory: "500Mi"
 ephemeral-storage: "500Mi"
 - name: hello-02
- image: ghcr.io/kyverno/test-busybox:1.35
+ image: busybox:1.35
 imagePullPolicy: IfNotPresent
 command:
 - "sleep"
diff --git a/karpenter/set-karpenter-non-cpu-limits/.chainsaw-test/policy-ready.yaml b/karpenter/set-karpenter-non-cpu-limits/.chainsaw-test/policy-ready.yaml
index 87aecac73..3c3b4feac 100644
--- a/karpenter/set-karpenter-non-cpu-limits/.chainsaw-test/policy-ready.yaml
+++ b/karpenter/set-karpenter-non-cpu-limits/.chainsaw-test/policy-ready.yaml
@@ -3,7 +3,4 @@ kind: ClusterPolicy
 metadata:
 name: set-karpenter-non-cpu-limits
 status:
- conditions:
- - reason: Succeeded
- status: "True"
- type: Ready
+ ready: true
\ No newline at end of file
diff --git a/kasten-cel/k10-data-protection-by-label/.chainsaw-test/chainsaw-test.yaml b/kasten-cel/k10-data-protection-by-label/.chainsaw-test/chainsaw-test.yaml
deleted file mode 100755
index 81d089924..000000000
--- a/kasten-cel/k10-data-protection-by-label/.chainsaw-test/chainsaw-test.yaml
+++ /dev/null
@@ -1,60 +0,0 @@
-# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json -apiVersion: chainsaw.kyverno.io/v1alpha1 -kind: Test -metadata: - creationTimestamp: null - name: k10-data-protection-by-label -spec: - steps: - - name: step-01 - try: - - apply: - file: ../k10-data-protection-by-label.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: k10-data-protection-by-label - spec: - validationFailureAction: Enforce - - assert: - file: policy-ready.yaml - - assert: - file: crd-assert.yaml - - name: step-02 - try: - - apply: - file: ns.yaml - - apply: - file: deployment-good.yaml - - apply: - file: ss-good.yaml - - apply: - expect: - - check: - ($error != null): true - file: deployment-bad-badlabel.yaml - - apply: - expect: - - check: - ($error != null): true - file: deployment-bad-nolabel.yaml - - apply: - expect: - - check: - ($error != null): true - file: ss-bad-badlabel.yaml - - apply: - expect: - - check: - ($error != null): true - file: ss-bad-nolabel.yaml - - name: step-98 - try: - - script: - content: kubectl delete deployments --all --force --grace-period=0 -n k10-dplabel-ns - - script: - content: kubectl delete statefulsets --all --force --grace-period=0 -n k10-dplabel-ns - - script: - content: kubectl delete pods --all --force --grace-period=0 -n k10-dplabel-ns
diff --git a/kasten-cel/k10-data-protection-by-label/.chainsaw-test/deployment-bad-badlabel.yaml b/kasten-cel/k10-data-protection-by-label/.chainsaw-test/deployment-bad-badlabel.yaml
deleted file mode 100644
index 36bd362a8..000000000
--- a/kasten-cel/k10-data-protection-by-label/.chainsaw-test/deployment-bad-badlabel.yaml
+++ /dev/null
@@ -1,24 +0,0 @@
-apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeploy02 - labels: - app: busybox - purpose: production - dataprotection: foo-bar -spec: - replicas: 1 - selector: - matchLabels: - app: busybox - template: - metadata: - labels: - app: busybox - spec: - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 - command: - "sleep" - "3600"
\ No newline at end of file
diff --git a/kasten-cel/k10-data-protection-by-label/.chainsaw-test/deployment-bad-nolabel.yaml b/kasten-cel/k10-data-protection-by-label/.chainsaw-test/deployment-bad-nolabel.yaml
deleted file mode 100644
index b73ff7aaf..000000000
--- a/kasten-cel/k10-data-protection-by-label/.chainsaw-test/deployment-bad-nolabel.yaml
+++ /dev/null
@@ -1,23 +0,0 @@
-apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeploy01 - labels: - app: busybox - purpose: production -spec: - replicas: 1 - selector: - matchLabels: - app: busybox - template: - metadata: - labels: - app: busybox - spec: - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 - command: - "sleep" - "3600"
\ No newline at end of file
diff --git a/kasten-cel/k10-data-protection-by-label/.chainsaw-test/deployment-good.yaml b/kasten-cel/k10-data-protection-by-label/.chainsaw-test/deployment-good.yaml
deleted file mode 100644
index a11bdbc31..000000000
--- a/kasten-cel/k10-data-protection-by-label/.chainsaw-test/deployment-good.yaml
+++ /dev/null
@@ -1,75 +0,0 @@
-apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeploy01 - namespace: k10-dplabel-ns - labels: - app: busybox - purpose: production - dataprotection: k10-goldpolicy -spec: - replicas: 1 - selector: - matchLabels: - app: busybox - template: - metadata: - labels: - app: busybox - spec: - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 - command: - "sleep" - "3600" ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeploy02 - namespace: k10-dplabel-ns - labels: - app: busybox - purpose: development - dataprotection: foo-bar -spec: - replicas: 1 - selector: - matchLabels: - app: busybox - template: - metadata: - labels: - app: busybox - spec: - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 - command: - "sleep" - "3600" ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeploy03 - namespace: k10-dplabel-ns - labels: - app: busybox -spec: - replicas: 1 - selector: - matchLabels: - app: busybox - template: - metadata: - labels: - app: busybox - spec: - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 - command: - "sleep" - "3600"
\ No newline at end of file
diff --git a/kasten-cel/k10-data-protection-by-label/.chainsaw-test/nginx-deployment-invalid.yaml b/kasten-cel/k10-data-protection-by-label/.chainsaw-test/nginx-deployment-invalid.yaml
deleted file mode 100644
index 58b3482d5..000000000
--- a/kasten-cel/k10-data-protection-by-label/.chainsaw-test/nginx-deployment-invalid.yaml
+++ /dev/null
@@ -1,31 +0,0 @@
-kind: Namespace -apiVersion: v1 -metadata: - name: nginx - labels: - name: nginx ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: nginx-deployment - namespace: nginx - labels: - app: nginx - purpose: production - dataprotection: none # invalid named K10 Policy!! -spec: - replicas: 3 - selector: - matchLabels: - app: nginx - template: - metadata: - labels: - app: nginx - spec: - containers: - - name: nginx - image: ghcr.io/kyverno/test-nginx:1.14.2 - ports: - - containerPort: 80
diff --git a/kasten-cel/k10-data-protection-by-label/.chainsaw-test/policy-ready.yaml b/kasten-cel/k10-data-protection-by-label/.chainsaw-test/policy-ready.yaml
deleted file mode 100755
index 54fa59bf8..000000000
--- a/kasten-cel/k10-data-protection-by-label/.chainsaw-test/policy-ready.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
- name: k10-data-protection-by-label
-status:
- conditions:
- - reason: Succeeded
- status: "True"
- type: Ready
diff --git a/kasten-cel/k10-data-protection-by-label/.chainsaw-test/ss-bad-badlabel.yaml b/kasten-cel/k10-data-protection-by-label/.chainsaw-test/ss-bad-badlabel.yaml
deleted file mode 100644
index 902760bcf..000000000
--- a/kasten-cel/k10-data-protection-by-label/.chainsaw-test/ss-bad-badlabel.yaml
+++ /dev/null
@@ -1,23 +0,0 @@
-apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: bad-ss02 - labels: - purpose: production - dataprotection: foo-bar -spec: - selector: - matchLabels: - app: busybox - serviceName: busybox-ss - replicas: 1 - minReadySeconds: 10 - template: - metadata: - labels: - app: busybox - spec: - terminationGracePeriodSeconds: 10 - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35
\ No newline at end of file
diff --git a/kasten-cel/k10-data-protection-by-label/.chainsaw-test/ss-bad-nolabel.yaml b/kasten-cel/k10-data-protection-by-label/.chainsaw-test/ss-bad-nolabel.yaml
deleted file mode 100644
index a710806fe..000000000
--- a/kasten-cel/k10-data-protection-by-label/.chainsaw-test/ss-bad-nolabel.yaml
+++ /dev/null
@@ -1,22 +0,0 @@
-apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: bad-ss01 - labels: - purpose: production -spec: - selector: - matchLabels: - app: busybox - serviceName: busybox-ss - replicas: 1 - minReadySeconds: 10 - template: - metadata: - labels: - app: busybox - spec: - terminationGracePeriodSeconds: 10 - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35
\ No newline at end of file
diff --git a/kasten-cel/k10-data-protection-by-label/.chainsaw-test/ss-good.yaml b/kasten-cel/k10-data-protection-by-label/.chainsaw-test/ss-good.yaml
deleted file mode 100644
index 4b55fb60b..000000000
--- a/kasten-cel/k10-data-protection-by-label/.chainsaw-test/ss-good.yaml
+++ /dev/null
@@ -1,65 +0,0 @@
-apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: good-ss01 - namespace: k10-dplabel-ns - labels: - purpose: production - dataprotection: k10-silverpolicy -spec: - selector: - matchLabels: - app: busybox - serviceName: busybox-ss - replicas: 1 - template: - metadata: - labels: - app: busybox - spec: - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: good-ss02 - namespace: k10-dplabel-ns -spec: - selector: - matchLabels: - app: busybox - serviceName: busybox-ss - replicas: 1 - template: - metadata: - labels: - app: busybox - spec: - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: good-ss02 - namespace: k10-dplabel-ns - labels: - purpose: development - dataprotection: foo-bar -spec: - selector: - matchLabels: - app: busybox - serviceName: busybox-ss - replicas: 1 - template: - metadata: - labels: - app: busybox - spec: - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35
\ No newline at end of file
diff --git a/kasten-cel/k10-data-protection-by-label/artifacthub-pkg.yml b/kasten-cel/k10-data-protection-by-label/artifacthub-pkg.yml
deleted file mode 100644
index b6ef9297e..000000000
--- a/kasten-cel/k10-data-protection-by-label/artifacthub-pkg.yml
+++ /dev/null
@@ -1,24 +0,0 @@
-name: k10-data-protection-by-label-cel -version: 1.0.0 -displayName: Check Data Protection By Label in CEL expressions -description: >- - Check the 'dataprotection' label that production Deployments and StatefulSet have a named K10 Policy. Use in combination with 'generate' ClusterPolicy to 'generate' a specific K10 Policy by name. -install: |- - ```shell - kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/kasten-cel/k10-data-protection-by-label/k10-data-protection-by-label.yaml - ``` -keywords: - - kyverno - - Kasten K10 by Veeam - - CEL Expressions -readme: | - Check the 'dataprotection' label that production Deployments and StatefulSet have a named K10 Policy. Use in combination with 'generate' ClusterPolicy to 'generate' a specific K10 Policy by name. - - Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ -annotations: - kyverno/category: "Kasten K10 by Veeam in CEL" - kyverno/kubernetesVersion: "1.26-1.27" - kyverno/subject: "Deployment, StatefulSet" -digest: 8717e4f433a73aa59f79c557f17b75d8d7b5ac22839b4993975bba9cf8fb551b -createdAt: "2024-05-12T07:05:48Z" -
diff --git a/kasten-cel/k10-data-protection-by-label/k10-data-protection-by-label.yaml b/kasten-cel/k10-data-protection-by-label/k10-data-protection-by-label.yaml
deleted file mode 100644
index 57294f6f2..000000000
--- a/kasten-cel/k10-data-protection-by-label/k10-data-protection-by-label.yaml
+++ /dev/null
@@ -1,36 +0,0 @@
-apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: k10-data-protection-by-label - annotations: - policies.kyverno.io/title: Check Data Protection By Label in CEL expressions - policies.kyverno.io/category: Kasten K10 by Veeam in CEL - kyverno.io/kyverno-version: 1.11.0 - policies.kyverno.io/minversion: 1.11.0 - kyverno.io/kubernetes-version: "1.26-1.27" - policies.kyverno.io/subject: Deployment, StatefulSet - policies.kyverno.io/description: >- - Check the 'dataprotection' label that production Deployments and StatefulSet have a named K10 Policy. - Use in combination with 'generate' ClusterPolicy to 'generate' a specific K10 Policy by name. -spec: - validationFailureAction: Audit - rules: - - name: k10-data-protection-by-label - match: - any: - - resources: - kinds: - - Deployment - - StatefulSet - operations: - - CREATE - - UPDATE - selector: - matchLabels: - purpose: production - validate: - cel: - expressions: - - expression: "object.metadata.?labels.?dataprotection.orValue('').startsWith('k10-')" - message: "Deployments and StatefulSets that specify 'dataprotection' label must have a valid k10-?* name (use labels: dataprotection: k10-)" -
diff --git a/kasten-cel/k10-hourly-rpo/.chainsaw-test/chainsaw-test.yaml b/kasten-cel/k10-hourly-rpo/.chainsaw-test/chainsaw-test.yaml
deleted file mode 100755
index e02442dae..000000000
--- a/kasten-cel/k10-hourly-rpo/.chainsaw-test/chainsaw-test.yaml
+++ /dev/null
@@ -1,33 +0,0 @@
-# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json -apiVersion: chainsaw.kyverno.io/v1alpha1 -kind: Test -metadata: - creationTimestamp: null - name: k10-hourly-rpo -spec: - steps: - - name: step-01 - try: - - apply: - file: ../k10-hourly-rpo.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: k10-policy-hourly-rpo - spec: - validationFailureAction: Enforce - - assert: - file: policy-ready.yaml - - assert: - file: crd-assert.yaml - - name: step-02 - try: - - apply: - file: k10-good-policy.yaml - - apply: - expect: - - check: - ($error != null): true - file: k10-bad-policy.yaml
diff --git a/kasten-cel/k10-hourly-rpo/.chainsaw-test/crd-assert.yaml b/kasten-cel/k10-hourly-rpo/.chainsaw-test/crd-assert.yaml
deleted file mode 100755
index d660e00cb..000000000
--- a/kasten-cel/k10-hourly-rpo/.chainsaw-test/crd-assert.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
- name: policies.config.kio.kasten.io
-spec: {}
-status:
- acceptedNames:
- kind: Policy
- listKind: PolicyList
- plural: policies
- singular: policy
- storedVersions:
- - v1alpha1
diff --git a/kasten-cel/k10-hourly-rpo/.chainsaw-test/policy-ready.yaml b/kasten-cel/k10-hourly-rpo/.chainsaw-test/policy-ready.yaml
deleted file mode 100755
index 41d795a32..000000000
--- a/kasten-cel/k10-hourly-rpo/.chainsaw-test/policy-ready.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
- name: k10-policy-hourly-rpo
-status:
- conditions:
- - reason: Succeeded
- status: "True"
- type: Ready
diff --git a/kasten-cel/k10-hourly-rpo/artifacthub-pkg.yml b/kasten-cel/k10-hourly-rpo/artifacthub-pkg.yml
deleted file mode 100644
index bffb28b92..000000000
--- a/kasten-cel/k10-hourly-rpo/artifacthub-pkg.yml
+++ /dev/null
@@ -1,24 +0,0 @@ -name: k10-hourly-rpo-cel -version: 1.0.0 -displayName: Check Hourly RPO in CEL expressions -description: >- - K10 Policy resources can be educated to adhere to common Recovery Point Objective (RPO) best practices. This policy is advising to use an RPO frequency that with hourly granularity if it has the appPriority: Mission Critical -install: |- - ```shell - kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/kasten-cel/k10-hourly-rpo/k10-hourly-rpo.yaml - ``` -keywords: - - kyverno - - Kasten K10 by Veeam - - CEL Expressions -readme: | - K10 Policy resources can be educated to adhere to common Recovery Point Objective (RPO) best practices. This policy is advising to use an RPO frequency that with hourly granularity if it has the appPriority: Mission Critical - - Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ -annotations: - kyverno/category: "Kasten K10 by Veeam in CEL" - kyverno/kubernetesVersion: "1.26-1.27" - kyverno/subject: "Policy" -digest: 4c95862e422636b4900103e9620ed8e41d4cafd86984a1d22e81f35767bb0eef -createdAt: "2024-05-12T07:07:31Z" - diff --git a/kasten-cel/k10-hourly-rpo/k10-hourly-rpo.yaml b/kasten-cel/k10-hourly-rpo/k10-hourly-rpo.yaml deleted file mode 100644 index d5f62904f..000000000 --- a/kasten-cel/k10-hourly-rpo/k10-hourly-rpo.yaml +++ /dev/null 
@@ -1,35 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: k10-policy-hourly-rpo - annotations: - policies.kyverno.io/title: Check Hourly RPO in CEL expressions - policies.kyverno.io/category: Kasten K10 by Veeam in CEL - kyverno.io/kyverno-version: 1.11.0 - policies.kyverno.io/minversion: 1.11.0 - kyverno.io/kubernetes-version: "1.26-1.27" - policies.kyverno.io/subject: Policy - policies.kyverno.io/description: >- - K10 Policy resources can be educated to adhere to common Recovery Point Objective (RPO) best practices. - This policy is advising to use an RPO frequency that with hourly granularity if it has the appPriority: Mission Critical -spec: - validationFailureAction: Audit - rules: - - name: k10-policy-hourly-rpo - match: - any: - - resources: - kinds: - - config.kio.kasten.io/v1alpha1/Policy - operations: - - CREATE - - UPDATE - selector: - matchLabels: - appPriority: Mission-Critical - validate: - cel: - expressions: - - expression: "has(object.spec.frequency) && object.spec.frequency == '@hourly'" - message: "Mission Critical RPO frequency should use no shorter than @hourly frequency" - diff --git a/kasten-cel/k10-validate-ns-by-preset-label/.chainsaw-test/chainsaw-test.yaml b/kasten-cel/k10-validate-ns-by-preset-label/.chainsaw-test/chainsaw-test.yaml deleted file mode 100755 index 8893c6007..000000000 --- a/kasten-cel/k10-validate-ns-by-preset-label/.chainsaw-test/chainsaw-test.yaml +++ /dev/null 
@@ -1,33 +0,0 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json -apiVersion: chainsaw.kyverno.io/v1alpha1 -kind: Test -metadata: - creationTimestamp: null - name: k10-validate-ns-by-preset-label -spec: - steps: - - name: step-01 - try: - - apply: - file: ../k10-validate-ns-by-preset-label.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: k10-validate-ns-by-preset-label - spec: - validationFailureAction: Enforce - - assert: - file: policy-ready.yaml - - assert: - file: crd-assert.yaml - - name: step-02 - try: - - apply: - file: ns-good.yaml - - apply: - expect: - - check: - ($error != null): true - file: ns-bad.yaml diff --git a/kasten-cel/k10-validate-ns-by-preset-label/.chainsaw-test/crd-assert.yaml b/kasten-cel/k10-validate-ns-by-preset-label/.chainsaw-test/crd-assert.yaml deleted file mode 100755 index d660e00cb..000000000 --- a/kasten-cel/k10-validate-ns-by-preset-label/.chainsaw-test/crd-assert.yaml +++ /dev/null @@ -1,13 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: policies.config.kio.kasten.io -spec: {} -status: - acceptedNames: - kind: Policy - listKind: PolicyList - plural: policies - singular: policy - storedVersions: - - v1alpha1 diff --git a/kasten-cel/k10-validate-ns-by-preset-label/.chainsaw-test/policy-ready.yaml b/kasten-cel/k10-validate-ns-by-preset-label/.chainsaw-test/policy-ready.yaml deleted file mode 100755 index 744ccb78e..000000000 --- a/kasten-cel/k10-validate-ns-by-preset-label/.chainsaw-test/policy-ready.yaml +++ /dev/null @@ -1,9 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: k10-validate-ns-by-preset-label -status: - conditions: - - reason: Succeeded - status: "True" - type: Ready 
diff --git a/kasten-cel/k10-validate-ns-by-preset-label/artifacthub-pkg.yml b/kasten-cel/k10-validate-ns-by-preset-label/artifacthub-pkg.yml deleted file mode 100644 index a09f2fe53..000000000 --- a/kasten-cel/k10-validate-ns-by-preset-label/artifacthub-pkg.yml +++ /dev/null 
@@ -1,24 +0,0 @@ -name: k10-validate-ns-by-preset-label-cel -version: 1.0.0 -displayName: Validate Data Protection by Preset Label in CEL expressions -description: >- - Kubernetes applications are typically deployed into a single, logical namespace. Kasten K10 policies will discover and protect all resources within the selected namespace(s). This policy ensures all new namespaces include a label referencing a valid K10 SLA (Policy Preset) for data protection. This policy can be used in combination with generate ClusterPolicy to automatically create a K10 policy based on the specified SLA. The combination ensures that new applications are not inadvertently left unprotected. -install: |- - ```shell - kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/kasten-cel/k10-validate-ns-by-preset-label/k10-validate-ns-by-preset-label.yaml - ``` -keywords: - - kyverno - - Kasten K10 by Veeam - - CEL Expressions -readme: | - Kubernetes applications are typically deployed into a single, logical namespace. Kasten K10 policies will discover and protect all resources within the selected namespace(s). This policy ensures all new namespaces include a label referencing a valid K10 SLA (Policy Preset) for data protection. This policy can be used in combination with generate ClusterPolicy to automatically create a K10 policy based on the specified SLA. The combination ensures that new applications are not inadvertently left unprotected. - - Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ -annotations: - kyverno/category: "Kasten K10 by Veeam in CEL" - kyverno/kubernetesVersion: "1.26-1.27" - kyverno/subject: "Namespace" -digest: c277cd02118d9e63dc9e7b842ac27f261c1cd48a3d79a67660e8742d06af62f1 -createdAt: "2024-05-12T07:09:08Z" - 
diff --git a/kasten-cel/k10-validate-ns-by-preset-label/k10-validate-ns-by-preset-label.yaml b/kasten-cel/k10-validate-ns-by-preset-label/k10-validate-ns-by-preset-label.yaml deleted file mode 100644 index e509b59f6..000000000 --- a/kasten-cel/k10-validate-ns-by-preset-label/k10-validate-ns-by-preset-label.yaml +++ /dev/null 
@@ -1,42 +0,0 @@ -#NOTE: This example assumes that K10 policy presets named "gold", "silver", and "bronze" have been pre-created and K10 was deployed into the `kasten-io` namespace. -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: k10-validate-ns-by-preset-label - annotations: - policies.kyverno.io/title: Validate Data Protection by Preset Label in CEL expressions - policies.kyverno.io/category: Kasten K10 by Veeam in CEL - policies.kyverno.io/subject: Namespace - kyverno.io/kyverno-version: 1.11.0 - policies.kyverno.io/minversion: 1.11.0 - kyverno.io/kubernetes-version: "1.26-1.27" - policies.kyverno.io/description: >- - Kubernetes applications are typically deployed into a single, logical namespace. - Kasten K10 policies will discover and protect all resources within the selected namespace(s). - This policy ensures all new namespaces include a label referencing a valid K10 SLA - (Policy Preset) for data protection.This policy can be used in combination with generate - ClusterPolicy to automatically create a K10 policy based on the specified SLA. - The combination ensures that new applications are not inadvertently left unprotected. -spec: - validationFailureAction: Audit - rules: - - name: k10-validate-ns-by-preset-label - match: - any: - - resources: - kinds: - - Namespace - operations: - - CREATE - - UPDATE - validate: - cel: - expressions: - - expression: "object.metadata.?labels.?dataprotection.orValue('') in ['gold', 'silver', 'bronze', 'none']" - message: >- - Namespaces must specify a "dataprotection" label with a value corresponding to a Kasten K10 SLA: - - "gold" - - "silver" - - "bronze" - - "none" - No local snapshots or backups diff --git a/kasten/k10-3-2-1-backup/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/kasten/k10-3-2-1-backup/.chainsaw-test/chainsaw-step-01-assert-1.yaml new file mode 100755 index 000000000..6a2d17d12 --- /dev/null +++ b/kasten/k10-3-2-1-backup/.chainsaw-test/chainsaw-step-01-assert-1.yaml 
@@ -0,0 +1,6 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: k10-3-2-1-backup-policy +status: + ready: true diff --git a/kasten/kasten-3-2-1-backup/.chainsaw-test/chainsaw-step-01-assert-2.yaml b/kasten/k10-3-2-1-backup/.chainsaw-test/chainsaw-step-01-assert-2.yaml similarity index 100% rename from kasten/kasten-3-2-1-backup/.chainsaw-test/chainsaw-step-01-assert-2.yaml rename to kasten/k10-3-2-1-backup/.chainsaw-test/chainsaw-step-01-assert-2.yaml diff --git a/kasten/k10-3-2-1-backup/.chainsaw-test/chainsaw-test.yaml b/kasten/k10-3-2-1-backup/.chainsaw-test/chainsaw-test.yaml new file mode 100755 index 000000000..cc8fc7584 --- /dev/null +++ b/kasten/k10-3-2-1-backup/.chainsaw-test/chainsaw-test.yaml @@ -0,0 +1,32 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: k10-3-2-1-backup +spec: + steps: + - name: step-01 + try: + - script: + content: | + sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../k10-3-2-1-backup.yaml | kubectl create -f - + - assert: + file: chainsaw-step-01-assert-1.yaml + - assert: + file: chainsaw-step-01-assert-2.yaml + - name: step-02 + try: + - apply: + file: k10-good-policy.yaml + - apply: + expect: + - check: + ($error != null): true + file: k10-bad-policy.yaml + - name: step-99 + try: + - delete: + ref: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: k10-3-2-1-backup-policy diff --git a/kasten/kasten-3-2-1-backup/.chainsaw-test/k10-bad-policy.yaml b/kasten/k10-3-2-1-backup/.chainsaw-test/k10-bad-policy.yaml similarity index 100% rename from kasten/kasten-3-2-1-backup/.chainsaw-test/k10-bad-policy.yaml rename to kasten/k10-3-2-1-backup/.chainsaw-test/k10-bad-policy.yaml 
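Review bot: step-01 installs the policy through `sed 's/validationFailureAction: audit/…/' | kubectl create -f -`, and a sed pattern that no longer matches (for example once the policy file spells it `Audit`) is not an error: the ClusterPolicy is created in audit mode and the `($error != null): true` check in step-02 then fails with a message that does not point at the cause. Replacing the script step with an `apply` of `../k10-3-2-1-backup.yaml` followed by a chainsaw `patch` setting `spec.validationFailureAction: Enforce` — the pattern the deleted kasten-cel tests used — makes the flip explicit and lets chainsaw track and clean up the policy itself, so the manual delete in step-99 becomes unnecessary. The `status.ready: true` assertion in chainsaw-step-01-assert-1.yaml is the older readiness field; the deleted tests asserted on a `status.conditions` entry of `type: Ready`, so it is worth confirming which one the Kyverno version under test actually populates.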
diff --git a/kasten/kasten-3-2-1-backup/.chainsaw-test/k10-good-policy.yaml b/kasten/k10-3-2-1-backup/.chainsaw-test/k10-good-policy.yaml similarity index 100% rename from kasten/kasten-3-2-1-backup/.chainsaw-test/k10-good-policy.yaml rename to kasten/k10-3-2-1-backup/.chainsaw-test/k10-good-policy.yaml diff --git a/kasten/kasten-3-2-1-backup/.kyverno-test/kasten-backup-policy.yaml b/kasten/k10-3-2-1-backup/.kyverno-test/k10-backup-policy.yaml similarity index 100% rename from kasten/kasten-3-2-1-backup/.kyverno-test/kasten-backup-policy.yaml rename to kasten/k10-3-2-1-backup/.kyverno-test/k10-backup-policy.yaml diff --git a/kasten/k10-3-2-1-backup/.kyverno-test/kyverno-test.yaml b/kasten/k10-3-2-1-backup/.kyverno-test/kyverno-test.yaml new file mode 100644 index 000000000..4afc6e8cf --- /dev/null +++ b/kasten/k10-3-2-1-backup/.kyverno-test/kyverno-test.yaml @@ -0,0 +1,21 @@ +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: kyverno_data_protection_tests +policies: +- ../k10-3-2-1-backup.yaml +resources: +- k10-backup-policy.yaml +results: +- kind: Policy + policy: k10-3-2-1-backup-policy + resources: + - sample-custom-backup-policy-invalid + result: fail + rule: k10-3-2-1-backup-policy +- kind: Policy + policy: k10-3-2-1-backup-policy + resources: + - sample-custom-backup-policy + result: pass + rule: k10-3-2-1-backup-policy diff --git a/kasten/k10-3-2-1-backup/artifacthub-pkg.yml b/kasten/k10-3-2-1-backup/artifacthub-pkg.yml new file mode 100644 index 000000000..10aa0c9b9 --- /dev/null +++ b/kasten/k10-3-2-1-backup/artifacthub-pkg.yml 
@@ -0,0 +1,22 @@ +name: k10-3-2-1-backup +version: 1.0.0 +displayName: Check 3-2-1 Backup Policy +createdAt: "2023-04-10T20:12:53.000Z" +description: >- + The rule of 3-2-1 recommends that you have at least 3 copies of data, on 2 different storage targets, and 1 being offsite. 3-2-1 ensures a health mix of redundancy options for data recovery of the application for localized & multi-region cloud failures or compromise. In K8s/K10, this translates to the original StatefulSet (the original PersistentVolumeClaim), a backup (a snapshot of the PVC on prod storage), and an export to cloud object storage (a secondary cloud copy of the PVC snapshot). +install: |- + ```shell + kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/kasten/k10-3-2-1-backup/k10-3-2-1-backup.yaml + ``` +keywords: + - kyverno + - Kasten K10 by Veeam +readme: | + The rule of 3-2-1 recommends that you have at least 3 copies of data, on 2 different storage targets, and 1 being offsite. 3-2-1 ensures a health mix of redundancy options for data recovery of the application for localized & multi-region cloud failures or compromise. In K8s/K10, this translates to the original StatefulSet (the original PersistentVolumeClaim), a backup (a snapshot of the PVC on prod storage), and an export to cloud object storage (a secondary cloud copy of the PVC snapshot). + + Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ +annotations: + kyverno/category: "Kasten K10 by Veeam" + kyverno/kubernetesVersion: "1.21-1.22" + kyverno/subject: "Policy" +digest: 59ba16d449fd7ea59307d5609bd3300058a85a1d388df4ddbe8220e66edcb86a diff --git a/kasten/k10-3-2-1-backup/k10-3-2-1-backup.yaml b/kasten/k10-3-2-1-backup/k10-3-2-1-backup.yaml new file mode 100644 index 000000000..3166e9bfe --- /dev/null +++ b/kasten/k10-3-2-1-backup/k10-3-2-1-backup.yaml 
@@ -0,0 +1,36 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: k10-3-2-1-backup-policy
+ annotations:
+ policies.kyverno.io/title: Check 3-2-1 Backup Policy
+ policies.kyverno.io/category: Kasten K10 by Veeam
+ policies.kyverno.io/severity: medium
+ kyverno.io/kyverno-version: 1.6.2
+ policies.kyverno.io/minversion: 1.6.2
+ kyverno.io/kubernetes-version: "1.21-1.22"
+ policies.kyverno.io/subject: Policy
+ policies.kyverno.io/description: >-
+ The rule of 3-2-1 recommends that you have at least 3 copies of data, on 2 different storage targets, and 1 being offsite.
+ 3-2-1 ensures a health mix of redundancy options for data recovery of the application for localized & multi-region cloud failures or compromise.
+ In K8s/K10, this translates to the original StatefulSet (the original PersistentVolumeClaim), a backup (a snapshot of the PVC on prod storage),
+ and an export to cloud object storage (a secondary cloud copy of the PVC snapshot).
+spec:
+ validationFailureAction: audit
+ rules:
+ - name: k10-3-2-1-backup-policy
+ match:
+ any:
+ - resources:
+ kinds:
+ - config.kio.kasten.io/v1alpha1/Policy
+ validate:
+ message: "The rule of 3-2-1 recommends you have 'action: backup' followed by an 'action: export' defined in the backup Policy."
+ deny:
+ conditions:
+ all:
+ - key:
+ - backup
+ - export
+ operator: AllNotIn
+ value: "{{ request.object.spec.actions[].action }}"
diff --git a/kasten/k10-data-protection-by-label/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/kasten/k10-data-protection-by-label/.chainsaw-test/chainsaw-step-01-assert-1.yaml
new file mode 100755
index 000000000..4e8dfe8c2
--- /dev/null
+++ b/kasten/k10-data-protection-by-label/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -0,0 +1,6 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: k10-data-protection-by-label
+status:
+ ready: true
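Review bot: The deny condition uses `operator: AllNotIn` with key `[backup, export]`, which only triggers when neither action appears in `{{ request.object.spec.actions[].action }}`; a K10 Policy with a `backup` action and no `export` therefore passes, even though the message says both are required and that is exactly the 3-2-1 gap this policy exists to catch. The intended check — deny when any required action is missing — is `operator: AnyNotIn`. The invalid fixture the tests reference (`sample-custom-backup-policy-invalid` / `k10-bad-policy.yaml`, renamed without changes so not shown here) would only expose this if it contains `backup` but not `export`; add such a case alongside the operator change.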
diff --git a/kasten/kasten-data-protection-by-label/.chainsaw-test/chainsaw-step-01-assert-2.yaml b/kasten/k10-data-protection-by-label/.chainsaw-test/chainsaw-step-01-assert-2.yaml similarity index 100% rename from kasten/kasten-data-protection-by-label/.chainsaw-test/chainsaw-step-01-assert-2.yaml rename to kasten/k10-data-protection-by-label/.chainsaw-test/chainsaw-step-01-assert-2.yaml diff --git a/kasten/k10-data-protection-by-label/.chainsaw-test/chainsaw-test.yaml b/kasten/k10-data-protection-by-label/.chainsaw-test/chainsaw-test.yaml new file mode 100755 index 000000000..0848fb895 --- /dev/null +++ b/kasten/k10-data-protection-by-label/.chainsaw-test/chainsaw-test.yaml 
@@ -0,0 +1,83 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: k10-data-protection-by-label +spec: + steps: + - name: step-01 + try: + - script: + content: | + sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../k10-data-protection-by-label.yaml | kubectl create -f - + - assert: + file: chainsaw-step-01-assert-1.yaml + - assert: + file: chainsaw-step-01-assert-2.yaml + - name: step-02 + try: + - apply: + file: ns.yaml + - apply: + file: deployment-good.yaml + - apply: + file: ss-good.yaml + - apply: + expect: + - check: + ($error != null): true + file: deployment-bad-badlabel.yaml + - apply: + expect: + - check: + ($error != null): true + file: deployment-bad-nolabel.yaml + - apply: + expect: + - check: + ($error != null): true + file: ss-bad-badlabel.yaml + - apply: + expect: + - check: + ($error != null): true + file: ss-bad-nolabel.yaml + - name: step-98 + try: + - command: + args: + - delete + - deployments + - --all + - --force + - --grace-period=0 + - -n + - k10-dplabel-ns + entrypoint: kubectl + - command: + args: + - delete + - statefulsets + - --all + - --force + - --grace-period=0 + - -n + - k10-dplabel-ns + entrypoint: kubectl + - command: + args: + - delete + - pods + - --all + - --force + - --grace-period=0 + - -n + - k10-dplabel-ns + entrypoint: kubectl + - name: step-99 + try: + - delete: + ref: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: k10-data-protection-by-label diff --git a/kasten/k10-data-protection-by-label/.chainsaw-test/deployment-bad-badlabel.yaml b/kasten/k10-data-protection-by-label/.chainsaw-test/deployment-bad-badlabel.yaml new file mode 100644 index 000000000..040ccdb48 --- /dev/null +++ b/kasten/k10-data-protection-by-label/.chainsaw-test/deployment-bad-badlabel.yaml 
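Review bot: step-01 flips the policy to Enforce with `sed` piped into `kubectl create`, so a pattern that stops matching the policy file is not an error: the ClusterPolicy is created in audit mode and the six `($error != null): true` expectations in step-02 fail for a reason unrelated to the policy. The deleted kasten-cel tests did this declaratively with `apply` plus `patch`, which fails loudly if the resource or field is wrong and lets chainsaw own the cleanup, so the explicit delete in step-99 can go. The rewritten step-01 would look like the following, with the two asserts unchanged.
```yaml
  - name: step-01
    try:
      - apply:
          file: ../k10-data-protection-by-label.yaml
      - patch:
          resource:
            apiVersion: kyverno.io/v1
            kind: ClusterPolicy
            metadata:
              name: k10-data-protection-by-label
            spec:
              validationFailureAction: Enforce
      # … unchanged: the two assert steps …
```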
@@ -0,0 +1,24 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeploy02 + labels: + app: busybox + purpose: production + dataprotection: foo-bar +spec: + replicas: 1 + selector: + matchLabels: + app: busybox + template: + metadata: + labels: + app: busybox + spec: + containers: + - name: busybox + image: busybox:1.35 + command: + - "sleep" + - "3600" \ No newline at end of file diff --git a/kasten/k10-data-protection-by-label/.chainsaw-test/deployment-bad-nolabel.yaml b/kasten/k10-data-protection-by-label/.chainsaw-test/deployment-bad-nolabel.yaml new file mode 100644 index 000000000..c34fd4785 --- /dev/null +++ b/kasten/k10-data-protection-by-label/.chainsaw-test/deployment-bad-nolabel.yaml @@ -0,0 +1,23 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeploy01 + labels: + app: busybox + purpose: production +spec: + replicas: 1 + selector: + matchLabels: + app: busybox + template: + metadata: + labels: + app: busybox + spec: + containers: + - name: busybox + image: busybox:1.35 + command: + - "sleep" + - "3600" \ No newline at end of file diff --git a/kasten/k10-data-protection-by-label/.chainsaw-test/deployment-good.yaml b/kasten/k10-data-protection-by-label/.chainsaw-test/deployment-good.yaml new file mode 100644 index 000000000..dcf3c489e --- /dev/null +++ b/kasten/k10-data-protection-by-label/.chainsaw-test/deployment-good.yaml 
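Review bot: `baddeploy02` and `baddeploy01` declare no `namespace:`, whereas the good fixtures in this test pin `k10-dplabel-ns`; they are only meant to be rejected at admission, but if the policy is ever left in audit mode (the test installs it via a `sed` rewrite) they are created wherever chainsaw places unqualified resources and the step-98 cleanup, scoped to `k10-dplabel-ns`, never removes them. Add `namespace: k10-dplabel-ns` to both `metadata:` blocks so the negative cases live in the same namespace as the positive ones and the cleanup covers them. Both files also lack a trailing newline.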
@@ -0,0 +1,75 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeploy01 + namespace: k10-dplabel-ns + labels: + app: busybox + purpose: production + dataprotection: k10-goldpolicy +spec: + replicas: 1 + selector: + matchLabels: + app: busybox + template: + metadata: + labels: + app: busybox + spec: + containers: + - name: busybox + image: busybox:1.35 + command: + - "sleep" + - "3600" +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeploy02 + namespace: k10-dplabel-ns + labels: + app: busybox + purpose: development + dataprotection: foo-bar +spec: + replicas: 1 + selector: + matchLabels: + app: busybox + template: + metadata: + labels: + app: busybox + spec: + containers: + - name: busybox + image: busybox:1.35 + command: + - "sleep" + - "3600" +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeploy03 + namespace: k10-dplabel-ns + labels: + app: busybox +spec: + replicas: 1 + selector: + matchLabels: + app: busybox + template: + metadata: + labels: + app: busybox + spec: + containers: + - name: busybox + image: busybox:1.35 + command: + - "sleep" + - "3600" \ No newline at end of file diff --git a/kasten/k10-data-protection-by-label/.chainsaw-test/nginx-deployment-invalid.yaml b/kasten/k10-data-protection-by-label/.chainsaw-test/nginx-deployment-invalid.yaml new file mode 100644 index 000000000..566318b81 --- /dev/null +++ b/kasten/k10-data-protection-by-label/.chainsaw-test/nginx-deployment-invalid.yaml @@ -0,0 +1,31 @@ +kind: Namespace +apiVersion: v1 +metadata: + name: nginx + labels: + name: nginx +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: nginx-deployment + namespace: nginx + labels: + app: nginx + purpose: production + dataprotection: none # invalid named K10 Policy!! +spec: + replicas: 3 + selector: + matchLabels: + app: nginx + template: + metadata: + labels: + app: nginx + spec: + containers: + - name: nginx + image: nginx:1.14.2 + ports: + - containerPort: 80 
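Review bot: `nginx-deployment-invalid.yaml` is not referenced by any step in chainsaw-test.yaml, so it is dead fixture data, and it bundles a fixed-name `nginx` Namespace with the Deployment; if it is later wired into step-02 as an expected-error apply, the Namespace is created before the Deployment is rejected and is left behind because no cleanup step targets it. Either drop the file or move the Deployment into `k10-dplabel-ns` like the other fixtures and add it to step-02 with `expect: - check: ($error != null): true`, since `dataprotection: none` is a worthwhile negative case not covered by the `foo-bar` fixtures.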
diff --git a/kasten-cel/k10-data-protection-by-label/.chainsaw-test/ns.yaml b/kasten/k10-data-protection-by-label/.chainsaw-test/ns.yaml similarity index 100% rename from kasten-cel/k10-data-protection-by-label/.chainsaw-test/ns.yaml rename to kasten/k10-data-protection-by-label/.chainsaw-test/ns.yaml diff --git a/kasten/k10-data-protection-by-label/.chainsaw-test/ss-bad-badlabel.yaml b/kasten/k10-data-protection-by-label/.chainsaw-test/ss-bad-badlabel.yaml new file mode 100644 index 000000000..cf1a15841 --- /dev/null +++ b/kasten/k10-data-protection-by-label/.chainsaw-test/ss-bad-badlabel.yaml @@ -0,0 +1,23 @@ +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: bad-ss02 + labels: + purpose: production + dataprotection: foo-bar +spec: + selector: + matchLabels: + app: busybox + serviceName: busybox-ss + replicas: 1 + minReadySeconds: 10 + template: + metadata: + labels: + app: busybox + spec: + terminationGracePeriodSeconds: 10 + containers: + - name: busybox + image: busybox:1.35 \ No newline at end of file diff --git a/kasten/k10-data-protection-by-label/.chainsaw-test/ss-bad-nolabel.yaml b/kasten/k10-data-protection-by-label/.chainsaw-test/ss-bad-nolabel.yaml new file mode 100644 index 000000000..397a81231 --- /dev/null +++ b/kasten/k10-data-protection-by-label/.chainsaw-test/ss-bad-nolabel.yaml @@ -0,0 +1,22 @@ +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: bad-ss01 + labels: + purpose: production +spec: + selector: + matchLabels: + app: busybox + serviceName: busybox-ss + replicas: 1 + minReadySeconds: 10 + template: + metadata: + labels: + app: busybox + spec: + terminationGracePeriodSeconds: 10 + containers: + - name: busybox + image: busybox:1.35 \ No newline at end of file diff --git a/kasten/k10-data-protection-by-label/.chainsaw-test/ss-good.yaml b/kasten/k10-data-protection-by-label/.chainsaw-test/ss-good.yaml new file mode 100644 index 000000000..bc6216c38 --- /dev/null 
+++ b/kasten/k10-data-protection-by-label/.chainsaw-test/ss-good.yaml
@@ -0,0 +1,65 @@
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+ name: good-ss01
+ namespace: k10-dplabel-ns
+ labels:
+ purpose: production
+ dataprotection: k10-silverpolicy
+spec:
+ selector:
+ matchLabels:
+ app: busybox
+ serviceName: busybox-ss
+ replicas: 1
+ template:
+ metadata:
+ labels:
+ app: busybox
+ spec:
+ containers:
+ - name: busybox
+ image: busybox:1.35
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+ name: good-ss02
+ namespace: k10-dplabel-ns
+spec:
+ selector:
+ matchLabels:
+ app: busybox
+ serviceName: busybox-ss
+ replicas: 1
+ template:
+ metadata:
+ labels:
+ app: busybox
+ spec:
+ containers:
+ - name: busybox
+ image: busybox:1.35
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+ name: good-ss02
+ namespace: k10-dplabel-ns
+ labels:
+ purpose: development
+ dataprotection: foo-bar
+spec:
+ selector:
+ matchLabels:
+ app: busybox
+ serviceName: busybox-ss
+ replicas: 1
+ template:
+ metadata:
+ labels:
+ app: busybox
+ spec:
+ containers:
+ - name: busybox
+ image: busybox:1.35
\ No newline at end of file
diff --git a/kasten-cel/k10-data-protection-by-label/.kyverno-test/kyverno-test.yaml b/kasten/k10-data-protection-by-label/.kyverno-test/kyverno-test.yaml
similarity index 100%
rename from kasten-cel/k10-data-protection-by-label/.kyverno-test/kyverno-test.yaml
rename to kasten/k10-data-protection-by-label/.kyverno-test/kyverno-test.yaml
diff --git a/kasten-cel/k10-data-protection-by-label/.kyverno-test/nginx-deployment.yaml b/kasten/k10-data-protection-by-label/.kyverno-test/nginx-deployment.yaml
similarity index 100%
rename from kasten-cel/k10-data-protection-by-label/.kyverno-test/nginx-deployment.yaml
rename to kasten/k10-data-protection-by-label/.kyverno-test/nginx-deployment.yaml
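Review bot: The second and third StatefulSet documents in ss-good.yaml are both `name: good-ss02` in `namespace: k10-dplabel-ns`, so the third (`purpose: development`, `dataprotection: foo-bar`) is applied as an update of the second and the unlabelled case is no longer present as its own object when the test finishes. Rename the third document to `name: good-ss03` so the "no labels", "non-production with a non-k10 label" and "production with a k10- label" cases each remain distinct. The file also lacks a trailing newline.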
diff --git a/kasten/k10-data-protection-by-label/artifacthub-pkg.yml b/kasten/k10-data-protection-by-label/artifacthub-pkg.yml new file mode 100644 index 000000000..fc23cdbe9 --- /dev/null +++ b/kasten/k10-data-protection-by-label/artifacthub-pkg.yml @@ -0,0 +1,22 @@ +name: k10-data-protection-by-label +version: 1.0.0 +displayName: Check Data Protection By Label +createdAt: "2023-04-10T20:12:53.000Z" +description: >- + Check the 'dataprotection' label that production Deployments and StatefulSet have a named K10 Policy. Use in combination with 'generate' ClusterPolicy to 'generate' a specific K10 Policy by name. +install: |- + ```shell + kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/kasten/k10-data-protection-by-label/k10-data-protection-by-label.yaml + ``` +keywords: + - kyverno + - Kasten K10 by Veeam +readme: | + Check the 'dataprotection' label that production Deployments and StatefulSet have a named K10 Policy. Use in combination with 'generate' ClusterPolicy to 'generate' a specific K10 Policy by name. + + Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ +annotations: + kyverno/category: "Kasten K10 by Veeam" + kyverno/kubernetesVersion: "1.21-1.22" + kyverno/subject: "Deployment, StatefulSet" +digest: 7f4a303a81cd673f876f42a4c8bf74f4d197f0a005907f2b3d09f3745bb749dc diff --git a/kasten/k10-data-protection-by-label/k10-data-protection-by-label.yaml b/kasten/k10-data-protection-by-label/k10-data-protection-by-label.yaml new file mode 100644 index 000000000..03e0606cf --- /dev/null +++ b/kasten/k10-data-protection-by-label/k10-data-protection-by-label.yaml 
@@ -0,0 +1,33 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: k10-data-protection-by-label
+ annotations:
+ policies.kyverno.io/title: Check Data Protection By Label
+ policies.kyverno.io/category: Kasten K10 by Veeam
+ kyverno.io/kyverno-version: 1.6.2
+ policies.kyverno.io/minversion: 1.6.2
+ kyverno.io/kubernetes-version: "1.21-1.22"
+ policies.kyverno.io/subject: Deployment, StatefulSet
+ policies.kyverno.io/description: >-
+ Check the 'dataprotection' label that production Deployments and StatefulSet have a named K10 Policy.
+ Use in combination with 'generate' ClusterPolicy to 'generate' a specific K10 Policy by name.
+spec:
+ validationFailureAction: audit
+ rules:
+ - name: k10-data-protection-by-label
+ match:
+ any:
+ - resources:
+ kinds:
+ - Deployment
+ - StatefulSet
+ selector:
+ matchLabels:
+ purpose: production
+ validate:
+ message: "Deployments and StatefulSets that specify 'dataprotection' label must have a valid k10-?* name (use labels: dataprotection: k10-)"
+ pattern:
+ metadata:
+ labels:
+ dataprotection: "k10-*"
diff --git a/kasten/k10-generate-gold-backup-policy/.chainsaw-test/chainsaw-step-01-apply-1.yaml b/kasten/k10-generate-gold-backup-policy/.chainsaw-test/chainsaw-step-01-apply-1.yaml
new file mode 100755
index 000000000..1dc53ed2c
--- /dev/null
+++ b/kasten/k10-generate-gold-backup-policy/.chainsaw-test/chainsaw-step-01-apply-1.yaml
@@ -0,0 +1,17 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ labels:
+ app.kubernetes.io/component: background-controller
+ app.kubernetes.io/instance: kyverno
+ app.kubernetes.io/part-of: kyverno
+ name: kyverno:background-controller:k10-goldbackuppolicy
+rules:
+- apiGroups:
+ - config.kio.kasten.io
+ resources:
+ - policies
+ verbs:
+ - create
+ - update
+ - delete
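Review bot: `pattern: metadata.labels.dataprotection: "k10-*"` accepts the bare prefix `k10-` because `*` matches zero characters, while the message in the same rule promises a `k10-?*` name; use `dataprotection: "k10-?*"` so at least one character must follow the prefix and an empty policy name cannot satisfy the rule. Separately, the rule only evaluates workloads whose author set `purpose: production`, a self-declared label, so a Deployment that omits or changes it is never checked; that is inherent to this pattern but should be stated, e.g. `# Opt-in guardrail: only workloads labelled purpose=production are checked; the label itself is not enforced here.` above `selector:`. The CEL variant removed in this commit also restricted `operations` to CREATE and UPDATE; without that list the rule also runs in background scans and on other admission operations, which is acceptable for an audit policy but should be a deliberate choice.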
diff --git a/kasten/kasten-generate-policy-by-preset-label/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/kasten/k10-generate-gold-backup-policy/.chainsaw-test/chainsaw-step-01-assert-1.yaml similarity index 100% rename from kasten/kasten-generate-policy-by-preset-label/.chainsaw-test/chainsaw-step-01-assert-1.yaml rename to kasten/k10-generate-gold-backup-policy/.chainsaw-test/chainsaw-step-01-assert-1.yaml diff --git a/kasten/k10-generate-gold-backup-policy/.chainsaw-test/chainsaw-step-03-apply-1.yaml b/kasten/k10-generate-gold-backup-policy/.chainsaw-test/chainsaw-step-03-apply-1.yaml new file mode 100755 index 000000000..caaef7d37 --- /dev/null +++ b/kasten/k10-generate-gold-backup-policy/.chainsaw-test/chainsaw-step-03-apply-1.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: k10-gp-ns01 diff --git a/kasten/k10-generate-gold-backup-policy/.chainsaw-test/chainsaw-step-03-apply-2.yaml b/kasten/k10-generate-gold-backup-policy/.chainsaw-test/chainsaw-step-03-apply-2.yaml new file mode 100755 index 000000000..b6693353e --- /dev/null +++ b/kasten/k10-generate-gold-backup-policy/.chainsaw-test/chainsaw-step-03-apply-2.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: k10-gp-ns02 diff --git a/kasten/k10-generate-gold-backup-policy/.chainsaw-test/chainsaw-step-03-apply-3.yaml b/kasten/k10-generate-gold-backup-policy/.chainsaw-test/chainsaw-step-03-apply-3.yaml new file mode 100755 index 000000000..b6924f910 --- /dev/null +++ b/kasten/k10-generate-gold-backup-policy/.chainsaw-test/chainsaw-step-03-apply-3.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: k10-gp-ns03 diff --git a/kasten/k10-generate-gold-backup-policy/.chainsaw-test/chainsaw-step-03-apply-4.yaml b/kasten/k10-generate-gold-backup-policy/.chainsaw-test/chainsaw-step-03-apply-4.yaml new file mode 100755 index 000000000..5a136cef6 --- /dev/null +++ b/kasten/k10-generate-gold-backup-policy/.chainsaw-test/chainsaw-step-03-apply-4.yaml 
@@ -0,0 +1,4 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: k10-gp-ns04 diff --git a/kasten/k10-generate-gold-backup-policy/.chainsaw-test/chainsaw-step-03-apply-5.yaml b/kasten/k10-generate-gold-backup-policy/.chainsaw-test/chainsaw-step-03-apply-5.yaml new file mode 100755 index 000000000..48123e7c6 --- /dev/null +++ b/kasten/k10-generate-gold-backup-policy/.chainsaw-test/chainsaw-step-03-apply-5.yaml @@ -0,0 +1,22 @@ +apiVersion: apps/v1 +kind: StatefulSet +metadata: + labels: + dataprotection: k10-goldpolicy + purpose: production + name: ss01 + namespace: k10-gp-ns01 +spec: + replicas: 1 + selector: + matchLabels: + app: busybox + serviceName: busybox-ss + template: + metadata: + labels: + app: busybox + spec: + containers: + - image: busybox:1.35 + name: busybox diff --git a/kasten/k10-generate-gold-backup-policy/.chainsaw-test/chainsaw-step-03-apply-6.yaml b/kasten/k10-generate-gold-backup-policy/.chainsaw-test/chainsaw-step-03-apply-6.yaml new file mode 100755 index 000000000..4ba469633 --- /dev/null +++ b/kasten/k10-generate-gold-backup-policy/.chainsaw-test/chainsaw-step-03-apply-6.yaml @@ -0,0 +1,25 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: busybox + dataprotection: k10-goldpolicy + purpose: production + name: deploy01 + namespace: k10-gp-ns02 +spec: + replicas: 1 + selector: + matchLabels: + app: busybox + template: + metadata: + labels: + app: busybox + spec: + containers: + - command: + - sleep + - "3600" + image: busybox:1.35 + name: busybox diff --git a/kasten/k10-generate-gold-backup-policy/.chainsaw-test/chainsaw-step-03-apply-7.yaml b/kasten/k10-generate-gold-backup-policy/.chainsaw-test/chainsaw-step-03-apply-7.yaml new file mode 100755 index 000000000..68a62ce5f --- /dev/null +++ b/kasten/k10-generate-gold-backup-policy/.chainsaw-test/chainsaw-step-03-apply-7.yaml 
@@ -0,0 +1,22 @@
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+ labels:
+ dataprotection: k10-simplepolicy
+ purpose: production
+ name: ss02
+ namespace: k10-gp-ns03
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: busybox
+ serviceName: busybox-ss
+ template:
+ metadata:
+ labels:
+ app: busybox
+ spec:
+ containers:
+ - image: busybox:1.35
+ name: busybox
diff --git a/kasten/k10-generate-gold-backup-policy/.chainsaw-test/chainsaw-step-03-apply-8.yaml b/kasten/k10-generate-gold-backup-policy/.chainsaw-test/chainsaw-step-03-apply-8.yaml
new file mode 100755
index 000000000..716709323
--- /dev/null
+++ b/kasten/k10-generate-gold-backup-policy/.chainsaw-test/chainsaw-step-03-apply-8.yaml
@@ -0,0 +1,25 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ app: busybox
+ dataprotection: k10-simplepolicy
+ purpose: production
+ name: deploy02
+ namespace: k10-gp-ns04
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: busybox
+ template:
+ metadata:
+ labels:
+ app: busybox
+ spec:
+ containers:
+ - command:
+ - sleep
+ - "3600"
+ image: busybox:1.35
+ name: busybox
diff --git a/kasten/k10-generate-gold-backup-policy/.chainsaw-test/chainsaw-test.yaml b/kasten/k10-generate-gold-backup-policy/.chainsaw-test/chainsaw-test.yaml
new file mode 100755
index 000000000..262ebcd5c
--- /dev/null
+++ b/kasten/k10-generate-gold-backup-policy/.chainsaw-test/chainsaw-test.yaml
@@ -0,0 +1,85 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: k10-generate-gold-backup-policy
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: chainsaw-step-01-apply-1.yaml
+ - assert:
+ file: chainsaw-step-01-assert-1.yaml
+ - name: step-02
+ try:
+ - apply:
+ file: ../k10-generate-gold-backup-policy.yaml
+ - assert:
+ file: policy-ready.yaml
+ - name: step-03
+ try:
+ - apply:
+ file: chainsaw-step-03-apply-1.yaml
+ - apply:
+ file: chainsaw-step-03-apply-2.yaml
+ - apply:
+ file: chainsaw-step-03-apply-3.yaml
+ - apply:
+ file: chainsaw-step-03-apply-4.yaml
+ - apply:
+ file: chainsaw-step-03-apply-5.yaml
+ - apply:
+ file: chainsaw-step-03-apply-6.yaml
+ - apply:
+ file: chainsaw-step-03-apply-7.yaml
+ - apply:
+ file: chainsaw-step-03-apply-8.yaml
+ - name: step-04
+ try:
+ - assert:
+ file: generated-policy.yaml
+ - error:
+ file: not-generated-policy.yaml
+ - name: step-05
+ try:
+ - command:
+ args:
+ - delete
+ - all
+ - --all
+ - --force
+ - --grace-period=0
+ - -n
+ - k10-gp-ns01
+ entrypoint: kubectl
+ - command:
+ args:
+ - delete
+ - all
+ - --all
+ - --force
+ - --grace-period=0
+ - -n
+ - k10-gp-ns02
+ entrypoint: kubectl
+ - command:
+ args:
+ - delete
+ - all
+ - --all
+ - --force
+ - --grace-period=0
+ - -n
+ - k10-gp-ns03
+ entrypoint: kubectl
+ - command:
+ args:
+ - delete
+ - all
+ - --all
+ - --force
+ - --grace-period=0
+ - -n
+ - k10-gp-ns04
+ entrypoint: kubectl
diff --git a/kasten/k10-generate-gold-backup-policy/.chainsaw-test/generated-policy.yaml b/kasten/k10-generate-gold-backup-policy/.chainsaw-test/generated-policy.yaml
new file mode 100644
index 000000000..c6117fc62
--- /dev/null
+++ b/kasten/k10-generate-gold-backup-policy/.chainsaw-test/generated-policy.yaml
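Review bot: step-05 spells out the same `kubectl delete all --all --force --grace-period=0` invocation four times with only the namespace changing; one `script` step (the form `chainsaw-test.yaml` for k10-hourly-rpo in this same change already uses) looping over the four namespaces keeps the flags in a single place and reads as one cleanup action. It is also worth a comment that `delete all` does not include the generated `config.kio.kasten.io` Policy objects, so their removal rests on chainsaw deleting the namespaces applied in step-03 during its own cleanup — which I believe it does for resources the test applied, but the next reader should not expect this step to do it. Proposed replacement for the four `command` entries:
```yaml
  - name: step-05
    try:
    - script:
        content: |
          # `delete all` does not cover config.kio.kasten.io Policies; those are removed with the namespaces at chainsaw cleanup
          for ns in k10-gp-ns01 k10-gp-ns02 k10-gp-ns03 k10-gp-ns04; do
            kubectl delete all --all --force --grace-period=0 -n "$ns"
          done
```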
@@ -0,0 +1,65 @@
+apiVersion: config.kio.kasten.io/v1alpha1
+kind: Policy
+metadata:
+ name: k10-k10-gp-ns01-gold-backup-policy
+ namespace: k10-gp-ns01
+spec:
+ actions:
+ - action: backup
+ - action: export
+ exportParameters:
+ exportData:
+ enabled: true
+ frequency: '@monthly'
+ profile:
+ name: object-lock-s3
+ namespace: kasten-io
+ retention:
+ monthly: 12
+ yearly: 5
+ comment: K10 "gold" immutable production backup policy
+ frequency: '@daily'
+ retention:
+ daily: 7
+ monthly: 12
+ weekly: 4
+ yearly: 7
+ selector:
+ matchExpressions:
+ - key: k10.kasten.io/appNamespace
+ operator: In
+ values:
+ - k10-gp-ns01
+---
+apiVersion: config.kio.kasten.io/v1alpha1
+kind: Policy
+metadata:
+ name: k10-k10-gp-ns02-gold-backup-policy
+ namespace: k10-gp-ns02
+spec:
+ actions:
+ - action: backup
+ - action: export
+ exportParameters:
+ exportData:
+ enabled: true
+ frequency: '@monthly'
+ profile:
+ name: object-lock-s3
+ namespace: kasten-io
+ retention:
+ monthly: 12
+ yearly: 5
+ comment: K10 "gold" immutable production backup policy
+ frequency: '@daily'
+ retention:
+ daily: 7
+ monthly: 12
+ weekly: 4
+ yearly: 7
+ selector:
+ matchExpressions:
+ - key: k10.kasten.io/appNamespace
+ operator: In
+ values:
+ - k10-gp-ns02
\ No newline at end of file
diff --git a/kasten/k10-generate-gold-backup-policy/.chainsaw-test/not-generated-policy.yaml b/kasten/k10-generate-gold-backup-policy/.chainsaw-test/not-generated-policy.yaml
new file mode 100644
index 000000000..8077a9283
--- /dev/null
+++ b/kasten/k10-generate-gold-backup-policy/.chainsaw-test/not-generated-policy.yaml
@@ -0,0 +1,65 @@
+apiVersion: config.kio.kasten.io/v1alpha1
+kind: Policy
+metadata:
+ name: k10-k10-gp-ns03-gold-backup-policy
+ namespace: k10-gp-ns03
+spec:
+ actions:
+ - action: backup
+ - action: export
+ exportParameters:
+ exportData:
+ enabled: true
+ frequency: '@monthly'
+ profile:
+ name: object-lock-s3
+ namespace: kasten-io
+ retention:
+ monthly: 12
+ yearly: 5
+ comment: K10 "gold" immutable production backup policy
+ frequency: '@daily'
+ retention:
+ daily: 7
+ monthly: 12
+ weekly: 4
+ yearly: 7
+ selector:
+ matchExpressions:
+ - key: k10.kasten.io/appNamespace
+ operator: In
+ values:
+ - k10-gp-ns03
+---
+apiVersion: config.kio.kasten.io/v1alpha1
+kind: Policy
+metadata:
+ name: k10-k10-gp-ns04-gold-backup-policy
+ namespace: k10-gp-ns04
+spec:
+ actions:
+ - action: backup
+ - action: export
+ exportParameters:
+ exportData:
+ enabled: true
+ frequency: '@monthly'
+ profile:
+ name: object-lock-s3
+ namespace: kasten-io
+ retention:
+ monthly: 12
+ yearly: 5
+ comment: K10 "gold" immutable production backup policy
+ frequency: '@daily'
+ retention:
+ daily: 7
+ monthly: 12
+ weekly: 4
+ yearly: 7
+ selector:
+ matchExpressions:
+ - key: k10.kasten.io/appNamespace
+ operator: In
+ values:
+ - k10-gp-ns04
diff --git a/kasten/k10-generate-gold-backup-policy/.chainsaw-test/policy-ready.yaml b/kasten/k10-generate-gold-backup-policy/.chainsaw-test/policy-ready.yaml
new file mode 100644
index 000000000..47d9d5ff2
--- /dev/null
+++ b/kasten/k10-generate-gold-backup-policy/.chainsaw-test/policy-ready.yaml
@@ -0,0 +1,6 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: k10-generate-gold-backup-policy
+status:
+ ready: true
\ No newline at end of file
diff --git a/kasten/k10-generate-gold-backup-policy/artifacthub-pkg.yml b/kasten/k10-generate-gold-backup-policy/artifacthub-pkg.yml
new file mode 100644
index 000000000..9e671e537
--- /dev/null
+++ b/kasten/k10-generate-gold-backup-policy/artifacthub-pkg.yml
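Review bot: The negative check this file feeds (`error: file: not-generated-policy.yaml` in step-04) is weaker than it looks, because both documents pin the complete spec of a Policy that must not exist. If chainsaw's `error` action only fails when a live object matches every listed field — which is how I read it — then a Policy wrongly generated for `k10-gp-ns03` or `k10-gp-ns04` with any spec difference (another retention, another profile) would still let the step pass. Trimming each document to `apiVersion`, `kind`, `metadata.name` and `metadata.namespace` turns the check into "no Policy of this name exists at all", which is what the step intends. The same applies to `not-generated-policy.yaml` for the k10-generate-policy-by-preset-label test further down in this change.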
@@ -0,0 +1,22 @@
+name: k10-generate-gold-backup-policy
+version: 1.0.0
+displayName: Generate Gold Backup Policy
+createdAt: "2023-04-10T20:12:53.000Z"
+description: >-
+ Generate a backup policy for any Deployment or StatefulSet that adds the labels "dataprotection: k10-goldpolicy" This policy works best to decide the data protection objectives and simply assign backup via application labels.
+install: |-
+ ```shell
+ kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/kasten/k10-generate-gold-backup-policy/k10-generate-gold-backup-policy.yaml
+ ```
+keywords:
+ - kyverno
+ - Kasten K10 by Veeam
+readme: |
+ Generate a backup policy for any Deployment or StatefulSet that adds the labels "dataprotection: k10-goldpolicy" This policy works best to decide the data protection objectives and simply assign backup via application labels.
+
+ Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/
+annotations:
+ kyverno/category: "Kasten K10 by Veeam"
+ kyverno/kubernetesVersion: "1.21-1.22"
+ kyverno/subject: "Policy"
+digest: 9c12e7c601640434411e08b965b408cebd9862cb23760cac545a2a96741036b7
diff --git a/kasten/k10-generate-gold-backup-policy/k10-generate-gold-backup-policy.yaml b/kasten/k10-generate-gold-backup-policy/k10-generate-gold-backup-policy.yaml
new file mode 100644
index 000000000..f79d0b637
--- /dev/null
+++ b/kasten/k10-generate-gold-backup-policy/k10-generate-gold-backup-policy.yaml
@@ -0,0 +1,63 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: k10-generate-gold-backup-policy
+ annotations:
+ policies.kyverno.io/title: Generate Gold Backup Policy
+ policies.kyverno.io/category: Kasten K10 by Veeam
+ kyverno.io/kyverno-version: 1.6.2
+ policies.kyverno.io/minversion: 1.6.2
+ kyverno.io/kubernetes-version: "1.21-1.22"
+ policies.kyverno.io/subject: Policy
+ policies.kyverno.io/description: >-
+ Generate a backup policy for any Deployment or StatefulSet that adds the labels "dataprotection: k10-goldpolicy"
+ This policy works best to decide the data protection objectives and simply assign backup via application labels.
+spec:
+ background: false
+ rules:
+ - name: k10-generate-gold-backup-policy
+ match:
+ any:
+ - resources:
+ kinds:
+ - Deployment
+ - StatefulSet
+ selector:
+ matchLabels:
+ dataprotection: k10-goldpolicy # match with a corresponding ClusterPolicy that checks for this label
+ generate:
+ apiVersion: config.kio.kasten.io/v1alpha1
+ kind: Policy
+ name: k10-{{request.namespace}}-gold-backup-policy
+ namespace: "{{request.namespace}}"
+ data:
+ metadata:
+ name: k10-{{request.namespace}}-gold-backup-policy
+ namespace: "{{request.namespace}}"
+ spec:
+ comment: K10 "gold" immutable production backup policy
+ frequency: '@daily'
+ retention:
+ daily: 7
+ weekly: 4
+ monthly: 12
+ yearly: 7
+ actions:
+ - action: backup
+ - action: export
+ exportParameters:
+ frequency: '@monthly'
+ profile:
+ name: object-lock-s3
+ namespace: kasten-io
+ exportData:
+ enabled: true
+ retention:
+ monthly: 12
+ yearly: 5
+ selector:
+ matchExpressions:
+ - key: k10.kasten.io/appNamespace
+ operator: In
+ values:
+ - "{{request.namespace}}"
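Review bot: The generated object's name `k10-{{request.namespace}}-gold-backup-policy` is keyed on the namespace alone, so a second labelled Deployment or StatefulSet in the same namespace triggers a generate for a name that already exists; the rule sets no `synchronize`, and I am not certain whether Kyverno treats the existing target as a no-op or reports a rule failure, and the chainsaw test never places more than one labelled workload per namespace, so this path is untested. I would state the intent on the `generate:` block, e.g. `# one Policy per namespace: every labelled workload in a namespace resolves to the same generated name`, and add a second labelled workload to one of the test namespaces. From a least-privilege angle it is also worth saying in the description annotation that the trigger is a label any user with write access to workloads in a namespace can set, and that the result is Kyverno, under its own generate permissions, creating a backup-and-export Policy targeting the hard-coded `object-lock-s3` profile in `kasten-io` on that user's behalf — intended here, but cluster operators should know that label-write effectively becomes Policy-create. The inline comment `# match with a corresponding ClusterPolicy that checks for this label` names no such policy; if one exists in this repository it should be referenced by name, otherwise the comment should be dropped.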
diff --git a/kasten/kasten-generate-policy-by-preset-label/.chainsaw-test/chainsaw-step-01-apply-1.yaml b/kasten/k10-generate-policy-by-preset-label/.chainsaw-test/chainsaw-step-01-apply-1.yaml
similarity index 100%
rename from kasten/kasten-generate-policy-by-preset-label/.chainsaw-test/chainsaw-step-01-apply-1.yaml
rename to kasten/k10-generate-policy-by-preset-label/.chainsaw-test/chainsaw-step-01-apply-1.yaml
diff --git a/kasten-cel/k10-data-protection-by-label/.chainsaw-test/crd-assert.yaml b/kasten/k10-generate-policy-by-preset-label/.chainsaw-test/chainsaw-step-01-assert-1.yaml
similarity index 100%
rename from kasten-cel/k10-data-protection-by-label/.chainsaw-test/crd-assert.yaml
rename to kasten/k10-generate-policy-by-preset-label/.chainsaw-test/chainsaw-step-01-assert-1.yaml
diff --git a/kasten/kasten-generate-policy-by-preset-label/.chainsaw-test/chainsaw-step-03-apply-1.yaml b/kasten/k10-generate-policy-by-preset-label/.chainsaw-test/chainsaw-step-03-apply-1.yaml
similarity index 100%
rename from kasten/kasten-generate-policy-by-preset-label/.chainsaw-test/chainsaw-step-03-apply-1.yaml
rename to kasten/k10-generate-policy-by-preset-label/.chainsaw-test/chainsaw-step-03-apply-1.yaml
diff --git a/kasten/kasten-generate-policy-by-preset-label/.chainsaw-test/chainsaw-step-03-apply-2.yaml b/kasten/k10-generate-policy-by-preset-label/.chainsaw-test/chainsaw-step-03-apply-2.yaml
similarity index 100%
rename from kasten/kasten-generate-policy-by-preset-label/.chainsaw-test/chainsaw-step-03-apply-2.yaml
rename to kasten/k10-generate-policy-by-preset-label/.chainsaw-test/chainsaw-step-03-apply-2.yaml
diff --git a/kasten/kasten-generate-policy-by-preset-label/.chainsaw-test/chainsaw-step-03-apply-3.yaml b/kasten/k10-generate-policy-by-preset-label/.chainsaw-test/chainsaw-step-03-apply-3.yaml
similarity index 100%
rename from kasten/kasten-generate-policy-by-preset-label/.chainsaw-test/chainsaw-step-03-apply-3.yaml
rename to kasten/k10-generate-policy-by-preset-label/.chainsaw-test/chainsaw-step-03-apply-3.yaml
diff --git a/kasten/kasten-generate-policy-by-preset-label/.chainsaw-test/chainsaw-step-03-apply-4.yaml b/kasten/k10-generate-policy-by-preset-label/.chainsaw-test/chainsaw-step-03-apply-4.yaml
similarity index 100%
rename from kasten/kasten-generate-policy-by-preset-label/.chainsaw-test/chainsaw-step-03-apply-4.yaml
rename to kasten/k10-generate-policy-by-preset-label/.chainsaw-test/chainsaw-step-03-apply-4.yaml
diff --git a/kasten/k10-generate-policy-by-preset-label/.chainsaw-test/chainsaw-step-03-apply-5.yaml b/kasten/k10-generate-policy-by-preset-label/.chainsaw-test/chainsaw-step-03-apply-5.yaml
new file mode 100755
index 000000000..87f813500
--- /dev/null
+++ b/kasten/k10-generate-policy-by-preset-label/.chainsaw-test/chainsaw-step-03-apply-5.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ labels:
+ dataprotection: nothing
+ name: k10-gp-label-ns04
diff --git a/kasten/kasten-generate-policy-by-preset-label/.chainsaw-test/chainsaw-step-03-apply-6.yaml b/kasten/k10-generate-policy-by-preset-label/.chainsaw-test/chainsaw-step-03-apply-6.yaml
similarity index 100%
rename from kasten/kasten-generate-policy-by-preset-label/.chainsaw-test/chainsaw-step-03-apply-6.yaml
rename to kasten/k10-generate-policy-by-preset-label/.chainsaw-test/chainsaw-step-03-apply-6.yaml
diff --git a/kasten/k10-generate-policy-by-preset-label/.chainsaw-test/chainsaw-test.yaml b/kasten/k10-generate-policy-by-preset-label/.chainsaw-test/chainsaw-test.yaml
new file mode 100755
index 000000000..7ac9f3c32
--- /dev/null
+++ b/kasten/k10-generate-policy-by-preset-label/.chainsaw-test/chainsaw-test.yaml
@@ -0,0 +1,39 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: k10-generate-policy-by-preset-label
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: chainsaw-step-01-apply-1.yaml
+ - assert:
+ file: chainsaw-step-01-assert-1.yaml
+ - name: step-02
+ try:
+ - apply:
+ file: ../k10-generate-policy-by-preset-label.yaml
+ - assert:
+ file: policy-ready.yaml
+ - name: step-03
+ try:
+ - apply:
+ file: chainsaw-step-03-apply-1.yaml
+ - apply:
+ file: chainsaw-step-03-apply-2.yaml
+ - apply:
+ file: chainsaw-step-03-apply-3.yaml
+ - apply:
+ file: chainsaw-step-03-apply-4.yaml
+ - apply:
+ file: chainsaw-step-03-apply-5.yaml
+ - apply:
+ file: chainsaw-step-03-apply-6.yaml
+ - name: step-04
+ try:
+ - assert:
+ file: generated-policy.yaml
+ - error:
+ file: not-generated-policy.yaml
diff --git a/kasten/kasten-generate-policy-by-preset-label/.chainsaw-test/generated-policy.yaml b/kasten/k10-generate-policy-by-preset-label/.chainsaw-test/generated-policy.yaml
similarity index 100%
rename from kasten/kasten-generate-policy-by-preset-label/.chainsaw-test/generated-policy.yaml
rename to kasten/k10-generate-policy-by-preset-label/.chainsaw-test/generated-policy.yaml
diff --git a/kasten/k10-generate-policy-by-preset-label/.chainsaw-test/not-generated-policy.yaml b/kasten/k10-generate-policy-by-preset-label/.chainsaw-test/not-generated-policy.yaml
new file mode 100644
index 000000000..f938c3623
--- /dev/null
+++ b/kasten/k10-generate-policy-by-preset-label/.chainsaw-test/not-generated-policy.yaml
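Review bot: This test has no cleanup for the Policies the ClusterPolicy generates, and unlike the k10-generate-gold-backup-policy test they are created in `kasten-io` (see `namespace: kasten-io` under `generate:` in the policy), not in the test namespaces, so chainsaw's cleanup of the namespaces it applied will not take them along. On the next run the `existingPolicy` precondition would then see a leftover Policy covering the recreated namespace and skip generation, and step-04's `assert` would fail — unless Kyverno removes the downstream object when the trigger namespace goes away, which without `synchronize` I would not count on. A final step that deletes the generated Policies by their `<namespace>-<label>-backup` names (the pattern visible in `not-generated-policy.yaml`) closes this:
```yaml
  - name: step-99
    try:
    - script:
        content: |
          # generated Policies live in kasten-io, not in the test namespaces, so chainsaw's namespace cleanup does not remove them
          kubectl -n kasten-io get policies.config.kio.kasten.io -o name \
            | grep '/k10-gp-label-ns' | xargs -r kubectl -n kasten-io delete
```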
@@ -0,0 +1,39 @@
+apiVersion: config.kio.kasten.io/v1alpha1
+kind: Policy
+metadata:
+ name: k10-gp-label-ns04-nothing-backup
+ namespace: kasten-io
+spec:
+ comment: "Auto-generated by Kyverno"
+ paused: false
+ actions:
+ - action: backup
+ presetRef:
+ name: nothing
+ namespace: kasten-io
+ selector:
+ matchExpressions:
+ - key: k10.kasten.io/appNamespace
+ operator: In
+ values:
+ - k10-gp-label-ns04
+---
+apiVersion: config.kio.kasten.io/v1alpha1
+kind: Policy
+metadata:
+ name: k10-gp-label-ns05-gold-backup
+ namespace: kasten-io
+spec:
+ comment: "Auto-generated by Kyverno"
+ paused: false
+ actions:
+ - action: backup
+ presetRef:
+ name: gold
+ namespace: kasten-io
+ selector:
+ matchExpressions:
+ - key: k10.kasten.io/appNamespace
+ operator: In
+ values:
+ - k10-gp-label-ns05
\ No newline at end of file
diff --git a/kasten/k10-generate-policy-by-preset-label/.chainsaw-test/policy-ready.yaml b/kasten/k10-generate-policy-by-preset-label/.chainsaw-test/policy-ready.yaml
new file mode 100644
index 000000000..279f86de4
--- /dev/null
+++ b/kasten/k10-generate-policy-by-preset-label/.chainsaw-test/policy-ready.yaml
@@ -0,0 +1,6 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: k10-generate-policy-by-preset-label
+status:
+ ready: true
\ No newline at end of file
diff --git a/kasten/kasten-generate-policy-by-preset-label/.kyverno-test/generatedResource.yaml b/kasten/k10-generate-policy-by-preset-label/.kyverno-test/generatedResource.yaml
similarity index 100%
rename from kasten/kasten-generate-policy-by-preset-label/.kyverno-test/generatedResource.yaml
rename to kasten/k10-generate-policy-by-preset-label/.kyverno-test/generatedResource.yaml
diff --git a/kasten/k10-generate-policy-by-preset-label/.kyverno-test/kyverno-test.yaml b/kasten/k10-generate-policy-by-preset-label/.kyverno-test/kyverno-test.yaml
new file mode 100644
index 000000000..8ab63d8a9
--- /dev/null
+++ b/kasten/k10-generate-policy-by-preset-label/.kyverno-test/kyverno-test.yaml
@@ -0,0 +1,17 @@
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ name: k10-generate-policy-by-preset-label-test
+policies:
+- ../k10-generate-policy-by-preset-label.yaml
+resources:
+- test-resource.yaml
+results:
+- generatedResource: generatedResource.yaml
+ kind: Namespace
+ policy: k10-generate-policy-by-preset-label
+ resources:
+ - test-namespace
+ result: pass
+ rule: k10-generate-policy-by-preset-label
+variables: test-values.yaml
diff --git a/kasten/kasten-generate-policy-by-preset-label/.kyverno-test/test-resource.yaml b/kasten/k10-generate-policy-by-preset-label/.kyverno-test/test-resource.yaml
similarity index 100%
rename from kasten/kasten-generate-policy-by-preset-label/.kyverno-test/test-resource.yaml
rename to kasten/k10-generate-policy-by-preset-label/.kyverno-test/test-resource.yaml
diff --git a/kasten/k10-generate-policy-by-preset-label/.kyverno-test/test-values.yaml b/kasten/k10-generate-policy-by-preset-label/.kyverno-test/test-values.yaml
new file mode 100644
index 000000000..a1dd29ca5
--- /dev/null
+++ b/kasten/k10-generate-policy-by-preset-label/.kyverno-test/test-values.yaml
@@ -0,0 +1,12 @@
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Values
+policies:
+- name: k10-generate-policy-by-preset-label
+ resources:
+ - name: test-namespace
+ values:
+ request.namespace: test-namespace
+ rules:
+ - name: k10-generate-policy-by-preset-label
+ values:
+ existingPolicy: 0
diff --git a/kasten/k10-generate-policy-by-preset-label/artifacthub-pkg.yml b/kasten/k10-generate-policy-by-preset-label/artifacthub-pkg.yml
new file mode 100644
index 000000000..f2f0a0261
--- /dev/null
+++ b/kasten/k10-generate-policy-by-preset-label/artifacthub-pkg.yml
@@ -0,0 +1,22 @@
+name: k10-generate-policy-by-preset-label
+version: 1.0.0
+displayName: Generate Backup Policy by Preset
+createdAt: "2023-04-10T20:12:53.000Z"
+description: >-
+ Generate a K10 backup policy for a namespace that includes a valid "dataprotection" label, if the policy does not already exist.
+install: |-
+ ```shell
+ kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/kasten/k10-generate-policy-by-preset-label/k10-generate-policy-by-preset-label.yaml
+ ```
+keywords:
+ - kyverno
+ - Kasten K10 by Veeam
+readme: |
+ Generate a K10 backup policy for a namespace that includes a valid "dataprotection" label, if the policy does not already exist.
+
+ Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/
+annotations:
+ kyverno/category: "Kasten K10 by Veeam"
+ kyverno/kubernetesVersion: "1.23"
+ kyverno/subject: "Policy"
+digest: cf651866d9e5fa4c77b0a7a8d5e816d30624f61816ed199ecdb9b498f097fe06
diff --git a/kasten/k10-generate-policy-by-preset-label/k10-generate-policy-by-preset-label.yaml b/kasten/k10-generate-policy-by-preset-label/k10-generate-policy-by-preset-label.yaml
new file mode 100644
index 000000000..d743c1e7c
--- /dev/null
+++ b/kasten/k10-generate-policy-by-preset-label/k10-generate-policy-by-preset-label.yaml
@@ -0,0 +1,70 @@
+# NOTE: This example assumes that K10 policy presets named "gold", "silver", and "bronze" have been pre-created and K10 was deployed into the `kasten-io` namespace. And the kyverno:generate ClusterRole has been updated with the following additional permissions:
+# - apiGroups:
+# - config.kio.kasten.io
+# resources:
+# - policies
+# verbs:
+# - create
+# - update
+# - list
+# - get
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: k10-generate-policy-by-preset-label
+ annotations:
+ policies.kyverno.io/title: Generate Backup Policy by Preset
+ policies.kyverno.io/category: Kasten K10 by Veeam
+ policies.kyverno.io/subject: Policy
+ kyverno.io/kyverno-version: 1.9.0
+ policies.kyverno.io/minversion: 1.9.0
+ kyverno.io/kubernetes-version: "1.23"
+ policies.kyverno.io/description: >-
+ Generate a K10 backup policy for a namespace that includes a valid "dataprotection" label, if the policy does not already exist.
+spec:
+ background: false
+ rules:
+ - name: k10-generate-policy-by-preset-label
+ match:
+ any:
+ - resources:
+ kinds:
+ - Namespace
+ selector:
+ matchExpressions:
+ - key: dataprotection
+ operator: In
+ values:
+ - gold
+ - silver
+ - bronze
+ context:
+ - name: existingPolicy
+ apiCall:
+ urlPath: "/apis/config.kio.kasten.io/v1alpha1/namespaces/kasten-io/policies/" # returns list of K10 policies from kasten-io namespace
+ jmesPath: "items[][[@.spec.presetRef][?name=='{{ request.object.metadata.labels.dataprotection }}'] && [@.spec.selector.matchExpressions[].values[?@=='{{ request.namespace }}']]][][][][] | length(@)" # queries if a policy based on the dataprotection label value, covering that app namespace already exists
+ preconditions:
+ any:
+ - key: "{{ existingPolicy }}"
+ operator: Equals
+ value: 0 # Only generate the policy if it does not already exist
+ generate:
+ apiVersion: config.kio.kasten.io/v1alpha1
+ kind: Policy
+ name: "{{ request.namespace }}-{{ request.object.metadata.labels.dataprotection
}}-backup"
+ namespace: kasten-io
+ data:
+ spec:
+ comment: "Auto-generated by Kyverno"
+ paused: false
+ actions:
+ - action: backup
+ presetRef:
+ name: "{{ request.object.metadata.labels.dataprotection }}"
+ namespace: kasten-io
+ selector:
+ matchExpressions:
+ - key: k10.kasten.io/appNamespace
+ operator: In
+ values:
+ - "{{ request.namespace }}"
\ No newline at end of file
diff --git a/kasten/k10-hourly-rpo/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/kasten/k10-hourly-rpo/.chainsaw-test/chainsaw-step-01-assert-1.yaml
new file mode 100755
index 000000000..3fa1c7221
--- /dev/null
+++ b/kasten/k10-hourly-rpo/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -0,0 +1,6 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: k10-policy-hourly-rpo
+status:
+ ready: true
diff --git a/kasten/kasten-hourly-rpo/.chainsaw-test/chainsaw-step-01-assert-2.yaml b/kasten/k10-hourly-rpo/.chainsaw-test/chainsaw-step-01-assert-2.yaml
similarity index 100%
rename from kasten/kasten-hourly-rpo/.chainsaw-test/chainsaw-step-01-assert-2.yaml
rename to kasten/k10-hourly-rpo/.chainsaw-test/chainsaw-step-01-assert-2.yaml
diff --git a/kasten/k10-hourly-rpo/.chainsaw-test/chainsaw-test.yaml b/kasten/k10-hourly-rpo/.chainsaw-test/chainsaw-test.yaml
new file mode 100755
index 000000000..731fc4183
--- /dev/null
+++ b/kasten/k10-hourly-rpo/.chainsaw-test/chainsaw-test.yaml
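Review bot: The `jmesPath` of the `existingPolicy` context splices `{{ request.object.metadata.labels.dataprotection }}` and `{{ request.namespace }}` straight into single-quoted JMESPath string literals. That is safe here only because the rule's `matchExpressions` restricts `dataprotection` to the closed set `gold`/`silver`/`bronze` and a namespace name is a DNS label; if someone later widens the allowed values, a label value containing `'` or JMESPath syntax would break or change the query and the `Equals 0` precondition would decide on a wrong count. I would record that coupling next to the selector, e.g. `# keep this a closed set: the values are also interpolated into the existingPolicy jmesPath below`. Separately, the header NOTE lists the extra verbs only for the kyverno:generate ClusterRole, but the `apiCall` is evaluated at admission time, so the identity Kyverno uses for context lookups also needs `list` on these policies in `kasten-io` — worth confirming against the Kyverno version pinned (1.9.0) and stating in the NOTE.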
@@ -0,0 +1,32 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: k10-hourly-rpo
+spec:
+ steps:
+ - name: step-01
+ try:
+ - script:
+ content: |
+ sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../k10-hourly-rpo.yaml | kubectl create -f -
+ - assert:
+ file: chainsaw-step-01-assert-1.yaml
+ - assert:
+ file: chainsaw-step-01-assert-2.yaml
+ - name: step-02
+ try:
+ - apply:
+ file: k10-good-policy.yaml
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: k10-bad-policy.yaml
+ - name: step-99
+ try:
+ - delete:
+ ref:
+ apiVersion: kyverno.io/v1
+ kind: ClusterPolicy
+ name: k10-policy-hourly-rpo
diff --git a/kasten-cel/k10-hourly-rpo/.chainsaw-test/k10-bad-policy.yaml b/kasten/k10-hourly-rpo/.chainsaw-test/k10-bad-policy.yaml
similarity index 100%
rename from kasten-cel/k10-hourly-rpo/.chainsaw-test/k10-bad-policy.yaml
rename to kasten/k10-hourly-rpo/.chainsaw-test/k10-bad-policy.yaml
diff --git a/kasten-cel/k10-hourly-rpo/.chainsaw-test/k10-good-policy.yaml b/kasten/k10-hourly-rpo/.chainsaw-test/k10-good-policy.yaml
similarity index 100%
rename from kasten-cel/k10-hourly-rpo/.chainsaw-test/k10-good-policy.yaml
rename to kasten/k10-hourly-rpo/.chainsaw-test/k10-good-policy.yaml
diff --git a/kasten-cel/k10-hourly-rpo/.kyverno-test/backup-export-policy.yaml b/kasten/k10-hourly-rpo/.kyverno-test/backup-export-policy.yaml
similarity index 100%
rename from kasten-cel/k10-hourly-rpo/.kyverno-test/backup-export-policy.yaml
rename to kasten/k10-hourly-rpo/.kyverno-test/backup-export-policy.yaml
diff --git a/kasten-cel/k10-hourly-rpo/.kyverno-test/kyverno-test.yaml b/kasten/k10-hourly-rpo/.kyverno-test/kyverno-test.yaml
similarity index 100%
rename from kasten-cel/k10-hourly-rpo/.kyverno-test/kyverno-test.yaml
rename to kasten/k10-hourly-rpo/.kyverno-test/kyverno-test.yaml
diff --git a/kasten/k10-hourly-rpo/artifacthub-pkg.yml b/kasten/k10-hourly-rpo/artifacthub-pkg.yml
new file mode 100644
index 000000000..c16fb3023
--- /dev/null
+++ b/kasten/k10-hourly-rpo/artifacthub-pkg.yml
@@ -0,0 +1,22 @@
+name: k10-hourly-rpo
+version: 1.0.0
+displayName: Check Hourly RPO
+createdAt: "2023-04-10T20:12:53.000Z"
+description: >-
+ K10 Policy resources can be educated to adhere to common Recovery Point Objective (RPO) best practices. This policy is advising to use an RPO frequency that with hourly granularity if it has the appPriority: Mission Critical
+install: |-
+ ```shell
+ kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/kasten/k10-hourly-rpo/k10-hourly-rpo.yaml
+ ```
+keywords:
+ - kyverno
+ - Kasten K10 by Veeam
+readme: |
+ K10 Policy resources can be educated to adhere to common Recovery Point Objective (RPO) best practices. This policy is advising to use an RPO frequency that with hourly granularity if it has the appPriority: Mission Critical
+
+ Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/
+annotations:
+ kyverno/category: "Kasten K10 by Veeam"
+ kyverno/kubernetesVersion: "1.21-1.22"
+ kyverno/subject: "Policy"
+digest: 8be5a4f3ab8198e567ab442b59755c08bbb0ef72ff340a5c52821199c7ee80fa
diff --git a/kasten/k10-hourly-rpo/k10-hourly-rpo.yaml b/kasten/k10-hourly-rpo/k10-hourly-rpo.yaml
new file mode 100644
index 000000000..05515c682
--- /dev/null
+++ b/kasten/k10-hourly-rpo/k10-hourly-rpo.yaml
@@ -0,0 +1,32 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: k10-policy-hourly-rpo
+ annotations:
+ policies.kyverno.io/title: Check Hourly RPO
+ policies.kyverno.io/category: Kasten K10 by Veeam
+ kyverno.io/kyverno-version: 1.6.2
+ policies.kyverno.io/minversion: 1.6.2
+ kyverno.io/kubernetes-version: "1.21-1.22"
+ policies.kyverno.io/subject: Policy
+ policies.kyverno.io/description: >-
+ K10 Policy resources can be educated to adhere to common Recovery Point Objective (RPO) best practices.
+ This policy is advising to use an RPO frequency that with hourly granularity if it has the appPriority: Mission Critical
+spec:
+ validationFailureAction: audit
+ rules:
+ - name: k10-policy-hourly-rpo
+ match:
+ any:
+ - resources:
+ kinds:
+ - config.kio.kasten.io/v1alpha1/Policy
+ selector:
+ matchLabels:
+ appPriority: Mission-Critical
+ validate:
+ message: "Mission Critical RPO frequency should use no shorter than @hourly frequency"
+ pattern:
+ spec:
+ frequency: '@hourly' # In K10, this is checking Hourly at the action: backup level. By default, any action: export will use the action: backup frequency.
+
diff --git a/kasten/k10-immutable-location-profile/.kyverno-test/immutable-location-profile.yaml b/kasten/k10-immutable-location-profile/.kyverno-test/immutable-location-profile.yaml
new file mode 100644
index 000000000..642281873
--- /dev/null
+++ b/kasten/k10-immutable-location-profile/.kyverno-test/immutable-location-profile.yaml
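Review bot: The description annotation and the selector disagree on the label value: the text says `appPriority: Mission Critical` while the rule matches `appPriority: Mission-Critical`, and since a Kubernetes label value cannot contain a space the hyphenated form is the one that actually selects anything, so the description should read `... if it carries the label appPriority: Mission-Critical`. The same sentence is also garbled (`an RPO frequency that with hourly granularity`); `an RPO frequency with hourly granularity` is what was meant. The `validate.message` says `should use no shorter than @hourly frequency` while the pattern only accepts exactly `@hourly`, so the message over-promises a range check — `message: "Mission-Critical policies must use the @hourly frequency"` matches what the pattern enforces. The `artifacthub-pkg.yml` directly above repeats the same description text and should be corrected together with it.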
@@ -0,0 +1,367 @@
+# Standard Kubernetes API Version declaration. Required.
+apiVersion: config.kio.kasten.io/v1alpha1
+# Standard Kubernetes Kind declaration. Required.
+kind: Profile
+# Standard Kubernetes metadata. Required.
+metadata:
+  # Profile name. May be any valid Kubernetes object name. Required.
+  # Profile name is not mutable once created.
+  name: sample-location-profile
+  # Profile namespace. Required. Must be namespace where K10 is installed
+  namespace: kasten-io
+# Profile parameters. Required.
+spec:
+  # Type of Profile. Required
+  # Valid values are Location, Kanister, Infra
+  type: Location
+
+  # Only one of the profile type sections can be specified
+  # NOTE: camelCasing of the key is important
+  locationSpec:
+    # Credentials associated with profile location. Required.
+    credential:
+      # Type of secret being specified. Required.
+      # Valid values are:
+      # # AwsAccessKey (Amazon S3 and Generic S3)
+      # # GcpServiceAccountKey (Google Cloud Storage)
+      # # AzStorageAccount (Azure Storage)
+      # # VBRKey (Veeam Backup & Replication Storage)
+      secretType: AwsAccessKey
+      # Reference to K8s secret with credentials of secretType. Required.
+      secret:
+        # Standard Kubernetes API Version. Must be 'v1'. Required.
+        apiVersion: v1
+        # Standard Kubernetes Kind declaration. Must be 'secret'. Required.
+        kind: secret
+        # Secret name. May be any valid Kubernetes secret name. Required.
+        name: sample-profile-secret
+        # Secret namespace. Must be K10 installed namespace . Required.
+        namespace: kasten-io
+    # Location for profile data. Required.
+    location:
+      # Type of location being specified. Required.
+      # Valid values are ObjectStore, FileStore, VBR
+      locationType: ObjectStore
+      # When the type above is ObjectStore. Required.
+      # Only one of the location type sections can be specified
+      objectStore:
+        # Type of object store. Required
+        # Valid values are:
+        # # S3 (Amazon S3 and Generic S3)
+        # # GCS (Google Cloud Storage)
+        # # Azure (Azure Storage)
+        objectStoreType: S3
+        # The endpoint for object store API. Optional.
+        # Can be omitted unless an S3 compatible provider is used.
+        endpoint: ''
+        # If set to true, do not verify SSL cert. Optional.
+        # Default, when omitted, is false
+        skipSSLVerify: false
+        # Name of the object store bucket. Required
+        name: gmm-test
+        # Region valid for the object store provider.
+        # Required, if supported by provider.
+        # If provider does not support region, pass ""
+        region: us-east-2
+        # Path within bucket for profile artifacts. Optional.
+        # If not used, it will be generated by the system and
+        # updated during delayed initialization and validation.
+        # If used, it requires pathType below as well.
+        path: k10/q4ees3b2zilluaxw/migration
+        # Type of the path within the bucket above. Optional.
+        # Defaults to Directory if not specified.
+        pathType: Directory
+        # The protection period for immutable backups. Optional.
+        # Must be shorter than the bucket default retention
+        # period minus 20 days.
+        protectionPeriod: 2H
+      # When the type above is FileStore. Required.
+      # Only one of the location type sections can be specified
+      fileStore:
+        # Name of the Persistent Volume Claim. Required.
+        claimName: test-pvc
+        # Path within the PVC mount for profile artifacts. Optional.
+        # If not used, it will be generated by the system and
+        # updated during delayed initialization and validation.
+        path: k10/q4ees3b2zilluaxw/migration
+      # When the type above is VBR. Required.
+      # Only one of the location type sections can be specified
+      vbr:
+        # Address of the Veeam backup server. Required.
+        serverAddress: vbr-server
+        # VBR server RESTful API port number. Optional.
+        # Defaults to 9419 if not specified.
+        serverPort: 9419
+        # Name of the target Veeam cloud repository for backup files. Required.
+        repoName: k10-repo
+        # Identifier of the target Veeam cloud repository for backup files. Optional.
+        # Reserved field for internal use. Once the profile is created,
+        # this field will contain the ID of the repository specified in the repoName field.
+        repoId: 123e4567-e89b-12d3-a456-426614174000
+        # If set to true, do not verify SSL cert. Optional.
+        # Default, when omitted, is false.
+        skipSSLVerify: false
+        # Optional: Make export to this profile infra-portable.
+        # Default: false
+        infraPortable: false
+
+    # When type above is Kanister - Kanister profile. Required.
+    # Only one of the profile type sections can be specified
+    # K10 currently only uses the oldest valid Kanister profile
+    # NOTE: camelCasing of the key is important
+    kanister:
+      # Credentials associated with profile location. Required.
+      credential:
+        # same content as credential in location above
+      # Location for profile data. Required.
+      location:
+        # same content as location in location above
+
+    # When type above is Infra - Infrastructure profile. Required.
+    # Only one of the following profile type sections can be specified
+    # NOTE: camelCasing of the key is important
+    infra:
+      # type of Infrastructure profile. Required
+      # Valid values are OpenStack, Ceph, Portworx, VSphere, or GCP
+      type: OpenStack
+      # When type of this Infra profile above is OpenStack. Required.
+      # Only one of the following infra profiles can be specified
+      # NOTE: camelCasing of the key is important
+      openStack:
+        # Endpoint for the Keystone auth provider. Required
+        keystoneEndpoint: https://my-keystone-ip:1234
+
+      # When type of this Infra profile above is OpenStack. Required.
+      # Only one of the following infra profiles can be specified
+      # NOTE: camelCasing of the key is important
+      ceph:
+        # Endpoint for the Ceph monitor to be used. Required.
+        monitor: 10.0.0.10:6789
+        # Name of the Ceph pool associated with this profile. Required.
+        pool: my-ceph-pool
+      portworx:
+        # The namespace of the Portworx service.
+        namespace: kube-system
+        # The name of the Portworx service.
+        serviceName: portworx-service
+      vsphere:
+        # The vSphere endpoint
+        serverAddress: vsphere.server.com
+        # Enable vSphere snapshot tagging
+        taggingEnabled: true
+        # The Category Name, automatically set when tagging is enabled.
+        categoryName: exampleCategory
+      # Credentials associated with the infrastructure provider. Required.
+      credential:
+        # Type of secret being specified. Required.
+        # Valid values are:
+        # # OpenStackAccount (OpenStack storage provider)
+        # # CephKeyring (Ceph storage provider)
+        # # PortworxKey (Portworx storage provider)
+        # # VSphereKey (vSphere storage provider)
+        # # GcpServiceAccountKey (GCP/GCS storage provider)
+        secretType: OpenStackAccount
+        # Reference to K8s secret with credentials of secretType. Required.
+        secret:
+          # Same format as above
+          # #####################
+# Status of the Profile. Users should not set any data here.
+status:
+  # Validation status of the Profile
+  # Valid values are:
+  # # Pending - profile has been created
+  # # Running - undergoing initialization and validation
+  # # Success - successfully initialized and validated
+  # # Failed - not properly initialized on validated
+  # Only profiles which have status of Success should be used
+  validation: Success
+  # An array of any validation or initialization errors encountered.
+  error: null
+  # Hash of the spec portion of the profile.
+  # Used internally to determine when successfully validated profiles
+  # need to be reprocessed.
+  hash: 3369880242
+---
+# Standard Kubernetes API Version declaration. Required.
+apiVersion: config.kio.kasten.io/v1alpha1
+# Standard Kubernetes Kind declaration. Required.
+kind: Profile
+# Standard Kubernetes metadata. Required.
+metadata:
+  # Profile name. May be any valid Kubernetes object name. Required.
+  # Profile name is not mutable once created.
+  name: sample-location-profile-invalid
+  # Profile namespace. Required. Must be namespace where K10 is installed
+  namespace: kasten-io
+# Profile parameters. Required.
+spec:
+  # Type of Profile. Required
+  # Valid values are Location, Kanister, Infra
+  type: Location
+
+  # Only one of the profile type sections can be specified
+  # NOTE: camelCasing of the key is important
+  locationSpec:
+    # Credentials associated with profile location. Required.
+    credential:
+      # Type of secret being specified. Required.
+      # Valid values are:
+      # # AwsAccessKey (Amazon S3 and Generic S3)
+      # # GcpServiceAccountKey (Google Cloud Storage)
+      # # AzStorageAccount (Azure Storage)
+      # # VBRKey (Veeam Backup & Replication Storage)
+      secretType: AwsAccessKey
+      # Reference to K8s secret with credentials of secretType. Required.
+      secret:
+        # Standard Kubernetes API Version. Must be 'v1'. Required.
+        apiVersion: v1
+        # Standard Kubernetes Kind declaration. Must be 'secret'. Required.
+        kind: secret
+        # Secret name. May be any valid Kubernetes secret name. Required.
+        name: sample-profile-secret
+        # Secret namespace. Must be K10 installed namespace . Required.
+        namespace: kasten-io
+    # Location for profile data. Required.
+    location:
+      # Type of location being specified. Required.
+      # Valid values are ObjectStore, FileStore, VBR
+      locationType: ObjectStore
+      # When the type above is ObjectStore. Required.
+      # Only one of the location type sections can be specified
+      objectStore:
+        # Type of object store. Required
+        # Valid values are:
+        # # S3 (Amazon S3 and Generic S3)
+        # # GCS (Google Cloud Storage)
+        # # Azure (Azure Storage)
+        objectStoreType: S3
+        # The endpoint for object store API. Optional.
+        # Can be omitted unless an S3 compatible provider is used.
+        endpoint: ''
+        # If set to true, do not verify SSL cert. Optional.
+        # Default, when omitted, is false
+        skipSSLVerify: false
+        # Name of the object store bucket. Required
+        name: gmm-test
+        # Region valid for the object store provider.
+        # Required, if supported by provider.
+        # If provider does not support region, pass ""
+        region: us-east-2
+        # Path within bucket for profile artifacts. Optional.
+        # If not used, it will be generated by the system and
+        # updated during delayed initialization and validation.
+        # If used, it requires pathType below as well.
+        path: k10/q4ees3b2zilluaxw/migration
+        # Type of the path within the bucket above. Optional.
+        # Defaults to Directory if not specified.
+        pathType: Directory
+        # The protection period for immutable backups. Optional.
+        # Must be shorter than the bucket default retention
+        # period minus 20 days.
+        #protectionPeriod: 2H
+      # When the type above is FileStore. Required.
+      # Only one of the location type sections can be specified
+      fileStore:
+        # Name of the Persistent Volume Claim. Required.
+        claimName: test-pvc
+        # Path within the PVC mount for profile artifacts. Optional.
+        # If not used, it will be generated by the system and
+        # updated during delayed initialization and validation.
+        path: k10/q4ees3b2zilluaxw/migration
+      # When the type above is VBR. Required.
+      # Only one of the location type sections can be specified
+      vbr:
+        # Address of the Veeam backup server. Required.
+        serverAddress: vbr-server
+        # VBR server RESTful API port number. Optional.
+        # Defaults to 9419 if not specified.
+        serverPort: 9419
+        # Name of the target Veeam cloud repository for backup files. Required.
+        repoName: k10-repo
+        # Identifier of the target Veeam cloud repository for backup files. Optional.
+        # Reserved field for internal use. Once the profile is created,
+        # this field will contain the ID of the repository specified in the repoName field.
+        repoId: 123e4567-e89b-12d3-a456-426614174000
+        # If set to true, do not verify SSL cert. Optional.
+        # Default, when omitted, is false.
+        skipSSLVerify: false
+        # Optional: Make export to this profile infra-portable.
+        # Default: false
+        infraPortable: false
+
+    # When type above is Kanister - Kanister profile. Required.
+    # Only one of the profile type sections can be specified
+    # K10 currently only uses the oldest valid Kanister profile
+    # NOTE: camelCasing of the key is important
+    kanister:
+      # Credentials associated with profile location. Required.
+      credential:
+        # same content as credential in location above
+      # Location for profile data. Required.
+      location:
+        # same content as location in location above
+
+    # When type above is Infra - Infrastructure profile. Required.
+    # Only one of the following profile type sections can be specified
+    # NOTE: camelCasing of the key is important
+    infra:
+      # type of Infrastructure profile. Required
+      # Valid values are OpenStack, Ceph, Portworx, VSphere, or GCP
+      type: OpenStack
+      # When type of this Infra profile above is OpenStack. Required.
+      # Only one of the following infra profiles can be specified
+      # NOTE: camelCasing of the key is important
+      openStack:
+        # Endpoint for the Keystone auth provider. Required
+        keystoneEndpoint: https://my-keystone-ip:1234
+
+      # When type of this Infra profile above is OpenStack. Required.
+      # Only one of the following infra profiles can be specified
+      # NOTE: camelCasing of the key is important
+      ceph:
+        # Endpoint for the Ceph monitor to be used. Required.
+        monitor: 10.0.0.10:6789
+        # Name of the Ceph pool associated with this profile. Required.
+        pool: my-ceph-pool
+      portworx:
+        # The namespace of the Portworx service.
+        namespace: kube-system
+        # The name of the Portworx service.
+        serviceName: portworx-service
+      vsphere:
+        # The vSphere endpoint
+        serverAddress: vsphere.server.com
+        # Enable vSphere snapshot tagging
+        taggingEnabled: true
+        # The Category Name, automatically set when tagging is enabled.
+        categoryName: exampleCategory
+      # Credentials associated with the infrastructure provider. Required.
+      credential:
+        # Type of secret being specified. Required.
+        # Valid values are:
+        # # OpenStackAccount (OpenStack storage provider)
+        # # CephKeyring (Ceph storage provider)
+        # # PortworxKey (Portworx storage provider)
+        # # VSphereKey (vSphere storage provider)
+        # # GcpServiceAccountKey (GCP/GCS storage provider)
+        secretType: OpenStackAccount
+        # Reference to K8s secret with credentials of secretType. Required.
+        secret:
+          # Same format as above
+          # #####################
+# Status of the Profile. Users should not set any data here.
+status:
+  # Validation status of the Profile
+  # Valid values are:
+  # # Pending - profile has been created
+  # # Running - undergoing initialization and validation
+  # # Success - successfully initialized and validated
+  # # Failed - not properly initialized on validated
+  # Only profiles which have status of Success should be used
+  validation: Success
+  # An array of any validation or initialization errors encountered.
+  error: null
+  # Hash of the spec portion of the profile.
+  # Used internally to determine when successfully validated profiles
+  # need to be reprocessed.
+  hash: 3369880242
\ No newline at end of file
diff --git a/kasten/k10-immutable-location-profile/.kyverno-test/kyverno-test.yaml b/kasten/k10-immutable-location-profile/.kyverno-test/kyverno-test.yaml
new file mode 100644
index 000000000..727282086
--- /dev/null
+++ b/kasten/k10-immutable-location-profile/.kyverno-test/kyverno-test.yaml
@@ -0,0 +1,21 @@
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  name: kyverno_data_protection_tests
+policies:
+- ../k10-immutable-location-profile.yaml
+resources:
+- immutable-location-profile.yaml
+results:
+- kind: Profile
+  policy: k10-immutable-location-profile
+  resources:
+  - sample-location-profile-invalid
+  result: fail
+  rule: k10-immutable-location-profile
+- kind: Profile
+  policy: k10-immutable-location-profile
+  resources:
+  - sample-location-profile
+  result: pass
+  rule: k10-immutable-location-profile
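Review bot: In both Profile documents `kanister.credential:`, `kanister.location:` and `infra.credential.secret:` have nothing but comments beneath them, so each parses as `null` rather than the mapping the comment describes; the policy under test never reaches those keys, but `{}` (or dropping them) would make the fixture's intent explicit and avoid a confusing failure if a later rule does. Both documents also set `status:` (`validation: Success`, `hash: 3369880242`) although the comment above it says users should not set that data; it is harmless for the CLI test but this is the kind of sample people copy into real manifests. The negative document differs from the positive one only by commenting out `protectionPeriod`, so the test does not pin how FileStore, VBR, Kanister or Infra profiles are treated. The file has no trailing newline, as is also the case for ns.yaml, policy-ready.yaml and backup-export-policy.yaml in this diff.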
diff --git a/kasten/k10-immutable-location-profile/artifacthub-pkg.yml b/kasten/k10-immutable-location-profile/artifacthub-pkg.yml
new file mode 100644
index 000000000..03e24efee
--- /dev/null
+++ b/kasten/k10-immutable-location-profile/artifacthub-pkg.yml
@@ -0,0 +1,22 @@
+name: k10-immutable-location-profile
+version: 1.0.0
+displayName: Check Immutable Location Profile
+createdAt: "2023-04-10T20:12:53.000Z"
+description: >-
+  K10 Object Storage Location Profiles store K10 RestorePoints (App Backups) for import and export operations. AWS S3 or S3 compatible object storage that supports object lock can store immutable backups. Immutability is typically not enabled by default due to the increased costs of retaining storage. This policy checks that the Profile contains a 'protectionPeriod' which is the main configuration for immutability.
+install: |-
+  ```shell
+  kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/kasten/k10-immutable-location-profile/k10-immutable-location-profile.yaml
+  ```
+keywords:
+  - kyverno
+  - Kasten K10 by Veeam
+readme: |
+  K10 Object Storage Location Profiles store K10 RestorePoints (App Backups) for import and export operations. AWS S3 or S3 compatible object storage that supports object lock can store immutable backups. Immutability is typically not enabled by default due to the increased costs of retaining storage. This policy checks that the Profile contains a 'protectionPeriod' which is the main configuration for immutability.
+
+  Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/
+annotations:
+  kyverno/category: "Kasten K10 by Veeam"
+  kyverno/kubernetesVersion: "1.21-1.22"
+  kyverno/subject: "Profile"
+digest: f76aedc9c9e5b48c5148aad39e28a73cfe5cab2a378c9046be1ca1e3b4592ba2
diff --git a/kasten/k10-immutable-location-profile/k10-immutable-location-profile.yaml b/kasten/k10-immutable-location-profile/k10-immutable-location-profile.yaml
new file mode 100644
index 000000000..e3c027980
--- /dev/null
+++ b/kasten/k10-immutable-location-profile/k10-immutable-location-profile.yaml
@@ -0,0 +1,35 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: k10-immutable-location-profile
+  annotations:
+    policies.kyverno.io/title: Check Immutable Location Profile
+    policies.kyverno.io/category: Kasten K10 by Veeam
+    kyverno.io/kyverno-version: 1.6.2
+    policies.kyverno.io/minversion: 1.6.2
+    kyverno.io/kubernetes-version: "1.21-1.22"
+    policies.kyverno.io/subject: Profile
+    policies.kyverno.io/description: >-
+      K10 Object Storage Location Profiles store K10 RestorePoints (App Backups) for import and export operations.
+      AWS S3 or S3 compatible object storage that supports object lock can store immutable backups.
+      Immutability is typically not enabled by default due to the increased costs of retaining storage.
+      This policy checks that the Profile contains a 'protectionPeriod' which is the main configuration for immutability.
+spec:
+  validationFailureAction: audit
+  rules:
+  - name: k10-immutable-location-profile
+    match:
+      any:
+      - resources:
+          kinds:
+          - config.kio.kasten.io/v1alpha1/Profile
+    validate:
+      message: "Location Profile is not immutable (err: did not configure 'protectionPeriod')"
+      pattern:
+        spec:
+          type: Location
+          locationSpec:
+            location:
+              locationType: ObjectStore
+              objectStore:
+                protectionPeriod: "?*" # any value determines immutability is enabled
diff --git a/kasten/kasten-minimum-retention/.chainsaw-test/README.md b/kasten/k10-minimum-retention/.chainsaw-test/README.md
similarity index 100%
rename from kasten/kasten-minimum-retention/.chainsaw-test/README.md
rename to kasten/k10-minimum-retention/.chainsaw-test/README.md
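Review bot: `type: Location` and `locationType: ObjectStore` are plain pattern fields, so a Profile whose `spec.type` is Kanister or Infra, or whose `locationType` is FileStore or VBR, fails this rule with `Location Profile is not immutable` even though none of them can carry `objectStore.protectionPeriod`. If only object-store location profiles are meant to be checked, turn the two fields into conditional anchors, `(type): Location` and `(locationType): ObjectStore`, so Kyverno skips the rest of the pattern when they do not match instead of reporting a failure. Whichever behaviour is intended, the .kyverno-test in this diff only covers the missing-`protectionPeriod` case; a FileStore or Kanister Profile with the expected `skip`/`fail` result would pin it. `validationFailureAction: audit` means non-compliant profiles are only reported, which is reasonable for a cost-bearing setting like immutability, but the description could say so.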
diff --git a/kasten/kasten-minimum-retention/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/kasten/k10-minimum-retention/.chainsaw-test/chainsaw-step-01-assert-1.yaml
similarity index 100%
rename from kasten/kasten-minimum-retention/.chainsaw-test/chainsaw-step-01-assert-1.yaml
rename to kasten/k10-minimum-retention/.chainsaw-test/chainsaw-step-01-assert-1.yaml
diff --git a/kasten/k10-minimum-retention/.chainsaw-test/chainsaw-test.yaml b/kasten/k10-minimum-retention/.chainsaw-test/chainsaw-test.yaml
new file mode 100755
index 000000000..1be440945
--- /dev/null
+++ b/kasten/k10-minimum-retention/.chainsaw-test/chainsaw-test.yaml
@@ -0,0 +1,25 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  creationTimestamp: null
+  name: k10-minimum-retention
+spec:
+  steps:
+  - name: step-01
+    try:
+    - assert:
+        file: chainsaw-step-01-assert-1.yaml
+  - name: step-02
+    try:
+    - apply:
+        file: ns.yaml
+    - apply:
+        file: ../k10-minimum-retention.yaml
+    - assert:
+        file: policy-ready.yaml
+  - name: step-03
+    try:
+    - apply:
+        file: kuttlresource.yaml
+    - assert:
+        file: resource-mutated.yaml
diff --git a/kasten/kasten-minimum-retention/.chainsaw-test/kuttlresource.yaml b/kasten/k10-minimum-retention/.chainsaw-test/kuttlresource.yaml
similarity index 95%
rename from kasten/kasten-minimum-retention/.chainsaw-test/kuttlresource.yaml
rename to kasten/k10-minimum-retention/.chainsaw-test/kuttlresource.yaml
index 7bb8254fc..9f139aaba 100644
--- a/kasten/kasten-minimum-retention/.chainsaw-test/kuttlresource.yaml
+++ b/kasten/k10-minimum-retention/.chainsaw-test/kuttlresource.yaml
@@ -2,7 +2,7 @@ apiVersion: config.kio.kasten.io/v1alpha1
 kind: Policy
 metadata:
   name: hourly-policy
-  namespace: kasten-minimum-retention
+  namespace: k10-minimum-retention
   labels:
     appPriority: Mission-Critical
 spec:
diff --git a/kasten/k10-minimum-retention/.chainsaw-test/ns.yaml b/kasten/k10-minimum-retention/.chainsaw-test/ns.yaml
new file mode 100644
index 000000000..6ff7e7310
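Review bot: step-01 asserts `chainsaw-step-01-assert-1.yaml` before step-02 applies `../k10-minimum-retention.yaml`, so whatever that renamed file (not shown here) asserts has to hold on a clean cluster; if it asserts the ClusterPolicy the way `policy-ready.yaml` does, the test cannot pass on a first run and the assert belongs after the apply in step-02. If it is instead a precondition check, a one-line comment such as `# pre-flight: verify cluster state before installing the policy` above the step would stop the next reader from asking the same question.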
--- /dev/null
+++ b/kasten/k10-minimum-retention/.chainsaw-test/ns.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: k10-minimum-retention
\ No newline at end of file
diff --git a/kasten/k10-minimum-retention/.chainsaw-test/policy-ready.yaml b/kasten/k10-minimum-retention/.chainsaw-test/policy-ready.yaml
new file mode 100644
index 000000000..99fd5a77e
--- /dev/null
+++ b/kasten/k10-minimum-retention/.chainsaw-test/policy-ready.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: k10-minimum-retention
+status:
+  conditions:
+  - reason: Succeeded
+    status: "True"
+    type: Ready
\ No newline at end of file
diff --git a/kasten/kasten-minimum-retention/.chainsaw-test/resource-mutated.yaml b/kasten/k10-minimum-retention/.chainsaw-test/resource-mutated.yaml
similarity index 95%
rename from kasten/kasten-minimum-retention/.chainsaw-test/resource-mutated.yaml
rename to kasten/k10-minimum-retention/.chainsaw-test/resource-mutated.yaml
index 569de9cf8..171754953 100644
--- a/kasten/kasten-minimum-retention/.chainsaw-test/resource-mutated.yaml
+++ b/kasten/k10-minimum-retention/.chainsaw-test/resource-mutated.yaml
@@ -5,7 +5,7 @@ metadata:
   labels:
     appPriority: Mission-Critical
   name: hourly-policy
-  namespace: kasten-minimum-retention
+  namespace: k10-minimum-retention
 spec:
   actions:
   - action: backup
diff --git a/kasten/k10-minimum-retention/.kyverno-test/backup-export-policy.yaml b/kasten/k10-minimum-retention/.kyverno-test/backup-export-policy.yaml
new file mode 100644
index 000000000..6abb9a37f
--- /dev/null
+++ b/kasten/k10-minimum-retention/.kyverno-test/backup-export-policy.yaml
@@ -0,0 +1,36 @@
+# An example compliant K10 Policy
+apiVersion: config.kio.kasten.io/v1alpha1
+kind: Policy
+metadata:
+  name: hourly-policy
+  namespace: kasten-io
+  labels:
+    appPriority: Mission-Critical
+spec:
+  comment: My sample custom backup policy
+  frequency: '@hourly' # change this to @daily to test the 'audit_mission_critical_RPO' policy
+  subFrequency:
+    minutes: [30]
+    hours: [22,7]
+    weekdays: [5]
+    days: [15]
+  retention:
+    daily: 14
+    weekly: 4
+    monthly: 6
+  actions:
+  - action: backup
+  - action: export # comment this line out to test 'enforce_3-2-1' policy
+    exportParameters:
+      frequency: '@monthly'
+      profile:
+        name: my-profile
+        namespace: kasten-io
+      exportData:
+        enabled: true
+      retention:
+        monthly: 12
+        yearly: 5
+  selector:
+    matchLabels:
+      k10.kasten.io/appNamespace: sampleApp
\ No newline at end of file
diff --git a/kasten/k10-minimum-retention/.kyverno-test/kyverno-test.yaml b/kasten/k10-minimum-retention/.kyverno-test/kyverno-test.yaml
new file mode 100644
index 000000000..c6b85cb42
--- /dev/null
+++ b/kasten/k10-minimum-retention/.kyverno-test/kyverno-test.yaml
@@ -0,0 +1,16 @@
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  name: kyverno_data_protection_tests
+policies:
+- ../k10-minimum-retention.yaml
+resources:
+- backup-export-policy.yaml
+results:
+- kind: Policy
+  patchedResource: patched.yaml
+  policy: k10-minimum-retention
+  resources:
+  - hourly-policy
+  result: pass
+  rule: k10-minimum-retention
diff --git a/kasten/kasten-minimum-retention/.kyverno-test/patched.yaml b/kasten/k10-minimum-retention/.kyverno-test/patched.yaml
similarity index 100%
rename from kasten/kasten-minimum-retention/.kyverno-test/patched.yaml
rename to kasten/k10-minimum-retention/.kyverno-test/patched.yaml
diff --git a/kasten/k10-minimum-retention/artifacthub-pkg.yml b/kasten/k10-minimum-retention/artifacthub-pkg.yml
new file mode 100644
index 000000000..de205e415
--- /dev/null
+++ b/kasten/k10-minimum-retention/artifacthub-pkg.yml
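Review bot: The inline comments on `frequency` and on the `export` action refer to policies named `'audit_mission_critical_RPO'` and `'enforce_3-2-1'`, which match none of the policy names introduced in this diff (`k10-policy-hourly-rpo`, `k10-minimum-retention`, `k10-immutable-location-profile`), so they are stale and point the next editor at the wrong tests; rename them to the current policy names or drop them. `hours: [22,7]` is the only flow sequence in the file without a space after the comma. The file ends without a newline.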
@@ -0,0 +1,22 @@
+name: k10-minimum-retention
+version: 1.0.0
+displayName: Minimum Backup Retention
+createdAt: "2023-04-10T20:12:53.000Z"
+description: >-
+  K10 Policy resources can be validated to adhere to common compliance retention standards. Uncomment the regulation/compliance standards you want to enforce for according to GFS retention. This policy deletes the retention value in the backup operation and replaces it with the specified retention. Note: K10 Policy uses the GFS retention scheme and export operations default to use the retention of the backup operation. To use different This policy can also be used go reduce retentions lengths to enforce cost optimization.
+install: |-
+  ```shell
+  kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/kasten/k10-minimum-retention/k10-minimum-retention.yaml
+  ```
+keywords:
+  - kyverno
+  - Kasten K10 by Veeam
+readme: |
+  K10 Policy resources can be validated to adhere to common compliance retention standards. Uncomment the regulation/compliance standards you want to enforce for according to GFS retention. This policy deletes the retention value in the backup operation and replaces it with the specified retention. Note: K10 Policy uses the GFS retention scheme and export operations default to use the retention of the backup operation. To use different This policy can also be used go reduce retentions lengths to enforce cost optimization.
+
+  Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/
+annotations:
+  kyverno/category: "Kasten K10 by Veeam"
+  kyverno/kubernetesVersion: "1.21-1.22"
+  kyverno/subject: "Policy"
+digest: f7d09195f6c8982f0075c866b0480626a3fbf4fd352130ae0a1be86abb79c2b7
diff --git a/kasten/k10-minimum-retention/k10-minimum-retention.yaml b/kasten/k10-minimum-retention/k10-minimum-retention.yaml
new file mode 100644
index 000000000..a7535c298
--- /dev/null
+++ b/kasten/k10-minimum-retention/k10-minimum-retention.yaml 
@@ -0,0 +1,73 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: k10-minimum-retention
+  annotations:
+    policies.kyverno.io/title: Minimum Backup Retention
+    policies.kyverno.io/category: Kasten K10 by Veeam
+    kyverno.io/kyverno-version: 1.6.2
+    policies.kyverno.io/minversion: 1.6.2
+    kyverno.io/kubernetes-version: "1.21-1.22"
+    policies.kyverno.io/subject: Policy
+    policies.kyverno.io/description: >-
+      K10 Policy resources can be validated to adhere to common compliance retention standards.
+      Uncomment the regulation/compliance standards you want to enforce for according to GFS retention.
+      This policy deletes the retention value in the backup operation and replaces it with the specified retention.
+      Note: K10 Policy uses the GFS retention scheme and export operations default to use the retention of the backup operation.
+      To use different
+      This policy can also be used go reduce retentions lengths to enforce cost optimization.
+spec:
+  schemaValidation: false
+  rules:
+  - name: k10-minimum-retention
+    match:
+      any:
+      - resources:
+          kinds:
+          - config.kio.kasten.io/v1alpha1/Policy
+    mutate:
+      # Federal Information Security Management Act (FISMA): 3 Years
+      #patchesJson6902: |-
+      #  - path: "/spec/retention"
+      #    op: replace
+      #    value: {"hourly":24,"daily":30,"weekly":4,"monthly":12,"yearly":3}
+
+      # Health Insurance Portability and Accountability Act (HIPAA): 6 Years
+      #patchesJson6902: |-
+      #  - path: "/spec/retention"
+      #    op: replace
+      #    value: {"hourly":24,"daily":30,"weekly":4,"monthly":12,"yearly":6}
+
+      # National Energy Commission (NERC): 3 to 6 Years
+      #patchesJson6902: |-
+      #  - path: "/spec/retention"
+      #    op: replace
+      #    value: {"hourly":24,"daily":30,"weekly":4,"monthly":12,"yearly":3}
+
+      # Basel II Capital Accord: 3 to 7 Years
+      #patchesJson6902: |-
+      #  - path: "/spec/retention"
+      #    op: replace
+      #    value: {"hourly":24,"daily":30,"weekly":4,"monthly":12,"yearly":3}
+
+      # Sarbanes-Oxley Act of 2002 (SOX): 7 Years
+      #patchesJson6902: |-
+      #  - path: "/spec/retention"
+      #    op: replace
+      #    value: {"hourly":24,"daily":30,"weekly":4,"monthly":12,"yearly":7}
+
+      # National Industrial Security Program Operating Manual (NISPOM): 6 to 12 Months
+      #patchesJson6902: |-
+      #  - path: "/spec/retention"
+      #    op: replace
+      #    value: {"hourly":24,"daily":30,"weekly":4,"monthly":6}
+
+      # Cost Optimization (Maximum Retention: 3 Months)
+      patchesJson6902: |-
+        - path: "/spec/retention"
+          op: replace
+          value:
+            hourly: 24
+            daily: 30
+            weekly: 4
+            monthly: 3
diff --git a/kasten/k10-validate-ns-by-preset-label/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/kasten/k10-validate-ns-by-preset-label/.chainsaw-test/chainsaw-step-01-assert-1.yaml
new file mode 100755
index 000000000..27e86f51b
--- /dev/null
+++ b/kasten/k10-validate-ns-by-preset-label/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -0,0 +1,6 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: k10-validate-ns-by-preset-label
+status:
+  ready: true
diff --git a/kasten/kasten-validate-ns-by-preset-label/.chainsaw-test/chainsaw-step-01-assert-2.yaml b/kasten/k10-validate-ns-by-preset-label/.chainsaw-test/chainsaw-step-01-assert-2.yaml
similarity index 100%
rename from kasten/kasten-validate-ns-by-preset-label/.chainsaw-test/chainsaw-step-01-assert-2.yaml
rename to kasten/k10-validate-ns-by-preset-label/.chainsaw-test/chainsaw-step-01-assert-2.yaml
diff --git a/kasten/k10-validate-ns-by-preset-label/.chainsaw-test/chainsaw-test.yaml b/kasten/k10-validate-ns-by-preset-label/.chainsaw-test/chainsaw-test.yaml
new file mode 100755
index 000000000..6646694e3
--- /dev/null
+++ b/kasten/k10-validate-ns-by-preset-label/.chainsaw-test/chainsaw-test.yaml
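Review bot: The only uncommented patch replaces `/spec/retention` with the Cost Optimization preset (`hourly: 24`, `daily: 30`, `weekly: 4`, `monthly: 3`, no `yearly`), so applying this ClusterPolicy as shipped shortens retention on every K10 Policy in the cluster, the opposite of what the title `Minimum Backup Retention` suggests, and the `match` has no label selector to bound that, unlike the `matchLabels` used by k10-policy-hourly-rpo in this diff. Consider shipping with a compliance preset active or adding a selector, and stating in the description that the patch overwrites rather than raises retention. JSON Patch `op: replace` also requires `/spec/retention` to already exist on the target; `op: add` sets or overwrites the member either way. The description sentence `To use different` is cut off mid-thought, and the same text is repeated in the artifacthub-pkg.yml description above.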
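Review bot: This readiness assert checks `status.ready: true`, while `policy-ready.yaml` for k10-minimum-retention in the same diff asserts `status.conditions` with `type: Ready` and `status: "True"`; the two tests should rely on the same readiness signal so they do not diverge if one field changes. Reusing the conditions form here, `conditions:` / `- type: Ready` / `status: "True"`, keeps them aligned.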
@@ -0,0 +1,32 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: k10-validate-ns-by-preset-label
+spec:
+ steps:
+ - name: step-01
+ try:
+ - script:
+ content: |
+ sed 's/validationFailureAction: Audit/validationFailureAction: Enforce/' ../k10-validate-ns-by-preset-label.yaml | kubectl create -f -
+ - assert:
+ file: chainsaw-step-01-assert-1.yaml
+ - assert:
+ file: chainsaw-step-01-assert-2.yaml
+ - name: step-02
+ try:
+ - apply:
+ file: ns-good.yaml
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: ns-bad.yaml
+ - name: step-99
+ try:
+ - delete:
+ ref:
+ apiVersion: kyverno.io/v1
+ kind: ClusterPolicy
+ name: k10-validate-ns-by-preset-label
diff --git a/kasten-cel/k10-validate-ns-by-preset-label/.chainsaw-test/ns-bad.yaml b/kasten/k10-validate-ns-by-preset-label/.chainsaw-test/ns-bad.yaml
similarity index 100%
rename from kasten-cel/k10-validate-ns-by-preset-label/.chainsaw-test/ns-bad.yaml
rename to kasten/k10-validate-ns-by-preset-label/.chainsaw-test/ns-bad.yaml
diff --git a/kasten-cel/k10-validate-ns-by-preset-label/.chainsaw-test/ns-good.yaml b/kasten/k10-validate-ns-by-preset-label/.chainsaw-test/ns-good.yaml
similarity index 100%
rename from kasten-cel/k10-validate-ns-by-preset-label/.chainsaw-test/ns-good.yaml
rename to kasten/k10-validate-ns-by-preset-label/.chainsaw-test/ns-good.yaml
diff --git a/kasten-cel/k10-validate-ns-by-preset-label/.kyverno-test/kyverno-test.yaml b/kasten/k10-validate-ns-by-preset-label/.kyverno-test/kyverno-test.yaml
similarity index 100%
rename from kasten-cel/k10-validate-ns-by-preset-label/.kyverno-test/kyverno-test.yaml
rename to kasten/k10-validate-ns-by-preset-label/.kyverno-test/kyverno-test.yaml
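Review bot: step-01 switches the policy to Enforce with `sed ... | kubectl create -f -` inside a `script` step, which depends on the exact spelling of `validationFailureAction: Audit` in the policy file and creates a resource chainsaw does not track (hence the manual step-99 delete); the other chainsaw tests in this tree, including the ones removed in this same commit, use an `apply` of the policy file followed by a `patch` step that sets `spec.validationFailureAction: Enforce`, which chainsaw cleans up on its own. Adopting that pattern here would keep the tests uniform and let step-99 be dropped. The namespaces created by ns-good.yaml in step-02 have no explicit cleanup either; presumably chainsaw's automatic cleanup covers them since they are applied through `apply`, but that is worth confirming.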
diff --git a/kasten-cel/k10-validate-ns-by-preset-label/.kyverno-test/test-resource.yaml b/kasten/k10-validate-ns-by-preset-label/.kyverno-test/test-resource.yaml
similarity index 100%
rename from kasten-cel/k10-validate-ns-by-preset-label/.kyverno-test/test-resource.yaml
rename to kasten/k10-validate-ns-by-preset-label/.kyverno-test/test-resource.yaml
diff --git a/kasten/k10-validate-ns-by-preset-label/artifacthub-pkg.yml b/kasten/k10-validate-ns-by-preset-label/artifacthub-pkg.yml
new file mode 100644
index 000000000..974e820f5
--- /dev/null
+++ b/kasten/k10-validate-ns-by-preset-label/artifacthub-pkg.yml
@@ -0,0 +1,22 @@
+name: k10-validate-ns-by-preset-label
+version: 1.0.0
+displayName: Validate Data Protection by Preset Label
+createdAt: "2023-04-10T20:12:53.000Z"
+description: >-
+ Kubernetes applications are typically deployed into a single, logical namespace. Kasten K10 policies will discover and protect all resources within the selected namespace(s). This policy ensures all new namespaces include a label referencing a valid K10 SLA (Policy Preset) for data protection. This policy can be used in combination with generate ClusterPolicy to automatically create a K10 policy based on the specified SLA. The combination ensures that new applications are not inadvertently left unprotected.
+install: |-
+ ```shell
+ kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/kasten/k10-validate-ns-by-preset-label/k10-validate-ns-by-preset-label.yaml
+ ```
+keywords:
+ - kyverno
+ - Kasten K10 by Veeam
+readme: |
+ Kubernetes applications are typically deployed into a single, logical namespace. Kasten K10 policies will discover and protect all resources within the selected namespace(s). This policy ensures all new namespaces include a label referencing a valid K10 SLA (Policy Preset) for data protection. This policy can be used in combination with generate ClusterPolicy to automatically create a K10 policy based on the specified SLA. The combination ensures that new applications are not inadvertently left unprotected.
+
+ Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/
+annotations:
+ kyverno/category: "Kasten K10 by Veeam"
+ kyverno/kubernetesVersion: "1.23"
+ kyverno/subject: "Namespace"
+digest: 0c7cc8aa1bf25584958af7ff3fedfa8cae398b7cde007ea73cf0a7653447e454
diff --git a/kasten/k10-validate-ns-by-preset-label/k10-validate-ns-by-preset-label.yaml b/kasten/k10-validate-ns-by-preset-label/k10-validate-ns-by-preset-label.yaml
new file mode 100644
index 000000000..5cb0e82b1
--- /dev/null
+++ b/kasten/k10-validate-ns-by-preset-label/k10-validate-ns-by-preset-label.yaml
@@ -0,0 +1,40 @@
+#NOTE: This example assumes that K10 policy presets named "gold", "silver", and "bronze" have been pre-created and K10 was deployed into the `kasten-io` namespace.
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: k10-validate-ns-by-preset-label
+ annotations:
+ policies.kyverno.io/title: Validate Data Protection by Preset Label
+ policies.kyverno.io/category: Kasten K10 by Veeam
+ policies.kyverno.io/subject: Namespace
+ kyverno.io/kyverno-version: 1.9.0
+ policies.kyverno.io/minversion: 1.9.0
+ kyverno.io/kubernetes-version: "1.23"
+ policies.kyverno.io/description: >-
+ Kubernetes applications are typically deployed into a single, logical namespace.
+ Kasten K10 policies will discover and protect all resources within the selected namespace(s).
+ This policy ensures all new namespaces include a label referencing a valid K10 SLA
+ (Policy Preset) for data protection.This policy can be used in combination with generate
+ ClusterPolicy to automatically create a K10 policy based on the specified SLA.
+ The combination ensures that new applications are not inadvertently left unprotected.
+spec:
+ validationFailureAction: Audit
+ rules:
+ - name: k10-validate-ns-by-preset-label
+ match:
+ any:
+ - resources:
+ kinds:
+ - Namespace
+ validate:
+ message: >-
+ Namespaces must specify a "dataprotection" label with a value corresponding to a Kasten K10 SLA:
+
+ "gold" -
+ "silver" -
+ "bronze" -
+ "none" - No local snapshots or backups
+ pattern:
+ metadata:
+ labels:
+ dataprotection: gold|silver|bronze|none
\ No newline at end of file
diff --git a/kasten/kasten-3-2-1-backup/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/kasten/kasten-3-2-1-backup/.chainsaw-test/chainsaw-step-01-assert-1.yaml
deleted file mode 100755
index e553bb9cd..000000000
--- a/kasten/kasten-3-2-1-backup/.chainsaw-test/chainsaw-step-01-assert-1.yaml
+++ /dev/null
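Review bot: The validate message lists `"gold" -`, `"silver" -` and `"bronze" -` with nothing after the dash, so the text a user sees when a Namespace is rejected is incomplete; either describe each preset after the dash, as the `"none"` line does, or drop the dashes. The header NOTE says the presets must be pre-created and K10 deployed in the `kasten-io` namespace, but the rule only checks that the label value matches the literal `gold|silver|bronze|none` pattern and never looks up a preset, so the NOTE overstates what is verified; a line such as `# The rule validates the label value only; it does not confirm that a matching K10 policy preset exists.` would set expectations for operators. The description annotation also runs two sentences together in `data protection.This policy`.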
@@ -1,9 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
- name: kasten-3-2-1-backup-policy
-status:
- conditions:
- - reason: Succeeded
- status: "True"
- type: Ready
diff --git a/kasten/kasten-3-2-1-backup/.chainsaw-test/chainsaw-test.yaml b/kasten/kasten-3-2-1-backup/.chainsaw-test/chainsaw-test.yaml
deleted file mode 100755
index 3e4059a14..000000000
--- a/kasten/kasten-3-2-1-backup/.chainsaw-test/chainsaw-test.yaml
+++ /dev/null
@@ -1,33 +0,0 @@
-# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
-apiVersion: chainsaw.kyverno.io/v1alpha1
-kind: Test
-metadata:
- creationTimestamp: null
- name: kasten-3-2-1-backup
-spec:
- steps:
- - name: step-01
- try:
- - apply:
- file: ../kasten-3-2-1-backup.yaml
- - patch:
- resource:
- apiVersion: kyverno.io/v1
- kind: ClusterPolicy
- metadata:
- name: kasten-3-2-1-backup-policy
- spec:
- validationFailureAction: Enforce
- - assert:
- file: chainsaw-step-01-assert-1.yaml
- - assert:
- file: chainsaw-step-01-assert-2.yaml
- - name: step-02
- try:
- - apply:
- file: k10-good-policy.yaml
- - apply:
- expect:
- - check:
- ($error != null): true
- file: k10-bad-policy.yaml
diff --git a/kasten/kasten-3-2-1-backup/.kyverno-test/kyverno-test.yaml b/kasten/kasten-3-2-1-backup/.kyverno-test/kyverno-test.yaml
deleted file mode 100644
index 65fdb0a26..000000000
--- a/kasten/kasten-3-2-1-backup/.kyverno-test/kyverno-test.yaml
+++ /dev/null
@@ -1,21 +0,0 @@
-apiVersion: cli.kyverno.io/v1alpha1
-kind: Test
-metadata:
- name: kyverno_data_protection_tests
-policies:
-- ../kasten-3-2-1-backup.yaml
-resources:
-- kasten-backup-policy.yaml
-results:
-- kind: Policy
- policy: kasten-3-2-1-backup-policy
- resources:
- - sample-custom-backup-policy-invalid
- result: fail
- rule: kasten-3-2-1-backup-policy
-- kind: Policy
- policy: kasten-3-2-1-backup-policy
- resources:
- - sample-custom-backup-policy
- result: pass
- rule: kasten-3-2-1-backup-policy
diff --git a/kasten/kasten-3-2-1-backup/artifacthub-pkg.yml b/kasten/kasten-3-2-1-backup/artifacthub-pkg.yml
deleted file mode 100644
index 7e939214b..000000000
--- a/kasten/kasten-3-2-1-backup/artifacthub-pkg.yml
+++ /dev/null
@@ -1,25 +0,0 @@
-name: kasten-3-2-1-backup
-version: 1.0.1
-displayName: Check Kasten 3-2-1 Backup Policy
-createdAt: "2023-05-07T00:00:00.000Z"
-description: >-
- The 3-2-1 rule of data protection recommends that you have at least 3 copies of data, on 2 different storage targets, with 1 being offsite. This approach ensures a health mix of redundancy options for data recovery of the application for localized & multi-region cloud failures or compromise. In Kubernetes, this translates to the original running resources, a local snapshot, and a copy of all application resources and volume data exported to an external repository.
- This policy accomplishes 3-2-1 validation by ensuring each policy contains both 'action: backup' and 'action: export'.
-install: |-
- ```shell
- kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/kasten/kasten-3-2-1-backup/kasten-3-2-1-backup.yaml
- ```
-keywords:
- - kyverno
- - Veeam Kasten
-readme: |
- The 3-2-1 rule of data protection recommends that you have at least 3 copies of data, on 2 different storage targets, with 1 being offsite. This approach ensures a health mix of redundancy options for data recovery of the application for localized & multi-region cloud failures or compromise. In Kubernetes, this translates to the original running resources, a local snapshot, and a copy of all application resources and volume data exported to an external repository.
-
- This policy accomplishes 3-2-1 validation by ensuring each policy contains both 'action: backup' and 'action: export'.
-
- Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/
-annotations:
- kyverno/category: "Veeam Kasten"
- kyverno/kubernetesVersion: "1.24-1.30"
- kyverno/subject: "Policy"
-digest: ae3f8af7d3708b5bcbc4e0a5fb368f5100441a85923dad8f096b367f279462a4
diff --git a/kasten/kasten-3-2-1-backup/kasten-3-2-1-backup.yaml b/kasten/kasten-3-2-1-backup/kasten-3-2-1-backup.yaml
deleted file mode 100644
index 6dcb48468..000000000
--- a/kasten/kasten-3-2-1-backup/kasten-3-2-1-backup.yaml
+++ /dev/null
@@ -1,39 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
- name: kasten-3-2-1-backup-policy
- annotations:
- policies.kyverno.io/title: Check Kasten 3-2-1 Backup Policy
- policies.kyverno.io/category: Veeam Kasten
- policies.kyverno.io/severity: medium
- kyverno.io/kyverno-version: 1.12.1
- policies.kyverno.io/minversion: 1.12.0
- kyverno.io/kubernetes-version: "1.24-1.30"
- policies.kyverno.io/subject: Policy
- policies.kyverno.io/description: >-
- The 3-2-1 rule of data protection recommends that you have at least 3 copies of data, on 2 different storage targets, with 1 being offsite. This approach ensures a health mix of redundancy options for data recovery of the application for localized & multi-region cloud failures or compromise. In Kubernetes, this translates to the original running resources, a local snapshot, and a copy of all application resources and volume data exported to an external repository.
- This policy accomplishes 3-2-1 validation by ensuring each policy contains both 'action: backup' and 'action: export'.
-spec:
- validationFailureAction: Audit
- rules:
- - name: kasten-3-2-1-backup-policy
- match:
- any:
- - resources:
- kinds:
- - config.kio.kasten.io/v1alpha1/Policy
- exclude:
- any:
- - resources:
- operations:
- - DELETE
- validate:
- message: "The Kasten 3-2-1 policy requires both 'action: backup' and 'action: export' be defined in the Policy."
- deny:
- conditions:
- all:
- - key:
- - backup
- - export
- operator: AnyNotIn
- value: "{{ request.object.spec.actions[].action }}"
diff --git a/kasten/kasten-data-protection-by-label/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/kasten/kasten-data-protection-by-label/.chainsaw-test/chainsaw-step-01-assert-1.yaml
deleted file mode 100755
index c77a33a63..000000000
--- a/kasten/kasten-data-protection-by-label/.chainsaw-test/chainsaw-step-01-assert-1.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
- name: kasten-data-protection-by-label
-status:
- conditions:
- - reason: Succeeded
- status: "True"
- type: Ready
diff --git a/kasten/kasten-data-protection-by-label/.chainsaw-test/chainsaw-test.yaml b/kasten/kasten-data-protection-by-label/.chainsaw-test/chainsaw-test.yaml
deleted file mode 100755
index ce89f5974..000000000
--- a/kasten/kasten-data-protection-by-label/.chainsaw-test/chainsaw-test.yaml
+++ /dev/null
@@ -1,60 +0,0 @@
-# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
-apiVersion: chainsaw.kyverno.io/v1alpha1
-kind: Test
-metadata:
- creationTimestamp: null
- name: kasten-data-protection-by-label
-spec:
- steps:
- - name: step-01
- try:
- - apply:
- file: ../kasten-data-protection-by-label.yaml
- - patch:
- resource:
- apiVersion: kyverno.io/v1
- kind: ClusterPolicy
- metadata:
- name: kasten-data-protection-by-label
- spec:
- validationFailureAction: Enforce
- - assert:
- file: chainsaw-step-01-assert-1.yaml
- - assert:
- file: chainsaw-step-01-assert-2.yaml
- - name: step-02
- try:
- - apply:
- file: ns.yaml
- - apply:
- file: deployment-good.yaml
- - apply:
- file: ss-good.yaml
- - apply:
- expect:
- - check:
- ($error != null): true
- file: deployment-bad-badlabel.yaml
- - apply:
- expect:
- - check:
- ($error != null): true
- file: deployment-bad-nolabel.yaml
- - apply:
- expect:
- - check:
- ($error != null): true
- file: ss-bad-badlabel.yaml
- - apply:
- expect:
- - check:
- ($error != null): true
- file: ss-bad-nolabel.yaml
- - name: step-98
- try:
- - script:
- content: kubectl delete deployments --all --force --grace-period=0 -n k10-dplabel-ns
- - script:
- content: kubectl delete statefulsets --all --force --grace-period=0 -n k10-dplabel-ns
- - script:
- content: kubectl delete pods --all --force --grace-period=0 -n k10-dplabel-ns
diff --git a/kasten/kasten-data-protection-by-label/.chainsaw-test/deployment-bad-badlabel.yaml b/kasten/kasten-data-protection-by-label/.chainsaw-test/deployment-bad-badlabel.yaml
deleted file mode 100644
index 36bd362a8..000000000
--- a/kasten/kasten-data-protection-by-label/.chainsaw-test/deployment-bad-badlabel.yaml
+++ /dev/null
@@ -1,24 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: baddeploy02
- labels:
- app: busybox
- purpose: production
- dataprotection: foo-bar
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: busybox
- template:
- metadata:
- labels:
- app: busybox
- spec:
- containers:
- - name: busybox
- image: ghcr.io/kyverno/test-busybox:1.35
- command:
- - "sleep"
- - "3600"
\ No newline at end of file
diff --git a/kasten/kasten-data-protection-by-label/.chainsaw-test/deployment-bad-nolabel.yaml b/kasten/kasten-data-protection-by-label/.chainsaw-test/deployment-bad-nolabel.yaml
deleted file mode 100644
index b73ff7aaf..000000000
--- a/kasten/kasten-data-protection-by-label/.chainsaw-test/deployment-bad-nolabel.yaml
+++ /dev/null
@@ -1,23 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: baddeploy01
- labels:
- app: busybox
- purpose: production
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: busybox
- template:
- metadata:
- labels:
- app: busybox
- spec:
- containers:
- - name: busybox
- image: ghcr.io/kyverno/test-busybox:1.35
- command:
- - "sleep"
- - "3600"
\ No newline at end of file
diff --git a/kasten/kasten-data-protection-by-label/.chainsaw-test/deployment-good.yaml b/kasten/kasten-data-protection-by-label/.chainsaw-test/deployment-good.yaml
deleted file mode 100644
index 371bd292d..000000000
--- a/kasten/kasten-data-protection-by-label/.chainsaw-test/deployment-good.yaml
+++ /dev/null
@@ -1,75 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: gooddeploy01
- namespace: k10-dplabel-ns
- labels:
- app: busybox
- purpose: production
- dataprotection: kasten-example
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: busybox
- template:
- metadata:
- labels:
- app: busybox
- spec:
- containers:
- - name: busybox
- image: ghcr.io/kyverno/test-busybox:1.35
- command:
- - "sleep"
- - "3600"
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: gooddeploy02
- namespace: k10-dplabel-ns
- labels:
- app: busybox
- purpose: development
- dataprotection: foo-bar
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: busybox
- template:
- metadata:
- labels:
- app: busybox
- spec:
- containers:
- - name: busybox
- image: ghcr.io/kyverno/test-busybox:1.35
- command:
- - "sleep"
- - "3600"
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: gooddeploy03
- namespace: k10-dplabel-ns
- labels:
- app: busybox
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: busybox
- template:
- metadata:
- labels:
- app: busybox
- spec:
- containers:
- - name: busybox
- image: ghcr.io/kyverno/test-busybox:1.35
- command:
- - "sleep"
- - "3600"
\ No newline at end of file
diff --git a/kasten/kasten-data-protection-by-label/.chainsaw-test/nginx-deployment-invalid.yaml b/kasten/kasten-data-protection-by-label/.chainsaw-test/nginx-deployment-invalid.yaml
deleted file mode 100644
index 58b3482d5..000000000
--- a/kasten/kasten-data-protection-by-label/.chainsaw-test/nginx-deployment-invalid.yaml
+++ /dev/null
@@ -1,31 +0,0 @@
-kind: Namespace
-apiVersion: v1
-metadata:
- name: nginx
- labels:
- name: nginx
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: nginx-deployment
- namespace: nginx
- labels:
- app: nginx
- purpose: production
- dataprotection: none # invalid named K10 Policy!!
-spec:
- replicas: 3
- selector:
- matchLabels:
- app: nginx
- template:
- metadata:
- labels:
- app: nginx
- spec:
- containers:
- - name: nginx
- image: ghcr.io/kyverno/test-nginx:1.14.2
- ports:
- - containerPort: 80
diff --git a/kasten/kasten-data-protection-by-label/.chainsaw-test/ns.yaml b/kasten/kasten-data-protection-by-label/.chainsaw-test/ns.yaml
deleted file mode 100644
index 00e9c20e7..000000000
--- a/kasten/kasten-data-protection-by-label/.chainsaw-test/ns.yaml
+++ /dev/null
@@ -1,4 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
- name: k10-dplabel-ns
\ No newline at end of file
diff --git a/kasten/kasten-data-protection-by-label/.chainsaw-test/ss-bad-badlabel.yaml b/kasten/kasten-data-protection-by-label/.chainsaw-test/ss-bad-badlabel.yaml
deleted file mode 100644
index 902760bcf..000000000
--- a/kasten/kasten-data-protection-by-label/.chainsaw-test/ss-bad-badlabel.yaml
+++ /dev/null
@@ -1,23 +0,0 @@
-apiVersion: apps/v1
-kind: StatefulSet
-metadata:
- name: bad-ss02
- labels:
- purpose: production
- dataprotection: foo-bar
-spec:
- selector:
- matchLabels:
- app: busybox
- serviceName: busybox-ss
- replicas: 1
- minReadySeconds: 10
- template:
- metadata:
- labels:
- app: busybox
- spec:
- terminationGracePeriodSeconds: 10
- containers:
- - name: busybox
- image: ghcr.io/kyverno/test-busybox:1.35
\ No newline at end of file
diff --git a/kasten/kasten-data-protection-by-label/.chainsaw-test/ss-bad-nolabel.yaml b/kasten/kasten-data-protection-by-label/.chainsaw-test/ss-bad-nolabel.yaml
deleted file mode 100644
index a710806fe..000000000
--- a/kasten/kasten-data-protection-by-label/.chainsaw-test/ss-bad-nolabel.yaml
+++ /dev/null
@@ -1,22 +0,0 @@
-apiVersion: apps/v1
-kind: StatefulSet
-metadata:
- name: bad-ss01
- labels:
- purpose: production
-spec:
- selector:
- matchLabels:
- app: busybox
- serviceName: busybox-ss
- replicas: 1
- minReadySeconds: 10
- template:
- metadata:
- labels:
- app: busybox
- spec:
- terminationGracePeriodSeconds: 10
- containers:
- - name: busybox
- image: ghcr.io/kyverno/test-busybox:1.35
\ No newline at end of file
diff --git a/kasten/kasten-data-protection-by-label/.chainsaw-test/ss-good.yaml b/kasten/kasten-data-protection-by-label/.chainsaw-test/ss-good.yaml
deleted file mode 100644
index 4359ca760..000000000
--- a/kasten/kasten-data-protection-by-label/.chainsaw-test/ss-good.yaml
+++ /dev/null
@@ -1,65 +0,0 @@
-apiVersion: apps/v1
-kind: StatefulSet
-metadata:
- name: good-ss01
- namespace: k10-dplabel-ns
- labels:
- purpose: production
- dataprotection: kasten-example
-spec:
- selector:
- matchLabels:
- app: busybox
- serviceName: busybox-ss
- replicas: 1
- template:
- metadata:
- labels:
- app: busybox
- spec:
- containers:
- - name: busybox
- image: ghcr.io/kyverno/test-busybox:1.35
----
-apiVersion: apps/v1
-kind: StatefulSet
-metadata:
- name: good-ss02
- namespace: k10-dplabel-ns
-spec:
- selector:
- matchLabels:
- app: busybox
- serviceName: busybox-ss
- replicas: 1
- template:
- metadata:
- labels:
- app: busybox
- spec:
- containers:
- - name: busybox
- image: ghcr.io/kyverno/test-busybox:1.35
----
-apiVersion: apps/v1
-kind: StatefulSet
-metadata:
- name: good-ss02
- namespace: k10-dplabel-ns
- labels:
- purpose: development
- dataprotection: foo-bar
-spec:
- selector:
- matchLabels:
- app: busybox
- serviceName: busybox-ss
- replicas: 1
- template:
- metadata:
- labels:
- app: busybox
- spec:
- containers:
- - name: busybox
- image: ghcr.io/kyverno/test-busybox:1.35
\ No newline at end of file
diff --git a/kasten/kasten-data-protection-by-label/.kyverno-test/kyverno-test.yaml b/kasten/kasten-data-protection-by-label/.kyverno-test/kyverno-test.yaml
deleted file mode 100644
index 6476031b7..000000000
--- a/kasten/kasten-data-protection-by-label/.kyverno-test/kyverno-test.yaml
+++ /dev/null
@@ -1,33 +0,0 @@
-apiVersion: cli.kyverno.io/v1alpha1
-kind: Test
-metadata:
- name: kyverno_data_protection_tests
-policies:
-- ../kasten-data-protection-by-label.yaml
-resources:
-- nginx-deployment.yaml
-results:
-- kind: Deployment
- policy: kasten-data-protection-by-label
- resources:
- - nginx-deployment-invalid
- result: fail
- rule: kasten-data-protection-by-label
-- kind: Deployment
- policy: kasten-data-protection-by-label
- resources:
- - nginx-deployment-pass
- result: pass
- rule: kasten-data-protection-by-label
-- kind: Deployment
- policy: kasten-data-protection-by-label
- resources:
- - nginx-deployment-none
- result: pass
- rule: kasten-data-protection-by-label
-- kind: Deployment
- policy: kasten-data-protection-by-label
- resources:
- - nginx-deployment-skipped
- result: skip
- rule: kasten-data-protection-by-label
\ No newline at end of file
diff --git a/kasten/kasten-data-protection-by-label/.kyverno-test/nginx-deployment.yaml b/kasten/kasten-data-protection-by-label/.kyverno-test/nginx-deployment.yaml
deleted file mode 100644
index b3f7adf08..000000000
--- a/kasten/kasten-data-protection-by-label/.kyverno-test/nginx-deployment.yaml
+++ /dev/null
@@ -1,100 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: nginx-deployment-pass
- namespace: nginx
- labels:
- app: nginx
- purpose: production
- dataprotection: kasten-example
- immutable: enabled
-spec:
- replicas: 3
- selector:
- matchLabels:
- app: nginx
- template:
- metadata:
- labels:
- app: nginx
- spec:
- containers:
- - name: nginx
- image: nginx:1.14.2
- ports:
- - containerPort: 80
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: nginx-deployment-none
- namespace: nginx
- labels:
- app: nginx
- purpose: production
- dataprotection: none
-spec:
- replicas: 3
- selector:
- matchLabels:
- app: nginx
- template:
- metadata:
- labels:
- app: nginx
- spec:
- containers:
- - name: nginx
- image: nginx:1.14.2
- ports:
- - containerPort: 80
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: nginx-deployment-invalid
- namespace: nginx
- labels:
- app: nginx
- purpose: production
- dataprotection: invalid
-spec:
- replicas: 3
- selector:
- matchLabels:
- app: nginx
- template:
- metadata:
- labels:
- app: nginx
- spec:
- containers:
- - name: nginx
- image: nginx:1.14.2
- ports:
- - containerPort: 80
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: nginx-deployment-skipped
- namespace: nginx
- labels:
- app: nginx
- purpose: test
- dataprotection: kasten-example
-spec:
- replicas: 3
- selector:
- matchLabels:
- app: nginx
- template:
- metadata:
- labels:
- app: nginx
- spec:
- containers:
- - name: nginx
- image: nginx:1.14.2
- ports:
- - containerPort: 80
diff --git a/kasten/kasten-data-protection-by-label/artifacthub-pkg.yml b/kasten/kasten-data-protection-by-label/artifacthub-pkg.yml
deleted file mode 100644
index ae58b9e7f..000000000
--- a/kasten/kasten-data-protection-by-label/artifacthub-pkg.yml
+++ /dev/null
@@ -1,25 +0,0 @@
-name: kasten-data-protection-by-label
-version: 1.0.1
-displayName: Check Data Protection By Label
-createdAt: "2023-05-07T00:00:00.000Z"
-description: >-
- Check the 'dataprotection' label for production Deployments and StatefulSet workloads.
- Use in combination with 'kasten-generate-example-backup-policy' policy to generate a Kasten policy for the workload namespace, if it doesn't already exist.
-install: |-
- ```shell
- kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/kasten/kasten-data-protection-by-label/kasten-data-protection-by-label.yaml
- ```
-keywords:
- - kyverno
- - Veeam Kasten
-readme: |
- Check the 'dataprotection' label for production Deployments and StatefulSet workloads.
-
- Use in combination with 'kasten-generate-example-backup-policy' policy to generate a Kasten policy for the workload namespace, if it doesn't already exist.
-
- Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/
-annotations:
- kyverno/category: "Veeam Kasten"
- kyverno/kubernetesVersion: "1.24-1.30"
- kyverno/subject: "Deployment, StatefulSet"
-digest: 8751cca18f18d7a2cd1b923e84b805580af363b1aff8766fc4f3f231d6026601
diff --git a/kasten/kasten-data-protection-by-label/kasten-data-protection-by-label.yaml b/kasten/kasten-data-protection-by-label/kasten-data-protection-by-label.yaml
deleted file mode 100644
index 3db97db3b..000000000
--- a/kasten/kasten-data-protection-by-label/kasten-data-protection-by-label.yaml
+++ /dev/null
@@ -1,37 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
- name: kasten-data-protection-by-label
- annotations:
- policies.kyverno.io/title: Check Data Protection By Label
- policies.kyverno.io/category: Veeam Kasten
- kyverno.io/kyverno-version: 1.12.1
- policies.kyverno.io/minversion: 1.6.2
- kyverno.io/kubernetes-version: "1.24-1.30"
- policies.kyverno.io/subject: Deployment, StatefulSet
- policies.kyverno.io/description: >-
- Check the 'dataprotection' label for production Deployments and StatefulSet workloads.
- Use in combination with 'kasten-generate-example-backup-policy' policy to generate a Kasten policy for the workload namespace, if it doesn't already exist.
-spec:
- validationFailureAction: Audit
- rules:
- - name: kasten-data-protection-by-label
- match:
- any:
- - resources:
- kinds:
- - Deployment
- - StatefulSet
- selector:
- matchLabels:
- purpose: production
- validate:
- message: >-
- "Deployments and StatefulSets with 'purpose=production' label must specify a valid 'dataprotection' label: - - "dataprotection=kasten-example" - - "dataprotection=none" - No local snapshots or backups
- pattern:
- metadata:
- labels:
- dataprotection: "kasten-example|none"
diff --git a/kasten/kasten-generate-example-backup-policy/.kyverno-test/generatedResource.yaml b/kasten/kasten-generate-example-backup-policy/.kyverno-test/generatedResource.yaml
deleted file mode 100644
index 650b634e5..000000000
--- a/kasten/kasten-generate-example-backup-policy/.kyverno-test/generatedResource.yaml
+++ /dev/null
@@ -1,29 +0,0 @@
-apiVersion: config.kio.kasten.io/v1alpha1
-kind: Policy
-metadata:
- name: test-namespace-kasten-example-policy
- namespace: kasten-io
-spec:
- comment: "Auto-generated by Kyverno"
- frequency: '@daily'
- retention:
- daily: 7
- weekly: 4
- monthly: 12
- yearly: 7
- actions:
- - action: backup
- - action: export
- exportParameters:
- frequency: '@daily'
- profile:
- name: test
- namespace: kasten-io
- exportData:
- enabled: true
- selector:
- matchExpressions:
- - key: k10.kasten.io/appNamespace
- operator: In
- values:
- - test-namespace
\ No newline at end of file
diff --git a/kasten/kasten-generate-example-backup-policy/.kyverno-test/kyverno-test.yaml b/kasten/kasten-generate-example-backup-policy/.kyverno-test/kyverno-test.yaml
deleted file mode 100644
index 9d1cde8a9..000000000
--- a/kasten/kasten-generate-example-backup-policy/.kyverno-test/kyverno-test.yaml
+++ /dev/null
@@ -1,17 +0,0 @@
-apiVersion: cli.kyverno.io/v1alpha1
-kind: Test
-metadata:
- name: kasten-generate-example-backup-policy-test
-policies:
-- ../kasten-generate-example-backup-policy.yaml
-resources:
-- test-resource.yaml
-results:
-- generatedResource: generatedResource.yaml
- kind: Deployment
- policy: kasten-generate-example-backup-policy
- resources:
- - test-deployment
- result: pass
- rule: kasten-generate-example-backup-policy
-variables: test-values.yaml
diff --git a/kasten/kasten-generate-example-backup-policy/.kyverno-test/test-resource.yaml b/kasten/kasten-generate-example-backup-policy/.kyverno-test/test-resource.yaml
deleted file mode 100644
index d25ce5dda..000000000
--- a/kasten/kasten-generate-example-backup-policy/.kyverno-test/test-resource.yaml
+++ /dev/null
@@ -1,23 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: test-deployment
- namespace: test-namespace
- labels:
- app: nginx
- dataprotection: kasten-example
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: nginx
- template:
- metadata:
- labels:
- app: nginx
- spec:
- containers:
- - name: nginx
- image: nginx:1.14.2
- ports:
- - containerPort: 80
\ No newline at end of file
diff --git a/kasten/kasten-generate-example-backup-policy/.kyverno-test/test-values.yaml b/kasten/kasten-generate-example-backup-policy/.kyverno-test/test-values.yaml
deleted file mode 100644
index 2de482915..000000000
--- a/kasten/kasten-generate-example-backup-policy/.kyverno-test/test-values.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
-apiVersion: cli.kyverno.io/v1alpha1
-kind: Values
-policies:
-- name: kasten-generate-example-backup-policy
- resources:
- - name: test-variables
- values:
- request.namespace: test-namespace
- dataprotectionLabelValue: kasten-example
- rules:
- - name: kasten-generate-example-backup-policy
- values:
- existingPolicy: 0
diff --git a/kasten/kasten-generate-example-backup-policy/artifacthub-pkg.yml b/kasten/kasten-generate-example-backup-policy/artifacthub-pkg.yml
deleted file mode 100644
index e6b52eefd..000000000
--- a/kasten/kasten-generate-example-backup-policy/artifacthub-pkg.yml
+++ /dev/null
@@ -1,20 +0,0 @@ -name: kasten-generate-example-backup-policy -version: 1.0.1 -displayName: Generate Kasten Backup Policy Based on Resource Label -createdAt: "2023-05-07T00:00:00.000Z" -description: >- - Generates a Kasten policy for a namespace that includes any Deployment or StatefulSet with a "dataprotection=kasten-example" label, if the policy does not already exist. This Kyverno policy can be used in combination with the "kasten-data-protection-by-label" policy to require "dataprotection" labeling on workloads. NOTE: Use of this policy will require granting the Kyverno background-controller additional privileges required to generate Kasten resources. An example ClusterRole to provide required privileges is provided within the comments of the policy manifest. -install: |- - ```shell - kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/kasten/kasten-generate-example-backup-policy/kasten-generate-example-backup-policy.yaml - ``` -keywords: - - kyverno - - Veeam Kasten -readme: | - Generates a Kasten policy for a namespace that includes any Deployment or StatefulSet with a "dataprotection=kasten-example" label, if the policy does not already exist. This Kyverno policy can be used in combination with the "kasten-data-protection-by-label" policy to require "dataprotection" labeling on workloads. NOTE: Use of this policy will require granting the Kyverno background-controller additional privileges required to generate Kasten resources. An example ClusterRole to provide required privileges is provided within the comments of the policy manifest. -annotations: - kyverno/category: "Veeam Kasten" - kyverno/kubernetesVersion: "1.24-1.30" - kyverno/subject: "Policy" -digest: 74edc3942670ec20e8b9ab00db894e503071bcc4c2da12dca2a6e03a2b2f562a 
diff --git a/kasten/kasten-generate-example-backup-policy/kasten-generate-example-backup-policy.yaml b/kasten/kasten-generate-example-backup-policy/kasten-generate-example-backup-policy.yaml deleted file mode 100644 index 995ed99f9..000000000 --- a/kasten/kasten-generate-example-backup-policy/kasten-generate-example-backup-policy.yaml +++ /dev/null 
@@ -1,97 +0,0 @@ -# This is an example rule intended to be cloned & modified to meet organizational requirements. -# The `dataprotetion` label value can be changed to correspond with specific policy templates. -# -# NOTE: Use of this policy will require granting the Kyverno background-controller additional privileges required to generate Kasten resources. An example ClusterRole to provide required privileges is provided within the comments of the policy manifest. -# -# apiVersion: rbac.authorization.k8s.io/v1 -# kind: ClusterRole -# metadata: -# labels: -# app.kubernetes.io/component: background-controller -# app.kubernetes.io/instance: kyverno -# app.kubernetes.io/part-of: kyverno -# name: kyverno:create-kasten-policies -# rules: -# - apiGroups: -# - config.kio.kasten.io -# resources: -# - policies -# verbs: -# - create -# - update -# - delete -# -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: kasten-generate-example-backup-policy - annotations: - policies.kyverno.io/title: Generate Kasten Backup Policy Based on Resource Label - policies.kyverno.io/category: Veeam Kasten - kyverno.io/kyverno-version: 1.12.1 - policies.kyverno.io/minversion: 1.12.0 - kyverno.io/kubernetes-version: "1.24-1.30" - policies.kyverno.io/subject: Policy - policies.kyverno.io/description: >- - Generates a Kasten policy for a namespace that includes any Deployment or StatefulSet with a "dataprotection=kasten-example" label, if the policy does not already exist. This Kyverno policy can be used in combination with the "kasten-data-protection-by-label" policy to require "dataprotection" labeling on workloads. 
-spec: - rules: - - name: kasten-generate-example-backup-policy - match: - any: - - resources: - kinds: - - Deployment - - StatefulSet - selector: - matchLabels: - dataprotection: kasten-example - context: - - name: dataprotectionLabelValue - variable: - value: "kasten-example" - - name: kyvernoPolicyName - variable: - value: "kasten-generate-example-backup-policy" - - name: existingPolicy - apiCall: - urlPath: "/apis/config.kio.kasten.io/v1alpha1/namespaces/kasten-io/policies" # returns list of Kasten policies from kasten-io namespace - jmesPath: "items[][[@.metadata.labels.\"generate.kyverno.io/policy-name\"=='{{ kyvernoPolicyName }}'] && [@.spec.selector.matchExpressions[].values[?@=='{{ request.namespace }}']]][][][][] | length(@)" # queries if a Kasten policy protecting the namespace generated by this Kyverno policy already exists - preconditions: - any: - - key: "{{ existingPolicy }}" - operator: Equals - value: 0 # Only generate the policy if it does not already exist - generate: - apiVersion: config.kio.kasten.io/v1alpha1 - kind: Policy - name: "{{ request.namespace }}-{{ dataprotectionLabelValue }}-policy" - namespace: kasten-io - data: - metadata: - name: "{{ request.namespace }}-{{ dataprotectionLabelValue }}-policy" - namespace: kasten-io - spec: - comment: "Auto-generated by Kyverno" - frequency: '@daily' - retention: - daily: 7 - weekly: 4 - monthly: 12 - yearly: 7 - actions: - - action: backup - - action: export - exportParameters: - frequency: '@daily' - profile: - name: test - namespace: kasten-io - exportData: - enabled: true - selector: - matchExpressions: - - key: k10.kasten.io/appNamespace - operator: In - values: - - "{{ request.namespace }}" diff --git a/kasten/kasten-generate-policy-by-preset-label/.chainsaw-test/chainsaw-step-03-apply-5.yaml b/kasten/kasten-generate-policy-by-preset-label/.chainsaw-test/chainsaw-step-03-apply-5.yaml deleted file mode 100755 index ed298e4d9..000000000 
--- a/kasten/kasten-generate-policy-by-preset-label/.chainsaw-test/chainsaw-step-03-apply-5.yaml +++ /dev/null @@ -1,6 +0,0 @@ -apiVersion: v1 -kind: Namespace -metadata: - labels: - dataprotection: none - name: k10-gp-label-ns04 diff --git a/kasten/kasten-generate-policy-by-preset-label/.chainsaw-test/chainsaw-test.yaml b/kasten/kasten-generate-policy-by-preset-label/.chainsaw-test/chainsaw-test.yaml deleted file mode 100755 index 9d72e2bce..000000000 --- a/kasten/kasten-generate-policy-by-preset-label/.chainsaw-test/chainsaw-test.yaml +++ /dev/null @@ -1,42 +0,0 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json -apiVersion: chainsaw.kyverno.io/v1alpha1 -kind: Test -metadata: - creationTimestamp: null - name: kasten-generate-policy-by-preset-label -spec: - steps: - - name: step-01 - try: - - apply: - file: permissions.yaml - - apply: - file: chainsaw-step-01-apply-1.yaml - - assert: - file: chainsaw-step-01-assert-1.yaml - - name: step-02 - try: - - apply: - file: ../kasten-generate-policy-by-preset-label.yaml - - assert: - file: policy-ready.yaml - - name: step-03 - try: - - apply: - file: chainsaw-step-03-apply-1.yaml - - apply: - file: chainsaw-step-03-apply-2.yaml - - apply: - file: chainsaw-step-03-apply-3.yaml - - apply: - file: chainsaw-step-03-apply-4.yaml - - apply: - file: chainsaw-step-03-apply-5.yaml - - apply: - file: chainsaw-step-03-apply-6.yaml - - name: step-04 - try: - - assert: - file: generated-policy.yaml - - error: - file: not-generated-policy.yaml diff --git a/kasten/kasten-generate-policy-by-preset-label/.chainsaw-test/not-generated-policy.yaml b/kasten/kasten-generate-policy-by-preset-label/.chainsaw-test/not-generated-policy.yaml deleted file mode 100644 index a63f570c1..000000000 --- a/kasten/kasten-generate-policy-by-preset-label/.chainsaw-test/not-generated-policy.yaml +++ /dev/null 
@@ -1,39 +0,0 @@ -apiVersion: config.kio.kasten.io/v1alpha1 -kind: Policy -metadata: - name: k10-gp-label-ns04-none-backup - namespace: kasten-io -spec: - comment: "Auto-generated by Kyverno" - paused: false - actions: - - action: backup - presetRef: - name: none - namespace: kasten-io - selector: - matchExpressions: - - key: k10.kasten.io/appNamespace - operator: In - values: - - k10-gp-label-ns04 ---- -apiVersion: config.kio.kasten.io/v1alpha1 -kind: Policy -metadata: - name: k10-gp-label-ns05-gold-backup - namespace: kasten-io -spec: - comment: "Auto-generated by Kyverno" - paused: false - actions: - - action: backup - presetRef: - name: gold - namespace: kasten-io - selector: - matchExpressions: - - key: k10.kasten.io/appNamespace - operator: In - values: - - k10-gp-label-ns05 \ No newline at end of file diff --git a/kasten/kasten-generate-policy-by-preset-label/.chainsaw-test/permissions.yaml b/kasten/kasten-generate-policy-by-preset-label/.chainsaw-test/permissions.yaml deleted file mode 100644 index 2f31131bc..000000000 --- a/kasten/kasten-generate-policy-by-preset-label/.chainsaw-test/permissions.yaml +++ /dev/null @@ -1,17 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: kyverno:kasten:view - labels: - rbac.kyverno.io/aggregate-to-reports-controller: "true" - rbac.kyverno.io/aggregate-to-admission-controller: "true" - rbac.kyverno.io/aggregate-to-background-controller: "true" -rules: -- apiGroups: - - config.kio.kasten.io - resources: - - policies - verbs: - - get - - list - - watch diff --git a/kasten/kasten-generate-policy-by-preset-label/.chainsaw-test/policy-ready.yaml b/kasten/kasten-generate-policy-by-preset-label/.chainsaw-test/policy-ready.yaml deleted file mode 100644 index 319a8fa1d..000000000 --- a/kasten/kasten-generate-policy-by-preset-label/.chainsaw-test/policy-ready.yaml +++ /dev/null 
@@ -1,9 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: kasten-generate-policy-by-preset-label -status: - conditions: - - reason: Succeeded - status: "True" - type: Ready diff --git a/kasten/kasten-generate-policy-by-preset-label/.kyverno-test/kyverno-test.yaml b/kasten/kasten-generate-policy-by-preset-label/.kyverno-test/kyverno-test.yaml deleted file mode 100644 index 82b54ec1a..000000000 --- a/kasten/kasten-generate-policy-by-preset-label/.kyverno-test/kyverno-test.yaml +++ /dev/null @@ -1,17 +0,0 @@ -apiVersion: cli.kyverno.io/v1alpha1 -kind: Test -metadata: - name: kasten-generate-policy-by-preset-label-test -policies: -- ../kasten-generate-policy-by-preset-label.yaml -resources: -- test-resource.yaml -results: -- generatedResource: generatedResource.yaml - kind: Namespace - policy: kasten-generate-policy-by-preset-label - resources: - - test-namespace - result: pass - rule: kasten-generate-policy-by-preset-label -variables: test-values.yaml diff --git a/kasten/kasten-generate-policy-by-preset-label/.kyverno-test/test-values.yaml b/kasten/kasten-generate-policy-by-preset-label/.kyverno-test/test-values.yaml deleted file mode 100644 index ce3a6450f..000000000 --- a/kasten/kasten-generate-policy-by-preset-label/.kyverno-test/test-values.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: cli.kyverno.io/v1alpha1 -kind: Values -policies: -- name: kasten-generate-policy-by-preset-label - resources: - - name: test-namespace - values: - request.namespace: test-namespace - rules: - - name: kasten-generate-policy-by-preset-label - values: - existingPolicy: 0 diff --git a/kasten/kasten-generate-policy-by-preset-label/artifacthub-pkg.yml b/kasten/kasten-generate-policy-by-preset-label/artifacthub-pkg.yml deleted file mode 100644 index 31a33aab8..000000000 --- a/kasten/kasten-generate-policy-by-preset-label/artifacthub-pkg.yml +++ /dev/null 
@@ -1,20 +0,0 @@ -name: kasten-generate-policy-by-preset-label -version: 1.0.1 -displayName: Generate Kasten Policy from Preset -createdAt: "2023-05-07T00:00:00.000Z" -description: >- - Generates a Kasten policy for a new namespace that includes a valid "dataprotection" label, if the policy does not already exist. This Kyverno policy can be used in combination with the "kasten-validate-ns-by-preset-label" policy to require "dataprotection" labeling on new namespaces. NOTE: Use of this policy will require granting the Kyverno background-controller additional privileges required to generate Kasten resources. An example ClusterRole to provide required privileges is provided within the comments of the policy manifest. -install: |- - ```shell - kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/kasten/kasten-generate-policy-by-preset-label/kasten-generate-policy-by-preset-label.yaml - ``` -keywords: - - kyverno - - Veeam Kasten -readme: | - Generates a Kasten policy for a new namespace that includes a valid "dataprotection" label, if the policy does not already exist. This Kyverno policy can be used in combination with the "kasten-validate-ns-by-preset-label" policy to require "dataprotection" labeling on new namespaces. NOTE: Use of this policy will require granting the Kyverno background-controller additional privileges required to generate Kasten resources. An example ClusterRole to provide required privileges is provided within the comments of the policy manifest. -annotations: - kyverno/category: "Veeam Kasten" - kyverno/kubernetesVersion: "1.24-1.30" - kyverno/subject: "Policy" -digest: cddabf7614a6122728cf0f862013266ddb5731eb45fcaa41d6cb243e9881aad7 diff --git a/kasten/kasten-generate-policy-by-preset-label/kasten-generate-policy-by-preset-label.yaml b/kasten/kasten-generate-policy-by-preset-label/kasten-generate-policy-by-preset-label.yaml deleted file mode 100644 index f7aabe6e3..000000000 
--- a/kasten/kasten-generate-policy-by-preset-label/kasten-generate-policy-by-preset-label.yaml +++ /dev/null 
@@ -1,82 +0,0 @@ -# This example assumes that Kasten policy presets named "gold", "silver", and "bronze" have been pre-created and Kasten was deployed into the `kasten-io` namespace. -# -# NOTE: Use of this policy will require granting the Kyverno background-controller additional privileges required to generate Kasten resources. An example ClusterRole to provide required privileges is provided within the comments of the policy manifest. -# -# apiVersion: rbac.authorization.k8s.io/v1 -# kind: ClusterRole -# metadata: -# labels: -# app.kubernetes.io/component: background-controller -# app.kubernetes.io/instance: kyverno -# app.kubernetes.io/part-of: kyverno -# name: kyverno:create-kasten-policies -# rules: -# - apiGroups: -# - config.kio.kasten.io -# resources: -# - policies -# verbs: -# - create -# - update -# - delete -# -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: kasten-generate-policy-by-preset-label - annotations: - policies.kyverno.io/title: Generate Kasten Policy from Preset - policies.kyverno.io/category: Veeam Kasten - policies.kyverno.io/subject: Policy - kyverno.io/kyverno-version: 1.12.1 - policies.kyverno.io/minversion: 1.12.0 - kyverno.io/kubernetes-version: "1.24-1.30" - policies.kyverno.io/description: >- - Generates a Kasten policy for a new namespace that includes a valid "dataprotection" label, if the policy does not already exist. - Use with "kasten-validate-ns-by-preset-label" policy to require "dataprotection" labeling on new namespaces. 
-spec: - rules: - - name: kasten-generate-policy-by-preset-label - match: - any: - - resources: - kinds: - - Namespace - selector: - matchExpressions: - - key: dataprotection - operator: In - values: - - gold - - silver - - bronze - context: - - name: existingPolicy - apiCall: - urlPath: "/apis/config.kio.kasten.io/v1alpha1/namespaces/kasten-io/policies" # returns list of Kasten policies from kasten-io namespace - jmesPath: "items[][[@.spec.presetRef][?name=='{{ request.object.metadata.labels.dataprotection }}'] && [@.spec.selector.matchExpressions[].values[?@=='{{ request.namespace }}']]][][][][] | length(@)" # queries if a policy based on the dataprotection label value, covering that app namespace already exists - preconditions: - any: - - key: "{{ existingPolicy }}" - operator: Equals - value: 0 # Only generate the policy if it does not already exist - generate: - apiVersion: config.kio.kasten.io/v1alpha1 - kind: Policy - name: "{{ request.namespace }}-{{ request.object.metadata.labels.dataprotection }}-backup" - namespace: kasten-io - data: - spec: - comment: "Auto-generated by Kyverno" - paused: false - actions: - - action: backup - presetRef: - name: "{{ request.object.metadata.labels.dataprotection }}" - namespace: kasten-io - selector: - matchExpressions: - - key: k10.kasten.io/appNamespace - operator: In - values: - - "{{ request.namespace }}" \ No newline at end of file diff --git a/kasten/kasten-hourly-rpo/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/kasten/kasten-hourly-rpo/.chainsaw-test/chainsaw-step-01-assert-1.yaml deleted file mode 100755 index d210f50d4..000000000 --- a/kasten/kasten-hourly-rpo/.chainsaw-test/chainsaw-step-01-assert-1.yaml +++ /dev/null @@ -1,9 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: kasten-hourly-rpo -status: - conditions: - - reason: Succeeded - status: "True" - type: Ready 
diff --git a/kasten/kasten-hourly-rpo/.chainsaw-test/chainsaw-test.yaml b/kasten/kasten-hourly-rpo/.chainsaw-test/chainsaw-test.yaml deleted file mode 100755 index 569383ef7..000000000 --- a/kasten/kasten-hourly-rpo/.chainsaw-test/chainsaw-test.yaml +++ /dev/null @@ -1,35 +0,0 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json -apiVersion: chainsaw.kyverno.io/v1alpha1 -kind: Test -metadata: - creationTimestamp: null - name: k10-hourly-rpo -spec: - steps: - - name: step-01 - try: - - apply: - file: ../kasten-hourly-rpo.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: kasten-hourly-rpo - spec: - validationFailureAction: Enforce - - assert: - file: chainsaw-step-01-assert-1.yaml - - assert: - file: chainsaw-step-01-assert-2.yaml - - name: step-02 - try: - - apply: - file: ns.yaml - - apply: - file: k10-good-policy.yaml - - apply: - expect: - - check: - ($error != null): true - file: k10-bad-policy.yaml diff --git a/kasten/kasten-hourly-rpo/.chainsaw-test/k10-bad-policy.yaml b/kasten/kasten-hourly-rpo/.chainsaw-test/k10-bad-policy.yaml deleted file mode 100644 index c0dc1434f..000000000 --- a/kasten/kasten-hourly-rpo/.chainsaw-test/k10-bad-policy.yaml +++ /dev/null @@ -1,30 +0,0 @@ -apiVersion: config.kio.kasten.io/v1alpha1 -kind: Policy -metadata: - name: daily-policy - namespace: kasten-io -spec: - frequency: '@daily' - retention: - daily: 14 - weekly: 4 - monthly: 6 - actions: - - action: backup - - action: export - exportParameters: - frequency: '@monthly' - profile: - name: my-profile - namespace: kasten-io - exportData: - enabled: true - retention: - monthly: 12 - yearly: 5 - selector: - matchExpressions: - - key: k10.kasten.io/appNamespace - operator: In - values: - - test-namespace \ No newline at end of file 
diff --git a/kasten/kasten-hourly-rpo/.chainsaw-test/k10-good-policy.yaml b/kasten/kasten-hourly-rpo/.chainsaw-test/k10-good-policy.yaml deleted file mode 100644 index 95d465155..000000000 --- a/kasten/kasten-hourly-rpo/.chainsaw-test/k10-good-policy.yaml +++ /dev/null @@ -1,30 +0,0 @@ -apiVersion: config.kio.kasten.io/v1alpha1 -kind: Policy -metadata: - name: hourly-policy - namespace: kasten-io -spec: - frequency: '@hourly' - retention: - daily: 14 - weekly: 4 - monthly: 6 - actions: - - action: backup - - action: export - exportParameters: - frequency: '@monthly' - profile: - name: my-profile - namespace: kasten-io - exportData: - enabled: true - retention: - monthly: 12 - yearly: 5 - selector: - matchExpressions: - - key: k10.kasten.io/appNamespace - operator: In - values: - - test-namespace \ No newline at end of file diff --git a/kasten/kasten-hourly-rpo/.chainsaw-test/ns.yaml b/kasten/kasten-hourly-rpo/.chainsaw-test/ns.yaml deleted file mode 100644 index 6c8985d11..000000000 --- a/kasten/kasten-hourly-rpo/.chainsaw-test/ns.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: v1 -kind: Namespace -metadata: - name: test-namespace - labels: - appPriority: critical ---- -apiVersion: v1 -kind: Namespace -metadata: - name: kasten-io \ No newline at end of file diff --git a/kasten/kasten-hourly-rpo/.kyverno-test/kyverno-test.yaml b/kasten/kasten-hourly-rpo/.kyverno-test/kyverno-test.yaml deleted file mode 100644 index f8a516ef4..000000000 --- a/kasten/kasten-hourly-rpo/.kyverno-test/kyverno-test.yaml +++ /dev/null @@ -1,22 +0,0 @@ -apiVersion: cli.kyverno.io/v1alpha1 -kind: Test -metadata: - name: kyverno_data_protection_tests -policies: -- ../kasten-hourly-rpo.yaml -resources: -- test-policies.yaml -results: -- kind: Policy - policy: kasten-hourly-rpo - resources: - - daily-policy - result: fail - rule: kasten-hourly-rpo -- kind: Policy - policy: kasten-hourly-rpo - resources: - - hourly-policy - result: pass - rule: kasten-hourly-rpo -variables: test-values.yaml 
diff --git a/kasten/kasten-hourly-rpo/.kyverno-test/test-policies.yaml b/kasten/kasten-hourly-rpo/.kyverno-test/test-policies.yaml deleted file mode 100644 index d08547c9e..000000000 --- a/kasten/kasten-hourly-rpo/.kyverno-test/test-policies.yaml +++ /dev/null @@ -1,63 +0,0 @@ -apiVersion: config.kio.kasten.io/v1alpha1 -kind: Policy -metadata: - name: daily-policy - namespace: kasten-io -spec: - frequency: '@daily' - retention: - daily: 14 - weekly: 4 - monthly: 6 - actions: - - action: backup - - action: export - exportParameters: - frequency: '@monthly' - profile: - name: my-profile - namespace: kasten-io - exportData: - enabled: true - retention: - monthly: 12 - yearly: 5 - selector: - matchExpressions: - - key: k10.kasten.io/appNamespace - operator: In - values: - - app-1 - - app-2 ---- -apiVersion: config.kio.kasten.io/v1alpha1 -kind: Policy -metadata: - name: hourly-policy - namespace: kasten-io -spec: - frequency: '@hourly' - retention: - daily: 14 - weekly: 4 - monthly: 6 - actions: - - action: backup - - action: export - exportParameters: - frequency: '@monthly' - profile: - name: my-profile - namespace: kasten-io - exportData: - enabled: true - retention: - monthly: 12 - yearly: 5 - selector: - matchExpressions: - - key: k10.kasten.io/appNamespace - operator: In - values: - - app-1 - - app-2 \ No newline at end of file diff --git a/kasten/kasten-hourly-rpo/.kyverno-test/test-values.yaml b/kasten/kasten-hourly-rpo/.kyverno-test/test-values.yaml deleted file mode 100644 index ad24733e0..000000000 --- a/kasten/kasten-hourly-rpo/.kyverno-test/test-values.yaml +++ /dev/null @@ -1,10 +0,0 @@ -apiVersion: cli.kyverno.io/v1alpha1 -kind: Values -policies: -- name: kasten-hourly-rpo - rules: - - name: kasten-hourly-rpo - values: - namespacesWithPriorityLabel: - - app-1 - - app-2 diff --git a/kasten/kasten-hourly-rpo/artifacthub-pkg.yml b/kasten/kasten-hourly-rpo/artifacthub-pkg.yml deleted file mode 100644 index 2d4895e09..000000000 
--- a/kasten/kasten-hourly-rpo/artifacthub-pkg.yml +++ /dev/null @@ -1,24 +0,0 @@ -name: k10-hourly-rpo -version: 1.0.1 -displayName: Check Hourly RPO -createdAt: "2023-05-07T00:00:00.000Z" -description: >- - Kasten Policy resources can be required to adhere to common Recovery Point Objective (RPO) best practices. - This example policy validates that the Policy is set to run hourly if it explicitly protects any namespaces containing the `appPriority=critical` label. This policy can be adapted to enforce any Kasten Policy requirements based on a namespace label. -install: |- - ```shell - kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/kasten/kasten-hourly-rpo/kasten-hourly-rpo.yaml - ``` -keywords: - - kyverno - - Veeam Kasten -readme: | - Kasten Policy resources can be required to adhere to common Recovery Point Objective (RPO) best practices. - This example policy validates that the Policy is set to run hourly if it explicitly protects any namespaces containing the `appPriority=critical` label. This policy can be adapted to enforce any Kasten Policy requirements based on a namespace label. - - Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ -annotations: - kyverno/category: "Veeam Kasten" - kyverno/kubernetesVersion: "1.25-1.30" - kyverno/subject: "Policy" -digest: 4425c169fa2db1bac821bed041d6fce2bf37c471f6b9503379ffac05ce4ca9e9 diff --git a/kasten/kasten-hourly-rpo/kasten-hourly-rpo.yaml b/kasten/kasten-hourly-rpo/kasten-hourly-rpo.yaml deleted file mode 100644 index 127b7a8f1..000000000 --- a/kasten/kasten-hourly-rpo/kasten-hourly-rpo.yaml +++ /dev/null 
@@ -1,46 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: kasten-hourly-rpo - annotations: - policies.kyverno.io/title: Check Kasten Policy RPO based on Namespace Label - policies.kyverno.io/category: Veeam Kasten - kyverno.io/kyverno-version: 1.12.1 - policies.kyverno.io/minversion: 1.12.0 - kyverno.io/kubernetes-version: "1.24-1.30" - policies.kyverno.io/subject: Policy - policies.kyverno.io/description: >- - Kasten Policy resources can be required to adhere to common Recovery Point Objective (RPO) best practices. - This example policy validates that the Policy is set to run hourly if it explicitly protects any namespaces containing the `appPriority=critical` label. This policy can be adapted to enforce any Kasten Policy requirements based on a namespace label. -spec: - validationFailureAction: Enforce - rules: - - name: kasten-hourly-rpo - match: - any: - - resources: - kinds: - - config.kio.kasten.io/v1alpha1/Policy - context: - - name: namespacesWithPriorityLabel # Get list of namespaces with appPriority=critical label - apiCall: - urlPath: "/api/v1/namespaces?labelSelector=appPriority%3Dcritical" - jmesPath: "items[].metadata.name" - preconditions: - any: - - key: "{{ length(namespacesWithPriorityLabel) }}" - operator: GreaterThan - value: 0 # Only proceed if namespaces with appPriority=critical label exist - validate: - message: "Mission Critical RPO frequency should use no shorter than @hourly frequency" - foreach: - - list: "request.object.spec.selector.matchExpressions[0].values" - deny: - conditions: - all: # Deny admission if the policy is not hourly AND any namespaces listed in the Policy contain the appPriority=critical label - - key: "{{ element }}" - operator: AnyIn - value: "{{ namespacesWithPriorityLabel }}" - - key: "{{ request.object.spec.frequency }}" - operator: NotEquals - value: '@hourly' \ No newline at end of file 
diff --git a/kasten/kasten-immutable-location-profile/.kyverno-test/immutable-location-profile.yaml b/kasten/kasten-immutable-location-profile/.kyverno-test/immutable-location-profile.yaml deleted file mode 100644 index 580281ec6..000000000 --- a/kasten/kasten-immutable-location-profile/.kyverno-test/immutable-location-profile.yaml +++ /dev/null @@ -1,44 +0,0 @@ -kind: Profile -apiVersion: config.kio.kasten.io/v1alpha1 -metadata: - name: sample-location-profile -spec: - locationSpec: - type: ObjectStore - objectStore: - name: k10demo-immutable - objectStoreType: S3 - path: k10/xxxxxxxxxxxxxxxxxxxxxx/migration - pathType: Directory - protectionPeriod: 72h0m0s - region: us-east-1 - credential: - secretType: AwsAccessKey - secret: - apiVersion: v1 - kind: secret - name: k10secret-abcde - namespace: kasten-io - type: Location ---- -kind: Profile -apiVersion: config.kio.kasten.io/v1alpha1 -metadata: - name: sample-location-profile-invalid -spec: - locationSpec: - type: ObjectStore - objectStore: - name: k10demo-immutable - objectStoreType: S3 - path: k10/xxxxxxxxxxxxxxxxxxxxxx/migration - pathType: Directory - region: us-east-1 - credential: - secretType: AwsAccessKey - secret: - apiVersion: v1 - kind: secret - name: k10secret-abcde - namespace: kasten-io - type: Location \ No newline at end of file diff --git a/kasten/kasten-immutable-location-profile/.kyverno-test/kyverno-test.yaml b/kasten/kasten-immutable-location-profile/.kyverno-test/kyverno-test.yaml deleted file mode 100644 index 7be5a1240..000000000 --- a/kasten/kasten-immutable-location-profile/.kyverno-test/kyverno-test.yaml +++ /dev/null 
@@ -1,21 +0,0 @@ -apiVersion: cli.kyverno.io/v1alpha1 -kind: Test -metadata: - name: kyverno_data_protection_tests -policies: -- ../kasten-immutable-location-profile.yaml -resources: -- immutable-location-profile.yaml -results: -- kind: Profile - policy: kasten-immutable-location-profile - resources: - - sample-location-profile-invalid - result: fail - rule: kasten-immutable-location-profile -- kind: Profile - policy: kasten-immutable-location-profile - resources: - - sample-location-profile - result: pass - rule: kasten-immutable-location-profile diff --git a/kasten/kasten-immutable-location-profile/artifacthub-pkg.yml b/kasten/kasten-immutable-location-profile/artifacthub-pkg.yml deleted file mode 100644 index 2f2e0cff9..000000000 --- a/kasten/kasten-immutable-location-profile/artifacthub-pkg.yml +++ /dev/null 
@@ -1,25 +0,0 @@ -name: kasten-immutable-location-profile -version: 1.0.1 -displayName: Check Kasten Location Profile is Immutable -createdAt: "2023-05-07T00:00:00.000Z" -description: >- - Veeam Kasten supports backup of Kubernetes applications to repositories, called Location Profiles, with immutability enabled. This can prevent inadvertent or malicious deletion of backup data. This policy validates that immutability is enabled on Location Profiles. - - Refer to Kasten documentation for details on supported platforms and enabling immutability: https://docs.kasten.io -install: |- - ```shell - kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/kasten/kasten-immutable-location-profile/kasten-immutable-location-profile.yaml - ``` -keywords: - - kyverno - - Veeam Kasten -readme: | - Veeam Kasten supports backup of Kubernetes applications to repositories, called Location Profiles, with immutability enabled. This can prevent inadvertent or malicious deletion of backup data. This policy validates that immutability is enabled on Location Profiles. - - Refer to Kasten documentation for details on supported platforms and enabling immutability: https://docs.kasten.io - Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ -annotations: - kyverno/category: "Veeam Kasten" - kyverno/kubernetesVersion: "1.25-1.30" - kyverno/subject: "Profile" -digest: ce791f8a79f4ea61d34c8531b96bad640dd09b5b3d7958a3e0f67886c771a0a8 diff --git a/kasten/kasten-immutable-location-profile/kasten-immutable-location-profile.yaml b/kasten/kasten-immutable-location-profile/kasten-immutable-location-profile.yaml deleted file mode 100644 index fb327553a..000000000 --- a/kasten/kasten-immutable-location-profile/kasten-immutable-location-profile.yaml +++ /dev/null 
@@ -1,30 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: kasten-immutable-location-profile - annotations: - policies.kyverno.io/title: Check Kasten Location Profile is Immutable - policies.kyverno.io/category: Veeam Kasten - policies.kyverno.io/subject: config.kio.kasten.io/v1alpha1/Profile - kyverno.io/kyverno-version: 1.12.1 - policies.kyverno.io/minversion: 1.6.0 - kyverno.io/kubernetes-version: "1.25-1.30" - policies.kyverno.io/description: >- - Ensure Kasten Location Profiles have enabled immutability to prevent unintentional or malicious changes to backup data. -spec: - validationFailureAction: Audit - rules: - - name: kasten-immutable-location-profile - match: - resources: - kinds: - - Profile - validate: - message: >- - All Kasten Location Profiles must have immutability enabled. - pattern: - spec: - (type): Location - locationSpec: - objectStore: - protectionPeriod: "*" \ No newline at end of file diff --git a/kasten/kasten-minimum-retention/.chainsaw-test/chainsaw-test.yaml b/kasten/kasten-minimum-retention/.chainsaw-test/chainsaw-test.yaml deleted file mode 100755 index fbed4e96a..000000000 --- a/kasten/kasten-minimum-retention/.chainsaw-test/chainsaw-test.yaml +++ /dev/null @@ -1,26 +0,0 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json -apiVersion: chainsaw.kyverno.io/v1alpha1 -kind: Test -metadata: - creationTimestamp: null - name: kasten-minimum-retention -spec: - steps: - - name: step-01 - try: - - assert: - file: chainsaw-step-01-assert-1.yaml - - name: step-02 - try: - - apply: - file: ns.yaml - - apply: - file: ../kasten-minimum-retention.yaml - - assert: - file: policy-ready.yaml - - name: step-03 - try: - - apply: - file: kuttlresource.yaml - - assert: - file: resource-mutated.yaml 
diff --git a/kasten/kasten-minimum-retention/.chainsaw-test/ns.yaml b/kasten/kasten-minimum-retention/.chainsaw-test/ns.yaml deleted file mode 100644 index 9fdbec7b2..000000000 --- a/kasten/kasten-minimum-retention/.chainsaw-test/ns.yaml +++ /dev/null @@ -1,4 +0,0 @@ -apiVersion: v1 -kind: Namespace -metadata: - name: kasten-minimum-retention \ No newline at end of file diff --git a/kasten/kasten-minimum-retention/.chainsaw-test/policy-ready.yaml b/kasten/kasten-minimum-retention/.chainsaw-test/policy-ready.yaml deleted file mode 100644 index 927882ff9..000000000 --- a/kasten/kasten-minimum-retention/.chainsaw-test/policy-ready.yaml +++ /dev/null @@ -1,9 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: kasten-minimum-retention -status: - conditions: - - reason: Succeeded - status: "True" - type: Ready \ No newline at end of file diff --git a/kasten/kasten-minimum-retention/.kyverno-test/kasten-hourly-policy.yaml b/kasten/kasten-minimum-retention/.kyverno-test/kasten-hourly-policy.yaml deleted file mode 100644 index 94db9932e..000000000 --- a/kasten/kasten-minimum-retention/.kyverno-test/kasten-hourly-policy.yaml +++ /dev/null @@ -1,35 +0,0 @@ -apiVersion: config.kio.kasten.io/v1alpha1 -kind: Policy -metadata: - name: hourly-policy - namespace: kasten-io - labels: - appPriority: Mission-Critical -spec: - comment: My sample custom backup policy - frequency: '@hourly' - subFrequency: - minutes: [30] - hours: [22,7] - weekdays: [5] - days: [15] - retention: - daily: 14 - weekly: 4 - monthly: 6 - actions: - - action: backup - - action: export - exportParameters: - frequency: '@monthly' - profile: - name: my-profile - namespace: kasten-io - exportData: - enabled: true - retention: - monthly: 12 - yearly: 5 - selector: - matchLabels: - k10.kasten.io/appNamespace: sampleApp \ No newline at end of file 
diff --git a/kasten/kasten-minimum-retention/.kyverno-test/kasten-skipped-policies.yaml b/kasten/kasten-minimum-retention/.kyverno-test/kasten-skipped-policies.yaml deleted file mode 100644 index 73f735abc..000000000 --- a/kasten/kasten-minimum-retention/.kyverno-test/kasten-skipped-policies.yaml +++ /dev/null @@ -1,33 +0,0 @@ -apiVersion: config.kio.kasten.io/v1alpha1 -kind: Policy -metadata: - name: preset-policy - namespace: kasten-io - labels: - appPriority: Mission-Critical -spec: - comment: My sample custom backup policy - presetRef: - name: mypreset - namespace: kasten-io - actions: - - action: backup - selector: - matchLabels: - k10.kasten.io/appNamespace: sampleApp ---- -apiVersion: config.kio.kasten.io/v1alpha1 -kind: Policy -metadata: - name: ondemand-policy - namespace: kasten-io - labels: - appPriority: Mission-Critical -spec: - comment: My sample custom backup policy - frequency: '@onDemand' - actions: - - action: backup - selector: - matchLabels: - k10.kasten.io/appNamespace: sampleApp \ No newline at end of file diff --git a/kasten/kasten-minimum-retention/.kyverno-test/kyverno-test.yaml b/kasten/kasten-minimum-retention/.kyverno-test/kyverno-test.yaml deleted file mode 100644 index 606bdee55..000000000 --- a/kasten/kasten-minimum-retention/.kyverno-test/kyverno-test.yaml +++ /dev/null @@ -1,29 +0,0 @@ -apiVersion: cli.kyverno.io/v1alpha1 -kind: Test -metadata: - name: kyverno_data_protection_tests -policies: -- ../kasten-minimum-retention.yaml -resources: -- kasten-skipped-policies.yaml -- kasten-hourly-policy.yaml -results: -- kind: Policy - patchedResource: patched.yaml - policy: kasten-minimum-retention - resources: - - hourly-policy - result: pass - rule: kasten-minimum-retention -- kind: Policy - policy: kasten-minimum-retention - resources: - - ondemand-policy - result: skip - rule: kasten-minimum-retention -- kind: Policy - policy: kasten-minimum-retention - resources: - - preset-policy - result: skip - rule: kasten-minimum-retention 
diff --git a/kasten/kasten-minimum-retention/artifacthub-pkg.yml b/kasten/kasten-minimum-retention/artifacthub-pkg.yml
deleted file mode 100644
index 51b74f6d0..000000000
--- a/kasten/kasten-minimum-retention/artifacthub-pkg.yml
+++ /dev/null
@@ -1,20 +0,0 @@ -name: kasten-minimum-retention -version: 1.0.1 -displayName: Set Kasten Policy Minimum Backup Retention -createdAt: "2023-05-07T00:00:00.000Z" -description: >- - Example Kyverno policy to enforce common compliance retention standards by modifying Kasten Policy backup retention settings. Based on regulation/compliance standard requirements, uncomment (1) of the desired GFS retention schedules to mutate existing and future Kasten Policies. Alternatively, this policy can be used to reduce retention lengths to enforce cost optimization. NOTE: This example only applies to Kasten Policies with an '@hourly' frequency. Refer to Kasten documentation for Policy API specification if modifications are necessary: https://docs.kasten.io/latest/api/policies.html#policy-api-type -install: |- - ```shell - kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/kasten/kasten-minimum-retention/kasten-minimum-retention.yaml - ``` -keywords: - - kyverno - - Veeam Kasten -readme: | - Example Kyverno policy to enforce common compliance retention standards by modifying Kasten Policy backup retention settings. Based on regulation/compliance standard requirements, uncomment (1) of the desired GFS retention schedules to mutate existing and future Kasten Policies. Alternatively, this policy can be used to reduce retention lengths to enforce cost optimization. NOTE: This example only applies to Kasten Policies with an '@hourly' frequency. Refer to Kasten documentation for Policy API specification if modifications are necessary: https://docs.kasten.io/latest/api/policies.html#policy-api-type -annotations: - kyverno/category: "Veeam Kasten" - kyverno/kubernetesVersion: "1.24-1.30" - kyverno/subject: "Policy" -digest: e394e005816521b6157a1ef4a0c9757bca956dd706f6a82746fe661c7938d61f 
diff --git a/kasten/kasten-minimum-retention/kasten-minimum-retention.yaml b/kasten/kasten-minimum-retention/kasten-minimum-retention.yaml
deleted file mode 100644
index 1a21d7c81..000000000
--- a/kasten/kasten-minimum-retention/kasten-minimum-retention.yaml
+++ /dev/null
@@ -1,81 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: kasten-minimum-retention - annotations: - policies.kyverno.io/title: Set Kasten Policy Minimum Backup Retention - policies.kyverno.io/category: Veeam Kasten - kyverno.io/kyverno-version: 1.12.1 - policies.kyverno.io/minversion: 1.6.2 - kyverno.io/kubernetes-version: "1.24-1.30" - policies.kyverno.io/subject: Policy - policies.kyverno.io/description: >- - Example Kyverno policy to enforce common compliance retention standards by modifying Kasten Policy backup retention settings. Based on regulation/compliance standard requirements, uncomment (1) of the desired GFS retention schedules to mutate existing and future Kasten Policies. Alternatively, this policy can be used to reduce retention lengths to enforce cost optimization. NOTE: This example only applies to Kasten Policies with an '@hourly' frequency. Refer to Kasten documentation for Policy API specification if modifications are necessary: https://docs.kasten.io/latest/api/policies.html#policy-api-type -spec: - schemaValidation: false - rules: - - name: kasten-minimum-retention - match: - any: - - resources: - kinds: - - config.kio.kasten.io/v1alpha1/Policy - preconditions: - all: - # Match only @hourly policies that do not use policy presets, as the - # number of retained artifacts can only be specified for frequencies - # of the same or lower granularity than the policy frequency. For example, - # if the policy frequency is '@daily', then retention can have values for - # 'daily', 'weekly', 'monthly' and 'yearly', but not for 'hourly'. - # If the policy frequency is 'hourly', then all retention values are - # allowed. If the policy frequency is '@onDemand' or policy preset is used - # then retention values are not allowed. 
- - key: "{{ request.object.spec.frequency || ''}}" - operator: Equals - value: '@hourly' - mutate: - # Federal Information Security Management Act (FISMA): 3 Years - #patchesJson6902: |- - # - path: "/spec/retention" - # op: replace - # value: {"hourly":24,"daily":30,"weekly":4,"monthly":12,"yearly":3} - - # Health Insurance Portability and Accountability Act (HIPAA): 6 Years - #patchesJson6902: |- - # - path: "/spec/retention" - # op: replace - # value: {"hourly":24,"daily":30,"weekly":4,"monthly":12,"yearly":6} - - # National Energy Commission (NERC): 3 to 6 Years - #patchesJson6902: |- - # - path: "/spec/retention" - # op: replace - # value: {"hourly":24,"daily":30,"weekly":4,"monthly":12,"yearly":3} - - # Basel II Capital Accord: 3 to 7 Years - #patchesJson6902: |- - # - path: "/spec/retention" - # op: replace - # value: {"hourly":24,"daily":30,"weekly":4,"monthly":12,"yearly":3} - - # Sarbanes-Oxley Act of 2002 (SOX): 7 Years - #patchesJson6902: |- - # - path: "/spec/retention" - # op: replace - # value: {"hourly":24,"daily":30,"weekly":4,"monthly":12,"yearly":7} - - # National Industrial Security Program Operating Manual (NISPOM): 6 to 12 Months - #patchesJson6902: |- - # - path: "/spec/retention" - # op: replace - # value: {"hourly":24,"daily":30,"weekly":4,"monthly":6} - - # Cost Optimization (Maximum Retention: 3 Months) - patchesJson6902: |- - - path: "/spec/retention" - op: replace - value: - hourly: 24 - daily: 30 - weekly: 4 - monthly: 3 diff --git a/kasten/kasten-validate-ns-by-preset-label/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/kasten/kasten-validate-ns-by-preset-label/.chainsaw-test/chainsaw-step-01-assert-1.yaml deleted file mode 100755 index 03a661f34..000000000 --- a/kasten/kasten-validate-ns-by-preset-label/.chainsaw-test/chainsaw-step-01-assert-1.yaml +++ /dev/null 
@@ -1,9 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: kasten-validate-ns-by-preset-label -status: - conditions: - - reason: Succeeded - status: "True" - type: Ready diff --git a/kasten/kasten-validate-ns-by-preset-label/.chainsaw-test/chainsaw-test.yaml b/kasten/kasten-validate-ns-by-preset-label/.chainsaw-test/chainsaw-test.yaml deleted file mode 100755 index 2392f6c10..000000000 --- a/kasten/kasten-validate-ns-by-preset-label/.chainsaw-test/chainsaw-test.yaml +++ /dev/null @@ -1,33 +0,0 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json -apiVersion: chainsaw.kyverno.io/v1alpha1 -kind: Test -metadata: - creationTimestamp: null - name: kasten-validate-ns-by-preset-label -spec: - steps: - - name: step-01 - try: - - apply: - file: ../kasten-validate-ns-by-preset-label.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: kasten-validate-ns-by-preset-label - spec: - validationFailureAction: Enforce - - assert: - file: chainsaw-step-01-assert-1.yaml - - assert: - file: chainsaw-step-01-assert-2.yaml - - name: step-02 - try: - - apply: - file: ns-good.yaml - - apply: - expect: - - check: - ($error != null): true - file: ns-bad.yaml diff --git a/kasten/kasten-validate-ns-by-preset-label/.chainsaw-test/ns-bad.yaml b/kasten/kasten-validate-ns-by-preset-label/.chainsaw-test/ns-bad.yaml deleted file mode 100644 index baf81215b..000000000 --- a/kasten/kasten-validate-ns-by-preset-label/.chainsaw-test/ns-bad.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: v1 -kind: Namespace -metadata: - name: k10-validatens-badns01 - labels: - dataprotection: foo-bar ---- -apiVersion: v1 -kind: Namespace -metadata: - name: k10-validatens-badns02 \ No newline at end of file 
diff --git a/kasten/kasten-validate-ns-by-preset-label/.chainsaw-test/ns-good.yaml b/kasten/kasten-validate-ns-by-preset-label/.chainsaw-test/ns-good.yaml deleted file mode 100644 index f9fcdc245..000000000 --- a/kasten/kasten-validate-ns-by-preset-label/.chainsaw-test/ns-good.yaml +++ /dev/null @@ -1,27 +0,0 @@ -apiVersion: v1 -kind: Namespace -metadata: - name: k10-validatens-goodns01 - labels: - dataprotection: gold ---- -apiVersion: v1 -kind: Namespace -metadata: - name: k10-validatens-goodns02 - labels: - dataprotection: silver ---- -apiVersion: v1 -kind: Namespace -metadata: - name: k10-validatens-goodns03 - labels: - dataprotection: bronze ---- -apiVersion: v1 -kind: Namespace -metadata: - name: k10-validatens-goodns04 - labels: - dataprotection: none \ No newline at end of file diff --git a/kasten/kasten-validate-ns-by-preset-label/.kyverno-test/kyverno-test.yaml b/kasten/kasten-validate-ns-by-preset-label/.kyverno-test/kyverno-test.yaml deleted file mode 100644 index e86059a13..000000000 --- a/kasten/kasten-validate-ns-by-preset-label/.kyverno-test/kyverno-test.yaml +++ /dev/null @@ -1,24 +0,0 @@ -apiVersion: cli.kyverno.io/v1alpha1 -kind: Test -metadata: - name: kasten-validate-ns-by-preset-label-test -policies: -- ../kasten-validate-ns-by-preset-label.yaml -resources: -- test-resource.yaml -results: -- kind: Namespace - policy: kasten-validate-ns-by-preset-label - resources: - - namespace-invalid - result: fail - rule: kasten-validate-ns-by-preset-label -- kind: Namespace - policy: kasten-validate-ns-by-preset-label - resources: - - namespace-gold - - namespace-silver - - namespace-bronze - - namespace-none - result: pass - rule: kasten-validate-ns-by-preset-label diff --git a/kasten/kasten-validate-ns-by-preset-label/.kyverno-test/test-resource.yaml b/kasten/kasten-validate-ns-by-preset-label/.kyverno-test/test-resource.yaml deleted file mode 100644 index f5dc36f2b..000000000 
--- a/kasten/kasten-validate-ns-by-preset-label/.kyverno-test/test-resource.yaml +++ /dev/null @@ -1,32 +0,0 @@ -apiVersion: v1 -kind: Namespace -metadata: - name: namespace-gold - labels: - dataprotection: gold ---- -apiVersion: v1 -kind: Namespace -metadata: - name: namespace-silver - labels: - dataprotection: silver ---- -apiVersion: v1 -kind: Namespace -metadata: - name: namespace-bronze - labels: - dataprotection: bronze ---- -apiVersion: v1 -kind: Namespace -metadata: - name: namespace-none - labels: - dataprotection: none ---- -apiVersion: v1 -kind: Namespace -metadata: - name: namespace-invalid \ No newline at end of file diff --git a/kasten/kasten-validate-ns-by-preset-label/artifacthub-pkg.yml b/kasten/kasten-validate-ns-by-preset-label/artifacthub-pkg.yml deleted file mode 100644 index c94a9ede3..000000000 --- a/kasten/kasten-validate-ns-by-preset-label/artifacthub-pkg.yml +++ /dev/null 
@@ -1,30 +0,0 @@ -name: kasten-validate-ns-by-preset-label -version: 1.0.1 -displayName: Validate Data Protection with Kasten Preset Label -createdAt: "2023-05-07T00:00:00.000Z" -description: >- - Kubernetes applications are typically deployed into a single, logical namespace. - Veeam Kasten policies will discover and protect all resources within the selected namespace(s). - This policy ensures all new namespaces include a label referencing a valid Kasten SLA - (Policy Preset) for data protection.This policy can be used in combination with /Users/the `kasten-generate-policy-by-preset-label` ClusterPolicy to automatically create a Kasten policy based on the specified SLA. - The combination ensures that new applications are not inadvertently left unprotected. -install: |- - ```shell - kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/kasten/kasten-validate-ns-by-preset-label/kasten-validate-ns-by-preset-label.yaml - ``` -keywords: - - kyverno - - Veeam Kasten -readme: | - Kubernetes applications are typically deployed into a single, logical namespace. - Veeam Kasten policies will discover and protect all resources within the selected namespace(s). - This policy ensures all new namespaces include a label referencing a valid Kasten SLA - (Policy Preset) for data protection.This policy can be used in combination with /Users/the `kasten-generate-policy-by-preset-label` ClusterPolicy to automatically create a Kasten policy based on the specified SLA. - The combination ensures that new applications are not inadvertently left unprotected. - - Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ -annotations: - kyverno/category: "Veeam Kasten" - kyverno/kubernetesVersion: "1.25-1.30" - kyverno/subject: "Namespace" -digest: 3252bfa88a6975af4159acf098d5004e786889509c0fc17f25bad97b8f24e78e 
diff --git a/kasten/kasten-validate-ns-by-preset-label/kasten-validate-ns-by-preset-label.yaml b/kasten/kasten-validate-ns-by-preset-label/kasten-validate-ns-by-preset-label.yaml deleted file mode 100644 index c26da7c05..000000000 --- a/kasten/kasten-validate-ns-by-preset-label/kasten-validate-ns-by-preset-label.yaml +++ /dev/null @@ -1,39 +0,0 @@ -#NOTE: This example assumes that Kasten policy presets named "gold", "silver", and "bronze" have been pre-created and Kasten was deployed into the `kasten-io` namespace. -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: kasten-validate-ns-by-preset-label - annotations: - policies.kyverno.io/title: Validate Data Protection with Kasten Preset Label - policies.kyverno.io/category: Veeam Kasten - policies.kyverno.io/subject: Namespace - kyverno.io/kyverno-version: 1.12.1 - policies.kyverno.io/minversion: 1.9.0 - kyverno.io/kubernetes-version: "1.24-1.30" - policies.kyverno.io/description: >- - Kubernetes applications are typically deployed into a single, logical namespace. - Veeam Kasten policies will discover and protect all resources within the selected namespace(s). - This policy ensures all new namespaces include a label referencing a valid Kasten SLA - (Policy Preset) for data protection.This policy can be used in combination with /Users/the `kasten-generate-policy-by-preset-label` ClusterPolicy to automatically create a Kasten policy based on the specified SLA. - The combination ensures that new applications are not inadvertently left unprotected. -spec: - validationFailureAction: Audit - rules: - - name: kasten-validate-ns-by-preset-label - match: - any: - - resources: - kinds: - - Namespace - validate: - message: >- - Namespaces must specify a "dataprotection" label with a value corresponding to a Kasten Policy Preset: - - "gold" - - "silver" - - "bronze" - - "none" - No local snapshots or backups - pattern: - metadata: - labels: - dataprotection: gold|silver|bronze|none \ No newline at end of file 
diff --git a/kubecost-cel/require-kubecost-labels/.chainsaw-test/chainsaw-test.yaml b/kubecost-cel/require-kubecost-labels/.chainsaw-test/chainsaw-test.yaml deleted file mode 100755 index f948a1a98..000000000 --- a/kubecost-cel/require-kubecost-labels/.chainsaw-test/chainsaw-test.yaml +++ /dev/null @@ -1,38 +0,0 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json -apiVersion: chainsaw.kyverno.io/v1alpha1 -kind: Test -metadata: - creationTimestamp: null - name: require-kubecost-labels -spec: - steps: - - name: step-01 - try: - - apply: - file: ../require-kubecost-labels.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: require-kubecost-labels - spec: - validationFailureAction: Enforce - - assert: - file: policy-ready.yaml - - name: step-02 - try: - - apply: - file: pod-good.yaml - - apply: - file: podcontroller-good.yaml - - apply: - expect: - - check: - ($error != null): true - file: pod-bad.yaml - - apply: - expect: - - check: - ($error != null): true - file: podcontroller-bad.yaml diff --git a/kubecost-cel/require-kubecost-labels/.chainsaw-test/pod-bad.yaml b/kubecost-cel/require-kubecost-labels/.chainsaw-test/pod-bad.yaml deleted file mode 100644 index cb03ac87a..000000000 --- a/kubecost-cel/require-kubecost-labels/.chainsaw-test/pod-bad.yaml +++ /dev/null 
@@ -1,37 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - labels: - foo: bar - name: badpod01 -spec: - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: v1 -kind: Pod -metadata: - labels: - foo: bar - env: foo - name: badpod02 -spec: - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: v1 -kind: Pod -metadata: - labels: - foo: bar - owner: foo - team: bar - department: foo - app: bar - name: badpod03 -spec: - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 \ No newline at end of file diff --git a/kubecost-cel/require-kubecost-labels/.chainsaw-test/pod-good.yaml b/kubecost-cel/require-kubecost-labels/.chainsaw-test/pod-good.yaml deleted file mode 100644 index 88be8ab2f..000000000 --- a/kubecost-cel/require-kubecost-labels/.chainsaw-test/pod-good.yaml +++ /dev/null @@ -1,15 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - labels: - foo: bar - owner: foo - team: bar - department: foo - app: bar - env: foo - name: goodpod01 -spec: - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 \ No newline at end of file diff --git a/kubecost-cel/require-kubecost-labels/.chainsaw-test/podcontroller-bad.yaml b/kubecost-cel/require-kubecost-labels/.chainsaw-test/podcontroller-bad.yaml deleted file mode 100644 index a328233b8..000000000 --- a/kubecost-cel/require-kubecost-labels/.chainsaw-test/podcontroller-bad.yaml +++ /dev/null 
@@ -1,82 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app: busybox - name: baddeploy01 -spec: - replicas: 1 - selector: - matchLabels: - foo: bar - template: - metadata: - labels: - foo: bar - spec: - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app: busybox - name: baddeploy02 -spec: - replicas: 1 - selector: - matchLabels: - owner: "foo" - template: - metadata: - labels: - owner: "foo" - spec: - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob01 -spec: - schedule: "* * * * *" - jobTemplate: - spec: - template: - metadata: - labels: - foo: bar - spec: - containers: - - name: hello - image: ghcr.io/kyverno/test-busybox:1.35 - command: - - "sleep" - - "3600" - restartPolicy: OnFailure ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob02 -spec: - schedule: "* * * * *" - jobTemplate: - spec: - template: - metadata: - labels: - owner: "foo" - team: "foo" - spec: - containers: - - name: hello - image: ghcr.io/kyverno/test-busybox:1.35 - command: - - "sleep" - - "3600" - restartPolicy: OnFailure \ No newline at end of file diff --git a/kubecost-cel/require-kubecost-labels/.chainsaw-test/podcontroller-good.yaml b/kubecost-cel/require-kubecost-labels/.chainsaw-test/podcontroller-good.yaml deleted file mode 100644 index 20f3f43c5..000000000 --- a/kubecost-cel/require-kubecost-labels/.chainsaw-test/podcontroller-good.yaml +++ /dev/null 
@@ -1,99 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app: busybox - name: gooddeploy01 -spec: - replicas: 1 - selector: - matchLabels: - app: busybox - template: - metadata: - labels: - app: busybox - owner: "foo" - team: "foo" - department: "foo" - env: "foo" - spec: - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app: busybox - name: gooddeploy02 -spec: - replicas: 1 - selector: - matchLabels: - app: busybox - template: - metadata: - labels: - app: busybox - owner: "foo" - team: "foo" - department: "foo" - env: "foo" - foo: bar - spec: - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob01 -spec: - schedule: "* * * * *" - jobTemplate: - spec: - template: - metadata: - labels: - owner: "foo" - team: "foo" - department: "foo" - app: "foo" - env: "foo" - spec: - containers: - - name: hello - image: ghcr.io/kyverno/test-busybox:1.35 - command: - - "sleep" - - "3600" - restartPolicy: OnFailure ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob02 -spec: - schedule: "* * * * *" - jobTemplate: - spec: - template: - metadata: - labels: - owner: "foo" - team: "foo" - department: "foo" - app: "foo" - env: "foo" - foo: bar - spec: - containers: - - name: hello - image: ghcr.io/kyverno/test-busybox:1.35 - command: - - "sleep" - - "3600" - restartPolicy: OnFailure \ No newline at end of file diff --git a/kubecost-cel/require-kubecost-labels/.chainsaw-test/policy-ready.yaml b/kubecost-cel/require-kubecost-labels/.chainsaw-test/policy-ready.yaml deleted file mode 100755 index 59d82a83b..000000000 --- a/kubecost-cel/require-kubecost-labels/.chainsaw-test/policy-ready.yaml +++ /dev/null 
@@ -1,9 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: require-kubecost-labels -status: - conditions: - - reason: Succeeded - status: "True" - type: Ready diff --git a/kubecost-cel/require-kubecost-labels/.kyverno-test/kyverno-test.yaml b/kubecost-cel/require-kubecost-labels/.kyverno-test/kyverno-test.yaml deleted file mode 100644 index 41e2fbf5f..000000000 --- a/kubecost-cel/require-kubecost-labels/.kyverno-test/kyverno-test.yaml +++ /dev/null @@ -1,25 +0,0 @@ -apiVersion: cli.kyverno.io/v1alpha1 -kind: Test -metadata: - name: require-kubecost-labels -policies: -- ../require-kubecost-labels.yaml -resources: -- resource.yaml -results: -- kind: Pod - policy: require-kubecost-labels - resources: - - badpod01 - - badpod02 - - badpod03 - - badpod04 - - badpod05 - result: fail - rule: require-labels -- kind: Pod - policy: require-kubecost-labels - resources: - - goodpod - result: pass - rule: require-labels diff --git a/kubecost-cel/require-kubecost-labels/.kyverno-test/resource.yaml b/kubecost-cel/require-kubecost-labels/.kyverno-test/resource.yaml deleted file mode 100644 index 17ab732f0..000000000 --- a/kubecost-cel/require-kubecost-labels/.kyverno-test/resource.yaml +++ /dev/null 
@@ -1,73 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: goodpod - labels: - owner: John Doe - team: falcon - department: eng - app: redis - env: prod2 -spec: - containers: - - image: busybox:1.35 - name: busybox ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod01 -spec: - containers: - - image: busybox:1.35 - name: busybox ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod02 - labels: - owner: John Doe -spec: - containers: - - image: busybox:1.35 - name: busybox ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod03 - labels: - owner: John Doe - team: falcon -spec: - containers: - - image: busybox:1.35 - name: busybox ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod04 - labels: - owner: John Doe - team: falcon - department: eng -spec: - containers: - - image: busybox:1.35 - name: busybox ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod05 - labels: - owner: John Doe - team: falcon - department: eng - app: redis -spec: - containers: - - image: busybox:1.35 - name: busybox diff --git a/kubecost-cel/require-kubecost-labels/artifacthub-pkg.yml b/kubecost-cel/require-kubecost-labels/artifacthub-pkg.yml deleted file mode 100644 index 025d7822c..000000000 --- a/kubecost-cel/require-kubecost-labels/artifacthub-pkg.yml +++ /dev/null 
@@ -1,24 +0,0 @@ -name: require-kubecost-labels-cel -version: 1.0.0 -displayName: Require Kubecost Labels in CEL expressions -description: >- - Kubecost can use labels assigned to Pods in order to track and display cost allocation in a granular way. These labels, which can be customized, can be used to organize and group workloads in different ways. This policy requires that the labels `owner`, `team`, `department`, `app`, and `env` are all defined on Pods. With Kyverno autogen enabled (absence of the annotation `pod-policies.kyverno.io/autogen-controllers=none`), these labels will also be required for all Pod controllers. -install: |- - ```shell - kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/kubecost-cel/require-kubecost-labels/require-kubecost-labels.yaml - ``` -keywords: - - kyverno - - Kubecost - - CEL Expressions -readme: | - Kubecost can use labels assigned to Pods in order to track and display cost allocation in a granular way. These labels, which can be customized, can be used to organize and group workloads in different ways. This policy requires that the labels `owner`, `team`, `department`, `app`, and `env` are all defined on Pods. With Kyverno autogen enabled (absence of the annotation `pod-policies.kyverno.io/autogen-controllers=none`), these labels will also be required for all Pod controllers. - - Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ -annotations: - kyverno/category: "Kubecost in CEL" - kyverno/kubernetesVersion: "1.26-1.27" - kyverno/subject: "Pod,Label" -digest: 5b50102fc3a29abc915d2a81baee4335a505b3dc749057a310197b0442409a88 -createdAt: "2024-05-12T06:59:59Z" - diff --git a/kubecost-cel/require-kubecost-labels/require-kubecost-labels.yaml b/kubecost-cel/require-kubecost-labels/require-kubecost-labels.yaml deleted file mode 100644 index 02cb6a58c..000000000 
--- a/kubecost-cel/require-kubecost-labels/require-kubecost-labels.yaml +++ /dev/null @@ -1,42 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: require-kubecost-labels - annotations: - policies.kyverno.io/title: Require Kubecost Labels in CEL expressions - policies.kyverno.io/category: Kubecost in CEL - policies.kyverno.io/severity: medium - policies.kyverno.io/subject: Pod, Label - kyverno.io/kyverno-version: 1.11.0 - kyverno.io/kubernetes-version: "1.26-1.27" - policies.kyverno.io/description: >- - Kubecost can use labels assigned to Pods in order to track and display - cost allocation in a granular way. These labels, which can be customized, can be used - to organize and group workloads in different ways. This policy requires that the labels - `owner`, `team`, `department`, `app`, and `env` are all defined on Pods. With Kyverno - autogen enabled (absence of the annotation `pod-policies.kyverno.io/autogen-controllers=none`), - these labels will also be required for all Pod controllers. -spec: - validationFailureAction: Audit - background: true - rules: - - name: require-labels - match: - any: - - resources: - kinds: - - Pod - operations: - - CREATE - - UPDATE - validate: - cel: - expressions: - - expression: >- - object.metadata.?labels.?owner.orValue('') != '' && - object.metadata.?labels.?team.orValue('') != '' && - object.metadata.?labels.?department.orValue('') != '' && - object.metadata.?labels.?app.orValue('') != '' && - object.metadata.?labels.?env.orValue('') != '' - message: "The Kubecost labels `owner`, `team`, `department`, `app`, and `env` are all required for Pods." - diff --git a/kubecost/enable-kubecost-continuous-rightsizing/.chainsaw-test/chainsaw-test.yaml b/kubecost/enable-kubecost-continuous-rightsizing/.chainsaw-test/chainsaw-test.yaml index b09dd1a2f..76e73f291 100755 --- a/kubecost/enable-kubecost-continuous-rightsizing/.chainsaw-test/chainsaw-test.yaml 
+++ b/kubecost/enable-kubecost-continuous-rightsizing/.chainsaw-test/chainsaw-test.yaml
@@ -1,4 +1,3 @@
-# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
 apiVersion: chainsaw.kyverno.io/v1alpha1
 kind: Test
 metadata:
diff --git a/kubecost/enable-kubecost-continuous-rightsizing/.chainsaw-test/not-patched-deploy.yaml b/kubecost/enable-kubecost-continuous-rightsizing/.chainsaw-test/not-patched-deploy.yaml
index 60c8c9d59..8bb4eed17 100644
--- a/kubecost/enable-kubecost-continuous-rightsizing/.chainsaw-test/not-patched-deploy.yaml
+++ b/kubecost/enable-kubecost-continuous-rightsizing/.chainsaw-test/not-patched-deploy.yaml
@@ -18,7 +18,7 @@ spec:
 app: busybox
 spec:
 containers:
- - image: ghcr.io/kyverno/test-busybox:1.35
+ - image: busybox:1.35
 name: busybox
 command: ["sleep", "9999"]
 resources:
diff --git a/kubecost/enable-kubecost-continuous-rightsizing/.chainsaw-test/policy-ready.yaml b/kubecost/enable-kubecost-continuous-rightsizing/.chainsaw-test/policy-ready.yaml
index 2de9a7249..067df0230 100644
--- a/kubecost/enable-kubecost-continuous-rightsizing/.chainsaw-test/policy-ready.yaml
+++ b/kubecost/enable-kubecost-continuous-rightsizing/.chainsaw-test/policy-ready.yaml
@@ -3,7 +3,4 @@ kind: ClusterPolicy
 metadata:
 name: enable-kubecost-continuous-rightsizing
 status:
- conditions:
- - reason: Succeeded
- status: "True"
- type: Ready
+ ready: true
\ No newline at end of file
diff --git a/kubecost/require-kubecost-labels/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/kubecost/require-kubecost-labels/.chainsaw-test/chainsaw-step-01-assert-1.yaml
index 59d82a83b..ed44c7cf3 100755
--- a/kubecost/require-kubecost-labels/.chainsaw-test/chainsaw-step-01-assert-1.yaml
+++ b/kubecost/require-kubecost-labels/.chainsaw-test/chainsaw-step-01-assert-1.yaml
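Review bot: The image reference on the new side of the not-patched-deploy.yaml hunk, `busybox:1.35`, is a mutable tag resolved against the default registry, whereas the removed `ghcr.io/kyverno/test-busybox:1.35` lived under the project's own namespace; the same swap is made in pod-bad.yaml, pod-good.yaml and podcontroller-bad.yaml further down. A floating tag can be re-pointed upstream at any time and anonymous Docker Hub pulls are rate-limited on shared CI runners, so fixture behaviour can change without any diff in this repository. If moving off ghcr.io is deliberate, pinning by digest keeps the fixture reproducible, e.g. `- image: busybox:1.35@sha256:<digest-of-the-intended-image>`, or a short comment above the line should say why a floating tag is acceptable for this test.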
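Review bot: The new assertion in policy-ready.yaml, `ready: true`, is coarser than the one it replaces: it no longer checks that the `Ready` condition is present with `reason: Succeeded`, and the same substitution is made in require-kubecost-labels/.chainsaw-test/chainsaw-step-01-assert-1.yaml. Kyverno's policy status carries both the boolean and `conditions`; if the Kyverno version these tests target treats the boolean as the legacy field in favour of `conditions`, the assert may stop being populated by a later release while still reading as a valid file. Keeping the condition alongside the boolean, `conditions:` / `- type: Ready` / `status: "True"`, preserves what the removed assert proved. The new policy-ready.yaml also drops its trailing newline (`\ No newline at end of file`), which is worth restoring for consistency with the sibling fixtures.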
@@ -3,7 +3,4 @@ kind: ClusterPolicy metadata: name: require-kubecost-labels status: - conditions: - - reason: Succeeded - status: "True" - type: Ready + ready: true diff --git a/kubecost/require-kubecost-labels/.chainsaw-test/chainsaw-test.yaml b/kubecost/require-kubecost-labels/.chainsaw-test/chainsaw-test.yaml index f9c73cfe7..528eed0d3 100755 --- a/kubecost/require-kubecost-labels/.chainsaw-test/chainsaw-test.yaml +++ b/kubecost/require-kubecost-labels/.chainsaw-test/chainsaw-test.yaml @@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: @@ -8,16 +7,9 @@ spec: steps: - name: step-01 try: - - apply: - file: ../require-kubecost-labels.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: require-kubecost-labels - spec: - validationFailureAction: Enforce + - script: + content: | + sed 's/validationFailureAction: Audit/validationFailureAction: Enforce/' ../require-kubecost-labels.yaml | kubectl create -f - - assert: file: chainsaw-step-01-assert-1.yaml - name: step-02 @@ -36,3 +28,10 @@ spec: - check: ($error != null): true file: podcontroller-bad.yaml + - name: step-99 + try: + - delete: + ref: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: require-kubecost-labels diff --git a/kubecost/require-kubecost-labels/.chainsaw-test/pod-bad.yaml b/kubecost/require-kubecost-labels/.chainsaw-test/pod-bad.yaml index cb03ac87a..68e1fe0a1 100644 --- a/kubecost/require-kubecost-labels/.chainsaw-test/pod-bad.yaml +++ b/kubecost/require-kubecost-labels/.chainsaw-test/pod-bad.yaml @@ -7,7 +7,7 @@ metadata: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod 
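Review bot: The ClusterPolicy created by the new `script` step (`sed ... | kubectl create -f -`) is not a chainsaw-tracked resource, so it is only removed if execution reaches `step-99`; if one of the step-02 applies fails, chainsaw stops there (as far as I can tell from its default step handling) and an Enforce-mode `require-kubecost-labels` policy stays on the cluster, rejecting unlabeled Pods created by every later test in the run. Moving the delete into step-01's `cleanup:` (or `finally:`) makes it run regardless of outcome. The `sed` substitution is also a silent no-op if the source file's `validationFailureAction` line ever changes, which would leave the policy in Audit and make the `($error != null)` expectations fail for a misleading reason; prefixing the pipeline with `grep -q 'validationFailureAction: Audit' ../require-kubecost-labels.yaml &&` turns that into an explicit failure. The body of step-02 lies between this hunk and the `step-99` hunk below.

```yaml
  - name: step-01
    try:
    - script:
        content: |
          grep -q 'validationFailureAction: Audit' ../require-kubecost-labels.yaml &&
          sed 's/validationFailureAction: Audit/validationFailureAction: Enforce/' ../require-kubecost-labels.yaml | kubectl create -f -
    # … unchanged: assert on chainsaw-step-01-assert-1.yaml …
    cleanup:
    - delete:
        ref:
          apiVersion: kyverno.io/v1
          kind: ClusterPolicy
          name: require-kubecost-labels
```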
@@ -19,7 +19,7 @@ metadata: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod @@ -34,4 +34,4 @@ metadata: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 \ No newline at end of file + image: busybox:1.35 \ No newline at end of file diff --git a/kubecost/require-kubecost-labels/.chainsaw-test/pod-good.yaml b/kubecost/require-kubecost-labels/.chainsaw-test/pod-good.yaml index 88be8ab2f..50ec73c0a 100644 --- a/kubecost/require-kubecost-labels/.chainsaw-test/pod-good.yaml +++ b/kubecost/require-kubecost-labels/.chainsaw-test/pod-good.yaml @@ -12,4 +12,4 @@ metadata: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 \ No newline at end of file + image: busybox:1.35 \ No newline at end of file diff --git a/kubecost/require-kubecost-labels/.chainsaw-test/podcontroller-bad.yaml b/kubecost/require-kubecost-labels/.chainsaw-test/podcontroller-bad.yaml index a328233b8..d8db785f5 100644 --- a/kubecost/require-kubecost-labels/.chainsaw-test/podcontroller-bad.yaml +++ b/kubecost/require-kubecost-labels/.chainsaw-test/podcontroller-bad.yaml @@ -8,7 +8,7 @@ spec: replicas: 1 selector: matchLabels: - foo: bar + app: busybox template: metadata: labels: @@ -16,7 +16,7 @@ spec: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: apps/v1 kind: Deployment @@ -28,7 +28,7 @@ spec: replicas: 1 selector: matchLabels: - owner: "foo" + app: busybox template: metadata: labels: @@ -36,7 +36,7 @@ spec: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: batch/v1 kind: CronJob @@ -53,7 +53,7 @@ spec: spec: containers: - name: hello - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 command: - "sleep" - "3600" 
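Review bot: `busybox:1.35` is an unqualified image reference: it is resolved through the container runtime's default registry (Docker Hub for most runtimes), is pulled anonymously against Docker Hub's rate limits, and will be refused on clusters that enforce a registry allowlist, so the fully-qualified `ghcr.io/kyverno/test-busybox:1.35` it replaces was the more predictable fixture; if Docker Hub is intended, spell it out as `docker.io/library/busybox:1.35` (a digest pin would go further). Separately, the negative checks for these Deployments accept any error (`($error != null): true` in the test file), so a fixture the API server rejects for an unrelated reason passes the test without the policy ever being exercised — the old `foo: bar` selector would likely have done exactly that, since a Deployment selector must match its template labels; checking that the error names the policy, e.g. `(contains($error, 'require-kubecost-labels')): true`, ties the rejection to the rule under test. The template labels these selectors must match are outside the hunk.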
@@ -75,7 +75,7 @@ spec: spec: containers: - name: hello - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 command: - "sleep" - "3600" diff --git a/kubecost/require-kubecost-labels/.chainsaw-test/podcontroller-good.yaml b/kubecost/require-kubecost-labels/.chainsaw-test/podcontroller-good.yaml index 20f3f43c5..4e85726df 100644 --- a/kubecost/require-kubecost-labels/.chainsaw-test/podcontroller-good.yaml +++ b/kubecost/require-kubecost-labels/.chainsaw-test/podcontroller-good.yaml @@ -20,7 +20,7 @@ spec: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: apps/v1 kind: Deployment @@ -45,7 +45,7 @@ spec: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: batch/v1 kind: CronJob @@ -66,7 +66,7 @@ spec: spec: containers: - name: hello - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 command: - "sleep" - "3600" @@ -92,7 +92,7 @@ spec: spec: containers: - name: hello - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 command: - "sleep" - "3600" diff --git a/kubeops/config-syncer-secret-generation-from-rancher-capi/.chainsaw-test/chainsaw-test.yaml b/kubeops/config-syncer-secret-generation-from-rancher-capi/.chainsaw-test/chainsaw-test.yaml index bf52d7bb1..b40b0a99e 100755 --- a/kubeops/config-syncer-secret-generation-from-rancher-capi/.chainsaw-test/chainsaw-test.yaml +++ b/kubeops/config-syncer-secret-generation-from-rancher-capi/.chainsaw-test/chainsaw-test.yaml @@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: @@ -12,8 +11,6 @@ spec: file: chainsaw-step-00-assert-1.yaml - name: step-01 try: - - apply: - file: permissions.yaml - apply: file: chainsaw-step-01-apply-1.yaml - apply: 
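Review bot: Dropping the `permissions.yaml` apply means the test now assumes the installed Kyverno already carries the aggregated ClusterRoles that file granted — get/list/watch on `provisioning.cattle.io` `clusters` and on Secrets for the admission, reports and background controllers, plus create/update/delete on Secrets for the background controller (visible in the deleted file below). If the CI cluster's Kyverno lacks them, the generate rule fails asynchronously and the failure surfaces only if a later step asserts on the generated Secret, which is outside this hunk. A cluster-wide Secret read/write grant to Kyverno is a deliberate security decision, so it should at least be stated as a prerequisite in the policy's `policies.kyverno.io/description` or README, e.g. `Requires Kyverno RBAC to read provisioning.cattle.io clusters and to get/list/watch and create/update/delete Secrets, aggregated to the background controller.`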
diff --git a/kubeops/config-syncer-secret-generation-from-rancher-capi/.chainsaw-test/permissions.yaml b/kubeops/config-syncer-secret-generation-from-rancher-capi/.chainsaw-test/permissions.yaml deleted file mode 100644 index ef3f1fbdd..000000000 --- a/kubeops/config-syncer-secret-generation-from-rancher-capi/.chainsaw-test/permissions.yaml +++ /dev/null @@ -1,51 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: kyverno:rancher:cluster - labels: - rbac.kyverno.io/aggregate-to-reports-controller: "true" - rbac.kyverno.io/aggregate-to-admission-controller: "true" - rbac.kyverno.io/aggregate-to-background-controller: "true" -rules: -- apiGroups: - - 'provisioning.cattle.io' - resources: - - clusters - verbs: - - get - - list - - watch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: kyverno:secrets:view - labels: - rbac.kyverno.io/aggregate-to-reports-controller: "true" - rbac.kyverno.io/aggregate-to-admission-controller: "true" - rbac.kyverno.io/aggregate-to-background-controller: "true" -rules: -- apiGroups: - - '' - resources: - - secrets - verbs: - - get - - list - - watch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: kyverno:secrets:manage - labels: - rbac.kyverno.io/aggregate-to-background-controller: "true" -rules: -- apiGroups: - - '' - resources: - - secrets - verbs: - - create - - update - - delete \ No newline at end of file diff --git a/kubeops/config-syncer-secret-generation-from-rancher-capi/.chainsaw-test/policy-ready.yaml b/kubeops/config-syncer-secret-generation-from-rancher-capi/.chainsaw-test/policy-ready.yaml index 407fa4ff4..08c867372 100644 --- a/kubeops/config-syncer-secret-generation-from-rancher-capi/.chainsaw-test/policy-ready.yaml +++ b/kubeops/config-syncer-secret-generation-from-rancher-capi/.chainsaw-test/policy-ready.yaml 
@@ -3,7 +3,4 @@ kind: ClusterPolicy metadata: name: config-syncer-secret-generation-from-rancher-capi status: - conditions: - - reason: Succeeded - status: "True" - type: Ready + ready: true \ No newline at end of file diff --git a/kubeops/config-syncer-secret-generation-from-rancher-capi/artifacthub-pkg.yml b/kubeops/config-syncer-secret-generation-from-rancher-capi/artifacthub-pkg.yml index 0b3e4f859..7d08b5010 100644 --- a/kubeops/config-syncer-secret-generation-from-rancher-capi/artifacthub-pkg.yml +++ b/kubeops/config-syncer-secret-generation-from-rancher-capi/artifacthub-pkg.yml @@ -19,4 +19,4 @@ annotations: kyverno/category: "Kubeops" kyverno/kubernetesVersion: "1.23" kyverno/subject: "Secret" -digest: 9ce7e5f048b29eeef789ebf868ed508a593a43a49b3ae76a8e031160779d77bf +digest: f45a05bf32cc4f14e962c58b62fbb69144d04a04a97abb08fe69e6c5843eb8e5 diff --git a/kubeops/config-syncer-secret-generation-from-rancher-capi/config-syncer-secret-generation-from-rancher-capi.yaml b/kubeops/config-syncer-secret-generation-from-rancher-capi/config-syncer-secret-generation-from-rancher-capi.yaml index bbe146fbd..4d2abb202 100644 --- a/kubeops/config-syncer-secret-generation-from-rancher-capi/config-syncer-secret-generation-from-rancher-capi.yaml +++ b/kubeops/config-syncer-secret-generation-from-rancher-capi/config-syncer-secret-generation-from-rancher-capi.yaml @@ -16,7 +16,7 @@ metadata: required by the Kubeops Config Syncer for it to sync ConfigMaps/Secrets from the Rancher management cluster to downstream clusters. spec: - generateExisting: true + generateExistingOnPolicyUpdate: true rules: - name: source-rancher-non-local-cluster-and-capi-secret match: diff --git a/kubevirt/add-services/.chainsaw-test/chainsaw-test.yaml b/kubevirt/add-services/.chainsaw-test/chainsaw-test.yaml index 65e704a8e..d834f3a9b 100755 --- a/kubevirt/add-services/.chainsaw-test/chainsaw-test.yaml +++ b/kubevirt/add-services/.chainsaw-test/chainsaw-test.yaml 
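Review bot: `generateExistingOnPolicyUpdate` is the older name of this field; newer Kyverno releases document `generateExisting` in its place and, as far as I recall, treat the old name as deprecated. On a Kyverno whose ClusterPolicy CRD no longer carries the old field, the API server prunes the unknown key silently and the policy is accepted with generation for existing resources effectively off — no Secret is synced for clusters that already exist and nothing reports it. If the older spelling is intentional (the `kyverno/kubernetesVersion: "1.23"` annotation in the artifacthub hunk suggests an older target), record the supported Kyverno range in the policy's `kyverno.io/kyverno-version` annotation, which is outside this hunk, and add a comment beside the field: `# generateExistingOnPolicyUpdate: older spelling of generateExisting, kept for the Kyverno release this policy targets`.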
@@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: @@ -12,8 +11,6 @@ spec: file: chainsaw-step-00-assert-1.yaml - name: step-01 try: - - apply: - file: permissions.yaml - apply: file: chainsaw-step-01-apply-1.yaml - name: step-02 diff --git a/kubevirt/add-services/.chainsaw-test/permissions.yaml b/kubevirt/add-services/.chainsaw-test/permissions.yaml deleted file mode 100644 index fe9aca75d..000000000 --- a/kubevirt/add-services/.chainsaw-test/permissions.yaml +++ /dev/null @@ -1,17 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: kyverno:kubevirt - labels: - rbac.kyverno.io/aggregate-to-reports-controller: "true" - rbac.kyverno.io/aggregate-to-admission-controller: "true" - rbac.kyverno.io/aggregate-to-background-controller: "true" -rules: -- apiGroups: - - kubevirt.io - resources: - - virtualmachineinstances - verbs: - - get - - list - - watch diff --git a/kubevirt/add-services/.chainsaw-test/policy-ready.yaml b/kubevirt/add-services/.chainsaw-test/policy-ready.yaml index b181997d3..230b1b098 100644 --- a/kubevirt/add-services/.chainsaw-test/policy-ready.yaml +++ b/kubevirt/add-services/.chainsaw-test/policy-ready.yaml @@ -3,7 +3,4 @@ kind: ClusterPolicy metadata: name: k6t-add-services status: - conditions: - - reason: Succeeded - status: "True" - type: Ready + ready: true \ No newline at end of file diff --git a/kubevirt/enforce-instancetype/.chainsaw-test/chainsaw-test.yaml b/kubevirt/enforce-instancetype/.chainsaw-test/chainsaw-test.yaml index b4c655980..8afa2f20b 100755 --- a/kubevirt/enforce-instancetype/.chainsaw-test/chainsaw-test.yaml +++ b/kubevirt/enforce-instancetype/.chainsaw-test/chainsaw-test.yaml 
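Review bot: With the `permissions.yaml` apply removed, the `k6t-add-services` test no longer grants Kyverno get/list/watch on `kubevirt.io` `virtualmachineinstances` (the deleted ClusterRole is shown below), so it depends on the CI Kyverno already having that aggregated role; if the policy's rules read VirtualMachineInstances, as the removed grant suggests, a missing role produces an RBAC error rather than a policy result. The prerequisite is worth stating in the policy's description or README, e.g. `Requires a ClusterRole aggregated to the Kyverno controllers granting get/list/watch on virtualmachineinstances.kubevirt.io.` The steps that exercise the policy are outside this hunk.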
@@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: diff --git a/kubevirt/enforce-instancetype/.chainsaw-test/policy-ready.yaml b/kubevirt/enforce-instancetype/.chainsaw-test/policy-ready.yaml index b6d6478a9..575119eb7 100644 --- a/kubevirt/enforce-instancetype/.chainsaw-test/policy-ready.yaml +++ b/kubevirt/enforce-instancetype/.chainsaw-test/policy-ready.yaml @@ -3,7 +3,4 @@ kind: ClusterPolicy metadata: name: k6t-enforce-instancetype status: - conditions: - - reason: Succeeded - status: "True" - type: Ready + ready: true \ No newline at end of file diff --git a/kubevirt/enforce-instancetype/.chainsaw-test/vm-bad.yaml b/kubevirt/enforce-instancetype/.chainsaw-test/vm-bad.yaml index 496a0e63a..78917c4a9 100644 --- a/kubevirt/enforce-instancetype/.chainsaw-test/vm-bad.yaml +++ b/kubevirt/enforce-instancetype/.chainsaw-test/vm-bad.yaml @@ -26,7 +26,7 @@ spec: terminationGracePeriodSeconds: 0 volumes: - containerDisk: - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 name: containerdisk - cloudInitNoCloud: userData: | diff --git a/kubevirt/enforce-instancetype/.chainsaw-test/vm-good.yaml b/kubevirt/enforce-instancetype/.chainsaw-test/vm-good.yaml index 89a470679..788d6f3fb 100644 --- a/kubevirt/enforce-instancetype/.chainsaw-test/vm-good.yaml +++ b/kubevirt/enforce-instancetype/.chainsaw-test/vm-good.yaml @@ -20,7 +20,7 @@ spec: terminationGracePeriodSeconds: 0 volumes: - containerDisk: - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 name: containerdisk - cloudInitNoCloud: userData: | diff --git a/kubevirt/enforce-instancetype/artifacthub-pkg.yml b/kubevirt/enforce-instancetype/artifacthub-pkg.yml index 4e19a07b0..73d5da7bf 100644 --- a/kubevirt/enforce-instancetype/artifacthub-pkg.yml +++ b/kubevirt/enforce-instancetype/artifacthub-pkg.yml 
@@ -19,4 +19,4 @@ annotations: kyverno/category: "KubeVirt" kyverno/kubernetesVersion: "1.24-1.25" kyverno/subject: "VirtualMachine" -digest: 1cd35bac61b4a5945c825e7dc41443e8bd67d32bda052843d040b8d482d80cb8 +digest: b0d3d34707cb815c644f2ed54060f6d546655cfb58600618f61575ac355f3439 diff --git a/kubevirt/enforce-instancetype/enforce-instancetype.yaml b/kubevirt/enforce-instancetype/enforce-instancetype.yaml index ef772390e..7148f7f2e 100644 --- a/kubevirt/enforce-instancetype/enforce-instancetype.yaml +++ b/kubevirt/enforce-instancetype/enforce-instancetype.yaml @@ -11,7 +11,7 @@ metadata: kyverno.io/kyverno-version: "1.8.0-rc2" kyverno.io/kubernetes-version: "1.24-1.25" spec: - validationFailureAction: Enforce + validationFailureAction: enforce rules: - name: k6t-ensure-instance-type-and-preference match: diff --git a/linkerd-cel/prevent-linkerd-pod-injection-override/.chainsaw-test/bad-pod.yaml b/linkerd-cel/prevent-linkerd-pod-injection-override/.chainsaw-test/bad-pod.yaml deleted file mode 100644 index b2e676ae4..000000000 --- a/linkerd-cel/prevent-linkerd-pod-injection-override/.chainsaw-test/bad-pod.yaml +++ /dev/null @@ -1,10 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - annotations: - linkerd.io/inject: disabled - name: badpod01 -spec: - containers: - - image: ghcr.io/kyverno/test-busybox:1.35 - name: busybox \ No newline at end of file diff --git a/linkerd-cel/prevent-linkerd-pod-injection-override/.chainsaw-test/bad-podcontrollers.yaml b/linkerd-cel/prevent-linkerd-pod-injection-override/.chainsaw-test/bad-podcontrollers.yaml deleted file mode 100644 index 03ef199b1..000000000 --- a/linkerd-cel/prevent-linkerd-pod-injection-override/.chainsaw-test/bad-podcontrollers.yaml +++ /dev/null 
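Review bot: `validationFailureAction: enforce` reverts to the lowercase spelling; in the Kyverno releases that introduced the capitalised `Enforce`/`Audit` values the lowercase forms are, as far as I know, accepted only for backward compatibility, and the other policies touched in this diff use the capitalised form (the kubecost test's `sed` pattern matches `validationFailureAction: Audit`), so this file is now the odd one out. If the lowercase value is required by the Kyverno that the `kyverno.io/kyverno-version: "1.8.0-rc2"` annotation in this hunk's context targets, say so inline: `validationFailureAction: enforce  # lowercase required by Kyverno 1.8; later releases accept it for compatibility`. Otherwise keep `Enforce`, which is the form the other policies in this diff use.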
@@ -1,42 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app: busybox - name: baddeploy01 -spec: - replicas: 1 - selector: - matchLabels: - app: busybox - template: - metadata: - labels: - app: busybox - annotations: - linkerd.io/inject: disabled - spec: - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob01 -spec: - schedule: "* * * * *" - jobTemplate: - spec: - template: - metadata: - annotations: - linkerd.io/inject: disabled - spec: - containers: - - name: hello - image: ghcr.io/kyverno/test-busybox:1.35 - command: - - "sleep" - - "3600" - restartPolicy: OnFailure \ No newline at end of file diff --git a/linkerd-cel/prevent-linkerd-pod-injection-override/.chainsaw-test/chainsaw-test.yaml b/linkerd-cel/prevent-linkerd-pod-injection-override/.chainsaw-test/chainsaw-test.yaml deleted file mode 100755 index 9051a94fb..000000000 --- a/linkerd-cel/prevent-linkerd-pod-injection-override/.chainsaw-test/chainsaw-test.yaml +++ /dev/null @@ -1,38 +0,0 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json -apiVersion: chainsaw.kyverno.io/v1alpha1 -kind: Test -metadata: - creationTimestamp: null - name: prevent-linkerd-pod-injection-override -spec: - steps: - - name: step-01 - try: - - apply: - file: ../prevent-linkerd-pod-injection-override.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: prevent-linkerd-pod-injection-override - spec: - validationFailureAction: Enforce - - assert: - file: policy-ready.yaml - - name: step-02 - try: - - apply: - file: good-pod.yaml - - apply: - file: good-podcontrollers.yaml - - apply: - expect: - - check: - ($error != null): true - file: bad-pod.yaml - - apply: - expect: - - check: - ($error != null): true - file: bad-podcontrollers.yaml 
diff --git a/linkerd-cel/prevent-linkerd-pod-injection-override/.chainsaw-test/good-pod.yaml b/linkerd-cel/prevent-linkerd-pod-injection-override/.chainsaw-test/good-pod.yaml deleted file mode 100644 index 26a5d37d8..000000000 --- a/linkerd-cel/prevent-linkerd-pod-injection-override/.chainsaw-test/good-pod.yaml +++ /dev/null @@ -1,20 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - annotations: - linkerd.io/inject: enabled - name: goodpod01 -spec: - containers: - - image: ghcr.io/kyverno/test-busybox:1.35 - name: busybox ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod02 -spec: - containers: - - image: ghcr.io/kyverno/test-busybox:1.35 - name: busybox - resources: {} \ No newline at end of file diff --git a/linkerd-cel/prevent-linkerd-pod-injection-override/.chainsaw-test/good-podcontrollers.yaml b/linkerd-cel/prevent-linkerd-pod-injection-override/.chainsaw-test/good-podcontrollers.yaml deleted file mode 100644 index ad64e4171..000000000 --- a/linkerd-cel/prevent-linkerd-pod-injection-override/.chainsaw-test/good-podcontrollers.yaml +++ /dev/null 
@@ -1,83 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app: busybox - name: gooddeploy01 -spec: - replicas: 1 - selector: - matchLabels: - app: busybox - template: - metadata: - labels: - app: busybox - spec: - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app: busybox - name: gooddeploy02 -spec: - replicas: 1 - selector: - matchLabels: - app: busybox - template: - metadata: - labels: - app: busybox - annotations: - linkerd.io/inject: enabled - spec: - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob01 -spec: - schedule: "* * * * *" - jobTemplate: - spec: - template: - metadata: - labels: - app: busybox - spec: - containers: - - name: hello - image: ghcr.io/kyverno/test-busybox:1.35 - command: - - "sleep" - - "3600" - restartPolicy: OnFailure ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob02 -spec: - schedule: "* * * * *" - jobTemplate: - spec: - template: - metadata: - annotations: - linkerd.io/inject: enabled - spec: - containers: - - name: hello - image: ghcr.io/kyverno/test-busybox:1.35 - command: - - "sleep" - - "3600" - restartPolicy: OnFailure \ No newline at end of file diff --git a/linkerd-cel/prevent-linkerd-pod-injection-override/.chainsaw-test/policy-ready.yaml b/linkerd-cel/prevent-linkerd-pod-injection-override/.chainsaw-test/policy-ready.yaml deleted file mode 100755 index dc4acb236..000000000 --- a/linkerd-cel/prevent-linkerd-pod-injection-override/.chainsaw-test/policy-ready.yaml +++ /dev/null @@ -1,9 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: prevent-linkerd-pod-injection-override -status: - conditions: - - reason: Succeeded - status: "True" - type: Ready 
diff --git a/linkerd-cel/prevent-linkerd-pod-injection-override/.kyverno-test/kyverno-test.yaml b/linkerd-cel/prevent-linkerd-pod-injection-override/.kyverno-test/kyverno-test.yaml deleted file mode 100644 index 123a46aa0..000000000 --- a/linkerd-cel/prevent-linkerd-pod-injection-override/.kyverno-test/kyverno-test.yaml +++ /dev/null @@ -1,51 +0,0 @@ -apiVersion: cli.kyverno.io/v1alpha1 -kind: Test -metadata: - name: prevent-linkerd-pod-injection-override -policies: -- ../prevent-linkerd-pod-injection-override.yaml -resources: -- ../.chainsaw-test/bad-pod.yaml -- ../.chainsaw-test/bad-podcontrollers.yaml -- ../.chainsaw-test/good-pod.yaml -- ../.chainsaw-test/good-podcontrollers.yaml -results: -- policy: prevent-linkerd-pod-injection-override - rule: pod-injection-override - kind: Pod - resources: - - badpod01 - result: fail -- policy: prevent-linkerd-pod-injection-override - rule: pod-injection-override - kind: Deployment - resources: - - baddeploy01 - result: fail -- policy: prevent-linkerd-pod-injection-override - rule: pod-injection-override - kind: CronJob - resources: - - badcronjob01 - result: fail -- policy: prevent-linkerd-pod-injection-override - rule: pod-injection-override - kind: Pod - resources: - - goodpod01 - - goodpod02 - result: pass -- policy: prevent-linkerd-pod-injection-override - rule: pod-injection-override - kind: Deployment - resources: - - gooddeploy01 - - gooddeploy02 - result: pass -- policy: prevent-linkerd-pod-injection-override - rule: pod-injection-override - kind: CronJob - resources: - - goodcronjob01 - - goodcronjob02 - result: pass \ No newline at end of file diff --git a/linkerd-cel/prevent-linkerd-pod-injection-override/artifacthub-pkg.yml b/linkerd-cel/prevent-linkerd-pod-injection-override/artifacthub-pkg.yml deleted file mode 100644 index 53b3f6541..000000000 --- a/linkerd-cel/prevent-linkerd-pod-injection-override/artifacthub-pkg.yml +++ /dev/null 
@@ -1,23 +0,0 @@ -name: prevent-linkerd-pod-injection-override-cel -version: 1.0.0 -displayName: Prevent Linkerd Pod Injection Override in CEL expressions -description: >- - Setting the annotation on a Pod (or its controller) `linkerd.io/inject` to `disabled` may effectively disable mesh participation for that workload reducing security and visibility. This policy prevents setting the annotation `linkerd.io/inject` to `disabled` for Pods. -install: |- - ```shell - kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/linkerd-cel/prevent-linkerd-pod-injection-override/prevent-linkerd-pod-injection-override.yaml - ``` -keywords: - - kyverno - - Linkerd - - CEL Expressions -readme: | - Setting the annotation on a Pod (or its controller) `linkerd.io/inject` to `disabled` may effectively disable mesh participation for that workload reducing security and visibility. This policy prevents setting the annotation `linkerd.io/inject` to `disabled` for Pods. - - Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ -annotations: - kyverno/category: "Linkerd in CEL" - kyverno/kubernetesVersion: "1.26-1.27" - kyverno/subject: "Pod" -digest: 5b12ec5eb44fb90ffd0656f835ecb3ed7a119e6304230929eea4cbd5d222d4a1 -createdAt: "2024-05-21T15:39:18Z" diff --git a/linkerd-cel/prevent-linkerd-pod-injection-override/prevent-linkerd-pod-injection-override.yaml b/linkerd-cel/prevent-linkerd-pod-injection-override/prevent-linkerd-pod-injection-override.yaml deleted file mode 100644 index ed989bad4..000000000 --- a/linkerd-cel/prevent-linkerd-pod-injection-override/prevent-linkerd-pod-injection-override.yaml +++ /dev/null 
@@ -1,35 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: prevent-linkerd-pod-injection-override - annotations: - policies.kyverno.io/title: Prevent Linkerd Pod Injection Override in CEL expressions - policies.kyverno.io/category: Linkerd in CEL - policies.kyverno.io/severity: medium - policies.kyverno.io/subject: Pod - kyverno.io/kyverno-version: 1.11.0 - kyverno.io/kubernetes-version: "1.26-1.27" - policies.kyverno.io/description: >- - Setting the annotation on a Pod (or its controller) `linkerd.io/inject` to - `disabled` may effectively disable mesh participation for that workload reducing - security and visibility. This policy prevents setting the annotation `linkerd.io/inject` - to `disabled` for Pods. -spec: - validationFailureAction: Audit - background: true - rules: - - name: pod-injection-override - match: - any: - - resources: - kinds: - - Pod - operations: - - CREATE - - UPDATE - validate: - cel: - expressions: - - expression: "object.metadata.?annotations[?'linkerd.io/inject'].orValue('') != 'disabled'" - message: "Pods may not disable sidecar injection." - diff --git a/linkerd-cel/prevent-linkerd-port-skipping/.chainsaw-test/bad-pod.yaml b/linkerd-cel/prevent-linkerd-port-skipping/.chainsaw-test/bad-pod.yaml deleted file mode 100644 index 89f2c4e1b..000000000 --- a/linkerd-cel/prevent-linkerd-port-skipping/.chainsaw-test/bad-pod.yaml +++ /dev/null 
@@ -1,36 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - annotations: - foo: bar - config.linkerd.io/skip-inbound-ports: "true" - name: badpod01 -spec: - containers: - - image: ghcr.io/kyverno/test-busybox:1.35 - name: busybox ---- -apiVersion: v1 -kind: Pod -metadata: - annotations: - config.linkerd.io/skip-outbound-ports: "true" - foo: bar - name: badpod02 -spec: - containers: - - image: ghcr.io/kyverno/test-busybox:1.35 - name: busybox ---- -apiVersion: v1 -kind: Pod -metadata: - annotations: - foo: bar - config.linkerd.io/skip-outbound-ports: "true" - config.linkerd.io/skip-inbound-ports: "true" - name: badpod03 -spec: - containers: - - image: ghcr.io/kyverno/test-busybox:1.35 - name: busybox \ No newline at end of file diff --git a/linkerd-cel/prevent-linkerd-port-skipping/.chainsaw-test/bad-podcontrollers.yaml b/linkerd-cel/prevent-linkerd-port-skipping/.chainsaw-test/bad-podcontrollers.yaml deleted file mode 100644 index c0ca58e47..000000000 --- a/linkerd-cel/prevent-linkerd-port-skipping/.chainsaw-test/bad-podcontrollers.yaml +++ /dev/null 
@@ -1,136 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app: busybox - name: baddeploy01 -spec: - replicas: 1 - selector: - matchLabels: - app: busybox - template: - metadata: - labels: - app: busybox - annotations: - foo: bar - config.linkerd.io/skip-inbound-ports: "true" - spec: - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app: busybox - name: baddeploy02 -spec: - replicas: 1 - selector: - matchLabels: - app: busybox - template: - metadata: - labels: - app: busybox - annotations: - config.linkerd.io/skip-outbound-ports: "true" - foo: bar - spec: - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app: busybox - name: baddeploy03 -spec: - replicas: 1 - selector: - matchLabels: - app: busybox - template: - metadata: - labels: - app: busybox - annotations: - foo: bar - config.linkerd.io/skip-inbound-ports: "true" - config.linkerd.io/skip-outbound-ports: "true" - spec: - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob01 -spec: - schedule: "* * * * *" - jobTemplate: - spec: - template: - metadata: - annotations: - config.linkerd.io/skip-outbound-ports: "true" - foo: bar - spec: - containers: - - name: hello - image: ghcr.io/kyverno/test-busybox:1.35 - command: - - "sleep" - - "3600" - restartPolicy: OnFailure ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob02 -spec: - schedule: "* * * * *" - jobTemplate: - spec: - template: - metadata: - annotations: - foo: bar - config.linkerd.io/skip-inbound-ports: "true" - spec: - containers: - - name: hello - image: ghcr.io/kyverno/test-busybox:1.35 - command: - - "sleep" - - "3600" - restartPolicy: OnFailure ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob03 -spec: - schedule: "* * 
* * *" - jobTemplate: - spec: - template: - metadata: - annotations: - foo: bar - config.linkerd.io/skip-outbound-ports: "true" - config.linkerd.io/skip-inbound-ports: "true" - spec: - containers: - - name: hello - image: ghcr.io/kyverno/test-busybox:1.35 - command: - - "sleep" - - "3600" - restartPolicy: OnFailure \ No newline at end of file diff --git a/linkerd-cel/prevent-linkerd-port-skipping/.chainsaw-test/chainsaw-test.yaml b/linkerd-cel/prevent-linkerd-port-skipping/.chainsaw-test/chainsaw-test.yaml deleted file mode 100755 index c85c17614..000000000 --- a/linkerd-cel/prevent-linkerd-port-skipping/.chainsaw-test/chainsaw-test.yaml +++ /dev/null @@ -1,38 +0,0 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json -apiVersion: chainsaw.kyverno.io/v1alpha1 -kind: Test -metadata: - creationTimestamp: null - name: prevent-linkerd-port-skipping -spec: - steps: - - name: step-01 - try: - - apply: - file: ../prevent-linkerd-port-skipping.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: prevent-linkerd-port-skipping - spec: - validationFailureAction: Enforce - - assert: - file: policy-ready.yaml - - name: step-02 - try: - - apply: - file: good-pod.yaml - - apply: - file: good-podcontrollers.yaml - - apply: - expect: - - check: - ($error != null): true - file: bad-pod.yaml - - apply: - expect: - - check: - ($error != null): true - file: bad-podcontrollers.yaml diff --git a/linkerd-cel/prevent-linkerd-port-skipping/.chainsaw-test/good-pod.yaml b/linkerd-cel/prevent-linkerd-port-skipping/.chainsaw-test/good-pod.yaml deleted file mode 100644 index 6df9f3bcc..000000000 --- a/linkerd-cel/prevent-linkerd-port-skipping/.chainsaw-test/good-pod.yaml +++ /dev/null 
@@ -1,20 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: goodpod01 -spec: - containers: - - image: ghcr.io/kyverno/test-busybox:1.35 - name: busybox ---- -apiVersion: v1 -kind: Pod -metadata: - annotations: - foo: bar - name: goodpod02 -spec: - containers: - - image: ghcr.io/kyverno/test-busybox:1.35 - name: busybox - resources: {} \ No newline at end of file diff --git a/linkerd-cel/prevent-linkerd-port-skipping/.chainsaw-test/good-podcontrollers.yaml b/linkerd-cel/prevent-linkerd-port-skipping/.chainsaw-test/good-podcontrollers.yaml deleted file mode 100644 index 9d7fe6099..000000000 --- a/linkerd-cel/prevent-linkerd-port-skipping/.chainsaw-test/good-podcontrollers.yaml +++ /dev/null @@ -1,83 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app: busybox - name: gooddeploy01 -spec: - replicas: 1 - selector: - matchLabels: - app: busybox - template: - metadata: - labels: - app: busybox - spec: - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app: busybox - name: gooddeploy02 -spec: - replicas: 1 - selector: - matchLabels: - app: busybox - template: - metadata: - labels: - app: busybox - annotations: - foo: bar - spec: - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob01 -spec: - schedule: "* * * * *" - jobTemplate: - spec: - template: - metadata: - labels: - app: busybox - spec: - containers: - - name: hello - image: ghcr.io/kyverno/test-busybox:1.35 - command: - - "sleep" - - "3600" - restartPolicy: OnFailure ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob02 -spec: - schedule: "* * * * *" - jobTemplate: - spec: - template: - metadata: - annotations: - foo: bar - spec: - containers: - - name: hello - image: ghcr.io/kyverno/test-busybox:1.35 - command: - - "sleep" - - "3600" - restartPolicy: OnFailure \ No newline at end of file 
diff --git a/linkerd-cel/prevent-linkerd-port-skipping/.chainsaw-test/policy-ready.yaml b/linkerd-cel/prevent-linkerd-port-skipping/.chainsaw-test/policy-ready.yaml deleted file mode 100755 index 5e3757418..000000000 --- a/linkerd-cel/prevent-linkerd-port-skipping/.chainsaw-test/policy-ready.yaml +++ /dev/null @@ -1,9 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: prevent-linkerd-port-skipping -status: - conditions: - - reason: Succeeded - status: "True" - type: Ready diff --git a/linkerd-cel/prevent-linkerd-port-skipping/.kyverno-test/kyverno-test.yaml b/linkerd-cel/prevent-linkerd-port-skipping/.kyverno-test/kyverno-test.yaml deleted file mode 100644 index 3eef768b6..000000000 --- a/linkerd-cel/prevent-linkerd-port-skipping/.kyverno-test/kyverno-test.yaml +++ /dev/null 
@@ -1,58 +0,0 @@ -apiVersion: cli.kyverno.io/v1alpha1 -kind: Test -metadata: - name: prevent-linkerd-port-skipping -policies: -- ../prevent-linkerd-port-skipping.yaml -resources: -- ../.chainsaw-test/bad-pod.yaml -- ../.chainsaw-test/bad-podcontrollers.yaml -- ../.chainsaw-test/good-pod.yaml -- ../.chainsaw-test/good-podcontrollers.yaml -results: -- policy: prevent-linkerd-port-skipping - rule: pod-prevent-port-skipping - kind: Pod - resources: - - badpod01 - - badpod02 - - badpod03 - result: fail -- policy: prevent-linkerd-port-skipping - rule: pod-prevent-port-skipping - kind: Deployment - resources: - - baddeploy01 - - baddeploy02 - - baddeploy03 - result: fail -- policy: prevent-linkerd-port-skipping - rule: pod-prevent-port-skipping - kind: CronJob - resources: - - badcronjob01 - - badcronjob02 - - badcronjob03 - result: fail -- policy: prevent-linkerd-port-skipping - rule: pod-prevent-port-skipping - kind: Pod - resources: - - goodpod01 - - goodpod02 - result: pass -- policy: prevent-linkerd-port-skipping - rule: pod-prevent-port-skipping - kind: Deployment - resources: - - gooddeploy01 - - gooddeploy02 - result: pass -- policy: prevent-linkerd-port-skipping - rule: pod-prevent-port-skipping - kind: CronJob - resources: - - goodcronjob01 - - goodcronjob02 - result: pass - diff --git a/linkerd-cel/prevent-linkerd-port-skipping/artifacthub-pkg.yml b/linkerd-cel/prevent-linkerd-port-skipping/artifacthub-pkg.yml deleted file mode 100644 index 4ab092a6c..000000000 --- a/linkerd-cel/prevent-linkerd-port-skipping/artifacthub-pkg.yml +++ /dev/null 
@@ -1,23 +0,0 @@ -name: prevent-linkerd-port-skipping-cel -version: 1.0.0 -displayName: Prevent Linkerd Port Skipping in CEL expressions -description: >- - Linkerd has the ability to skip inbound and outbound ports assigned to Pods, exempting them from mTLS. This can be important in some narrow use cases but generally should be avoided. This policy prevents Pods from setting the annotations `config.linkerd.io/skip-inbound-ports` or `config.linkerd.io/skip-outbound-ports`. -install: |- - ```shell - kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/linkerd-cel/prevent-linkerd-port-skipping/prevent-linkerd-port-skipping.yaml - ``` -keywords: - - kyverno - - Linkerd - - CEL Expressions -readme: | - Linkerd has the ability to skip inbound and outbound ports assigned to Pods, exempting them from mTLS. This can be important in some narrow use cases but generally should be avoided. This policy prevents Pods from setting the annotations `config.linkerd.io/skip-inbound-ports` or `config.linkerd.io/skip-outbound-ports`. - - Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ -annotations: - kyverno/category: "Linkerd in CEL" - kyverno/kubernetesVersion: "1.26-1.27" - kyverno/subject: "Pod" -digest: bb047cee4e04c6939ccbdafe386dc0a84ea7e7242fe476a67ab6daf93dbec98f -createdAt: "2024-05-21T15:57:57Z" diff --git a/linkerd-cel/prevent-linkerd-port-skipping/prevent-linkerd-port-skipping.yaml b/linkerd-cel/prevent-linkerd-port-skipping/prevent-linkerd-port-skipping.yaml deleted file mode 100644 index d95aca938..000000000 --- a/linkerd-cel/prevent-linkerd-port-skipping/prevent-linkerd-port-skipping.yaml +++ /dev/null 
@@ -1,37 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: prevent-linkerd-port-skipping - annotations: - policies.kyverno.io/title: Prevent Linkerd Port Skipping in CEL expressions - policies.kyverno.io/category: Linkerd in CEL - policies.kyverno.io/severity: medium - policies.kyverno.io/subject: Pod - policies.kyverno.io/minversion: 1.11.0 - kyverno.io/kubernetes-version: "1.26-1.27" - policies.kyverno.io/description: >- - Linkerd has the ability to skip inbound and outbound ports assigned to Pods, exempting - them from mTLS. This can be important in some narrow use cases but - generally should be avoided. This policy prevents Pods from setting - the annotations `config.linkerd.io/skip-inbound-ports` or `config.linkerd.io/skip-outbound-ports`. -spec: - validationFailureAction: Audit - background: true - rules: - - name: pod-prevent-port-skipping - match: - any: - - resources: - kinds: - - Pod - operations: - - CREATE - - UPDATE - validate: - cel: - expressions: - - expression: >- - !has(object.metadata.annotations) || - (!('config.linkerd.io/skip-inbound-ports' in object.metadata.annotations) && !('config.linkerd.io/skip-outbound-ports' in object.metadata.annotations)) - message: "Pods may not skip ports. The annotations `config.linkerd.io/skip-inbound-ports` or `config.linkerd.io/skip-outbound-ports` must not be set." - diff --git a/linkerd-cel/require-linkerd-mesh-injection/.chainsaw-test/bad-ns.yaml b/linkerd-cel/require-linkerd-mesh-injection/.chainsaw-test/bad-ns.yaml deleted file mode 100644 index 211682121..000000000 --- a/linkerd-cel/require-linkerd-mesh-injection/.chainsaw-test/bad-ns.yaml +++ /dev/null 
@@ -1,19 +0,0 @@ -apiVersion: v1 -kind: Namespace -metadata: - annotations: - foo: bar - linkerd.io/inject: disabled - name: ld-meshinj-badns01 ---- -apiVersion: v1 -kind: Namespace -metadata: - annotations: - foo: bar - name: ld-meshinj-badns02 ---- -apiVersion: v1 -kind: Namespace -metadata: - name: ld-meshinj-badns03 \ No newline at end of file diff --git a/linkerd-cel/require-linkerd-mesh-injection/.chainsaw-test/chainsaw-test.yaml b/linkerd-cel/require-linkerd-mesh-injection/.chainsaw-test/chainsaw-test.yaml deleted file mode 100755 index 84d387eca..000000000 --- a/linkerd-cel/require-linkerd-mesh-injection/.chainsaw-test/chainsaw-test.yaml +++ /dev/null @@ -1,31 +0,0 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json -apiVersion: chainsaw.kyverno.io/v1alpha1 -kind: Test -metadata: - creationTimestamp: null - name: require-linkerd-mesh-injection -spec: - steps: - - name: step-01 - try: - - apply: - file: ../require-linkerd-mesh-injection.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: require-linkerd-mesh-injection - spec: - validationFailureAction: Enforce - - assert: - file: policy-ready.yaml - - name: step-02 - try: - - apply: - file: good-ns.yaml - - apply: - expect: - - check: - ($error != null): true - file: bad-ns.yaml diff --git a/linkerd-cel/require-linkerd-mesh-injection/.chainsaw-test/good-ns.yaml b/linkerd-cel/require-linkerd-mesh-injection/.chainsaw-test/good-ns.yaml deleted file mode 100644 index 649948782..000000000 --- a/linkerd-cel/require-linkerd-mesh-injection/.chainsaw-test/good-ns.yaml +++ /dev/null @@ -1,15 +0,0 @@ -apiVersion: v1 -kind: Namespace -metadata: - annotations: - foo: bar - linkerd.io/inject: enabled - name: ld-meshinj-goodns01 ---- -apiVersion: v1 -kind: Namespace -metadata: - annotations: - linkerd.io/inject: enabled - foo: bar - name: ld-meshinj-goodns02 \ No newline at end of file 
diff --git a/linkerd-cel/require-linkerd-mesh-injection/.chainsaw-test/policy-ready.yaml b/linkerd-cel/require-linkerd-mesh-injection/.chainsaw-test/policy-ready.yaml deleted file mode 100755 index 8b24c872b..000000000 --- a/linkerd-cel/require-linkerd-mesh-injection/.chainsaw-test/policy-ready.yaml +++ /dev/null @@ -1,9 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: require-linkerd-mesh-injection -status: - conditions: - - reason: Succeeded - status: "True" - type: Ready diff --git a/linkerd-cel/require-linkerd-mesh-injection/.kyverno-test/kyverno-test.yaml b/linkerd-cel/require-linkerd-mesh-injection/.kyverno-test/kyverno-test.yaml deleted file mode 100644 index 8c009f0b0..000000000 --- a/linkerd-cel/require-linkerd-mesh-injection/.kyverno-test/kyverno-test.yaml +++ /dev/null @@ -1,26 +0,0 @@ -apiVersion: cli.kyverno.io/v1alpha1 -kind: Test -metadata: - name: require-linkerd-mesh-injection -policies: -- ../require-linkerd-mesh-injection.yaml -resources: -- ../.chainsaw-test/bad-ns.yaml -- ../.chainsaw-test/good-ns.yaml -results: -- policy: require-linkerd-mesh-injection - rule: require-mesh-annotation - kind: Namespace - resources: - - ld-meshinj-badns01 - - ld-meshinj-badns02 - - ld-meshinj-badns03 - result: fail -- policy: require-linkerd-mesh-injection - rule: require-mesh-annotation - kind: Namespace - resources: - - ld-meshinj-goodns01 - - ld-meshinj-goodns02 - result: pass - diff --git a/linkerd-cel/require-linkerd-mesh-injection/artifacthub-pkg.yml b/linkerd-cel/require-linkerd-mesh-injection/artifacthub-pkg.yml deleted file mode 100644 index 063aad494..000000000 --- a/linkerd-cel/require-linkerd-mesh-injection/artifacthub-pkg.yml +++ /dev/null 
@@ -1,23 +0,0 @@ -name: require-linkerd-mesh-injection-cel -version: 1.0.0 -displayName: Require Linkerd Mesh Injection in CEL expressions -description: >- - Sidecar proxy injection in Linkerd may be handled at the Namespace level by setting the annotation `linkerd.io/inject` to `enabled`. This policy enforces that all Namespaces contain the annotation `linkerd.io/inject` set to `enabled`. -install: |- - ```shell - kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/linkerd-cel/require-linkerd-mesh-injection/require-linkerd-mesh-injection.yaml - ``` -keywords: - - kyverno - - Linkerd - - CEL Expressions -readme: | - Sidecar proxy injection in Linkerd may be handled at the Namespace level by setting the annotation `linkerd.io/inject` to `enabled`. This policy enforces that all Namespaces contain the annotation `linkerd.io/inject` set to `enabled`. - - Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ -annotations: - kyverno/category: "Linkerd in CEL" - kyverno/kubernetesVersion: "1.26-1.27" - kyverno/subject: "Namespace, Annotation" -digest: 35eeae221b613fe7c3ddff2006d6f38e43c2ec6300ec89e7c44ac53ed93e0b62 -createdAt: "2024-05-21T16:06:15Z" diff --git a/linkerd-cel/require-linkerd-mesh-injection/require-linkerd-mesh-injection.yaml b/linkerd-cel/require-linkerd-mesh-injection/require-linkerd-mesh-injection.yaml deleted file mode 100644 index 5fa23a47c..000000000 --- a/linkerd-cel/require-linkerd-mesh-injection/require-linkerd-mesh-injection.yaml +++ /dev/null 
@@ -1,34 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: require-linkerd-mesh-injection - annotations: - policies.kyverno.io/title: Require Linkerd Mesh Injection in CEL expressions - policies.kyverno.io/category: Linkerd in CEL - policies.kyverno.io/severity: medium - policies.kyverno.io/subject: Namespace, Annotation - policies.kyverno.io/minversion: 1.11.0 - kyverno.io/kubernetes-version: "1.26-1.27" - policies.kyverno.io/description: >- - Sidecar proxy injection in Linkerd may be handled at the Namespace level by - setting the annotation `linkerd.io/inject` to `enabled`. This policy enforces that - all Namespaces contain the annotation `linkerd.io/inject` set to `enabled`. -spec: - validationFailureAction: Audit - background: true - rules: - - name: require-mesh-annotation - match: - any: - - resources: - kinds: - - Namespace - operations: - - CREATE - - UPDATE - validate: - cel: - expressions: - - expression: "object.metadata.?annotations[?'linkerd.io/inject'].orValue('') == 'enabled'" - message: "All Namespaces must set the annotation `linkerd.io/inject` to `enabled`." - diff --git a/linkerd/add-linkerd-mesh-injection/.chainsaw-test/chainsaw-test.yaml b/linkerd/add-linkerd-mesh-injection/.chainsaw-test/chainsaw-test.yaml index 6dd1bef21..a258912b3 100755 --- a/linkerd/add-linkerd-mesh-injection/.chainsaw-test/chainsaw-test.yaml +++ b/linkerd/add-linkerd-mesh-injection/.chainsaw-test/chainsaw-test.yaml @@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: diff --git a/linkerd/add-linkerd-mesh-injection/.chainsaw-test/policy-ready.yaml b/linkerd/add-linkerd-mesh-injection/.chainsaw-test/policy-ready.yaml index 6edadda16..c9a189f5a 100644 --- a/linkerd/add-linkerd-mesh-injection/.chainsaw-test/policy-ready.yaml +++ b/linkerd/add-linkerd-mesh-injection/.chainsaw-test/policy-ready.yaml 
@@ -3,7 +3,4 @@ kind: ClusterPolicy metadata: name: add-linkerd-mesh-injection status: - conditions: - - reason: Succeeded - status: "True" - type: Ready + ready: true \ No newline at end of file diff --git a/linkerd/add-linkerd-policy-annotation/.chainsaw-test/chainsaw-test.yaml b/linkerd/add-linkerd-policy-annotation/.chainsaw-test/chainsaw-test.yaml index 1d73c05b5..9046c7994 100755 --- a/linkerd/add-linkerd-policy-annotation/.chainsaw-test/chainsaw-test.yaml +++ b/linkerd/add-linkerd-policy-annotation/.chainsaw-test/chainsaw-test.yaml @@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: diff --git a/linkerd/add-linkerd-policy-annotation/.chainsaw-test/policy-ready.yaml b/linkerd/add-linkerd-policy-annotation/.chainsaw-test/policy-ready.yaml index 3db33b823..b32f7e4c9 100644 --- a/linkerd/add-linkerd-policy-annotation/.chainsaw-test/policy-ready.yaml +++ b/linkerd/add-linkerd-policy-annotation/.chainsaw-test/policy-ready.yaml @@ -3,7 +3,4 @@ kind: ClusterPolicy metadata: name: add-linkerd-policy-annotation status: - conditions: - - reason: Succeeded - status: "True" - type: Ready + ready: true \ No newline at end of file diff --git a/linkerd/check-linkerd-authorizationpolicy/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/linkerd/check-linkerd-authorizationpolicy/.chainsaw-test/chainsaw-step-01-assert-1.yaml index 516c9263a..ad356330a 100755 --- a/linkerd/check-linkerd-authorizationpolicy/.chainsaw-test/chainsaw-step-01-assert-1.yaml +++ b/linkerd/check-linkerd-authorizationpolicy/.chainsaw-test/chainsaw-step-01-assert-1.yaml @@ -3,7 +3,4 @@ kind: ClusterPolicy metadata: name: check-linkerd-authorizationpolicy status: - conditions: - - reason: Succeeded - status: "True" - type: Ready + ready: true 
diff --git a/linkerd/check-linkerd-authorizationpolicy/.chainsaw-test/chainsaw-test.yaml b/linkerd/check-linkerd-authorizationpolicy/.chainsaw-test/chainsaw-test.yaml index 5165633c7..307a9a3fa 100755 --- a/linkerd/check-linkerd-authorizationpolicy/.chainsaw-test/chainsaw-test.yaml +++ b/linkerd/check-linkerd-authorizationpolicy/.chainsaw-test/chainsaw-test.yaml @@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: @@ -16,18 +15,9 @@ spec: file: chainsaw-step-00-assert-3.yaml - name: step-01 try: - - apply: - file: permissions.yaml - - apply: - file: ../check-linkerd-authorizationpolicy.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: check-linkerd-authorizationpolicy - spec: - validationFailureAction: Enforce + - script: + content: | + sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../check-linkerd-authorizationpolicy.yaml | kubectl create -f - - assert: file: chainsaw-step-01-assert-1.yaml - name: step-02 @@ -45,3 +35,10 @@ spec: - check: ($error != null): true file: bad-authz.yaml + - name: step-99 + try: + - delete: + ref: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: check-linkerd-authorizationpolicy diff --git a/linkerd/check-linkerd-authorizationpolicy/.chainsaw-test/permissions.yaml b/linkerd/check-linkerd-authorizationpolicy/.chainsaw-test/permissions.yaml deleted file mode 100644 index 1d15da4f3..000000000 --- a/linkerd/check-linkerd-authorizationpolicy/.chainsaw-test/permissions.yaml +++ /dev/null 
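Review bot: Removing the `apply: file: permissions.yaml` step in the `@@ -16,18 +15,9 @@` hunk drops the only grant of get/list/watch on `policy.linkerd.io` servers, httproutes and authorizationpolicies to Kyverno's admission, background and reports controllers, while the policy installed here still has to look up a matching Server or HTTPRoute (per its own description in the policy hunk further down). Unless the CI Kyverno deployment now carries that aggregated ClusterRole some other way, the lookup is forbidden and step-02's bad-authz rejection passes or fails for the wrong reason; keep applying the ClusterRole, or state the RBAC prerequisite in the policy's annotations. The replacement `sed ... | kubectl create -f -` is also silent when its pattern does not match (the policy used `Audit` until this commit and the CRD accepts both spellings), leaving the policy in audit mode, so `sed 's/validationFailureAction: [Aa]udit/validationFailureAction: Enforce/'` is more robust. The new step-99 delete only runs if every prior step succeeded, so a failing step-02 leaks an Enforce ClusterPolicy into later tests; a `cleanup:` block on step-01 holding the same `delete` runs regardless of outcome.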
@@ -1,19 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: kyverno:linkerd:server - labels: - rbac.kyverno.io/aggregate-to-reports-controller: "true" - rbac.kyverno.io/aggregate-to-admission-controller: "true" - rbac.kyverno.io/aggregate-to-background-controller: "true" -rules: -- apiGroups: - - policy.linkerd.io - resources: - - authorizationpolicies - - servers - - httproutes - verbs: - - get - - list - - watch diff --git a/linkerd/check-linkerd-authorizationpolicy/artifacthub-pkg.yml b/linkerd/check-linkerd-authorizationpolicy/artifacthub-pkg.yml index 881b2ea0a..1b1883f8c 100644 --- a/linkerd/check-linkerd-authorizationpolicy/artifacthub-pkg.yml +++ b/linkerd/check-linkerd-authorizationpolicy/artifacthub-pkg.yml @@ -19,4 +19,4 @@ annotations: kyverno/category: "Linkerd" kyverno/kubernetesVersion: "1.24" kyverno/subject: "AuthorizationPolicy" -digest: a8aa490b9226b245c51bc84f7a01f3a64bf176a40aa24743da3628188cdf50a3 +digest: e3f12288bb9f57e51764435a709284d7b3935ae8850eded4d998e35e9568cd19 diff --git a/linkerd/check-linkerd-authorizationpolicy/check-linkerd-authorizationpolicy.yaml b/linkerd/check-linkerd-authorizationpolicy/check-linkerd-authorizationpolicy.yaml index 784c361a3..e126e1a27 100644 --- a/linkerd/check-linkerd-authorizationpolicy/check-linkerd-authorizationpolicy.yaml +++ b/linkerd/check-linkerd-authorizationpolicy/check-linkerd-authorizationpolicy.yaml @@ -17,7 +17,7 @@ metadata: AuthorizationPolicy resources to ensure that either a matching Server or HTTPRoute exists first. spec: - validationFailureAction: Audit + validationFailureAction: audit background: true rules: - name: check-server-exists diff --git a/linkerd/prevent-linkerd-pod-injection-override/.chainsaw-test/bad-pod.yaml b/linkerd/prevent-linkerd-pod-injection-override/.chainsaw-test/bad-pod.yaml index b2e676ae4..2ffa3ce71 100644 --- a/linkerd/prevent-linkerd-pod-injection-override/.chainsaw-test/bad-pod.yaml 
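Review bot: `validationFailureAction: audit` in the `@@ -17,7 +17,7 @@` hunk switches to the lowercase spelling, which as far as I recall Kyverno has deprecated in favour of `Audit` since 1.10 while still accepting it in the CRD enum. Because the chainsaw test in this same commit rewrites that exact string with `sed` to turn enforcement on, the two files are now coupled by literal text rather than by the API; if either side is normalised back to `Audit` the policy is silently installed unenforced and the bad-resource checks fail one step later with a confusing message. Either keep `Audit` here and match both spellings in the test, or add a comment on this line such as `# the chainsaw test rewrites this literal value; keep the spelling in sync`.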
+++ b/linkerd/prevent-linkerd-pod-injection-override/.chainsaw-test/bad-pod.yaml @@ -6,5 +6,5 @@ metadata: name: badpod01 spec: containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox \ No newline at end of file diff --git a/linkerd/prevent-linkerd-pod-injection-override/.chainsaw-test/bad-podcontrollers.yaml b/linkerd/prevent-linkerd-pod-injection-override/.chainsaw-test/bad-podcontrollers.yaml index 03ef199b1..0ef55981b 100644 --- a/linkerd/prevent-linkerd-pod-injection-override/.chainsaw-test/bad-podcontrollers.yaml +++ b/linkerd/prevent-linkerd-pod-injection-override/.chainsaw-test/bad-podcontrollers.yaml @@ -18,7 +18,7 @@ spec: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: batch/v1 kind: CronJob @@ -35,7 +35,7 @@ spec: spec: containers: - name: hello - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 command: - "sleep" - "3600" diff --git a/linkerd/prevent-linkerd-pod-injection-override/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/linkerd/prevent-linkerd-pod-injection-override/.chainsaw-test/chainsaw-step-01-assert-1.yaml index dc4acb236..2d21edf25 100755 --- a/linkerd/prevent-linkerd-pod-injection-override/.chainsaw-test/chainsaw-step-01-assert-1.yaml +++ b/linkerd/prevent-linkerd-pod-injection-override/.chainsaw-test/chainsaw-step-01-assert-1.yaml @@ -3,7 +3,4 @@ kind: ClusterPolicy metadata: name: prevent-linkerd-pod-injection-override status: - conditions: - - reason: Succeeded - status: "True" - type: Ready + ready: true diff --git a/linkerd/prevent-linkerd-pod-injection-override/.chainsaw-test/chainsaw-test.yaml b/linkerd/prevent-linkerd-pod-injection-override/.chainsaw-test/chainsaw-test.yaml index e08af48c0..06c0314b2 100755 --- a/linkerd/prevent-linkerd-pod-injection-override/.chainsaw-test/chainsaw-test.yaml +++ b/linkerd/prevent-linkerd-pod-injection-override/.chainsaw-test/chainsaw-test.yaml 
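Review bot: Switching the fixture image from `ghcr.io/kyverno/test-busybox:1.35` to `busybox:1.35` makes every fixture in this commit reference Docker Hub, where the tag is mutable and unauthenticated pulls are rate-limited; the project-owned GHCR copy was presumably introduced to avoid exactly that, so this reads as a downgrade rather than a fix. For admission-only tests like this one the image is never actually pulled (the `apply` is expected to be rejected), so the change is mostly harmless here, but the same edit is applied to the "good" fixtures that do get created. If Docker Hub is intended, pin by digest (`busybox@sha256:...`) or keep the GHCR image so the fixture cannot change underneath the test.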
@@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: @@ -8,16 +7,9 @@ spec: steps: - name: step-01 try: - - apply: - file: ../prevent-linkerd-pod-injection-override.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: prevent-linkerd-pod-injection-override - spec: - validationFailureAction: Enforce + - script: + content: | + sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../prevent-linkerd-pod-injection-override.yaml | kubectl create -f - - assert: file: chainsaw-step-01-assert-1.yaml - name: step-02 @@ -36,3 +28,10 @@ spec: - check: ($error != null): true file: bad-podcontrollers.yaml + - name: step-99 + try: + - delete: + ref: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: prevent-linkerd-pod-injection-override diff --git a/linkerd/prevent-linkerd-pod-injection-override/.chainsaw-test/good-pod.yaml b/linkerd/prevent-linkerd-pod-injection-override/.chainsaw-test/good-pod.yaml index 26a5d37d8..826bd837a 100644 --- a/linkerd/prevent-linkerd-pod-injection-override/.chainsaw-test/good-pod.yaml +++ b/linkerd/prevent-linkerd-pod-injection-override/.chainsaw-test/good-pod.yaml @@ -6,7 +6,7 @@ metadata: name: goodpod01 spec: containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox --- apiVersion: v1 @@ -15,6 +15,6 @@ metadata: name: goodpod02 spec: containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox resources: {} \ No newline at end of file diff --git a/linkerd/prevent-linkerd-pod-injection-override/.chainsaw-test/good-podcontrollers.yaml b/linkerd/prevent-linkerd-pod-injection-override/.chainsaw-test/good-podcontrollers.yaml index ad64e4171..119385e9d 100644 --- a/linkerd/prevent-linkerd-pod-injection-override/.chainsaw-test/good-podcontrollers.yaml 
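Review bot: The `script:` step that pipes `sed` into `kubectl create -f -` creates a resource Chainsaw does not track, which is why a manual step-99 `delete` had to be added; but steps run in order and, as far as I know, stop at the first failure, so if step-02's expect checks fail the Enforce `prevent-linkerd-pod-injection-override` ClusterPolicy stays behind and affects every later test in the suite, and a re-run then fails on `kubectl create` with AlreadyExists. Move that `delete` into a `cleanup:` block on step-01 (cleanup runs even when the step fails) and drop step-99. The `sed` expression also only matches the exact lowercase `audit`; if the source file ever reverts to `Audit` the policy is created unenforced and the failure surfaces one step later as an unexpected successful apply, so matching `[Aa]udit` is cheap insurance.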
+++ b/linkerd/prevent-linkerd-pod-injection-override/.chainsaw-test/good-podcontrollers.yaml @@ -16,7 +16,7 @@ spec: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: apps/v1 kind: Deployment @@ -38,7 +38,7 @@ spec: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: batch/v1 kind: CronJob @@ -49,13 +49,10 @@ spec: jobTemplate: spec: template: - metadata: - labels: - app: busybox spec: containers: - name: hello - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 command: - "sleep" - "3600" @@ -76,7 +73,7 @@ spec: spec: containers: - name: hello - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 command: - "sleep" - "3600" diff --git a/linkerd/prevent-linkerd-pod-injection-override/.kyverno-test/kyverno-test.yaml b/linkerd/prevent-linkerd-pod-injection-override/.kyverno-test/kyverno-test.yaml deleted file mode 100644 index 123a46aa0..000000000 --- a/linkerd/prevent-linkerd-pod-injection-override/.kyverno-test/kyverno-test.yaml +++ /dev/null 
@@ -1,51 +0,0 @@ -apiVersion: cli.kyverno.io/v1alpha1 -kind: Test -metadata: - name: prevent-linkerd-pod-injection-override -policies: -- ../prevent-linkerd-pod-injection-override.yaml -resources: -- ../.chainsaw-test/bad-pod.yaml -- ../.chainsaw-test/bad-podcontrollers.yaml -- ../.chainsaw-test/good-pod.yaml -- ../.chainsaw-test/good-podcontrollers.yaml -results: -- policy: prevent-linkerd-pod-injection-override - rule: pod-injection-override - kind: Pod - resources: - - badpod01 - result: fail -- policy: prevent-linkerd-pod-injection-override - rule: pod-injection-override - kind: Deployment - resources: - - baddeploy01 - result: fail -- policy: prevent-linkerd-pod-injection-override - rule: pod-injection-override - kind: CronJob - resources: - - badcronjob01 - result: fail -- policy: prevent-linkerd-pod-injection-override - rule: pod-injection-override - kind: Pod - resources: - - goodpod01 - - goodpod02 - result: pass -- policy: prevent-linkerd-pod-injection-override - rule: pod-injection-override - kind: Deployment - resources: - - gooddeploy01 - - gooddeploy02 - result: pass -- policy: prevent-linkerd-pod-injection-override - rule: pod-injection-override - kind: CronJob - resources: - - goodcronjob01 - - goodcronjob02 - result: pass \ No newline at end of file diff --git a/linkerd/prevent-linkerd-pod-injection-override/artifacthub-pkg.yml b/linkerd/prevent-linkerd-pod-injection-override/artifacthub-pkg.yml index b21287453..05cdd4338 100644 --- a/linkerd/prevent-linkerd-pod-injection-override/artifacthub-pkg.yml +++ b/linkerd/prevent-linkerd-pod-injection-override/artifacthub-pkg.yml @@ -18,4 +18,4 @@ readme: | annotations: kyverno/category: "Linkerd" kyverno/subject: "Pod" -digest: 054fa2bf433cf978fc7cbc5e846f4f4851a9fc1293a57aa5064d3a6af7e65c0d +digest: f53f4954cf983e1ffd47faf03c76fa07ca01cc2a3d3ac2118c5f77f12e6abbf7 
diff --git a/linkerd/prevent-linkerd-pod-injection-override/prevent-linkerd-pod-injection-override.yaml b/linkerd/prevent-linkerd-pod-injection-override/prevent-linkerd-pod-injection-override.yaml index fadc62b8a..8b608b408 100644 --- a/linkerd/prevent-linkerd-pod-injection-override/prevent-linkerd-pod-injection-override.yaml +++ b/linkerd/prevent-linkerd-pod-injection-override/prevent-linkerd-pod-injection-override.yaml @@ -13,7 +13,7 @@ metadata: security and visibility. This policy prevents setting the annotation `linkerd.io/inject` to `disabled` for Pods. spec: - validationFailureAction: Audit + validationFailureAction: audit background: true rules: - name: pod-injection-override diff --git a/linkerd/prevent-linkerd-port-skipping/.chainsaw-test/bad-pod.yaml b/linkerd/prevent-linkerd-port-skipping/.chainsaw-test/bad-pod.yaml index 89f2c4e1b..730df5cbc 100644 --- a/linkerd/prevent-linkerd-port-skipping/.chainsaw-test/bad-pod.yaml +++ b/linkerd/prevent-linkerd-port-skipping/.chainsaw-test/bad-pod.yaml @@ -3,23 +3,23 @@ kind: Pod metadata: annotations: foo: bar - config.linkerd.io/skip-inbound-ports: "true" + config.linkerd.io/skip-inbound-ports: true name: badpod01 spec: containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox --- apiVersion: v1 kind: Pod metadata: annotations: - config.linkerd.io/skip-outbound-ports: "true" + config.linkerd.io/skip-outbound-ports: true foo: bar name: badpod02 spec: containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox --- apiVersion: v1 @@ -27,10 +27,10 @@ kind: Pod metadata: annotations: foo: bar - config.linkerd.io/skip-outbound-ports: "true" - config.linkerd.io/skip-inbound-ports: "true" + config.linkerd.io/skip-outbound-ports: true + config.linkerd.io/skip-inbound-ports: true name: badpod03 spec: containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox \ No newline at end of file 
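Review bot: Un-quoting the annotation values in the bad-pod.yaml hunk (`config.linkerd.io/skip-inbound-ports: true`) turns them from strings into YAML booleans, but `metadata.annotations` is `map[string]string`, so the API server rejects each of these Pods with a decoding error (roughly "cannot unmarshal bool into ... annotations of type string") before Kyverno's webhook is consulted at all. The chainsaw step that applies this file only asserts `($error != null)`, so the test now passes without exercising the policy and would keep passing if the policy were deleted. Restore the quotes on all three Pods, e.g. `config.linkerd.io/skip-inbound-ports: "true"`; a realistic port list such as `"4222,6222"` would additionally document the annotation's real shape, though the policy as described only forbids the annotation's presence.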
diff --git a/linkerd/prevent-linkerd-port-skipping/.chainsaw-test/bad-podcontrollers.yaml b/linkerd/prevent-linkerd-port-skipping/.chainsaw-test/bad-podcontrollers.yaml index c0ca58e47..f414b7893 100644 --- a/linkerd/prevent-linkerd-port-skipping/.chainsaw-test/bad-podcontrollers.yaml +++ b/linkerd/prevent-linkerd-port-skipping/.chainsaw-test/bad-podcontrollers.yaml @@ -15,11 +15,11 @@ spec: app: busybox annotations: foo: bar - config.linkerd.io/skip-inbound-ports: "true" + config.linkerd.io/skip-inbound-ports: true spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: apps/v1 kind: Deployment @@ -37,12 +37,12 @@ spec: labels: app: busybox annotations: - config.linkerd.io/skip-outbound-ports: "true" + config.linkerd.io/skip-outbound-ports: true foo: bar spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: apps/v1 kind: Deployment @@ -61,12 +61,12 @@ spec: app: busybox annotations: foo: bar - config.linkerd.io/skip-inbound-ports: "true" - config.linkerd.io/skip-outbound-ports: "true" + config.linkerd.io/skip-inbound-ports: true + config.linkerd.io/skip-outbound-ports: true spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: batch/v1 kind: CronJob @@ -79,12 +79,12 @@ spec: template: metadata: annotations: - config.linkerd.io/skip-outbound-ports: "true" + config.linkerd.io/skip-outbound-ports: true foo: bar spec: containers: - name: hello - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 command: - "sleep" - "3600" @@ -102,11 +102,11 @@ spec: metadata: annotations: foo: bar - config.linkerd.io/skip-inbound-ports: "true" + config.linkerd.io/skip-inbound-ports: true spec: containers: - name: hello - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 command: - "sleep" - "3600" 
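Review bot: The same un-quoting is applied inside the Deployment and CronJob pod templates (`config.linkerd.io/skip-inbound-ports: true` under `template.metadata.annotations`), and template annotations are likewise `map[string]string`, so the API server rejects these objects on decoding rather than on policy. Since bad-podcontrollers.yaml is applied with only an `($error != null)` expectation, the controller-level path of the rule (presumably Kyverno's autogen for Deployment and CronJob, which the deleted CLI test used to assert per kind) is no longer covered. Quote the values again in every template in this file, e.g. `config.linkerd.io/skip-outbound-ports: "true"`.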
@@ -124,12 +124,12 @@ spec: metadata: annotations: foo: bar - config.linkerd.io/skip-outbound-ports: "true" - config.linkerd.io/skip-inbound-ports: "true" + config.linkerd.io/skip-outbound-ports: true + config.linkerd.io/skip-inbound-ports: true spec: containers: - name: hello - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 command: - "sleep" - "3600" diff --git a/linkerd/prevent-linkerd-port-skipping/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/linkerd/prevent-linkerd-port-skipping/.chainsaw-test/chainsaw-step-01-assert-1.yaml index 5e3757418..538df5440 100755 --- a/linkerd/prevent-linkerd-port-skipping/.chainsaw-test/chainsaw-step-01-assert-1.yaml +++ b/linkerd/prevent-linkerd-port-skipping/.chainsaw-test/chainsaw-step-01-assert-1.yaml @@ -3,7 +3,4 @@ kind: ClusterPolicy metadata: name: prevent-linkerd-port-skipping status: - conditions: - - reason: Succeeded - status: "True" - type: Ready + ready: true diff --git a/linkerd/prevent-linkerd-port-skipping/.chainsaw-test/chainsaw-test.yaml b/linkerd/prevent-linkerd-port-skipping/.chainsaw-test/chainsaw-test.yaml index 57e85e207..a91b8d540 100755 --- a/linkerd/prevent-linkerd-port-skipping/.chainsaw-test/chainsaw-test.yaml +++ b/linkerd/prevent-linkerd-port-skipping/.chainsaw-test/chainsaw-test.yaml @@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: @@ -8,16 +7,9 @@ spec: steps: - name: step-01 try: - - apply: - file: ../prevent-linkerd-port-skipping.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: prevent-linkerd-port-skipping - spec: - validationFailureAction: Enforce + - script: + content: | + sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../prevent-linkerd-port-skipping.yaml | kubectl create -f - - assert: file: chainsaw-step-01-assert-1.yaml - name: step-02 
@@ -36,3 +28,10 @@ spec: - check: ($error != null): true file: bad-podcontrollers.yaml + - name: step-99 + try: + - delete: + ref: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: prevent-linkerd-port-skipping diff --git a/linkerd/prevent-linkerd-port-skipping/.chainsaw-test/good-pod.yaml b/linkerd/prevent-linkerd-port-skipping/.chainsaw-test/good-pod.yaml index 6df9f3bcc..feddec893 100644 --- a/linkerd/prevent-linkerd-port-skipping/.chainsaw-test/good-pod.yaml +++ b/linkerd/prevent-linkerd-port-skipping/.chainsaw-test/good-pod.yaml @@ -4,7 +4,7 @@ metadata: name: goodpod01 spec: containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox --- apiVersion: v1 @@ -15,6 +15,6 @@ metadata: name: goodpod02 spec: containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox resources: {} \ No newline at end of file diff --git a/linkerd/prevent-linkerd-port-skipping/.chainsaw-test/good-podcontrollers.yaml b/linkerd/prevent-linkerd-port-skipping/.chainsaw-test/good-podcontrollers.yaml index 9d7fe6099..d1605961a 100644 --- a/linkerd/prevent-linkerd-port-skipping/.chainsaw-test/good-podcontrollers.yaml +++ b/linkerd/prevent-linkerd-port-skipping/.chainsaw-test/good-podcontrollers.yaml @@ -16,7 +16,7 @@ spec: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: apps/v1 kind: Deployment @@ -38,7 +38,7 @@ spec: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: batch/v1 kind: CronJob @@ -49,13 +49,10 @@ spec: jobTemplate: spec: template: - metadata: - labels: - app: busybox spec: containers: - name: hello - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 command: - "sleep" - "3600" @@ -76,7 +73,7 @@ spec: spec: containers: - name: hello - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 command: - "sleep" - "3600" 
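Review bot: `step-99` deletes the ClusterPolicy as an ordinary sequential step, so it does not run when step-02 fails — chainsaw stops at the first failing step — and because the policy was created through a `script` rather than `apply`, chainsaw's automatic resource cleanup will not remove it either. A failed run therefore leaves an Enforce-mode `prevent-linkerd-port-skipping` policy behind in the shared cluster, where it can reject Pods created by unrelated tests. Move the `delete` under step-01's `cleanup:` (or a `finally:`) so it runs regardless of outcome, e.g. `cleanup:` / `- delete:` / `ref: {apiVersion: kyverno.io/v1, kind: ClusterPolicy, name: prevent-linkerd-port-skipping}`.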
diff --git a/linkerd/prevent-linkerd-port-skipping/.kyverno-test/kyverno-test.yaml b/linkerd/prevent-linkerd-port-skipping/.kyverno-test/kyverno-test.yaml deleted file mode 100644 index 3eef768b6..000000000 --- a/linkerd/prevent-linkerd-port-skipping/.kyverno-test/kyverno-test.yaml +++ /dev/null @@ -1,58 +0,0 @@ -apiVersion: cli.kyverno.io/v1alpha1 -kind: Test -metadata: - name: prevent-linkerd-port-skipping -policies: -- ../prevent-linkerd-port-skipping.yaml -resources: -- ../.chainsaw-test/bad-pod.yaml -- ../.chainsaw-test/bad-podcontrollers.yaml -- ../.chainsaw-test/good-pod.yaml -- ../.chainsaw-test/good-podcontrollers.yaml -results: -- policy: prevent-linkerd-port-skipping - rule: pod-prevent-port-skipping - kind: Pod - resources: - - badpod01 - - badpod02 - - badpod03 - result: fail -- policy: prevent-linkerd-port-skipping - rule: pod-prevent-port-skipping - kind: Deployment - resources: - - baddeploy01 - - baddeploy02 - - baddeploy03 - result: fail -- policy: prevent-linkerd-port-skipping - rule: pod-prevent-port-skipping - kind: CronJob - resources: - - badcronjob01 - - badcronjob02 - - badcronjob03 - result: fail -- policy: prevent-linkerd-port-skipping - rule: pod-prevent-port-skipping - kind: Pod - resources: - - goodpod01 - - goodpod02 - result: pass -- policy: prevent-linkerd-port-skipping - rule: pod-prevent-port-skipping - kind: Deployment - resources: - - gooddeploy01 - - gooddeploy02 - result: pass -- policy: prevent-linkerd-port-skipping - rule: pod-prevent-port-skipping - kind: CronJob - resources: - - goodcronjob01 - - goodcronjob02 - result: pass - diff --git a/linkerd/prevent-linkerd-port-skipping/artifacthub-pkg.yml b/linkerd/prevent-linkerd-port-skipping/artifacthub-pkg.yml index a44ee21be..5fffbddde 100644 --- a/linkerd/prevent-linkerd-port-skipping/artifacthub-pkg.yml +++ b/linkerd/prevent-linkerd-port-skipping/artifacthub-pkg.yml 
@@ -18,4 +18,4 @@ readme: | annotations: kyverno/category: "Linkerd" kyverno/subject: "Pod" -digest: 2afea901b654630b7006cfad1b1f90304418bb111d468576be735129d93a5778 +digest: eb06dd1a5965de97c84c7ca4f46d77a3d231600340a6f6f6f3369331d5fc0edc diff --git a/linkerd/prevent-linkerd-port-skipping/prevent-linkerd-port-skipping.yaml b/linkerd/prevent-linkerd-port-skipping/prevent-linkerd-port-skipping.yaml index ec56544e8..7505e1f52 100644 --- a/linkerd/prevent-linkerd-port-skipping/prevent-linkerd-port-skipping.yaml +++ b/linkerd/prevent-linkerd-port-skipping/prevent-linkerd-port-skipping.yaml @@ -13,7 +13,7 @@ metadata: generally should be avoided. This policy prevents Pods from setting the annotations `config.linkerd.io/skip-inbound-ports` or `config.linkerd.io/skip-outbound-ports`. spec: - validationFailureAction: Audit + validationFailureAction: audit background: true rules: - name: pod-prevent-port-skipping diff --git a/linkerd/require-linkerd-mesh-injection/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/linkerd/require-linkerd-mesh-injection/.chainsaw-test/chainsaw-step-01-assert-1.yaml index 8b24c872b..0a6966bd9 100755 --- a/linkerd/require-linkerd-mesh-injection/.chainsaw-test/chainsaw-step-01-assert-1.yaml +++ b/linkerd/require-linkerd-mesh-injection/.chainsaw-test/chainsaw-step-01-assert-1.yaml @@ -3,7 +3,4 @@ kind: ClusterPolicy metadata: name: require-linkerd-mesh-injection status: - conditions: - - reason: Succeeded - status: "True" - type: Ready + ready: true diff --git a/linkerd/require-linkerd-mesh-injection/.chainsaw-test/chainsaw-test.yaml b/linkerd/require-linkerd-mesh-injection/.chainsaw-test/chainsaw-test.yaml index 8c5b31e2a..c8227a2a0 100755 --- a/linkerd/require-linkerd-mesh-injection/.chainsaw-test/chainsaw-test.yaml +++ b/linkerd/require-linkerd-mesh-injection/.chainsaw-test/chainsaw-test.yaml 
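Review bot: `validationFailureAction: audit` in prevent-linkerd-port-skipping.yaml switches to the lowercase legacy spelling; Kyverno's documented values are `Audit` and `Enforce`, and while I believe the CRD still accepts the lowercase forms for compatibility, shipping the deprecated spelling in a published policy is the wrong direction for a corpus users copy verbatim. It also couples the policy to the exact `sed` literal in the chainsaw test, so a later normalisation back to `Audit` would silently leave that test running in audit mode. Keep `validationFailureAction: Audit` here and make the test tolerant of either case.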
@@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: @@ -8,16 +7,9 @@ spec: steps: - name: step-01 try: - - apply: - file: ../require-linkerd-mesh-injection.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: require-linkerd-mesh-injection - spec: - validationFailureAction: Enforce + - script: + content: | + sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../require-linkerd-mesh-injection.yaml | kubectl create -f - - assert: file: chainsaw-step-01-assert-1.yaml - name: step-02 @@ -29,3 +21,10 @@ spec: - check: ($error != null): true file: bad-ns.yaml + - name: step-99 + try: + - delete: + ref: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: require-linkerd-mesh-injection diff --git a/linkerd/require-linkerd-mesh-injection/.kyverno-test/kyverno-test.yaml b/linkerd/require-linkerd-mesh-injection/.kyverno-test/kyverno-test.yaml deleted file mode 100644 index 8c009f0b0..000000000 --- a/linkerd/require-linkerd-mesh-injection/.kyverno-test/kyverno-test.yaml +++ /dev/null @@ -1,26 +0,0 @@ -apiVersion: cli.kyverno.io/v1alpha1 -kind: Test -metadata: - name: require-linkerd-mesh-injection -policies: -- ../require-linkerd-mesh-injection.yaml -resources: -- ../.chainsaw-test/bad-ns.yaml -- ../.chainsaw-test/good-ns.yaml -results: -- policy: require-linkerd-mesh-injection - rule: require-mesh-annotation - kind: Namespace - resources: - - ld-meshinj-badns01 - - ld-meshinj-badns02 - - ld-meshinj-badns03 - result: fail -- policy: require-linkerd-mesh-injection - rule: require-mesh-annotation - kind: Namespace - resources: - - ld-meshinj-goodns01 - - ld-meshinj-goodns02 - result: pass - 
diff --git a/linkerd/require-linkerd-mesh-injection/artifacthub-pkg.yml b/linkerd/require-linkerd-mesh-injection/artifacthub-pkg.yml index 7eb59ea60..3a4b5a7c3 100644 --- a/linkerd/require-linkerd-mesh-injection/artifacthub-pkg.yml +++ b/linkerd/require-linkerd-mesh-injection/artifacthub-pkg.yml @@ -18,4 +18,4 @@ readme: | annotations: kyverno/category: "Linkerd" kyverno/subject: "Namespace, Annotation" -digest: 122ef3bc84488331c83eb1217f64e9371023914f3a249a380539a9857c625048 +digest: 284e774c36aae48ee175b4388c792d073897fd6e5df3645ce65682d441a35877 diff --git a/linkerd/require-linkerd-mesh-injection/require-linkerd-mesh-injection.yaml b/linkerd/require-linkerd-mesh-injection/require-linkerd-mesh-injection.yaml index 822a0b307..9026c2f11 100644 --- a/linkerd/require-linkerd-mesh-injection/require-linkerd-mesh-injection.yaml +++ b/linkerd/require-linkerd-mesh-injection/require-linkerd-mesh-injection.yaml @@ -12,7 +12,7 @@ metadata: setting the annotation `linkerd.io/inject` to `enabled`. This policy enforces that all Namespaces contain the annotation `linkerd.io/inject` set to `enabled`. spec: - validationFailureAction: Audit + validationFailureAction: audit background: true rules: - name: require-mesh-annotation diff --git a/linkerd/require-linkerd-server/.chainsaw-test/bad-deploy.yaml b/linkerd/require-linkerd-server/.chainsaw-test/bad-deploy.yaml index f134b5900..33990a027 100644 --- a/linkerd/require-linkerd-server/.chainsaw-test/bad-deploy.yaml +++ b/linkerd/require-linkerd-server/.chainsaw-test/bad-deploy.yaml @@ -16,9 +16,9 @@ spec: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - containerPort: 80 --- 
@@ -40,8 +40,8 @@ spec: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - containerPort: 80 - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 \ No newline at end of file + image: busybox:1.35 \ No newline at end of file diff --git a/linkerd/require-linkerd-server/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/linkerd/require-linkerd-server/.chainsaw-test/chainsaw-step-01-assert-1.yaml index d064a4759..f23d8af71 100755 --- a/linkerd/require-linkerd-server/.chainsaw-test/chainsaw-step-01-assert-1.yaml +++ b/linkerd/require-linkerd-server/.chainsaw-test/chainsaw-step-01-assert-1.yaml @@ -3,7 +3,4 @@ kind: ClusterPolicy metadata: name: require-linkerd-server status: - conditions: - - reason: Succeeded - status: "True" - type: Ready + ready: true diff --git a/linkerd/require-linkerd-server/.chainsaw-test/chainsaw-test.yaml b/linkerd/require-linkerd-server/.chainsaw-test/chainsaw-test.yaml index 5021a7cb9..5fe62a4b8 100755 --- a/linkerd/require-linkerd-server/.chainsaw-test/chainsaw-test.yaml +++ b/linkerd/require-linkerd-server/.chainsaw-test/chainsaw-test.yaml @@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: @@ -12,18 +11,9 @@ spec: file: chainsaw-step-00-assert-1.yaml - name: step-01 try: - - apply: - file: permissions.yaml - - apply: - file: ../require-linkerd-server.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: require-linkerd-server - spec: - validationFailureAction: Enforce + - script: + content: | + sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../require-linkerd-server.yaml | kubectl create -f - - assert: file: chainsaw-step-01-assert-1.yaml - name: step-02 
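Review bot: Dropping `- apply: file: permissions.yaml` from step-01 of require-linkerd-server's chainsaw-test.yaml removes the only grant of `get`/`list`/`watch` on `policy.linkerd.io/servers` to Kyverno's admission, background and reports controllers (the aggregated ClusterRole is deleted further down in this diff). The policy description says it checks Deployments and Services for a corresponding Server resource, which implies an API lookup at admission time; without that RBAC the lookup should fail with a 403, so in Enforce mode the `bad-*` fixtures get rejected for the wrong reason and the `good-*` applies in step-02 (outside this hunk) are likely to fail as well. Unless the suite installs Kyverno with those permissions elsewhere, keep the ClusterRole and re-add `- apply:` / `file: permissions.yaml` ahead of the policy creation.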
@@ -46,3 +36,10 @@ spec: - check: ($error != null): true file: bad-svc.yaml + - name: step-99 + try: + - delete: + ref: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: require-linkerd-server diff --git a/linkerd/require-linkerd-server/.chainsaw-test/good-deploy.yaml b/linkerd/require-linkerd-server/.chainsaw-test/good-deploy.yaml index cb96cc7d9..f4a6365b5 100644 --- a/linkerd/require-linkerd-server/.chainsaw-test/good-deploy.yaml +++ b/linkerd/require-linkerd-server/.chainsaw-test/good-deploy.yaml @@ -16,9 +16,9 @@ spec: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - containerPort: 80 --- @@ -40,11 +40,11 @@ spec: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - containerPort: 80 - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: apps/v1 kind: Deployment @@ -64,6 +64,6 @@ spec: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 \ No newline at end of file + image: busybox:1.35 \ No newline at end of file diff --git a/linkerd/require-linkerd-server/.chainsaw-test/permissions.yaml b/linkerd/require-linkerd-server/.chainsaw-test/permissions.yaml deleted file mode 100644 index 64658abb5..000000000 --- a/linkerd/require-linkerd-server/.chainsaw-test/permissions.yaml +++ /dev/null @@ -1,17 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: kyverno:linkerd:server - labels: - rbac.kyverno.io/aggregate-to-reports-controller: "true" - rbac.kyverno.io/aggregate-to-admission-controller: "true" - rbac.kyverno.io/aggregate-to-background-controller: "true" -rules: -- apiGroups: - - policy.linkerd.io - resources: - - servers - verbs: - - get - - list - - watch 
diff --git a/linkerd/require-linkerd-server/artifacthub-pkg.yml b/linkerd/require-linkerd-server/artifacthub-pkg.yml index 248d6b4f3..f6cfb2140 100644 --- a/linkerd/require-linkerd-server/artifacthub-pkg.yml +++ b/linkerd/require-linkerd-server/artifacthub-pkg.yml @@ -19,4 +19,4 @@ annotations: kyverno/category: "Linkerd" kyverno/kubernetesVersion: "1.24" kyverno/subject: "Deployment, Server" -digest: bd855cb303add805e796aa91569f7f8708ba6ed901c1ff61766113fe4850596f +digest: 48fc0973e425cb8e28ef82dc9c1be59f49b80850be42ba62189bcb5235e90278 diff --git a/linkerd/require-linkerd-server/require-linkerd-server.yaml b/linkerd/require-linkerd-server/require-linkerd-server.yaml index 770000c51..87234a391 100644 --- a/linkerd/require-linkerd-server/require-linkerd-server.yaml +++ b/linkerd/require-linkerd-server/require-linkerd-server.yaml @@ -17,7 +17,7 @@ metadata: Deployments (exposing ports) and Services to ensure a corresponding Server resource exists first. spec: - validationFailureAction: Audit + validationFailureAction: audit background: true rules: - name: check-deployment-has-server diff --git a/nginx-ingress-cel/disallow-ingress-nginx-custom-snippets/.chainsaw-test/chainsaw-test.yaml b/nginx-ingress-cel/disallow-ingress-nginx-custom-snippets/.chainsaw-test/chainsaw-test.yaml deleted file mode 100755 index f8d331033..000000000 --- a/nginx-ingress-cel/disallow-ingress-nginx-custom-snippets/.chainsaw-test/chainsaw-test.yaml +++ /dev/null 
@@ -1,30 +0,0 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json -apiVersion: chainsaw.kyverno.io/v1alpha1 -kind: Test -metadata: - creationTimestamp: null - name: disallow-ingress-nginx-custom-snippets -spec: - steps: - - name: step-01 - try: - - apply: - file: ../disallow-ingress-nginx-custom-snippets.yaml - - assert: - file: policy-ready.yaml - - name: step-02 - try: - - apply: - file: cm-good.yaml - - apply: - file: ig-good.yaml - - apply: - expect: - - check: - ($error != null): true - file: cm-bad.yaml - - apply: - expect: - - check: - ($error != null): true - file: ig-bad.yaml diff --git a/nginx-ingress-cel/disallow-ingress-nginx-custom-snippets/.chainsaw-test/cm-bad.yaml b/nginx-ingress-cel/disallow-ingress-nginx-custom-snippets/.chainsaw-test/cm-bad.yaml deleted file mode 100644 index 177ac0678..000000000 --- a/nginx-ingress-cel/disallow-ingress-nginx-custom-snippets/.chainsaw-test/cm-bad.yaml +++ /dev/null @@ -1,6 +0,0 @@ -apiVersion: v1 -data: - allow-snippet-annotations: "true" -kind: ConfigMap -metadata: - name: config-map-true diff --git a/nginx-ingress-cel/disallow-ingress-nginx-custom-snippets/.chainsaw-test/cm-good.yaml b/nginx-ingress-cel/disallow-ingress-nginx-custom-snippets/.chainsaw-test/cm-good.yaml deleted file mode 100644 index 6ec1541ac..000000000 --- a/nginx-ingress-cel/disallow-ingress-nginx-custom-snippets/.chainsaw-test/cm-good.yaml +++ /dev/null @@ -1,18 +0,0 @@ -apiVersion: v1 -data: - allow-snippet-annotations: "false" -kind: ConfigMap -metadata: - name: config-map-false ---- -apiVersion: v1 -data: - random: "someval" -kind: ConfigMap -metadata: - name: config-map-other ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: config-map-empty \ No newline at end of file 
diff --git a/nginx-ingress-cel/disallow-ingress-nginx-custom-snippets/.chainsaw-test/ig-bad.yaml b/nginx-ingress-cel/disallow-ingress-nginx-custom-snippets/.chainsaw-test/ig-bad.yaml deleted file mode 100644 index 82c289e7c..000000000 --- a/nginx-ingress-cel/disallow-ingress-nginx-custom-snippets/.chainsaw-test/ig-bad.yaml +++ /dev/null @@ -1,63 +0,0 @@ -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: cafe-ingress-with-snippets - annotations: - foo: bar - nginx.org/server-snippet: | - location / { - return 302 /coffee; - } - nginx.org/location-snippet: | - add_header my-test-header test-value; -spec: - rules: - - host: cafe.example.com - http: - paths: - - path: /tea - pathType: Prefix - backend: - service: - name: tea-svc - port: - number: 80 - - path: /coffee - pathType: Prefix - backend: - service: - name: coffee-svc - port: - number: 80 ---- -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: cafe-ingress - annotations: - nginx.org/server-snippet: | - location / { - return 302 /coffee; - } - nginx.org/location-snippet: | - add_header my-test-header test-value; - foo: bar -spec: - rules: - - host: cafe.example.com - http: - paths: - - path: /tea - pathType: Prefix - backend: - service: - name: tea-svc - port: - number: 80 - - path: /coffee - pathType: Prefix - backend: - service: - name: coffee-svc - port: - number: 80 \ No newline at end of file diff --git a/nginx-ingress-cel/disallow-ingress-nginx-custom-snippets/.chainsaw-test/ig-good.yaml b/nginx-ingress-cel/disallow-ingress-nginx-custom-snippets/.chainsaw-test/ig-good.yaml deleted file mode 100644 index 37a7cec08..000000000 --- a/nginx-ingress-cel/disallow-ingress-nginx-custom-snippets/.chainsaw-test/ig-good.yaml +++ /dev/null 
@@ -1,50 +0,0 @@ - -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: cafe-ingress-with-snippets - annotations: - foo: bar -spec: - rules: - - host: cafe.example.com - http: - paths: - - path: /tea - pathType: Prefix - backend: - service: - name: tea-svc - port: - number: 80 - - path: /coffee - pathType: Prefix - backend: - service: - name: coffee-svc - port: - number: 80 ---- -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: cafe-ingress -spec: - rules: - - host: cafe.example.com - http: - paths: - - path: /tea - pathType: Prefix - backend: - service: - name: tea-svc - port: - number: 80 - - path: /coffee - pathType: Prefix - backend: - service: - name: coffee-svc - port: - number: 80 \ No newline at end of file diff --git a/nginx-ingress-cel/disallow-ingress-nginx-custom-snippets/.chainsaw-test/policy-ready.yaml b/nginx-ingress-cel/disallow-ingress-nginx-custom-snippets/.chainsaw-test/policy-ready.yaml deleted file mode 100644 index 22580bde4..000000000 --- a/nginx-ingress-cel/disallow-ingress-nginx-custom-snippets/.chainsaw-test/policy-ready.yaml +++ /dev/null @@ -1,9 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: disallow-ingress-nginx-custom-snippets -status: - conditions: - - reason: Succeeded - status: "True" - type: Ready diff --git a/nginx-ingress-cel/disallow-ingress-nginx-custom-snippets/.kyverno-test/kyverno-test.yaml b/nginx-ingress-cel/disallow-ingress-nginx-custom-snippets/.kyverno-test/kyverno-test.yaml deleted file mode 100644 index d668087bf..000000000 --- a/nginx-ingress-cel/disallow-ingress-nginx-custom-snippets/.kyverno-test/kyverno-test.yaml +++ /dev/null 
@@ -1,35 +0,0 @@ -apiVersion: cli.kyverno.io/v1alpha1 -kind: Test -metadata: - name: disallow_nginx_custom_snippets -policies: -- ../disallow-ingress-nginx-custom-snippets.yaml -resources: -- resources.yaml -results: -- kind: ConfigMap - policy: disallow-ingress-nginx-custom-snippets - resources: - - config-map-true - result: fail - rule: check-config-map -- kind: ConfigMap - policy: disallow-ingress-nginx-custom-snippets - resources: - - config-map-false - - config-map-other - - config-map-empty - result: pass - rule: check-config-map -- kind: Ingress - policy: disallow-ingress-nginx-custom-snippets - resources: - - cafe-ingress-with-snippets - result: fail - rule: check-ingress-annotations -- kind: Ingress - policy: disallow-ingress-nginx-custom-snippets - resources: - - cafe-ingress - result: pass - rule: check-ingress-annotations diff --git a/nginx-ingress-cel/disallow-ingress-nginx-custom-snippets/.kyverno-test/resources.yaml b/nginx-ingress-cel/disallow-ingress-nginx-custom-snippets/.kyverno-test/resources.yaml deleted file mode 100644 index 062f1f953..000000000 --- a/nginx-ingress-cel/disallow-ingress-nginx-custom-snippets/.kyverno-test/resources.yaml +++ /dev/null 
@@ -1,81 +0,0 @@ ---- -apiVersion: v1 -data: - allow-snippet-annotations: "false" -kind: ConfigMap -metadata: - name: config-map-false ---- -apiVersion: v1 -data: - allow-snippet-annotations: "true" -kind: ConfigMap -metadata: - name: config-map-true ---- -apiVersion: v1 -data: - random: "someval" -kind: ConfigMap -metadata: - name: config-map-other ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: config-map-empty ---- -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: cafe-ingress-with-snippets - annotations: - nginx.org/server-snippet: | - location / { - return 302 /coffee; - } - nginx.org/location-snippet: | - add_header my-test-header test-value; -spec: - rules: - - host: cafe.example.com - http: - paths: - - path: /tea - pathType: Prefix - backend: - service: - name: tea-svc - port: - number: 80 - - path: /coffee - pathType: Prefix - backend: - service: - name: coffee-svc - port: - number: 80 ---- -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: cafe-ingress -spec: - rules: - - host: cafe.example.com - http: - paths: - - path: /tea - pathType: Prefix - backend: - service: - name: tea-svc - port: - number: 80 - - path: /coffee - pathType: Prefix - backend: - service: - name: coffee-svc - port: - number: 80 \ No newline at end of file diff --git a/nginx-ingress-cel/disallow-ingress-nginx-custom-snippets/artifacthub-pkg.yml b/nginx-ingress-cel/disallow-ingress-nginx-custom-snippets/artifacthub-pkg.yml deleted file mode 100644 index 275f91434..000000000 --- a/nginx-ingress-cel/disallow-ingress-nginx-custom-snippets/artifacthub-pkg.yml +++ /dev/null 
@@ -1,24 +0,0 @@ -name: disallow-ingress-nginx-custom-snippets-cel -version: 1.0.0 -displayName: Disallow Custom Snippets in CEL expressions -description: >- - Users that can create or update ingress objects can use the custom snippets feature to obtain all secrets in the cluster (CVE-2021-25742). This policy disables allow-snippet-annotations in the ingress-nginx configuration and blocks *-snippet annotations on an Ingress. See: https://github.com/kubernetes/ingress-nginx/issues/7837 -install: |- - ```shell - kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/nginx-ingress-cel/disallow-ingress-nginx-custom-snippets/disallow-ingress-nginx-custom-snippets.yaml - ``` -keywords: - - kyverno - - Security - - NGINX Ingress - - CEL Expressions -readme: | - Users that can create or update ingress objects can use the custom snippets feature to obtain all secrets in the cluster (CVE-2021-25742). This policy disables allow-snippet-annotations in the ingress-nginx configuration and blocks *-snippet annotations on an Ingress. See: https://github.com/kubernetes/ingress-nginx/issues/7837 - - Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ -annotations: - kyverno/category: "Security, NGINX Ingress in CEL" - kyverno/kubernetesVersion: "1.26-1.27" - kyverno/subject: "ConfigMap, Ingress" -digest: 461b5ea917b380efcf272d0ac6ab2d8f4ceaa6d8c3b0b71efad5a7b23d10ae99 -createdAt: "2024-05-21T16:14:12Z" diff --git a/nginx-ingress-cel/disallow-ingress-nginx-custom-snippets/disallow-ingress-nginx-custom-snippets.yaml b/nginx-ingress-cel/disallow-ingress-nginx-custom-snippets/disallow-ingress-nginx-custom-snippets.yaml deleted file mode 100644 index b8bf7d365..000000000 --- a/nginx-ingress-cel/disallow-ingress-nginx-custom-snippets/disallow-ingress-nginx-custom-snippets.yaml +++ /dev/null 
@@ -1,49 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: disallow-ingress-nginx-custom-snippets - annotations: - policies.kyverno.io/title: Disallow Custom Snippets in CEL expressions - policies.kyverno.io/category: Security, NGINX Ingress in CEL - policies.kyverno.io/subject: ConfigMap, Ingress - policies.kyverno.io/minversion: "1.11.0" - kyverno.io/kyverno-version: "1.11.0" - kyverno.io/kubernetes-version: "1.26-1.27" - policies.kyverno.io/description: >- - Users that can create or update ingress objects can use the custom snippets - feature to obtain all secrets in the cluster (CVE-2021-25742). This policy - disables allow-snippet-annotations in the ingress-nginx configuration and - blocks *-snippet annotations on an Ingress. - See: https://github.com/kubernetes/ingress-nginx/issues/7837 -spec: - validationFailureAction: Enforce - rules: - - name: check-config-map - match: - any: - - resources: - kinds: - - ConfigMap - operations: - - CREATE - - UPDATE - validate: - cel: - expressions: - - expression: "object.?data[?'allow-snippet-annotations'].orValue('false') == 'false'" - message: "ingress-nginx allow-snippet-annotations must be set to false" - - name: check-ingress-annotations - match: - any: - - resources: - kinds: - - networking.k8s.io/v1/Ingress - operations: - - CREATE - - UPDATE - validate: - cel: - expressions: - - expression: "!object.metadata.?annotations.orValue([]).exists(annotation, annotation.endsWith('-snippet'))" - message: "ingress-nginx custom snippets are not allowed" - diff --git a/nginx-ingress-cel/restrict-annotations/.chainsaw-test/chainsaw-test.yaml b/nginx-ingress-cel/restrict-annotations/.chainsaw-test/chainsaw-test.yaml deleted file mode 100755 index 587740382..000000000 --- a/nginx-ingress-cel/restrict-annotations/.chainsaw-test/chainsaw-test.yaml +++ /dev/null 
@@ -1,23 +0,0 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json -apiVersion: chainsaw.kyverno.io/v1alpha1 -kind: Test -metadata: - creationTimestamp: null - name: restrict-annotations -spec: - steps: - - name: step-01 - try: - - apply: - file: ../restrict-annotations.yaml - - assert: - file: policy-ready.yaml - - name: step-02 - try: - - apply: - file: ig-good.yaml - - apply: - expect: - - check: - ($error != null): true - file: ig-bad.yaml diff --git a/nginx-ingress-cel/restrict-annotations/.chainsaw-test/ig-bad.yaml b/nginx-ingress-cel/restrict-annotations/.chainsaw-test/ig-bad.yaml deleted file mode 100644 index fd98e54ca..000000000 --- a/nginx-ingress-cel/restrict-annotations/.chainsaw-test/ig-bad.yaml +++ /dev/null 
@@ -1,129 +0,0 @@ -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: cafe-ingress-with-snippets - annotations: - nginx.org/bad: "alias; " -spec: - rules: - - host: cafe.example.com - http: - paths: - - path: /tea - pathType: Prefix - backend: - service: - name: tea-svc - port: - number: 80 - - path: /coffee - pathType: Prefix - backend: - service: - name: coffee-svc - port: - number: 80 ---- -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: cafe-ingress-with-snippets - annotations: - nginx.org/bad: " root ;" -spec: - rules: - - host: cafe.example.com - http: - paths: - - path: /tea - pathType: Prefix - backend: - service: - name: tea-svc - port: - number: 80 - - path: /coffee - pathType: Prefix - backend: - service: - name: coffee-svc - port: - number: 80 ---- -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: etc-passwd - annotations: - nginx.org/bad: "/etc/passwd" -spec: - rules: - - host: cafe.example.com - http: - paths: - - path: /tea - pathType: Prefix - backend: - service: - name: tea-svc - port: - number: 80 - - path: /coffee - pathType: Prefix - backend: - service: - name: coffee-svc - port: - number: 80 ---- -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: var-run-secrets - annotations: - nginx.org/bad: "/var/run/secrets" -spec: - rules: - - host: cafe.example.com - http: - paths: - - path: /tea - pathType: Prefix - backend: - service: - name: tea-svc - port: - number: 80 - - path: /coffee - pathType: Prefix - backend: - service: - name: coffee-svc - port: - number: 80 ---- -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: lua - annotations: - nginx.org/bad: "*! _by_lua 8010-191091" -spec: - rules: - - host: cafe.example.com - http: - paths: - - path: /tea - pathType: Prefix - backend: - service: - name: tea-svc - port: - number: 80 - - path: /coffee - pathType: Prefix - backend: - service: - name: coffee-svc - port: - number: 80 \ No newline at end of file 
diff --git a/nginx-ingress-cel/restrict-annotations/.chainsaw-test/ig-good.yaml b/nginx-ingress-cel/restrict-annotations/.chainsaw-test/ig-good.yaml deleted file mode 100644 index 1f0b3a8ec..000000000 --- a/nginx-ingress-cel/restrict-annotations/.chainsaw-test/ig-good.yaml +++ /dev/null @@ -1,49 +0,0 @@ -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: cafe-ingress-with-snippets - annotations: - nginx.org/good: "value" -spec: - rules: - - host: cafe.example.com - http: - paths: - - path: /tea - pathType: Prefix - backend: - service: - name: tea-svc - port: - number: 80 - - path: /coffee - pathType: Prefix - backend: - service: - name: coffee-svc - port: - number: 80 ---- -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: cafe-ingress -spec: - rules: - - host: cafe.example.com - http: - paths: - - path: /tea - pathType: Prefix - backend: - service: - name: tea-svc - port: - number: 80 - - path: /coffee - pathType: Prefix - backend: - service: - name: coffee-svc - port: - number: 80 \ No newline at end of file diff --git a/nginx-ingress-cel/restrict-annotations/.chainsaw-test/policy-ready.yaml b/nginx-ingress-cel/restrict-annotations/.chainsaw-test/policy-ready.yaml deleted file mode 100644 index 6f095d506..000000000 --- a/nginx-ingress-cel/restrict-annotations/.chainsaw-test/policy-ready.yaml +++ /dev/null @@ -1,9 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: restrict-annotations -status: - conditions: - - reason: Succeeded - status: "True" - type: Ready diff --git a/nginx-ingress-cel/restrict-annotations/.kyverno-test/kyverno-test.yaml b/nginx-ingress-cel/restrict-annotations/.kyverno-test/kyverno-test.yaml deleted file mode 100644 index 231768b29..000000000 --- a/nginx-ingress-cel/restrict-annotations/.kyverno-test/kyverno-test.yaml +++ /dev/null 
@@ -1,26 +0,0 @@ -apiVersion: cli.kyverno.io/v1alpha1 -kind: Test -metadata: - name: restrict-annotations -policies: -- ../restrict-annotations.yaml -resources: -- resources.yaml -results: -- kind: Ingress - policy: restrict-annotations - resources: - - alias - - root - - etc-passwd - - var-run-secrets - - lua - result: fail - rule: check-ingress -- kind: Ingress - policy: restrict-annotations - resources: - - no-annotations - - good-annotations - result: pass - rule: check-ingress diff --git a/nginx-ingress-cel/restrict-annotations/.kyverno-test/resources.yaml b/nginx-ingress-cel/restrict-annotations/.kyverno-test/resources.yaml deleted file mode 100644 index ed12c4972..000000000 --- a/nginx-ingress-cel/restrict-annotations/.kyverno-test/resources.yaml +++ /dev/null 
@@ -1,180 +0,0 @@
----
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
- name: no-annotations
-spec:
- rules:
- - host: cafe.example.com
- http:
- paths:
- - path: /tea
- pathType: Prefix
- backend:
- service:
- name: tea-svc
- port:
- number: 80
- - path: /coffee
- pathType: Prefix
- backend:
- service:
- name: coffee-svc
- port:
- number: 80
----
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
- name: good-annotations
- annotations:
- nginx.org/good: "value"
-spec:
- rules:
- - host: cafe.example.com
- http:
- paths:
- - path: /tea
- pathType: Prefix
- backend:
- service:
- name: tea-svc
- port:
- number: 80
- - path: /coffee
- pathType: Prefix
- backend:
- service:
- name: coffee-svc
- port:
- number: 80
----
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
- name: alias
- annotations:
- nginx.org/bad: "alias; "
-spec:
- rules:
- - host: cafe.example.com
- http:
- paths:
- - path: /tea
- pathType: Prefix
- backend:
- service:
- name: tea-svc
- port:
- number: 80
- - path: /coffee
- pathType: Prefix
- backend:
- service:
- name: coffee-svc
- port:
- number: 80
----
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
- name: root
- annotations:
- nginx.org/bad: " root ;"
-spec:
- rules:
- - host: cafe.example.com
- http:
- paths:
- - path: /tea
- pathType: Prefix
- backend:
- service:
- name: tea-svc
- port:
- number: 80
- - path: /coffee
- pathType: Prefix
- backend:
- service:
- name: coffee-svc
- port:
- number: 80
----
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
- name: etc-passwd
- annotations:
- nginx.org/bad: "/etc/passwd"
-spec:
- rules:
- - host: cafe.example.com
- http:
- paths:
- - path: /tea
- pathType: Prefix
- backend:
- service:
- name: tea-svc
- port:
- number: 80
- - path: /coffee
- pathType: Prefix
- backend:
- service:
- name: coffee-svc
- port:
- number: 80
----
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
- name: var-run-secrets
- annotations:
- nginx.org/bad: 
"/var/run/secrets"
-spec:
- rules:
- - host: cafe.example.com
- http:
- paths:
- - path: /tea
- pathType: Prefix
- backend:
- service:
- name: tea-svc
- port:
- number: 80
- - path: /coffee
- pathType: Prefix
- backend:
- service:
- name: coffee-svc
- port:
- number: 80
----
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
- name: lua
- annotations:
- nginx.org/bad: "*! _by_lua 8010-191091"
-spec:
- rules:
- - host: cafe.example.com
- http:
- paths:
- - path: /tea
- pathType: Prefix
- backend:
- service:
- name: tea-svc
- port:
- number: 80
- - path: /coffee
- pathType: Prefix
- backend:
- service:
- name: coffee-svc
- port:
- number: 80
\ No newline at end of file
diff --git a/nginx-ingress-cel/restrict-annotations/artifacthub-pkg.yml b/nginx-ingress-cel/restrict-annotations/artifacthub-pkg.yml
deleted file mode 100644
index f56be90e7..000000000
--- a/nginx-ingress-cel/restrict-annotations/artifacthub-pkg.yml
+++ /dev/null
@@ -1,24 +0,0 @@
-name: restrict-annotations-cel
-version: 1.0.0
-displayName: Restrict NGINX Ingress annotation values in CEL expressions
-description: >-
- This policy mitigates CVE-2021-25746 by restricting `metadata.annotations` to safe values. See: https://github.com/kubernetes/ingress-nginx/blame/main/internal/ingress/inspector/rules.go. This issue has been fixed in NGINX Ingress v1.2.0. For NGINX Ingress version 1.0.5+ the "annotation-value-word-blocklist" configuration setting is also recommended. Please refer to the CVE for details.
-install: |-
- ```shell
- kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/nginx-ingress-cel/restrict-annotations/restrict-annotations.yaml
- ```
-keywords:
- - kyverno
- - Security
- - NGINX Ingress
- - CEL Expressions
-readme: |
- This policy mitigates CVE-2021-25746 by restricting `metadata.annotations` to safe values. See: https://github.com/kubernetes/ingress-nginx/blame/main/internal/ingress/inspector/rules.go. This issue has been fixed in NGINX Ingress v1.2.0. For NGINX Ingress version 1.0.5+ the "annotation-value-word-blocklist" configuration setting is also recommended. Please refer to the CVE for details.
-
- Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/
-annotations:
- kyverno/category: "Security, NGINX Ingress in CEL"
- kyverno/kubernetesVersion: "1.26-1.27"
- kyverno/subject: "Ingress"
-digest: 1d65f2c381b323065215afcbc0c0dfaf42b5a3485c4b90ad8dd5035a6f331914
-createdAt: "2024-05-22T06:47:38Z"
diff --git a/nginx-ingress-cel/restrict-annotations/restrict-annotations.yaml b/nginx-ingress-cel/restrict-annotations/restrict-annotations.yaml
deleted file mode 100644
index cf61a4ac9..000000000
--- a/nginx-ingress-cel/restrict-annotations/restrict-annotations.yaml
+++ /dev/null
@@ -1,44 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
- name: restrict-annotations
- annotations:
- policies.kyverno.io/title: Restrict NGINX Ingress annotation values in CEL expressions
- policies.kyverno.io/category: Security, NGINX Ingress in CEL
- policies.kyverno.io/severity: high
- policies.kyverno.io/subject: Ingress
- policies.kyverno.io/minversion: "1.11.0"
- kyverno.io/kyverno-version: "1.11.0"
- kyverno.io/kubernetes-version: "1.26-1.27"
- policies.kyverno.io/description: >-
- This policy mitigates CVE-2021-25746 by restricting `metadata.annotations` to safe values.
- See: https://github.com/kubernetes/ingress-nginx/blame/main/internal/ingress/inspector/rules.go.
- This issue has been fixed in NGINX Ingress v1.2.0. For NGINX Ingress version 1.0.5+ the
- "annotation-value-word-blocklist" configuration setting is also recommended.
- Please refer to the CVE for details.
-spec:
- validationFailureAction: Enforce
- rules:
- - name: check-ingress
- match:
- any:
- - resources:
- kinds:
- - networking.k8s.io/v1/Ingress
- operations:
- - CREATE
- - UPDATE
- validate:
- cel:
- expressions:
- - expression: >-
- !has(object.metadata.annotations) ||
- (
- !object.metadata.annotations.exists(annotation, object.metadata.annotations[annotation].matches('\\s*alias\\s*.*;')) &&
- !object.metadata.annotations.exists(annotation, object.metadata.annotations[annotation].matches('\\s*root\\s*.*;')) &&
- !object.metadata.annotations.exists(annotation, object.metadata.annotations[annotation].matches('/etc/(passwd|shadow|group|nginx|ingress-controller)')) &&
- !object.metadata.annotations.exists(annotation, object.metadata.annotations[annotation].matches('/var/run/secrets')) &&
- !object.metadata.annotations.exists(annotation, object.metadata.annotations[annotation].matches('.*_by_lua.*'))
- )
- message: "spec.rules[].http.paths[].path value is not allowed"
-
diff --git a/nginx-ingress-cel/restrict-ingress-paths/.chainsaw-test/chainsaw-test.yaml b/nginx-ingress-cel/restrict-ingress-paths/.chainsaw-test/chainsaw-test.yaml
deleted file mode 100755
index 1a716aa8c..000000000
--- a/nginx-ingress-cel/restrict-ingress-paths/.chainsaw-test/chainsaw-test.yaml
+++ /dev/null
@@ -1,23 +0,0 @@
-# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
-apiVersion: chainsaw.kyverno.io/v1alpha1
-kind: Test
-metadata:
- creationTimestamp: null
- name: restrict-ingress-paths
-spec:
- steps:
- - name: step-01
- try:
- - apply:
- file: ../restrict-ingress-paths.yaml
- - assert:
- file: policy-ready.yaml
- - name: step-02
- try:
- - apply:
- file: ig-good.yaml
- - apply:
- expect:
- - check:
- ($error != null): true
- file: ig-bad.yaml
diff --git a/nginx-ingress-cel/restrict-ingress-paths/.chainsaw-test/ig-bad.yaml b/nginx-ingress-cel/restrict-ingress-paths/.chainsaw-test/ig-bad.yaml
deleted file mode 100644
index b3874294d..000000000
--- a/nginx-ingress-cel/restrict-ingress-paths/.chainsaw-test/ig-bad.yaml
+++ /dev/null
@@ -1,85 +0,0 @@
-
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
- name: bad-path-root
-spec:
- rules:
- - host: cafe.example.com
- http:
- paths:
- - path: /root
- pathType: Prefix
- backend:
- service:
- name: tea-svc
- port:
- number: 80
----
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
- name: bad-path-secrets
-spec:
- rules:
- - host: cafe.example.com
- http:
- paths:
- - path: /var/run/secrets
- pathType: Prefix
- backend:
- service:
- name: tea-svc
- port:
- number: 80
----
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
- name: bad-path-etc-kubernetes
-spec:
- rules:
- - host: cafe.example.com
- http:
- paths:
- - path: /etc/kubernetes/admin.conf
- pathType: Prefix
- backend:
- service:
- name: tea-svc
- port:
- number: 80
----
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
- name: bad-path-serviceaccount
-spec:
- rules:
- - host: cafe.example.com
- http:
- paths:
- - path: /var/run/kubernetes/serviceaccount
- pathType: Prefix
- backend:
- service:
- name: tea-svc
- port:
- number: 80
----
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
- name: bad-path-etc
-spec:
- rules:
- - host: example.com
- http:
- paths:
- - path: /etc/config
- pathType: Prefix
- backend:
- service:
- name: nginx-service
- port:
- number: 80
\ No newline at end of file
diff --git a/nginx-ingress-cel/restrict-ingress-paths/.chainsaw-test/ig-good.yaml b/nginx-ingress-cel/restrict-ingress-paths/.chainsaw-test/ig-good.yaml
deleted file mode 100644
index a0d35da2b..000000000
--- a/nginx-ingress-cel/restrict-ingress-paths/.chainsaw-test/ig-good.yaml
+++ /dev/null
@@ -1,23 +0,0 @@
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
- name: good-paths
-spec:
- rules:
- - host: cafe.example.com
- http:
- paths:
- - path: /tea
- pathType: Prefix
- backend:
- service:
- name: tea-svc
- port:
- number: 80
- - path: /coffee
- pathType: Prefix
- backend:
- service:
- name: coffee-svc
- port:
- number: 80
\ No newline at end of file
diff --git a/nginx-ingress-cel/restrict-ingress-paths/.chainsaw-test/policy-ready.yaml b/nginx-ingress-cel/restrict-ingress-paths/.chainsaw-test/policy-ready.yaml
deleted file mode 100644
index 9d92cb157..000000000
--- a/nginx-ingress-cel/restrict-ingress-paths/.chainsaw-test/policy-ready.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
- name: restrict-ingress-paths
-status:
- conditions:
- - reason: Succeeded
- status: "True"
- type: Ready
diff --git a/nginx-ingress-cel/restrict-ingress-paths/.kyverno-test/kyverno-test.yaml b/nginx-ingress-cel/restrict-ingress-paths/.kyverno-test/kyverno-test.yaml
deleted file mode 100644
index bde8a7d90..000000000
--- a/nginx-ingress-cel/restrict-ingress-paths/.kyverno-test/kyverno-test.yaml
+++ /dev/null
@@ -1,25 +0,0 @@
-apiVersion: cli.kyverno.io/v1alpha1
-kind: Test
-metadata:
- name: restrict-annotations
-policies:
-- ../restrict-ingress-paths.yaml
-resources:
-- resources.yaml
-results:
-- kind: Ingress
- policy: restrict-ingress-paths
- resources:
- - bad-path-root
- - bad-path-etc
- - bad-path-etc-kubernetes
- - bad-path-serviceaccount
- - bad-path-secrets
- result: fail
- rule: check-paths
-- kind: Ingress
- policy: restrict-ingress-paths
- resources:
- - good-paths
- result: pass
- rule: check-paths
diff --git a/nginx-ingress-cel/restrict-ingress-paths/.kyverno-test/resources.yaml b/nginx-ingress-cel/restrict-ingress-paths/.kyverno-test/resources.yaml
deleted file mode 100644
index f413946e8..000000000
--- a/nginx-ingress-cel/restrict-ingress-paths/.kyverno-test/resources.yaml
+++ /dev/null
@@ -1,109 +0,0 @@
----
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
- name: good-paths
-spec:
- rules:
- - host: cafe.example.com
- http:
- paths:
- - path: /tea
- pathType: Prefix
- backend:
- service:
- name: tea-svc
- port:
- number: 80
- - path: /coffee
- pathType: Prefix
- backend:
- service:
- name: coffee-svc
- port:
- number: 80
----
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
- name: bad-path-root
-spec:
- rules:
- - host: cafe.example.com
- http:
- paths:
- - path: /root
- pathType: Prefix
- backend:
- service:
- name: tea-svc
- port:
- number: 80
----
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
- name: bad-path-secrets
-spec:
- rules:
- - host: cafe.example.com
- http:
- paths:
- - path: /var/run/secrets
- pathType: Prefix
- backend:
- service:
- name: tea-svc
- port:
- number: 80
----
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
- name: bad-path-etc-kubernetes
-spec:
- rules:
- - host: cafe.example.com
- http:
- paths:
- - path: /etc/kubernetes/admin.conf
- pathType: Prefix
- backend:
- service:
- name: tea-svc
- port:
- number: 80
----
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
- name: bad-path-serviceaccount
-spec:
- rules:
- - host: cafe.example.com
- http:
- paths:
- - path: /var/run/kubernetes/serviceaccount
- pathType: Prefix
- backend:
- service:
- name: tea-svc
- port:
- number: 80
----
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
- name: bad-path-etc
-spec:
- rules:
- - host: example.com
- http:
- paths:
- - path: /etc/config
- pathType: Prefix
- backend:
- service:
- name: nginx-service
- port:
- number: 80
\ No newline at end of file
diff --git a/nginx-ingress-cel/restrict-ingress-paths/artifacthub-pkg.yml b/nginx-ingress-cel/restrict-ingress-paths/artifacthub-pkg.yml
deleted file mode 100644
index 29e399bc6..000000000
--- a/nginx-ingress-cel/restrict-ingress-paths/artifacthub-pkg.yml
+++ /dev/null
@@ -1,24 +0,0 @@
-name: restrict-ingress-paths-cel
-version: 1.0.0
-displayName: Restrict NGINX Ingress path values in CEL expressions
-description: >-
- This policy mitigates CVE-2021-25745 by restricting `spec.rules[].http.paths[].path` to safe values. Additional paths can be added as required. This issue has been fixed in NGINX Ingress v1.2.0. Please refer to the CVE for details.
-install: |-
- ```shell
- kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/nginx-ingress-cel/restrict-ingress-paths/restrict-ingress-paths.yaml
- ```
-keywords:
- - kyverno
- - Security
- - NGINX Ingress
- - CEL Expressions
-readme: |
- This policy mitigates CVE-2021-25745 by restricting `spec.rules[].http.paths[].path` to safe values. Additional paths can be added as required. This issue has been fixed in NGINX Ingress v1.2.0. Please refer to the CVE for details.
-
- Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/
-annotations:
- kyverno/category: "Security, NGINX Ingress in CEL"
- kyverno/kubernetesVersion: "1.26-1.27"
- kyverno/subject: "Ingress"
-digest: 27e33a96f483688a088cd64017dd8c69ab2677e53f7a66b95a804c897f104755
-createdAt: "2024-05-22T07:13:08Z"
diff --git a/nginx-ingress-cel/restrict-ingress-paths/restrict-ingress-paths.yaml b/nginx-ingress-cel/restrict-ingress-paths/restrict-ingress-paths.yaml
deleted file mode 100644
index f65692e8f..000000000
--- a/nginx-ingress-cel/restrict-ingress-paths/restrict-ingress-paths.yaml
+++ /dev/null
@@ -1,39 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
- name: restrict-ingress-paths
- annotations:
- policies.kyverno.io/title: Restrict NGINX Ingress path values in CEL expressions
- policies.kyverno.io/category: Security, NGINX Ingress in CEL
- policies.kyverno.io/severity: high
- policies.kyverno.io/subject: Ingress
- policies.kyverno.io/minversion: "1.11.0"
- kyverno.io/kyverno-version: "1.11.0"
- kyverno.io/kubernetes-version: "1.26-1.27"
- policies.kyverno.io/description: >-
- This policy mitigates CVE-2021-25745 by restricting `spec.rules[].http.paths[].path` to safe values.
- Additional paths can be added as required. This issue has been fixed in NGINX Ingress v1.2.0.
- Please refer to the CVE for details.
-spec:
- validationFailureAction: Enforce
- rules:
- - name: check-paths
- match:
- any:
- - resources:
- kinds:
- - networking.k8s.io/v1/Ingress
- operations:
- - CREATE
- - UPDATE
- validate:
- cel:
- expressions:
- - expression: >-
- object.spec.?rules.orValue([]).all(rule,
- rule.?http.?paths.orValue([]).all(p,
- !p.path.contains('/etc') && !p.path.contains('/var/run/secrets') &&
- !p.path.contains('/root') && !p.path.contains('/var/run/kubernetes/serviceaccount') &&
- !p.path.contains('/etc/kubernetes/admin.conf')))
- message: "spec.rules[].http.paths[].path value is not allowed"
-
diff --git a/nginx-ingress/disallow-ingress-nginx-custom-snippets/.chainsaw-test/chainsaw-test.yaml b/nginx-ingress/disallow-ingress-nginx-custom-snippets/.chainsaw-test/chainsaw-test.yaml
index f8d331033..18634115c 100755
--- a/nginx-ingress/disallow-ingress-nginx-custom-snippets/.chainsaw-test/chainsaw-test.yaml
+++ b/nginx-ingress/disallow-ingress-nginx-custom-snippets/.chainsaw-test/chainsaw-test.yaml
@@ -1,4 +1,3 @@
-# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
 apiVersion: chainsaw.kyverno.io/v1alpha1
 kind: Test
 metadata:
diff --git a/nginx-ingress/disallow-ingress-nginx-custom-snippets/.chainsaw-test/policy-ready.yaml b/nginx-ingress/disallow-ingress-nginx-custom-snippets/.chainsaw-test/policy-ready.yaml
index 22580bde4..8419e2c67 100644
--- a/nginx-ingress/disallow-ingress-nginx-custom-snippets/.chainsaw-test/policy-ready.yaml
+++ b/nginx-ingress/disallow-ingress-nginx-custom-snippets/.chainsaw-test/policy-ready.yaml
@@ -3,7 +3,4 @@ kind: ClusterPolicy
 metadata:
 name: disallow-ingress-nginx-custom-snippets
 status:
- conditions:
- - reason: Succeeded
- status: "True"
- type: Ready
+ ready: true
\ No newline at end of file
diff --git a/nginx-ingress/disallow-ingress-nginx-custom-snippets/artifacthub-pkg.yml b/nginx-ingress/disallow-ingress-nginx-custom-snippets/artifacthub-pkg.yml
index 7c6e08872..e6fb8f915 100644
--- a/nginx-ingress/disallow-ingress-nginx-custom-snippets/artifacthub-pkg.yml
+++ b/nginx-ingress/disallow-ingress-nginx-custom-snippets/artifacthub-pkg.yml
@@ -20,4 +20,4 @@ annotations:
 kyverno/category: "Security, NGINX Ingress"
 kyverno/kubernetesVersion: "1.23"
 kyverno/subject: "ConfigMap, Ingress"
-digest: 96d31faa4e116027b69e70a654f0d7847d7ea2724ea439d8318550466db86921
+digest: f82c858055d25ed42fa4ec3104c73e59eb17411d06ee65eb78f6063497785e57
diff --git a/nginx-ingress/disallow-ingress-nginx-custom-snippets/disallow-ingress-nginx-custom-snippets.yaml b/nginx-ingress/disallow-ingress-nginx-custom-snippets/disallow-ingress-nginx-custom-snippets.yaml
index e0b40d881..84f3d0dd3 100644
--- a/nginx-ingress/disallow-ingress-nginx-custom-snippets/disallow-ingress-nginx-custom-snippets.yaml
+++ b/nginx-ingress/disallow-ingress-nginx-custom-snippets/disallow-ingress-nginx-custom-snippets.yaml
@@ -16,7 +16,7 @@ metadata:
 blocks *-snippet annotations on an Ingress.
 See: https://github.com/kubernetes/ingress-nginx/issues/7837
 spec:
- validationFailureAction: Enforce
+ validationFailureAction: enforce
 rules:
 - name: check-config-map
 match:
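Review bot: The new readiness assertion `ready: true` in policy-ready.yaml keys on the boolean `status.ready`, whereas the replaced block asserted on `status.conditions` with `type: Ready`; as far as I recall, Kyverno's policy status documents the boolean as deprecated in favour of conditions, so this chainsaw check is at risk of silently failing to match once a controller version stops populating it. If the goal is a shorter assertion, a condition-based form is still compact: under `status:` keep `conditions:` with a single entry `- type: Ready` / `status: "True"` and drop the `reason` line, which is the part that tends to vary between versions. The same replacement is made in the policy-ready.yaml hunks for restrict-annotations and restrict-ingress-paths further down this diff.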
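Review bot: `validationFailureAction: enforce` switches to the lowercase spelling, while the CEL variants deleted in this same diff (and, to my knowledge, Kyverno's own documentation) write the capitalised `Enforce`; the kyverno.io/v1 schema accepts both, so this is a consistency point rather than a functional one, but it leaves the repository with two conventions for the same field. Keeping `validationFailureAction: Enforce` on the new side avoids the mixed casing. The same edit appears in the restrict-annotations.yaml and restrict-ingress-paths.yaml hunks later in this diff, and the enclosing ClusterPolicy spec continues outside each hunk.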
diff --git a/nginx-ingress/restrict-annotations/.chainsaw-test/chainsaw-test.yaml b/nginx-ingress/restrict-annotations/.chainsaw-test/chainsaw-test.yaml
index 587740382..a2b4c1a1d 100755
--- a/nginx-ingress/restrict-annotations/.chainsaw-test/chainsaw-test.yaml
+++ b/nginx-ingress/restrict-annotations/.chainsaw-test/chainsaw-test.yaml
@@ -1,4 +1,3 @@
-# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
 apiVersion: chainsaw.kyverno.io/v1alpha1
 kind: Test
 metadata:
diff --git a/nginx-ingress/restrict-annotations/.chainsaw-test/policy-ready.yaml b/nginx-ingress/restrict-annotations/.chainsaw-test/policy-ready.yaml
index 6f095d506..3e2289190 100644
--- a/nginx-ingress/restrict-annotations/.chainsaw-test/policy-ready.yaml
+++ b/nginx-ingress/restrict-annotations/.chainsaw-test/policy-ready.yaml
@@ -3,7 +3,4 @@ kind: ClusterPolicy
 metadata:
 name: restrict-annotations
 status:
- conditions:
- - reason: Succeeded
- status: "True"
- type: Ready
+ ready: true
\ No newline at end of file
diff --git a/nginx-ingress/restrict-annotations/artifacthub-pkg.yml b/nginx-ingress/restrict-annotations/artifacthub-pkg.yml
index 8c325748e..f5d3f217b 100644
--- a/nginx-ingress/restrict-annotations/artifacthub-pkg.yml
+++ b/nginx-ingress/restrict-annotations/artifacthub-pkg.yml
@@ -20,4 +20,4 @@ annotations:
 kyverno/category: "Security, NGINX Ingress"
 kyverno/kubernetesVersion: "1.23"
 kyverno/subject: "Ingress"
-digest: 9bac2f494b4566ef2c9422e7486e3331123e70ba1f7b246442f08078994f6bf0
+digest: 6618fb9e85f16298c93bea7acde1bd85f18457056733a861d73e555f8b935a1d
diff --git a/nginx-ingress/restrict-annotations/restrict-annotations.yaml b/nginx-ingress/restrict-annotations/restrict-annotations.yaml
index f7f9bd09d..091737f32 100644
--- a/nginx-ingress/restrict-annotations/restrict-annotations.yaml
+++ b/nginx-ingress/restrict-annotations/restrict-annotations.yaml
@@ -17,7 +17,7 @@ metadata:
 "annotation-value-word-blocklist" configuration setting is also recommended.
 Please refer to the CVE for details.
 spec:
- validationFailureAction: Enforce
+ validationFailureAction: enforce
 rules:
 - name: check-ingress
 match:
diff --git a/nginx-ingress/restrict-ingress-paths/.chainsaw-test/chainsaw-test.yaml b/nginx-ingress/restrict-ingress-paths/.chainsaw-test/chainsaw-test.yaml
index 1a716aa8c..ba47ef589 100755
--- a/nginx-ingress/restrict-ingress-paths/.chainsaw-test/chainsaw-test.yaml
+++ b/nginx-ingress/restrict-ingress-paths/.chainsaw-test/chainsaw-test.yaml
@@ -1,4 +1,3 @@
-# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
 apiVersion: chainsaw.kyverno.io/v1alpha1
 kind: Test
 metadata:
diff --git a/nginx-ingress/restrict-ingress-paths/.chainsaw-test/ig-bad.yaml b/nginx-ingress/restrict-ingress-paths/.chainsaw-test/ig-bad.yaml
index b3874294d..b3d09bddb 100644
--- a/nginx-ingress/restrict-ingress-paths/.chainsaw-test/ig-bad.yaml
+++ b/nginx-ingress/restrict-ingress-paths/.chainsaw-test/ig-bad.yaml
@@ -36,7 +36,7 @@ spec:
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
- name: bad-path-etc-kubernetes
+ name: bad-path-etc
 spec:
 rules:
 - host: cafe.example.com
@@ -64,22 +64,5 @@ spec:
 backend:
 service:
 name: tea-svc
- port:
- number: 80
----
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
- name: bad-path-etc
-spec:
- rules:
- - host: example.com
- http:
- paths:
- - path: /etc/config
- pathType: Prefix
- backend:
- service:
- name: nginx-service
 port:
 number: 80
\ No newline at end of file
diff --git a/nginx-ingress/restrict-ingress-paths/.chainsaw-test/policy-ready.yaml b/nginx-ingress/restrict-ingress-paths/.chainsaw-test/policy-ready.yaml
index 9d92cb157..d172b2aef 100644
--- a/nginx-ingress/restrict-ingress-paths/.chainsaw-test/policy-ready.yaml
+++ b/nginx-ingress/restrict-ingress-paths/.chainsaw-test/policy-ready.yaml
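Review bot: In the ig-bad.yaml hunks, deleting the `/etc/config` Ingress and renaming `bad-path-etc-kubernetes` to `bad-path-etc` removes the only negative case for a path under `/etc` that is not `/etc/kubernetes/admin.conf`, so whether the restrict-ingress-paths policy (not visible in this hunk) still rejects a generic `/etc/...` prefix can no longer be observed from the test set. If the policy is meant to cover `/etc` broadly, keep a second resource, e.g. `name: bad-path-etc-config` with `path: /etc/config`, and list it in `.kyverno-test/kyverno-test.yaml`; if it only targets `admin.conf`, the shortened name now suggests wider coverage than the policy provides and the more specific original name was clearer. The same trimming is applied to `.kyverno-test/resources.yaml` and `.kyverno-test/kyverno-test.yaml` in the hunks that follow.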
@@ -3,7 +3,4 @@ kind: ClusterPolicy
 metadata:
 name: restrict-ingress-paths
 status:
- conditions:
- - reason: Succeeded
- status: "True"
- type: Ready
+ ready: true
\ No newline at end of file
diff --git a/nginx-ingress/restrict-ingress-paths/.kyverno-test/kyverno-test.yaml b/nginx-ingress/restrict-ingress-paths/.kyverno-test/kyverno-test.yaml
index bde8a7d90..c57aa2a7e 100644
--- a/nginx-ingress/restrict-ingress-paths/.kyverno-test/kyverno-test.yaml
+++ b/nginx-ingress/restrict-ingress-paths/.kyverno-test/kyverno-test.yaml
@@ -12,7 +12,6 @@ results:
 resources:
 - bad-path-root
 - bad-path-etc
- - bad-path-etc-kubernetes
 - bad-path-serviceaccount
 - bad-path-secrets
 result: fail
diff --git a/nginx-ingress/restrict-ingress-paths/.kyverno-test/resources.yaml b/nginx-ingress/restrict-ingress-paths/.kyverno-test/resources.yaml
index f413946e8..849b672e9 100644
--- a/nginx-ingress/restrict-ingress-paths/.kyverno-test/resources.yaml
+++ b/nginx-ingress/restrict-ingress-paths/.kyverno-test/resources.yaml
@@ -60,7 +60,7 @@ spec:
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
- name: bad-path-etc-kubernetes
+ name: bad-path-etc
 spec:
 rules:
 - host: cafe.example.com
@@ -88,22 +88,5 @@ spec:
 backend:
 service:
 name: tea-svc
- port:
- number: 80
----
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
- name: bad-path-etc
-spec:
- rules:
- - host: example.com
- http:
- paths:
- - path: /etc/config
- pathType: Prefix
- backend:
- service:
- name: nginx-service
 port:
 number: 80
\ No newline at end of file
diff --git a/nginx-ingress/restrict-ingress-paths/artifacthub-pkg.yml b/nginx-ingress/restrict-ingress-paths/artifacthub-pkg.yml
index 1de37b67f..ce23817b0 100644
--- a/nginx-ingress/restrict-ingress-paths/artifacthub-pkg.yml
+++ b/nginx-ingress/restrict-ingress-paths/artifacthub-pkg.yml
@@ -20,4 +20,4 @@ annotations:
 kyverno/category: "Security, NGINX Ingress"
 kyverno/kubernetesVersion: "1.23"
 kyverno/subject: "Ingress"
-digest: 79b9bb86e578c074e99337e99a4f3615c16b131eb67a8e1171aa709c80d4ea46
+digest: ab86ab56e2f637eb204896effe8bde24dc297efa7dd7557bbb497f01b364518e
diff --git a/nginx-ingress/restrict-ingress-paths/restrict-ingress-paths.yaml b/nginx-ingress/restrict-ingress-paths/restrict-ingress-paths.yaml
index d086a9dfd..c4d9d5353 100644
--- a/nginx-ingress/restrict-ingress-paths/restrict-ingress-paths.yaml
+++ b/nginx-ingress/restrict-ingress-paths/restrict-ingress-paths.yaml
@@ -15,7 +15,7 @@ metadata:
 Additional paths can be added as required. This issue has been fixed in NGINX Ingress v1.2.0.
 Please refer to the CVE for details.
 spec:
- validationFailureAction: Enforce
+ validationFailureAction: enforce
 rules:
 - name: check-paths
 match:
diff --git a/openshift-cel/check-routes/.chainsaw-test/chainsaw-test.yaml b/openshift-cel/check-routes/.chainsaw-test/chainsaw-test.yaml
deleted file mode 100755
index 14b19b50c..000000000
--- a/openshift-cel/check-routes/.chainsaw-test/chainsaw-test.yaml
+++ /dev/null
@@ -1,23 +0,0 @@
-# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
-apiVersion: chainsaw.kyverno.io/v1alpha1
-kind: Test
-metadata:
- creationTimestamp: null
- name: check-routes
-spec:
- steps:
- - name: step-01
- try:
- - apply:
- file: ../check-routes.yaml
- - assert:
- file: policy-ready.yaml
- - name: step-02
- try:
- - apply:
- file: route-good.yaml
- - apply:
- expect:
- - check:
- ($error != null): true
- file: route-bad.yaml
diff --git a/openshift-cel/check-routes/.chainsaw-test/policy-ready.yaml b/openshift-cel/check-routes/.chainsaw-test/policy-ready.yaml
deleted file mode 100644
index 195282bec..000000000
--- a/openshift-cel/check-routes/.chainsaw-test/policy-ready.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
- name: check-routes
-status:
- conditions:
- - reason: Succeeded
- status: "True"
- type: Ready
diff --git a/openshift-cel/check-routes/.chainsaw-test/route-bad.yaml b/openshift-cel/check-routes/.chainsaw-test/route-bad.yaml
deleted file mode 100644
index 9411e209e..000000000
--- a/openshift-cel/check-routes/.chainsaw-test/route-bad.yaml
+++ /dev/null
@@ -1,12 +0,0 @@
-apiVersion: route.openshift.io/v1
-kind: Route
-metadata:
- name: hello-openshift-http
-spec:
- host: hello-openshift-hello-openshift.mydomain
- port:
- targetPort: 8080
- to:
- kind: Service
- name: hello-openshift
----
\ No newline at end of file
diff --git a/openshift-cel/check-routes/.chainsaw-test/route-good.yaml b/openshift-cel/check-routes/.chainsaw-test/route-good.yaml
deleted file mode 100644
index c9ee97efe..000000000
--- a/openshift-cel/check-routes/.chainsaw-test/route-good.yaml
+++ /dev/null
@@ -1,66 +0,0 @@
-apiVersion: route.openshift.io/v1
-kind: Route
-metadata:
- name: frontend
-spec:
- host: www.example.com
- to:
- kind: Service
- name: frontend
- tls:
- termination: reencrypt
- key: |-
- -----BEGIN PRIVATE KEY-----
- [...]
- -----END PRIVATE KEY-----
- certificate: |-
- -----BEGIN CERTIFICATE-----
- [...]
- -----END CERTIFICATE-----
- caCertificate: |-
- -----BEGIN CERTIFICATE-----
- [...]
- -----END CERTIFICATE-----
- destinationCACertificate: |-
- -----BEGIN CERTIFICATE-----
- [...]
- -----END CERTIFICATE-----
----
-apiVersion: route.openshift.io/v1
-kind: Route
-metadata:
- name: frontend-edge
-spec:
- host: www.example.com
- to:
- kind: Service
- name: frontend
- tls:
- termination: edge
- key: |-
- -----BEGIN PRIVATE KEY-----
- [...]
- -----END PRIVATE KEY-----
- certificate: |-
- -----BEGIN CERTIFICATE-----
- [...]
- -----END CERTIFICATE-----
- caCertificate: |-
- -----BEGIN CERTIFICATE-----
- [...]
- -----END CERTIFICATE-----
----
-apiVersion: route.openshift.io/v1
-kind: Route
-metadata:
- name: route-passthrough-secured
-spec:
- host: www.example.com
- port:
- targetPort: 8080
- tls:
- termination: passthrough
- insecureEdgeTerminationPolicy: None
- to:
- kind: Service
- name: frontend
diff --git a/openshift-cel/check-routes/.kyverno-test/kyverno-test.yaml b/openshift-cel/check-routes/.kyverno-test/kyverno-test.yaml
deleted file mode 100644
index caf9d781b..000000000
--- a/openshift-cel/check-routes/.kyverno-test/kyverno-test.yaml
+++ /dev/null
@@ -1,23 +0,0 @@
-apiVersion: cli.kyverno.io/v1alpha1
-kind: Test
-metadata:
- name: check-routes
-policies:
-- ../check-routes.yaml
-resources:
-- resources.yaml
-results:
-- kind: Route
- policy: check-routes
- resources:
- - hello-openshift-http
- result: fail
- rule: require-tls-routes
-- kind: Route
- policy: check-routes
- resources:
- - frontend
- - frontend-edge
- - route-passthrough-secured
- result: pass
- rule: require-tls-routes
diff --git a/openshift-cel/check-routes/.kyverno-test/resources.yaml b/openshift-cel/check-routes/.kyverno-test/resources.yaml
deleted file mode 100644
index dd21c42b5..000000000
--- a/openshift-cel/check-routes/.kyverno-test/resources.yaml
+++ /dev/null
@@ -1,78 +0,0 @@
-apiVersion: route.openshift.io/v1
-kind: Route
-metadata:
- name: hello-openshift-http
-spec:
- host: hello-openshift-hello-openshift.mydomain
- port:
- targetPort: 8080
- to:
- kind: Service
- name: hello-openshift
----
-apiVersion: route.openshift.io/v1
-kind: Route
-metadata:
- name: frontend
-spec:
- host: www.example.com
- to:
- kind: Service
- name: frontend
- tls:
- termination: reencrypt
- key: |-
- -----BEGIN PRIVATE KEY-----
- [...]
- -----END PRIVATE KEY-----
- certificate: |-
- -----BEGIN CERTIFICATE-----
- [...]
- -----END CERTIFICATE-----
- caCertificate: |-
- -----BEGIN CERTIFICATE-----
- [...]
- -----END CERTIFICATE-----
- destinationCACertificate: |-
- -----BEGIN CERTIFICATE-----
- [...]
- -----END CERTIFICATE-----
----
-apiVersion: route.openshift.io/v1
-kind: Route
-metadata:
- name: frontend-edge
-spec:
- host: www.example.com
- to:
- kind: Service
- name: frontend
- tls:
- termination: edge
- key: |-
- -----BEGIN PRIVATE KEY-----
- [...]
- -----END PRIVATE KEY-----
- certificate: |-
- -----BEGIN CERTIFICATE-----
- [...]
- -----END CERTIFICATE-----
- caCertificate: |-
- -----BEGIN CERTIFICATE-----
- [...]
- -----END CERTIFICATE-----
----
-apiVersion: route.openshift.io/v1
-kind: Route
-metadata:
- name: route-passthrough-secured
-spec:
- host: www.example.com
- port:
- targetPort: 8080
- tls:
- termination: passthrough
- insecureEdgeTerminationPolicy: None
- to:
- kind: Service
- name: frontend
diff --git a/openshift-cel/check-routes/artifacthub-pkg.yml b/openshift-cel/check-routes/artifacthub-pkg.yml
deleted file mode 100644
index 2eb85d6da..000000000
--- a/openshift-cel/check-routes/artifacthub-pkg.yml
+++ /dev/null
@@ -1,23 +0,0 @@
-name: check-routes-cel
-version: 1.0.0
-displayName: Require TLS routes in OpenShift in CEL expressions
-description: >-
- HTTP traffic is not encrypted and hence insecure. This policy prevents configuration of OpenShift HTTP routes.
-install: |-
- ```shell
- kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/openshift-cel/check-routes/check-routes.yaml
- ```
-keywords:
- - kyverno
- - OpenShift
- - CEL Expressions
-readme: |
- HTTP traffic is not encrypted and hence insecure. This policy prevents configuration of OpenShift HTTP routes.
-
- Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/
-annotations:
- kyverno/category: "OpenShift in CEL"
- kyverno/kubernetesVersion: "1.26-1.27"
- kyverno/subject: "Route"
-digest: ac5ffb379d599adbf5ec0f2b08c76539b696645f6dee7a05f4b9a75b939243f8
-createdAt: "2024-05-22T07:21:10Z"
diff --git a/openshift-cel/check-routes/check-routes.yaml b/openshift-cel/check-routes/check-routes.yaml
deleted file mode 100644
index 7ec6e0d43..000000000
--- a/openshift-cel/check-routes/check-routes.yaml
+++ /dev/null
@@ -1,34 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
- name: check-routes
- annotations:
- policies.kyverno.io/title: Require TLS routes in OpenShift in CEL expressions
- policies.kyverno.io/category: OpenShift in CEL expressions
- policies.kyverno.io/severity: high
- kyverno.io/kyverno-version: 1.11.0
- policies.kyverno.io/minversion: 1.11.0
- kyverno.io/kubernetes-version: "1.26-1.27"
- policies.kyverno.io/subject: Route
- policies.kyverno.io/description: |-
- HTTP traffic is not encrypted and hence insecure. This policy prevents configuration of OpenShift HTTP routes.
-spec:
- validationFailureAction: Enforce
- background: true
- rules:
- - name: require-tls-routes
- match:
- any:
- - resources:
- kinds:
- - route.openshift.io/v1/Route
- operations:
- - CREATE
- - UPDATE
- validate:
- cel:
- expressions:
- - expression: "has(object.spec.tls)"
- message: >-
- HTTP routes are not allowed. Configure TLS for secure routes.
-
diff --git a/openshift-cel/disallow-deprecated-apis/.kyverno-test/kyverno-test.yaml b/openshift-cel/disallow-deprecated-apis/.kyverno-test/kyverno-test.yaml
deleted file mode 100644
index 8d17d1927..000000000
--- a/openshift-cel/disallow-deprecated-apis/.kyverno-test/kyverno-test.yaml
+++ /dev/null
@@ -1,33 +0,0 @@
-apiVersion: cli.kyverno.io/v1alpha1
-kind: Test
-metadata:
- name: check-routes
-policies:
-- ../disallow-deprecated-apis.yaml
-resources:
-- resources.yaml
-results:
-- kind: ClusterRole
- policy: disallow-deprecated-apis
- resources:
- - openshift-cluster-role-deprecated
- result: fail
- rule: check-deprecated-apis
-- kind: ClusterRoleBinding
- policy: disallow-deprecated-apis
- resources:
- - openshift-cluster-role-binding-deprecated
- result: fail
- rule: check-deprecated-apis
-- kind: Role
- policy: disallow-deprecated-apis
- resources:
- - openshift-role-deprecated
- result: fail
- rule: check-deprecated-apis
-- kind: RoleBinding
- policy: disallow-deprecated-apis
- resources:
- - openshift-role-binding-deprecated
- result: fail
- rule: check-deprecated-apis
diff --git a/openshift-cel/disallow-deprecated-apis/.kyverno-test/resources.yaml b/openshift-cel/disallow-deprecated-apis/.kyverno-test/resources.yaml
deleted file mode 100644
index 5f37e352a..000000000
--- a/openshift-cel/disallow-deprecated-apis/.kyverno-test/resources.yaml
+++ /dev/null
@@ -1,89 +0,0 @@
-apiVersion: authorization.openshift.io/v1
-kind: ClusterRole
-metadata:
- name: openshift-cluster-role-deprecated
-spec:
-- apiGroups: [""]
- resources: ["pods"]
- verbs: ["get", "watch", "list"]
----
-apiVersion: authorization.openshift.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: openshift-cluster-role-binding-deprecated
-subjects:
-- kind: User
- name: jane # "name" is case sensitive
- apiGroup: rbac.authorization.k8s.io
-roleRef:
- kind: Role
- name: openshift-cluster-role-deprecated
- apiGroup: authorization.openshift.io/v1
----
-apiVersion: authorization.openshift.io/v1
-kind: Role
-metadata:
- name: openshift-role-deprecated
-spec:
-- apiGroups: [""]
- resources: ["pods"]
- verbs: ["get", "watch", "list"]
----
-apiVersion: authorization.openshift.io/v1
-kind: RoleBinding
-metadata:
- name: openshift-role-binding-deprecated
- namespace: default
-subjects:
-- kind: User
- name: jane # "name" is case sensitive
- apiGroup: rbac.authorization.k8s.io
-roleRef:
- kind: Role
- name: openshift-role-deprecated
- apiGroup: authorization.openshift.io/v1
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: openshift-cluster-role-valid
-spec:
-- apiGroups: [""]
- resources: ["pods"]
- verbs: ["get", "watch", "list"]
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: openshift-cluster-role-binding
-subjects:
-- kind: User
- name: jane # "name" is case sensitive
- apiGroup: rbac.authorization.k8s.io
-roleRef:
- kind: Role
- name: openshift-cluster-role
- apiGroup: rbac.authorization.k8s.io/v1
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
- name: openshift-role
-spec:
-- apiGroups: [""]
- resources: ["pods"]
- verbs: ["get", "watch", "list"]
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: openshift-role-binding
- namespace: default
-subjects:
-- kind: User
- name: jane # "name" is case sensitive
- apiGroup: rbac.authorization.k8s.io
-roleRef:
- kind: Role
- name: openshift-role
- apiGroup: rbac.authorization.k8s.io/v1
diff --git a/openshift-cel/disallow-deprecated-apis/artifacthub-pkg.yml b/openshift-cel/disallow-deprecated-apis/artifacthub-pkg.yml
deleted file mode 100644
index 7cf0c78f2..000000000
--- a/openshift-cel/disallow-deprecated-apis/artifacthub-pkg.yml
+++ /dev/null
@@ -1,23 +0,0 @@
-name: disallow-deprecated-apis-cel
-version: 1.0.0
-displayName: Disallow deprecated APIs in CEL expressions
-description: >-
- OpenShift APIs are sometimes deprecated and removed after a few releases. As a best practice, older API versions should be replaced with newer versions. This policy validates for APIs that are deprecated or scheduled for removal. Note that checking for some of these resources may require modifying the Kyverno ConfigMap to remove filters.
-install: |-
- ```shell
- kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/openshift-cel/disallow-deprecated-apis/disallow-deprecated-apis.yaml
- ```
-keywords:
- - kyverno
- - OpenShift
- - CEL Expressions
-readme: |
- OpenShift APIs are sometimes deprecated and removed after a few releases. As a best practice, older API versions should be replaced with newer versions. This policy validates for APIs that are deprecated or scheduled for removal. Note that checking for some of these resources may require modifying the Kyverno ConfigMap to remove filters.
-
- Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/
-annotations:
- kyverno/category: "OpenShift in CEL"
- kyverno/kubernetesVersion: "1.26-1.27"
- kyverno/subject: "ClusterRole,ClusterRoleBinding,Role,RoleBinding,RBAC"
-digest: 8ca91e6472908c67621b07b800023ff5e93383dbd9fd2d0f90879506cec45dd7
-createdAt: "2024-05-22T07:36:55Z"
diff --git a/openshift-cel/disallow-deprecated-apis/disallow-deprecated-apis.yaml b/openshift-cel/disallow-deprecated-apis/disallow-deprecated-apis.yaml
deleted file mode 100644
index 984f03178..000000000
--- a/openshift-cel/disallow-deprecated-apis/disallow-deprecated-apis.yaml
+++ /dev/null
@@ -1,41 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
- name: disallow-deprecated-apis
- annotations:
- policies.kyverno.io/title: Disallow deprecated APIs in CEL expressions
- policies.kyverno.io/category: OpenShift in CEL
- policies.kyverno.io/severity: medium
- kyverno.io/kyverno-version: 1.11.0
- policies.kyverno.io/minversion: 1.11.0
- kyverno.io/kubernetes-version: "1.26-1.27"
- policies.kyverno.io/subject: ClusterRole,ClusterRoleBinding,Role,RoleBinding,RBAC
- policies.kyverno.io/description: >-
- OpenShift APIs are sometimes deprecated and removed after a few releases.
- As a best practice, older API versions should be replaced with newer versions.
- This policy validates for APIs that are deprecated or scheduled for removal.
- Note that checking for some of these resources may require modifying the Kyverno
- ConfigMap to remove filters.
-spec:
- validationFailureAction: Enforce
- background: true
- rules:
- - name: check-deprecated-apis
- match:
- any:
- - resources:
- kinds:
- - authorization.openshift.io/v1/ClusterRole
- - authorization.openshift.io/v1/ClusterRoleBinding
- - authorization.openshift.io/v1/Role
- - authorization.openshift.io/v1/RoleBinding
- operations:
- - CREATE
- - UPDATE
- validate:
- cel:
- expressions:
- - expression: "false"
- messageExpression: >-
- object.apiVersion + '/' + object.kind + ' is deprecated.'
-
diff --git a/openshift-cel/disallow-jenkins-pipeline-strategy/.kyverno-test/kyverno-test.yaml b/openshift-cel/disallow-jenkins-pipeline-strategy/.kyverno-test/kyverno-test.yaml
deleted file mode 100644
index 4aadc467a..000000000
--- a/openshift-cel/disallow-jenkins-pipeline-strategy/.kyverno-test/kyverno-test.yaml
+++ /dev/null
@@ -1,23 +0,0 @@
-apiVersion: cli.kyverno.io/v1alpha1
-kind: Test
-metadata:
- name: check-policy
-policies:
-- ../disallow-jenkins-pipeline-strategy.yaml
-resources:
-- resources.yaml
-results:
-- kind: BuildConfig
- policy: disallow-jenkins-pipeline-strategy
- resources:
- - sample-jenkins-pipeline
- - sample-jenkins-pipeline-new
- result: fail
- rule: check-build-strategy
-- kind: BuildConfig
- policy: disallow-jenkins-pipeline-strategy
- resources:
- - sample-pipeline-no-jenkins
- - sample-pipeline-no-jenkins-new
- result: pass
- rule: check-build-strategy
diff --git a/openshift-cel/disallow-jenkins-pipeline-strategy/.kyverno-test/resources.yaml b/openshift-cel/disallow-jenkins-pipeline-strategy/.kyverno-test/resources.yaml
deleted file mode 100644
index 335e2e20d..000000000
--- a/openshift-cel/disallow-jenkins-pipeline-strategy/.kyverno-test/resources.yaml
+++ /dev/null
@@ -1,43 +0,0 @@
-kind: "BuildConfig"
-apiVersion: "v1"
-metadata:
- name: "sample-jenkins-pipeline"
-spec:
- source:
- git:
- uri: "https://github.com/openshift/ruby-hello-world"
- strategy:
- jenkinsPipelineStrategy:
- jenkinsfilePath: some/repo/dir/filename
----
-kind: "BuildConfig"
-apiVersion: "v1"
-metadata:
- name: "sample-pipeline-no-jenkins"
-spec:
- source:
- git:
- uri: "https://github.com/openshift/ruby-hello-world"
- strategy: {}
----
-kind: "BuildConfig"
-apiVersion: "build.openshift.io/v1"
-metadata:
- name: "sample-jenkins-pipeline-new"
-spec:
- source:
- git:
- uri: "https://github.com/openshift/ruby-hello-world"
- strategy:
- jenkinsPipelineStrategy:
- jenkinsfilePath: some/repo/dir/filename
----
-kind: "BuildConfig"
-apiVersion: "build.openshift.io/v1"
-metadata:
- name: "sample-pipeline-no-jenkins-new"
-spec:
- source:
- git:
- uri: "https://github.com/openshift/ruby-hello-world"
- strategy: {}
diff --git a/openshift-cel/disallow-jenkins-pipeline-strategy/artifacthub-pkg.yml b/openshift-cel/disallow-jenkins-pipeline-strategy/artifacthub-pkg.yml
deleted file mode 100644
index 10065d31e..000000000
--- a/openshift-cel/disallow-jenkins-pipeline-strategy/artifacthub-pkg.yml
+++ /dev/null
@@ -1,23 +0,0 @@
-name: disallow-jenkins-pipeline-strategy-cel
-version: 1.0.0
-displayName: Disallow OpenShift Jenkins Pipeline Build Strategy in CEL expressions
-description: >-
- The Jenkins Pipeline Build Strategy has been deprecated. This policy prevents its use. Use OpenShift Pipelines instead.
-install: |-
- ```shell
- kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/openshift-cel/disallow-jenkins-pipeline-strategy/disallow-jenkins-pipeline-strategy.yaml
- ```
-keywords:
- - kyverno
- - OpenShift
- - CEL Expressions
-readme: |
- The Jenkins Pipeline Build Strategy has been deprecated. This policy prevents its use. Use OpenShift Pipelines instead.
-
- Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/
-annotations:
- kyverno/category: "OpenShift in CEL"
- kyverno/kubernetesVersion: "1.26-1.27"
- kyverno/subject: "BuildConfig"
-digest: f38131a30e03d633c0745ae181e83c75ae94a180d1e0402a8cba26ccf8088f81
-createdAt: "2024-05-22T09:40:45Z"
diff --git a/openshift-cel/disallow-jenkins-pipeline-strategy/disallow-jenkins-pipeline-strategy.yaml b/openshift-cel/disallow-jenkins-pipeline-strategy/disallow-jenkins-pipeline-strategy.yaml
deleted file mode 100644
index 2857aa488..000000000
--- a/openshift-cel/disallow-jenkins-pipeline-strategy/disallow-jenkins-pipeline-strategy.yaml
+++ /dev/null
@@ -1,35 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
- name: disallow-jenkins-pipeline-strategy
- annotations:
- policies.kyverno.io/title: Disallow OpenShift Jenkins Pipeline Build Strategy in CEL expressions
- policies.kyverno.io/category: OpenShift in CEL
- policies.kyverno.io/severity: medium
- kyverno.io/kyverno-version: 1.11.0
- policies.kyverno.io/minversion: 1.11.0
- kyverno.io/kubernetes-version: "1.26-1.27"
- policies.kyverno.io/subject: BuildConfig
- policies.kyverno.io/description: >-
- The Jenkins Pipeline Build Strategy has been deprecated. This policy prevents its use. Use OpenShift Pipelines instead.
-spec:
- validationFailureAction: Enforce
- background: true
- rules:
- - name: check-build-strategy
- match:
- any:
- - resources:
- kinds:
- - v1/BuildConfig
- - build.openshift.io/v1/BuildConfig
- operations:
- - CREATE
- - UPDATE
- validate:
- cel:
- expressions:
- - expression: "!has(object.spec.strategy.jenkinsPipelineStrategy)"
- message: >-
- Jenkins Pipeline Build Strategy has been deprecated and is not allowed
-
diff --git a/openshift-cel/disallow-security-context-constraint-anyuid/.chainsaw-test/chainsaw-test.yaml b/openshift-cel/disallow-security-context-constraint-anyuid/.chainsaw-test/chainsaw-test.yaml
deleted file mode 100755
index 2b8304268..000000000
--- a/openshift-cel/disallow-security-context-constraint-anyuid/.chainsaw-test/chainsaw-test.yaml
+++ /dev/null
@@ -1,44 +0,0 @@
-# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
-apiVersion: chainsaw.kyverno.io/v1alpha1
-kind: Test
-metadata:
- creationTimestamp: null
- name: disallow-security-context-constraint-anyuid
-spec:
- steps:
- - name: step-01
- try:
- - apply:
- file: ../disallow-security-context-constraint-anyuid.yaml
- - assert:
- file: policy-ready.yaml
- - name: step-02
- try:
- - apply:
- file: roles-good.yaml
- - apply:
- expect:
- - check:
- ($error != null): true
- file: roles-bad.yaml
- - apply:
- file: clusterroles-good.yaml
- - apply:
- expect:
- - check:
- ($error != null): true
- file: clusterroles-bad.yaml
- - apply:
- file: rb-good.yaml
- - apply:
- expect:
- - check:
- ($error != null): true
- file: rb-bad.yaml
- - apply:
- file: crb-good.yaml
- - apply:
- expect:
- - check:
- ($error != null): true
- file: crb-bad.yaml
diff --git a/openshift-cel/disallow-security-context-constraint-anyuid/.chainsaw-test/clusterroles-bad.yaml b/openshift-cel/disallow-security-context-constraint-anyuid/.chainsaw-test/clusterroles-bad.yaml
deleted file mode 100644
index 8c5bdbd84..000000000
--- a/openshift-cel/disallow-security-context-constraint-anyuid/.chainsaw-test/clusterroles-bad.yaml
+++ /dev/null
@@ -1,34 +0,0 @@
-
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: crole-bad01
-rules:
-- apiGroups: [""]
- resources: ["secrets"]
- verbs: ["get", "watch", "list"]
-- apiGroups:
- - security.openshift.io
- resourceNames:
- - anyuid
- resources:
- - securitycontextconstraints
- verbs:
- - use
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: crole-bad02
-rules:
-- apiGroups: [""]
- resources: ["secrets"]
- verbs: ["get", "watch", "list"]
-- apiGroups:
- - security.openshift.io
- resourceNames:
- - anyuid
- resources:
- - securitycontextconstraints
- verbs:
- - "*"
diff --git a/openshift-cel/disallow-security-context-constraint-anyuid/.chainsaw-test/clusterroles-good.yaml b/openshift-cel/disallow-security-context-constraint-anyuid/.chainsaw-test/clusterroles-good.yaml
deleted file mode 100644
index e03d3c81d..000000000
--- a/openshift-cel/disallow-security-context-constraint-anyuid/.chainsaw-test/clusterroles-good.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: crole-good01
-rules:
-- apiGroups: [""]
- resources: ["secrets"]
- verbs: ["get", "watch", "list"]
\ No newline at end of file
diff --git a/openshift-cel/disallow-security-context-constraint-anyuid/.chainsaw-test/crb-bad.yaml b/openshift-cel/disallow-security-context-constraint-anyuid/.chainsaw-test/crb-bad.yaml
deleted file mode 100644
index a3ccd78f9..000000000
--- a/openshift-cel/disallow-security-context-constraint-anyuid/.chainsaw-test/crb-bad.yaml
+++ /dev/null
@@ -1,12 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: clusterrolebinding-bad01
-subjects:
-- kind: Group
- name: manager
- apiGroup: rbac.authorization.k8s.io
-roleRef:
- kind: ClusterRole
- name: system:openshift:scc:anyuid
- apiGroup: rbac.authorization.k8s.io
\ No newline at end of file
diff --git a/openshift-cel/disallow-security-context-constraint-anyuid/.chainsaw-test/crb-good.yaml b/openshift-cel/disallow-security-context-constraint-anyuid/.chainsaw-test/crb-good.yaml
deleted file mode 100644
index b49a62cbf..000000000
--- a/openshift-cel/disallow-security-context-constraint-anyuid/.chainsaw-test/crb-good.yaml
+++ /dev/null
@@ -1,12 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: clusterrolebinding-good01
-subjects:
-- kind: Group
- name: manager
- apiGroup: rbac.authorization.k8s.io
-roleRef:
- kind: ClusterRole
- name: view
- apiGroup: rbac.authorization.k8s.io
diff --git a/openshift-cel/disallow-security-context-constraint-anyuid/.chainsaw-test/policy-ready.yaml b/openshift-cel/disallow-security-context-constraint-anyuid/.chainsaw-test/policy-ready.yaml
deleted file mode 100644
index 3a862d24f..000000000
--- a/openshift-cel/disallow-security-context-constraint-anyuid/.chainsaw-test/policy-ready.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
- name: disallow-security-context-constraint-anyuid
-status:
- conditions:
- - reason: Succeeded
- status: "True"
- type: Ready
diff --git a/openshift-cel/disallow-security-context-constraint-anyuid/.chainsaw-test/rb-bad.yaml b/openshift-cel/disallow-security-context-constraint-anyuid/.chainsaw-test/rb-bad.yaml
deleted file mode 100644
index 378129584..000000000
--- a/openshift-cel/disallow-security-context-constraint-anyuid/.chainsaw-test/rb-bad.yaml
+++ /dev/null
@@ -1,12 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rolebinding-bad01
-subjects:
-- kind: User
- name: dave
- apiGroup: rbac.authorization.k8s.io
-roleRef:
- kind: ClusterRole
- name: system:openshift:scc:anyuid
- apiGroup: rbac.authorization.k8s.io
\ No newline at end of file
diff --git a/openshift-cel/disallow-security-context-constraint-anyuid/.chainsaw-test/rb-good.yaml b/openshift-cel/disallow-security-context-constraint-anyuid/.chainsaw-test/rb-good.yaml
deleted file mode 100644
index 811d5d7c2..000000000
--- a/openshift-cel/disallow-security-context-constraint-anyuid/.chainsaw-test/rb-good.yaml
+++ /dev/null
@@ -1,12 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rolebinding-good01
-subjects:
-- kind: User
- name: dave
- apiGroup: rbac.authorization.k8s.io
-roleRef:
- kind: ClusterRole
- name: view
- apiGroup: rbac.authorization.k8s.io
\ No newline at end of file
diff --git a/openshift-cel/disallow-security-context-constraint-anyuid/.chainsaw-test/roles-bad.yaml b/openshift-cel/disallow-security-context-constraint-anyuid/.chainsaw-test/roles-bad.yaml
deleted file mode 100644
index 984b8cf8b..000000000
--- a/openshift-cel/disallow-security-context-constraint-anyuid/.chainsaw-test/roles-bad.yaml
+++ /dev/null
@@ -1,35 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
- name: pod-role-bad01
-rules:
-- apiGroups: [""]
- resources: ["pods"]
- verbs: ["get", "watch", "list"]
-- apiGroups:
- - security.openshift.io
- resourceNames:
- - anyuid
- resources:
- - securitycontextconstraints
- verbs:
- - use
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
- namespace: default
- name: pod-role-bad02
-rules:
-- apiGroups: [""]
- resources: ["pods"]
- verbs: ["get", "watch", "list"]
-- apiGroups:
- - security.openshift.io
- resourceNames:
- - anyuid
- resources:
- - securitycontextconstraints
- verbs:
- - "*"
----
\ No newline at end of file
diff --git a/openshift-cel/disallow-security-context-constraint-anyuid/.chainsaw-test/roles-good.yaml b/openshift-cel/disallow-security-context-constraint-anyuid/.chainsaw-test/roles-good.yaml
deleted file mode 100644
index 34c8d7a54..000000000
--- a/openshift-cel/disallow-security-context-constraint-anyuid/.chainsaw-test/roles-good.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
- name: good-role01
-rules:
-- apiGroups: [""]
- resources: ["pods"]
- verbs: ["get", "watch", "list"]
\ No newline at end of file
diff --git a/openshift-cel/disallow-security-context-constraint-anyuid/.kyverno-test/kyverno-test.yaml b/openshift-cel/disallow-security-context-constraint-anyuid/.kyverno-test/kyverno-test.yaml
deleted file mode 100644
index 36c55e3bf..000000000
--- a/openshift-cel/disallow-security-context-constraint-anyuid/.kyverno-test/kyverno-test.yaml
+++ /dev/null
@@ -1,59 +0,0 @@
-apiVersion: cli.kyverno.io/v1alpha1
-kind: Test
-metadata:
- name: check-routes
-policies:
-- ../disallow-security-context-constraint-anyuid.yaml
-resources:
-- resources.yaml
-results:
-- kind: ClusterRole
- policy: disallow-security-context-constraint-anyuid
- resources:
- - secret-reader-anyuid-use
- - secret-reader-anyuid-all
- result: fail
- rule: check-security-context-constraint
-- kind: Role
- policy: disallow-security-context-constraint-anyuid
- resources:
- - pod-role-anyuid-use
- - pod-role-anyuid-all
- result: fail
- rule: check-security-context-constraint
-- kind: ClusterRole
- policy: disallow-security-context-constraint-anyuid
- resources:
- - secret-reader
- result: pass
- rule: check-security-context-constraint
-- kind: Role
- policy: disallow-security-context-constraint-anyuid
- resources:
- - pod-role
- result: pass
- rule: check-security-context-constraint
-- kind: ClusterRoleBinding
- policy: disallow-security-context-constraint-anyuid
- resources:
- - clusterrolebinding-anyuid
- result: fail
- rule: check-security-context-roleref
-- kind: RoleBinding
- policy: disallow-security-context-constraint-anyuid
- resources:
- - rolebinding-anyuid
- result: fail
- rule: check-security-context-roleref
-- kind: ClusterRoleBinding
- policy: disallow-security-context-constraint-anyuid
- resources:
- - clusterrolebinding-test
- result: pass
- rule: check-security-context-roleref
-- kind: RoleBinding
- policy: disallow-security-context-constraint-anyuid
- resources:
- - rolebinding-test
- result: pass
- rule: check-security-context-roleref
diff --git a/openshift-cel/disallow-security-context-constraint-anyuid/.kyverno-test/resources.yaml b/openshift-cel/disallow-security-context-constraint-anyuid/.kyverno-test/resources.yaml
deleted file mode 100644
index 0ce3f58be..000000000
--- a/openshift-cel/disallow-security-context-constraint-anyuid/.kyverno-test/resources.yaml
+++ /dev/null
@@ -1,154 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
- namespace: default
- name: pod-role-anyuid-use
-rules:
-- apiGroups: [""] # "" indicates the core API group
- resources: ["pods"]
- verbs: ["get", "watch", "list"]
-- apiGroups:
- - security.openshift.io
- resourceNames:
- - anyuid
- resources:
- - securitycontextconstraints
- verbs:
- - use
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
- namespace: default
- name: pod-role
-rules:
-- apiGroups: [""] # "" indicates the core API group
- resources: ["pods"]
- verbs: ["get", "watch", "list"]
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
- namespace: default
- name: pod-role-anyuid-all
-rules:
-- apiGroups: [""] # "" indicates the core API group
- resources: ["pods"]
- verbs: ["get", "watch", "list"]
-- apiGroups:
- - security.openshift.io
- resourceNames:
- - anyuid
- resources:
- - securitycontextconstraints
- verbs:
- - "*"
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- # "namespace" omitted since ClusterRoles are not namespaced
- name: secret-reader-anyuid-use
-rules:
-- apiGroups: [""]
- #
- # at the HTTP level, the name of the resource for accessing Secret
- # objects is "secrets"
- resources: ["secrets"]
- verbs: ["get", "watch", "list"]
-- apiGroups:
- - security.openshift.io
- resourceNames:
- - anyuid
- resources:
- - securitycontextconstraints
- verbs:
- - use
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- # "namespace" omitted since ClusterRoles are not namespaced
- name: secret-reader
-rules:
-- apiGroups: [""]
- #
- # at the HTTP level, the name of the resource for accessing Secret
- # objects is "secrets"
- resources: ["secrets"]
- verbs: ["get", "watch", "list"]
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- # "namespace" omitted since ClusterRoles are not namespaced
- name: secret-reader-anyuid-all
-rules:
-- apiGroups: [""]
- #
- # at the HTTP level, the name of the resource for accessing Secret
- # objects is "secrets"
- resources: ["secrets"]
- verbs: ["get", "watch", "list"]
-- apiGroups:
- - security.openshift.io
- resourceNames:
- - anyuid
- resources:
- - securitycontextconstraints
- verbs:
- - "*"
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rolebinding-anyuid
- namespace: development
-subjects:
-- kind: User
- name: dave # Name is case sensitive
- apiGroup: rbac.authorization.k8s.io
-roleRef:
- kind: ClusterRole
- name: system:openshift:scc:anyuid
- apiGroup: rbac.authorization.k8s.io
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: clusterrolebinding-anyuid
-subjects:
-- kind: Group
- name: manager # Name is case sensitive
- apiGroup: rbac.authorization.k8s.io
-roleRef:
- kind: ClusterRole
- name: system:openshift:scc:anyuid
- apiGroup: rbac.authorization.k8s.io
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rolebinding-test
- namespace: development
-subjects:
-- kind: User
- name: dave # Name is case sensitive
- apiGroup: rbac.authorization.k8s.io
-roleRef:
- kind: ClusterRole
- name: view
- apiGroup: rbac.authorization.k8s.io
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: clusterrolebinding-test
-subjects:
-- kind: Group
- name: manager # Name is case sensitive
- apiGroup: rbac.authorization.k8s.io
-roleRef:
- kind: ClusterRole
- name: view
- apiGroup: rbac.authorization.k8s.io
diff --git a/openshift-cel/disallow-security-context-constraint-anyuid/artifacthub-pkg.yml b/openshift-cel/disallow-security-context-constraint-anyuid/artifacthub-pkg.yml
deleted file mode 100644
index 92fb23206..000000000
--- a/openshift-cel/disallow-security-context-constraint-anyuid/artifacthub-pkg.yml
+++ /dev/null
@@ -1,23 +0,0 @@
-name: disallow-security-context-constraint-anyuid-cel
-version: 1.0.0
-displayName: Disallow use of the SecurityContextConstraint (SCC) anyuid in CEL expressions
-description: >-
- Disallow the use of the SecurityContextConstraint (SCC) anyuid which allows a pod to run with the UID as declared in the image instead of a random UID
-install: |-
- ```shell
- kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/openshift-cel/disallow-security-context-constraint-anyuid/disallow-security-context-constraint-anyuid.yaml
- ```
-keywords:
- - kyverno
- - Security
- - CEL Expressions
-readme: |
- Disallow the use of the SecurityContextConstraint (SCC) anyuid which allows a pod to run with the UID as declared in the image instead of a random UID
-
- Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/
-annotations:
- kyverno/category: "Security in CEL"
- kyverno/kubernetesVersion: "1.26-1.27"
- kyverno/subject: "Role,ClusterRole,RBAC"
-digest: 13d430a48c1a18ee97f2e86ad48f5e97f9a188ea3551c6884ff9ee8f1f81e2a6
-createdAt: "2024-05-22T09:53:47Z"
diff --git a/openshift-cel/disallow-security-context-constraint-anyuid/disallow-security-context-constraint-anyuid.yaml b/openshift-cel/disallow-security-context-constraint-anyuid/disallow-security-context-constraint-anyuid.yaml
deleted file mode 100644
index fe4b572db..000000000
--- a/openshift-cel/disallow-security-context-constraint-anyuid/disallow-security-context-constraint-anyuid.yaml
+++ /dev/null
@@ -1,51 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
- name: disallow-security-context-constraint-anyuid
- annotations:
- policies.kyverno.io/title: Disallow use of the SecurityContextConstraint (SCC) anyuid in CEL expressions
- policies.kyverno.io/category: Security in CEL
- policies.kyverno.io/severity: high
- kyverno.io/kyverno-version: 1.11.0
- policies.kyverno.io/minversion: 1.11.0
- kyverno.io/kubernetes-version: "1.26-1.27"
- policies.kyverno.io/subject: Role,ClusterRole,RBAC
- policies.kyverno.io/description: >-
- Disallow the use of the SecurityContextConstraint (SCC) anyuid which allows a pod to run with the UID as declared in the image instead of a random UID
-spec:
- validationFailureAction: Enforce
- background: true
- rules:
- - name: check-security-context-constraint
- match:
- any:
- - resources:
- kinds:
- - ClusterRole
- - Role
- operations:
- - CREATE
- - UPDATE
- validate:
- cel:
- expressions:
- - expression: "!object.?rules.orValue([]).exists(rule, 'anyuid' in rule.resourceNames && ('use' in rule.verbs || '*' in rule.verbs))"
- message: >-
- Use of the SecurityContextConstraint (SCC) anyuid is not allowed
- - name: check-security-context-roleref
- match:
- any:
- - resources:
- kinds:
- - ClusterRoleBinding
- - RoleBinding
- operations:
- - CREATE
- - UPDATE
- validate:
- cel:
- expressions:
- - expression: "object.roleRef.name != 'system:openshift:scc:anyuid'"
- message: >-
- Use of the SecurityContextConstraint (SCC) anyuid is not allowed
-
diff --git a/openshift-cel/enforce-etcd-encryption/.kyverno-test/kyverno-test.yaml b/openshift-cel/enforce-etcd-encryption/.kyverno-test/kyverno-test.yaml
deleted file mode 100644
index 2cf4b765d..000000000
--- a/openshift-cel/enforce-etcd-encryption/.kyverno-test/kyverno-test.yaml
+++ /dev/null
@@ -1,21 +0,0 @@
-apiVersion: cli.kyverno.io/v1alpha1
-kind: Test
-metadata:
- name: check-policy
-policies:
-- ../enforce-etcd-encryption.yaml
-resources:
-- resources.yaml
-results:
-- kind: APIServer
- policy: enforce-etcd-encryption
- resources:
- - cluster-no-encryption
- result: fail
- rule: check-etcd-encryption
-- kind: APIServer
- policy: enforce-etcd-encryption
- resources:
- - cluster-with-encryption
- result: pass
- rule: check-etcd-encryption
diff --git a/openshift-cel/enforce-etcd-encryption/.kyverno-test/resources.yaml b/openshift-cel/enforce-etcd-encryption/.kyverno-test/resources.yaml
deleted file mode 100644
index 442468ad2..000000000
--- a/openshift-cel/enforce-etcd-encryption/.kyverno-test/resources.yaml
+++ /dev/null
@@ -1,16 +0,0 @@
-apiVersion: config.openshift.io/v1
-kind: APIServer
-metadata:
- annotations:
- release.openshift.io/create-only: "true"
- name: cluster-no-encryption
-spec: {}
----
-apiVersion: config.openshift.io/v1
-kind: APIServer
-metadata:
- annotations:
- release.openshift.io/create-only: "true"
- name: cluster-with-encryption
-spec:
- encryption: {}
diff --git a/openshift-cel/enforce-etcd-encryption/artifacthub-pkg.yml b/openshift-cel/enforce-etcd-encryption/artifacthub-pkg.yml
deleted file mode 100644
index a5198a02d..000000000
--- a/openshift-cel/enforce-etcd-encryption/artifacthub-pkg.yml
+++ /dev/null
@@ -1,23 +0,0 @@
-name: enforce-etcd-encryption-cel
-version: 1.0.0
-displayName: Enforce etcd encryption in OpenShift in CEL expressions
-description: >-
- Encryption at rest is a security best practice. This policy ensures encryption is enabled for etcd in OpenShift clusters.
-install: |-
- ```shell
- kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/openshift-cel/enforce-etcd-encryption/enforce-etcd-encryption.yaml
- ```
-keywords:
- - kyverno
- - OpenShift
- - CEL Expressions
-readme: |
- Encryption at rest is a security best practice. This policy ensures encryption is enabled for etcd in OpenShift clusters.
-
- Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/
-annotations:
- kyverno/category: "OpenShift in CEL"
- kyverno/kubernetesVersion: "1.26-1.27"
- kyverno/subject: "APIServer"
-digest: 293113b4abad7fea2e4d805bc63dc23c8fad9658424353644e501ac5b0abd592
-createdAt: "2024-05-22T10:15:24Z"
diff --git a/openshift-cel/enforce-etcd-encryption/enforce-etcd-encryption.yaml b/openshift-cel/enforce-etcd-encryption/enforce-etcd-encryption.yaml
deleted file mode 100644
index 045402624..000000000
--- a/openshift-cel/enforce-etcd-encryption/enforce-etcd-encryption.yaml
+++ /dev/null
@@ -1,34 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: enforce-etcd-encryption - annotations: - policies.kyverno.io/title: Enforce etcd encryption in OpenShift in CEL expressions - policies.kyverno.io/category: OpenShift - policies.kyverno.io/severity: high - kyverno.io/kyverno-version: 1.11.0 - policies.kyverno.io/minversion: 1.11.0 - kyverno.io/kubernetes-version: "1.26-1.27" - policies.kyverno.io/subject: APIServer - policies.kyverno.io/description: >- - Encryption at rest is a security best practice. This policy ensures encryption is enabled for etcd in OpenShift clusters. -spec: - validationFailureAction: Enforce - background: true - rules: - - name: check-etcd-encryption - match: - any: - - resources: - kinds: - - config.openshift.io/v1/APIServer - operations: - - CREATE - - UPDATE - validate: - cel: - expressions: - - expression: "has(object.spec.encryption)" - message: >- - Encryption should be enabled for etcd - diff --git a/openshift/check-routes/.chainsaw-test/chainsaw-test.yaml b/openshift/check-routes/.chainsaw-test/chainsaw-test.yaml index 14b19b50c..c724e4638 100755 --- a/openshift/check-routes/.chainsaw-test/chainsaw-test.yaml +++ b/openshift/check-routes/.chainsaw-test/chainsaw-test.yaml @@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: diff --git a/openshift/check-routes/.chainsaw-test/policy-ready.yaml b/openshift/check-routes/.chainsaw-test/policy-ready.yaml index 195282bec..7620a92af 100644 --- a/openshift/check-routes/.chainsaw-test/policy-ready.yaml +++ b/openshift/check-routes/.chainsaw-test/policy-ready.yaml @@ -3,7 +3,4 @@ kind: ClusterPolicy metadata: name: check-routes status: - conditions: - - reason: Succeeded - status: "True" - type: Ready + ready: true \ No newline at end of file 
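Review bot: The new assert `ready: true` checks `status.ready`, which in the Kyverno policy status types is the older boolean kept alongside `status.conditions` (marked there as deprecated in favour of conditions, if I recall the API correctly), so the removed `Ready`/`Succeeded` condition assert was the more future-proof readiness gate for the chainsaw run. If the move to the boolean is deliberate for an older Kyverno, a comment above `status:` would save the next reader the question, e.g. `# asserts status.ready rather than the Ready condition for Kyverno <version — confirm> compatibility`. The added line is also written without a trailing newline (`\ No newline at end of file`). The same change appears in the policy-ready.yaml hunks for disallow-security-context-constraint-anyuid and disallow-self-provisioner-binding.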
diff --git a/openshift/check-routes/artifacthub-pkg.yml b/openshift/check-routes/artifacthub-pkg.yml index b865bb722..4667c9650 100644 --- a/openshift/check-routes/artifacthub-pkg.yml +++ b/openshift/check-routes/artifacthub-pkg.yml @@ -19,4 +19,4 @@ annotations: kyverno/category: "OpenShift" kyverno/kubernetesVersion: "1.20" kyverno/subject: "Route" -digest: 709e81e4c987c6d59650910334ef2a2ab98ac267e690b6d99ac8e6004b3e3e00 +digest: a06ecd563e1cff566a0e9913e8f06275b802a190ed3d5d86f7cdf28b73ad4589 diff --git a/openshift/check-routes/check-routes.yaml b/openshift/check-routes/check-routes.yaml index 8ef5020f0..7b2291fd3 100644 --- a/openshift/check-routes/check-routes.yaml +++ b/openshift/check-routes/check-routes.yaml @@ -13,7 +13,7 @@ metadata: policies.kyverno.io/description: |- HTTP traffic is not encrypted and hence insecure. This policy prevents configuration of OpenShift HTTP routes. spec: - validationFailureAction: Enforce + validationFailureAction: enforce background: true rules: - name: require-tls-routes diff --git a/openshift/disallow-deprecated-apis/artifacthub-pkg.yml b/openshift/disallow-deprecated-apis/artifacthub-pkg.yml index 26592afec..361b1c27a 100644 --- a/openshift/disallow-deprecated-apis/artifacthub-pkg.yml +++ b/openshift/disallow-deprecated-apis/artifacthub-pkg.yml @@ -19,4 +19,4 @@ annotations: kyverno/category: "OpenShift" kyverno/kubernetesVersion: "1.20" kyverno/subject: "ClusterRole,ClusterRoleBinding,Role,RoleBinding,RBAC" -digest: fcfa3505149601c824da0ed5507a65f31b879ddffc646aec57e702796353833a +digest: 4632053b784cb8ea4e0959679a3418c429e6a97875c8acea31c62bda9e8c9f8e diff --git a/openshift/disallow-deprecated-apis/disallow-deprecated-apis.yaml b/openshift/disallow-deprecated-apis/disallow-deprecated-apis.yaml index e6320cb93..8ad9a7876 100644 --- a/openshift/disallow-deprecated-apis/disallow-deprecated-apis.yaml +++ b/openshift/disallow-deprecated-apis/disallow-deprecated-apis.yaml 
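Review bot: `validationFailureAction: enforce` moves from the capitalized spelling to the lowercase one; Kyverno's CRD enum accepts both, but in the API types the lowercase `audit`/`enforce` values are the legacy form marked deprecated in favour of `Audit`/`Enforce`, so this reads like a downgrade rather than a fix. Because this field is what makes the policy block admission instead of only reporting, a value the target CRD does not accept would fail the apply and leave the cluster without the policy, so the Kyverno version this is meant for should be stated in the commit or reflected in the `kyverno.io/kyverno-version` annotation (outside the hunk). The same change is made in disallow-deprecated-apis and disallow-jenkins-pipeline-strategy, disallow-security-context-constraint-anyuid, disallow-self-provisioner-binding, enforce-etcd-encryption, team-validate-ns-name (`Audit` to `audit`) and unique-routes. The enclosing `spec:` block continues outside the hunk.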
@@ -17,7 +17,7 @@ metadata: Note that checking for some of these resources may require modifying the Kyverno ConfigMap to remove filters. spec: - validationFailureAction: Enforce + validationFailureAction: enforce background: true rules: - name: check-deprecated-apis diff --git a/openshift/disallow-jenkins-pipeline-strategy/artifacthub-pkg.yml b/openshift/disallow-jenkins-pipeline-strategy/artifacthub-pkg.yml index 12b6733d0..427d0f45a 100644 --- a/openshift/disallow-jenkins-pipeline-strategy/artifacthub-pkg.yml +++ b/openshift/disallow-jenkins-pipeline-strategy/artifacthub-pkg.yml @@ -19,4 +19,4 @@ annotations: kyverno/category: "OpenShift" kyverno/kubernetesVersion: "1.20" kyverno/subject: "BuildConfig" -digest: b6c956c992d6427a0caa6d7527d0bc1f69c16b328ecfcde91f2560561927539f +digest: 54d8b6ca2d8a3bb07ef0e84375717f230aa1bbee36d2df8fda5563d8b828da64 diff --git a/openshift/disallow-jenkins-pipeline-strategy/disallow-jenkins-pipeline-strategy.yaml b/openshift/disallow-jenkins-pipeline-strategy/disallow-jenkins-pipeline-strategy.yaml index f34271945..e4b6396d4 100644 --- a/openshift/disallow-jenkins-pipeline-strategy/disallow-jenkins-pipeline-strategy.yaml +++ b/openshift/disallow-jenkins-pipeline-strategy/disallow-jenkins-pipeline-strategy.yaml @@ -13,7 +13,7 @@ metadata: policies.kyverno.io/description: >- The Jenkins Pipeline Build Strategy has been deprecated. This policy prevents its use. Use OpenShift Pipelines instead. spec: - validationFailureAction: Enforce + validationFailureAction: enforce background: true rules: - name: check-build-strategy diff --git a/openshift/disallow-security-context-constraint-anyuid/.chainsaw-test/chainsaw-test.yaml b/openshift/disallow-security-context-constraint-anyuid/.chainsaw-test/chainsaw-test.yaml index 2b8304268..31ed64659 100755 --- a/openshift/disallow-security-context-constraint-anyuid/.chainsaw-test/chainsaw-test.yaml +++ b/openshift/disallow-security-context-constraint-anyuid/.chainsaw-test/chainsaw-test.yaml 
@@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: diff --git a/openshift/disallow-security-context-constraint-anyuid/.chainsaw-test/policy-ready.yaml b/openshift/disallow-security-context-constraint-anyuid/.chainsaw-test/policy-ready.yaml index 3a862d24f..ed6d92cb9 100644 --- a/openshift/disallow-security-context-constraint-anyuid/.chainsaw-test/policy-ready.yaml +++ b/openshift/disallow-security-context-constraint-anyuid/.chainsaw-test/policy-ready.yaml @@ -3,7 +3,4 @@ kind: ClusterPolicy metadata: name: disallow-security-context-constraint-anyuid status: - conditions: - - reason: Succeeded - status: "True" - type: Ready + ready: true \ No newline at end of file diff --git a/openshift/disallow-security-context-constraint-anyuid/artifacthub-pkg.yml b/openshift/disallow-security-context-constraint-anyuid/artifacthub-pkg.yml index c951ddc9f..57032ac9b 100644 --- a/openshift/disallow-security-context-constraint-anyuid/artifacthub-pkg.yml +++ b/openshift/disallow-security-context-constraint-anyuid/artifacthub-pkg.yml @@ -19,4 +19,4 @@ annotations: kyverno/category: "Security" kyverno/kubernetesVersion: "1.20" kyverno/subject: "Role,ClusterRole,RBAC" -digest: aba34bc8844523568b27a380fc30dd2dba1492cb762d114bf2da851a48033c63 +digest: 91f366a8916454b5922e91d99af42db7be144d64bfcab98a6223843fa4e2d9b5 diff --git a/openshift/disallow-security-context-constraint-anyuid/disallow-security-context-constraint-anyuid.yaml b/openshift/disallow-security-context-constraint-anyuid/disallow-security-context-constraint-anyuid.yaml index e0f8ea9ee..c444ed66f 100644 --- a/openshift/disallow-security-context-constraint-anyuid/disallow-security-context-constraint-anyuid.yaml +++ b/openshift/disallow-security-context-constraint-anyuid/disallow-security-context-constraint-anyuid.yaml 
@@ -13,7 +13,7 @@ metadata: policies.kyverno.io/description: >- Disallow the use of the SecurityContextConstraint (SCC) anyuid which allows a pod to run with the UID as declared in the image instead of a random UID spec: - validationFailureAction: Enforce + validationFailureAction: enforce background: true rules: - name: check-security-context-constraint diff --git a/openshift/disallow-self-provisioner-binding/.chainsaw-test/chainsaw-test.yaml b/openshift/disallow-self-provisioner-binding/.chainsaw-test/chainsaw-test.yaml index 46151df5c..541db5110 100755 --- a/openshift/disallow-self-provisioner-binding/.chainsaw-test/chainsaw-test.yaml +++ b/openshift/disallow-self-provisioner-binding/.chainsaw-test/chainsaw-test.yaml @@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: diff --git a/openshift/disallow-self-provisioner-binding/.chainsaw-test/policy-ready.yaml b/openshift/disallow-self-provisioner-binding/.chainsaw-test/policy-ready.yaml index 17cd2ac21..d6f5a4f24 100644 --- a/openshift/disallow-self-provisioner-binding/.chainsaw-test/policy-ready.yaml +++ b/openshift/disallow-self-provisioner-binding/.chainsaw-test/policy-ready.yaml @@ -3,7 +3,4 @@ kind: ClusterPolicy metadata: name: disallow-self-provisioner-binding status: - conditions: - - reason: Succeeded - status: "True" - type: Ready + ready: true \ No newline at end of file diff --git a/openshift/disallow-self-provisioner-binding/.kyverno-test/kyverno-test.yaml b/openshift/disallow-self-provisioner-binding/.kyverno-test/kyverno-test.yaml index 82b12eb14..8047d0d8c 100644 --- a/openshift/disallow-self-provisioner-binding/.kyverno-test/kyverno-test.yaml +++ b/openshift/disallow-self-provisioner-binding/.kyverno-test/kyverno-test.yaml 
@@ -11,7 +11,7 @@ results: policy: disallow-self-provisioner-binding resources: - self-provisioners - result: fail + result: pass rule: check-self-provisioner-binding-no-subject - kind: ClusterRoleBinding policy: disallow-self-provisioner-binding diff --git a/openshift/disallow-self-provisioner-binding/artifacthub-pkg.yml b/openshift/disallow-self-provisioner-binding/artifacthub-pkg.yml index 04b329c03..ad5cdba25 100644 --- a/openshift/disallow-self-provisioner-binding/artifacthub-pkg.yml +++ b/openshift/disallow-self-provisioner-binding/artifacthub-pkg.yml @@ -19,4 +19,4 @@ annotations: kyverno/category: "OpenShift" kyverno/kubernetesVersion: "1.20" kyverno/subject: "ClusterRoleBinding, RBAC" -digest: a808a91eed3c1a1c44840bd490cec834627a5364c93553850acc335f2ad29613 +digest: 2e683ff1c29e1eddbf59b7a8c1fd1848b6292c5d0a9233089603bbd4e1aacf4a diff --git a/openshift/disallow-self-provisioner-binding/disallow-self-provisioner-binding.yaml b/openshift/disallow-self-provisioner-binding/disallow-self-provisioner-binding.yaml index 8c1fb149f..3f1d56535 100644 --- a/openshift/disallow-self-provisioner-binding/disallow-self-provisioner-binding.yaml +++ b/openshift/disallow-self-provisioner-binding/disallow-self-provisioner-binding.yaml @@ -13,7 +13,7 @@ metadata: policies.kyverno.io/description: >- This policy prevents binding to the self-provisioners role for strict control of OpenShift project creation. spec: - validationFailureAction: Enforce + validationFailureAction: enforce background: true rules: - name: check-self-provisioner-binding-no-subject @@ -32,8 +32,9 @@ spec: value: UPDATE validate: message: >- - Modifying the self-provisioners ClusterRoleBinding is not allowed. - deny: {} + Binding to the self-provisioners cluster role is not allowed. + pattern: + =(subjects): {} - name: check-self-provisioner-binding-with-subject match: any: 
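Review bot: The expected result for resource `self-provisioners` under rule `check-self-provisioner-binding-no-subject` flips from `fail` to `pass`, which matches the policy change in the same commit only if that fixture carries no `subjects`; resources.yaml is not in view, so that should be confirmed. A second fixture with a populated `subjects` list asserting `result: fail` would pin the other branch of the new pattern, since this test now only exercises the passing case. The results list continues outside the hunk.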
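Review bot: `pattern: =(subjects): {}` replaces the unconditional `deny: {}` and changes what the rule rejects: with the conditional anchor the check is skipped when `subjects` is absent and an empty-map pattern is applied to a list-valued field when it is present, so the outcome rests on how Kyverno's pattern matcher treats that type mismatch rather than on an explicit check, whereas `deny: {}` stated "reject every UPDATE" plainly. If the intent is that the binding may only be updated while it has no subjects, that should be written above the pattern, e.g. `# passes only when subjects is absent; a populated subjects list fails the pattern match — confirm against the Kyverno version in use`. The new message "Binding to the self-provisioners cluster role is not allowed." also sits in a rule named `...-no-subject`, which is worth aligning so a denied user understands which condition tripped. The rule's `match` and `preconditions` start outside the hunk.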
diff --git a/openshift/enforce-etcd-encryption/artifacthub-pkg.yml b/openshift/enforce-etcd-encryption/artifacthub-pkg.yml index 205b0733a..25e08a873 100644 --- a/openshift/enforce-etcd-encryption/artifacthub-pkg.yml +++ b/openshift/enforce-etcd-encryption/artifacthub-pkg.yml @@ -19,4 +19,4 @@ annotations: kyverno/category: "OpenShift" kyverno/kubernetesVersion: "1.20" kyverno/subject: "APIServer" -digest: a25476bbe38e4bac0519d3e0f8320bf32bdd7ebbd115bc016b1b5d927bf2ce56 +digest: 52b34f10d90e6c15782ef1b861c42f0f16618ee7093fc7763fa24758e78c64b3 diff --git a/openshift/enforce-etcd-encryption/enforce-etcd-encryption.yaml b/openshift/enforce-etcd-encryption/enforce-etcd-encryption.yaml index 1c21f36fb..e80628525 100644 --- a/openshift/enforce-etcd-encryption/enforce-etcd-encryption.yaml +++ b/openshift/enforce-etcd-encryption/enforce-etcd-encryption.yaml @@ -13,7 +13,7 @@ metadata: policies.kyverno.io/description: >- Encryption at rest is a security best practice. This policy ensures encryption is enabled for etcd in OpenShift clusters. spec: - validationFailureAction: Enforce + validationFailureAction: enforce background: true rules: - name: check-etcd-encryption diff --git a/openshift/team-validate-ns-name/artifacthub-pkg.yml b/openshift/team-validate-ns-name/artifacthub-pkg.yml index 843c3c912..087dcf5f3 100644 --- a/openshift/team-validate-ns-name/artifacthub-pkg.yml +++ b/openshift/team-validate-ns-name/artifacthub-pkg.yml @@ -19,4 +19,4 @@ annotations: kyverno/category: "OpenShift" kyverno/kubernetesVersion: "1.23" kyverno/subject: "Namespace" -digest: 5bf6adc38d0e2a985bcfbd51a1281de127ef37fa05bbe8b48332337657992d68 +digest: 2228cf663cbf371704be6b1ad20e3e293148dbf2d607889f68be80c3154c316b diff --git a/openshift/team-validate-ns-name/team-validate-ns-name.yaml b/openshift/team-validate-ns-name/team-validate-ns-name.yaml index 325825ee9..3ade0eae9 100644 --- a/openshift/team-validate-ns-name/team-validate-ns-name.yaml 
+++ b/openshift/team-validate-ns-name/team-validate-ns-name.yaml @@ -17,7 +17,7 @@ metadata: This policy denies the creation of a Namespace if the name of the Namespace does not follow a specific naming defined by the cluster admins. spec: - validationFailureAction: Audit + validationFailureAction: audit background: false rules: - name: team-validate-ns-name diff --git a/openshift/unique-routes/artifacthub-pkg.yml b/openshift/unique-routes/artifacthub-pkg.yml index 74edd9612..5aa5b8e0d 100644 --- a/openshift/unique-routes/artifacthub-pkg.yml +++ b/openshift/unique-routes/artifacthub-pkg.yml @@ -19,4 +19,4 @@ annotations: kyverno/category: "OpenShift" kyverno/kubernetesVersion: "1.20" kyverno/subject: "Route" -digest: 9760b98f6bf58e3f1ae5b0c06dd2f47e8b49a47aab992e6c906795877c59fb93 +digest: faa4a7daf6ce438affd93e7807482980eb1eb64098a8224205da1d54758440cc diff --git a/openshift/unique-routes/unique-routes.yaml b/openshift/unique-routes/unique-routes.yaml index e5307919f..0070178ae 100644 --- a/openshift/unique-routes/unique-routes.yaml +++ b/openshift/unique-routes/unique-routes.yaml @@ -16,7 +16,7 @@ metadata: these hosts should be unique across the cluster to ensure no routing conflicts occur. This policy checks an incoming Route resource to ensure its hosts are unique to the cluster. spec: - validationFailureAction: Enforce + validationFailureAction: enforce background: false rules: - name: require-unique-routes diff --git a/other-cel/advanced-restrict-image-registries/.chainsaw-test/chainsaw-test.yaml b/other-cel/advanced-restrict-image-registries/.chainsaw-test/chainsaw-test.yaml deleted file mode 100755 index 19705bdc2..000000000 --- a/other-cel/advanced-restrict-image-registries/.chainsaw-test/chainsaw-test.yaml +++ /dev/null 
@@ -1,48 +0,0 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json -apiVersion: chainsaw.kyverno.io/v1alpha1 -kind: Test -metadata: - creationTimestamp: null - name: advanced-restrict-image-registries -spec: - # disable templating because it can cause issues with CEL expressions - template: false - steps: - - name: step-01 - try: - - apply: - file: ../advanced-restrict-image-registries.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: advanced-restrict-image-registries - spec: - validationFailureAction: Enforce - - assert: - file: policy-ready.yaml - - name: step-02 - try: - - apply: - file: ns-01.yaml - - apply: - file: ns-02.yaml - - apply: - file: cm.yaml - - name: step-03 - try: - - apply: - file: pod-good.yaml - - apply: - expect: - - check: - ($error != null): true - file: pod-bad.yaml - - apply: - file: podcontroller-good.yaml - - apply: - expect: - - check: - ($error != null): true - file: podcontroller-bad.yaml diff --git a/other-cel/advanced-restrict-image-registries/.chainsaw-test/cm.yaml b/other-cel/advanced-restrict-image-registries/.chainsaw-test/cm.yaml deleted file mode 100755 index fdad1c734..000000000 --- a/other-cel/advanced-restrict-image-registries/.chainsaw-test/cm.yaml +++ /dev/null @@ -1,7 +0,0 @@ -apiVersion: v1 -data: - registries: ghcr.io/ -kind: ConfigMap -metadata: - name: clusterregistries - namespace: default diff --git a/other-cel/advanced-restrict-image-registries/.chainsaw-test/ns-01.yaml b/other-cel/advanced-restrict-image-registries/.chainsaw-test/ns-01.yaml deleted file mode 100755 index 30c99ca14..000000000 --- a/other-cel/advanced-restrict-image-registries/.chainsaw-test/ns-01.yaml +++ /dev/null @@ -1,6 +0,0 @@ -apiVersion: v1 -kind: Namespace -metadata: - annotations: - corp.com/allowed-registries: img.corp.com/ - name: imageregistries-ns01 
diff --git a/other-cel/advanced-restrict-image-registries/.chainsaw-test/ns-02.yaml b/other-cel/advanced-restrict-image-registries/.chainsaw-test/ns-02.yaml deleted file mode 100755 index 3a301353b..000000000 --- a/other-cel/advanced-restrict-image-registries/.chainsaw-test/ns-02.yaml +++ /dev/null @@ -1,6 +0,0 @@ -apiVersion: v1 -kind: Namespace -metadata: - annotations: - corp.com/allowed-registries: docker.io/ - name: imageregistries-ns02 diff --git a/other-cel/advanced-restrict-image-registries/.chainsaw-test/pod-bad.yaml b/other-cel/advanced-restrict-image-registries/.chainsaw-test/pod-bad.yaml deleted file mode 100644 index d0ccba896..000000000 --- a/other-cel/advanced-restrict-image-registries/.chainsaw-test/pod-bad.yaml +++ /dev/null @@ -1,55 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: badpod01 -spec: - containers: - - name: busybox01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod02 - namespace: imageregistries-ns01 -spec: - initContainers: - - name: busybox01-init - image: ghcr.io/kyverno/test-busybox:1.35 - - name: busybox02-init - image: ghcr.io/busybox:1.35 - containers: - - name: busybox01 - image: ghcr.io/busybox:1.35 - - name: busybox02 - image: corp.img.io/busybox:1.35 ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod03 - namespace: imageregistries-ns02 -spec: - initContainers: - - name: busybox01-init - image: corp.img.io/busybox:1.35 - containers: - - name: busybox01 - image: img.corp.com/busybox:1.35 - - name: busybox02 - image: docker.io/busybox:1.35 ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod04 -spec: - initContainers: - - name: busybox01-init - image: corp.img.io/busybox:1.35 - containers: - - name: busybox01 - image: ghcr.io/busybox:1.35 - - name: busybox02 - image: ghcr.io/busybox:1.35 ---- \ No newline at end of file 
diff --git a/other-cel/advanced-restrict-image-registries/.chainsaw-test/pod-good.yaml b/other-cel/advanced-restrict-image-registries/.chainsaw-test/pod-good.yaml deleted file mode 100644 index 7d9b3714b..000000000 --- a/other-cel/advanced-restrict-image-registries/.chainsaw-test/pod-good.yaml +++ /dev/null @@ -1,45 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: goodpod01 - namespace: imageregistries-ns01 -spec: - initContainers: - - name: busybox01-init - image: img.corp.com/busybox:1.35 - # - name: busybox02-init - # image: ghcr.io/busybox:1.35 - containers: - # - name: busybox01 - # image: ghcr.io/busybox:1.35 - - name: busybox02 - image: img.corp.com/busybox:1.35 ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod02 - namespace: imageregistries-ns02 -spec: - initContainers: - - name: busybox01-init - image: ghcr.io/busybox:1.35 - containers: - - name: busybox01 - image: docker.io/busybox:1.35 - - name: busybox02 - image: docker.io/busybox:1.35 ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod03 -spec: - initContainers: - - name: busybox01-init - image: ghcr.io/busybox:1.35 - containers: - - name: busybox01 - image: ghcr.io/busybox:1.35 - - name: busybox02 - image: ghcr.io/busybox:1.35 \ No newline at end of file diff --git a/other-cel/advanced-restrict-image-registries/.chainsaw-test/podcontroller-bad.yaml b/other-cel/advanced-restrict-image-registries/.chainsaw-test/podcontroller-bad.yaml deleted file mode 100644 index f2b36e075..000000000 --- a/other-cel/advanced-restrict-image-registries/.chainsaw-test/podcontroller-bad.yaml +++ /dev/null 
@@ -1,50 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app: busybox - name: baddeploy01 - namespace: imageregistries-ns01 -spec: - replicas: 1 - selector: - matchLabels: - app: busybox - template: - metadata: - labels: - app: busybox - spec: - initContainers: - - name: busybox01-init - image: docker.io/busybox:1.35 - - name: busybox02-init - image: ghcr.io/busybox:1.35 - containers: - - name: busybox01 - image: ghcr.io/busybox:1.35 - - name: busybox02 - image: corp.img.io/busybox:1.35 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob01 - namespace: imageregistries-ns02 -spec: - schedule: "* * * * *" - jobTemplate: - spec: - template: - spec: - initContainers: - - name: busybox01-init - image: docker.io/busybox:1.35 - - name: busybox02-init - image: ghcr.io/busybox:1.35 - containers: - - name: busybox01 - image: ghcr.io/busybox:1.35 - - name: busybox02 - image: corp.img.io/busybox:1.35 - restartPolicy: OnFailure \ No newline at end of file diff --git a/other-cel/advanced-restrict-image-registries/.chainsaw-test/podcontroller-good.yaml b/other-cel/advanced-restrict-image-registries/.chainsaw-test/podcontroller-good.yaml deleted file mode 100644 index 5d4e2d168..000000000 --- a/other-cel/advanced-restrict-image-registries/.chainsaw-test/podcontroller-good.yaml +++ /dev/null 
@@ -1,50 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app: busybox - name: gooddeploy01 - namespace: imageregistries-ns01 -spec: - replicas: 1 - selector: - matchLabels: - app: busybox - template: - metadata: - labels: - app: busybox - spec: - initContainers: - - name: busybox01-init - image: img.corp.com/busybox:1.35 - - name: busybox02-init - image: ghcr.io/busybox:1.35 - containers: - - name: busybox01 - image: ghcr.io/busybox:1.35 - - name: busybox02 - image: img.corp.com/busybox:1.35 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob01 - namespace: imageregistries-ns02 -spec: - schedule: "* * * * *" - jobTemplate: - spec: - template: - spec: - initContainers: - - name: busybox01-init - image: docker.io/busybox:1.35 - - name: busybox02-init - image: ghcr.io/busybox:1.35 - containers: - - name: busybox01 - image: ghcr.io/busybox:1.35 - - name: busybox02 - image: docker.io/busybox:1.35 - restartPolicy: OnFailure \ No newline at end of file diff --git a/other-cel/advanced-restrict-image-registries/.chainsaw-test/policy-ready.yaml b/other-cel/advanced-restrict-image-registries/.chainsaw-test/policy-ready.yaml deleted file mode 100755 index b0fc37d37..000000000 --- a/other-cel/advanced-restrict-image-registries/.chainsaw-test/policy-ready.yaml +++ /dev/null @@ -1,10 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: advanced-restrict-image-registries -status: - conditions: - - reason: Succeeded - status: "True" - type: Ready - diff --git a/other-cel/advanced-restrict-image-registries/advanced-restrict-image-registries.yaml b/other-cel/advanced-restrict-image-registries/advanced-restrict-image-registries.yaml deleted file mode 100644 index 28cebce1a..000000000 --- a/other-cel/advanced-restrict-image-registries/advanced-restrict-image-registries.yaml +++ /dev/null 
@@ -1,53 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: advanced-restrict-image-registries - annotations: - policies.kyverno.io/title: Advanced Restrict Image Registries in CEL expressions - policies.kyverno.io/category: Other in CEL - policies.kyverno.io/severity: medium - kyverno.io/kyverno-version: 1.11.0 - policies.kyverno.io/minversion: 1.11.0 - kyverno.io/kubernetes-version: "1.26-1.27" - policies.kyverno.io/subject: Pod - policies.kyverno.io/description: >- - In instances where a ClusterPolicy defines all the approved image registries - is insufficient, more granular control may be needed to set permitted registries, - especially in multi-tenant use cases where some registries may be based on - the Namespace. This policy shows an advanced version of the Restrict Image Registries - policy which gets a global approved registry from a ConfigMap and, based upon an - annotation at the Namespace level, gets the registry approved for that Namespace. -spec: - validationFailureAction: Audit - background: false - rules: - - name: validate-corp-registries - match: - any: - - resources: - kinds: - - Pod - operations: - - CREATE - - UPDATE - validate: - cel: - paramKind: - apiVersion: v1 - kind: ConfigMap - paramRef: - name: clusterregistries - namespace: default - parameterNotFoundAction: Deny - variables: - - name: allContainers - expression: "object.spec.containers + object.spec.?initContainers.orValue([]) + object.spec.?ephemeralContainers.orValue([])" - - name: nsregistries - expression: >- - namespaceObject.metadata.?annotations[?'corp.com/allowed-registries'].orValue(' ') - - name: clusterregistries - expression: "params.data[?'registries'].orValue(' ')" - expressions: - - expression: "variables.allContainers.all(container, container.image.startsWith(variables.nsregistries) || container.image.startsWith(variables.clusterregistries))" - message: This Pod names an image that is not from an approved registry. - 
diff --git a/other-cel/advanced-restrict-image-registries/artifacthub-pkg.yml b/other-cel/advanced-restrict-image-registries/artifacthub-pkg.yml deleted file mode 100644 index 991b00cee..000000000 --- a/other-cel/advanced-restrict-image-registries/artifacthub-pkg.yml +++ /dev/null 
@@ -1,24 +0,0 @@ -name: advanced-restrict-image-registries-cel -version: 1.0.0 -displayName: Advanced Restrict Image Registries in CEL expressions -description: >- - In instances where a ClusterPolicy defines all the approved image registries is insufficient, more granular control may be needed to set permitted registries, especially in multi-tenant use cases where some registries may be based on the Namespace. This policy shows an advanced version of the Restrict Image Registries policy which gets a global approved registry from a ConfigMap and, based upon an annotation at the Namespace level, gets the registry approved for that Namespace. -install: |- - ```shell - kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other-cel/advanced-restrict-image-registries/advanced-restrict-image-registries.yaml - ``` -keywords: - - kyverno - - Other - - CEL Expressions -readme: | - In instances where a ClusterPolicy defines all the approved image registries is insufficient, more granular control may be needed to set permitted registries, especially in multi-tenant use cases where some registries may be based on the Namespace. This policy shows an advanced version of the Restrict Image Registries policy which gets a global approved registry from a ConfigMap and, based upon an annotation at the Namespace level, gets the registry approved for that Namespace. - - Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ -annotations: - kyverno/category: "Other in CEL" - kyverno/kubernetesVersion: "1.26-1.27" - kyverno/subject: "Pod" -digest: affd33e654245f8e62ad872c2ce58b60776ab9b472123c19c6524c1790be414b -createdAt: "2024-04-21T11:03:06Z" - diff --git a/other-cel/allowed-annotations/.chainsaw-test/chainsaw-test.yaml b/other-cel/allowed-annotations/.chainsaw-test/chainsaw-test.yaml deleted file mode 100755 index d139ab184..000000000 
--- a/other-cel/allowed-annotations/.chainsaw-test/chainsaw-test.yaml +++ /dev/null @@ -1,41 +0,0 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json -apiVersion: chainsaw.kyverno.io/v1alpha1 -kind: Test -metadata: - creationTimestamp: null - name: allowed-annotations -spec: - # disable templating because it can cause issues with CEL expressions - template: false - steps: - - name: step-01 - try: - - apply: - file: ../allowed-annotations.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: allowed-annotations - spec: - validationFailureAction: Enforce - - assert: - file: policy-ready.yaml - - name: step-02 - try: - - apply: - file: pod-good.yaml - - apply: - file: podcontroller-good.yaml - - apply: - expect: - - check: - ($error != null): true - file: pod-bad.yaml - - apply: - expect: - - check: - ($error != null): true - file: podcontroller-bad.yaml - diff --git a/other-cel/allowed-annotations/.chainsaw-test/pod-bad.yaml b/other-cel/allowed-annotations/.chainsaw-test/pod-bad.yaml deleted file mode 100644 index 57aa954ae..000000000 --- a/other-cel/allowed-annotations/.chainsaw-test/pod-bad.yaml +++ /dev/null 
@@ -1,47 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - annotations: - fluxcd.io/cat: meow - name: badpod01 -spec: - containers: - - name: pod01-01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: v1 -kind: Pod -metadata: - annotations: - foo: bar - fluxcd.io/foo: bar - name: badpod02 -spec: - containers: - - name: pod02-01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: v1 -kind: Pod -metadata: - annotations: - fluxcd.io/bar: foo - foo: bar - name: badpod03 -spec: - containers: - - name: pod-01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: v1 -kind: Pod -metadata: - annotations: - fluxcd.io/bar: foo - fluxcd.io/cow: moo - name: badpod04 -spec: - containers: - - name: pod-01 - image: ghcr.io/kyverno/test-busybox:1.35 - diff --git a/other-cel/allowed-annotations/.chainsaw-test/pod-good.yaml b/other-cel/allowed-annotations/.chainsaw-test/pod-good.yaml deleted file mode 100644 index 64143a246..000000000 --- a/other-cel/allowed-annotations/.chainsaw-test/pod-good.yaml +++ /dev/null @@ -1,45 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: goodpod01 -spec: - containers: - - name: pod01-01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: v1 -kind: Pod -metadata: - annotations: - foo: bar - fluxcd.io/cow: ox - fluxcd.io/dog: cat - name: goodpod02 -spec: - containers: - - name: pod02-01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: v1 -kind: Pod -metadata: - annotations: - foo: bar - name: goodpod03 -spec: - containers: - - name: pod-01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: v1 -kind: Pod -metadata: - annotations: - fluxcd.io/cow: moo - foo: bar - name: goodpod04 -spec: - containers: - - name: pod-01 - image: ghcr.io/kyverno/test-busybox:1.35 - diff --git a/other-cel/allowed-annotations/.chainsaw-test/podcontroller-bad.yaml b/other-cel/allowed-annotations/.chainsaw-test/podcontroller-bad.yaml deleted file mode 100644 index cc5e4b773..000000000 
--- a/other-cel/allowed-annotations/.chainsaw-test/podcontroller-bad.yaml +++ /dev/null @@ -1,94 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app: busybox - name: baddeployment01 -spec: - replicas: 1 - selector: - matchLabels: - app: busybox - strategy: {} - template: - metadata: - annotations: - foo: bar - fluxcd.io/foo: bar - labels: - app: busybox - spec: - containers: - - name: bb-01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app: busybox - name: baddeployment02 -spec: - replicas: 1 - selector: - matchLabels: - app: busybox - strategy: {} - template: - metadata: - annotations: - fluxcd.io/cat: meow - fluxcd.io/cow: moo - labels: - app: busybox - spec: - containers: - - name: bb-01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob01 -spec: - schedule: "* * * * *" - jobTemplate: - spec: - template: - metadata: - annotations: - foo: bar - fluxcd.io/foo: bar - spec: - containers: - - name: hello - image: ghcr.io/kyverno/test-busybox:1.35 - imagePullPolicy: IfNotPresent - command: - - "sleep" - - "3600" - restartPolicy: OnFailure ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob02 -spec: - schedule: "* * * * *" - jobTemplate: - spec: - template: - metadata: - annotations: - fluxcd.io/cat: meow - fluxcd.io/cow: moo - spec: - containers: - - name: hello - image: ghcr.io/kyverno/test-busybox:1.35 - imagePullPolicy: IfNotPresent - command: - - "sleep" - - "3600" - restartPolicy: OnFailure - diff --git a/other-cel/allowed-annotations/.chainsaw-test/podcontroller-good.yaml b/other-cel/allowed-annotations/.chainsaw-test/podcontroller-good.yaml deleted file mode 100644 index 6b9e18273..000000000 --- a/other-cel/allowed-annotations/.chainsaw-test/podcontroller-good.yaml +++ /dev/null 
@@ -1,132 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- labels:
- app: busybox
- name: gooddeployment01
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: busybox
- strategy: {}
- template:
- metadata:
- annotations:
- foo: bar
- labels:
- app: busybox
- spec:
- containers:
- - name: bb-01
- image: ghcr.io/kyverno/test-busybox:1.35
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- labels:
- app: busybox
- name: gooddeployment02
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: busybox
- strategy: {}
- template:
- metadata:
- annotations:
- fluxcd.io/cow: moo
- fluxcd.io/dog: bark
- labels:
- app: busybox
- spec:
- containers:
- - name: bb-01
- image: ghcr.io/kyverno/test-busybox:1.35
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- labels:
- app: busybox
- name: gooddeployment03
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: busybox
- strategy: {}
- template:
- metadata:
- labels:
- app: busybox
- spec:
- containers:
- - name: bb-01
- image: ghcr.io/kyverno/test-busybox:1.35
----
-apiVersion: batch/v1
-kind: CronJob
-metadata:
- name: goodcronjob01
-spec:
- schedule: "* * * * *"
- jobTemplate:
- spec:
- template:
- metadata:
- annotations:
- foo: bar
- spec:
- containers:
- - name: hello
- image: ghcr.io/kyverno/test-busybox:1.35
- imagePullPolicy: IfNotPresent
- command:
- - "sleep"
- - "3600"
- restartPolicy: OnFailure
----
-apiVersion: batch/v1
-kind: CronJob
-metadata:
- name: goodcronjob02
-spec:
- schedule: "* * * * *"
- jobTemplate:
- spec:
- template:
- metadata:
- annotations:
- fluxcd.io/cow: moo
- fluxcd.io/dog: bark
- spec:
- containers:
- - name: hello
- image: ghcr.io/kyverno/test-busybox:1.35
- imagePullPolicy: IfNotPresent
- command:
- - "sleep"
- - "3600"
- restartPolicy: OnFailure
----
-apiVersion: batch/v1
-kind: CronJob
-metadata:
- name: goodcronjob03
-spec:
- schedule: "* * * * *"
- jobTemplate:
- spec:
- template:
- spec:
- containers:
- - name: hello
- image: ghcr.io/kyverno/test-busybox:1.35
- imagePullPolicy: IfNotPresent
- command:
- - "sleep"
- - "3600"
- restartPolicy: OnFailure
-
diff --git a/other-cel/allowed-annotations/.chainsaw-test/policy-ready.yaml b/other-cel/allowed-annotations/.chainsaw-test/policy-ready.yaml
deleted file mode 100755
index b0aa428dc..000000000
--- a/other-cel/allowed-annotations/.chainsaw-test/policy-ready.yaml
+++ /dev/null
@@ -1,11 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
- name: allowed-annotations
-status:
- conditions:
- - reason: Succeeded
- status: "True"
- type: Ready
-
-
diff --git a/other-cel/allowed-annotations/.kyverno-test/kyverno-test.yaml b/other-cel/allowed-annotations/.kyverno-test/kyverno-test.yaml
deleted file mode 100644
index 4ebfa364c..000000000
--- a/other-cel/allowed-annotations/.kyverno-test/kyverno-test.yaml
+++ /dev/null
@@ -1,22 +0,0 @@
-apiVersion: cli.kyverno.io/v1alpha1
-kind: Test
-metadata:
- name: allowed-annotations
-policies:
-- ../allowed-annotations.yaml
-resources:
-- resource.yaml
-results:
-- kind: Pod
- policy: allowed-annotations
- resources:
- - badpod01
- result: fail
- rule: allowed-fluxcd-annotations
-- kind: Pod
- policy: allowed-annotations
- resources:
- - goodpod01
- result: pass
- rule: allowed-fluxcd-annotations
-
diff --git a/other-cel/allowed-annotations/.kyverno-test/resource.yaml b/other-cel/allowed-annotations/.kyverno-test/resource.yaml
deleted file mode 100644
index 659009b95..000000000
--- a/other-cel/allowed-annotations/.kyverno-test/resource.yaml
+++ /dev/null
@@ -1,29 +0,0 @@
----
-apiVersion: v1
-kind: Pod
-metadata:
- name: badpod01
- annotations:
- fluxcd.io/bat: flap
- corp.com/bar: baz
- somethingsimple: else
-spec:
- automountServiceAccountToken: false
- containers:
- - name: busybox
- image: registry.corp/sdf3vhadfa:1.28
----
-apiVersion: v1
-kind: Pod
-metadata:
- name: goodpod01
- annotations:
- fluxcd.io/dog: bark
- corp.com/bar: baz
- somethingsimple: else
-spec:
- automountServiceAccountToken: false
- containers:
- - name: busybox
- image: registry.corp/sdf3vhadfa:1.28
----
diff --git a/other-cel/allowed-annotations/allowed-annotations.yaml b/other-cel/allowed-annotations/allowed-annotations.yaml
deleted file mode 100644
index 2e0a7cc42..000000000
--- a/other-cel/allowed-annotations/allowed-annotations.yaml
+++ /dev/null
@@ -1,37 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: allowed-annotations - annotations: - policies.kyverno.io/title: Allowed Annotations in CEL expressions - policies.kyverno.io/category: Other in CEL - policies.kyverno.io/severity: medium - kyverno.io/kyverno-version: 1.11.0 - policies.kyverno.io/minversion: 1.11.0 - kyverno.io/kubernetes-version: "1.26-1.27" - policies.kyverno.io/subject: Pod, Annotation - policies.kyverno.io/description: >- - Rather than creating a deny list of annotations, it may be more useful - to invert that list and create an allow list which then denies any others. - This policy demonstrates how to allow two annotations with a specific key - name of fluxcd.io/ while denying others that do not meet the pattern. -spec: - validationFailureAction: Audit - background: true - rules: - - name: allowed-fluxcd-annotations - match: - any: - - resources: - kinds: - - Pod - operations: - - CREATE - - UPDATE - validate: - cel: - expressions: - - expression: >- - object.metadata.?annotations.orValue([]).all(annotation, !annotation.contains('fluxcd.io/') || annotation in ['fluxcd.io/cow', 'fluxcd.io/dog']) - message: The only approved FluxCD annotations are `fluxcd.io/cow` and `fluxcd.io/dog`. - diff --git a/other-cel/allowed-annotations/artifacthub-pkg.yml b/other-cel/allowed-annotations/artifacthub-pkg.yml deleted file mode 100644 index 07a5fa847..000000000 --- a/other-cel/allowed-annotations/artifacthub-pkg.yml +++ /dev/null 
@@ -1,24 +0,0 @@ -name: allowed-annotations-cel -version: 1.0.0 -displayName: Allowed Annotations in CEL expressions -description: >- - Rather than creating a deny list of annotations, it may be more useful to invert that list and create an allow list which then denies any others. This policy demonstrates how to allow two annotations with a specific key name of fluxcd.io/ while denying others that do not meet the pattern. -install: |- - ```shell - kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other-cel/allowed-annotations/allowed-annotations.yaml - ``` -keywords: - - kyverno - - Other - - CEL Expressions -readme: | - Rather than creating a deny list of annotations, it may be more useful to invert that list and create an allow list which then denies any others. This policy demonstrates how to allow two annotations with a specific key name of fluxcd.io/ while denying others that do not meet the pattern. - - Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ -annotations: - kyverno/category: "Other in CEL" - kyverno/kubernetesVersion: "1.26-1.27" - kyverno/subject: "Pod, Annotation" -digest: 5853c229a0d206b7b5faa55b55f6b871a3afb0da597d3dcd8c7ea88cf20d83d2 -createdAt: "2024-03-17T14:04:46Z" - diff --git a/other-cel/allowed-pod-priorities/.chainsaw-test/chainsaw-test.yaml b/other-cel/allowed-pod-priorities/.chainsaw-test/chainsaw-test.yaml deleted file mode 100755 index 01a9a8915..000000000 --- a/other-cel/allowed-pod-priorities/.chainsaw-test/chainsaw-test.yaml +++ /dev/null 
@@ -1,47 +0,0 @@
-# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
-apiVersion: chainsaw.kyverno.io/v1alpha1
-kind: Test
-metadata:
- creationTimestamp: null
- name: allowed-pod-priorities
-spec:
- # disable templating because it can cause issues with CEL expressions
- template: false
- steps:
- - name: step-01
- try:
- - apply:
- file: cm.yaml
- - apply:
- file: ns.yaml
- - apply:
- file: pc.yaml
- - apply:
- file: ../allowed-pod-priorities.yaml
- - patch:
- resource:
- apiVersion: kyverno.io/v1
- kind: ClusterPolicy
- metadata:
- name: allowed-podpriorities
- spec:
- validationFailureAction: Enforce
- - assert:
- file: policy-ready.yaml
- - name: step-02
- try:
- - apply:
- file: pod-good.yaml
- - apply:
- file: podcontroller-good.yaml
- - apply:
- expect:
- - check:
- ($error != null): true
- file: pod-bad.yaml
- - apply:
- expect:
- - check:
- ($error != null): true
- file: podcontroller-bad.yaml
-
diff --git a/other-cel/allowed-pod-priorities/.chainsaw-test/cm.yaml b/other-cel/allowed-pod-priorities/.chainsaw-test/cm.yaml
deleted file mode 100644
index 555b7e5dc..000000000
--- a/other-cel/allowed-pod-priorities/.chainsaw-test/cm.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
-apiVersion: v1
-data:
- pod-priority-ns: "high, medium, low"
- no-priority-ns: foo
-kind: ConfigMap
-metadata:
- name: allowed-pod-priorities
- namespace: default
-
diff --git a/other-cel/allowed-pod-priorities/.chainsaw-test/ns.yaml b/other-cel/allowed-pod-priorities/.chainsaw-test/ns.yaml
deleted file mode 100644
index 5a95db206..000000000
--- a/other-cel/allowed-pod-priorities/.chainsaw-test/ns.yaml
+++ /dev/null
@@ -1,10 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
- name: pod-priority-ns
----
-apiVersion: v1
-kind: Namespace
-metadata:
- name: no-priority-ns
-
diff --git a/other-cel/allowed-pod-priorities/.chainsaw-test/pc.yaml b/other-cel/allowed-pod-priorities/.chainsaw-test/pc.yaml
deleted file mode 100644
index 817a2a8eb..000000000
--- a/other-cel/allowed-pod-priorities/.chainsaw-test/pc.yaml
+++ /dev/null
@@ -1,32 +0,0 @@
-apiVersion: scheduling.k8s.io/v1
-kind: PriorityClass
-metadata:
- name: high
-value: 1000000
-globalDefault: false
-description: "This priority class should be used for XYZ service pods only."
----
-apiVersion: scheduling.k8s.io/v1
-kind: PriorityClass
-metadata:
- name: medium
-value: 500000
-globalDefault: false
-description: "This priority class should be used for XYZ service pods only."
----
-apiVersion: scheduling.k8s.io/v1
-kind: PriorityClass
-metadata:
- name: low
-value: 100000
-globalDefault: false
-description: "This priority class should be used for XYZ service pods only."
----
-apiVersion: scheduling.k8s.io/v1
-kind: PriorityClass
-metadata:
- name: foo
-value: 100000
-globalDefault: false
-description: "This priority class should be used for XYZ service pods only."
-
diff --git a/other-cel/allowed-pod-priorities/.chainsaw-test/pod-bad.yaml b/other-cel/allowed-pod-priorities/.chainsaw-test/pod-bad.yaml
deleted file mode 100644
index 38437c267..000000000
--- a/other-cel/allowed-pod-priorities/.chainsaw-test/pod-bad.yaml
+++ /dev/null
@@ -1,22 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
- name: badpod01
- namespace: pod-priority-ns
-spec:
- containers:
- - name: pod01
- image: ghcr.io/kyverno/test-busybox:1.35
- priorityClassName: foo
----
-apiVersion: v1
-kind: Pod
-metadata:
- name: badpod02
- namespace: no-priority-ns
-spec:
- containers:
- - name: pod01
- image: ghcr.io/kyverno/test-busybox:1.35
- priorityClassName: low
-
diff --git a/other-cel/allowed-pod-priorities/.chainsaw-test/pod-good.yaml b/other-cel/allowed-pod-priorities/.chainsaw-test/pod-good.yaml
deleted file mode 100644
index 311bf32b6..000000000
--- a/other-cel/allowed-pod-priorities/.chainsaw-test/pod-good.yaml
+++ /dev/null
@@ -1,52 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
- name: goodpod01
- namespace: pod-priority-ns
-spec:
- containers:
- - name: pod01
- image: ghcr.io/kyverno/test-busybox:1.35
- priorityClassName: high
----
-apiVersion: v1
-kind: Pod
-metadata:
- name: goodpod02
- namespace: pod-priority-ns
-spec:
- containers:
- - name: pod01
- image: ghcr.io/kyverno/test-busybox:1.35
- priorityClassName: low
----
-apiVersion: v1
-kind: Pod
-metadata:
- name: goodpod03
-spec:
- containers:
- - name: pod01
- image: ghcr.io/kyverno/test-busybox:1.35
----
-apiVersion: v1
-kind: Pod
-metadata:
- name: goodpod04
- namespace: no-priority-ns
-spec:
- containers:
- - name: pod01
- image: ghcr.io/kyverno/test-busybox:1.35
- priorityClassName: foo
----
-apiVersion: v1
-kind: Pod
-metadata:
- name: goodpod05
-spec:
- containers:
- - name: pod01
- image: ghcr.io/kyverno/test-busybox:1.35
- priorityClassName: low
-
diff --git a/other-cel/allowed-pod-priorities/.chainsaw-test/podcontroller-bad.yaml b/other-cel/allowed-pod-priorities/.chainsaw-test/podcontroller-bad.yaml
deleted file mode 100644
index e8fd9d140..000000000
--- a/other-cel/allowed-pod-priorities/.chainsaw-test/podcontroller-bad.yaml
+++ /dev/null
@@ -1,80 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- labels:
- app: busybox
- name: baddeployment01
- namespace: pod-priority-ns
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: busybox
- strategy: {}
- template:
- metadata:
- labels:
- app: busybox
- spec:
- priorityClassName: foo
- containers:
- - name: bb-01
- image: ghcr.io/kyverno/test-busybox:1.35
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- labels:
- app: busybox
- name: baddeployment02
- namespace: pod-priority-ns
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: busybox
- strategy: {}
- template:
- metadata:
- labels:
- app: busybox
- spec:
- priorityClassName: foo
- containers:
- - name: bb-01
- image: ghcr.io/kyverno/test-busybox:1.35
----
-apiVersion: batch/v1
-kind: CronJob
-metadata:
- name: badcronjob01
- namespace: pod-priority-ns
-spec:
- schedule: "* * * * *"
- jobTemplate:
- spec:
- template:
- spec:
- priorityClassName: med
- containers:
- - name: bb-01
- image: kyverno
- restartPolicy: OnFailure
----
-apiVersion: batch/v1
-kind: CronJob
-metadata:
- name: badcronjob02
- namespace: pod-priority-ns
-spec:
- schedule: "* * * * *"
- jobTemplate:
- spec:
- template:
- spec:
- priorityClassName: foo
- containers:
- - name: bb-01
- image: kyverno
- restartPolicy: OnFailure
-
diff --git a/other-cel/allowed-pod-priorities/.chainsaw-test/podcontroller-good.yaml b/other-cel/allowed-pod-priorities/.chainsaw-test/podcontroller-good.yaml
deleted file mode 100644
index 05f3c81a4..000000000
--- a/other-cel/allowed-pod-priorities/.chainsaw-test/podcontroller-good.yaml
+++ /dev/null
@@ -1,80 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- labels:
- app: busybox
- name: gooddeployment01
- namespace: pod-priority-ns
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: busybox
- strategy: {}
- template:
- metadata:
- labels:
- app: busybox
- spec:
- priorityClassName: high
- containers:
- - name: bb-01
- image: ghcr.io/kyverno/test-busybox:1.35
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- labels:
- app: busybox
- name: gooddeployment02
- namespace: no-priority-ns
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: busybox
- strategy: {}
- template:
- metadata:
- labels:
- app: busybox
- spec:
- priorityClassName: foo
- containers:
- - name: bb-01
- image: ghcr.io/kyverno/test-busybox:1.35
----
-apiVersion: batch/v1
-kind: CronJob
-metadata:
- name: goodcronjob01
- namespace: pod-priority-ns
-spec:
- schedule: "* * * * *"
- jobTemplate:
- spec:
- template:
- spec:
- priorityClassName: medium
- containers:
- - name: bb-01
- image: kyverno
- restartPolicy: OnFailure
----
-apiVersion: batch/v1
-kind: CronJob
-metadata:
- name: goodcronjob02
- namespace: no-priority-ns
-spec:
- schedule: "* * * * *"
- jobTemplate:
- spec:
- template:
- spec:
- priorityClassName: foo
- containers:
- - name: bb-01
- image: kyverno
- restartPolicy: OnFailure
-
diff --git a/other-cel/allowed-pod-priorities/.chainsaw-test/policy-ready.yaml b/other-cel/allowed-pod-priorities/.chainsaw-test/policy-ready.yaml
deleted file mode 100755
index e6e0cca79..000000000
--- a/other-cel/allowed-pod-priorities/.chainsaw-test/policy-ready.yaml
+++ /dev/null
@@ -1,11 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
- name: allowed-podpriorities
-status:
- conditions:
- - reason: Succeeded
- status: "True"
- type: Ready
-
-
diff --git a/other-cel/allowed-pod-priorities/.chainsaw-test/priorityClass.yaml b/other-cel/allowed-pod-priorities/.chainsaw-test/priorityClass.yaml
deleted file mode 100644
index e33fe7984..000000000
--- a/other-cel/allowed-pod-priorities/.chainsaw-test/priorityClass.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-apiVersion: scheduling.k8s.io/v1
-kind: PriorityClass
-metadata:
- name: high-priority
-value: 1000000
-globalDefault: false
-description: "This priority class should be used for XYZ service pods only."
-
diff --git a/other-cel/allowed-pod-priorities/allowed-pod-priorities.yaml b/other-cel/allowed-pod-priorities/allowed-pod-priorities.yaml
deleted file mode 100644
index 89ce2ee29..000000000
--- a/other-cel/allowed-pod-priorities/allowed-pod-priorities.yaml
+++ /dev/null
@@ -1,51 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: allowed-podpriorities - annotations: - policies.kyverno.io/title: Allowed Pod Priorities in CEL expressions - policies.kyverno.io/category: Sample in CEL - policies.kyverno.io/minversion: 1.11.0 - kyverno.io/kubernetes-version: "1.26-1.27" - policies.kyverno.io/subject: Pod - policies.kyverno.io/description: >- - A Pod PriorityClass is used to provide a guarantee on the scheduling of a Pod relative to others. - In certain cases where not all users in a cluster are trusted, a malicious user could create Pods - at the highest possible priorities, causing other Pods to be evicted/not get scheduled. This policy - checks the defined `priorityClassName` in a Pod spec to a dictionary of allowable - PriorityClasses for the given Namespace stored in a ConfigMap. If the `priorityClassName` is not - among them, the Pod is blocked. -spec: - validationFailureAction: Audit - background: true - rules: - - name: validate-pod-priority - match: - any: - - resources: - kinds: - - Pod - operations: - - CREATE - - UPDATE - validate: - cel: - paramKind: - apiVersion: v1 - kind: ConfigMap - paramRef: - name: allowed-pod-priorities - namespace: default - parameterNotFoundAction: Deny - variables: - - name: namespaceName - expression: "namespaceObject.metadata.name" - - name: priorities - expression: "variables.namespaceName in params.data ? params.data[variables.namespaceName].split(', ') : []" - expressions: - - expression: "variables.priorities == [] || object.spec.priorityClassName in variables.priorities" - messageExpression: >- - 'The Pod PriorityClass ' + object.spec.priorityClassName + - ' is not in the list of the following PriorityClasses allowed in this Namespace: ' + - params.data[variables.namespaceName] - diff --git a/other-cel/allowed-pod-priorities/artifacthub-pkg.yml b/other-cel/allowed-pod-priorities/artifacthub-pkg.yml deleted file mode 100644 index a110f285f..000000000 
--- a/other-cel/allowed-pod-priorities/artifacthub-pkg.yml +++ /dev/null @@ -1,24 +0,0 @@ -name: allowed-pod-priorities-cel -version: 1.0.0 -displayName: Allowed Pod Priorities in CEL expressions -description: >- - A Pod PriorityClass is used to provide a guarantee on the scheduling of a Pod relative to others. In certain cases where not all users in a cluster are trusted, a malicious user could create Pods at the highest possible priorities, causing other Pods to be evicted/not get scheduled. This policy checks the defined `priorityClassName` in a Pod spec to a dictionary of allowable PriorityClasses for the given Namespace stored in a ConfigMap. If the `priorityClassName` is not among them, the Pod is blocked. -install: |- - ```shell - kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other-cel/allowed-pod-priorities/allowed-pod-priorities.yaml - ``` -keywords: - - kyverno - - Sample - - CEL Expressions -readme: | - A Pod PriorityClass is used to provide a guarantee on the scheduling of a Pod relative to others. In certain cases where not all users in a cluster are trusted, a malicious user could create Pods at the highest possible priorities, causing other Pods to be evicted/not get scheduled. This policy checks the defined `priorityClassName` in a Pod spec to a dictionary of allowable PriorityClasses for the given Namespace stored in a ConfigMap. If the `priorityClassName` is not among them, the Pod is blocked. - - Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ -annotations: - kyverno/category: "Sample in CEL" - kyverno/kubernetesVersion: "1.26-1.27" - kyverno/subject: "Pod" -digest: fc3abdb001c9cd666cc784d67eb584800a1a5ab357fbf3616dee2c5752e0f805 -createdAt: "2024-03-19T17:20:47Z" - 
diff --git a/other-cel/block-ephemeral-containers/.chainsaw-test/chainsaw-test.yaml b/other-cel/block-ephemeral-containers/.chainsaw-test/chainsaw-test.yaml deleted file mode 100755 index 0edd78c5c..000000000 --- a/other-cel/block-ephemeral-containers/.chainsaw-test/chainsaw-test.yaml +++ /dev/null @@ -1,54 +0,0 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json -apiVersion: chainsaw.kyverno.io/v1alpha1 -kind: Test -metadata: - creationTimestamp: null - name: block-ephemeral-containers -spec: - # disable templating because it can cause issues with CEL expressions - template: false - steps: - - name: step-01 - try: - - apply: - file: ../block-ephemeral-containers.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: block-ephemeral-containers - spec: - validationFailureAction: Enforce - - assert: - file: policy-ready.yaml - - name: step-02 - try: - - apply: - file: ns.yaml - - apply: - file: pod.yaml - - apply: - file: podcontrollers.yaml - - name: step-03 - try: - - script: - content: if kubectl debug -it pod01 --image=busybox:1.35 --target=busybox - -n block-ephemeral-ns; then exit 1; else exit 0; fi; - - script: - content: if kubectl debug -it pod02 --image=busybox:1.35 --target=busybox02 - -n block-ephemeral-ns; then exit 1; else exit 0; fi; - - script: - content: if kubectl debug -it pod03 --image=busybox:1.35 --target=busybox - -n block-ephemeral-ns; then exit 1; else exit 0; fi; - - script: - content: if kubectl debug -it $(kubectl get po -n block-ephemeral-ns | grep - deployment01 | awk '{print $1}') --image=busybox:1.35 --target=bb -n block-ephemeral-ns; - then exit 1; else exit 0; fi; - - name: step-98 - try: - - script: - content: kubectl delete deployments --all --force --grace-period=0 -n block-ephemeral-ns - - script: - content: kubectl delete pods --all --force --grace-period=0 -n block-ephemeral-ns - 
diff --git a/other-cel/block-ephemeral-containers/.chainsaw-test/ns.yaml b/other-cel/block-ephemeral-containers/.chainsaw-test/ns.yaml
deleted file mode 100644
index 9881b9cb0..000000000
--- a/other-cel/block-ephemeral-containers/.chainsaw-test/ns.yaml
+++ /dev/null
@@ -1,5 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
- name: block-ephemeral-ns
-
diff --git a/other-cel/block-ephemeral-containers/.chainsaw-test/pod.yaml b/other-cel/block-ephemeral-containers/.chainsaw-test/pod.yaml
deleted file mode 100644
index 7723e89bc..000000000
--- a/other-cel/block-ephemeral-containers/.chainsaw-test/pod.yaml
+++ /dev/null
@@ -1,46 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
- name: pod01
- namespace: block-ephemeral-ns
-spec:
- containers:
- - name: busybox
- image: ghcr.io/kyverno/test-busybox:1.35
- command: ["sleep", "300"]
----
-apiVersion: v1
-kind: Pod
-metadata:
- name: pod02
- namespace: block-ephemeral-ns
-spec:
- containers:
- - name: busybox
- image: ghcr.io/kyverno/test-busybox:1.35
- command: ["sleep", "300"]
- - name: busybox02
- image: ghcr.io/kyverno/test-busybox:1.35
- command: ["sleep", "300"]
----
-apiVersion: v1
-kind: Pod
-metadata:
- name: pod03
- namespace: block-ephemeral-ns
-spec:
- initContainers:
- - name: busybox-init
- image: ghcr.io/kyverno/test-busybox:1.35
- command: ["sleep", "300"]
- - name: busybox02-init
- image: ghcr.io/kyverno/test-busybox:1.35
- command: ["sleep", "300"]
- containers:
- - name: busybox
- image: ghcr.io/kyverno/test-busybox:1.35
- command: ["sleep", "300"]
- - name: busybox02
- image: ghcr.io/kyverno/test-busybox:1.35
- command: ["sleep", "300"]
-
diff --git a/other-cel/block-ephemeral-containers/.chainsaw-test/podcontrollers.yaml b/other-cel/block-ephemeral-containers/.chainsaw-test/podcontrollers.yaml
deleted file mode 100644
index 645027785..000000000
--- a/other-cel/block-ephemeral-containers/.chainsaw-test/podcontrollers.yaml
+++ /dev/null
@@ -1,26 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- labels:
- app: busybox
- name: deployment01
- namespace: block-ephemeral-ns
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: busybox
- strategy: {}
- template:
- metadata:
- labels:
- app: busybox
- spec:
- containers:
- - name: bb
- image: ghcr.io/kyverno/test-busybox:1.35
- command: ["sleep", "300"]
- - name: bb2
- image: ghcr.io/kyverno/test-busybox:1.35
- command: ["sleep", "300"]
-
diff --git a/other-cel/block-ephemeral-containers/.chainsaw-test/policy-ready.yaml b/other-cel/block-ephemeral-containers/.chainsaw-test/policy-ready.yaml
deleted file mode 100755
index 76128fcfc..000000000
--- a/other-cel/block-ephemeral-containers/.chainsaw-test/policy-ready.yaml
+++ /dev/null
@@ -1,11 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
- name: block-ephemeral-containers
-status:
- conditions:
- - reason: Succeeded
- status: "True"
- type: Ready
-
-
diff --git a/other-cel/block-ephemeral-containers/.kyverno-test/kyverno-test.yaml b/other-cel/block-ephemeral-containers/.kyverno-test/kyverno-test.yaml
deleted file mode 100644
index 7d1210a48..000000000
--- a/other-cel/block-ephemeral-containers/.kyverno-test/kyverno-test.yaml
+++ /dev/null
@@ -1,26 +0,0 @@
-apiVersion: cli.kyverno.io/v1alpha1
-kind: Test
-metadata:
- name: block-ephemeral-containers
-policies:
-- ../block-ephemeral-containers.yaml
-resources:
-- resource.yaml
-results:
-- policy: block-ephemeral-containers
- rule: block-ephemeral-containers
- resources:
- - goodpod01
- - goodpod02
- - goodpod03
- kind: Pod
- result: pass
-- policy: block-ephemeral-containers
- rule: block-ephemeral-containers
- resources:
- - badpod01
- - badpod02
- - badpod03
- kind: Pod
- result: fail
-
diff --git a/other-cel/block-ephemeral-containers/.kyverno-test/resource.yaml b/other-cel/block-ephemeral-containers/.kyverno-test/resource.yaml
deleted file mode 100644
index ba498bf1f..000000000
--- a/other-cel/block-ephemeral-containers/.kyverno-test/resource.yaml
+++ /dev/null
@@ -1,66 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
- name: goodpod01
-spec:
- initContainers:
- - name: initcontainer01
- image: dummyimagename
----
-apiVersion: v1
-kind: Pod
-metadata:
- name: goodpod02
-spec:
- containers:
- - name: container01
- image: dummyimagename
----
-apiVersion: v1
-kind: Pod
-metadata:
- name: goodpod03
-spec:
- initContainers:
- - name: initcontainer01
- image: dummyimagename
- containers:
- - name: container01
- image: dummyimagename
----
-apiVersion: v1
-kind: Pod
-metadata:
- name: badpod01
-spec:
- ephemeralContainers:
- - name: ephcontainer01
- image: dummyimagename
----
-apiVersion: v1
-kind: Pod
-metadata:
- name: badpod02
-spec:
- initContainers:
- - name: initcontainer01
- image: dummyimagename
- ephemeralContainers:
- - name: ephcontainer01
- image: dummyimagename
----
-apiVersion: v1
-kind: Pod
-metadata:
- name: badpod03
-spec:
- initContainers:
- - name: initcontainer01
- image: dummyimagename
- containers:
- - name: container01
- image: dummyimagename
- ephemeralContainers:
- - name: ephcontainer01
- image: dummyimagename
-
diff --git a/other-cel/block-ephemeral-containers/artifacthub-pkg.yml b/other-cel/block-ephemeral-containers/artifacthub-pkg.yml
deleted file mode 100644
index 40fe2c5a3..000000000
--- a/other-cel/block-ephemeral-containers/artifacthub-pkg.yml
+++ /dev/null
@@ -1,24 +0,0 @@ -name: block-ephemeral-containers-cel -version: 1.0.0 -displayName: Block Ephemeral Containers in CEL expressions -description: >- - Ephemeral containers, enabled by default in Kubernetes 1.23, allow users to use the `kubectl debug` functionality and attach a temporary container to an existing Pod. This may potentially be used to gain access to unauthorized information executing inside one or more containers in that Pod. This policy blocks the use of ephemeral containers. -install: |- - ```shell - kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other-cel/block-ephemeral-containers/block-ephemeral-containers.yaml - ``` -keywords: - - kyverno - - Other - - CEL Expressions -readme: | - Ephemeral containers, enabled by default in Kubernetes 1.23, allow users to use the `kubectl debug` functionality and attach a temporary container to an existing Pod. This may potentially be used to gain access to unauthorized information executing inside one or more containers in that Pod. This policy blocks the use of ephemeral containers. - - Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ -annotations: - kyverno/category: "Other in CEL" - kyverno/kubernetesVersion: "1.26-1.27" - kyverno/subject: "Pod" -digest: 9f035b4eb5a4aedeb5c770b03affe6a30a58ee02b79601b2335ead2b0b270f8d -createdAt: "2024-03-20T08:34:56Z" - diff --git a/other-cel/block-ephemeral-containers/block-ephemeral-containers.yaml b/other-cel/block-ephemeral-containers/block-ephemeral-containers.yaml deleted file mode 100644 index 57bda33c5..000000000 --- a/other-cel/block-ephemeral-containers/block-ephemeral-containers.yaml +++ /dev/null 
@@ -1,36 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: block-ephemeral-containers - annotations: - policies.kyverno.io/title: Block Ephemeral Containers in CEL expressions - policies.kyverno.io/category: Other in CEL - policies.kyverno.io/severity: medium - kyverno.io/kyverno-version: 1.11.0 - policies.kyverno.io/minversion: 1.11.0 - kyverno.io/kubernetes-version: "1.26-1.27" - policies.kyverno.io/subject: Pod - policies.kyverno.io/description: >- - Ephemeral containers, enabled by default in Kubernetes 1.23, allow users to use the - `kubectl debug` functionality and attach a temporary container to an existing Pod. - This may potentially be used to gain access to unauthorized information executing inside - one or more containers in that Pod. This policy blocks the use of ephemeral containers. -spec: - validationFailureAction: Audit - background: true - rules: - - name: block-ephemeral-containers - match: - any: - - resources: - kinds: - - Pod - operations: - - CREATE - - UPDATE - validate: - cel: - expressions: - - expression: "!has(object.spec.ephemeralContainers)" - message: "Ephemeral (debug) containers are not permitted." - diff --git a/other-cel/check-env-vars/.chainsaw-test/chainsaw-test.yaml b/other-cel/check-env-vars/.chainsaw-test/chainsaw-test.yaml deleted file mode 100755 index eea78f49c..000000000 --- a/other-cel/check-env-vars/.chainsaw-test/chainsaw-test.yaml +++ /dev/null 
@@ -1,41 +0,0 @@
-# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
-apiVersion: chainsaw.kyverno.io/v1alpha1
-kind: Test
-metadata:
- creationTimestamp: null
- name: check-env-vars
-spec:
- # disable templating because it can cause issues with CEL expressions
- template: false
- steps:
- - name: step-01
- try:
- - apply:
- file: ../check-env-vars.yaml
- - patch:
- resource:
- apiVersion: kyverno.io/v1
- kind: ClusterPolicy
- metadata:
- name: check-env-vars
- spec:
- validationFailureAction: Enforce
- - assert:
- file: policy-ready.yaml
- - name: step-02
- try:
- - apply:
- file: pods-good.yaml
- - apply:
- expect:
- - check:
- ($error != null): true
- file: pods-bad.yaml
- - apply:
- file: podcontrollers-good.yaml
- - apply:
- expect:
- - check:
- ($error != null): true
- file: podcontrollers-bad.yaml
-
diff --git a/other-cel/check-env-vars/.chainsaw-test/podcontrollers-bad.yaml b/other-cel/check-env-vars/.chainsaw-test/podcontrollers-bad.yaml
deleted file mode 100644
index d3d1504e8..000000000
--- a/other-cel/check-env-vars/.chainsaw-test/podcontrollers-bad.yaml
+++ /dev/null
@@ -1,60 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- labels:
- app: busybox
- name: baddeployment01
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: busybox
- strategy: {}
- template:
- metadata:
- labels:
- app: busybox
- spec:
- containers:
- - name: busybox
- image: ghcr.io/kyverno/test-busybox:1.35
- env:
- - name: DISABLE_OPA
- value: "true"
- - name: foo
- value: bar
- - name: busybox02
- image: ghcr.io/kyverno/test-busybox:1.35
- env:
- - name: foo
- value: bar
- - name: DISABLE_OPA
- value: "true"
----
-apiVersion: batch/v1
-kind: CronJob
-metadata:
- name: badcronjob01
-spec:
- schedule: "* * * * *"
- jobTemplate:
- spec:
- template:
- spec:
- containers:
- - name: busybox
- image: ghcr.io/kyverno/test-busybox:1.35
- env:
- - name: DISABLE_OPA
- value: "true"
- - name: foo
- value: bar
- - name: busybox02
- image: ghcr.io/kyverno/test-busybox:1.35
- env:
- - name: foo
- value: bar
- - name: DISABLE_OPA
- value: "true"
- restartPolicy: OnFailure
-
diff --git a/other-cel/check-env-vars/.chainsaw-test/podcontrollers-good.yaml b/other-cel/check-env-vars/.chainsaw-test/podcontrollers-good.yaml
deleted file mode 100644
index 9459e38bc..000000000
--- a/other-cel/check-env-vars/.chainsaw-test/podcontrollers-good.yaml
+++ /dev/null
@@ -1,60 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- labels:
- app: busybox
- name: gooddeployment01
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: busybox
- strategy: {}
- template:
- metadata:
- labels:
- app: busybox
- spec:
- containers:
- - name: busybox
- image: ghcr.io/kyverno/test-busybox:1.35
- env:
- - name: DISABLE_OPA
- value: "false"
- - name: foo
- value: bar
- - name: busybox02
- image: ghcr.io/kyverno/test-busybox:1.35
- env:
- - name: foo
- value: bar
- - name: DISABLE_OPA
- value: "false"
----
-apiVersion: batch/v1
-kind: CronJob
-metadata:
- name: goodcronjob01
-spec:
- schedule: "* * * * *"
- jobTemplate:
- spec:
- template:
- spec:
- containers:
- - name: busybox
- image: ghcr.io/kyverno/test-busybox:1.35
- env:
- - name: DISABLE_OPA
- value: "false"
- - name: foo
- value: bar
- - name: busybox02
- image: ghcr.io/kyverno/test-busybox:1.35
- env:
- - name: foo
- value: bar
- - name: DISABLE_OPA
- value: "false"
- restartPolicy: OnFailure
-
diff --git a/other-cel/check-env-vars/.chainsaw-test/pods-bad.yaml b/other-cel/check-env-vars/.chainsaw-test/pods-bad.yaml
deleted file mode 100644
index 078ddbcb6..000000000
--- a/other-cel/check-env-vars/.chainsaw-test/pods-bad.yaml
+++ /dev/null
@@ -1,93 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
- labels:
- run: busybox
- name: badpod01
-spec:
- containers:
- - image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox
- env:
- - name: DISABLE_OPA
- value: "true"
----
-apiVersion: v1
-kind: Pod
-metadata:
- labels:
- run: busybox
- name: badpod02
-spec:
- containers:
- - image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox
- env:
- - name: foo
- value: bar
- - name: DISABLE_OPA
- value: "true"
- - image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox02
- env:
- - name: DISABLE_OPA
- value: "true"
- - name: foo
- value: bar
----
-apiVersion: v1
-kind: Pod
-metadata:
- labels:
- run: busybox
- name: badpod03
-spec:
- containers:
- - image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox
- env:
- - name: foo
- value: bar
- - image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox02
- env:
- - name: foo
- value: bar
- - name: DISABLE_OPA
- value: "true"
----
-apiVersion: v1
-kind: Pod
-metadata:
- labels:
- run: busybox
- name: badpod04
-spec:
- containers:
- - image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox
- - image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox02
- env:
- - name: DISABLE_OPA
- value: "true"
----
-apiVersion: v1
-kind: Pod
-metadata:
- labels:
- run: busybox
- name: badpod05
-spec:
- containers:
- - image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox
- env:
- - name: DISABLE_OPA
- value: "false"
- - image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox02
- env:
- - name: DISABLE_OPA
- value: "true"
-
diff --git a/other-cel/check-env-vars/.chainsaw-test/pods-good.yaml b/other-cel/check-env-vars/.chainsaw-test/pods-good.yaml
deleted file mode 100644
index 1ed0f140f..000000000
--- a/other-cel/check-env-vars/.chainsaw-test/pods-good.yaml
+++ /dev/null
@@ -1,48 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
- labels:
- run: busybox
- name: goodpod01
-spec:
- containers:
- - image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox
- env:
- - name: DISABLE_OPA
- value: "false"
----
-apiVersion: v1
-kind: Pod
-metadata:
- labels:
- run: busybox
- name: goodpod02
-spec:
- containers:
- - image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox
- env:
- - name: foo
- value: bar
- - name: DISABLE_OPA
- value: "false"
- - image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox02
- env:
- - name: foo
- value: bar
----
-apiVersion: v1
-kind: Pod
-metadata:
- labels:
- run: busybox
- name: goodpod03
-spec:
- containers:
- - image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox
- - image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox02
-
diff --git a/other-cel/check-env-vars/.chainsaw-test/policy-ready.yaml b/other-cel/check-env-vars/.chainsaw-test/policy-ready.yaml
deleted file mode 100755
index 5775be301..000000000
--- a/other-cel/check-env-vars/.chainsaw-test/policy-ready.yaml
+++ /dev/null
@@ -1,11 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
- name: check-env-vars
-status:
- conditions:
- - reason: Succeeded
- status: "True"
- type: Ready
-
-
diff --git a/other-cel/check-env-vars/.kyverno-test/kyverno-test.yaml b/other-cel/check-env-vars/.kyverno-test/kyverno-test.yaml
deleted file mode 100644
index 6bcfe92b2..000000000
--- a/other-cel/check-env-vars/.kyverno-test/kyverno-test.yaml
+++ /dev/null
@@ -1,23 +0,0 @@
-apiVersion: cli.kyverno.io/v1alpha1
-kind: Test
-metadata:
- name: opa-env
-policies:
-- ../check-env-vars.yaml
-resources:
-- resource.yaml
-results:
-- kind: Pod
- policy: check-env-vars
- resources:
- - pod-with-opa-enabled
- result: fail
- rule: check-disable-opa
-- kind: Pod
- policy: check-env-vars
- resources:
- - pod-with-opa-disabled
- - pod-without-opa-env
- result: pass
- rule: check-disable-opa
-
diff --git a/other-cel/check-env-vars/.kyverno-test/resource.yaml b/other-cel/check-env-vars/.kyverno-test/resource.yaml
deleted file mode 100644
index b62815746..000000000
--- a/other-cel/check-env-vars/.kyverno-test/resource.yaml
+++ /dev/null
@@ -1,36 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
- name: pod-with-opa-disabled
- namespace: myservice
-spec:
- containers:
- - env:
- - name: DISABLE_OPA
- value: "false"
- image: quay.io/sdase/sdase-version-collector
- name: myservice
----
-apiVersion: v1
-kind: Pod
-metadata:
- name: pod-with-opa-enabled
- namespace: myservice
-spec:
- containers:
- - env:
- - name: DISABLE_OPA
- value: "true"
- image: quay.io/sdase/sdase-version-collector
- name: myservice
----
-apiVersion: v1
-kind: Pod
-metadata:
- name: pod-without-opa-env
- namespace: myservice
-spec:
- containers:
- - image: quay.io/sdase/sdase-version-collector
- name: myservice
-
diff --git a/other-cel/check-env-vars/artifacthub-pkg.yml b/other-cel/check-env-vars/artifacthub-pkg.yml
deleted file mode 100644
index 1e0f35b2b..000000000
--- a/other-cel/check-env-vars/artifacthub-pkg.yml
+++ /dev/null
@@ -1,24 +0,0 @@
-name: check-env-vars-cel
-version: 1.0.0
-displayName: Check Environment Variables in CEL expressions
-description: >-
- Environment variables control many aspects of a container's execution and are often the source of many different configuration settings. Being able to ensure that the value of a specific environment variable either is or is not set to a specific string is useful to maintain such controls. This policy checks every container to ensure that if the `DISABLE_OPA` environment variable is defined, it must not be set to a value of `"true"`.
-install: |-
- ```shell
- kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other-cel/check-env-vars/check-env-vars.yaml
- ```
-keywords:
- - kyverno
- - Other
- - CEL Expressions
-readme: |
- Environment variables control many aspects of a container's execution and are often the source of many different configuration settings. Being able to ensure that the value of a specific environment variable either is or is not set to a specific string is useful to maintain such controls. This policy checks every container to ensure that if the `DISABLE_OPA` environment variable is defined, it must not be set to a value of `"true"`.
-
- Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/
-annotations:
- kyverno/category: "Other in CEL"
- kyverno/kubernetesVersion: "1.26-1.27"
- kyverno/subject: "Pod"
-digest: f44af22c70df6dfca262ce23ad5812d1a65d38073a86f47b8ed3a1d625dcc915
-createdAt: "2024-03-21T13:31:53Z"
-
diff --git a/other-cel/check-env-vars/check-env-vars.yaml b/other-cel/check-env-vars/check-env-vars.yaml
deleted file mode 100644
index 488d01326..000000000
--- a/other-cel/check-env-vars/check-env-vars.yaml
+++ /dev/null
@@ -1,38 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
- name: check-env-vars
- annotations:
- policies.kyverno.io/title: Check Environment Variables in CEL expressions
- policies.kyverno.io/severity: medium
- policies.kyverno.io/category: Other in CEL
- policies.kyverno.io/subject: Pod
- kyverno.io/kubernetes-version: "1.26-1.27"
- kyverno.io/kyverno-version: 1.11.0
- policies.kyverno.io/description: >-
- Environment variables control many aspects of a container's execution and are
- often the source of many different configuration settings. Being able to ensure that
- the value of a specific environment variable either is or is not set to a specific string
- is useful to maintain such controls. This policy checks every container to ensure that if the
- `DISABLE_OPA` environment variable is defined, it must not be set to a value of `"true"`.
-spec:
- background: true
- validationFailureAction: Audit
- rules:
- - name: check-disable-opa
- match:
- any:
- - resources:
- kinds:
- - Pod
- operations:
- - CREATE
- - UPDATE
- validate:
- cel:
- expressions:
- - expression: >-
- !object.spec.containers.exists(container,
- container.?env.orValue([]).exists(e, e.name == 'DISABLE_OPA' && e.value == 'true'))
- message: "DISABLE_OPA must not be set to true."
-
diff --git a/other-cel/check-node-for-cve-2022-0185/artifacthub-pkg.yml b/other-cel/check-node-for-cve-2022-0185/artifacthub-pkg.yml
deleted file mode 100644
index 1706761b7..000000000
--- a/other-cel/check-node-for-cve-2022-0185/artifacthub-pkg.yml
+++ /dev/null
@@ -1,24 +0,0 @@
-name: check-node-for-cve-2022-0185-cel
-version: 1.0.0
-displayName: Check Node for CVE-2022-0185 in CEL expressions
-description: >-
- Linux CVE-2022-0185 can allow a container escape in Kubernetes if left unpatched. The affected Linux kernel versions, at this time, are 5.10.84-1 and 5.15.5-2. For more information, refer to https://security-tracker.debian.org/tracker/CVE-2022-0185. This policy runs in background mode and flags an entry in the ClusterPolicyReport if any Node is reporting one of the affected kernel versions.
-install: |-
- ```shell
- kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other-cel/check-node-for-cve-2022-0185/check-node-for-cve-2022-0185.yaml
- ```
-keywords:
- - kyverno
- - Other
- - CEL Expressions
-readme: |
- Linux CVE-2022-0185 can allow a container escape in Kubernetes if left unpatched. The affected Linux kernel versions, at this time, are 5.10.84-1 and 5.15.5-2. For more information, refer to https://security-tracker.debian.org/tracker/CVE-2022-0185. This policy runs in background mode and flags an entry in the ClusterPolicyReport if any Node is reporting one of the affected kernel versions.
-
- Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/
-annotations:
- kyverno/category: "Other in CEL"
- kyverno/kubernetesVersion: "1.26-1.27"
- kyverno/subject: "Node"
-digest: d7eef8bbbe1f7e2a624a93520835944c521838364d020c8b14ecd7c52f1d6107
-createdAt: "2024-03-21T14:21:00Z"
-
diff --git a/other-cel/check-node-for-cve-2022-0185/check-node-for-cve-2022-0185.yaml b/other-cel/check-node-for-cve-2022-0185/check-node-for-cve-2022-0185.yaml
deleted file mode 100644
index 8ab32a1f1..000000000
--- a/other-cel/check-node-for-cve-2022-0185/check-node-for-cve-2022-0185.yaml
+++ /dev/null
@@ -1,37 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
- name: check-kernel
- annotations:
- policies.kyverno.io/title: Check Node for CVE-2022-0185 in CEL expressions
- policies.kyverno.io/category: Other in CEL
- policies.kyverno.io/severity: high
- kyverno.io/kyverno-version: 1.11.0
- policies.kyverno.io/minversion: 1.11.0
- kyverno.io/kubernetes-version: "1.26-1.27"
- policies.kyverno.io/subject: Node
- policies.kyverno.io/description: >-
- Linux CVE-2022-0185 can allow a container escape in Kubernetes if left unpatched.
- The affected Linux kernel versions, at this time, are 5.10.84-1 and 5.15.5-2.
- For more information, refer to https://security-tracker.debian.org/tracker/CVE-2022-0185.
- This policy runs in background mode and flags an entry in the ClusterPolicyReport
- if any Node is reporting one of the affected kernel versions.
-spec:
- validationFailureAction: Audit
- background: true
- rules:
- - name: kernel-validate
- match:
- any:
- - resources:
- kinds:
- - Node
- operations:
- - CREATE
- - UPDATE
- validate:
- cel:
- expressions:
- - expression: "!(object.status.nodeInfo.kernelVersion in ['5.10.84-1', '5.15.5-2'])"
- message: "Kernel is vulnerable to CVE-2022-0185."
-
diff --git a/other-cel/check-serviceaccount-secrets/.chainsaw-test/bad-svc-account.yaml b/other-cel/check-serviceaccount-secrets/.chainsaw-test/bad-svc-account.yaml
deleted file mode 100644
index 2a6640f04..000000000
--- a/other-cel/check-serviceaccount-secrets/.chainsaw-test/bad-svc-account.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: bad-svc-account-02
- namespace: default
-secrets:
- - name: example-automated-thing-token-zyxwv
-
diff --git a/other-cel/check-serviceaccount-secrets/.chainsaw-test/chainsaw-test.yaml b/other-cel/check-serviceaccount-secrets/.chainsaw-test/chainsaw-test.yaml
deleted file mode 100644
index 2313e8dcd..000000000
--- a/other-cel/check-serviceaccount-secrets/.chainsaw-test/chainsaw-test.yaml
+++ /dev/null
@@ -1,33 +0,0 @@
-# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
-apiVersion: chainsaw.kyverno.io/v1alpha1
-kind: Test
-metadata:
- name: check-service-accounts
-spec:
- # disable templating because it can cause issues with CEL expressions
- template: false
- steps:
- - name: step-01
- try:
- - script:
- content: |
- sed 's/validationFailureAction: Audit/validationFailureAction: Enforce/' ../check-serviceaccount-secrets.yaml | kubectl create -f -
- - assert:
- file: policy-ready.yaml
- - name: step-02
- try:
- - apply:
- file: good-svc-account.yaml
- - apply:
- expect:
- - check:
- ($error != null): true
- file: bad-svc-account.yaml
- - name: step-99
- try:
- - delete:
- ref:
- apiVersion: kyverno.io/v1
- kind: ClusterPolicy
- name: check-serviceaccount-secrets
-
diff --git a/other-cel/check-serviceaccount-secrets/.chainsaw-test/good-svc-account.yaml b/other-cel/check-serviceaccount-secrets/.chainsaw-test/good-svc-account.yaml
deleted file mode 100644
index 9aceacc4e..000000000
--- a/other-cel/check-serviceaccount-secrets/.chainsaw-test/good-svc-account.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: good-svc-account
- namespace: default
-
diff --git a/other-cel/check-serviceaccount-secrets/.chainsaw-test/policy-ready.yaml b/other-cel/check-serviceaccount-secrets/.chainsaw-test/policy-ready.yaml
deleted file mode 100644
index 4e8480426..000000000
--- a/other-cel/check-serviceaccount-secrets/.chainsaw-test/policy-ready.yaml
+++ /dev/null
@@ -1,11 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
- name: check-serviceaccount-secrets
-status:
- conditions:
- - reason: Succeeded
- status: "True"
- type: Ready
-
-
diff --git a/other-cel/check-serviceaccount-secrets/.kyverno-test/kyverno-test.yaml b/other-cel/check-serviceaccount-secrets/.kyverno-test/kyverno-test.yaml
deleted file mode 100644
index a3ca211f3..000000000
--- a/other-cel/check-serviceaccount-secrets/.kyverno-test/kyverno-test.yaml
+++ /dev/null
@@ -1,22 +0,0 @@
-apiVersion: cli.kyverno.io/v1alpha1
-kind: Test
-metadata:
- name: svc-name
-policies:
-- ../check-serviceaccount-secrets.yaml
-resources:
-- resource.yaml
-results:
-- kind: ServiceAccount
- policy: check-serviceaccount-secrets
- resources:
- - bad-svc-account
- result: fail
- rule: deny-secrets
-- kind: ServiceAccount
- policy: check-serviceaccount-secrets
- resources:
- - good-svc-account
- result: pass
- rule: deny-secrets
-
diff --git a/other-cel/check-serviceaccount-secrets/.kyverno-test/resource.yaml b/other-cel/check-serviceaccount-secrets/.kyverno-test/resource.yaml
deleted file mode 100644
index e2d53b0dc..000000000
--- a/other-cel/check-serviceaccount-secrets/.kyverno-test/resource.yaml
+++ /dev/null
@@ -1,14 +0,0 @@
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: bad-svc-account
- namespace: default
-secrets:
- - name: build-robot-secret
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: good-svc-account
- namespace: default
-
diff --git a/other-cel/check-serviceaccount-secrets/artifacthub-pkg.yaml b/other-cel/check-serviceaccount-secrets/artifacthub-pkg.yaml
deleted file mode 100644
index b28ff7a4d..000000000
--- a/other-cel/check-serviceaccount-secrets/artifacthub-pkg.yaml
+++ /dev/null
@@ -1,34 +0,0 @@
-name: check-serviceaccount-secrets-cel
-version: 1.0.0
-displayName: Check Existence of Secrets in ServiceAccount in CEL expressions
-description: >-
- Before version 1.24, Kubernetes automatically generated Secret-based tokens
- for ServiceAccounts. To distinguish between automatically generated tokens
- and manually created ones, Kubernetes checks for a reference from the
- ServiceAccount's secrets field. If the Secret is referenced in the secrets
- field, it is considered an auto-generated legacy token. These legacy Tokens can
- be of security concern and should be audited.
-install: |-
- ```shell
- kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other-cel/check-serviceaccount-secrets/check-serviceaccount-secrets.yaml
- ```
-keywords:
- - kyverno
- - Sample
- - CEL Expressions
-readme: |
- Before version 1.24, Kubernetes automatically generated Secret-based tokens
- for ServiceAccounts. To distinguish between automatically generated tokens
- and manually created ones, Kubernetes checks for a reference from the
- ServiceAccount's secrets field. If the Secret is referenced in the secrets
- field, it is considered an auto-generated legacy token. These legacy Tokens can
- be of security concern and should be audited.
-
- Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/
-annotations:
- kyverno/category: "Security in CEL"
- kyverno/kubernetesVersion: "1.26-1.27"
- kyverno/subject: "Secret,ServiceAccount"
-digest: 8f7e2e179c7e7fe85cbc8cf05c0b7111301836260fc95f0c50cc35d1894a37c3
-createdAt: "2024-03-21T13:47:35Z"
-
diff --git a/other-cel/check-serviceaccount-secrets/check-serviceaccount-secrets.yaml b/other-cel/check-serviceaccount-secrets/check-serviceaccount-secrets.yaml
deleted file mode 100644
index 96ef42b02..000000000
--- a/other-cel/check-serviceaccount-secrets/check-serviceaccount-secrets.yaml
+++ /dev/null
@@ -1,37 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
- name: check-serviceaccount-secrets
- annotations:
- policies.kyverno.io/title: Check Long-Lived Secrets in ServiceAccounts in CEL expressions
- policies.kyverno.io/category: Security in CEL
- policies.kyverno.io/severity: medium
- kyverno.io/kyverno-version: 1.11.0
- kyverno.io/kubernetes-version: "1.26-1.27"
- policies.kyverno.io/subject: Secret,ServiceAccount
- policies.kyverno.io/description: >-
- Before version 1.24, Kubernetes automatically generated Secret-based tokens
- for ServiceAccounts. To distinguish between automatically generated tokens
- and manually created ones, Kubernetes checks for a reference from the
- ServiceAccount's secrets field. If the Secret is referenced in the secrets
- field, it is considered an auto-generated legacy token. These legacy Tokens can
- be of security concern and should be audited.
-spec:
- validationFailureAction: Audit
- background: true
- rules:
- - name: deny-secrets
- match:
- any:
- - resources:
- kinds:
- - ServiceAccount
- operations:
- - CREATE
- - UPDATE
- validate:
- cel:
- expressions:
- - expression: "!has(object.secrets)"
- message: "Long-lived API tokens are not allowed."
-
diff --git a/other-cel/deny-commands-in-exec-probe/.chainsaw-test/chainsaw-test.yaml b/other-cel/deny-commands-in-exec-probe/.chainsaw-test/chainsaw-test.yaml
deleted file mode 100755
index 74dd0c4e8..000000000
--- a/other-cel/deny-commands-in-exec-probe/.chainsaw-test/chainsaw-test.yaml
+++ /dev/null
@@ -1,38 +0,0 @@
-# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
-apiVersion: chainsaw.kyverno.io/v1alpha1
-kind: Test
-metadata:
- creationTimestamp: null
- name: deny-commands-in-exec-probe
-spec:
- steps:
- - name: step-01
- try:
- - apply:
- file: ../deny-commands-in-exec-probe.yaml
- - patch:
- resource:
- apiVersion: kyverno.io/v1
- kind: ClusterPolicy
- metadata:
- name: deny-commands-in-exec-probe
- spec:
- validationFailureAction: Enforce
- - assert:
- file: policy-ready.yaml
- - name: step-02
- try:
- - apply:
- file: pods-good.yaml
- - apply:
- expect:
- - check:
- ($error != null): true
- file: pods-bad.yaml
- - apply:
- file: podcontrollers-good.yaml
- - apply:
- expect:
- - check:
- ($error != null): true
- file: podcontrollers-bad.yaml
diff --git a/other-cel/deny-commands-in-exec-probe/.chainsaw-test/podcontrollers-bad.yaml b/other-cel/deny-commands-in-exec-probe/.chainsaw-test/podcontrollers-bad.yaml
deleted file mode 100644
index da23da6e9..000000000
--- a/other-cel/deny-commands-in-exec-probe/.chainsaw-test/podcontrollers-bad.yaml
+++ /dev/null
@@ -1,61 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- labels:
- app: busybox
- name: baddeployment01
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: busybox
- strategy: {}
- template:
- metadata:
- labels:
- app: busybox
- spec:
- containers:
- - image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox
- livenessProbe:
- exec:
- command:
- - ls
- periodSeconds: 10
- - image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox02
- livenessProbe:
- exec:
- command:
- - uptime
- periodSeconds: 10
----
-apiVersion: batch/v1
-kind: CronJob
-metadata:
- name: badcronjob01
-spec:
- schedule: "* * * * *"
- jobTemplate:
- spec:
- template:
- spec:
- containers:
- - image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox
- livenessProbe:
- exec:
- command:
- - echo
- - foo
- periodSeconds: 10
- - image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox02
- livenessProbe:
- exec:
- command:
- - ps
- - aus
- periodSeconds: 10
- restartPolicy: OnFailure
\ No newline at end of file
diff --git a/other-cel/deny-commands-in-exec-probe/.chainsaw-test/podcontrollers-good.yaml b/other-cel/deny-commands-in-exec-probe/.chainsaw-test/podcontrollers-good.yaml
deleted file mode 100644
index ef63becbe..000000000
--- a/other-cel/deny-commands-in-exec-probe/.chainsaw-test/podcontrollers-good.yaml
+++ /dev/null
@@ -1,61 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- labels:
- app: busybox
- name: gooddeployment01
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: busybox
- strategy: {}
- template:
- metadata:
- labels:
- app: busybox
- spec:
- containers:
- - image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox
- livenessProbe:
- exec:
- command:
- - echo
- - meow
- periodSeconds: 10
- - image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox02
- livenessProbe:
- exec:
- command:
- - uptime
- periodSeconds: 10
----
-apiVersion: batch/v1
-kind: CronJob
-metadata:
- name: goodcronjob01
-spec:
- schedule: "* * * * *"
- jobTemplate:
- spec:
- template:
- spec:
- containers:
- - image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox
- livenessProbe:
- exec:
- command:
- - echo
- - meow
- periodSeconds: 10
- - image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox02
- livenessProbe:
- exec:
- command:
- - uptime
- periodSeconds: 10
- restartPolicy: OnFailure
\ No newline at end of file
diff --git a/other-cel/deny-commands-in-exec-probe/.chainsaw-test/pods-bad.yaml b/other-cel/deny-commands-in-exec-probe/.chainsaw-test/pods-bad.yaml
deleted file mode 100644
index 7e212b343..000000000
--- a/other-cel/deny-commands-in-exec-probe/.chainsaw-test/pods-bad.yaml
+++ /dev/null
@@ -1,106 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
- name: badpod01
-spec:
- containers:
- - image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox
- livenessProbe:
- exec:
- command:
- - ls
- periodSeconds: 10
- - image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox02
- livenessProbe:
- exec:
- command:
- - uptime
- periodSeconds: 10
----
-apiVersion: v1
-kind: Pod
-metadata:
- name: badpod02
-spec:
- containers:
- - image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox
- livenessProbe:
- exec:
- command:
- - ps
- - aux
- periodSeconds: 10
----
-apiVersion: v1
-kind: Pod
-metadata:
- name: badpod03
-spec:
- containers:
- - image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox
- - image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox02
- livenessProbe:
- exec:
- command:
- - jcmd
- periodSeconds: 10
----
-apiVersion: v1
-kind: Pod
-metadata:
- name: badpod04
-spec:
- containers:
- - image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox
- - image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox02
- livenessProbe:
- exec:
- command:
- - echo
- - jcmd
- - echo
- - hello
- periodSeconds: 10
----
-apiVersion: v1
-kind: Pod
-metadata:
- name: badpod05
-spec:
- containers:
- - image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox
- - image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox02
- livenessProbe:
- exec:
- command:
- - echo
- - $(jcmd)
- - echo
- periodSeconds: 10
----
-apiVersion: v1
-kind: Pod
-metadata:
- name: badpod06
-spec:
- containers:
- - image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox
- - image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox02
- livenessProbe:
- exec:
- command:
- - "echo bar"
- - "echo ls foo"
- - "echo bar"
- periodSeconds: 10
\ No newline at end of file
diff --git a/other-cel/deny-commands-in-exec-probe/.chainsaw-test/pods-good.yaml b/other-cel/deny-commands-in-exec-probe/.chainsaw-test/pods-good.yaml
deleted file mode 100644
index 73e835829..000000000
--- a/other-cel/deny-commands-in-exec-probe/.chainsaw-test/pods-good.yaml
+++ /dev/null
@@ -1,59 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
- name: goodpod01
-spec:
- containers:
- - image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox
- livenessProbe:
- exec:
- command:
- - echo
- - meow
- periodSeconds: 10
- - image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox02
- livenessProbe:
- exec:
- command:
- - uptime
- periodSeconds: 10
----
-apiVersion: v1
-kind: Pod
-metadata:
- name: goodpod02
-spec:
- containers:
- - image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox
- livenessProbe:
- exec:
- command:
- - uptime
- periodSeconds: 10
----
-apiVersion: v1
-kind: Pod
-metadata:
- name: goodpod03
-spec:
- containers:
- - image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox
- - image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox02
----
-apiVersion: v1
-kind: Pod
-metadata:
- name: goodpod04
-spec:
- containers:
- - image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox
- livenessProbe:
- grpc:
- port: 8888
- periodSeconds: 10
\ No newline at end of file
diff --git a/other-cel/deny-commands-in-exec-probe/.chainsaw-test/policy-ready.yaml b/other-cel/deny-commands-in-exec-probe/.chainsaw-test/policy-ready.yaml
deleted file mode 100755
index d6eca0d4d..000000000
--- a/other-cel/deny-commands-in-exec-probe/.chainsaw-test/policy-ready.yaml
+++ /dev/null
@@ -1,10 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
- name: deny-commands-in-exec-probe
-status:
- conditions:
- - reason: Succeeded
- status: "True"
- type: Ready
-
diff --git a/other-cel/deny-commands-in-exec-probe/.kyverno-test/kyverno-test.yaml b/other-cel/deny-commands-in-exec-probe/.kyverno-test/kyverno-test.yaml
deleted file mode 100644
index 0e9825553..000000000
--- a/other-cel/deny-commands-in-exec-probe/.kyverno-test/kyverno-test.yaml
+++ /dev/null
@@ -1,30 +0,0 @@
-apiVersion: cli.kyverno.io/v1alpha1
-kind: Test
-metadata:
- name: deny-commands-in-exec-probe
-policies:
-- ../deny-commands-in-exec-probe.yaml
-resources:
-- resource.yaml
-results:
-- kind: Pod
- policy: deny-commands-in-exec-probe
- resources:
- - badpod01
- - badpod02
- - badpod03
- result: fail
- rule: check-commands
-- kind: Pod
- policy: deny-commands-in-exec-probe
- resources:
- - goodpod02
- - goodpod03
- result: pass
- rule: check-commands
-- kind: Pod
- policy: deny-commands-in-exec-probe
- resources:
- - goodpod01
- result: skip
- rule: check-commands
diff --git a/other-cel/deny-commands-in-exec-probe/.kyverno-test/resource.yaml b/other-cel/deny-commands-in-exec-probe/.kyverno-test/resource.yaml
deleted file mode 100644
index 2e3810eb6..000000000
--- a/other-cel/deny-commands-in-exec-probe/.kyverno-test/resource.yaml
+++ /dev/null
@@ -1,90 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
- name: badpod01
-spec:
- containers:
- - name: container01
- image: czjunkfoo
- livenessProbe:
- exec:
- command:
- - /bin/sh
- - -c
- - jcmd | grep Main
----
-apiVersion: v1
-kind: Pod
-metadata:
- name: badpod02
-spec:
- containers:
- - name: container01
- image: czjunkfoo
- livenessProbe:
- exec:
- command:
- - /bin/sh
- - -c
- - cat | ls -l
----
-apiVersion: v1
-kind: Pod
-metadata:
- name: badpod03
-spec:
- containers:
- - name: container01
- image: czjunkfoo
- livenessProbe:
- exec:
- command:
- - /bin/sh
- - -c
- - echo ps -aux | grep cala
----
-apiVersion: v1
-kind: Pod
-metadata:
- name: goodpod01
-spec:
- containers:
- - name: container02
- image: czjunkfoo
- - name: container03
- image: czjunkfoo
- livenessProbe:
- httpGet:
- port: 8080
----
-apiVersion: v1
-kind: Pod
-metadata:
- name: goodpod02
-spec:
- containers:
- - name: container04
- image: czjunkfoo
- livenessProbe:
- exec:
- command:
- - /bin/sh
- - -c
- - echo foo
----
-apiVersion: v1
-kind: Pod
-metadata:
- name: goodpod03
-spec:
- containers:
- - name: container04
- image: czjunkfoo
- livenessProbe:
- exec:
- command:
- - /bin/sh
- - -c
- - env
- - name: container05
- image: czjunkfoo
diff --git a/other-cel/deny-commands-in-exec-probe/artifacthub-pkg.yml b/other-cel/deny-commands-in-exec-probe/artifacthub-pkg.yml
deleted file mode 100644
index e84eccb9e..000000000
--- a/other-cel/deny-commands-in-exec-probe/artifacthub-pkg.yml
+++ /dev/null
@@ -1,25 +0,0 @@
-name: deny-commands-in-exec-probe-cel
-version: 1.0.0
-displayName: Deny Commands in Exec Probe in CEL expressions
-description: >-
- Developers may feel compelled to use simple shell commands as a workaround to creating "proper" liveness or readiness probes for a Pod. Such a practice can be discouraged via detection of those commands. This policy prevents the use of certain commands `jcmd`, `ps`, or `ls` if found in a Pod's liveness exec probe.
-
-install: |-
- ```shell
- kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other-cel/deny-commands-in-exec-probe/deny-commands-in-exec-probe.yaml
- ```
-keywords:
- - kyverno
- - Other
- - CEL Expressions
-readme: |
- Developers may feel compelled to use simple shell commands as a workaround to creating "proper" liveness or readiness probes for a Pod. Such a practice can be discouraged via detection of those commands. This policy prevents the use of certain commands `jcmd`, `ps`, or `ls` if found in a Pod's liveness exec probe.
-
- Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/
-annotations:
- kyverno/category: "Other in CEL"
- kyverno/kubernetesVersion: "1.26-1.27"
- kyverno/subject: "Pod"
-digest: b6ed61532ebe13187f90525265d4c4b54875dab4300a54fed6f5cc7e826d470d
-createdAt: "2024-04-25T18:27:10Z"
-
diff --git a/other-cel/deny-commands-in-exec-probe/deny-commands-in-exec-probe.yaml b/other-cel/deny-commands-in-exec-probe/deny-commands-in-exec-probe.yaml
deleted file mode 100644
index 45c6e65a8..000000000
--- a/other-cel/deny-commands-in-exec-probe/deny-commands-in-exec-probe.yaml
+++ /dev/null
@@ -1,42 +0,0 @@ -apiVersion: kyverno.io/v2beta1 -kind: ClusterPolicy -metadata: - name: deny-commands-in-exec-probe - annotations: - policies.kyverno.io/title: Deny Commands in Exec Probe in CEL expressions - policies.kyverno.io/category: Other in CEL - policies.kyverno.io/subject: Pod - kyverno.io/kyverno-version: 1.11.0 - policies.kyverno.io/minversion: 1.11.0 - kyverno.io/kubernetes-version: "1.26-1.27" - policies.kyverno.io/description: >- - Developers may feel compelled to use simple shell commands as a workaround to - creating "proper" liveness or readiness probes for a Pod. Such a practice can be discouraged - via detection of those commands. This policy prevents the use of certain commands - `jcmd`, `ps`, or `ls` if found in a Pod's liveness exec probe. -spec: - validationFailureAction: Audit - background: false - rules: - - name: check-commands - match: - any: - - resources: - kinds: - - Pod - operations: - - CREATE - - UPDATE - celPreconditions: - - name: "check-liveness-probes-commands-exist" - expression: >- - object.spec.containers.exists(container, size(container.?livenessProbe.?exec.?command.orValue([])) > 0) - validate: - cel: - expressions: - - expression: >- - object.spec.containers.all(container, - !container.?livenessProbe.?exec.?command.orValue([]).exists(command, - command.matches('\\bjcmd\\b') || command.matches('\\bps\\b') || command.matches('\\bls\\b'))) - message: Cannot use commands `jcmd`, `ps`, or `ls` in liveness probes. - diff --git a/other-cel/deny-secret-service-account-token-type/.chainsaw-test/bad-secret.yaml b/other-cel/deny-secret-service-account-token-type/.chainsaw-test/bad-secret.yaml deleted file mode 100644 index 041b05a63..000000000 --- a/other-cel/deny-secret-service-account-token-type/.chainsaw-test/bad-secret.yaml +++ /dev/null @@ -1,8 +0,0 @@ -apiVersion: v1 -kind: Secret -metadata: - name: bad-secret - annotations: - kubernetes.io/service-account.name: build-robot -type: kubernetes.io/service-account-token - 
diff --git a/other-cel/deny-secret-service-account-token-type/.chainsaw-test/chainsaw-test.yaml b/other-cel/deny-secret-service-account-token-type/.chainsaw-test/chainsaw-test.yaml deleted file mode 100644 index b6fd9e46a..000000000 --- a/other-cel/deny-secret-service-account-token-type/.chainsaw-test/chainsaw-test.yaml +++ /dev/null @@ -1,34 +0,0 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json -apiVersion: chainsaw.kyverno.io/v1alpha1 -kind: Test -metadata: - creationTimestamp: null - name: deny-secret-service-account-token-type -spec: - # disable templating because it can cause issues with CEL expressions - template: false - steps: - - name: step-01 - try: - - apply: - file: ../deny-secret-service-account-token-type.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: deny-secret-service-account-token-type - spec: - validationFailureAction: Enforce - - assert: - file: policy-ready.yaml - - name: step-02 - try: - - apply: - file: good-secret.yaml - - apply: - expect: - - check: - ($error != null): true - file: bad-secret.yaml - diff --git a/other-cel/deny-secret-service-account-token-type/.chainsaw-test/good-secret.yaml b/other-cel/deny-secret-service-account-token-type/.chainsaw-test/good-secret.yaml deleted file mode 100644 index 03ae03cfe..000000000 --- a/other-cel/deny-secret-service-account-token-type/.chainsaw-test/good-secret.yaml +++ /dev/null @@ -1,9 +0,0 @@ -apiVersion: v1 -kind: Secret -metadata: - name: good-secret -type: kubernetes.io/basic-auth -stringData: - username: admin - password: t0p-Secret - diff --git a/other-cel/deny-secret-service-account-token-type/.chainsaw-test/policy-ready.yaml b/other-cel/deny-secret-service-account-token-type/.chainsaw-test/policy-ready.yaml deleted file mode 100644 index 5501ce375..000000000 
--- a/other-cel/deny-secret-service-account-token-type/.chainsaw-test/policy-ready.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: deny-secret-service-account-token-type -status: - conditions: - - reason: Succeeded - status: "True" - type: Ready - - diff --git a/other-cel/deny-secret-service-account-token-type/.kyverno-test/kyverno-test.yaml b/other-cel/deny-secret-service-account-token-type/.kyverno-test/kyverno-test.yaml deleted file mode 100644 index 5d5cee243..000000000 --- a/other-cel/deny-secret-service-account-token-type/.kyverno-test/kyverno-test.yaml +++ /dev/null @@ -1,22 +0,0 @@ -apiVersion: cli.kyverno.io/v1alpha1 -kind: Test -metadata: - name: deny-secret-service-account-token-type -policies: -- ../deny-secret-service-account-token-type.yaml -resources: -- resource.yaml -results: -- kind: Secret - policy: deny-secret-service-account-token-type - resources: - - bad-secret - result: fail - rule: deny-secret-service-account-token-type -- kind: Secret - policy: deny-secret-service-account-token-type - resources: - - good-secret - result: pass - rule: deny-secret-service-account-token-type - diff --git a/other-cel/deny-secret-service-account-token-type/.kyverno-test/resource.yaml b/other-cel/deny-secret-service-account-token-type/.kyverno-test/resource.yaml deleted file mode 100644 index a3e3b7240..000000000 --- a/other-cel/deny-secret-service-account-token-type/.kyverno-test/resource.yaml +++ /dev/null @@ -1,17 +0,0 @@ -apiVersion: v1 -kind: Secret -metadata: - name: bad-secret - annotations: - kubernetes.io/service-account.name: build-robot -type: kubernetes.io/service-account-token ---- -apiVersion: v1 -kind: Secret -metadata: - name: good-secret -type: kubernetes.io/basic-auth -stringData: - username: admin - password: t0p-Secret - 
diff --git a/other-cel/deny-secret-service-account-token-type/artifacthub-pkg.yaml b/other-cel/deny-secret-service-account-token-type/artifacthub-pkg.yaml deleted file mode 100644 index 66552de5a..000000000 --- a/other-cel/deny-secret-service-account-token-type/artifacthub-pkg.yaml +++ /dev/null @@ -1,32 +0,0 @@ -name: deny-secret-service-account-token-type-cel -version: 1.0.0 -displayName: Deny Secret Service Account Token Type in CEL expressions -description: >- - Before version 1.24, Kubernetes automatically generated Secret-based tokens - for ServiceAccounts. When creating a Secret, you can specify its type using the - type field of the Secret resource . The type kubernetes.io/service-account-token - is used for legacy ServiceAccount tokens . These legacy Tokens can - be of security concern and should be audited. -install: |- - ```shell - kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other-cel/deny-secret-service-account-token-type/deny-secret-service-account-token-type.yaml - ``` -keywords: - - kyverno - - Sample - - CEL Expressions -readme: | - Before version 1.24, Kubernetes automatically generated Secret-based tokens - for ServiceAccounts. When creating a Secret, you can specify its type using the - type field of the Secret resource . The type kubernetes.io/service-account-token - is used for legacy ServiceAccount tokens . These legacy Tokens can - be of security concern and should be audited. - - Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ -annotations: - kyverno/category: "Security in CEL" - kyverno/kubernetesVersion: "1.26-1.27" - kyverno/subject: "Secret, ServiceAccount" -digest: 16324f38031f70d4a971bde9673ca51e70455478b832a005cbb415ee901f5e56 -createdAt: "2024-03-22T07:40:19Z" - 
diff --git a/other-cel/deny-secret-service-account-token-type/deny-secret-service-account-token-type.yaml b/other-cel/deny-secret-service-account-token-type/deny-secret-service-account-token-type.yaml deleted file mode 100644 index 22453f86f..000000000 --- a/other-cel/deny-secret-service-account-token-type/deny-secret-service-account-token-type.yaml +++ /dev/null @@ -1,36 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: deny-secret-service-account-token-type - annotations: - policies.kyverno.io/title: Deny Secret Service Account Token Type in CEL expressions - policies.kyverno.io/category: Security in CEL - kyverno.io/kubernetes-version: "1.26-1.27" - kyverno.io/kyverno-version: 1.11.0 - policies.kyverno.io/severity: medium - policies.kyverno.io/subject: Secret, ServiceAccount - policies.kyverno.io/description: >- - Before version 1.24, Kubernetes automatically generated Secret-based tokens - for ServiceAccounts. When creating a Secret, you can specify its type using the - type field of the Secret resource . The type kubernetes.io/service-account-token - is used for legacy ServiceAccount tokens . These legacy Tokens can - be of security concern and should be audited. -spec: - validationFailureAction: Audit - background: true - rules: - - name: deny-secret-service-account-token-type - match: - any: - - resources: - kinds: - - Secret - operations: - - CREATE - - UPDATE - validate: - cel: - expressions: - - expression: "object.type != 'kubernetes.io/service-account-token'" - message: "Secret ServiceAccount token type is not allowed." - diff --git a/other-cel/disallow-all-secrets/.chainsaw-test/chainsaw-test.yaml b/other-cel/disallow-all-secrets/.chainsaw-test/chainsaw-test.yaml deleted file mode 100755 index 1dba881c9..000000000 --- a/other-cel/disallow-all-secrets/.chainsaw-test/chainsaw-test.yaml +++ /dev/null 
@@ -1,41 +0,0 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json -apiVersion: chainsaw.kyverno.io/v1alpha1 -kind: Test -metadata: - creationTimestamp: null - name: disallow-all-secrets -spec: - # disable templating because it can cause issues with CEL expressions - template: false - steps: - - name: step-01 - try: - - apply: - file: ../disallow-all-secrets.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: no-secrets - spec: - validationFailureAction: Enforce - - assert: - file: policy-ready.yaml - - name: step-02 - try: - - apply: - file: pods-good.yaml - - apply: - expect: - - check: - ($error != null): true - file: pods-bad.yaml - - apply: - file: podcontrollers-good.yaml - - apply: - expect: - - check: - ($error != null): true - file: podcontrollers-bad.yaml - diff --git a/other-cel/disallow-all-secrets/.chainsaw-test/podcontrollers-bad.yaml b/other-cel/disallow-all-secrets/.chainsaw-test/podcontrollers-bad.yaml deleted file mode 100644 index a5e772ea5..000000000 --- a/other-cel/disallow-all-secrets/.chainsaw-test/podcontrollers-bad.yaml +++ /dev/null 
@@ -1,190 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app: busybox - name: baddeployment01 -spec: - replicas: 1 - selector: - matchLabels: - app: busybox - strategy: {} - template: - metadata: - labels: - app: busybox - spec: - initContainers: - - image: ghcr.io/kyverno/test-busybox:1.35 - name: busybox02-init - env: - - name: SECRET_BAD - valueFrom: - secretKeyRef: - name: foo - key: pass - - image: ghcr.io/kyverno/test-busybox:1.35 - name: busybox-init - env: - - name: foo - value: bar - containers: - - image: ghcr.io/kyverno/test-busybox:1.35 - name: busybox - env: - - name: SECRET_BAD - valueFrom: - secretKeyRef: - name: foo - key: pass - - image: ghcr.io/kyverno/test-busybox:1.35 - name: busybox02 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app: busybox - name: baddeployment02 -spec: - replicas: 1 - selector: - matchLabels: - app: busybox - strategy: {} - template: - metadata: - labels: - app: busybox - spec: - initContainers: - - image: ghcr.io/kyverno/test-busybox:1.35 - name: busybox02-init - - image: ghcr.io/kyverno/test-busybox:1.35 - name: busybox-init - envFrom: - - secretRef: - name: foo - containers: - - image: ghcr.io/kyverno/test-busybox:1.35 - name: busybox - envFrom: - - secretRef: - name: foo - - image: ghcr.io/kyverno/test-busybox:1.35 - name: busybox02 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app: busybox - name: baddeployment03 -spec: - replicas: 1 - selector: - matchLabels: - app: busybox - strategy: {} - template: - metadata: - labels: - app: busybox - spec: - containers: - - image: ghcr.io/kyverno/test-busybox:1.35 - name: busybox - - image: ghcr.io/kyverno/test-busybox:1.35 - name: busybox02 - volumes: - - name: foo-vol - secret: - secretName: foo-secret ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob01 -spec: - schedule: "* * * * *" - jobTemplate: - spec: - template: - spec: - initContainers: - - image: ghcr.io/kyverno/test-busybox:1.35 - 
name: busybox02-init - env: - - name: SECRET_BAD - valueFrom: - secretKeyRef: - name: foo - key: pass - - image: ghcr.io/kyverno/test-busybox:1.35 - name: busybox-init - env: - - name: foo - value: bar - containers: - - image: ghcr.io/kyverno/test-busybox:1.35 - name: busybox - env: - - name: SECRET_BAD - valueFrom: - secretKeyRef: - name: foo - key: pass - - image: ghcr.io/kyverno/test-busybox:1.35 - name: busybox02 - restartPolicy: OnFailure ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob02 -spec: - schedule: "* * * * *" - jobTemplate: - spec: - template: - spec: - initContainers: - - image: ghcr.io/kyverno/test-busybox:1.35 - name: busybox02-init - - image: ghcr.io/kyverno/test-busybox:1.35 - name: busybox-init - envFrom: - - secretRef: - name: foo - containers: - - image: ghcr.io/kyverno/test-busybox:1.35 - name: busybox - envFrom: - - secretRef: - name: foo - - image: ghcr.io/kyverno/test-busybox:1.35 - name: busybox02 - restartPolicy: OnFailure ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob03 -spec: - schedule: "* * * * *" - jobTemplate: - spec: - template: - spec: - containers: - - image: ghcr.io/kyverno/test-busybox:1.35 - name: busybox - - image: ghcr.io/kyverno/test-busybox:1.35 - name: busybox02 - volumes: - - name: foo-vol - secret: - secretName: foo-secret - restartPolicy: OnFailure - diff --git a/other-cel/disallow-all-secrets/.chainsaw-test/podcontrollers-good.yaml b/other-cel/disallow-all-secrets/.chainsaw-test/podcontrollers-good.yaml deleted file mode 100644 index cdcb87c24..000000000 --- a/other-cel/disallow-all-secrets/.chainsaw-test/podcontrollers-good.yaml +++ /dev/null 
@@ -1,176 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app: busybox - name: gooddeployment01 -spec: - replicas: 1 - selector: - matchLabels: - app: busybox - strategy: {} - template: - metadata: - labels: - app: busybox - spec: - initContainers: - - image: ghcr.io/kyverno/test-busybox:1.35 - name: busybox02-init - - image: ghcr.io/kyverno/test-busybox:1.35 - name: busybox-init - env: - - name: foo - value: bar - containers: - - image: ghcr.io/kyverno/test-busybox:1.35 - name: busybox - env: - - name: NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - image: ghcr.io/kyverno/test-busybox:1.35 - name: busybox02 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app: busybox - name: gooddeployment02 -spec: - replicas: 1 - selector: - matchLabels: - app: busybox - strategy: {} - template: - metadata: - labels: - app: busybox - spec: - initContainers: - - image: ghcr.io/kyverno/test-busybox:1.35 - name: busybox02-init - - image: ghcr.io/kyverno/test-busybox:1.35 - name: busybox-init - envFrom: - - configMapRef: - name: foo-bar - containers: - - image: ghcr.io/kyverno/test-busybox:1.35 - name: busybox - envFrom: - - configMapRef: - name: foo-bar - - image: ghcr.io/kyverno/test-busybox:1.35 - name: busybox02 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app: busybox - name: gooddeployment03 -spec: - replicas: 1 - selector: - matchLabels: - app: busybox - strategy: {} - template: - metadata: - labels: - app: busybox - spec: - containers: - - image: ghcr.io/kyverno/test-busybox:1.35 - name: busybox - - image: ghcr.io/kyverno/test-busybox:1.35 - name: busybox02 - volumes: - - name: foo-vol - emptyDir: - sizeLimit: 100Mi ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob01 -spec: - schedule: "* * * * *" - jobTemplate: - spec: - template: - spec: - initContainers: - - image: ghcr.io/kyverno/test-busybox:1.35 - name: busybox02-init - - image: ghcr.io/kyverno/test-busybox:1.35 - 
name: busybox-init - env: - - name: foo - value: bar - containers: - - image: ghcr.io/kyverno/test-busybox:1.35 - name: busybox - env: - - name: NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - image: ghcr.io/kyverno/test-busybox:1.35 - name: busybox02 - restartPolicy: OnFailure ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob02 -spec: - schedule: "* * * * *" - jobTemplate: - spec: - template: - spec: - initContainers: - - image: ghcr.io/kyverno/test-busybox:1.35 - name: busybox02-init - - image: ghcr.io/kyverno/test-busybox:1.35 - name: busybox-init - envFrom: - - configMapRef: - name: foo-bar - containers: - - image: ghcr.io/kyverno/test-busybox:1.35 - name: busybox - envFrom: - - configMapRef: - name: foo-bar - - image: ghcr.io/kyverno/test-busybox:1.35 - name: busybox02 - restartPolicy: OnFailure ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob03 -spec: - schedule: "* * * * *" - jobTemplate: - spec: - template: - spec: - containers: - - image: ghcr.io/kyverno/test-busybox:1.35 - name: busybox - - image: ghcr.io/kyverno/test-busybox:1.35 - name: busybox02 - volumes: - - name: foo-vol - emptyDir: - sizeLimit: 100Mi - restartPolicy: OnFailure - diff --git a/other-cel/disallow-all-secrets/.chainsaw-test/pods-bad.yaml b/other-cel/disallow-all-secrets/.chainsaw-test/pods-bad.yaml deleted file mode 100644 index 1fc669eff..000000000 --- a/other-cel/disallow-all-secrets/.chainsaw-test/pods-bad.yaml +++ /dev/null 
@@ -1,97 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: badpod01 -spec: - initContainers: - - image: ghcr.io/kyverno/test-busybox:1.35 - name: busybox02-init - env: - - name: SECRET_BAD - valueFrom: - secretKeyRef: - name: foo - key: pass - - image: ghcr.io/kyverno/test-busybox:1.35 - name: busybox-init - env: - - name: foo - value: bar - containers: - - image: ghcr.io/kyverno/test-busybox:1.35 - name: busybox - env: - - name: SECRET_BAD - valueFrom: - secretKeyRef: - name: foo - key: pass - - image: ghcr.io/kyverno/test-busybox:1.35 - name: busybox02 ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod02 -spec: - initContainers: - - image: ghcr.io/kyverno/test-busybox:1.35 - name: busybox02-init - - image: ghcr.io/kyverno/test-busybox:1.35 - name: busybox-init - envFrom: - - secretRef: - name: foo - containers: - - image: ghcr.io/kyverno/test-busybox:1.35 - name: busybox - envFrom: - - secretRef: - name: foo - - image: ghcr.io/kyverno/test-busybox:1.35 - name: busybox02 ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod03 -spec: - containers: - - image: ghcr.io/kyverno/test-busybox:1.35 - name: busybox - - image: ghcr.io/kyverno/test-busybox:1.35 - name: busybox02 - volumes: - - name: foo-vol - secret: - secretName: foo-secret ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod04 -spec: - initContainers: - - image: ghcr.io/kyverno/test-busybox:1.35 - name: busybox02-init - - image: ghcr.io/kyverno/test-busybox:1.35 - name: busybox-init - env: - - name: SECRET_BAD - valueFrom: - secretKeyRef: - name: foo - key: pass - containers: - - image: ghcr.io/kyverno/test-busybox:1.35 - name: busybox - envFrom: - - secretRef: - name: foo - - image: ghcr.io/kyverno/test-busybox:1.35 - name: busybox02 - volumes: - - name: foo-vol - secret: - secretName: foo-secret - diff --git a/other-cel/disallow-all-secrets/.chainsaw-test/pods-good.yaml b/other-cel/disallow-all-secrets/.chainsaw-test/pods-good.yaml deleted file mode 100644 index 4587d5e66..000000000 
--- a/other-cel/disallow-all-secrets/.chainsaw-test/pods-good.yaml +++ /dev/null @@ -1,72 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: goodpod01 -spec: - initContainers: - - image: ghcr.io/kyverno/test-busybox:1.35 - name: busybox02-init - - image: ghcr.io/kyverno/test-busybox:1.35 - name: busybox-init - env: - - name: foo - value: bar - containers: - - image: ghcr.io/kyverno/test-busybox:1.35 - name: busybox - env: - - name: NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - image: ghcr.io/kyverno/test-busybox:1.35 - name: busybox02 ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod02 -spec: - containers: - - image: ghcr.io/kyverno/test-busybox:1.35 - name: busybox-init - - image: ghcr.io/kyverno/test-busybox:1.35 - name: busybox02-init ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod03 -spec: - initContainers: - - image: ghcr.io/kyverno/test-busybox:1.35 - name: busybox02-init - - image: ghcr.io/kyverno/test-busybox:1.35 - name: busybox-init - envFrom: - - configMapRef: - name: foo-bar - containers: - - image: ghcr.io/kyverno/test-busybox:1.35 - name: busybox - envFrom: - - configMapRef: - name: foo-bar - - image: ghcr.io/kyverno/test-busybox:1.35 - name: busybox02 ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod04 -spec: - containers: - - image: ghcr.io/kyverno/test-busybox:1.35 - name: busybox - - image: ghcr.io/kyverno/test-busybox:1.35 - name: busybox02 - volumes: - - name: foo-vol - emptyDir: - sizeLimit: 100Mi - diff --git a/other-cel/disallow-all-secrets/.chainsaw-test/policy-ready.yaml b/other-cel/disallow-all-secrets/.chainsaw-test/policy-ready.yaml deleted file mode 100755 index f9fb06bf8..000000000 --- a/other-cel/disallow-all-secrets/.chainsaw-test/policy-ready.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: no-secrets -status: - conditions: - - reason: Succeeded - status: "True" - type: Ready - - 
diff --git a/other-cel/disallow-all-secrets/.kyverno-test/kyverno-test.yaml b/other-cel/disallow-all-secrets/.kyverno-test/kyverno-test.yaml deleted file mode 100644 index 92a1574c1..000000000 --- a/other-cel/disallow-all-secrets/.kyverno-test/kyverno-test.yaml +++ /dev/null @@ -1,24 +0,0 @@ -apiVersion: cli.kyverno.io/v1alpha1 -kind: Test -metadata: - name: no-secrets -policies: -- ../disallow-all-secrets.yaml -resources: -- resource.yaml -results: -- kind: Pod - policy: no-secrets - resources: - - default/secret-env-pod - - default/secret-ref-pod - - default/secret-vol-pod - result: fail - rule: secrets-not-from-env-envFrom-and-volumes -- kind: Pod - policy: no-secrets - resources: - - default/good-pod - result: pass - rule: secrets-not-from-env-envFrom-and-volumes - diff --git a/other-cel/disallow-all-secrets/.kyverno-test/resource.yaml b/other-cel/disallow-all-secrets/.kyverno-test/resource.yaml deleted file mode 100644 index 868b535ba..000000000 --- a/other-cel/disallow-all-secrets/.kyverno-test/resource.yaml +++ /dev/null 
@@ -1,62 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: secret-env-pod -spec: - containers: - - name: mycontainer - image: redis - env: - - name: SECRET_USERNAME - valueFrom: - secretKeyRef: - name: mysecret - key: username - - name: SECRET_PASSWORD - valueFrom: - secretKeyRef: - name: mysecret - key: password - restartPolicy: Never - ---- -apiVersion: v1 -kind: Pod -metadata: - name: secret-ref-pod -spec: - containers: - - name: test-container - image: registry.k8s.io/busybox - command: [ "/bin/sh", "-c", "env" ] - envFrom: - - secretRef: - name: mysecret - restartPolicy: Never ---- -apiVersion: v1 -kind: Pod -metadata: - name: secret-vol-pod -spec: - volumes: - - name: secret-volume - secret: - secretName: mysecret - containers: - - name: test-container - image: registry.k8s.io/busybox - volumeMounts: - - name: secret-volume - readOnly: true - mountPath: "/etc/secret-volume" ---- -apiVersion: v1 -kind: Pod -metadata: - name: good-pod -spec: - containers: - - name: test-container - image: registry.k8s.io/busybox - diff --git a/other-cel/disallow-all-secrets/artifacthub-pkg.yml b/other-cel/disallow-all-secrets/artifacthub-pkg.yml deleted file mode 100644 index 02f3f2409..000000000 --- a/other-cel/disallow-all-secrets/artifacthub-pkg.yml +++ /dev/null 
@@ -1,24 +0,0 @@ -name: disallow-all-secrets-cel -version: 1.0.0 -displayName: Disallow all Secrets in CEL expressions -description: >- - Secrets often contain sensitive information which not all Pods need consume. This policy disables the use of all Secrets in a Pod definition. In order to work effectively, this Policy needs a separate Policy or rule to require `automountServiceAccountToken=false` at the Pod level or ServiceAccount level since this would otherwise result in a Secret being mounted. -install: |- - ```shell - kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other-cel/disallow-all-secrets/disallow-all-secrets.yaml - ``` -keywords: - - kyverno - - Other - - CEL Expressions -readme: | - Secrets often contain sensitive information which not all Pods need consume. This policy disables the use of all Secrets in a Pod definition. In order to work effectively, this Policy needs a separate Policy or rule to require `automountServiceAccountToken=false` at the Pod level or ServiceAccount level since this would otherwise result in a Secret being mounted. - - Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ -annotations: - kyverno/category: "Other in CEL" - kyverno/kubernetesVersion: "1.26-1.27" - kyverno/subject: "Pod, Secret" -digest: 31ee726bea089a0ea870feb4859b497d51cd976e316571d4b9af08fe81a74785 -createdAt: "2024-03-23T11:14:09Z" - diff --git a/other-cel/disallow-all-secrets/disallow-all-secrets.yaml b/other-cel/disallow-all-secrets/disallow-all-secrets.yaml deleted file mode 100644 index c8a3888f0..000000000 --- a/other-cel/disallow-all-secrets/disallow-all-secrets.yaml +++ /dev/null 
@@ -1,51 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: no-secrets - annotations: - policies.kyverno.io/title: Disallow all Secrets in CEL expressions - policies.kyverno.io/category: Other in CEL - policies.kyverno.io/severity: medium - policies.kyverno.io/subject: Pod, Secret - kyverno.io/kyverno-version: 1.11.0 - policies.kyverno.io/minversion: 1.11.0 - kyverno.io/kubernetes-version: "1.26-1.27" - policies.kyverno.io/description: >- - Secrets often contain sensitive information which not all Pods need consume. - This policy disables the use of all Secrets in a Pod definition. In order to work effectively, - this Policy needs a separate Policy or rule to require `automountServiceAccountToken=false` - at the Pod level or ServiceAccount level since this would otherwise result in a Secret being mounted. -spec: - validationFailureAction: Audit - rules: - - name: secrets-not-from-env-envFrom-and-volumes - match: - any: - - resources: - kinds: - - Pod - operations: - - CREATE - - UPDATE - validate: - cel: - variables: - - name: allContainers - expression: >- - object.spec.containers + - object.spec.?initContainers.orValue([]) + - object.spec.?ephemeralContainers.orValue([]) - expressions: - - expression: >- - variables.allContainers.all(container, - container.?env.orValue([]).all(env, env.?valueFrom.?secretKeyRef.orValue(true))) - message: "No Secrets from env." - - - expression: >- - variables.allContainers.all(container, - container.?envFrom.orValue([]).all(envFrom, !has(envFrom.secretRef))) - message: "No Secrets from envFrom." - - - expression: "object.spec.?volumes.orValue([]).all(volume, !has(volume.secret))" - message: "No Secrets from volumes." - diff --git a/other-cel/disallow-localhost-services/.chainsaw-test/chainsaw-test.yaml b/other-cel/disallow-localhost-services/.chainsaw-test/chainsaw-test.yaml deleted file mode 100755 index 929abb7c9..000000000 
--- a/other-cel/disallow-localhost-services/.chainsaw-test/chainsaw-test.yaml +++ /dev/null @@ -1,34 +0,0 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json -apiVersion: chainsaw.kyverno.io/v1alpha1 -kind: Test -metadata: - creationTimestamp: null - name: disallow-localhost-services -spec: - # disable templating because it can cause issues with CEL expressions - template: false - steps: - - name: step-01 - try: - - apply: - file: ../disallow-localhost-services.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: no-localhost-service - spec: - validationFailureAction: Enforce - - assert: - file: policy-ready.yaml - - name: step-02 - try: - - apply: - file: svc-good.yaml - - apply: - expect: - - check: - ($error != null): true - file: svc-bad.yaml - diff --git a/other-cel/disallow-localhost-services/.chainsaw-test/policy-ready.yaml b/other-cel/disallow-localhost-services/.chainsaw-test/policy-ready.yaml deleted file mode 100755 index 29d03237f..000000000 --- a/other-cel/disallow-localhost-services/.chainsaw-test/policy-ready.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: no-localhost-service -status: - conditions: - - reason: Succeeded - status: "True" - type: Ready - - diff --git a/other-cel/disallow-localhost-services/.chainsaw-test/svc-bad.yaml b/other-cel/disallow-localhost-services/.chainsaw-test/svc-bad.yaml deleted file mode 100644 index c3e2722a4..000000000 --- a/other-cel/disallow-localhost-services/.chainsaw-test/svc-bad.yaml +++ /dev/null @@ -1,8 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: badsvc01 -spec: - type: ExternalName - externalName: localhost - diff --git a/other-cel/disallow-localhost-services/.chainsaw-test/svc-good.yaml b/other-cel/disallow-localhost-services/.chainsaw-test/svc-good.yaml deleted file mode 100644 index cc1c8774d..000000000 
--- a/other-cel/disallow-localhost-services/.chainsaw-test/svc-good.yaml +++ /dev/null @@ -1,34 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - labels: - app: nginx - name: goodsvc01 -spec: - ports: - - port: 80 - protocol: TCP - targetPort: 80 - selector: - run: nginx - type: ClusterIP ---- -apiVersion: v1 -kind: Service -metadata: - name: goodsvc02 -spec: - type: NodePort - ports: - - port: 80 - targetPort: 80 - nodePort: 30007 ---- -apiVersion: v1 -kind: Service -metadata: - name: goodsvc03 -spec: - type: ExternalName - externalName: foo.bar.com - diff --git a/other-cel/disallow-localhost-services/.kyverno-test/kyverno-test.yaml b/other-cel/disallow-localhost-services/.kyverno-test/kyverno-test.yaml deleted file mode 100644 index 08a0aff38..000000000 --- a/other-cel/disallow-localhost-services/.kyverno-test/kyverno-test.yaml +++ /dev/null @@ -1,22 +0,0 @@ -apiVersion: cli.kyverno.io/v1alpha1 -kind: Test -metadata: - name: no-localhost-service -policies: -- ../disallow-localhost-services.yaml -resources: -- resource.yaml -results: -- kind: Service - policy: no-localhost-service - resources: - - my-service - result: fail - rule: no-localhost-service -- kind: Service - policy: no-localhost-service - resources: - - my-np-service - result: pass - rule: no-localhost-service - diff --git a/other-cel/disallow-localhost-services/.kyverno-test/resource.yaml b/other-cel/disallow-localhost-services/.kyverno-test/resource.yaml deleted file mode 100644 index c7ad17280..000000000 --- a/other-cel/disallow-localhost-services/.kyverno-test/resource.yaml +++ /dev/null @@ -1,21 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: my-service -spec: - type: ExternalName - externalName: localhost ---- -apiVersion: v1 -kind: Service -metadata: - name: my-np-service -spec: - type: NodePort - selector: - app: MyApp - ports: - - port: 80 - targetPort: 80 - protocol: TCP - 
diff --git a/other-cel/disallow-localhost-services/artifacthub-pkg.yml b/other-cel/disallow-localhost-services/artifacthub-pkg.yml deleted file mode 100644 index c4882b0f1..000000000 --- a/other-cel/disallow-localhost-services/artifacthub-pkg.yml +++ /dev/null @@ -1,24 +0,0 @@ -name: disallow-localhost-services-cel -version: 1.0.0 -displayName: Disallow Localhost ExternalName Services in CEL expressions -description: >- - A Service of type ExternalName which points back to localhost can potentially be used to exploit vulnerabilities in some Ingress controllers. This policy audits Services of type ExternalName if the externalName field refers to localhost. -install: |- - ```shell - kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other-cel/disallow-localhost-services/disallow-localhost-services.yaml - ``` -keywords: - - kyverno - - Sample - - CEL Expressions -readme: | - A Service of type ExternalName which points back to localhost can potentially be used to exploit vulnerabilities in some Ingress controllers. This policy audits Services of type ExternalName if the externalName field refers to localhost. - - Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ -annotations: - kyverno/category: "Sample in CEL" - kyverno/kubernetesVersion: "1.26-1.27" - kyverno/subject: "Service" -digest: 6e294a594d7f369411b8857bfe573822e69dfe6b001fded547fb6edb2c4b7b6a -createdAt: "2024-03-23T12:17:54Z" - diff --git a/other-cel/disallow-localhost-services/disallow-localhost-services.yaml b/other-cel/disallow-localhost-services/disallow-localhost-services.yaml deleted file mode 100644 index 247f5d900..000000000 --- a/other-cel/disallow-localhost-services/disallow-localhost-services.yaml +++ /dev/null 
@@ -1,34 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
- name: no-localhost-service
- annotations:
- policies.kyverno.io/title: Disallow Localhost ExternalName Services in CEL expressions
- policies.kyverno.io/category: Sample in CEL
- policies.kyverno.io/severity: medium
- policies.kyverno.io/subject: Service
- policies.kyverno.io/minversion: 1.11.0
- kyverno.io/kubernetes-version: "1.26-1.27"
- policies.kyverno.io/description: >-
- A Service of type ExternalName which points back to localhost can potentially be used to exploit
- vulnerabilities in some Ingress controllers. This policy audits Services of type ExternalName
- if the externalName field refers to localhost.
-spec:
- validationFailureAction: Audit
- background: true
- rules:
- - name: no-localhost-service
- match:
- any:
- - resources:
- kinds:
- - Service
- operations:
- - CREATE
- - UPDATE
- validate:
- cel:
- expressions:
- - expression: "object.spec.type != 'ExternalName' || object.spec.externalName != 'localhost'"
- message: "Service of type ExternalName cannot point to localhost."
-
diff --git a/other-cel/disallow-secrets-from-env-vars/.chainsaw-test/chainsaw-test.yaml b/other-cel/disallow-secrets-from-env-vars/.chainsaw-test/chainsaw-test.yaml
deleted file mode 100755
index 2bf63b63b..000000000
--- a/other-cel/disallow-secrets-from-env-vars/.chainsaw-test/chainsaw-test.yaml
+++ /dev/null
@@ -1,41 +0,0 @@
-# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
-apiVersion: chainsaw.kyverno.io/v1alpha1
-kind: Test
-metadata:
- creationTimestamp: null
- name: disallow-secrets-from-env-vars
-spec:
- # disable templating because it can cause issues with CEL expressions
- template: false
- steps:
- - name: step-01
- try:
- - apply:
- file: ../disallow-secrets-from-env-vars.yaml
- - patch:
- resource:
- apiVersion: kyverno.io/v1
- kind: ClusterPolicy
- metadata:
- name: secrets-not-from-env-vars
- spec:
- validationFailureAction: Enforce
- - assert:
- file: policy-ready.yaml
- - name: step-02
- try:
- - apply:
- file: pods-good.yaml
- - apply:
- expect:
- - check:
- ($error != null): true
- file: pods-bad.yaml
- - apply:
- file: podcontrollers-good.yaml
- - apply:
- expect:
- - check:
- ($error != null): true
- file: podcontrollers-bad.yaml
-
diff --git a/other-cel/disallow-secrets-from-env-vars/.chainsaw-test/podcontrollers-bad.yaml b/other-cel/disallow-secrets-from-env-vars/.chainsaw-test/podcontrollers-bad.yaml
deleted file mode 100644
index 1cb757615..000000000
--- a/other-cel/disallow-secrets-from-env-vars/.chainsaw-test/podcontrollers-bad.yaml
+++ /dev/null
@@ -1,104 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- labels:
- app: busybox
- name: baddeployment01
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: busybox
- strategy: {}
- template:
- metadata:
- labels:
- app: busybox
- spec:
- containers:
- - image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox
- env:
- - name: SECRET_BAD
- valueFrom:
- secretKeyRef:
- name: foo
- key: pass
- - image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox02
- env:
- - name: foo
- value: bar
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- labels:
- app: busybox
- name: baddeployment02
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: busybox
- strategy: {}
- template:
- metadata:
- labels:
- app: busybox
- spec:
- containers:
- - image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox
- envFrom:
- - secretRef:
- name: foo
- - image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox02
----
-apiVersion: batch/v1
-kind: CronJob
-metadata:
- name: badcronjob01
-spec:
- schedule: "* * * * *"
- jobTemplate:
- spec:
- template:
- spec:
- containers:
- - image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox
- env:
- - name: SECRET_BAD
- valueFrom:
- secretKeyRef:
- name: foo
- key: pass
- - image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox02
- env:
- - name: foo
- value: bar
- restartPolicy: OnFailure
----
-apiVersion: batch/v1
-kind: CronJob
-metadata:
- name: badcronjob02
-spec:
- schedule: "* * * * *"
- jobTemplate:
- spec:
- template:
- spec:
- containers:
- - image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox
- envFrom:
- - secretRef:
- name: foo
- - image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox02
- restartPolicy: OnFailure
-
diff --git a/other-cel/disallow-secrets-from-env-vars/.chainsaw-test/podcontrollers-good.yaml b/other-cel/disallow-secrets-from-env-vars/.chainsaw-test/podcontrollers-good.yaml
deleted file mode 100644
index b125b872e..000000000
--- a/other-cel/disallow-secrets-from-env-vars/.chainsaw-test/podcontrollers-good.yaml
+++ /dev/null
@@ -1,96 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- labels:
- app: busybox
- name: gooddeployment01
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: busybox
- strategy: {}
- template:
- metadata:
- labels:
- app: busybox
- spec:
- containers:
- - image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox
- env:
- - name: NODE_NAME
- valueFrom:
- fieldRef:
- fieldPath: spec.nodeName
- - image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox02
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- labels:
- app: busybox
- name: gooddeployment02
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: busybox
- strategy: {}
- template:
- metadata:
- labels:
- app: busybox
- spec:
- containers:
- - image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox
- envFrom:
- - configMapRef:
- name: foo-bar
- - image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox02
----
-apiVersion: batch/v1
-kind: CronJob
-metadata:
- name: goodcronjob01
-spec:
- schedule: "* * * * *"
- jobTemplate:
- spec:
- template:
- spec:
- containers:
- - image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox
- env:
- - name: NODE_NAME
- valueFrom:
- fieldRef:
- fieldPath: spec.nodeName
- - image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox02
- restartPolicy: OnFailure
----
-apiVersion: batch/v1
-kind: CronJob
-metadata:
- name: goodcronjob02
-spec:
- schedule: "* * * * *"
- jobTemplate:
- spec:
- template:
- spec:
- containers:
- - image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox
- envFrom:
- - configMapRef:
- name: foo-bar
- - image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox02
- restartPolicy: OnFailure
-
diff --git a/other-cel/disallow-secrets-from-env-vars/.chainsaw-test/pods-bad.yaml b/other-cel/disallow-secrets-from-env-vars/.chainsaw-test/pods-bad.yaml
deleted file mode 100644
index 0e69e9d95..000000000
--- a/other-cel/disallow-secrets-from-env-vars/.chainsaw-test/pods-bad.yaml
+++ /dev/null
@@ -1,51 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
- name: badpod01
-spec:
- containers:
- - image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox
- env:
- - name: SECRET_BAD
- valueFrom:
- secretKeyRef:
- name: foo
- key: pass
- - image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox02
----
-apiVersion: v1
-kind: Pod
-metadata:
- name: badpod02
-spec:
- containers:
- - image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox
- - image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox02
- envFrom:
- - secretRef:
- name: foo
----
-apiVersion: v1
-kind: Pod
-metadata:
- name: badpod03
-spec:
- containers:
- - image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox
- envFrom:
- - secretRef:
- name: foo
- - image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox02
- env:
- - name: SECRET_BAD
- valueFrom:
- secretKeyRef:
- name: foo
- key: pass
-
diff --git a/other-cel/disallow-secrets-from-env-vars/.chainsaw-test/pods-good.yaml b/other-cel/disallow-secrets-from-env-vars/.chainsaw-test/pods-good.yaml
deleted file mode 100644
index fae78c24e..000000000
--- a/other-cel/disallow-secrets-from-env-vars/.chainsaw-test/pods-good.yaml
+++ /dev/null
@@ -1,41 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
- name: goodpod01
-spec:
- containers:
- - image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox
- env:
- - name: NODE_NAME
- valueFrom:
- fieldRef:
- fieldPath: spec.nodeName
- - image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox02
----
-apiVersion: v1
-kind: Pod
-metadata:
- name: goodpod02
-spec:
- containers:
- - image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox-init
- - image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox02-init
----
-apiVersion: v1
-kind: Pod
-metadata:
- name: goodpod03
-spec:
- containers:
- - image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox
- envFrom:
- - configMapRef:
- name: foo-bar
- - image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox02
-
diff --git a/other-cel/disallow-secrets-from-env-vars/.chainsaw-test/policy-ready.yaml b/other-cel/disallow-secrets-from-env-vars/.chainsaw-test/policy-ready.yaml
deleted file mode 100755
index 63270e950..000000000
--- a/other-cel/disallow-secrets-from-env-vars/.chainsaw-test/policy-ready.yaml
+++ /dev/null
@@ -1,11 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
- name: secrets-not-from-env-vars
-status:
- conditions:
- - reason: Succeeded
- status: "True"
- type: Ready
-
-
diff --git a/other-cel/disallow-secrets-from-env-vars/.kyverno-test/kyverno-test.yaml b/other-cel/disallow-secrets-from-env-vars/.kyverno-test/kyverno-test.yaml
deleted file mode 100644
index b0fb70fb4..000000000
--- a/other-cel/disallow-secrets-from-env-vars/.kyverno-test/kyverno-test.yaml
+++ /dev/null
@@ -1,23 +0,0 @@
-apiVersion: cli.kyverno.io/v1alpha1
-kind: Test
-metadata:
- name: secrets-not-from-env-vars
-policies:
-- ../disallow-secrets-from-env-vars.yaml
-resources:
-- resource.yaml
-results:
-- kind: Pod
- policy: secrets-not-from-env-vars
- resources:
- - default/secret-env-pod
- - default/secret-ref-pod
- result: fail
- rule: secrets-not-from-env-vars
-- kind: Pod
- policy: secrets-not-from-env-vars
- resources:
- - default/good-pod
- result: pass
- rule: secrets-not-from-env-vars
-
diff --git a/other-cel/disallow-secrets-from-env-vars/.kyverno-test/resource.yaml b/other-cel/disallow-secrets-from-env-vars/.kyverno-test/resource.yaml
deleted file mode 100644
index c13f1437a..000000000
--- a/other-cel/disallow-secrets-from-env-vars/.kyverno-test/resource.yaml
+++ /dev/null
@@ -1,57 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
- name: secret-env-pod
-spec:
- containers:
- - name: mycontainer
- image: redis
- env:
- - name: SECRET_USERNAME
- valueFrom:
- secretKeyRef:
- name: mysecret
- key: username
- - name: SECRET_PASSWORD
- valueFrom:
- secretKeyRef:
- name: mysecret
- key: password
- restartPolicy: Never
-
----
-apiVersion: v1
-kind: Pod
-metadata:
- name: secret-ref-pod
-spec:
- containers:
- - name: test-container
- image: registry.k8s.io/busybox
- command: [ "/bin/sh", "-c", "env" ]
- envFrom:
- - secretRef:
- name: mysecret
- restartPolicy: Never
----
-apiVersion: v1
-kind: Pod
-metadata:
- name: good-pod
-spec:
- containers:
- - name: test-container
- image: registry.k8s.io/busybox
- env:
- - name: ENV_VAR_1
- value: "value1"
- - name: ENV_VAR_2
- value: "value2"
- volumeMounts:
- - name: mysecret
- mountPath: /mnt/mysecret
- volumes:
- - name: mysecret
- secret:
- secretName: mysecret
-
diff --git a/other-cel/disallow-secrets-from-env-vars/artifacthub-pkg.yml b/other-cel/disallow-secrets-from-env-vars/artifacthub-pkg.yml
deleted file mode 100644
index dc6ebd868..000000000
--- a/other-cel/disallow-secrets-from-env-vars/artifacthub-pkg.yml
+++ /dev/null
@@ -1,25 +0,0 @@
-name: disallow-secrets-from-env-vars-cel
-version: 1.0.0
-displayName: Disallow Secrets from Env Vars in CEL expressions
-description: >-
- Secrets used as environment variables containing sensitive information may, if not carefully controlled, be printed in log output which could be visible to unauthorized people and captured in forwarding applications. This policy disallows using Secrets as environment variables.
-install: |-
- ```shell
- kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other-cel/disallow-secrets-from-env-vars/disallow-secrets-from-env-vars.yaml
- ```
-keywords:
- - kyverno
- - Sample
- - EKS Best Practices
- - CEL Expressions
-readme: |
- Secrets used as environment variables containing sensitive information may, if not carefully controlled, be printed in log output which could be visible to unauthorized people and captured in forwarding applications. This policy disallows using Secrets as environment variables.
-
- Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/
-annotations:
- kyverno/category: "Sample, EKS Best Practices in CEL"
- kyverno/kubernetesVersion: "1.26-1.27"
- kyverno/subject: "Pod, Secret"
-digest: 06a74b9ecec7d3c4bc3adef91fdb8ba33125f3b81c9432bc819505523de24746
-createdAt: "2024-03-24T16:54:45Z"
-
diff --git a/other-cel/disallow-secrets-from-env-vars/disallow-secrets-from-env-vars.yaml b/other-cel/disallow-secrets-from-env-vars/disallow-secrets-from-env-vars.yaml
deleted file mode 100644
index cd0786c0e..000000000
--- a/other-cel/disallow-secrets-from-env-vars/disallow-secrets-from-env-vars.yaml
+++ /dev/null
@@ -1,36 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
- name: secrets-not-from-env-vars
- annotations:
- policies.kyverno.io/title: Disallow Secrets from Env Vars in CEL expressions
- policies.kyverno.io/category: Sample, EKS Best Practices in CEL
- policies.kyverno.io/severity: medium
- policies.kyverno.io/subject: Pod, Secret
- kyverno.io/kyverno-version: 1.11.0
- kyverno.io/kubernetes-version: "1.26-1.27"
- policies.kyverno.io/description: >-
- Secrets used as environment variables containing sensitive information may, if not carefully controlled,
- be printed in log output which could be visible to unauthorized people and captured in forwarding
- applications. This policy disallows using Secrets as environment variables.
-spec:
- validationFailureAction: Audit
- background: true
- rules:
- - name: secrets-not-from-env-vars
- match:
- any:
- - resources:
- kinds:
- - Pod
- operations:
- - CREATE
- - UPDATE
- validate:
- cel:
- expressions:
- - expression: "object.spec.containers.all(container, container.?env.orValue([]).all(env, env.?valueFrom.?secretKeyRef.orValue(true)))"
- message: "Secrets must be mounted as volumes, not as environment variables."
- - expression: "object.spec.containers.all(container, container.?envFrom.orValue([]).all(envFrom, !has(envFrom.secretRef)))"
- message: "Secrets must not come from envFrom statements."
-
diff --git a/other-cel/docker-socket-requires-label/.chainsaw-test/chainsaw-test.yaml b/other-cel/docker-socket-requires-label/.chainsaw-test/chainsaw-test.yaml
deleted file mode 100755
index 524a22b97..000000000
--- a/other-cel/docker-socket-requires-label/.chainsaw-test/chainsaw-test.yaml
+++ /dev/null
@@ -1,41 +0,0 @@
-# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
-apiVersion: chainsaw.kyverno.io/v1alpha1
-kind: Test
-metadata:
- creationTimestamp: null
- name: docker-socket-requires-label
-spec:
- # disable templating because it can cause issues with CEL expressions
- template: false
- steps:
- - name: step-01
- try:
- - apply:
- file: ../docker-socket-requires-label.yaml
- - patch:
- resource:
- apiVersion: kyverno.io/v1
- kind: ClusterPolicy
- metadata:
- name: docker-socket-check
- spec:
- validationFailureAction: Enforce
- - assert:
- file: policy-ready.yaml
- - name: step-02
- try:
- - apply:
- file: pods-good.yaml
- - apply:
- expect:
- - check:
- ($error != null): true
- file: pods-bad.yaml
- - apply:
- file: podcontrollers-good.yaml
- - apply:
- expect:
- - check:
- ($error != null): true
- file: podcontrollers-bad.yaml
-
diff --git a/other-cel/docker-socket-requires-label/.chainsaw-test/podcontrollers-bad.yaml b/other-cel/docker-socket-requires-label/.chainsaw-test/podcontrollers-bad.yaml
deleted file mode 100644
index 621006ce2..000000000
--- a/other-cel/docker-socket-requires-label/.chainsaw-test/podcontrollers-bad.yaml
+++ /dev/null
@@ -1,96 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- labels:
- app: busybox
- name: baddeployment01
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: busybox
- strategy: {}
- template:
- metadata:
- labels:
- allow-docker: "false"
- app: busybox
- spec:
- containers:
- - image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox
- volumes:
- - name: docker-vol
- hostPath:
- path: "/var/run/docker.sock"
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- labels:
- app: busybox
- name: baddeployment02
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: busybox
- strategy: {}
- template:
- metadata:
- labels:
- app: busybox
- spec:
- containers:
- - image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox
- volumes:
- - name: docker-vol
- hostPath:
- path: "/var/run/docker.sock"
----
-apiVersion: batch/v1
-kind: CronJob
-metadata:
- name: badcronjob01
-spec:
- schedule: "* * * * *"
- jobTemplate:
- spec:
- template:
- metadata:
- labels:
- allow-docker: "false"
- app: busybox
- spec:
- containers:
- - image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox
- volumes:
- - name: docker-vol
- hostPath:
- path: "/var/run/docker.sock"
- restartPolicy: OnFailure
----
-apiVersion: batch/v1
-kind: CronJob
-metadata:
- name: badcronjob02
-spec:
- schedule: "* * * * *"
- jobTemplate:
- spec:
- template:
- metadata:
- labels:
- app: busybox
- spec:
- containers:
- - image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox
- volumes:
- - name: docker-vol
- hostPath:
- path: "/var/run/docker.sock"
- restartPolicy: OnFailure
-
diff --git a/other-cel/docker-socket-requires-label/.chainsaw-test/podcontrollers-good.yaml b/other-cel/docker-socket-requires-label/.chainsaw-test/podcontrollers-good.yaml
deleted file mode 100644
index e6ec259aa..000000000
--- a/other-cel/docker-socket-requires-label/.chainsaw-test/podcontrollers-good.yaml
+++ /dev/null
@@ -1,98 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- labels:
- app: busybox
- name: gooddeployment01
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: busybox
- strategy: {}
- template:
- metadata:
- labels:
- allow-docker: "true"
- app: busybox
- spec:
- containers:
- - image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox
- volumes:
- - name: docker-vol
- hostPath:
- path: "/var/run/docker.sock"
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- labels:
- app: busybox
- name: gooddeployment02
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: busybox
- strategy: {}
- template:
- metadata:
- labels:
- allow-docker: "false"
- app: busybox
- spec:
- containers:
- - image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox
- volumes:
- - name: foo-vol
- hostPath:
- path: "/var/foo/bar"
----
-apiVersion: batch/v1
-kind: CronJob
-metadata:
- name: goodcronjob01
-spec:
- schedule: "* * * * *"
- jobTemplate:
- spec:
- template:
- metadata:
- labels:
- allow-docker: "true"
- app: busybox
- spec:
- containers:
- - image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox
- volumes:
- - name: docker-vol
- hostPath:
- path: "/var/run/docker.sock"
- restartPolicy: OnFailure
----
-apiVersion: batch/v1
-kind: CronJob
-metadata:
- name: goodcronjob02
-spec:
- schedule: "* * * * *"
- jobTemplate:
- spec:
- template:
- metadata:
- labels:
- allow-docker: "false"
- app: busybox
- spec:
- containers:
- - image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox
- volumes:
- - name: foo-vol
- hostPath:
- path: "/var/foo/bar"
- restartPolicy: OnFailure
-
diff --git a/other-cel/docker-socket-requires-label/.chainsaw-test/pods-bad.yaml b/other-cel/docker-socket-requires-label/.chainsaw-test/pods-bad.yaml
deleted file mode 100644
index 9188bb978..000000000
--- a/other-cel/docker-socket-requires-label/.chainsaw-test/pods-bad.yaml
+++ /dev/null
@@ -1,32 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
- name: badpod01
-spec:
- containers:
- - image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox
- volumes:
- - name: docker-vol
- hostPath:
- path: "/var/run/docker.sock"
----
-apiVersion: v1
-kind: Pod
-metadata:
- labels:
- foo: bar
- allow-docker: "false"
- name: badpod02
-spec:
- containers:
- - image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox
- volumes:
- - name: foo-vol
- hostPath:
- path: "/var/foo/bar"
- - name: docker-vol
- hostPath:
- path: "/var/run/docker.sock"
-
diff --git a/other-cel/docker-socket-requires-label/.chainsaw-test/pods-good.yaml b/other-cel/docker-socket-requires-label/.chainsaw-test/pods-good.yaml
deleted file mode 100644
index 29d235285..000000000
--- a/other-cel/docker-socket-requires-label/.chainsaw-test/pods-good.yaml
+++ /dev/null
@@ -1,56 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
- name: goodpod01
-spec:
- containers:
- - image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox
----
-apiVersion: v1
-kind: Pod
-metadata:
- labels:
- foo: bar
- allow-docker: "true"
- name: goodpod02
-spec:
- containers:
- - image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox
----
-apiVersion: v1
-kind: Pod
-metadata:
- labels:
- foo: bar
- allow-docker: "false"
- name: goodpod03
-spec:
- containers:
- - image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox
- volumes:
- - name: foo-vol
- hostPath:
- path: "/var/foo/bar"
----
-apiVersion: v1
-kind: Pod
-metadata:
- labels:
- foo: bar
- allow-docker: "true"
- name: goodpod04
-spec:
- containers:
- - image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox
- volumes:
- - name: foo-vol
- hostPath:
- path: "/var/foo/bar"
- - name: docker-vol
- hostPath:
- path: "/var/run/docker.sock"
-
diff --git a/other-cel/docker-socket-requires-label/.chainsaw-test/policy-ready.yaml b/other-cel/docker-socket-requires-label/.chainsaw-test/policy-ready.yaml
deleted file mode 100755
index acaba3125..000000000
--- a/other-cel/docker-socket-requires-label/.chainsaw-test/policy-ready.yaml
+++ /dev/null
@@ -1,11 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
- name: docker-socket-check
-status:
- conditions:
- - reason: Succeeded
- status: "True"
- type: Ready
-
-
diff --git a/other-cel/docker-socket-requires-label/.kyverno-test/kyverno-test.yaml b/other-cel/docker-socket-requires-label/.kyverno-test/kyverno-test.yaml
deleted file mode 100644
index bdcc535a5..000000000
--- a/other-cel/docker-socket-requires-label/.kyverno-test/kyverno-test.yaml
+++ /dev/null
@@ -1,25 +0,0 @@
-apiVersion: cli.kyverno.io/v1alpha1
-kind: Test
-metadata:
- name: docker-socket-check
-policies:
-- ../docker-socket-requires-label.yaml
-resources:
-- resource.yaml
-results:
-- kind: Pod
- policy: docker-socket-check
- resources:
- - nginx-bad-1
- - nginx-bad-2
- result: fail
- rule: docker-socket-check
-- kind: Pod
- policy: docker-socket-check
- resources:
- - nginx-allow-1
- - nginx-allow-2
- - nginx-allow-3
- result: pass
- rule: docker-socket-check
-
diff --git a/other-cel/docker-socket-requires-label/.kyverno-test/resource.yaml b/other-cel/docker-socket-requires-label/.kyverno-test/resource.yaml
deleted file mode 100644
index cdd3bc0ec..000000000
--- a/other-cel/docker-socket-requires-label/.kyverno-test/resource.yaml
+++ /dev/null
@@ -1,74 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
- labels:
- run: nginx
- name: nginx-allow-1
-spec:
- containers:
- - image: nothinghere
- name: nginx
----
-apiVersion: v1
-kind: Pod
-metadata:
- labels:
- allow-docker: "true"
- run: nginx
- name: nginx-allow-2
-spec:
- containers:
- - image: nothinghere
- name: nginx
- volumes:
- - hostPath:
- path: /var/run/docker.sock
- name: test
----
-apiVersion: v1
-kind: Pod
-metadata:
- labels:
- allow-docker: "false"
- run: nginx
- name: nginx-allow-3
-spec:
- containers:
- - image: nothinghere
- name: nginx
- volumes:
- - hostPath:
- path: /random/value
- name: test
----
-apiVersion: v1
-kind: Pod
-metadata:
- labels:
- allow-docker: "false"
- run: nginx
- name: nginx-bad-1
-spec:
- containers:
- - image: nothinghere
- name: nginx
- volumes:
- - hostPath:
- path: /var/run/docker.sock
- name: test
----
-apiVersion: v1
-kind: Pod
-metadata:
- labels:
- run: nginx
- name: nginx-bad-2
-spec:
- containers:
- - image: nothinghere
- name: nginx
- volumes:
- - hostPath:
- path: /var/run/docker.sock
- name: test
-
diff --git a/other-cel/docker-socket-requires-label/artifacthub-pkg.yml b/other-cel/docker-socket-requires-label/artifacthub-pkg.yml
deleted file mode 100644
index 264884a07..000000000
--- a/other-cel/docker-socket-requires-label/artifacthub-pkg.yml
+++ /dev/null
@@ -1,24 +0,0 @@
-name: docker-socket-requires-label-cel
-version: 1.0.0
-displayName: Docker Socket Requires Label in CEL expressions
-description: >-
- Accessing a container engine's socket is for highly specialized use cases and should generally be disabled. If access must be granted, it should be done on an explicit basis. This policy requires that, for any Pod mounting the Docker socket, it must have the label `allow-docker` set to `true`.
-install: |-
- ```shell
- kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other-cel/docker-socket-requires-label/docker-socket-requires-label.yaml
- ```
-keywords:
- - kyverno
- - Other
- - CEL Expressions
-readme: |
- Accessing a container engine's socket is for highly specialized use cases and should generally be disabled. If access must be granted, it should be done on an explicit basis. This policy requires that, for any Pod mounting the Docker socket, it must have the label `allow-docker` set to `true`.
-
- Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/
-annotations:
- kyverno/category: "Other in CEL"
- kyverno/kubernetesVersion: "1.26-1.27"
- kyverno/subject: "Pod"
-digest: 6a042d293db3309de274b97414451ed620b19a9972d8a53b001f34b4daa67dff
-createdAt: "2024-03-27T12:13:52Z"
-
diff --git a/other-cel/docker-socket-requires-label/docker-socket-requires-label.yaml b/other-cel/docker-socket-requires-label/docker-socket-requires-label.yaml
deleted file mode 100644
index 6fb291390..000000000
--- a/other-cel/docker-socket-requires-label/docker-socket-requires-label.yaml
+++ /dev/null
@@ -1,40 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
- name: docker-socket-check
- annotations:
- policies.kyverno.io/title: Docker Socket Requires Label in CEL expressions
- policies.kyverno.io/category: Other in CEL
- policies.kyverno.io/severity: medium
- kyverno.io/kyverno-version: 1.11.0
- kyverno.io/kubernetes-version: "1.26-1.27"
- policies.kyverno.io/subject: Pod
- policies.kyverno.io/description: >-
- Accessing a container engine's socket is for highly specialized use cases and should generally
- be disabled. If access must be granted, it should be done on an explicit basis. This policy
- requires that, for any Pod mounting the Docker socket, it must have the label `allow-docker` set
- to `true`.
-spec:
- validationFailureAction: Audit
- background: true
- rules:
- - name: docker-socket-check
- match:
- any:
- - resources:
- kinds:
- - Pod
- operations:
- - CREATE
- - UPDATE
- validate:
- cel:
- variables:
- - name: hasDockerSocket
- expression: "object.spec.?volumes.orValue([]).exists(volume, volume.?hostPath.?path.orValue('') == '/var/run/docker.sock')"
- - name: isAllowDockerLabelTrue
- expression: "object.metadata.?labels[?'allow-docker'].orValue('false') == 'true'"
- expressions:
- - expression: "!variables.hasDockerSocket || variables.isAllowDockerLabelTrue"
- message: "If a hostPath volume exists and is set to `/var/run/docker.sock`, the label `allow-docker` must equal `true`."
-
diff --git a/other-cel/enforce-pod-duration/.chainsaw-test/chainsaw-test.yaml b/other-cel/enforce-pod-duration/.chainsaw-test/chainsaw-test.yaml
deleted file mode 100755
index 8ea615288..000000000
--- a/other-cel/enforce-pod-duration/.chainsaw-test/chainsaw-test.yaml
+++ /dev/null
@@ -1,41 +0,0 @@
-# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
-apiVersion: chainsaw.kyverno.io/v1alpha1
-kind: Test
-metadata:
- creationTimestamp: null
- name: enforce-pod-duration
-spec:
- # disable templating because it can cause issues with CEL expressions
- template: false
- steps:
- - name: step-01
- try:
- - apply:
- file: ../enforce-pod-duration.yaml
- - patch:
- resource:
- apiVersion: kyverno.io/v1
- kind: ClusterPolicy
- metadata:
- name: pod-lifetime
- spec:
- validationFailureAction: Enforce
- - assert:
- file: policy-ready.yaml
- - name: step-02
- try:
- - apply:
- file: pods-good.yaml
- - apply:
- expect:
- - check:
- ($error != null): true
- file: pods-bad.yaml
- - apply:
- file: podcontrollers-good.yaml
- - apply:
- expect:
- - check:
- ($error != null): true
- file: podcontrollers-bad.yaml
-
diff --git a/other-cel/enforce-pod-duration/.chainsaw-test/podcontrollers-bad.yaml b/other-cel/enforce-pod-duration/.chainsaw-test/podcontrollers-bad.yaml
deleted file mode 100644
index 8d543bd44..000000000
--- a/other-cel/enforce-pod-duration/.chainsaw-test/podcontrollers-bad.yaml
+++ /dev/null
@@ -1,43 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- labels:
- app: busybox
- name: baddeployment01
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: busybox
- strategy: {}
- template:
- metadata:
- annotations:
- pod.kubernetes.io/lifetime: "8h5m"
- labels:
- app: busybox
- spec:
- containers:
- - image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox
----
-apiVersion: batch/v1
-kind: CronJob
-metadata:
- name: badcronjob01
-spec:
- schedule: "* * * * *"
- jobTemplate:
- spec:
- template:
- metadata:
- annotations:
- pod.kubernetes.io/lifetime: "8h5m"
- labels:
- app: busybox
- spec:
- containers:
- - image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox
- restartPolicy: OnFailure
-
diff --git a/other-cel/enforce-pod-duration/.chainsaw-test/podcontrollers-good.yaml b/other-cel/enforce-pod-duration/.chainsaw-test/podcontrollers-good.yaml
deleted file mode 100644
index 296a10557..000000000
--- a/other-cel/enforce-pod-duration/.chainsaw-test/podcontrollers-good.yaml
+++ /dev/null
@@ -1,82 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- labels:
- app: busybox
- name: gooddeployment01
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: busybox
- strategy: {}
- template:
- metadata:
- labels:
- app: busybox
- spec:
- containers:
- - image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- labels:
- app: busybox
- name: gooddeployment02
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: busybox
- strategy: {}
- template:
- metadata:
- annotations:
- pod.kubernetes.io/lifetime: "8h"
- labels:
- app: busybox
- spec:
- containers:
- - image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox
----
-apiVersion: batch/v1
-kind: CronJob
-metadata:
- name: goodcronjob01
-spec:
- schedule: "* * * * *"
- jobTemplate:
- spec:
- template:
- metadata:
- labels:
- app: busybox
- spec:
- containers:
- - image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox
- restartPolicy: OnFailure
----
-apiVersion: batch/v1
-kind: CronJob
-metadata:
- name: goodcronjob02
-spec:
- schedule: "* * * * *"
- jobTemplate:
- spec:
- template:
- metadata:
- annotations:
- pod.kubernetes.io/lifetime: "5m"
- labels:
- app: busybox
- spec:
- containers:
- - image: ghcr.io/kyverno/test-busybox:1.35
- name: busybox
- restartPolicy: OnFailure
-
diff --git a/other-cel/enforce-pod-duration/.chainsaw-test/pods-bad.yaml b/other-cel/enforce-pod-duration/.chainsaw-test/pods-bad.yaml
deleted file mode 100644
index 57a16654b..000000000
--- a/other-cel/enforce-pod-duration/.chainsaw-test/pods-bad.yaml
+++ /dev/null
@@ -1,24 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - annotations: - foo: bar - pod.kubernetes.io/lifetime: "8h1m" - name: badpod01 -spec: - containers: - - image: ghcr.io/kyverno/test-busybox:1.35 - name: busybox ---- -apiVersion: v1 -kind: Pod -metadata: - annotations: - pod.kubernetes.io/lifetime: "24h" - foo: bar - name: badpod02 -spec: - containers: - - image: ghcr.io/kyverno/test-busybox:1.35 - name: busybox - diff --git a/other-cel/enforce-pod-duration/.chainsaw-test/pods-good.yaml b/other-cel/enforce-pod-duration/.chainsaw-test/pods-good.yaml deleted file mode 100644 index d9dd8c07b..000000000 --- a/other-cel/enforce-pod-duration/.chainsaw-test/pods-good.yaml +++ /dev/null @@ -1,44 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: goodpod01 -spec: - containers: - - image: ghcr.io/kyverno/test-busybox:1.35 - name: busybox ---- -apiVersion: v1 -kind: Pod -metadata: - annotations: - foo: bar - name: goodpod02 -spec: - containers: - - image: ghcr.io/kyverno/test-busybox:1.35 - name: busybox ---- -apiVersion: v1 -kind: Pod -metadata: - annotations: - foo: bar - pod.kubernetes.io/lifetime: "5m" - name: goodpod03 -spec: - containers: - - image: ghcr.io/kyverno/test-busybox:1.35 - name: busybox ---- -apiVersion: v1 -kind: Pod -metadata: - annotations: - pod.kubernetes.io/lifetime: "8h" - foo: bar - name: goodpod04 -spec: - containers: - - image: ghcr.io/kyverno/test-busybox:1.35 - name: busybox - diff --git a/other-cel/enforce-pod-duration/.chainsaw-test/policy-ready.yaml b/other-cel/enforce-pod-duration/.chainsaw-test/policy-ready.yaml deleted file mode 100755 index ccfce366c..000000000 --- a/other-cel/enforce-pod-duration/.chainsaw-test/policy-ready.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: pod-lifetime -status: - conditions: - - reason: Succeeded - status: "True" - type: Ready - - 
diff --git a/other-cel/enforce-pod-duration/.kyverno-test/kyverno-test.yaml b/other-cel/enforce-pod-duration/.kyverno-test/kyverno-test.yaml deleted file mode 100644 index da3c01fd4..000000000 --- a/other-cel/enforce-pod-duration/.kyverno-test/kyverno-test.yaml +++ /dev/null @@ -1,22 +0,0 @@ -apiVersion: cli.kyverno.io/v1alpha1 -kind: Test -metadata: - name: pod-lifetime -policies: -- ../enforce-pod-duration.yaml -resources: -- resources.yaml -results: -- kind: Pod - policy: pod-lifetime - resources: - - test-lifetime-fail - result: fail - rule: pods-lifetime -- kind: Pod - policy: pod-lifetime - resources: - - test-lifetime-pass - result: pass - rule: pods-lifetime - diff --git a/other-cel/enforce-pod-duration/.kyverno-test/resources.yaml b/other-cel/enforce-pod-duration/.kyverno-test/resources.yaml deleted file mode 100644 index b40ef2969..000000000 --- a/other-cel/enforce-pod-duration/.kyverno-test/resources.yaml +++ /dev/null @@ -1,24 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: test-lifetime-pass - namespace: test - annotations: - pod.kubernetes.io/lifetime: 4h -spec: - containers: - - name: nginx - image: nginx:1.12 ---- -apiVersion: v1 -kind: Pod -metadata: - name: test-lifetime-fail - namespace: test - annotations: - pod.kubernetes.io/lifetime: 24h -spec: - containers: - - name: nginx - image: nginx:1.12 - diff --git a/other-cel/enforce-pod-duration/artifacthub-pkg.yml b/other-cel/enforce-pod-duration/artifacthub-pkg.yml deleted file mode 100644 index e54931b4f..000000000 --- a/other-cel/enforce-pod-duration/artifacthub-pkg.yml +++ /dev/null 
@@ -1,24 +0,0 @@ -name: enforce-pod-duration-cel -version: 1.0.0 -displayName: Enforce pod duration in CEL expressions -description: >- - This validation is valuable when annotations are used to define durations, such as to ensure a Pod lifetime annotation does not exceed some site specific max threshold. Pod lifetime annotation can be no greater than 8 hours. -install: |- - ```shell - kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other-cel/enforce-pod-duration/enforce-pod-duration.yaml - ``` -keywords: - - kyverno - - Sample - - CEL Expressions -readme: | - This validation is valuable when annotations are used to define durations, such as to ensure a Pod lifetime annotation does not exceed some site specific max threshold. Pod lifetime annotation can be no greater than 8 hours. - - Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ -annotations: - kyverno/category: "Sample in CEL" - kyverno/kubernetesVersion: "1.26-1.27" - kyverno/subject: "Pod" -digest: 9cdc75a57a1cf01caa6895123ccfd94ad42ffb7deb46614d6ee55a35a8c4d519 -createdAt: "2024-03-30T18:18:11Z" - diff --git a/other-cel/enforce-pod-duration/enforce-pod-duration.yaml b/other-cel/enforce-pod-duration/enforce-pod-duration.yaml deleted file mode 100644 index 66321c5fa..000000000 --- a/other-cel/enforce-pod-duration/enforce-pod-duration.yaml +++ /dev/null 
@@ -1,38 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: pod-lifetime - annotations: - policies.kyverno.io/title: Enforce pod duration in CEL expressions - policies.kyverno.io/category: Sample in CEL - policies.kyverno.io/minversion: 1.11.0 - kyverno.io/kubernetes-version: "1.26-1.27" - policies.kyverno.io/subject: Pod - policies.kyverno.io/description: >- - This validation is valuable when annotations are used to define durations, - such as to ensure a Pod lifetime annotation does not exceed some site specific max threshold. - Pod lifetime annotation can be no greater than 8 hours. -spec: - validationFailureAction: Audit - background: true - rules: - - name: pods-lifetime - match: - any: - - resources: - kinds: - - Pod - operations: - - CREATE - - UPDATE - validate: - cel: - variables: - - name: hasLifetimeAnnotation - expression: "object.metadata.?annotations[?'pod.kubernetes.io/lifetime'].hasValue()" - - name: lifetimeAnnotationValue - expression: "variables.hasLifetimeAnnotation ? object.metadata.annotations['pod.kubernetes.io/lifetime'] : '0s'" - expressions: - - expression: "!(duration(variables.lifetimeAnnotationValue) > duration('8h'))" - message: "Pod lifetime exceeds limit of 8h" - diff --git a/other-cel/enforce-readwriteonce-pod/.kyverno-test/kyverno-test.yaml b/other-cel/enforce-readwriteonce-pod/.kyverno-test/kyverno-test.yaml deleted file mode 100644 index 31c6b838a..000000000 --- a/other-cel/enforce-readwriteonce-pod/.kyverno-test/kyverno-test.yaml +++ /dev/null @@ -1,22 +0,0 @@ -apiVersion: cli.kyverno.io/v1alpha1 -kind: Test -metadata: - name: enforce-readwriteonce-pod -policies: -- ../enforce-readwriteonce-pod.yaml -resources: -- resource.yaml -results: -- kind: PersistentVolumeClaim - policy: readwriteonce-pod - resources: - - badpvc - result: fail - rule: readwrite-pvc-single-pod -- kind: PersistentVolumeClaim - policy: readwriteonce-pod - resources: - - goodpvc - result: pass - rule: readwrite-pvc-single-pod - 
diff --git a/other-cel/enforce-readwriteonce-pod/.kyverno-test/resource.yaml b/other-cel/enforce-readwriteonce-pod/.kyverno-test/resource.yaml deleted file mode 100644 index df1206b98..000000000 --- a/other-cel/enforce-readwriteonce-pod/.kyverno-test/resource.yaml +++ /dev/null @@ -1,22 +0,0 @@ -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: badpvc -spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 1Gi ---- -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: goodpvc -spec: - accessModes: - - ReadWriteOncePod - resources: - requests: - storage: 1Gi - diff --git a/other-cel/enforce-readwriteonce-pod/artifacthub-pkg.yml b/other-cel/enforce-readwriteonce-pod/artifacthub-pkg.yml deleted file mode 100644 index 91e0e8cec..000000000 --- a/other-cel/enforce-readwriteonce-pod/artifacthub-pkg.yml +++ /dev/null 
@@ -1,34 +0,0 @@ -name: enforce-readwriteonce-pod-cel -version: 1.0.0 -displayName: Enforce readwriteoncepod in CEL expressions -description: >- - Some stateful workloads with multiple replicas only allow a single Pod to write - to a given volume at a time. Beginning in Kubernetes 1.22 and enabled by default - in 1.27, a new setting called ReadWriteOncePod, available - for CSI volumes only, allows volumes to be writable from only a single Pod. For more - information see the blog https://kubernetes.io/blog/2023/04/20/read-write-once-pod-access-mode-beta/. - This policy enforces that the accessModes for a PersistentVolumeClaim be set to ReadWriteOncePod. -install: |- - ```shell - kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other-cel/enforce-readwriteonce-pod/enforce-readwriteonce-pod.yaml - ``` -keywords: - - kyverno - - Sample - - CEL Expressions -readme: | - Some stateful workloads with multiple replicas only allow a single Pod to write - to a given volume at a time. Beginning in Kubernetes 1.22 and enabled by default - in 1.27, a new setting called ReadWriteOncePod, available - for CSI volumes only, allows volumes to be writable from only a single Pod. For more - information see the blog https://kubernetes.io/blog/2023/04/20/read-write-once-pod-access-mode-beta/. - This policy enforces that the accessModes for a PersistentVolumeClaim be set to ReadWriteOncePod. - - Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ -annotations: - kyverno/category: "Sample in CEL" - kyverno/kubernetesVersion: "1.26-1.27" - kyverno/subject: "PersistentVolumeClaims" -digest: c3595da6ec53e127aca4f08c38095764d652aa268ebfde21d3445545c75e1615 -createdAt: "2024-03-31T10:53:27Z" - diff --git a/other-cel/enforce-readwriteonce-pod/enforce-readwriteonce-pod.yaml b/other-cel/enforce-readwriteonce-pod/enforce-readwriteonce-pod.yaml deleted file mode 100644 index ee0636ace..000000000 
--- a/other-cel/enforce-readwriteonce-pod/enforce-readwriteonce-pod.yaml +++ /dev/null @@ -1,36 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: readwriteonce-pod - annotations: - policies.kyverno.io/title: Enforce ReadWriteOncePod in CEL expressions - policies.kyverno.io/category: Sample in CEL - policies.kyverno.io/subject: PersistentVolumeClaim - policies.kyverno.io/minversion: 1.11.0 - kyverno.io/kubernetes-version: "1.27-1.28" - policies.kyverno.io/description: >- - Some stateful workloads with multiple replicas only allow a single Pod to write - to a given volume at a time. Beginning in Kubernetes 1.22 and enabled by default - in 1.27, a new setting called ReadWriteOncePod, available - for CSI volumes only, allows volumes to be writable from only a single Pod. For more - information see the blog https://kubernetes.io/blog/2023/04/20/read-write-once-pod-access-mode-beta/. - This policy enforces that the accessModes for a PersistentVolumeClaim be set to ReadWriteOncePod. -spec: - validationFailureAction: Audit - background: true - rules: - - name: readwrite-pvc-single-pod - match: - any: - - resources: - kinds: - - PersistentVolumeClaim - operations: - - CREATE - - UPDATE - validate: - cel: - expressions: - - expression: "'ReadWriteOncePod' in object.spec.accessModes" - message: "The accessMode must be set to ReadWriteOncePod." - diff --git a/other-cel/ensure-probes-different/.chainsaw-test/chainsaw-test.yaml b/other-cel/ensure-probes-different/.chainsaw-test/chainsaw-test.yaml deleted file mode 100755 index efd20a119..000000000 --- a/other-cel/ensure-probes-different/.chainsaw-test/chainsaw-test.yaml +++ /dev/null 
@@ -1,40 +0,0 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json -apiVersion: chainsaw.kyverno.io/v1alpha1 -kind: Test -metadata: - creationTimestamp: null - name: ensure-probes-different -spec: - # disable templating because it can cause issues with CEL expressions - template: false - steps: - - name: step-01 - try: - - apply: - file: ns.yaml - - apply: - file: ../ensure-probes-different.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: validate-probes - spec: - validationFailureAction: Enforce - - assert: - file: policy-ready.yaml - - name: step-02 - try: - - apply: - file: podcontrollers-good.yaml - - apply: - expect: - - check: - ($error != null): true - file: podcontrollers-bad.yaml - - name: step-99 - try: - - script: - content: kubectl delete all --all --force --grace-period=0 -n ensure-probes-different-ns - diff --git a/other-cel/ensure-probes-different/.chainsaw-test/ns.yaml b/other-cel/ensure-probes-different/.chainsaw-test/ns.yaml deleted file mode 100644 index 055f17f7e..000000000 --- a/other-cel/ensure-probes-different/.chainsaw-test/ns.yaml +++ /dev/null @@ -1,5 +0,0 @@ -apiVersion: v1 -kind: Namespace -metadata: - name: ensure-probes-different-ns - diff --git a/other-cel/ensure-probes-different/.chainsaw-test/podcontrollers-bad.yaml b/other-cel/ensure-probes-different/.chainsaw-test/podcontrollers-bad.yaml deleted file mode 100644 index 78d0115dd..000000000 --- a/other-cel/ensure-probes-different/.chainsaw-test/podcontrollers-bad.yaml +++ /dev/null 
@@ -1,116 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app: busybox - name: baddeployment01 - namespace: ensure-probes-different-ns -spec: - replicas: 1 - selector: - matchLabels: - app: busybox - strategy: {} - template: - metadata: - labels: - app: busybox - spec: - containers: - - image: ghcr.io/kyverno/test-busybox:1.35 - name: busybox - livenessProbe: - exec: - command: - - cat - - /tmp/healthy - periodSeconds: 10 - readinessProbe: - tcpSocket: - port: 8080 - - image: ghcr.io/kyverno/test-busybox:1.35 - name: busybox02 - command: ["sleep","300"] - livenessProbe: - exec: - command: - - cat - - /tmp/healthy - periodSeconds: 10 - readinessProbe: - exec: - command: - - cat - - /tmp/healthy - periodSeconds: 10 ---- -apiVersion: apps/v1 -kind: DaemonSet -metadata: - name: badds01 - namespace: ensure-probes-different-ns -spec: - selector: - matchLabels: - name: busybox - template: - metadata: - labels: - name: busybox - spec: - containers: - - image: ghcr.io/kyverno/test-busybox:1.35 - name: busybox - command: ["sleep","300"] - livenessProbe: - tcpSocket: - port: 8080 - periodSeconds: 10 - readinessProbe: - tcpSocket: - port: 8080 - periodSeconds: 10 - - image: ghcr.io/kyverno/test-busybox:1.35 - name: busybox02 - livenessProbe: - exec: - command: - - cat - - /tmp/healthy - periodSeconds: 10 - readinessProbe: - tcpSocket: - port: 8080 ---- -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: badss01 - namespace: ensure-probes-different-ns -spec: - selector: - matchLabels: - app: busybox - serviceName: "busybox" - replicas: 1 - template: - metadata: - labels: - app: busybox - spec: - terminationGracePeriodSeconds: 5 - containers: - - image: ghcr.io/kyverno/test-busybox:1.35 - name: busybox02 - command: ["sleep","300"] - livenessProbe: - httpGet: - path: /healthz - port: 8080 - periodSeconds: 10 - readinessProbe: - httpGet: - path: /healthz - port: 8080 - periodSeconds: 10 - 
diff --git a/other-cel/ensure-probes-different/.chainsaw-test/podcontrollers-good.yaml b/other-cel/ensure-probes-different/.chainsaw-test/podcontrollers-good.yaml deleted file mode 100644 index f5c2d6b5b..000000000 --- a/other-cel/ensure-probes-different/.chainsaw-test/podcontrollers-good.yaml +++ /dev/null 
@@ -1,114 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app: busybox - name: gooddeployment01 - namespace: ensure-probes-different-ns -spec: - replicas: 1 - selector: - matchLabels: - app: busybox - strategy: {} - template: - metadata: - labels: - app: busybox - spec: - containers: - - image: ghcr.io/kyverno/test-busybox:1.35 - name: busybox - command: ["sleep","300"] - readinessProbe: - exec: - command: - - cat - - /tmp/healthy - periodSeconds: 10 - - image: ghcr.io/kyverno/test-busybox:1.35 - name: busybox02 - command: ["sleep","300"] - livenessProbe: - exec: - command: - - cat - - /tmp/healthy - periodSeconds: 10 - readinessProbe: - tcpSocket: - port: 8080 - periodSeconds: 10 ---- -apiVersion: apps/v1 -kind: DaemonSet -metadata: - name: goodds01 - namespace: ensure-probes-different-ns -spec: - selector: - matchLabels: - name: busybox - template: - metadata: - labels: - name: busybox - spec: - containers: - - image: ghcr.io/kyverno/test-busybox:1.35 - name: busybox - command: ["sleep","300"] - readinessProbe: - exec: - command: - - cat - - /tmp/healthy - periodSeconds: 10 - - image: ghcr.io/kyverno/test-busybox:1.35 - name: busybox02 - command: ["sleep","300"] - livenessProbe: - exec: - command: - - cat - - /tmp/healthy - periodSeconds: 10 ---- -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: goodss01 - namespace: ensure-probes-different-ns -spec: - selector: - matchLabels: - app: busybox - serviceName: "busybox" - replicas: 1 - template: - metadata: - labels: - app: busybox - spec: - terminationGracePeriodSeconds: 5 - containers: - - image: ghcr.io/kyverno/test-busybox:1.35 - name: busybox - livenessProbe: - tcpSocket: - port: 8080 - periodSeconds: 10 - - image: ghcr.io/kyverno/test-busybox:1.35 - name: busybox02 - command: ["sleep","300"] - livenessProbe: - exec: - command: - - cat - - /tmp/healthy - periodSeconds: 10 - readinessProbe: - tcpSocket: - port: 8080 - periodSeconds: 10 - 
diff --git a/other-cel/ensure-probes-different/.chainsaw-test/policy-ready.yaml b/other-cel/ensure-probes-different/.chainsaw-test/policy-ready.yaml deleted file mode 100755 index 93e19afb3..000000000 --- a/other-cel/ensure-probes-different/.chainsaw-test/policy-ready.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: validate-probes -status: - conditions: - - reason: Succeeded - status: "True" - type: Ready - - diff --git a/other-cel/ensure-probes-different/.kyverno-test/kyverno-test.yaml b/other-cel/ensure-probes-different/.kyverno-test/kyverno-test.yaml deleted file mode 100644 index 6812ebacc..000000000 --- a/other-cel/ensure-probes-different/.kyverno-test/kyverno-test.yaml +++ /dev/null @@ -1,22 +0,0 @@ -apiVersion: cli.kyverno.io/v1alpha1 -kind: Test -metadata: - name: validate-probes -policies: -- ../ensure-probes-different.yaml -resources: -- resource.yaml -results: -- kind: Deployment - policy: validate-probes - resources: - - mydeploy-2 - result: fail - rule: validate-probes -- kind: Deployment - policy: validate-probes - resources: - - mydeploy-1 - result: pass - rule: validate-probes - diff --git a/other-cel/ensure-probes-different/.kyverno-test/resource.yaml b/other-cel/ensure-probes-different/.kyverno-test/resource.yaml deleted file mode 100644 index 6f524a756..000000000 --- a/other-cel/ensure-probes-different/.kyverno-test/resource.yaml +++ /dev/null 
@@ -1,67 +0,0 @@ -# "Liveness and readiness probes are not same." -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - name: mydeploy-1 -spec: - replicas: 1 - selector: - matchLabels: - app: goproxy - template: - metadata: - name: goproxy - labels: - app: goproxy - spec: - containers: - - name: goproxy - image: registry.k8s.io/goproxy:0.1 - ports: - - containerPort: 8080 - readinessProbe: - tcpSocket: - port: 8080 - initialDelaySeconds: 5 - periodSeconds: 10 - livenessProbe: - tcpSocket: - port: 8080 - initialDelaySeconds: 15 - periodSeconds: 20 - ---- -# "Liveness and readiness probes are same." -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - name: mydeploy-2 -spec: - replicas: 1 - selector: - matchLabels: - app: goproxy - template: - metadata: - name: goproxy - labels: - app: goproxy - spec: - containers: - - name: goproxy - image: registry.k8s.io/goproxy:0.1 - ports: - - containerPort: 8080 - readinessProbe: - tcpSocket: - port: 8080 - initialDelaySeconds: 5 - periodSeconds: 10 - livenessProbe: - tcpSocket: - port: 8080 - initialDelaySeconds: 5 - periodSeconds: 10 - diff --git a/other-cel/ensure-probes-different/artifacthub-pkg.yml b/other-cel/ensure-probes-different/artifacthub-pkg.yml deleted file mode 100644 index c4fed20e3..000000000 --- a/other-cel/ensure-probes-different/artifacthub-pkg.yml +++ /dev/null 
@@ -1,24 +0,0 @@ -name: ensure-probes-different-cel -version: 1.0.0 -displayName: Validate Probes in CEL expressions -description: >- - Liveness and readiness probes accomplish different goals, and setting both to the same is an anti-pattern and often results in app problems in the future. This policy checks that liveness and readiness probes are not equal. -install: |- - ```shell - kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other-cel/ensure-probes-different/ensure-probes-different.yaml - ``` -keywords: - - kyverno - - Sample - - CEL Expressions -readme: | - Liveness and readiness probes accomplish different goals, and setting both to the same is an anti-pattern and often results in app problems in the future. This policy checks that liveness and readiness probes are not equal. - - Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ -annotations: - kyverno/category: "Sample in CEL" - kyverno/kubernetesVersion: "1.26-1.27" - kyverno/subject: "Pod" -digest: 95447cdc8a2287d3d0d9f300dd82bd62709d1bbe91c60ba2b11c8ce0a318bbcb -createdAt: "2024-03-31T11:12:02Z" - diff --git a/other-cel/ensure-probes-different/ensure-probes-different.yaml b/other-cel/ensure-probes-different/ensure-probes-different.yaml deleted file mode 100644 index f49bb2104..000000000 --- a/other-cel/ensure-probes-different/ensure-probes-different.yaml +++ /dev/null 
@@ -1,41 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: validate-probes - annotations: - pod-policies.kyverno.io/autogen-controllers: none - policies.kyverno.io/title: Validate Probes in CEL expressions - policies.kyverno.io/category: Sample in CEL - policies.kyverno.io/severity: medium - policies.kyverno.io/minversion: 1.11.0 - kyverno.io/kubernetes-version: "1.26-1.27" - policies.kyverno.io/subject: Pod - policies.kyverno.io/description: >- - Liveness and readiness probes accomplish different goals, and setting both to the same - is an anti-pattern and often results in app problems in the future. This policy - checks that liveness and readiness probes are not equal. Keep in mind that if both the - probes are not set, they are considered to be equal and hence fails the check. -spec: - validationFailureAction: Audit - background: false - rules: - - name: validate-probes - match: - any: - - resources: - kinds: - - Deployment - - DaemonSet - - StatefulSet - operations: - - CREATE - - UPDATE - validate: - cel: - expressions: - - expression: >- - !object.spec.template.spec.containers.exists(container, - has(container.readinessProbe) && has(container.livenessProbe) && - container.readinessProbe == container.livenessProbe) - message: "Liveness and readiness probes cannot be the same." - diff --git a/other-cel/ensure-readonly-hostpath/.chainsaw-test/bad-pod-02.yaml b/other-cel/ensure-readonly-hostpath/.chainsaw-test/bad-pod-02.yaml deleted file mode 100644 index be990147d..000000000 --- a/other-cel/ensure-readonly-hostpath/.chainsaw-test/bad-pod-02.yaml +++ /dev/null @@ -1,17 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: bad-pod-02 -spec: - containers: - - name: test-webserver - image: asdfeasdfasada:latest - volumeMounts: - - mountPath: /some/dir - name: foo - readOnly: false - volumes: - - name: foo - hostPath: - path: /var/log - 
diff --git a/other-cel/ensure-readonly-hostpath/.chainsaw-test/bad-pod-03.yaml b/other-cel/ensure-readonly-hostpath/.chainsaw-test/bad-pod-03.yaml deleted file mode 100644 index 351cf44bc..000000000 --- a/other-cel/ensure-readonly-hostpath/.chainsaw-test/bad-pod-03.yaml +++ /dev/null @@ -1,22 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: bad-pod-03 -spec: - containers: - - name: test-webserver - image: asdfeasdfasada:latest - volumeMounts: - - mountPath: /some/dir - name: foo - readOnly: true - - mountPath: /etc - name: bar - volumes: - - name: foo - hostPath: - path: /var/log - - name: bar - hostPath: - path: /etc - diff --git a/other-cel/ensure-readonly-hostpath/.chainsaw-test/bad-pod-04.yaml b/other-cel/ensure-readonly-hostpath/.chainsaw-test/bad-pod-04.yaml deleted file mode 100644 index 4b0703656..000000000 --- a/other-cel/ensure-readonly-hostpath/.chainsaw-test/bad-pod-04.yaml +++ /dev/null @@ -1,23 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: bad-pod-04 -spec: - containers: - - name: test-webserver - image: asdfeasdfasada:latest - volumeMounts: - - mountPath: /some/dir - name: foo - readOnly: true - - mountPath: /etc - name: bar - readOnly: false - volumes: - - name: foo - hostPath: - path: /var/log - - name: bar - hostPath: - path: /etc - diff --git a/other-cel/ensure-readonly-hostpath/.chainsaw-test/bad-pod-05.yaml b/other-cel/ensure-readonly-hostpath/.chainsaw-test/bad-pod-05.yaml deleted file mode 100644 index 9f803e8ec..000000000 --- a/other-cel/ensure-readonly-hostpath/.chainsaw-test/bad-pod-05.yaml +++ /dev/null 
@@ -1,28 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: bad-pod-05 -spec: - containers: - - name: test-webserver - image: asdfeasdfasada:latest - volumeMounts: - - mountPath: /some/dir - name: foo - readOnly: true - - mountPath: /etc - name: bar - - name: test-webserver02 - image: sjbonmqopcta:latest - volumeMounts: - - mountPath: /some/dir - name: foo - readOnly: true - volumes: - - name: foo - hostPath: - path: /var/log - - name: bar - hostPath: - path: /etc - diff --git a/other-cel/ensure-readonly-hostpath/.chainsaw-test/bad-pods-all.yaml b/other-cel/ensure-readonly-hostpath/.chainsaw-test/bad-pods-all.yaml deleted file mode 100644 index 8783a36ea..000000000 --- a/other-cel/ensure-readonly-hostpath/.chainsaw-test/bad-pods-all.yaml +++ /dev/null @@ -1,40 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: bad-pods-all -spec: - ephemeralContainers: - - name: ephemtest-webserver - image: asdfeasdfasada:latest - volumeMounts: - - mountPath: /some/dir - name: foo - readOnly: false - initContainers: - - name: inittest-webserver - image: asdfeasdfasada:latest - volumeMounts: - - mountPath: /some/dir - name: bar - readOnly: true - containers: - - name: test-webserver - image: asdfeasdfasada:latest - volumeMounts: - - mountPath: /some/dir - name: foo - readOnly: true - - name: test-webserver02 - image: sjbonmqopcta:latest - volumeMounts: - - mountPath: /some/dir - name: bar - readOnly: true - volumes: - - name: foo - hostPath: - path: /var/log - - name: bar - hostPath: - path: /etc - diff --git a/other-cel/ensure-readonly-hostpath/.chainsaw-test/chainsaw-test.yaml b/other-cel/ensure-readonly-hostpath/.chainsaw-test/chainsaw-test.yaml deleted file mode 100755 index 63f225da1..000000000 --- a/other-cel/ensure-readonly-hostpath/.chainsaw-test/chainsaw-test.yaml +++ /dev/null 
@@ -1,68 +0,0 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json -apiVersion: chainsaw.kyverno.io/v1alpha1 -kind: Test -metadata: - creationTimestamp: null - name: ensure-readonly-hostpath -spec: - # disable templating because it can cause issues with CEL expressions - template: false - steps: - - name: step-01 - try: - - apply: - file: ../ensure-readonly-hostpath.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: ensure-readonly-hostpath - spec: - validationFailureAction: Enforce - - assert: - file: policy-ready.yaml - - name: step-02 - try: - - apply: - file: pods-good.yaml - - apply: - file: ../.kyverno-test/good-pod-01.yaml - - apply: - expect: - - check: - ($error != null): true - file: pods-bad.yaml - - apply: - expect: - - check: - ($error != null): true - file: ../.kyverno-test/bad-pod-01.yaml - - apply: - expect: - - check: - ($error != null): true - file: bad-pod-02.yaml - - apply: - expect: - - check: - ($error != null): true - file: bad-pod-03.yaml - - apply: - expect: - - check: - ($error != null): true - file: bad-pod-04.yaml - - apply: - expect: - - check: - ($error != null): true - file: bad-pod-05.yaml - - apply: - file: podcontrollers-good.yaml - - apply: - expect: - - check: - ($error != null): true - file: podcontrollers-bad.yaml - diff --git a/other-cel/ensure-readonly-hostpath/.chainsaw-test/good-pods-all.yaml b/other-cel/ensure-readonly-hostpath/.chainsaw-test/good-pods-all.yaml deleted file mode 100644 index ebc36fa0b..000000000 --- a/other-cel/ensure-readonly-hostpath/.chainsaw-test/good-pods-all.yaml +++ /dev/null 
@@ -1,37 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: bad-pods-all -spec: - ephemeralContainers: - - name: ephemtest-webserver - image: asdfeasdfasada:latest - volumeMounts: - - mountPath: /some/dir - name: foo - readOnly: true - initContainers: - - name: inittest-webserver - image: fjtyonaq:latest - volumeMounts: - - mountPath: /some/dir - name: foo - readOnly: true - containers: - - name: test-webserver - image: asdfeasdfasada:latest - volumeMounts: - - mountPath: /some/dir - name: foo - readOnly: true - - name: test-webserver02 - image: sjbonmqopcta:latest - volumeMounts: - - mountPath: /some/dir - name: foo - readOnly: true - volumes: - - name: foo - hostPath: - path: /var/log - diff --git a/other-cel/ensure-readonly-hostpath/.chainsaw-test/podcontrollers-bad.yaml b/other-cel/ensure-readonly-hostpath/.chainsaw-test/podcontrollers-bad.yaml deleted file mode 100644 index e96566074..000000000 --- a/other-cel/ensure-readonly-hostpath/.chainsaw-test/podcontrollers-bad.yaml +++ /dev/null 
@@ -1,75 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app: busybox - name: baddeployment01 -spec: - replicas: 1 - selector: - matchLabels: - app: busybox - strategy: {} - template: - metadata: - labels: - app: busybox - spec: - initContainers: - - name: busybox-init - image: ghcr.io/kyverno/test-busybox:1.35 - volumeMounts: - - mountPath: /some/dir - name: foo - readOnly: true - - mountPath: /some/another/dir - name: foo - readOnly: false - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 - volumeMounts: - - mountPath: /some/dir - name: foo - readOnly: true - volumes: - - name: foo - hostPath: - path: /var/log ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob01 -spec: - schedule: "* * * * *" - jobTemplate: - spec: - template: - metadata: - labels: - app: busybox - spec: - initContainers: - - name: busybox-init - image: ghcr.io/kyverno/test-busybox:1.35 - volumeMounts: - - mountPath: /some/dir - name: foo - readOnly: true - - mountPath: /some/another/dir - name: foo - readOnly: false - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 - volumeMounts: - - mountPath: /some/dir - name: foo - readOnly: true - volumes: - - name: foo - hostPath: - path: /var/log - restartPolicy: OnFailure - diff --git a/other-cel/ensure-readonly-hostpath/.chainsaw-test/podcontrollers-good.yaml b/other-cel/ensure-readonly-hostpath/.chainsaw-test/podcontrollers-good.yaml deleted file mode 100644 index 2e5588e44..000000000 --- a/other-cel/ensure-readonly-hostpath/.chainsaw-test/podcontrollers-good.yaml +++ /dev/null 
@@ -1,75 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app: busybox - name: gooddeployment01 -spec: - replicas: 1 - selector: - matchLabels: - app: busybox - strategy: {} - template: - metadata: - labels: - app: busybox - spec: - initContainers: - - name: busybox-init - image: ghcr.io/kyverno/test-busybox:1.35 - volumeMounts: - - mountPath: /some/dir - name: foo - readOnly: true - - mountPath: /some/another/dir - name: foo - readOnly: true - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 - volumeMounts: - - mountPath: /some/dir - name: foo - readOnly: true - volumes: - - name: foo - hostPath: - path: /var/log ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob01 -spec: - schedule: "* * * * *" - jobTemplate: - spec: - template: - metadata: - labels: - app: busybox - spec: - initContainers: - - name: busybox-init - image: ghcr.io/kyverno/test-busybox:1.35 - volumeMounts: - - mountPath: /some/dir - name: foo - readOnly: true - - mountPath: /some/another/dir - name: foo - readOnly: true - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 - volumeMounts: - - mountPath: /some/dir - name: foo - readOnly: true - volumes: - - name: foo - hostPath: - path: /var/log - restartPolicy: OnFailure - diff --git a/other-cel/ensure-readonly-hostpath/.chainsaw-test/pods-bad.yaml b/other-cel/ensure-readonly-hostpath/.chainsaw-test/pods-bad.yaml deleted file mode 100644 index 2642c194c..000000000 --- a/other-cel/ensure-readonly-hostpath/.chainsaw-test/pods-bad.yaml +++ /dev/null 
@@ -1,27 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: badpod01 -spec: - initContainers: - - name: busybox-init - image: ghcr.io/kyverno/test-busybox:1.35 - volumeMounts: - - mountPath: /some/dir - name: foo - readOnly: true - - mountPath: /some/another/dir - name: foo - readOnly: false - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 - volumeMounts: - - mountPath: /some/dir - name: foo - readOnly: true - volumes: - - name: foo - hostPath: - path: /var/log - diff --git a/other-cel/ensure-readonly-hostpath/.chainsaw-test/pods-good.yaml b/other-cel/ensure-readonly-hostpath/.chainsaw-test/pods-good.yaml deleted file mode 100644 index bdb942869..000000000 --- a/other-cel/ensure-readonly-hostpath/.chainsaw-test/pods-good.yaml +++ /dev/null @@ -1,27 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: goodpod01 -spec: - initContainers: - - name: busybox-init - image: ghcr.io/kyverno/test-busybox:1.35 - volumeMounts: - - mountPath: /some/dir - name: foo - readOnly: true - - mountPath: /some/another/dir - name: foo - readOnly: true - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 - volumeMounts: - - mountPath: /some/dir - name: foo - readOnly: true - volumes: - - name: foo - hostPath: - path: /var/log - diff --git a/other-cel/ensure-readonly-hostpath/.chainsaw-test/policy-ready.yaml b/other-cel/ensure-readonly-hostpath/.chainsaw-test/policy-ready.yaml deleted file mode 100755 index 35c07ba78..000000000 --- a/other-cel/ensure-readonly-hostpath/.chainsaw-test/policy-ready.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: ensure-readonly-hostpath -status: - conditions: - - reason: Succeeded - status: "True" - type: Ready - - diff --git a/other-cel/ensure-readonly-hostpath/.kyverno-test/bad-pod-01.yaml b/other-cel/ensure-readonly-hostpath/.kyverno-test/bad-pod-01.yaml deleted file mode 100644 index 51839206c..000000000 
--- a/other-cel/ensure-readonly-hostpath/.kyverno-test/bad-pod-01.yaml +++ /dev/null @@ -1,16 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: bad-pod-01 -spec: - containers: - - name: test-webserver - image: asdfeasdfasada:latest - volumeMounts: - - mountPath: /some/dir - name: foo - volumes: - - name: foo - hostPath: - path: /var/log - diff --git a/other-cel/ensure-readonly-hostpath/.kyverno-test/good-pod-01.yaml b/other-cel/ensure-readonly-hostpath/.kyverno-test/good-pod-01.yaml deleted file mode 100644 index 9c6331dcf..000000000 --- a/other-cel/ensure-readonly-hostpath/.kyverno-test/good-pod-01.yaml +++ /dev/null @@ -1,17 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: good-pod-01 -spec: - containers: - - name: test-webserver - image: asdfeasdfasada:latest - volumeMounts: - - mountPath: /some/dir - name: foo - readOnly: true - volumes: - - name: foo - hostPath: - path: /var/log - diff --git a/other-cel/ensure-readonly-hostpath/.kyverno-test/kyverno-test.yaml b/other-cel/ensure-readonly-hostpath/.kyverno-test/kyverno-test.yaml deleted file mode 100644 index e37b5e0c3..000000000 --- a/other-cel/ensure-readonly-hostpath/.kyverno-test/kyverno-test.yaml +++ /dev/null @@ -1,23 +0,0 @@ -apiVersion: cli.kyverno.io/v1alpha1 -kind: Test -metadata: - name: ensure-readonly-hostpath -policies: -- ../ensure-readonly-hostpath.yaml -resources: -- good-pod-01.yaml -- bad-pod-01.yaml -results: -- kind: Pod - policy: ensure-readonly-hostpath - resources: - - bad-pod-01 - result: fail - rule: ensure-hostpaths-readonly -- kind: Pod - policy: ensure-readonly-hostpath - resources: - - good-pod-01 - result: pass - rule: ensure-hostpaths-readonly - diff --git a/other-cel/ensure-readonly-hostpath/artifacthub-pkg.yml b/other-cel/ensure-readonly-hostpath/artifacthub-pkg.yml deleted file mode 100644 index aa5a97e0b..000000000 --- a/other-cel/ensure-readonly-hostpath/artifacthub-pkg.yml +++ /dev/null 
@@ -1,24 +0,0 @@ -name: ensure-readonly-hostpath-cel -version: 1.0.0 -displayName: Ensure Read Only hostPath in CEL expressions -description: >- - Pods which are allowed to mount hostPath volumes in read/write mode pose a security risk even if confined to a "safe" file system on the host and may escape those confines (see https://blog.aquasec.com/kubernetes-security-pod-escape-log-mounts). The only true way to ensure safety is to enforce that all Pods mounting hostPath volumes do so in read only mode. This policy checks all containers for any hostPath volumes and ensures they are explicitly mounted in readOnly mode. -install: |- - ```shell - kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other-cel/ensure-readonly-hostpath/ensure-readonly-hostpath.yaml - ``` -keywords: - - kyverno - - Other - - CEL Expressions -readme: | - Pods which are allowed to mount hostPath volumes in read/write mode pose a security risk even if confined to a "safe" file system on the host and may escape those confines (see https://blog.aquasec.com/kubernetes-security-pod-escape-log-mounts). The only true way to ensure safety is to enforce that all Pods mounting hostPath volumes do so in read only mode. This policy checks all containers for any hostPath volumes and ensures they are explicitly mounted in readOnly mode. - - Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ -annotations: - kyverno/category: "Other in CEL" - kyverno/kubernetesVersion: "1.26-1.27" - kyverno/subject: "Pod" -digest: c0acb4aa284ff94ed26e343502b35bc959bbe45d2d8f3d7b4fbb6780e0e27828 -createdAt: "2024-04-05T17:39:16Z" - diff --git a/other-cel/ensure-readonly-hostpath/ensure-readonly-hostpath.yaml b/other-cel/ensure-readonly-hostpath/ensure-readonly-hostpath.yaml deleted file mode 100644 index 9b386141a..000000000 --- a/other-cel/ensure-readonly-hostpath/ensure-readonly-hostpath.yaml +++ /dev/null 
@@ -1,45 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: ensure-readonly-hostpath - annotations: - policies.kyverno.io/title: Ensure Read Only hostPath in CEL expressions - policies.kyverno.io/category: Other in CEL - policies.kyverno.io/severity: medium - policies.kyverno.io/minversion: 1.11.0 - kyverno.io/kyverno-version: 1.11.0 - kyverno.io/kubernetes-version: "1.26-1.27" - policies.kyverno.io/subject: Pod - policies.kyverno.io/description: >- - Pods which are allowed to mount hostPath volumes in read/write mode pose a security risk - even if confined to a "safe" file system on the host and may escape those confines (see - https://blog.aquasec.com/kubernetes-security-pod-escape-log-mounts). The only true way - to ensure safety is to enforce that all Pods mounting hostPath volumes do so in read only - mode. This policy checks all containers for any hostPath volumes and ensures they are - explicitly mounted in readOnly mode. -spec: - background: false - validationFailureAction: Audit - rules: - - name: ensure-hostpaths-readonly - match: - any: - - resources: - kinds: - - Pod - operations: - - CREATE - - UPDATE - validate: - cel: - variables: - - name: allContainers - expression: "object.spec.containers + object.spec.?initContainers.orValue([]) + object.spec.?ephemeralContainers.orValue([])" - - name: hostPathVolumes - expression: "object.spec.?volumes.orValue([]).filter(volume, has(volume.hostPath))" - expressions: - - expression: >- - variables.hostPathVolumes.all(hostPath, variables.allContainers.all(container, - container.volumeMounts.orValue([]).all(volume, (hostPath.name != volume.name) || volume.?readOnly.orValue(false) == true))) - message: All hostPath volumes must be mounted as readOnly. - diff --git a/other-cel/exclude-namespaces-dynamically/.chainsaw-test/chainsaw-test.yaml b/other-cel/exclude-namespaces-dynamically/.chainsaw-test/chainsaw-test.yaml deleted file mode 100755 index a388d214e..000000000 
--- a/other-cel/exclude-namespaces-dynamically/.chainsaw-test/chainsaw-test.yaml +++ /dev/null @@ -1,42 +0,0 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json -apiVersion: chainsaw.kyverno.io/v1alpha1 -kind: Test -metadata: - creationTimestamp: null - name: exclude-namespaces-dynamically -spec: - steps: - - name: step-01 - try: - - apply: - file: cm.yaml - - apply: - file: ns.yaml - - apply: - file: ../exclude-namespaces-dynamically.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: exclude-namespaces-example - spec: - validationFailureAction: Enforce - - assert: - file: policy-ready.yaml - - name: step-02 - try: - - apply: - file: pod-good.yaml - - apply: - file: podcontroller-good.yaml - - apply: - expect: - - check: - ($error != null): true - file: pod-bad.yaml - - apply: - expect: - - check: - ($error != null): true - file: podcontroller-bad.yaml diff --git a/other-cel/exclude-namespaces-dynamically/.chainsaw-test/cm.yaml b/other-cel/exclude-namespaces-dynamically/.chainsaw-test/cm.yaml deleted file mode 100644 index 0c2e3c57a..000000000 --- a/other-cel/exclude-namespaces-dynamically/.chainsaw-test/cm.yaml +++ /dev/null @@ -1,7 +0,0 @@ -apiVersion: v1 -data: - exclude: "exclude-ns, exclude-ns-2" -kind: ConfigMap -metadata: - name: namespace-filters - namespace: default \ No newline at end of file diff --git a/other-cel/exclude-namespaces-dynamically/.chainsaw-test/cmap.yaml b/other-cel/exclude-namespaces-dynamically/.chainsaw-test/cmap.yaml deleted file mode 100644 index 891cfb061..000000000 --- a/other-cel/exclude-namespaces-dynamically/.chainsaw-test/cmap.yaml +++ /dev/null @@ -1,8 +0,0 @@ -apiVersion: v1 -kind: ConfigMap -metadata: - name: namespace-filters - namespace: default -data: - exclude: "[\"default\", \"test\"]" - \ No newline at end of file 
diff --git a/other-cel/exclude-namespaces-dynamically/.chainsaw-test/ns.yaml b/other-cel/exclude-namespaces-dynamically/.chainsaw-test/ns.yaml deleted file mode 100644 index 4c909ba8b..000000000 --- a/other-cel/exclude-namespaces-dynamically/.chainsaw-test/ns.yaml +++ /dev/null @@ -1,9 +0,0 @@ -apiVersion: v1 -kind: Namespace -metadata: - name: exclude-ns ---- -apiVersion: v1 -kind: Namespace -metadata: - name: exclude-ns-2 \ No newline at end of file diff --git a/other-cel/exclude-namespaces-dynamically/.chainsaw-test/pod-bad.yaml b/other-cel/exclude-namespaces-dynamically/.chainsaw-test/pod-bad.yaml deleted file mode 100644 index 66aef86b3..000000000 --- a/other-cel/exclude-namespaces-dynamically/.chainsaw-test/pod-bad.yaml +++ /dev/null @@ -1,29 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: badpod01 -spec: - containers: - - name: pod01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod02 - namespace: default -spec: - containers: - - name: pod01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod03 - labels: - bar: foo -spec: - containers: - - name: pod01 - image: ghcr.io/kyverno/test-busybox:1.35 \ No newline at end of file diff --git a/other-cel/exclude-namespaces-dynamically/.chainsaw-test/pod-good.yaml b/other-cel/exclude-namespaces-dynamically/.chainsaw-test/pod-good.yaml deleted file mode 100644 index 00afae229..000000000 --- a/other-cel/exclude-namespaces-dynamically/.chainsaw-test/pod-good.yaml +++ /dev/null 
@@ -1,43 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: goodpod01 - namespace: exclude-ns -spec: - containers: - - name: pod01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod02 - namespace: exclude-ns-2 -spec: - containers: - - name: pod01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod03 - labels: - bar: foo - foo: bar -spec: - containers: - - name: pod01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod04 - namespace: exclude-ns-2 - labels: - foo: bar -spec: - containers: - - name: pod01 - image: ghcr.io/kyverno/test-busybox:1.35 \ No newline at end of file diff --git a/other-cel/exclude-namespaces-dynamically/.chainsaw-test/podcontroller-bad.yaml b/other-cel/exclude-namespaces-dynamically/.chainsaw-test/podcontroller-bad.yaml deleted file mode 100644 index a81ce69fb..000000000 --- a/other-cel/exclude-namespaces-dynamically/.chainsaw-test/podcontroller-bad.yaml +++ /dev/null @@ -1,35 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app: busybox - name: baddeployment01 -spec: - replicas: 1 - selector: - matchLabels: - app: busybox - strategy: {} - template: - metadata: - labels: - app: busybox - spec: - containers: - - name: bb-01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob01 -spec: - schedule: "* * * * *" - jobTemplate: - spec: - template: - spec: - containers: - - name: bb-01 - image: kyverno - restartPolicy: OnFailure \ No newline at end of file diff --git a/other-cel/exclude-namespaces-dynamically/.chainsaw-test/podcontroller-good.yaml b/other-cel/exclude-namespaces-dynamically/.chainsaw-test/podcontroller-good.yaml deleted file mode 100644 index 90f518ddc..000000000 --- a/other-cel/exclude-namespaces-dynamically/.chainsaw-test/podcontroller-good.yaml +++ /dev/null 
@@ -1,77 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app: busybox - name: gooddeployment01 - namespace: exclude-ns -spec: - replicas: 1 - selector: - matchLabels: - app: busybox - strategy: {} - template: - metadata: - labels: - app: busybox - spec: - containers: - - name: bb-01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app: busybox - name: gooddeployment02 -spec: - replicas: 1 - selector: - matchLabels: - app: busybox - strategy: {} - template: - metadata: - labels: - app: busybox - foo: bar - spec: - containers: - - name: bb-01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob01 - namespace: exclude-ns-2 -spec: - schedule: "* * * * *" - jobTemplate: - spec: - template: - spec: - containers: - - name: bb-01 - image: kyverno - restartPolicy: OnFailure ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob02 -spec: - schedule: "* * * * *" - jobTemplate: - spec: - template: - metadata: - labels: - foo: bar - spec: - containers: - - name: bb-01 - image: kyverno - restartPolicy: OnFailure \ No newline at end of file diff --git a/other-cel/exclude-namespaces-dynamically/.chainsaw-test/policy-ready.yaml b/other-cel/exclude-namespaces-dynamically/.chainsaw-test/policy-ready.yaml deleted file mode 100755 index d5c98b767..000000000 --- a/other-cel/exclude-namespaces-dynamically/.chainsaw-test/policy-ready.yaml +++ /dev/null @@ -1,10 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: exclude-namespaces-example -status: - conditions: - - reason: Succeeded - status: "True" - type: Ready - diff --git a/other-cel/exclude-namespaces-dynamically/artifacthub-pkg.yml b/other-cel/exclude-namespaces-dynamically/artifacthub-pkg.yml deleted file mode 100644 index 817299960..000000000 --- a/other-cel/exclude-namespaces-dynamically/artifacthub-pkg.yml +++ /dev/null 
@@ -1,24 +0,0 @@ -name: exclude-namespaces-dynamically-cel -version: 1.0.0 -displayName: Exclude Namespaces Dynamically in CEL expressions -description: >- - It's common where policy lookups need to consider a mapping to many possible values rather than a static mapping. This is a sample which demonstrates how to dynamically look up an allow list of Namespaces from a ConfigMap where the ConfigMap stores an array of strings. This policy validates that any Pods created outside of the list of Namespaces have the label `foo` applied. -install: |- - ```shell - kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other-cel/exclude-namespaces-dynamically/exclude-namespaces-dynamically.yaml - ``` -keywords: - - kyverno - - Sample - - CEL Expressions -readme: | - It's common where policy lookups need to consider a mapping to many possible values rather than a static mapping. This is a sample which demonstrates how to dynamically look up an allow list of Namespaces from a ConfigMap where the ConfigMap stores an array of strings. This policy validates that any Pods created outside of the list of Namespaces have the label `foo` applied. - - Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ -annotations: - kyverno/category: "Sample in CEL" - kyverno/kubernetesVersion: "1.26-1.27" - kyverno/subject: "Namespace, Pod" -digest: 5ddbe0a585b27d938e5ae070444d0d8f346785f8566b28bcbfef1dc0d90cd3f4 -createdAt: "2024-04-24T18:58:33Z" - diff --git a/other-cel/exclude-namespaces-dynamically/exclude-namespaces-dynamically.yaml b/other-cel/exclude-namespaces-dynamically/exclude-namespaces-dynamically.yaml deleted file mode 100644 index dc5a65852..000000000 --- a/other-cel/exclude-namespaces-dynamically/exclude-namespaces-dynamically.yaml +++ /dev/null 
@@ -1,109 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: exclude-namespaces-example - annotations: - policies.kyverno.io/title: Exclude Namespaces Dynamically in CEL expressions - policies.kyverno.io/category: Sample in CEL - policies.kyverno.io/severity: medium - policies.kyverno.io/subject: Namespace, Pod - policies.kyverno.io/minversion: 1.11.0 - pod-policies.kyverno.io/autogen-controllers: none - kyverno.io/kyverno-version: 1.11.0 - kyverno.io/kubernetes-version: "1.26-1.27" - policies.kyverno.io/description: >- - It's common where policy lookups need to consider a mapping to many possible values rather than a - static mapping. This is a sample which demonstrates how to dynamically look up an allow list of Namespaces from a ConfigMap - where the ConfigMap stores an array of strings. This policy validates that any Pods created - outside of the list of Namespaces have the label `foo` applied. -spec: - validationFailureAction: Audit - background: true - rules: - - name: exclude-namespaces-dynamically - match: - any: - - resources: - kinds: - - Deployment - - DaemonSet - - StatefulSet - - Job - operations: - - CREATE - - UPDATE - celPreconditions: - - name: "filter-namespaces" - expression: "!(request.namespace in params.data['exclude'].split(', '))" - validate: - cel: - paramKind: - apiVersion: v1 - kind: ConfigMap - paramRef: - name: namespace-filters - namespace: default - parameterNotFoundAction: Deny - expressions: - - expression: "has(object.spec.template.metadata) && has(object.spec.template.metadata.labels) && 'foo' in object.spec.template.metadata.labels" - messageExpression: > - 'Creating Pods in the ' + request.namespace + ' namespace,' + - ' which is not in the excluded list of namespaces' + params.data.exclude + ',' + - ' is forbidden unless it carries the label `foo`.' 
- - name: exclude-namespaces-dynamically-pods - match: - any: - - resources: - kinds: - - Pod - operations: - - CREATE - - UPDATE - celPreconditions: - - name: "filter-namespaces" - expression: "!(request.namespace in params.data['exclude'].split(', '))" - validate: - cel: - paramKind: - apiVersion: v1 - kind: ConfigMap - paramRef: - name: namespace-filters - namespace: default - parameterNotFoundAction: Deny - expressions: - - expression: "has(object.metadata.labels) && 'foo' in object.metadata.labels" - messageExpression: > - 'Creating Pods in the ' + request.namespace + ' namespace,' + - ' which is not in the excluded list of namespaces ' + params.data.exclude + ',' + - ' is forbidden unless it carries the label `foo`.' - - name: exclude-namespaces-dynamically-cronjobs - match: - any: - - resources: - kinds: - - CronJob - operations: - - CREATE - - UPDATE - celPreconditions: - - name: "filter-namespaces" - expression: "!(request.namespace in params.data['exclude'].split(', '))" - validate: - cel: - paramKind: - apiVersion: v1 - kind: ConfigMap - paramRef: - name: namespace-filters - namespace: default - parameterNotFoundAction: Deny - expressions: - - expression: >- - has(object.spec.jobTemplate.spec.template.metadata) && - has(object.spec.jobTemplate.spec.template.metadata.labels) && 'foo' in object.spec.jobTemplate.spec.template.metadata.labels - messageExpression: > - 'Creating Pods in the ' + request.namespace + ' namespace,' + - ' which is not in the excluded list of namespaces ' + params.data.exclude + ',' + - ' is forbidden unless it carries the label `foo`.' - diff --git a/other-cel/forbid-cpu-limits/.chainsaw-test/chainsaw-test.yaml b/other-cel/forbid-cpu-limits/.chainsaw-test/chainsaw-test.yaml deleted file mode 100755 index 407a15fa3..000000000 --- a/other-cel/forbid-cpu-limits/.chainsaw-test/chainsaw-test.yaml +++ /dev/null 
@@ -1,41 +0,0 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json -apiVersion: chainsaw.kyverno.io/v1alpha1 -kind: Test -metadata: - creationTimestamp: null - name: forbid-cpu-limits -spec: - # disable templating because it can cause issues with CEL expressions - template: false - steps: - - name: step-01 - try: - - apply: - file: ../forbid-cpu-limits.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: forbid-cpu-limits - spec: - validationFailureAction: Enforce - - assert: - file: policy-ready.yaml - - name: step-02 - try: - - apply: - file: pods-good.yaml - - apply: - expect: - - check: - ($error != null): true - file: pods-bad.yaml - - apply: - file: podcontrollers-good.yaml - - apply: - expect: - - check: - ($error != null): true - file: podcontrollers-bad.yaml - diff --git a/other-cel/forbid-cpu-limits/.chainsaw-test/podcontrollers-bad.yaml b/other-cel/forbid-cpu-limits/.chainsaw-test/podcontrollers-bad.yaml deleted file mode 100644 index 81604049b..000000000 --- a/other-cel/forbid-cpu-limits/.chainsaw-test/podcontrollers-bad.yaml +++ /dev/null 
@@ -1,100 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app: busybox - name: baddeployment01 -spec: - replicas: 1 - selector: - matchLabels: - app: busybox - strategy: {} - template: - metadata: - labels: - app: busybox - spec: - containers: - - image: ghcr.io/kyverno/test-busybox:1.35 - name: busybox - resources: - limits: - cpu: 10m ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app: busybox - name: baddeployment02 -spec: - replicas: 1 - selector: - matchLabels: - app: busybox - strategy: {} - template: - metadata: - labels: - app: busybox - spec: - containers: - - name: webserver1 - image: ghcr.io/kyverno/test-busybox:1.35 - resources: - requests: - cpu: 10m - - name: webserver2 - image: ghcr.io/kyverno/test-busybox:1.35 - resources: - limits: - cpu: 10m ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob01 -spec: - schedule: "* * * * *" - jobTemplate: - spec: - template: - metadata: - labels: - app: busybox - spec: - containers: - - image: ghcr.io/kyverno/test-busybox:1.35 - name: busybox - resources: - limits: - cpu: 10m - restartPolicy: OnFailure ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob02 -spec: - schedule: "* * * * *" - jobTemplate: - spec: - template: - metadata: - labels: - app: busybox - spec: - containers: - - name: webserver1 - image: ghcr.io/kyverno/test-busybox:1.35 - resources: - requests: - cpu: 10m - - name: webserver2 - image: ghcr.io/kyverno/test-busybox:1.35 - resources: - limits: - cpu: 10m - restartPolicy: OnFailure - diff --git a/other-cel/forbid-cpu-limits/.chainsaw-test/podcontrollers-good.yaml b/other-cel/forbid-cpu-limits/.chainsaw-test/podcontrollers-good.yaml deleted file mode 100644 index f73c8eb25..000000000 --- a/other-cel/forbid-cpu-limits/.chainsaw-test/podcontrollers-good.yaml +++ /dev/null 
@@ -1,84 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app: busybox - name: gooddeployment01 -spec: - replicas: 1 - selector: - matchLabels: - app: busybox - strategy: {} - template: - metadata: - labels: - app: busybox - spec: - containers: - - image: ghcr.io/kyverno/test-busybox:1.35 - name: busybox ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app: busybox - name: gooddeployment02 -spec: - replicas: 1 - selector: - matchLabels: - app: busybox - strategy: {} - template: - metadata: - labels: - app: busybox - spec: - containers: - - image: ghcr.io/kyverno/test-busybox:1.35 - name: busybox - resources: - requests: - cpu: 10m ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob01 -spec: - schedule: "* * * * *" - jobTemplate: - spec: - template: - metadata: - labels: - app: busybox - spec: - containers: - - image: ghcr.io/kyverno/test-busybox:1.35 - name: busybox - restartPolicy: OnFailure ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob02 -spec: - schedule: "* * * * *" - jobTemplate: - spec: - template: - metadata: - labels: - app: busybox - spec: - containers: - - image: ghcr.io/kyverno/test-busybox:1.35 - name: busybox - resources: - requests: - cpu: 10m - restartPolicy: OnFailure - diff --git a/other-cel/forbid-cpu-limits/.chainsaw-test/pods-bad.yaml b/other-cel/forbid-cpu-limits/.chainsaw-test/pods-bad.yaml deleted file mode 100644 index 80ae12300..000000000 --- a/other-cel/forbid-cpu-limits/.chainsaw-test/pods-bad.yaml +++ /dev/null 
@@ -1,29 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: bad01 -spec: - containers: - - name: webserver1 - image: ghcr.io/kyverno/test-busybox:1.35 - resources: - limits: - cpu: 10m ---- -apiVersion: v1 -kind: Pod -metadata: - name: bad02 -spec: - containers: - - name: webserver1 - image: ghcr.io/kyverno/test-busybox:1.35 - resources: - requests: - cpu: 10m - - name: webserver2 - image: ghcr.io/kyverno/test-busybox:1.35 - resources: - limits: - cpu: 10m - diff --git a/other-cel/forbid-cpu-limits/.chainsaw-test/pods-good.yaml b/other-cel/forbid-cpu-limits/.chainsaw-test/pods-good.yaml deleted file mode 100644 index 44c8c9ae3..000000000 --- a/other-cel/forbid-cpu-limits/.chainsaw-test/pods-good.yaml +++ /dev/null @@ -1,21 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: good01 -spec: - containers: - - name: webserver1 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: v1 -kind: Pod -metadata: - name: good02 -spec: - containers: - - name: webserver1 - image: ghcr.io/kyverno/test-busybox:1.35 - resources: - requests: - cpu: 10m - diff --git a/other-cel/forbid-cpu-limits/.chainsaw-test/policy-ready.yaml b/other-cel/forbid-cpu-limits/.chainsaw-test/policy-ready.yaml deleted file mode 100755 index e3475173b..000000000 --- a/other-cel/forbid-cpu-limits/.chainsaw-test/policy-ready.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: forbid-cpu-limits -status: - conditions: - - reason: Succeeded - status: "True" - type: Ready - - diff --git a/other-cel/forbid-cpu-limits/.kyverno-test/kyverno-test.yaml b/other-cel/forbid-cpu-limits/.kyverno-test/kyverno-test.yaml deleted file mode 100644 index 7e3a2c5ef..000000000 --- a/other-cel/forbid-cpu-limits/.kyverno-test/kyverno-test.yaml +++ /dev/null 
@@ -1,24 +0,0 @@ -apiVersion: cli.kyverno.io/v1alpha1 -kind: Test -metadata: - name: forbid-cpu-limits -policies: -- ../forbid-cpu-limits.yaml -resources: -- resource.yaml -results: -- kind: Pod - policy: forbid-cpu-limits - resources: - - bad01 - - bad02 - result: fail - rule: check-cpu-limits -- kind: Pod - policy: forbid-cpu-limits - resources: - - good01 - - good02 - result: pass - rule: check-cpu-limits - diff --git a/other-cel/forbid-cpu-limits/.kyverno-test/resource.yaml b/other-cel/forbid-cpu-limits/.kyverno-test/resource.yaml deleted file mode 100644 index f29885f30..000000000 --- a/other-cel/forbid-cpu-limits/.kyverno-test/resource.yaml +++ /dev/null @@ -1,50 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: bad01 -spec: - containers: - - name: webserver1 - image: busybox:1.35 - resources: - limits: - cpu: 10m ---- -apiVersion: v1 -kind: Pod -metadata: - name: bad02 -spec: - containers: - - name: webserver1 - image: busybox:1.35 - resources: - requests: - cpu: 10m - - name: webserver2 - image: busybox:1.35 - resources: - limits: - cpu: 10m ---- -apiVersion: v1 -kind: Pod -metadata: - name: good01 -spec: - containers: - - name: webserver1 - image: busybox:1.35 ---- -apiVersion: v1 -kind: Pod -metadata: - name: good02 -spec: - containers: - - name: webserver1 - image: busybox:1.35 - resources: - requests: - cpu: 10m - diff --git a/other-cel/forbid-cpu-limits/artifacthub-pkg.yml b/other-cel/forbid-cpu-limits/artifacthub-pkg.yml deleted file mode 100644 index 956bbad74..000000000 --- a/other-cel/forbid-cpu-limits/artifacthub-pkg.yml +++ /dev/null 
@@ -1,24 +0,0 @@ -name: forbid-cpu-limits-cel -version: 1.0.0 -displayName: Forbid CPU Limits in CEL expressions -description: >- - Setting of CPU limits is a debatable poor practice as it can result, when defined, in potentially starving applications of much-needed CPU cycles even when they are available. Ensuring that CPU limits are not set may ensure apps run more effectively. This policy forbids any container in a Pod from defining CPU limits. -install: |- - ```shell - kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other-cel/forbid-cpu-limits/forbid-cpu-limits.yaml - ``` -keywords: - - kyverno - - Other - - CEL Expressions -readme: | - Setting of CPU limits is a debatable poor practice as it can result, when defined, in potentially starving applications of much-needed CPU cycles even when they are available. Ensuring that CPU limits are not set may ensure apps run more effectively. This policy forbids any container in a Pod from defining CPU limits. - - Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ -annotations: - kyverno/category: "Other in CEL" - kyverno/kubernetesVersion: "1.26-1.27" - kyverno/subject: "Pod" -digest: a3034659b216823d9f4c30bab521e3148817f7d21236e6ee755c94eef2b792a5 -createdAt: "2024-04-01T15:35:47Z" - diff --git a/other-cel/forbid-cpu-limits/forbid-cpu-limits.yaml b/other-cel/forbid-cpu-limits/forbid-cpu-limits.yaml deleted file mode 100644 index 8364ab7f4..000000000 --- a/other-cel/forbid-cpu-limits/forbid-cpu-limits.yaml +++ /dev/null 
@@ -1,35 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: forbid-cpu-limits - annotations: - policies.kyverno.io/title: Forbid CPU Limits in CEL expressions - policies.kyverno.io/category: Other in CEL - policies.kyverno.io/subject: Pod - kyverno.io/kyverno-version: 1.11.0 - kyverno.io/kubernetes-version: "1.26-1.27" - policies.kyverno.io/description: >- - Setting of CPU limits is a debatable poor practice as it can result, when defined, in potentially starving - applications of much-needed CPU cycles even when they are available. Ensuring that CPU limits are not - set may ensure apps run more effectively. This policy forbids any container in a Pod from defining CPU limits. -spec: - background: true - validationFailureAction: Audit - rules: - - name: check-cpu-limits - match: - any: - - resources: - kinds: - - Pod - operations: - - CREATE - - UPDATE - validate: - cel: - expressions: - - expression: >- - !object.spec.containers.exists(container, - container.?resources.?limits.?cpu.hasValue()) - message: Containers may not define CPU limits. - diff --git a/other-cel/imagepullpolicy-always/.chainsaw-test/chainsaw-test.yaml b/other-cel/imagepullpolicy-always/.chainsaw-test/chainsaw-test.yaml deleted file mode 100755 index 57f982b6f..000000000 --- a/other-cel/imagepullpolicy-always/.chainsaw-test/chainsaw-test.yaml +++ /dev/null 
@@ -1,41 +0,0 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json -apiVersion: chainsaw.kyverno.io/v1alpha1 -kind: Test -metadata: - creationTimestamp: null - name: imagepullpolicy-always -spec: - # disable templating because it can cause issues with CEL expressions - template: false - steps: - - name: step-01 - try: - - apply: - file: ../imagepullpolicy-always.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: imagepullpolicy-always - spec: - validationFailureAction: Enforce - - assert: - file: policy-ready.yaml - - name: step-02 - try: - - apply: - file: pod-good.yaml - - apply: - file: podcontroller-good.yaml - - apply: - expect: - - check: - ($error != null): true - file: pod-bad.yaml - - apply: - expect: - - check: - ($error != null): true - file: podcontroller-bad.yaml - diff --git a/other-cel/imagepullpolicy-always/.chainsaw-test/pod-bad.yaml b/other-cel/imagepullpolicy-always/.chainsaw-test/pod-bad.yaml deleted file mode 100644 index 39daa206c..000000000 --- a/other-cel/imagepullpolicy-always/.chainsaw-test/pod-bad.yaml +++ /dev/null 
@@ -1,45 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: badpod01 -spec: - containers: - - name: pod01 - image: ghcr.io/kyverno/test-busybox:latest - imagePullPolicy: Never ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod02 -spec: - containers: - - name: pod01 - image: ghcr.io/kyverno/test-busybox - imagePullPolicy: IfNotPresent ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod03 -spec: - containers: - - name: pod01 - image: ghcr.io/kyverno/test-busybox:latest - imagePullPolicy: Always - - name: pod02 - image: ghcr.io/kyverno/test-busybox:latest - imagePullPolicy: IfNotPresent ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod04 -spec: - containers: - - name: pod01 - image: ghcr.io/kyverno/test-busybox:latest - imagePullPolicy: Never - - name: pod02 - image: ghcr.io/kyverno/test-busybox:1.35 - diff --git a/other-cel/imagepullpolicy-always/.chainsaw-test/pod-good.yaml b/other-cel/imagepullpolicy-always/.chainsaw-test/pod-good.yaml deleted file mode 100644 index c8a62a5f0..000000000 --- a/other-cel/imagepullpolicy-always/.chainsaw-test/pod-good.yaml +++ /dev/null 
@@ -1,62 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: goodpod01 -spec: - containers: - - name: pod01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod02 -spec: - containers: - - name: pod01 - image: ghcr.io/kyverno/test-busybox # by default, imagePullPolicy: Always ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod03 -spec: - containers: - - name: pod01 - image: ghcr.io/kyverno/test-busybox:latest # by default, imagePullPolicy: Always ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod04 -spec: - containers: - - name: pod01 - image: ghcr.io/kyverno/test-busybox:latest - imagePullPolicy: Always ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod05 -spec: - containers: - - name: pod01 - image: ghcr.io/kyverno/test-busybox:latest - imagePullPolicy: Always - - name: pod02 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod06 -spec: - containers: - - name: pod01 - image: ghcr.io/kyverno/test-busybox:1.35 - imagePullPolicy: IfNotPresent - - name: pod02 - image: ghcr.io/kyverno/test-busybox:latest - imagePullPolicy: Always - diff --git a/other-cel/imagepullpolicy-always/.chainsaw-test/podcontroller-bad.yaml b/other-cel/imagepullpolicy-always/.chainsaw-test/podcontroller-bad.yaml deleted file mode 100644 index 3e5f3952b..000000000 --- a/other-cel/imagepullpolicy-always/.chainsaw-test/podcontroller-bad.yaml +++ /dev/null 
@@ -1,48 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app: busybox - name: baddeployment01 -spec: - replicas: 1 - selector: - matchLabels: - app: busybox - strategy: {} - template: - metadata: - labels: - app: busybox - spec: - containers: - - name: bb01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: bb02 - image: ghcr.io/kyverno/test-busybox:latest - imagePullPolicy: Never - - name: bb03 - image: ghcr.io/kyverno/test-busybox - imagePullPolicy: IfNotPresent ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob01 -spec: - schedule: "* * * * *" - jobTemplate: - spec: - template: - spec: - containers: - - name: bb01 - image: ghcr.io/kyverno/test-busybox:latest - imagePullPolicy: Never - - name: bb02 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: bb03 - image: ghcr.io/kyverno/test-busybox - imagePullPolicy: IfNotPresent - restartPolicy: OnFailure - diff --git a/other-cel/imagepullpolicy-always/.chainsaw-test/podcontroller-good.yaml b/other-cel/imagepullpolicy-always/.chainsaw-test/podcontroller-good.yaml deleted file mode 100644 index 3d2304f54..000000000 --- a/other-cel/imagepullpolicy-always/.chainsaw-test/podcontroller-good.yaml +++ /dev/null 
@@ -1,44 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app: busybox - name: gooddeployment01 -spec: - replicas: 1 - selector: - matchLabels: - app: busybox - strategy: {} - template: - metadata: - labels: - app: busybox - spec: - containers: - - name: bb01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: bb02 - image: ghcr.io/kyverno/test-busybox:latest - - name: bb03 - image: ghcr.io/kyverno/test-busybox ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob01 -spec: - schedule: "* * * * *" - jobTemplate: - spec: - template: - spec: - containers: - - name: bb01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: bb02 - image: ghcr.io/kyverno/test-busybox:latest - - name: bb03 - image: ghcr.io/kyverno/test-busybox - restartPolicy: OnFailure - diff --git a/other-cel/imagepullpolicy-always/.chainsaw-test/policy-ready.yaml b/other-cel/imagepullpolicy-always/.chainsaw-test/policy-ready.yaml deleted file mode 100755 index b103315ed..000000000 --- a/other-cel/imagepullpolicy-always/.chainsaw-test/policy-ready.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: imagepullpolicy-always -status: - conditions: - - reason: Succeeded - status: "True" - type: Ready - - diff --git a/other-cel/imagepullpolicy-always/.kyverno-test/kyverno-test.yaml b/other-cel/imagepullpolicy-always/.kyverno-test/kyverno-test.yaml deleted file mode 100644 index c5406a07a..000000000 --- a/other-cel/imagepullpolicy-always/.kyverno-test/kyverno-test.yaml +++ /dev/null 
@@ -1,34 +0,0 @@ -apiVersion: cli.kyverno.io/v1alpha1 -kind: Test -metadata: - name: imagepullpolicy-always -policies: -- ../imagepullpolicy-always.yaml -resources: -- resource.yaml -results: -- kind: Deployment - policy: imagepullpolicy-always - resources: - - mydeploy1 - result: fail - rule: imagepullpolicy-always -- kind: Pod - policy: imagepullpolicy-always - resources: - - myapp-pod-2 - result: fail - rule: imagepullpolicy-always -- kind: Deployment - policy: imagepullpolicy-always - resources: - - mydeploy2 - result: pass - rule: imagepullpolicy-always -- kind: Pod - policy: imagepullpolicy-always - resources: - - myapp-pod-1 - result: pass - rule: imagepullpolicy-always - diff --git a/other-cel/imagepullpolicy-always/.kyverno-test/resource.yaml b/other-cel/imagepullpolicy-always/.kyverno-test/resource.yaml deleted file mode 100644 index 4df92e40f..000000000 --- a/other-cel/imagepullpolicy-always/.kyverno-test/resource.yaml +++ /dev/null @@ -1,68 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: myapp-pod-1 - labels: - app: myapp-1 -spec: - containers: - - name: nginx - image: nginx:latest - imagePullPolicy: "Always" - ---- -apiVersion: v1 -kind: Pod -metadata: - name: myapp-pod-2 - labels: - app: myapp-2 -spec: - containers: - - name: nginx - image: nginx:latest - imagePullPolicy: "IfNotPresent" ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: mydeploy1 -spec: - replicas: 2 - selector: - matchLabels: - app: myapp - template: - metadata: - labels: - app: myapp - spec: - containers: - - name: nginx - image: nginx - imagePullPolicy: "IfNotPresent" - ports: - - containerPort: 80 - ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: mydeploy2 -spec: - replicas: 2 - selector: - matchLabels: - app: myapp - template: - metadata: - labels: - app: myapp - spec: - containers: - - name: nginx - image: nginx - imagePullPolicy: "Always" - ports: - - containerPort: 80 - 
diff --git a/other-cel/imagepullpolicy-always/artifacthub-pkg.yml b/other-cel/imagepullpolicy-always/artifacthub-pkg.yml deleted file mode 100644 index cf2c42e25..000000000 --- a/other-cel/imagepullpolicy-always/artifacthub-pkg.yml +++ /dev/null @@ -1,24 +0,0 @@ -name: imagepullpolicy-always-cel -version: 1.0.0 -displayName: Require imagePullPolicy Always in CEL expressions -description: >- - If the `latest` tag is allowed for images, it is a good idea to have the imagePullPolicy field set to `Always` to ensure should that tag be overwritten that future pulls will get the updated image. This policy validates the imagePullPolicy is set to `Always` when the `latest` tag is specified explicitly or where a tag is not defined at all. -install: |- - ```shell - kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other-cel/imagepullpolicy-always/imagepullpolicy-always.yaml - ``` -keywords: - - kyverno - - Sample - - CEL Expressions -readme: | - If the `latest` tag is allowed for images, it is a good idea to have the imagePullPolicy field set to `Always` to ensure should that tag be overwritten that future pulls will get the updated image. This policy validates the imagePullPolicy is set to `Always` when the `latest` tag is specified explicitly or where a tag is not defined at all. - - Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ -annotations: - kyverno/category: "Sample in CEL" - kyverno/kubernetesVersion: "1.26-1.27" - kyverno/subject: "Pod" -digest: 48bf801d9acfef85768bf1f9fb3820a6cee3b9f87acb7a4f07f2449d193934cb -createdAt: "2024-04-03T17:41:38Z" - diff --git a/other-cel/imagepullpolicy-always/imagepullpolicy-always.yaml b/other-cel/imagepullpolicy-always/imagepullpolicy-always.yaml deleted file mode 100644 index e80b97cc3..000000000 --- a/other-cel/imagepullpolicy-always/imagepullpolicy-always.yaml +++ /dev/null 
@@ -1,39 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: imagepullpolicy-always - annotations: - policies.kyverno.io/title: Require imagePullPolicy Always in CEL expressions - policies.kyverno.io/category: Sample in CEL - policies.kyverno.io/severity: medium - policies.kyverno.io/subject: Pod - policies.kyverno.io/minversion: 1.11.0 - kyverno.io/kubernetes-version: "1.26-1.27" - policies.kyverno.io/description: >- - If the `latest` tag is allowed for images, it is a good idea to have the - imagePullPolicy field set to `Always` to ensure should that tag be overwritten that future - pulls will get the updated image. This policy validates the imagePullPolicy is set to `Always` - when the `latest` tag is specified explicitly or where a tag is not defined at all. -spec: - validationFailureAction: Audit - background: true - rules: - - name: imagepullpolicy-always - match: - any: - - resources: - kinds: - - Pod - operations: - - CREATE - - UPDATE - validate: - cel: - expressions: - - expression: >- - object.spec.containers.all(container, - (container.image.endsWith(':latest') || !container.image.contains(':')) ? - container.imagePullPolicy == 'Always' : true) - message: >- - The imagePullPolicy must be set to `Always` when the tag `latest` is used. - diff --git a/other-cel/ingress-host-match-tls/.chainsaw-test/chainsaw-test.yaml b/other-cel/ingress-host-match-tls/.chainsaw-test/chainsaw-test.yaml deleted file mode 100755 index 598ffcf65..000000000 --- a/other-cel/ingress-host-match-tls/.chainsaw-test/chainsaw-test.yaml +++ /dev/null 
@@ -1,34 +0,0 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json -apiVersion: chainsaw.kyverno.io/v1alpha1 -kind: Test -metadata: - creationTimestamp: null - name: ingress-host-match-tls -spec: - # disable templating because it can cause issues with CEL expressions - template: false - steps: - - name: step-01 - try: - - apply: - file: ../ingress-host-match-tls.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: ingress-host-match-tls - spec: - validationFailureAction: Enforce - - assert: - file: policy-ready.yaml - - name: step-02 - try: - - apply: - file: ingress-good.yaml - - apply: - expect: - - check: - ($error != null): true - file: ingress-bad.yaml - diff --git a/other-cel/ingress-host-match-tls/.chainsaw-test/ingress-bad.yaml b/other-cel/ingress-host-match-tls/.chainsaw-test/ingress-bad.yaml deleted file mode 100644 index 4ac1a456a..000000000 --- a/other-cel/ingress-host-match-tls/.chainsaw-test/ingress-bad.yaml +++ /dev/null 
@@ -1,83 +0,0 @@ -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: badingress01 -spec: - ingressClassName: someingress - rules: - - host: endpoint01 - http: - paths: - - backend: - service: - name: demo-svc - port: - number: 8080 - path: / - pathType: Prefix - tls: - - hosts: - - endpoint99 ---- -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: badingress02 -spec: - ingressClassName: someingress - rules: - - host: endpoint01 - http: - paths: - - backend: - service: - name: demo-svc - port: - number: 8080 - path: / - pathType: Prefix - - host: endpoint02 - http: - paths: - - backend: - service: - name: demo-svc - port: - number: 8080 - path: / - pathType: Prefix - tls: - - hosts: - - endpoint03 ---- -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: badingress03 -spec: - ingressClassName: someingress - rules: - - host: endpoint01 - http: - paths: - - backend: - service: - name: demo-svc - port: - number: 8080 - path: / - pathType: Prefix - - host: endpoint02 - http: - paths: - - backend: - service: - name: demo-svc - port: - number: 8080 - path: / - pathType: Prefix - tls: - - hosts: - - endpoint01 - diff --git a/other-cel/ingress-host-match-tls/.chainsaw-test/ingress-good.yaml b/other-cel/ingress-host-match-tls/.chainsaw-test/ingress-good.yaml deleted file mode 100644 index c1ef3d3dd..000000000 --- a/other-cel/ingress-host-match-tls/.chainsaw-test/ingress-good.yaml +++ /dev/null 
@@ -1,202 +0,0 @@ -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: goodingress01 -spec: - ingressClassName: someingress - rules: - - host: endpoint01 - http: - paths: - - backend: - service: - name: demo-svc - port: - number: 8080 - path: / - pathType: Prefix - tls: - - hosts: - - endpoint01 ---- -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: goodingress02 -spec: - ingressClassName: nginx-int - rules: - - host: endpoint01 - http: - paths: - - path: /testpath - pathType: Prefix - backend: - service: - name: test - port: - number: 80 - - host: endpoint02 - http: - paths: - - path: /testpath - pathType: Prefix - backend: - service: - name: test - port: - number: 80 - tls: - - hosts: - - endpoint01 - - endpoint02 ---- -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: goodingress03 -spec: - ingressClassName: nginx-int - rules: - - host: endpoint01 - http: - paths: - - path: /testpath - pathType: Prefix - backend: - service: - name: test - port: - number: 80 - - host: endpoint02 - http: - paths: - - path: /testpath - pathType: Prefix - backend: - service: - name: test - port: - number: 80 - tls: - - hosts: - - endpoint02 - - endpoint01 ---- -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: goodingress04 -spec: - ingressClassName: nginx-int - rules: - - host: endpoint02 - http: - paths: - - path: /testpath - pathType: Prefix - backend: - service: - name: test - port: - number: 80 - - host: endpoint01 - http: - paths: - - path: /testpath - pathType: Prefix - backend: - service: - name: test - port: - number: 80 - tls: - - hosts: - - endpoint01 - - endpoint02 ---- -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: goodingress05 -spec: - ingressClassName: nginx-int - rules: - - host: foo.bar.com - http: - paths: - - path: /testpath - pathType: Prefix - backend: - service: - name: test - port: - number: 80 - - host: endpoint02 - http: - paths: - - path: /testpath - pathType: Prefix - 
backend: - service: - name: test - port: - number: 80 - tls: - - hosts: - - endpoint02 - - foo.bar.com ---- -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: goodingress06 -spec: - ingressClassName: nginx-int - rules: - - host: endpoint01 - http: - paths: - - path: /foo - pathType: Prefix - backend: - service: - name: bar - port: - number: 80 - - host: "*.foo.com" - http: - paths: - - path: /bar - pathType: Prefix - backend: - service: - name: test - port: - number: 80 - tls: - - hosts: - - endpoint01 - - "*.foo.com" ---- -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: goodingress07 -spec: - defaultBackend: - resource: - apiGroup: k8s.example.com - kind: StorageBucket - name: foo-bar - rules: - - http: - paths: - - path: /foo - pathType: ImplementationSpecific - backend: - resource: - apiGroup: k8s.example.com - kind: StorageBucket - name: foo-bar - diff --git a/other-cel/ingress-host-match-tls/.chainsaw-test/policy-ready.yaml b/other-cel/ingress-host-match-tls/.chainsaw-test/policy-ready.yaml deleted file mode 100755 index 3ed69ae88..000000000 --- a/other-cel/ingress-host-match-tls/.chainsaw-test/policy-ready.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: ingress-host-match-tls -status: - conditions: - - reason: Succeeded - status: "True" - type: Ready - - diff --git a/other-cel/ingress-host-match-tls/.kyverno-test/kyverno-test.yaml b/other-cel/ingress-host-match-tls/.kyverno-test/kyverno-test.yaml deleted file mode 100644 index 0ce9eb5ef..000000000 --- a/other-cel/ingress-host-match-tls/.kyverno-test/kyverno-test.yaml +++ /dev/null 
@@ -1,26 +0,0 @@ -apiVersion: cli.kyverno.io/v1alpha1 -kind: Test -metadata: - name: ingress-host-match-tls -policies: -- ../ingress-host-match-tls.yaml -resources: -- resource.yaml -results: -- kind: Ingress - policy: ingress-host-match-tls - resources: - - badingress01 - - badingress02 - result: fail - rule: host-match-tls -- kind: Ingress - policy: ingress-host-match-tls - resources: - - goodingress01 - - goodingress02 - - goodingress03 - - goodingress04 - result: pass - rule: host-match-tls - diff --git a/other-cel/ingress-host-match-tls/.kyverno-test/resource.yaml b/other-cel/ingress-host-match-tls/.kyverno-test/resource.yaml deleted file mode 100644 index b83e8bf7f..000000000 --- a/other-cel/ingress-host-match-tls/.kyverno-test/resource.yaml +++ /dev/null 
@@ -1,170 +0,0 @@ ---- -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: badingress01 -spec: - ingressClassName: someingress - rules: - - host: endpoint01 - http: - paths: - - backend: - service: - name: demo-svc - port: - number: 8080 - path: / - pathType: Prefix - tls: - - hosts: - - endpoint99 ---- -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: badingress02 -spec: - ingressClassName: someingress - rules: - - host: endpoint01 - http: - paths: - - backend: - service: - name: demo-svc - port: - number: 8080 - path: / - pathType: Prefix - - host: endpoint02 - http: - paths: - - backend: - service: - name: demo-svc - port: - number: 8080 - path: / - pathType: Prefix - tls: - - hosts: - - endpoint03 ---- -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: goodingress01 -spec: - ingressClassName: someingress - rules: - - host: endpoint01 - http: - paths: - - backend: - service: - name: demo-svc - port: - number: 8080 - path: / - pathType: Prefix - tls: - - hosts: - - endpoint01 ---- -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: goodingress02 -spec: - ingressClassName: nginx-int - rules: - - host: endpoint01 - http: - paths: - - path: /testpath - pathType: Prefix - backend: - service: - name: test - port: - number: 80 - - host: endpoint02 - http: - paths: - - path: /testpath - pathType: Prefix - backend: - service: - name: test - port: - number: 80 - tls: - - hosts: - - endpoint01 - - endpoint02 ---- -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: goodingress03 -spec: - ingressClassName: nginx-int - rules: - - host: endpoint01 - http: - paths: - - path: /testpath - pathType: Prefix - backend: - service: - name: test - port: - number: 80 - - host: endpoint02 - http: - paths: - - path: /testpath - pathType: Prefix - backend: - service: - name: test - port: - number: 80 - tls: - - hosts: - - endpoint02 - - endpoint01 ---- -apiVersion: networking.k8s.io/v1 -kind: Ingress 
-metadata: - name: goodingress04 -spec: - ingressClassName: nginx-int - rules: - - host: endpoint02 - http: - paths: - - path: /testpath - pathType: Prefix - backend: - service: - name: test - port: - number: 80 - - host: endpoint01 - http: - paths: - - path: /testpath - pathType: Prefix - backend: - service: - name: test - port: - number: 80 - tls: - - hosts: - - endpoint01 - - endpoint02 - diff --git a/other-cel/ingress-host-match-tls/artifacthub-pkg.yml b/other-cel/ingress-host-match-tls/artifacthub-pkg.yml deleted file mode 100644 index 7f683b2ce..000000000 --- a/other-cel/ingress-host-match-tls/artifacthub-pkg.yml +++ /dev/null @@ -1,24 +0,0 @@ -name: ingress-host-match-tls-cel -version: 1.0.0 -displayName: Ingress Host Match TLS in CEL expressions -description: >- - Ingress resources which name a host name that is not present in the TLS section can produce ingress routing failures as a TLS certificate may not correspond to the destination host. This policy ensures that the host name in an Ingress rule is also found in the list of TLS hosts. -install: |- - ```shell - kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other-cel/ingress-host-match-tls/ingress-host-match-tls.yaml - ``` -keywords: - - kyverno - - Other - - CEL Expressions -readme: | - Ingress resources which name a host name that is not present in the TLS section can produce ingress routing failures as a TLS certificate may not correspond to the destination host. This policy ensures that the host name in an Ingress rule is also found in the list of TLS hosts. - - Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ -annotations: - kyverno/category: "Other in CEL" - kyverno/kubernetesVersion: "1.26-1.27" - kyverno/subject: "Ingress" -digest: 026f0c19f0c775abfc9887a91f1b323c327f73dfe68a360ef566ee208fec55bb -createdAt: "2024-04-06T17:22:38Z" - 
diff --git a/other-cel/ingress-host-match-tls/ingress-host-match-tls.yaml b/other-cel/ingress-host-match-tls/ingress-host-match-tls.yaml deleted file mode 100644 index b059e8333..000000000 --- a/other-cel/ingress-host-match-tls/ingress-host-match-tls.yaml +++ /dev/null @@ -1,43 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: ingress-host-match-tls - annotations: - policies.kyverno.io/title: Ingress Host Match TLS in CEL expressions - policies.kyverno.io/category: Other in CEL - policies.kyverno.io/severity: medium - kyverno.io/kyverno-version: 1.11.0 - policies.kyverno.io/minversion: 1.11.0 - kyverno.io/kubernetes-version: "1.26-1.27" - policies.kyverno.io/subject: Ingress - policies.kyverno.io/description: >- - Ingress resources which name a host name that is not present - in the TLS section can produce ingress routing failures as a TLS - certificate may not correspond to the destination host. This policy - ensures that the host name in an Ingress rule is also found - in the list of TLS hosts. -spec: - background: false - validationFailureAction: Audit - rules: - - name: host-match-tls - match: - any: - - resources: - kinds: - - Ingress - operations: - - CREATE - - UPDATE - validate: - cel: - variables: - - name: tls - expression: "object.spec.?tls.orValue([])" - expressions: - - expression: >- - object.spec.rules.all(rule, - !has(rule.host) || - variables.tls.exists(tls, tls.?hosts.orValue([]).exists(tlsHost, tlsHost == rule.host))) - message: "The host(s) in spec.rules[].host must match those in spec.tls[].hosts[]." - diff --git a/other-cel/limit-containers-per-pod/.chainsaw-test/chainsaw-test.yaml b/other-cel/limit-containers-per-pod/.chainsaw-test/chainsaw-test.yaml deleted file mode 100755 index f8fb80346..000000000 --- a/other-cel/limit-containers-per-pod/.chainsaw-test/chainsaw-test.yaml +++ /dev/null 
@@ -1,41 +0,0 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json -apiVersion: chainsaw.kyverno.io/v1alpha1 -kind: Test -metadata: - creationTimestamp: null - name: limit-containers-per-pod -spec: - # disable templating because it can cause issues with CEL expressions - template: false - steps: - - name: step-01 - try: - - apply: - file: ../limit-containers-per-pod.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: limit-containers-per-pod - spec: - validationFailureAction: Enforce - - assert: - file: policy-ready.yaml - - name: step-02 - try: - - apply: - file: pod-good.yaml - - apply: - file: podcontroller-good.yaml - - apply: - expect: - - check: - ($error != null): true - file: pod-bad.yaml - - apply: - expect: - - check: - ($error != null): true - file: podcontroller-bad.yaml - diff --git a/other-cel/limit-containers-per-pod/.chainsaw-test/pod-bad.yaml b/other-cel/limit-containers-per-pod/.chainsaw-test/pod-bad.yaml deleted file mode 100644 index 6ff94d1e4..000000000 --- a/other-cel/limit-containers-per-pod/.chainsaw-test/pod-bad.yaml +++ /dev/null @@ -1,17 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: badpod01 -spec: - containers: - - name: pod01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: pod02 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: pod03 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: pod04 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: pod05 - image: ghcr.io/kyverno/test-busybox:1.35 - diff --git a/other-cel/limit-containers-per-pod/.chainsaw-test/pod-good.yaml b/other-cel/limit-containers-per-pod/.chainsaw-test/pod-good.yaml deleted file mode 100644 index 3d2e6cdf1..000000000 --- a/other-cel/limit-containers-per-pod/.chainsaw-test/pod-good.yaml +++ /dev/null 
@@ -1,26 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: goodpod01 -spec: - containers: - - name: pod01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: pod02 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: pod03 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: pod04 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod02 -spec: - containers: - - name: pod01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: pod02 - image: ghcr.io/kyverno/test-busybox:1.35 - diff --git a/other-cel/limit-containers-per-pod/.chainsaw-test/podcontroller-bad.yaml b/other-cel/limit-containers-per-pod/.chainsaw-test/podcontroller-bad.yaml deleted file mode 100644 index 511d40c8a..000000000 --- a/other-cel/limit-containers-per-pod/.chainsaw-test/podcontroller-bad.yaml +++ /dev/null @@ -1,52 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app: busybox - name: baddeployment01 -spec: - replicas: 1 - selector: - matchLabels: - app: busybox - strategy: {} - template: - metadata: - labels: - app: busybox - spec: - containers: - - name: bb01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: bb02 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: bb03 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: bb04 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: bb05 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob01 -spec: - schedule: "* * * * *" - jobTemplate: - spec: - template: - spec: - containers: - - name: bb01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: bb02 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: bb03 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: bb04 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: bb05 - image: ghcr.io/kyverno/test-busybox:1.35 - restartPolicy: OnFailure - 
diff --git a/other-cel/limit-containers-per-pod/.chainsaw-test/podcontroller-good.yaml b/other-cel/limit-containers-per-pod/.chainsaw-test/podcontroller-good.yaml deleted file mode 100644 index d24d66705..000000000 --- a/other-cel/limit-containers-per-pod/.chainsaw-test/podcontroller-good.yaml +++ /dev/null @@ -1,48 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app: busybox - name: gooddeployment01 -spec: - replicas: 1 - selector: - matchLabels: - app: busybox - strategy: {} - template: - metadata: - labels: - app: busybox - spec: - containers: - - name: bb01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: bb02 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: bb03 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: bb04 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob01 -spec: - schedule: "* * * * *" - jobTemplate: - spec: - template: - spec: - containers: - - name: bb01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: bb02 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: bb03 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: bb04 - image: ghcr.io/kyverno/test-busybox:1.35 - restartPolicy: OnFailure - diff --git a/other-cel/limit-containers-per-pod/.chainsaw-test/policy-ready.yaml b/other-cel/limit-containers-per-pod/.chainsaw-test/policy-ready.yaml deleted file mode 100755 index 667e425d2..000000000 --- a/other-cel/limit-containers-per-pod/.chainsaw-test/policy-ready.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: limit-containers-per-pod -status: - conditions: - - reason: Succeeded - status: "True" - type: Ready - - diff --git a/other-cel/limit-containers-per-pod/.kyverno-test/kyverno-test.yaml b/other-cel/limit-containers-per-pod/.kyverno-test/kyverno-test.yaml deleted file mode 100644 index 807b38981..000000000 --- a/other-cel/limit-containers-per-pod/.kyverno-test/kyverno-test.yaml +++ /dev/null 
@@ -1,34 +0,0 @@ -apiVersion: cli.kyverno.io/v1alpha1 -kind: Test -metadata: - name: limit-containers-per-pod -policies: -- ../limit-containers-per-pod.yaml -resources: -- resource.yaml -results: -- kind: CronJob - policy: limit-containers-per-pod - resources: - - mycronjob - result: fail - rule: autogen-cronjob-limit-containers-per-pod -- kind: Deployment - policy: limit-containers-per-pod - resources: - - mydeploy - result: pass - rule: autogen-limit-containers-per-pod -- kind: Pod - policy: limit-containers-per-pod - resources: - - myapp-pod-2 - result: fail - rule: limit-containers-per-pod -- kind: Pod - policy: limit-containers-per-pod - resources: - - myapp-pod-1 - result: pass - rule: limit-containers-per-pod - diff --git a/other-cel/limit-containers-per-pod/.kyverno-test/resource.yaml b/other-cel/limit-containers-per-pod/.kyverno-test/resource.yaml deleted file mode 100644 index e39bdd108..000000000 --- a/other-cel/limit-containers-per-pod/.kyverno-test/resource.yaml +++ /dev/null 
@@ -1,76 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: myapp-pod-1 - labels: - app: myapp -spec: - containers: - - name: nginx - image: nginx:latest - ---- -apiVersion: v1 -kind: Pod -metadata: - name: myapp-pod-2 - labels: - app: myapp -spec: - containers: - - name: nginx1 - image: nginx:latest - - name: nginx2 - image: nginx:latest - - name: nginx3 - image: nginx:latest - - name: nginx4 - image: nginx:latest - - name: nginx5 - image: nginx:latest - ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: mydeploy -spec: - replicas: 2 - selector: - matchLabels: - app: myapp - template: - metadata: - labels: - app: myapp - spec: - containers: - - name: nginx - image: nginx - ports: - - containerPort: 80 - ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: mycronjob -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - containers: - - name: hello1 - image: busybox - - name: hello2 - image: busybox - - name: hello3 - image: busybox - - name: hello4 - image: busybox - - name: hello5 - image: busybox - restartPolicy: OnFailure - diff --git a/other-cel/limit-containers-per-pod/artifacthub-pkg.yml b/other-cel/limit-containers-per-pod/artifacthub-pkg.yml deleted file mode 100644 index 85e7e2dc5..000000000 --- a/other-cel/limit-containers-per-pod/artifacthub-pkg.yml +++ /dev/null 
@@ -1,24 +0,0 @@ -name: limit-containers-per-pod-cel -version: 1.0.0 -displayName: Limit Containers per Pod in CEL expressions -description: >- - Pods can have many different containers which are tightly coupled. It may be desirable to limit the amount of containers that can be in a single Pod to control best practice application or so policy can be applied consistently. This policy checks all Pods to ensure they have no more than four containers. -install: |- - ```shell - kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other-cel/limit-containers-per-pod/limit-containers-per-pod.yaml - ``` -keywords: - - kyverno - - Sample - - CEL Expressions -readme: | - Pods can have many different containers which are tightly coupled. It may be desirable to limit the amount of containers that can be in a single Pod to control best practice application or so policy can be applied consistently. This policy checks all Pods to ensure they have no more than four containers. - - Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ -annotations: - kyverno/category: "Sample in CEL" - kyverno/kubernetesVersion: "1.26-1.27" - kyverno/subject: "Pod" -digest: 6a915cbe21250809e2e9665f9b79dde5f9b1fc77f2538c5f25ec9c5dda86a00b -createdAt: "2024-04-01T15:48:55Z" - diff --git a/other-cel/limit-containers-per-pod/limit-containers-per-pod.yaml b/other-cel/limit-containers-per-pod/limit-containers-per-pod.yaml deleted file mode 100644 index 7c14dc3e6..000000000 --- a/other-cel/limit-containers-per-pod/limit-containers-per-pod.yaml +++ /dev/null 
@@ -1,35 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: limit-containers-per-pod - annotations: - policies.kyverno.io/title: Limit Containers per Pod in CEL expressions - policies.kyverno.io/category: Sample in CEL - policies.kyverno.io/minversion: 1.11.0 - kyverno.io/kubernetes-version: "1.26-1.27" - policies.kyverno.io/subject: Pod - policies.kyverno.io/description: >- - Pods can have many different containers which - are tightly coupled. It may be desirable to limit the amount of containers that - can be in a single Pod to control best practice application or so policy can - be applied consistently. This policy checks all Pods to ensure they have - no more than four containers. -spec: - validationFailureAction: Audit - background: false - rules: - - name: limit-containers-per-pod - match: - any: - - resources: - kinds: - - Pod - operations: - - CREATE - - UPDATE - validate: - cel: - expressions: - - expression: "size(object.spec.containers) <= 4" - message: "Pods can only have a maximum of 4 containers." - diff --git a/other-cel/limit-hostpath-type-pv/.chainsaw-test/chainsaw-test.yaml b/other-cel/limit-hostpath-type-pv/.chainsaw-test/chainsaw-test.yaml deleted file mode 100755 index 2fbaea93a..000000000 --- a/other-cel/limit-hostpath-type-pv/.chainsaw-test/chainsaw-test.yaml +++ /dev/null 
@@ -1,34 +0,0 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json -apiVersion: chainsaw.kyverno.io/v1alpha1 -kind: Test -metadata: - creationTimestamp: null - name: limit-hostpath-type-pv -spec: - # disable templating because it can cause issues with CEL expressions - template: false - steps: - - name: step-01 - try: - - apply: - file: ../limit-hostpath-type-pv.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: limit-hostpath-type-pv - spec: - validationFailureAction: Enforce - - assert: - file: policy-ready.yaml - - name: step-02 - try: - - apply: - file: pv-good.yaml - - apply: - expect: - - check: - ($error != null): true - file: pv-bad.yaml - diff --git a/other-cel/limit-hostpath-type-pv/.chainsaw-test/policy-ready.yaml b/other-cel/limit-hostpath-type-pv/.chainsaw-test/policy-ready.yaml deleted file mode 100755 index b72728c58..000000000 --- a/other-cel/limit-hostpath-type-pv/.chainsaw-test/policy-ready.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: limit-hostpath-type-pv -status: - conditions: - - reason: Succeeded - status: "True" - type: Ready - - diff --git a/other-cel/limit-hostpath-type-pv/.chainsaw-test/pv-bad.yaml b/other-cel/limit-hostpath-type-pv/.chainsaw-test/pv-bad.yaml deleted file mode 100644 index 022e4ed2c..000000000 --- a/other-cel/limit-hostpath-type-pv/.chainsaw-test/pv-bad.yaml +++ /dev/null 
@@ -1,32 +0,0 @@ -apiVersion: v1 -kind: PersistentVolume -metadata: - name: bad-pv01 - labels: - type: local -spec: - storageClassName: manual - capacity: - storage: 5Gi - accessModes: - - ReadWriteOnce - persistentVolumeReclaimPolicy: Retain - hostPath: - path: "/etc" ---- -apiVersion: v1 -kind: PersistentVolume -metadata: - name: bad-pv02 - labels: - type: local -spec: - storageClassName: manual - capacity: - storage: 5Gi - accessModes: - - ReadWriteOnce - persistentVolumeReclaimPolicy: Retain - hostPath: - path: "/etc/data/home" - diff --git a/other-cel/limit-hostpath-type-pv/.chainsaw-test/pv-good.yaml b/other-cel/limit-hostpath-type-pv/.chainsaw-test/pv-good.yaml deleted file mode 100644 index 2dd25ac99..000000000 --- a/other-cel/limit-hostpath-type-pv/.chainsaw-test/pv-good.yaml +++ /dev/null @@ -1,32 +0,0 @@ -apiVersion: v1 -kind: PersistentVolume -metadata: - name: good-pv01 - labels: - type: local -spec: - storageClassName: manual - capacity: - storage: 5Gi - accessModes: - - ReadWriteOnce - persistentVolumeReclaimPolicy: Retain - hostPath: - path: "/data" ---- -apiVersion: v1 -kind: PersistentVolume -metadata: - name: good-pv02 - labels: - type: local -spec: - storageClassName: manual - capacity: - storage: 5Gi - accessModes: - - ReadWriteOnce - persistentVolumeReclaimPolicy: Retain - hostPath: - path: "/data/home" - diff --git a/other-cel/limit-hostpath-type-pv/.kyverno-test/kyverno-test.yaml b/other-cel/limit-hostpath-type-pv/.kyverno-test/kyverno-test.yaml deleted file mode 100644 index c736b0ec1..000000000 --- a/other-cel/limit-hostpath-type-pv/.kyverno-test/kyverno-test.yaml +++ /dev/null 
@@ -1,22 +0,0 @@ -apiVersion: cli.kyverno.io/v1alpha1 -kind: Test -metadata: - name: limit-hostpath-type-pv -policies: -- ../limit-hostpath-type-pv.yaml -resources: -- resource.yaml -results: -- kind: PersistentVolume - policy: limit-hostpath-type-pv - resources: - - bad-pv - result: fail - rule: limit-hostpath-type-pv-to-slash-data -- kind: PersistentVolume - policy: limit-hostpath-type-pv - resources: - - good-pv - result: pass - rule: limit-hostpath-type-pv-to-slash-data - diff --git a/other-cel/limit-hostpath-type-pv/.kyverno-test/resource.yaml b/other-cel/limit-hostpath-type-pv/.kyverno-test/resource.yaml deleted file mode 100644 index dd9a7b597..000000000 --- a/other-cel/limit-hostpath-type-pv/.kyverno-test/resource.yaml +++ /dev/null @@ -1,32 +0,0 @@ -apiVersion: v1 -kind: PersistentVolume -metadata: - name: good-pv - labels: - type: local -spec: - storageClassName: manual - capacity: - storage: 5Gi - accessModes: - - ReadWriteOnce - persistentVolumeReclaimPolicy: Retain - hostPath: - path: "/data" ---- -apiVersion: v1 -kind: PersistentVolume -metadata: - name: bad-pv - labels: - type: local -spec: - storageClassName: manual - capacity: - storage: 5Gi - accessModes: - - ReadWriteOnce - persistentVolumeReclaimPolicy: Retain - hostPath: - path: "/etc" - diff --git a/other-cel/limit-hostpath-type-pv/artifacthub-pkg.yml b/other-cel/limit-hostpath-type-pv/artifacthub-pkg.yml deleted file mode 100644 index fc2c77549..000000000 --- a/other-cel/limit-hostpath-type-pv/artifacthub-pkg.yml +++ /dev/null 
@@ -1,24 +0,0 @@ -name: limit-hostpath-type-pv-cel -version: 1.0.0 -displayName: Limit hostPath PersistentVolumes to Specific Directories in CEL expressions -description: >- - hostPath persistentvolumes consume the underlying node's file system. If hostPath volumes are not to be universally disabled, they should be restricted to only certain host paths so as not to allow access to sensitive information. This policy ensures the only directory that can be mounted as a hostPath volume is /data. -install: |- - ```shell - kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other-cel/limit-hostpath-type-pv/limit-hostpath-type-pv.yaml - ``` -keywords: - - kyverno - - Other - - CEL Expressions -readme: | - hostPath persistentvolumes consume the underlying node's file system. If hostPath volumes are not to be universally disabled, they should be restricted to only certain host paths so as not to allow access to sensitive information. This policy ensures the only directory that can be mounted as a hostPath volume is /data. - - Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ -annotations: - kyverno/category: "Other in CEL" - kyverno/kubernetesVersion: "1.26-1.27" - kyverno/subject: "PersistentVolume" -digest: 8f2f85798607f78ce3eb794c08df351a8c171629c64481d5d7575c33b8428333 -createdAt: "2024-04-04T17:35:35Z" - diff --git a/other-cel/limit-hostpath-type-pv/limit-hostpath-type-pv.yaml b/other-cel/limit-hostpath-type-pv/limit-hostpath-type-pv.yaml deleted file mode 100644 index b20bf2ba4..000000000 --- a/other-cel/limit-hostpath-type-pv/limit-hostpath-type-pv.yaml +++ /dev/null 
@@ -1,35 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: limit-hostpath-type-pv - annotations: - policies.kyverno.io/title: Limit hostPath PersistentVolumes to Specific Directories in CEL expressions - policies.kyverno.io/category: Other in CEL - policies.kyverno.io/severity: medium - policies.kyverno.io/subject: PersistentVolume - policies.kyverno.io/minversion: 1.11.0 - kyverno.io/kubernetes-version: "1.26-1.27" - policies.kyverno.io/description: >- - hostPath persistentvolumes consume the underlying node's file system. If hostPath volumes - are not to be universally disabled, they should be restricted to only certain - host paths so as not to allow access to sensitive information. This policy ensures - the only directory that can be mounted as a hostPath volume is /data. -spec: - background: false - validationFailureAction: Audit - rules: - - name: limit-hostpath-type-pv-to-slash-data - match: - any: - - resources: - kinds: - - PersistentVolume - operations: - - CREATE - - UPDATE - validate: - cel: - expressions: - - expression: "!has(object.spec.hostPath) || object.spec.hostPath.path.startsWith('/data')" - message: hostPath type persistent volumes are confined to /data. - diff --git a/other-cel/limit-hostpath-vols/.chainsaw-test/chainsaw-test.yaml b/other-cel/limit-hostpath-vols/.chainsaw-test/chainsaw-test.yaml deleted file mode 100755 index 30ace9483..000000000 --- a/other-cel/limit-hostpath-vols/.chainsaw-test/chainsaw-test.yaml +++ /dev/null 
@@ -1,38 +0,0 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json -apiVersion: chainsaw.kyverno.io/v1alpha1 -kind: Test -metadata: - creationTimestamp: null - name: limit-hostpath-vols -spec: - steps: - - name: step-01 - try: - - apply: - file: ../limit-hostpath-vols.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: limit-hostpath-vols - spec: - validationFailureAction: Enforce - - assert: - file: policy-ready.yaml - - name: step-02 - try: - - apply: - file: pod-good.yaml - - apply: - expect: - - check: - ($error != null): true - file: pod-bad.yaml - - apply: - file: podcontroller-good.yaml - - apply: - expect: - - check: - ($error != null): true - file: podcontroller-bad.yaml diff --git a/other-cel/limit-hostpath-vols/.chainsaw-test/pod-bad.yaml b/other-cel/limit-hostpath-vols/.chainsaw-test/pod-bad.yaml deleted file mode 100644 index b1f06d7b3..000000000 --- a/other-cel/limit-hostpath-vols/.chainsaw-test/pod-bad.yaml +++ /dev/null @@ -1,36 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: badpod01 -spec: - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 - volumes: - - name: foo - hostPath: - path: /data - - name: bar - hostPath: - path: /etc/junk - - name: empty - emptyDir: - medium: memory - sizeLimit: 20Mi ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod02 -spec: - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 - volumes: - - name: empty - emptyDir: - medium: memory - sizeLimit: 20Mi - - name: foo - hostPath: - path: /home/junk \ No newline at end of file diff --git a/other-cel/limit-hostpath-vols/.chainsaw-test/pod-good.yaml b/other-cel/limit-hostpath-vols/.chainsaw-test/pod-good.yaml deleted file mode 100644 index 5dc8241d3..000000000 --- a/other-cel/limit-hostpath-vols/.chainsaw-test/pod-good.yaml +++ /dev/null 
@@ -1,71 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: goodpod01 -spec: - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 - volumes: - - name: foo - hostPath: - path: /data - - name: bar - hostPath: - path: /data/junk - - name: empty - emptyDir: - medium: memory - sizeLimit: 20Mi ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod02 -spec: - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 - volumes: - - name: empty - emptyDir: - medium: memory - sizeLimit: 20Mi - - name: foo - hostPath: - path: /data/junk - - name: config-vol - configMap: - name: foo - items: - - key: foo - path: bar ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod03 -spec: - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 - volumes: - - name: empty - emptyDir: - medium: memory - sizeLimit: 20Mi - - name: config-vol - configMap: - name: foo - items: - - key: foo - path: bar ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod04 -spec: - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 \ No newline at end of file diff --git a/other-cel/limit-hostpath-vols/.chainsaw-test/podcontroller-bad.yaml b/other-cel/limit-hostpath-vols/.chainsaw-test/podcontroller-bad.yaml deleted file mode 100644 index 86152ffc0..000000000 --- a/other-cel/limit-hostpath-vols/.chainsaw-test/podcontroller-bad.yaml +++ /dev/null 
@@ -1,57 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app: busybox - name: baddeployment01 -spec: - replicas: 1 - selector: - matchLabels: - app: busybox - strategy: {} - template: - metadata: - labels: - app: busybox - spec: - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 - volumes: - - name: foo - hostPath: - path: /data - - name: bar - hostPath: - path: /etc/junk - - name: empty - emptyDir: - medium: memory - sizeLimit: 20Mi ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob01 -spec: - schedule: "* * * * *" - jobTemplate: - spec: - template: - spec: - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 - volumes: - - name: foo - hostPath: - path: /data - - name: bar - hostPath: - path: /etc/junk - - name: empty - emptyDir: - medium: memory - sizeLimit: 20Mi - restartPolicy: OnFailure \ No newline at end of file diff --git a/other-cel/limit-hostpath-vols/.chainsaw-test/podcontroller-good.yaml b/other-cel/limit-hostpath-vols/.chainsaw-test/podcontroller-good.yaml deleted file mode 100644 index 0eb07257d..000000000 --- a/other-cel/limit-hostpath-vols/.chainsaw-test/podcontroller-good.yaml +++ /dev/null 
@@ -1,63 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app: busybox - name: gooddeployment01 -spec: - replicas: 1 - selector: - matchLabels: - app: busybox - strategy: {} - template: - metadata: - labels: - app: busybox - spec: - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 - volumes: - - name: empty - emptyDir: - medium: memory - sizeLimit: 20Mi - - name: foo - hostPath: - path: /data/junk - - name: config-vol - configMap: - name: foo - items: - - key: foo - path: bar ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob01 -spec: - schedule: "* * * * *" - jobTemplate: - spec: - template: - spec: - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 - volumes: - - name: empty - emptyDir: - medium: memory - sizeLimit: 20Mi - - name: foo - hostPath: - path: /data/junk - - name: config-vol - configMap: - name: foo - items: - - key: foo - path: bar - restartPolicy: OnFailure \ No newline at end of file diff --git a/other-cel/limit-hostpath-vols/.chainsaw-test/policy-ready.yaml b/other-cel/limit-hostpath-vols/.chainsaw-test/policy-ready.yaml deleted file mode 100755 index 95cce276c..000000000 --- a/other-cel/limit-hostpath-vols/.chainsaw-test/policy-ready.yaml +++ /dev/null @@ -1,10 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: limit-hostpath-vols -status: - conditions: - - reason: Succeeded - status: "True" - type: Ready - diff --git a/other-cel/limit-hostpath-vols/.kyverno-test/badpod.yaml b/other-cel/limit-hostpath-vols/.kyverno-test/badpod.yaml deleted file mode 100644 index 52a2b193f..000000000 --- a/other-cel/limit-hostpath-vols/.kyverno-test/badpod.yaml +++ /dev/null 
@@ -1,36 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: bad-pods-all -spec: - initContainers: - - name: inittest-webserver - image: asdfeasdfasada:latest - # volumeMounts: - # - mountPath: /some/dir - # name: bar - # readOnly: true - containers: - - name: test-webserver - image: asdfeasdfasada:latest - volumeMounts: - - mountPath: /some/dir - name: foo - readOnly: true - - name: test-webserver02 - image: sjbonmqopcta:latest - # volumeMounts: - # - mountPath: /some/dir - # name: bar - # readOnly: true - volumes: - - name: foo - hostPath: - path: /etc - # - name: bar - # hostPath: - # path: /data/junk - - name: empty - emptyDir: - medium: memory - sizeLimit: 20Mi \ No newline at end of file diff --git a/other-cel/limit-hostpath-vols/.kyverno-test/goodpod.yaml b/other-cel/limit-hostpath-vols/.kyverno-test/goodpod.yaml deleted file mode 100644 index efa0d501a..000000000 --- a/other-cel/limit-hostpath-vols/.kyverno-test/goodpod.yaml +++ /dev/null @@ -1,36 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: good-pods-all -spec: - initContainers: - - name: inittest-webserver - image: asdfeasdfasada:latest - # volumeMounts: - # - mountPath: /some/dir - # name: bar - # readOnly: true - containers: - - name: test-webserver - image: asdfeasdfasada:latest - volumeMounts: - - mountPath: /some/dir - name: foo - readOnly: true - - name: test-webserver02 - image: sjbonmqopcta:latest - # volumeMounts: - # - mountPath: /some/dir - # name: bar - # readOnly: true - volumes: - - name: foo - hostPath: - path: /data - # - name: bar - # hostPath: - # path: /data/junk - - name: empty - emptyDir: - medium: memory - sizeLimit: 20Mi \ No newline at end of file diff --git a/other-cel/limit-hostpath-vols/.kyverno-test/kyverno-test.yaml b/other-cel/limit-hostpath-vols/.kyverno-test/kyverno-test.yaml deleted file mode 100644 index 904dc13b1..000000000 --- a/other-cel/limit-hostpath-vols/.kyverno-test/kyverno-test.yaml +++ /dev/null 
@@ -1,23 +0,0 @@ -apiVersion: cli.kyverno.io/v1alpha1 -kind: Test -metadata: - name: limit-hostpath-vols -policies: -- ../limit-hostpath-vols.yaml -resources: -- goodpod.yaml -- badpod.yaml -results: -- kind: Pod - policy: limit-hostpath-vols - resources: - - bad-pods-all - result: fail - rule: limit-hostpath-to-slash-data -- kind: Pod - policy: limit-hostpath-vols - resources: - - good-pods-all - result: pass - rule: limit-hostpath-to-slash-data -variables: values.yaml diff --git a/other-cel/limit-hostpath-vols/.kyverno-test/values.yaml b/other-cel/limit-hostpath-vols/.kyverno-test/values.yaml deleted file mode 100644 index f0bdd4ef1..000000000 --- a/other-cel/limit-hostpath-vols/.kyverno-test/values.yaml +++ /dev/null @@ -1,8 +0,0 @@ -apiVersion: cli.kyverno.io/v1alpha1 -kind: Values -policies: -- name: limit-hostpath-vols - resources: - - name: bad-pods-all - values: - request.operation: UPDATE diff --git a/other-cel/limit-hostpath-vols/artifacthub-pkg.yml b/other-cel/limit-hostpath-vols/artifacthub-pkg.yml deleted file mode 100644 index a8b2fc989..000000000 --- a/other-cel/limit-hostpath-vols/artifacthub-pkg.yml +++ /dev/null 
@@ -1,24 +0,0 @@ -name: limit-hostpath-vols-cel -version: 1.0.0 -displayName: Limit hostPath Volumes to Specific Directories in CEL expressions -description: >- - hostPath volumes consume the underlying node's file system. If hostPath volumes are not to be universally disabled, they should be restricted to only certain host paths so as not to allow access to sensitive information. This policy ensures the only directory that can be mounted as a hostPath volume is /data. It is strongly recommended to pair this policy with a second to ensure readOnly access is enforced preventing directory escape. -install: |- - ```shell - kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other-cel/limit-hostpath-vols/limit-hostpath-vols.yaml - ``` -keywords: - - kyverno - - Other - - CEL Expressions -readme: | - hostPath volumes consume the underlying node's file system. If hostPath volumes are not to be universally disabled, they should be restricted to only certain host paths so as not to allow access to sensitive information. This policy ensures the only directory that can be mounted as a hostPath volume is /data. It is strongly recommended to pair this policy with a second to ensure readOnly access is enforced preventing directory escape. - - Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ -annotations: - kyverno/category: "Other in CEL" - kyverno/kubernetesVersion: "1.26-1.27" - kyverno/subject: "Pod" -digest: 51afea296e6c4aeb11d29750b5733c36fa841da72841ecf78e74c1e3cb5c268b -createdAt: "2024-04-26T15:52:10Z" - diff --git a/other-cel/limit-hostpath-vols/limit-hostpath-vols.yaml b/other-cel/limit-hostpath-vols/limit-hostpath-vols.yaml deleted file mode 100644 index a1a94ab4a..000000000 --- a/other-cel/limit-hostpath-vols/limit-hostpath-vols.yaml +++ /dev/null 
@@ -1,41 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: limit-hostpath-vols - annotations: - policies.kyverno.io/title: Limit hostPath Volumes to Specific Directories in CEL expressions - policies.kyverno.io/category: Other in CEL - policies.kyverno.io/severity: medium - policies.kyverno.io/minversion: 1.11.0 - kyverno.io/kyverno-version: 1.11.0 - kyverno.io/kubernetes-version: "1.26-1.27" - policies.kyverno.io/subject: Pod - policies.kyverno.io/description: >- - hostPath volumes consume the underlying node's file system. If hostPath volumes - are not to be universally disabled, they should be restricted to only certain - host paths so as not to allow access to sensitive information. This policy ensures - the only directory that can be mounted as a hostPath volume is /data. It is strongly - recommended to pair this policy with a second to ensure readOnly - access is enforced preventing directory escape. -spec: - background: false - validationFailureAction: Audit - rules: - - name: limit-hostpath-to-slash-data - match: - any: - - resources: - kinds: - - Pod - operations: - - CREATE - - UPDATE - celPreconditions: - - name: "has-host-path-volume" - expression: "object.spec.?volumes.orValue([]).exists(volume, has(volume.hostPath))" - validate: - cel: - expressions: - - expression: "object.spec.volumes.all(volume, !has(volume.hostPath) || volume.hostPath.path.split('/')[1] == 'data')" - message: hostPath volumes are confined to /data. - diff --git a/other-cel/memory-requests-equal-limits/.chainsaw-test/chainsaw-test.yaml b/other-cel/memory-requests-equal-limits/.chainsaw-test/chainsaw-test.yaml deleted file mode 100755 index bc0c04e69..000000000 --- a/other-cel/memory-requests-equal-limits/.chainsaw-test/chainsaw-test.yaml +++ /dev/null 
@@ -1,41 +0,0 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json -apiVersion: chainsaw.kyverno.io/v1alpha1 -kind: Test -metadata: - creationTimestamp: null - name: memory-requests-equal-limits -spec: - # disable templating because it can cause issues with CEL expressions - template: false - steps: - - name: step-01 - try: - - apply: - file: ../memory-requests-equal-limits.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: memory-requests-equal-limits - spec: - validationFailureAction: Enforce - - assert: - file: policy-ready.yaml - - name: step-02 - try: - - apply: - file: pod-good.yaml - - apply: - expect: - - check: - ($error != null): true - file: pod-bad.yaml - - apply: - file: podcontroller-good.yaml - - apply: - expect: - - check: - ($error != null): true - file: podcontroller-bad.yaml - diff --git a/other-cel/memory-requests-equal-limits/.chainsaw-test/pod-bad.yaml b/other-cel/memory-requests-equal-limits/.chainsaw-test/pod-bad.yaml deleted file mode 100644 index 506be4759..000000000 --- a/other-cel/memory-requests-equal-limits/.chainsaw-test/pod-bad.yaml +++ /dev/null 
@@ -1,77 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: badpod01 -spec: - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 - resources: - requests: - memory: "100Mi" - limits: - memory: "200Mi" ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod02 -spec: - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 - resources: - requests: - memory: "10Mi" - limits: - memory: "140Mi" - - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 - resources: - requests: - memory: "100Mi" - limits: - memory: "150Mi" ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod03 -spec: - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 - resources: - requests: - memory: "120Mi" - limits: - memory: "120Mi" - - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 - resources: - requests: - memory: "100Mi" - limits: - memory: "150Mi" ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod04 -spec: - containers: - - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 - resources: - requests: - memory: "100Mi" - limits: - memory: "200Mi" - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 - resources: - requests: - memory: "100Mi" - limits: - memory: "100Mi" - diff --git a/other-cel/memory-requests-equal-limits/.chainsaw-test/pod-good.yaml b/other-cel/memory-requests-equal-limits/.chainsaw-test/pod-good.yaml deleted file mode 100644 index e191b9f1d..000000000 --- a/other-cel/memory-requests-equal-limits/.chainsaw-test/pod-good.yaml +++ /dev/null 
@@ -1,46 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: goodpod00 -spec: - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod01 -spec: - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 - resources: - requests: - memory: "100Mi" - limits: - memory: "100Mi" ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod02 -spec: - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 - resources: - requests: - memory: "100Mi" - limits: - memory: "100Mi" - - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: busybox03 - image: ghcr.io/kyverno/test-busybox:1.35 - resources: - requests: - memory: "50Mi" - limits: - memory: "50Mi" - diff --git a/other-cel/memory-requests-equal-limits/.chainsaw-test/podcontroller-bad.yaml b/other-cel/memory-requests-equal-limits/.chainsaw-test/podcontroller-bad.yaml deleted file mode 100644 index 4d41660e1..000000000 --- a/other-cel/memory-requests-equal-limits/.chainsaw-test/podcontroller-bad.yaml +++ /dev/null 
@@ -1,60 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app: busybox - name: baddeployment01 -spec: - replicas: 1 - selector: - matchLabels: - app: busybox - strategy: {} - template: - metadata: - labels: - app: busybox - spec: - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 - resources: - requests: - memory: "10Mi" - limits: - memory: "140Mi" - - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 - resources: - requests: - memory: "100Mi" - limits: - memory: "150Mi" ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob01 -spec: - schedule: "* * * * *" - jobTemplate: - spec: - template: - spec: - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 - resources: - requests: - memory: "10Mi" - limits: - memory: "140Mi" - - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 - resources: - requests: - memory: "100Mi" - limits: - memory: "150Mi" - restartPolicy: OnFailure - diff --git a/other-cel/memory-requests-equal-limits/.chainsaw-test/podcontroller-good.yaml b/other-cel/memory-requests-equal-limits/.chainsaw-test/podcontroller-good.yaml deleted file mode 100644 index f3aa1b901..000000000 --- a/other-cel/memory-requests-equal-limits/.chainsaw-test/podcontroller-good.yaml +++ /dev/null 
@@ -1,64 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app: busybox - name: gooddeployment01 -spec: - replicas: 1 - selector: - matchLabels: - app: busybox - strategy: {} - template: - metadata: - labels: - app: busybox - spec: - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 - resources: - requests: - memory: "100Mi" - limits: - memory: "100Mi" - - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: busybox03 - image: ghcr.io/kyverno/test-busybox:1.35 - resources: - requests: - memory: "50Mi" - limits: - memory: "50Mi" ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob01 -spec: - schedule: "* * * * *" - jobTemplate: - spec: - template: - spec: - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 - resources: - requests: - memory: "100Mi" - limits: - memory: "100Mi" - - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: busybox03 - image: ghcr.io/kyverno/test-busybox:1.35 - resources: - requests: - memory: "50Mi" - limits: - memory: "50Mi" - restartPolicy: OnFailure - diff --git a/other-cel/memory-requests-equal-limits/.chainsaw-test/policy-ready.yaml b/other-cel/memory-requests-equal-limits/.chainsaw-test/policy-ready.yaml deleted file mode 100755 index bcf716ae5..000000000 --- a/other-cel/memory-requests-equal-limits/.chainsaw-test/policy-ready.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: memory-requests-equal-limits -status: - conditions: - - reason: Succeeded - status: "True" - type: Ready - - diff --git a/other-cel/memory-requests-equal-limits/.kyverno-test/kyverno-test.yaml b/other-cel/memory-requests-equal-limits/.kyverno-test/kyverno-test.yaml deleted file mode 100644 index 73538ab7d..000000000 --- a/other-cel/memory-requests-equal-limits/.kyverno-test/kyverno-test.yaml +++ /dev/null 
@@ -1,28 +0,0 @@ -apiVersion: cli.kyverno.io/v1alpha1 -kind: Test -metadata: - name: memory-requests-equal-limits -policies: -- ../memory-requests-equal-limits.yaml -resources: -- resource.yaml -results: -- kind: CronJob - policy: memory-requests-equal-limits - resources: - - hello - result: pass - rule: autogen-cronjob-memory-requests-equal-limits -- kind: DaemonSet - policy: memory-requests-equal-limits - resources: - - fluentd-elasticsearch - result: pass - rule: autogen-memory-requests-equal-limits -- kind: Pod - policy: memory-requests-equal-limits - resources: - - myapp-pod - result: fail - rule: memory-requests-equal-limits - diff --git a/other-cel/memory-requests-equal-limits/.kyverno-test/resource.yaml b/other-cel/memory-requests-equal-limits/.kyverno-test/resource.yaml deleted file mode 100644 index 33b5da389..000000000 --- a/other-cel/memory-requests-equal-limits/.kyverno-test/resource.yaml +++ /dev/null 
@@ -1,73 +0,0 @@ -# DaemonSet with equal resources.requests.memory to resources.limits.memory -apiVersion: apps/v1 -kind: DaemonSet -metadata: - name: fluentd-elasticsearch - namespace: kube-system - labels: - k8s-app: fluentd-logging -spec: - selector: - matchLabels: - name: fluentd-elasticsearch - template: - metadata: - labels: - name: fluentd-elasticsearch - spec: - containers: - - name: fluentd-elasticsearch - image: quay.io/fluentd_elasticsearch/fluentd:v2.5.2 - resources: - limits: - memory: 200Mi - requests: - cpu: 100m - memory: 200Mi - ---- -# Pod with unequal resources.requests.memory to resources.limits.memory -apiVersion: v1 -kind: Pod -metadata: - name: myapp-pod -spec: - containers: - - name: nginx - image: nginx - resources: - requests: - memory: "64Mi" - cpu: "250m" - limits: - memory: "128Mi" - cpu: "500m" - ---- -# CronJob with equal resources.requests.memory to resources.limits.memory -apiVersion: batch/v1beta1 -kind: CronJob -metadata: - name: hello -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - containers: - - name: hello - image: busybox - args: - - /bin/sh - - -c - - date; echo Hello from the Kubernetes cluster - resources: - requests: - cpu: "100m" - memory: "1000m" - limits: - cpu: "100m" - memory: "1000m" - restartPolicy: OnFailure - diff --git a/other-cel/memory-requests-equal-limits/artifacthub-pkg.yml b/other-cel/memory-requests-equal-limits/artifacthub-pkg.yml deleted file mode 100644 index 19b886be6..000000000 --- a/other-cel/memory-requests-equal-limits/artifacthub-pkg.yml +++ /dev/null 
@@ -1,24 +0,0 @@ -name: memory-requests-equal-limits-cel -version: 1.0.0 -displayName: Memory Requests Equal Limits in CEL expressions -description: >- - Pods which have memory limits equal to requests are given a QoS class of Guaranteed which is the highest schedulable class. This policy checks that all containers in a given Pod have memory requests equal to limits. -install: |- - ```shell - kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other-cel/memory-requests-equal-limits/memory-requests-equal-limits.yaml - ``` -keywords: - - kyverno - - Sample - - CEL Expressions -readme: | - Pods which have memory limits equal to requests are given a QoS class of Guaranteed which is the highest schedulable class. This policy checks that all containers in a given Pod have memory requests equal to limits. - - Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ -annotations: - kyverno/category: "Sample in CEL" - kyverno/kubernetesVersion: "1.26-1.27" - kyverno/subject: "Pod" -digest: 2d7d94485cd5c5b19ae666afb28a3b52ce7d861ffe571eb8d2d4636bca1a685d -createdAt: "2024-04-07T11:13:21Z" - diff --git a/other-cel/memory-requests-equal-limits/memory-requests-equal-limits.yaml b/other-cel/memory-requests-equal-limits/memory-requests-equal-limits.yaml deleted file mode 100644 index 5b9985455..000000000 --- a/other-cel/memory-requests-equal-limits/memory-requests-equal-limits.yaml +++ /dev/null 
@@ -1,37 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: memory-requests-equal-limits - annotations: - policies.kyverno.io/title: Memory Requests Equal Limits in CEL expressions - policies.kyverno.io/category: Sample in CEL - policies.kyverno.io/severity: medium - policies.kyverno.io/subject: Pod - policies.kyverno.io/minversion: 1.11.0 - kyverno.io/kubernetes-version: "1.26-1.27" - policies.kyverno.io/description: >- - Pods which have memory limits equal to requests could be given a QoS class of Guaranteed if - they also set CPU limits equal to requests. Guaranteed is the highest schedulable class. - This policy checks that all containers in a given Pod have memory requests equal to limits. -spec: - validationFailureAction: Audit - background: false - rules: - - name: memory-requests-equal-limits - match: - any: - - resources: - kinds: - - Pod - operations: - - CREATE - - UPDATE - validate: - cel: - expressions: - - expression: >- - object.spec.containers.all(container, - !container.?resources.?requests.?memory.hasValue() || - container.resources.requests.memory == container.resources.?limits.?memory.orValue('-1')) - message: "resources.requests.memory must be equal to resources.limits.memory" - diff --git a/other-cel/metadata-match-regex/.chainsaw-test/chainsaw-test.yaml b/other-cel/metadata-match-regex/.chainsaw-test/chainsaw-test.yaml deleted file mode 100755 index 5bca0a41c..000000000 --- a/other-cel/metadata-match-regex/.chainsaw-test/chainsaw-test.yaml +++ /dev/null 
@@ -1,41 +0,0 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json -apiVersion: chainsaw.kyverno.io/v1alpha1 -kind: Test -metadata: - creationTimestamp: null - name: metadata-match-regex -spec: - # disable templating because it can cause issues with CEL expressions - template: false - steps: - - name: step-01 - try: - - apply: - file: ../metadata-match-regex.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: metadata-match-regex - spec: - validationFailureAction: Enforce - - assert: - file: policy-ready.yaml - - name: step-02 - try: - - apply: - file: pod-good.yaml - - apply: - expect: - - check: - ($error != null): true - file: pod-bad.yaml - - apply: - file: podcontroller-good.yaml - - apply: - expect: - - check: - ($error != null): true - file: podcontroller-bad.yaml - diff --git a/other-cel/metadata-match-regex/.chainsaw-test/pod-bad.yaml b/other-cel/metadata-match-regex/.chainsaw-test/pod-bad.yaml deleted file mode 100644 index acc9d41d9..000000000 --- a/other-cel/metadata-match-regex/.chainsaw-test/pod-bad.yaml +++ /dev/null @@ -1,42 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - labels: - corp.org/version: v1.1 - name: badpod01 -spec: - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: v1 -kind: Pod -metadata: - labels: - corp.org/version: "0.0.1" - name: badpod02 -spec: - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: v1 -kind: Pod -metadata: - labels: - corp.org/version: "v1.22.1" - name: badpod03 -spec: - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod04 -spec: - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 - 
diff --git a/other-cel/metadata-match-regex/.chainsaw-test/pod-good.yaml b/other-cel/metadata-match-regex/.chainsaw-test/pod-good.yaml deleted file mode 100644 index 14f14b832..000000000 --- a/other-cel/metadata-match-regex/.chainsaw-test/pod-good.yaml +++ /dev/null @@ -1,22 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - labels: - corp.org/version: v0.1.9 - name: goodpod01 -spec: - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: v1 -kind: Pod -metadata: - labels: - corp.org/version: v0.0.1 - name: goodpod02 -spec: - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 - diff --git a/other-cel/metadata-match-regex/.chainsaw-test/podcontroller-bad.yaml b/other-cel/metadata-match-regex/.chainsaw-test/podcontroller-bad.yaml deleted file mode 100644 index 4671dd5f7..000000000 --- a/other-cel/metadata-match-regex/.chainsaw-test/podcontroller-bad.yaml +++ /dev/null @@ -1,40 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app: busybox - name: baddeployment01 -spec: - replicas: 1 - selector: - matchLabels: - app: busybox - strategy: {} - template: - metadata: - labels: - corp.org/version: "v0.12.9" - app: busybox - spec: - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob01 -spec: - schedule: "* * * * *" - jobTemplate: - spec: - template: - metadata: - labels: - corp.org/version: "v1.13" - spec: - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 - restartPolicy: OnFailure - diff --git a/other-cel/metadata-match-regex/.chainsaw-test/podcontroller-good.yaml b/other-cel/metadata-match-regex/.chainsaw-test/podcontroller-good.yaml deleted file mode 100644 index 70978c9b6..000000000 --- a/other-cel/metadata-match-regex/.chainsaw-test/podcontroller-good.yaml +++ /dev/null 
@@ -1,40 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app: busybox - name: gooddeployment01 -spec: - replicas: 1 - selector: - matchLabels: - app: busybox - strategy: {} - template: - metadata: - labels: - corp.org/version: "v0.1.9" - app: busybox - spec: - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob01 -spec: - schedule: "* * * * *" - jobTemplate: - spec: - template: - metadata: - labels: - corp.org/version: "v0.1.9" - spec: - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 - restartPolicy: OnFailure - diff --git a/other-cel/metadata-match-regex/.chainsaw-test/policy-ready.yaml b/other-cel/metadata-match-regex/.chainsaw-test/policy-ready.yaml deleted file mode 100755 index 07a3b80e9..000000000 --- a/other-cel/metadata-match-regex/.chainsaw-test/policy-ready.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: metadata-match-regex -status: - conditions: - - reason: Succeeded - status: "True" - type: Ready - - diff --git a/other-cel/metadata-match-regex/.kyverno-test/kyverno-test.yaml b/other-cel/metadata-match-regex/.kyverno-test/kyverno-test.yaml deleted file mode 100644 index c7259a539..000000000 --- a/other-cel/metadata-match-regex/.kyverno-test/kyverno-test.yaml +++ /dev/null 
@@ -1,53 +0,0 @@ -apiVersion: cli.kyverno.io/v1alpha1 -kind: Test -metadata: - name: metadata-match-regex -policies: -- ../metadata-match-regex.yaml -resources: -- ../.chainsaw-test/pod-bad.yaml -- ../.chainsaw-test/pod-good.yaml -- ../.chainsaw-test/podcontroller-bad.yaml -- ../.chainsaw-test/podcontroller-good.yaml -results: -- policy: metadata-match-regex - rule: check-for-regex - kind: Pod - resources: - - badpod01 - - badpod02 - - badpod03 - - badpod04 - result: fail -- policy: metadata-match-regex - rule: check-for-regex - kind: Deployment - resources: - - baddeployment01 - result: fail -- policy: metadata-match-regex - rule: check-for-regex - kind: CronJob - resources: - - badcronjob01 - result: fail -- policy: metadata-match-regex - rule: check-for-regex - kind: Pod - resources: - - goodpod01 - - goodpod02 - result: pass -- policy: metadata-match-regex - rule: check-for-regex - kind: Deployment - resources: - - gooddeployment01 - result: pass -- policy: metadata-match-regex - rule: check-for-regex - kind: CronJob - resources: - - goodcronjob01 - result: pass - diff --git a/other-cel/metadata-match-regex/artifacthub-pkg.yml b/other-cel/metadata-match-regex/artifacthub-pkg.yml deleted file mode 100644 index bcc2b513e..000000000 --- a/other-cel/metadata-match-regex/artifacthub-pkg.yml +++ /dev/null 
@@ -1,24 +0,0 @@ -name: metadata-match-regex-cel -version: 1.0.0 -displayName: Metadata Matches Regex in CEL expressions -description: >- - Rather than a simple check to see if given metadata such as labels and annotations are present, in some cases they need to be present and the values match a specified regular expression. This policy illustrates how to ensure a label with key `corp.org/version` is both present and matches a given regex, in this case ensuring semver is met. -install: |- - ```shell - kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other-cel/metadata-match-regex/metadata-match-regex.yaml - ``` -keywords: - - kyverno - - Other - - CEL Expressions -readme: | - Rather than a simple check to see if given metadata such as labels and annotations are present, in some cases they need to be present and the values match a specified regular expression. This policy illustrates how to ensure a label with key `corp.org/version` is both present and matches a given regex, in this case ensuring semver is met. - - Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ -annotations: - kyverno/category: "Other in CEL" - kyverno/kubernetesVersion: "1.26-1.27" - kyverno/subject: "Pod, Label" -digest: 13f10d84ba859ce67122144d257a77024a781a292b6777cfbf88f191f003d85f -createdAt: "2024-04-07T10:16:14Z" - diff --git a/other-cel/metadata-match-regex/metadata-match-regex.yaml b/other-cel/metadata-match-regex/metadata-match-regex.yaml deleted file mode 100644 index 3a3336cd8..000000000 --- a/other-cel/metadata-match-regex/metadata-match-regex.yaml +++ /dev/null 
@@ -1,37 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: metadata-match-regex - annotations: - policies.kyverno.io/title: Metadata Matches Regex in CEL expressions - policies.kyverno.io/category: Other in CEL - policies.kyverno.io/severity: medium - policies.kyverno.io/subject: Pod, Label - policies.kyverno.io/minversion: 1.11.0 - kyverno.io/kubernetes-version: "1.26-1.27" - policies.kyverno.io/description: >- - Rather than a simple check to see if given metadata such as labels and annotations are present, - in some cases they need to be present and the values match a specified regular expression. This - policy illustrates how to ensure a label with key `corp.org/version` is both present and matches - a given regex, in this case ensuring semver is met. -spec: - validationFailureAction: Audit - background: false - rules: - - name: check-for-regex - match: - any: - - resources: - kinds: - - Pod - operations: - - CREATE - - UPDATE - validate: - cel: - expressions: - - expression: >- - object.metadata.?labels[?'corp.org/version'].orValue('default').matches('^v[0-9].[0-9].[0-9]$') - message: >- - The label `corp.org/version` is required and must match the specified regex: ^v[0-9].[0-9].[0-9]$ - diff --git a/other-cel/pdb-maxunavailable/.chainsaw-test/chainsaw-test.yaml b/other-cel/pdb-maxunavailable/.chainsaw-test/chainsaw-test.yaml deleted file mode 100755 index 6a50f10cb..000000000 --- a/other-cel/pdb-maxunavailable/.chainsaw-test/chainsaw-test.yaml +++ /dev/null 
@@ -1,34 +0,0 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json -apiVersion: chainsaw.kyverno.io/v1alpha1 -kind: Test -metadata: - creationTimestamp: null - name: pdb-maxunavailable -spec: - # disable templating because it can cause issues with CEL expressions - template: false - steps: - - name: step-01 - try: - - apply: - file: ../pdb-maxunavailable.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: pdb-maxunavailable - spec: - validationFailureAction: Enforce - - assert: - file: policy-ready.yaml - - name: step-02 - try: - - apply: - file: pdb-good.yaml - - apply: - expect: - - check: - ($error != null): true - file: pdb-bad.yaml - diff --git a/other-cel/pdb-maxunavailable/.chainsaw-test/pdb-bad.yaml b/other-cel/pdb-maxunavailable/.chainsaw-test/pdb-bad.yaml deleted file mode 100644 index 48788b23e..000000000 --- a/other-cel/pdb-maxunavailable/.chainsaw-test/pdb-bad.yaml +++ /dev/null @@ -1,7 +0,0 @@ -apiVersion: policy/v1 -kind: PodDisruptionBudget -metadata: - name: badpdb01 -spec: - maxUnavailable: 0 - diff --git a/other-cel/pdb-maxunavailable/.chainsaw-test/pdb-good.yaml b/other-cel/pdb-maxunavailable/.chainsaw-test/pdb-good.yaml deleted file mode 100644 index d8c6a9e30..000000000 --- a/other-cel/pdb-maxunavailable/.chainsaw-test/pdb-good.yaml +++ /dev/null @@ -1,14 +0,0 @@ -apiVersion: policy/v1 -kind: PodDisruptionBudget -metadata: - name: goodpdb01 -spec: - minAvailable: 1 ---- -apiVersion: policy/v1 -kind: PodDisruptionBudget -metadata: - name: goodpdb02 -spec: - maxUnavailable: 1 - diff --git a/other-cel/pdb-maxunavailable/.chainsaw-test/policy-ready.yaml b/other-cel/pdb-maxunavailable/.chainsaw-test/policy-ready.yaml deleted file mode 100755 index 7f289a15c..000000000 --- a/other-cel/pdb-maxunavailable/.chainsaw-test/policy-ready.yaml +++ /dev/null 
@@ -1,11 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: pdb-maxunavailable -status: - conditions: - - reason: Succeeded - status: "True" - type: Ready - - diff --git a/other-cel/pdb-maxunavailable/.kyverno-test/kyverno-test.yaml b/other-cel/pdb-maxunavailable/.kyverno-test/kyverno-test.yaml deleted file mode 100644 index e62099f4d..000000000 --- a/other-cel/pdb-maxunavailable/.kyverno-test/kyverno-test.yaml +++ /dev/null @@ -1,24 +0,0 @@ -apiVersion: cli.kyverno.io/v1alpha1 -kind: Test -metadata: - name: pdb-maxunavailable -policies: -- ../pdb-maxunavailable.yaml -resources: -- resource.yaml -results: -- kind: PodDisruptionBudget - policy: pdb-maxunavailable - resources: - - kube-system/bad-pdb-zero - - kube-system/bad-pdb-negative-one - result: fail - rule: pdb-maxunavailable -- kind: PodDisruptionBudget - policy: pdb-maxunavailable - resources: - - kube-system/good-pdb - - kube-system/good-pdb-none - result: pass - rule: pdb-maxunavailable - diff --git a/other-cel/pdb-maxunavailable/.kyverno-test/resource.yaml b/other-cel/pdb-maxunavailable/.kyverno-test/resource.yaml deleted file mode 100644 index d7777edb9..000000000 --- a/other-cel/pdb-maxunavailable/.kyverno-test/resource.yaml +++ /dev/null @@ -1,43 +0,0 @@ -apiVersion: policy/v1 -kind: PodDisruptionBudget -metadata: - name: good-pdb - namespace: kube-system -spec: - maxUnavailable: 2 - selector: - matchLabels: - app: good ---- -apiVersion: policy/v1 -kind: PodDisruptionBudget -metadata: - name: good-pdb-none - namespace: kube-system -spec: - selector: - matchLabels: - app: good ---- -apiVersion: policy/v1 -kind: PodDisruptionBudget -metadata: - name: bad-pdb-zero - namespace: kube-system -spec: - maxUnavailable: 0 - selector: - matchLabels: - app: bad ---- -apiVersion: policy/v1 -kind: PodDisruptionBudget -metadata: - name: bad-pdb-negative-one - namespace: kube-system -spec: - maxUnavailable: -1 - selector: - matchLabels: - app: bad - 
diff --git a/other-cel/pdb-maxunavailable/artifacthub-pkg.yml b/other-cel/pdb-maxunavailable/artifacthub-pkg.yml deleted file mode 100644 index b0a51f2ac..000000000 --- a/other-cel/pdb-maxunavailable/artifacthub-pkg.yml +++ /dev/null @@ -1,24 +0,0 @@ -name: pdb-maxunavailable-cel -version: 1.0.0 -displayName: PodDisruptionBudget maxUnavailable Non-Zero in CEL expressions -description: >- - A PodDisruptionBudget which sets its maxUnavailable value to zero prevents all voluntary evictions including Node drains which may impact maintenance tasks. This policy enforces that if a PodDisruptionBudget specifies the maxUnavailable field it must be greater than zero. -install: |- - ```shell - kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other-cel/pdb-maxunavailable/pdb-maxunavailable.yaml - ``` -keywords: - - kyverno - - Other - - CEL Expressions -readme: | - A PodDisruptionBudget which sets its maxUnavailable value to zero prevents all voluntary evictions including Node drains which may impact maintenance tasks. This policy enforces that if a PodDisruptionBudget specifies the maxUnavailable field it must be greater than zero. - - Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ -annotations: - kyverno/category: "Other in CEL" - kyverno/kubernetesVersion: "1.26-1.27" - kyverno/subject: "PodDisruptionBudget" -digest: e8a5e187db61953889fcfa1bcc5b0c24893508bbfb47aeb7c73b5c1a274337b7 -createdAt: "2024-04-07T10:22:03Z" - diff --git a/other-cel/pdb-maxunavailable/pdb-maxunavailable.yaml b/other-cel/pdb-maxunavailable/pdb-maxunavailable.yaml deleted file mode 100644 index 812804e5e..000000000 --- a/other-cel/pdb-maxunavailable/pdb-maxunavailable.yaml +++ /dev/null 
@@ -1,34 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: pdb-maxunavailable - annotations: - policies.kyverno.io/title: PodDisruptionBudget maxUnavailable Non-Zero in CEL expressions - policies.kyverno.io/category: Other in CEL - kyverno.io/kyverno-version: 1.11.0 - kyverno.io/kubernetes-version: "1.26-1.27" - policies.kyverno.io/subject: PodDisruptionBudget - policies.kyverno.io/description: >- - A PodDisruptionBudget which sets its maxUnavailable value to zero prevents - all voluntary evictions including Node drains which may impact maintenance tasks. - This policy enforces that if a PodDisruptionBudget specifies the maxUnavailable field - it must be greater than zero. -spec: - validationFailureAction: Audit - background: false - rules: - - name: pdb-maxunavailable - match: - any: - - resources: - kinds: - - PodDisruptionBudget - operations: - - CREATE - - UPDATE - validate: - cel: - expressions: - - expression: "int(object.spec.?maxUnavailable.orValue(1)) > 0" - message: "The value of maxUnavailable must be greater than zero." - diff --git a/other-cel/prevent-bare-pods/.chainsaw-test/chainsaw-test.yaml b/other-cel/prevent-bare-pods/.chainsaw-test/chainsaw-test.yaml deleted file mode 100755 index e5a3052f4..000000000 --- a/other-cel/prevent-bare-pods/.chainsaw-test/chainsaw-test.yaml +++ /dev/null 
@@ -1,49 +0,0 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json -apiVersion: chainsaw.kyverno.io/v1alpha1 -kind: Test -metadata: - creationTimestamp: null - name: prevent-naked-pods -spec: - # disable templating because it can cause issues with CEL expressions - template: false - steps: - - name: step-01 - try: - - apply: - file: ns.yaml - - apply: - file: ../prevent-bare-pods.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: prevent-bare-pods - spec: - validationFailureAction: Enforce - - assert: - file: policy-ready.yaml - - name: step-02 - try: - - apply: - file: pod-good.yaml - - apply: - expect: - - check: - ($error != null): true - file: pod-bad.yaml - - apply: - file: deployment.yaml - - name: step-03 - try: - - sleep: - duration: 5s - - script: - content: | - if [ $(kubectl get pods -n prevent-naked-pods-ns | grep gooddeployment01 | wc -l) -gt 0 ]; then exit 0; else exit 1; fi - - name: step-99 - try: - - script: - content: kubectl delete all --all --force --grace-period=0 -n prevent-naked-pods-ns - diff --git a/other-cel/prevent-bare-pods/.chainsaw-test/deployment.yaml b/other-cel/prevent-bare-pods/.chainsaw-test/deployment.yaml deleted file mode 100644 index 3f28c812b..000000000 --- a/other-cel/prevent-bare-pods/.chainsaw-test/deployment.yaml +++ /dev/null @@ -1,23 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app: busybox - name: gooddeployment01 - namespace: prevent-naked-pods-ns -spec: - replicas: 1 - selector: - matchLabels: - app: busybox - strategy: {} - template: - metadata: - labels: - app: busybox - spec: - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 - command: ["sleep", "30"] - diff --git a/other-cel/prevent-bare-pods/.chainsaw-test/ns.yaml b/other-cel/prevent-bare-pods/.chainsaw-test/ns.yaml deleted file mode 100644 index ed9eca697..000000000 
--- a/other-cel/prevent-bare-pods/.chainsaw-test/ns.yaml +++ /dev/null @@ -1,5 +0,0 @@ -apiVersion: v1 -kind: Namespace -metadata: - name: prevent-naked-pods-ns - diff --git a/other-cel/prevent-bare-pods/.chainsaw-test/pod-bad.yaml b/other-cel/prevent-bare-pods/.chainsaw-test/pod-bad.yaml deleted file mode 100644 index b62882c08..000000000 --- a/other-cel/prevent-bare-pods/.chainsaw-test/pod-bad.yaml +++ /dev/null @@ -1,9 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: badpod01 -spec: - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 - diff --git a/other-cel/prevent-bare-pods/.chainsaw-test/pod-good.yaml b/other-cel/prevent-bare-pods/.chainsaw-test/pod-good.yaml deleted file mode 100644 index 5ca95f5ac..000000000 --- a/other-cel/prevent-bare-pods/.chainsaw-test/pod-good.yaml +++ /dev/null @@ -1,14 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - ownerReferences: - - apiVersion: apps/v1 - kind: Deployment - name: gooddeployment01 - uid: "foo-bar" - name: goodpod01 -spec: - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 - diff --git a/other-cel/prevent-bare-pods/.chainsaw-test/policy-ready.yaml b/other-cel/prevent-bare-pods/.chainsaw-test/policy-ready.yaml deleted file mode 100755 index 5663c2f0e..000000000 --- a/other-cel/prevent-bare-pods/.chainsaw-test/policy-ready.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: prevent-bare-pods -status: - conditions: - - reason: Succeeded - status: "True" - type: Ready - - diff --git a/other-cel/prevent-bare-pods/.kyverno-test/kyverno-test.yaml b/other-cel/prevent-bare-pods/.kyverno-test/kyverno-test.yaml deleted file mode 100644 index 1a43a336b..000000000 --- a/other-cel/prevent-bare-pods/.kyverno-test/kyverno-test.yaml +++ /dev/null 
@@ -1,23 +0,0 @@ -apiVersion: cli.kyverno.io/v1alpha1 -kind: Test -metadata: - name: prevent-bare-pods -policies: -- ../prevent-bare-pods.yaml -resources: -- ../.chainsaw-test/pod-bad.yaml -- ../.chainsaw-test/pod-good.yaml -results: -- policy: prevent-bare-pods - rule: bare-pods - kind: Pod - resources: - - badpod01 - result: fail -- policy: prevent-bare-pods - rule: bare-pods - kind: Pod - resources: - - goodpod01 - result: pass - diff --git a/other-cel/prevent-bare-pods/artifacthub-pkg.yml b/other-cel/prevent-bare-pods/artifacthub-pkg.yml deleted file mode 100644 index 5198560a5..000000000 --- a/other-cel/prevent-bare-pods/artifacthub-pkg.yml +++ /dev/null @@ -1,25 +0,0 @@ -name: prevent-bare-pods-cel -version: 1.0.0 -displayName: Prevent bare Pods in CEL expressions -description: >- - Pods not created by workload controllers such as Deployments have no self-healing or scaling abilities and are unsuitable for production. This policy prevents such "bare" Pods from being created unless they originate from a higher-level workload controller of some sort. -install: |- - ```shell - kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other-cel/prevent-bare-pods/prevent-bare-pods.yaml - ``` -keywords: - - kyverno - - Other - - EKS Best Practices - - CEL Expressions -readme: | - Pods not created by workload controllers such as Deployments have no self-healing or scaling abilities and are unsuitable for production. This policy prevents such "bare" Pods from being created unless they originate from a higher-level workload controller of some sort. - - Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ -annotations: - kyverno/category: "Other, EKS Best Practices in CEL" - kyverno/kubernetesVersion: "1.26-1.27" - kyverno/subject: "Pod" -digest: ff8f3288a8e8ea57d91d27785866d0c17b8112b8697d0689e9f324874deb1f3b -createdAt: "2024-04-07T10:47:32Z" - 
diff --git a/other-cel/prevent-bare-pods/prevent-bare-pods.yaml b/other-cel/prevent-bare-pods/prevent-bare-pods.yaml deleted file mode 100644 index a04ad48f9..000000000 --- a/other-cel/prevent-bare-pods/prevent-bare-pods.yaml +++ /dev/null @@ -1,37 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: prevent-bare-pods - annotations: - policies.kyverno.io/title: Prevent Bare Pods in CEL expressions - pod-policies.kyverno.io/autogen-controllers: none - policies.kyverno.io/category: Other, EKS Best Practices in CEL - policies.kyverno.io/severity: medium - kyverno.io/kyverno-version: 1.11.0 - policies.kyverno.io/minversion: 1.11.0 - kyverno.io/kubernetes-version: "1.26-1.27" - policies.kyverno.io/subject: Pod - policies.kyverno.io/description: >- - Pods not created by workload controllers such as Deployments - have no self-healing or scaling abilities and are unsuitable for production. - This policy prevents such "bare" Pods from being created unless they originate - from a higher-level workload controller of some sort. -spec: - validationFailureAction: Audit - background: true - rules: - - name: bare-pods - match: - any: - - resources: - kinds: - - Pod - operations: - - CREATE - - UPDATE - validate: - cel: - expressions: - - expression: "'ownerReferences' in object.metadata" - message: "Bare Pods are not allowed. They must be created by Pod controllers." - diff --git a/other-cel/prevent-cr8escape/.chainsaw-test/chainsaw-test.yaml b/other-cel/prevent-cr8escape/.chainsaw-test/chainsaw-test.yaml deleted file mode 100755 index fa078154f..000000000 --- a/other-cel/prevent-cr8escape/.chainsaw-test/chainsaw-test.yaml +++ /dev/null 
@@ -1,33 +0,0 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json -apiVersion: chainsaw.kyverno.io/v1alpha1 -kind: Test -metadata: - creationTimestamp: null - name: prevent-cr8escape -spec: - # disable templating because it can cause issues with CEL expressions - template: false - steps: - - name: step-01 - try: - - apply: - file: ../prevent-cr8escape.yaml - - assert: - file: policy-ready.yaml - - name: step-02 - try: - - apply: - file: pods-good.yaml - - apply: - expect: - - check: - ($error != null): true - file: pods-bad.yaml - - apply: - file: podcontroller-good.yaml - - apply: - expect: - - check: - ($error != null): true - file: podcontroller-bad.yaml - diff --git a/other-cel/prevent-cr8escape/.chainsaw-test/podcontroller-bad.yaml b/other-cel/prevent-cr8escape/.chainsaw-test/podcontroller-bad.yaml deleted file mode 100644 index 3cae71084..000000000 --- a/other-cel/prevent-cr8escape/.chainsaw-test/podcontroller-bad.yaml +++ /dev/null @@ -1,48 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app: busybox - name: baddeployment01 -spec: - replicas: 1 - selector: - matchLabels: - app: busybox - strategy: {} - template: - metadata: - labels: - app: busybox - spec: - securityContext: - sysctls: - - name: "bar" - value: "foo" - - name: "foo" - value: "foo=bar" - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob01 -spec: - schedule: "* * * * *" - jobTemplate: - spec: - template: - spec: - securityContext: - sysctls: - - name: "foo" - value: "foo+bar" - - name: "bar" - value: "foo" - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 - restartPolicy: OnFailure - 
diff --git a/other-cel/prevent-cr8escape/.chainsaw-test/podcontroller-good.yaml b/other-cel/prevent-cr8escape/.chainsaw-test/podcontroller-good.yaml deleted file mode 100644 index 6a6d20803..000000000 --- a/other-cel/prevent-cr8escape/.chainsaw-test/podcontroller-good.yaml +++ /dev/null @@ -1,48 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app: busybox - name: gooddeployment01 -spec: - replicas: 1 - selector: - matchLabels: - app: busybox - strategy: {} - template: - metadata: - labels: - app: busybox - spec: - securityContext: - sysctls: - - name: "foo" - value: "bar" - - name: "bar" - value: "foo" - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob01 -spec: - schedule: "* * * * *" - jobTemplate: - spec: - template: - spec: - securityContext: - sysctls: - - name: "foo" - value: "bar" - - name: "bar" - value: "foo" - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 - restartPolicy: OnFailure - diff --git a/other-cel/prevent-cr8escape/.chainsaw-test/pods-bad.yaml b/other-cel/prevent-cr8escape/.chainsaw-test/pods-bad.yaml deleted file mode 100644 index cc9742c5b..000000000 --- a/other-cel/prevent-cr8escape/.chainsaw-test/pods-bad.yaml +++ /dev/null @@ -1,30 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: badpod01 -spec: - securityContext: - sysctls: - - name: "foo" - value: "foo+bar" - - name: "bar" - value: "foo" - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod02 -spec: - securityContext: - sysctls: - - name: "bar" - value: "foo" - - name: "foo" - value: "foo=bar" - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 - diff --git a/other-cel/prevent-cr8escape/.chainsaw-test/pods-good.yaml b/other-cel/prevent-cr8escape/.chainsaw-test/pods-good.yaml deleted file mode 100644 index 584456add..000000000 
--- a/other-cel/prevent-cr8escape/.chainsaw-test/pods-good.yaml +++ /dev/null @@ -1,35 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: goodpod01 -spec: - securityContext: - sysctls: - - name: "foo" - value: "bar" - - name: "bar" - value: "foo" - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod02 -spec: - securityContext: - allowPrivilegeEscalation: false - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod03 -spec: - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 - diff --git a/other-cel/prevent-cr8escape/.chainsaw-test/policy-ready.yaml b/other-cel/prevent-cr8escape/.chainsaw-test/policy-ready.yaml deleted file mode 100644 index 1259408f7..000000000 --- a/other-cel/prevent-cr8escape/.chainsaw-test/policy-ready.yaml +++ /dev/null @@ -1,10 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: prevent-cr8escape -status: - conditions: - - reason: Succeeded - status: "True" - type: Ready - diff --git a/other-cel/prevent-cr8escape/.kyverno-test/kyverno-test.yaml b/other-cel/prevent-cr8escape/.kyverno-test/kyverno-test.yaml deleted file mode 100644 index 29a5cc8c5..000000000 --- a/other-cel/prevent-cr8escape/.kyverno-test/kyverno-test.yaml +++ /dev/null @@ -1,23 +0,0 @@ -apiVersion: cli.kyverno.io/v1alpha1 -kind: Test -metadata: - name: prevent-cr8escape -policies: -- ../prevent-cr8escape.yaml -resources: -- resources.yaml -results: -- kind: Pod - policy: prevent-cr8escape - resources: - - badpod01 - result: fail - rule: restrict-sysctls-cr8escape -- kind: Pod - policy: prevent-cr8escape - resources: - - pod-sysctl-good - - pod-no-sysctl - result: pass - rule: restrict-sysctls-cr8escape - 
diff --git a/other-cel/prevent-cr8escape/.kyverno-test/resources.yaml b/other-cel/prevent-cr8escape/.kyverno-test/resources.yaml deleted file mode 100644 index e5ae26766..000000000 --- a/other-cel/prevent-cr8escape/.kyverno-test/resources.yaml +++ /dev/null @@ -1,39 +0,0 @@ ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod01 -spec: - securityContext: - sysctls: - - name: kernel.shm_rmid_forced - value: "1+kernel.core_pattern=|/var/lib/containers/storage/overlay/3ef1281bce79865599f673b476957be73f994d17c15109d2b6a426711cf753e6/diff/malicious.sh #" - containers: - - name: alpine - image: alpine:latest - command: ["tail", "-f", "/dev/null"] ---- -apiVersion: v1 -kind: Pod -metadata: - name: pod-no-sysctl -spec: - containers: - - name: alpine - image: alpine:latest - command: ["tail", "-f", "/dev/null"] ---- -apiVersion: v1 -kind: Pod -metadata: - name: pod-sysctl-good -spec: - securityContext: - sysctls: - - name: kernel.shm_rmid_forced - value: "2" - containers: - - name: alpine - image: alpine:latest - command: ["tail", "-f", "/dev/null"] - diff --git a/other-cel/prevent-cr8escape/artifacthub-pkg.yml b/other-cel/prevent-cr8escape/artifacthub-pkg.yml deleted file mode 100644 index a314f8af5..000000000 --- a/other-cel/prevent-cr8escape/artifacthub-pkg.yml +++ /dev/null 
@@ -1,24 +0,0 @@
-name: prevent-cr8escape-cel
-version: 1.0.0
-displayName: Prevent cr8escape (CVE-2022-0811) in CEL expressions
-description: >-
- A vulnerability "cr8escape" (CVE-2022-0811) in CRI-O the container runtime engine underpinning Kubernetes allows attackers to escape from a Kubernetes container and gain root access to the host. The recommended remediation is to disallow sysctl settings with + or = in their value.
-install: |-
- ```shell
- kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other-cel/prevent-cr8escape/prevent-cr8escape.yaml
- ```
-keywords:
- - kyverno
- - Other
- - CEL Expressions
-readme: |
- A vulnerability "cr8escape" (CVE-2022-0811) in CRI-O the container runtime engine underpinning Kubernetes allows attackers to escape from a Kubernetes container and gain root access to the host. The recommended remediation is to disallow sysctl settings with + or = in their value.
-
- Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/
-annotations:
- kyverno/category: "Other in CEL"
- kyverno/kubernetesVersion: "1.26-1.27"
- kyverno/subject: "Pod"
-digest: ac2beb2d3eae9cea07feee4eadfd94e4a584e03ccb62cc84401038ffde0e6241
-createdAt: "2024-04-08T10:46:02Z"
-
diff --git a/other-cel/prevent-cr8escape/prevent-cr8escape.yaml b/other-cel/prevent-cr8escape/prevent-cr8escape.yaml
deleted file mode 100644
index 7370ddda6..000000000
--- a/other-cel/prevent-cr8escape/prevent-cr8escape.yaml
+++ /dev/null
@@ -1,38 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: prevent-cr8escape - annotations: - policies.kyverno.io/title: Prevent cr8escape (CVE-2022-0811) in CEL expressions - policies.kyverno.io/category: Other in CEL - policies.kyverno.io/severity: high - kyverno.io/kyverno-version: 1.11.0 - policies.kyverno.io/minversion: 1.11.0 - kyverno.io/kubernetes-version: "1.26-1.27" - policies.kyverno.io/subject: Pod - policies.kyverno.io/description: >- - A vulnerability "cr8escape" (CVE-2022-0811) in CRI-O the container runtime engine - underpinning Kubernetes allows attackers to escape from a Kubernetes container - and gain root access to the host. The recommended remediation is to disallow - sysctl settings with + or = in their value. -spec: - validationFailureAction: Enforce - background: true - rules: - - name: restrict-sysctls-cr8escape - match: - any: - - resources: - kinds: - - Pod - operations: - - CREATE - - UPDATE - validate: - cel: - expressions: - - expression: >- - object.spec.?securityContext.?sysctls.orValue([]).all(sysctl, - !has(sysctl.value) || (!sysctl.value.contains('+') && !sysctl.value.contains('='))) - message: "characters '+' or '=' are not allowed in sysctls values" - diff --git a/other-cel/require-annotations/.chainsaw-test/chainsaw-test.yaml b/other-cel/require-annotations/.chainsaw-test/chainsaw-test.yaml deleted file mode 100755 index 7d0558015..000000000 --- a/other-cel/require-annotations/.chainsaw-test/chainsaw-test.yaml +++ /dev/null 
@@ -1,39 +0,0 @@
-# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
-apiVersion: chainsaw.kyverno.io/v1alpha1
-kind: Test
-metadata:
- creationTimestamp: null
- name: require-annotations
-spec:
- steps:
- - name: step-01
- try:
- - apply:
- file: ../require-annotations.yaml
- - patch:
- resource:
- apiVersion: kyverno.io/v1
- kind: ClusterPolicy
- metadata:
- name: require-annotations
- spec:
- validationFailureAction: Enforce
- - assert:
- file: policy-ready.yaml
- - name: step-02
- try:
- - apply:
- file: pod-good.yaml
- - apply:
- expect:
- - check:
- ($error != null): true
- file: pod-bad.yaml
- - apply:
- file: podcontroller-good.yaml
- - apply:
- expect:
- - check:
- ($error != null): true
- file: podcontroller-bad.yaml
-
diff --git a/other-cel/require-annotations/.chainsaw-test/pod-bad.yaml b/other-cel/require-annotations/.chainsaw-test/pod-bad.yaml
deleted file mode 100644
index 6356af7aa..000000000
--- a/other-cel/require-annotations/.chainsaw-test/pod-bad.yaml
+++ /dev/null
@@ -1,20 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
- annotations:
- corp.org/department: ""
- name: badpod01
-spec:
- containers:
- - name: busybox
- image: ghcr.io/kyverno/test-busybox:1.35
----
-apiVersion: v1
-kind: Pod
-metadata:
- name: badpod02
-spec:
- containers:
- - name: busybox
- image: ghcr.io/kyverno/test-busybox:1.35
-
diff --git a/other-cel/require-annotations/.chainsaw-test/pod-good.yaml b/other-cel/require-annotations/.chainsaw-test/pod-good.yaml
deleted file mode 100644
index 398771fcc..000000000
--- a/other-cel/require-annotations/.chainsaw-test/pod-good.yaml
+++ /dev/null
@@ -1,11 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
- annotations:
- corp.org/department: "foo"
- name: goodpod01
-spec:
- containers:
- - name: busybox
- image: ghcr.io/kyverno/test-busybox:1.35
-
diff --git a/other-cel/require-annotations/.chainsaw-test/podcontroller-bad.yaml b/other-cel/require-annotations/.chainsaw-test/podcontroller-bad.yaml
deleted file mode 100644
index 0afbc09dc..000000000
--- a/other-cel/require-annotations/.chainsaw-test/podcontroller-bad.yaml
+++ /dev/null
@@ -1,39 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- labels:
- app: busybox
- name: baddeployment01
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: busybox
- strategy: {}
- template:
- metadata:
- annotations:
- corp.org/department: ""
- labels:
- app: busybox
- spec:
- containers:
- - name: busybox
- image: ghcr.io/kyverno/test-busybox:1.35
----
-apiVersion: batch/v1
-kind: CronJob
-metadata:
- name: badcronjob01
-spec:
- schedule: "* * * * *"
- jobTemplate:
- spec:
- template:
- metadata:
- spec:
- containers:
- - name: busybox
- image: ghcr.io/kyverno/test-busybox:1.35
- restartPolicy: OnFailure
-
diff --git a/other-cel/require-annotations/.chainsaw-test/podcontroller-good.yaml b/other-cel/require-annotations/.chainsaw-test/podcontroller-good.yaml
deleted file mode 100644
index 2d00b207b..000000000
--- a/other-cel/require-annotations/.chainsaw-test/podcontroller-good.yaml
+++ /dev/null
@@ -1,41 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- labels:
- app: busybox
- name: gooddeployment01
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: busybox
- strategy: {}
- template:
- metadata:
- annotations:
- corp.org/department: "foo"
- labels:
- app: busybox
- spec:
- containers:
- - name: busybox
- image: ghcr.io/kyverno/test-busybox:1.35
----
-apiVersion: batch/v1
-kind: CronJob
-metadata:
- name: goodcronjob01
-spec:
- schedule: "* * * * *"
- jobTemplate:
- spec:
- template:
- metadata:
- annotations:
- corp.org/department: "foo"
- spec:
- containers:
- - name: busybox
- image: ghcr.io/kyverno/test-busybox:1.35
- restartPolicy: OnFailure
-
diff --git a/other-cel/require-annotations/.chainsaw-test/policy-ready.yaml b/other-cel/require-annotations/.chainsaw-test/policy-ready.yaml
deleted file mode 100755
index 184f4f886..000000000
--- a/other-cel/require-annotations/.chainsaw-test/policy-ready.yaml
+++ /dev/null
@@ -1,11 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
- name: require-annotations
-status:
- conditions:
- - reason: Succeeded
- status: "True"
- type: Ready
-
-
diff --git a/other-cel/require-annotations/.kyverno-test/kyverno-test.yaml b/other-cel/require-annotations/.kyverno-test/kyverno-test.yaml
deleted file mode 100644
index 8cf9c591a..000000000
--- a/other-cel/require-annotations/.kyverno-test/kyverno-test.yaml
+++ /dev/null
@@ -1,50 +0,0 @@
-apiVersion: cli.kyverno.io/v1alpha1
-kind: Test
-metadata:
- name: require-annotations
-policies:
-- ../require-annotations.yaml
-resources:
-- ../.chainsaw-test/pod-bad.yaml
-- ../.chainsaw-test/pod-good.yaml
-- ../.chainsaw-test/podcontroller-bad.yaml
-- ../.chainsaw-test/podcontroller-good.yaml
-results:
-- kind: Pod
- policy: require-annotations
- resources:
- - badpod01
- - badpod02
- result: fail
- rule: check-for-annotation
-- kind: Pod
- policy: require-annotations
- resources:
- - goodpod01
- result: pass
- rule: check-for-annotation
-- kind: Deployment
- policy: require-annotations
- resources:
- - baddeployment01
- result: fail
- rule: check-for-annotation
-- kind: CronJob
- policy: require-annotations
- resources:
- - badcronjob01
- result: fail
- rule: check-for-annotation
-- kind: Deployment
- policy: require-annotations
- resources:
- - gooddeployment01
- result: pass
- rule: check-for-annotation
-- kind: CronJob
- policy: require-annotations
- resources:
- - goodcronjob01
- result: pass
- rule: check-for-annotation
-
diff --git a/other-cel/require-annotations/artifacthub-pkg.yml b/other-cel/require-annotations/artifacthub-pkg.yml
deleted file mode 100644
index 949f0d98e..000000000
--- a/other-cel/require-annotations/artifacthub-pkg.yml
+++ /dev/null
@@ -1,24 +0,0 @@
-name: require-annotations-cel
-version: 1.0.0
-displayName: Require Annotations in CEL expressions
-description: >-
- Define and use annotations that identify semantic attributes of your application or Deployment. A common set of annotations allows tools to work collaboratively, describing objects in a common manner that all tools can understand. The recommended annotations describe applications in a way that can be queried. This policy validates that the annotation `corp.org/department` is specified with some value.
-install: |-
- ```shell
- kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other-cel/require-annotations/require-annotations.yaml
- ```
-keywords:
- - kyverno
- - Other
- - CEL Expressions
-readme: |
- Define and use annotations that identify semantic attributes of your application or Deployment. A common set of annotations allows tools to work collaboratively, describing objects in a common manner that all tools can understand. The recommended annotations describe applications in a way that can be queried. This policy validates that the annotation `corp.org/department` is specified with some value.
-
- Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/
-annotations:
- kyverno/category: "Other in CEL"
- kyverno/kubernetesVersion: "1.26-1.27"
- kyverno/subject: "Pod, Annotation"
-digest: daf07a7c0e54bab1c25e2831feba7f3e9a0fd6e1f5e60b2bc043418a2d4f7c5d
-createdAt: "2024-04-09T15:56:35Z"
-
diff --git a/other-cel/require-annotations/require-annotations.yaml b/other-cel/require-annotations/require-annotations.yaml
deleted file mode 100644
index 6394abdec..000000000
--- a/other-cel/require-annotations/require-annotations.yaml
+++ /dev/null
@@ -1,36 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: require-annotations - annotations: - policies.kyverno.io/title: Require Annotations in CEL expressions - policies.kyverno.io/category: Other in CEL - policies.kyverno.io/severity: medium - policies.kyverno.io/subject: Pod, Annotation - kyverno.io/kyverno-version: 1.11.0 - kyverno.io/kubernetes-version: "1.26-1.27" - policies.kyverno.io/description: >- - Define and use annotations that identify semantic attributes of your application or Deployment. - A common set of annotations allows tools to work collaboratively, describing objects in a common manner that - all tools can understand. The recommended annotations describe applications in a way that can be - queried. This policy validates that the annotation `corp.org/department` is specified with some value. -spec: - validationFailureAction: Audit - background: true - rules: - - name: check-for-annotation - match: - any: - - resources: - kinds: - - Pod - operations: - - CREATE - - UPDATE - validate: - cel: - expressions: - - expression: >- - object.metadata.?annotations[?'corp.org/department'].orValue('') != '' - message: "The annotation `corp.org/department` is required." - diff --git a/other-cel/require-container-port-names/.chainsaw-test/chainsaw-test.yaml b/other-cel/require-container-port-names/.chainsaw-test/chainsaw-test.yaml deleted file mode 100755 index 57c31e79a..000000000 --- a/other-cel/require-container-port-names/.chainsaw-test/chainsaw-test.yaml +++ /dev/null 
@@ -1,38 +0,0 @@
-# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
-apiVersion: chainsaw.kyverno.io/v1alpha1
-kind: Test
-metadata:
- creationTimestamp: null
- name: require-container-port-names
-spec:
- steps:
- - name: step-01
- try:
- - apply:
- file: ../require-container-port-names.yaml
- - patch:
- resource:
- apiVersion: kyverno.io/v1
- kind: ClusterPolicy
- metadata:
- name: require-container-port-names
- spec:
- validationFailureAction: Enforce
- - assert:
- file: policy-ready.yaml
- - name: step-02
- try:
- - apply:
- file: pod-good.yaml
- - apply:
- expect:
- - check:
- ($error != null): true
- file: pod-bad.yaml
- - apply:
- file: podcontroller-good.yaml
- - apply:
- expect:
- - check:
- ($error != null): true
- file: podcontroller-bad.yaml
diff --git a/other-cel/require-container-port-names/.chainsaw-test/pod-bad.yaml b/other-cel/require-container-port-names/.chainsaw-test/pod-bad.yaml
deleted file mode 100644
index a9be85d99..000000000
--- a/other-cel/require-container-port-names/.chainsaw-test/pod-bad.yaml
+++ /dev/null
@@ -1,46 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
- name: badpod01
-spec:
- containers:
- - name: busybox
- image: ghcr.io/kyverno/test-busybox:1.35
- ports:
- - containerPort: 80
----
-apiVersion: v1
-kind: Pod
-metadata:
- name: badpod02
-spec:
- containers:
- - name: busybox
- image: ghcr.io/kyverno/test-busybox:1.35
- ports:
- - name: http-port
- containerPort: 80
- - name: busybox02
- image: ghcr.io/kyverno/test-busybox:1.35
- ports:
- - containerPort: 80
- - containerPort: 443
- name: https-port
----
-apiVersion: v1
-kind: Pod
-metadata:
- name: badpod03
-spec:
- containers:
- - name: busybox
- image: ghcr.io/kyverno/test-busybox:1.35
- ports:
- - containerPort: 80
- - name: busybox02
- image: ghcr.io/kyverno/test-busybox:1.35
- ports:
- - containerPort: 80
- name: http-port
- - containerPort: 443
- name: https-port
\ No newline at end of file
diff --git a/other-cel/require-container-port-names/.chainsaw-test/pod-good.yaml b/other-cel/require-container-port-names/.chainsaw-test/pod-good.yaml
deleted file mode 100644
index 1bbaa60e6..000000000
--- a/other-cel/require-container-port-names/.chainsaw-test/pod-good.yaml
+++ /dev/null
@@ -1,30 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
- name: goodpod01
-spec:
- containers:
- - name: busybox
- image: ghcr.io/kyverno/test-busybox:1.35
- ports:
- - name: http-port
- containerPort: 80
----
-apiVersion: v1
-kind: Pod
-metadata:
- name: goodpod02
-spec:
- containers:
- - name: busybox
- image: ghcr.io/kyverno/test-busybox:1.35
- ports:
- - name: http-port
- containerPort: 80
- - name: busybox02
- image: ghcr.io/kyverno/test-busybox:1.35
- ports:
- - name: http-port
- containerPort: 80
- - containerPort: 443
- name: https-port
\ No newline at end of file
diff --git a/other-cel/require-container-port-names/.chainsaw-test/podcontroller-bad.yaml b/other-cel/require-container-port-names/.chainsaw-test/podcontroller-bad.yaml
deleted file mode 100644
index fd12ecd36..000000000
--- a/other-cel/require-container-port-names/.chainsaw-test/podcontroller-bad.yaml
+++ /dev/null
@@ -1,54 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- labels:
- app: busybox
- name: baddeployment01
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: busybox
- strategy: {}
- template:
- metadata:
- labels:
- app: busybox
- spec:
- containers:
- - name: busybox
- image: ghcr.io/kyverno/test-busybox:1.35
- ports:
- - name: http-port
- containerPort: 80
- - name: busybox02
- image: ghcr.io/kyverno/test-busybox:1.35
- ports:
- - containerPort: 80
- - containerPort: 443
- name: https-port
----
-apiVersion: batch/v1
-kind: CronJob
-metadata:
- name: badcronjob01
-spec:
- schedule: "* * * * *"
- jobTemplate:
- spec:
- template:
- metadata:
- spec:
- containers:
- - name: busybox
- image: ghcr.io/kyverno/test-busybox:1.35
- ports:
- - name: http-port
- containerPort: 80
- - name: busybox02
- image: ghcr.io/kyverno/test-busybox:1.35
- ports:
- - containerPort: 80
- - containerPort: 443
- name: https-port
- restartPolicy: OnFailure
\ No newline at end of file
diff --git a/other-cel/require-container-port-names/.chainsaw-test/podcontroller-good.yaml b/other-cel/require-container-port-names/.chainsaw-test/podcontroller-good.yaml
deleted file mode 100644
index 9f5f94e13..000000000
--- a/other-cel/require-container-port-names/.chainsaw-test/podcontroller-good.yaml
+++ /dev/null
@@ -1,56 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- labels:
- app: busybox
- name: gooddeployment01
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: busybox
- strategy: {}
- template:
- metadata:
- labels:
- app: busybox
- spec:
- containers:
- - name: busybox
- image: ghcr.io/kyverno/test-busybox:1.35
- ports:
- - name: http-port
- containerPort: 80
- - name: busybox02
- image: ghcr.io/kyverno/test-busybox:1.35
- ports:
- - name: http-port
- containerPort: 80
- - containerPort: 443
- name: https-port
----
-apiVersion: batch/v1
-kind: CronJob
-metadata:
- name: goodcronjob01
-spec:
- schedule: "* * * * *"
- jobTemplate:
- spec:
- template:
- metadata:
- spec:
- containers:
- - name: busybox
- image: ghcr.io/kyverno/test-busybox:1.35
- ports:
- - name: http-port
- containerPort: 80
- - name: busybox02
- image: ghcr.io/kyverno/test-busybox:1.35
- ports:
- - name: http-port
- containerPort: 80
- - containerPort: 443
- name: https-port
- restartPolicy: OnFailure
\ No newline at end of file
diff --git a/other-cel/require-container-port-names/.chainsaw-test/policy-ready.yaml b/other-cel/require-container-port-names/.chainsaw-test/policy-ready.yaml
deleted file mode 100755
index ad3202354..000000000
--- a/other-cel/require-container-port-names/.chainsaw-test/policy-ready.yaml
+++ /dev/null
@@ -1,10 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
- name: require-container-port-names
-status:
- conditions:
- - reason: Succeeded
- status: "True"
- type: Ready
-
diff --git a/other-cel/require-container-port-names/.kyverno-test/kyverno-test.yaml b/other-cel/require-container-port-names/.kyverno-test/kyverno-test.yaml
deleted file mode 100644
index c1054a710..000000000
--- a/other-cel/require-container-port-names/.kyverno-test/kyverno-test.yaml
+++ /dev/null
@@ -1,52 +0,0 @@
-apiVersion: cli.kyverno.io/v1alpha1
-kind: Test
-metadata:
- name: require-container-port-names
-policies:
-- ../require-container-port-names.yaml
-resources:
-- ../.chainsaw-test/pod-bad.yaml
-- ../.chainsaw-test/pod-good.yaml
-- ../.chainsaw-test/podcontroller-bad.yaml
-- ../.chainsaw-test/podcontroller-good.yaml
-results:
-- kind: Pod
- policy: require-container-port-names
- rule: port-name
- resources:
- - badpod01
- - badpod02
- - badpod03
- result: fail
-- kind: Pod
- policy: require-container-port-names
- rule: port-name
- resources:
- - goodpod01
- - goodpod02
- result: pass
-- kind: Deployment
- policy: require-container-port-names
- rule: port-name
- resources:
- - baddeployment01
- result: fail
-- kind: CronJob
- policy: require-container-port-names
- rule: port-name
- resources:
- - badcronjob01
- result: fail
-- kind: Deployment
- policy: require-container-port-names
- rule: port-name
- resources:
- - gooddeployment01
- result: pass
-- kind: CronJob
- policy: require-container-port-names
- rule: port-name
- resources:
- - goodcronjob01
- result: pass
-
diff --git a/other-cel/require-container-port-names/artifacthub-pkg.yml b/other-cel/require-container-port-names/artifacthub-pkg.yml
deleted file mode 100644
index 401c9c763..000000000
--- a/other-cel/require-container-port-names/artifacthub-pkg.yml
+++ /dev/null
@@ -1,24 +0,0 @@
-name: require-container-port-names-cel
-version: 1.0.0
-displayName: Require Container Port Names in CEL expressions
-description: >-
- Containers may define ports on which they listen. In addition to a port number, a name field may optionally be used. Including a name makes it easier when defining Service resource definitions and others since the name may be referenced allowing the port number to change. This policy requires that for every containerPort defined there is also a name specified.
-install: |-
- ```shell
- kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other-cel/require-container-port-names/require-container-port-names.yaml
- ```
-keywords:
- - kyverno
- - Other
- - CEL Expressions
-readme: |
- Containers may define ports on which they listen. In addition to a port number, a name field may optionally be used. Including a name makes it easier when defining Service resource definitions and others since the name may be referenced allowing the port number to change. This policy requires that for every containerPort defined there is also a name specified.
-
- Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/
-annotations:
- kyverno/category: "Other in CEL"
- kyverno/kubernetesVersion: "1.26-1.27"
- kyverno/subject: "Pod"
-digest: 769749ee4aefe260c950c0f36f7c966ef3f9c432469e342014660992b35c475d
-createdAt: "2024-04-27T16:37:39Z"
-
diff --git a/other-cel/require-container-port-names/require-container-port-names.yaml b/other-cel/require-container-port-names/require-container-port-names.yaml
deleted file mode 100644
index ce89cac63..000000000
--- a/other-cel/require-container-port-names/require-container-port-names.yaml
+++ /dev/null
@@ -1,36 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: require-container-port-names - annotations: - policies.kyverno.io/title: Require Container Port Names in CEL expressions - policies.kyverno.io/category: Other in CEL - policies.kyverno.io/severity: medium - kyverno.io/kyverno-version: 1.11.0 - kyverno.io/kubernetes-version: "1.26-1.27" - policies.kyverno.io/subject: Pod - policies.kyverno.io/description: >- - Containers may define ports on which they listen. In addition to a port number, - a name field may optionally be used. Including a name makes it easier when defining - Service resource definitions and others since the name may be referenced allowing - the port number to change. This policy requires that for every containerPort defined - there is also a name specified. -spec: - validationFailureAction: Audit - background: true - rules: - - name: port-name - match: - any: - - resources: - kinds: - - Pod - operations: - - CREATE - - UPDATE - validate: - cel: - expressions: - - expression: "object.spec.containers.all(container, container.?ports.orValue([]).all(port, has(port.name)))" - message: Name is required for every containerPort. - diff --git a/other-cel/require-deployments-have-multiple-replicas/.chainsaw-test/chainsaw-test.yaml b/other-cel/require-deployments-have-multiple-replicas/.chainsaw-test/chainsaw-test.yaml deleted file mode 100755 index 4fdd0c552..000000000 --- a/other-cel/require-deployments-have-multiple-replicas/.chainsaw-test/chainsaw-test.yaml +++ /dev/null 
@@ -1,32 +0,0 @@
-# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
-apiVersion: chainsaw.kyverno.io/v1alpha1
-kind: Test
-metadata:
- creationTimestamp: null
- name: require-deployments-have-multiple-replicas
-spec:
- steps:
- - name: step-01
- try:
- - apply:
- file: ../require-deployments-have-multiple-replicas.yaml
- - patch:
- resource:
- apiVersion: kyverno.io/v1
- kind: ClusterPolicy
- metadata:
- name: deployment-has-multiple-replicas
- spec:
- validationFailureAction: Enforce
- - assert:
- file: policy-ready.yaml
- - name: step-02
- try:
- - apply:
- file: deploy-good.yaml
- - apply:
- expect:
- - check:
- ($error != null): true
- file: deploy-bad.yaml
-
diff --git a/other-cel/require-deployments-have-multiple-replicas/.chainsaw-test/deploy-bad.yaml b/other-cel/require-deployments-have-multiple-replicas/.chainsaw-test/deploy-bad.yaml
deleted file mode 100644
index cf0c3471c..000000000
--- a/other-cel/require-deployments-have-multiple-replicas/.chainsaw-test/deploy-bad.yaml
+++ /dev/null
@@ -1,68 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- labels:
- app: busybox
- name: baddeployment01
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: busybox
- strategy: {}
- template:
- metadata:
- labels:
- app: busybox
- spec:
- containers:
- - name: busybox
- image: ghcr.io/kyverno/test-busybox:1.35
- - name: busybox02
- image: ghcr.io/kyverno/test-busybox:1.35
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- labels:
- app: busybox
- name: baddeployment02
-spec:
- replicas: 0
- selector:
- matchLabels:
- app: busybox
- strategy: {}
- template:
- metadata:
- labels:
- app: busybox
- spec:
- containers:
- - name: busybox
- image: ghcr.io/kyverno/test-busybox:1.35
- - name: busybox02
- image: ghcr.io/kyverno/test-busybox:1.35
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- labels:
- app: busybox
- name: baddeployment03
-spec:
- selector:
- matchLabels:
- app: busybox
- strategy: {}
- template:
- metadata:
- labels:
- app: busybox
- spec:
- containers:
- - name: busybox
- image: ghcr.io/kyverno/test-busybox:1.35
- - name: busybox02
- image: ghcr.io/kyverno/test-busybox:1.35
-
diff --git a/other-cel/require-deployments-have-multiple-replicas/.chainsaw-test/deploy-good.yaml b/other-cel/require-deployments-have-multiple-replicas/.chainsaw-test/deploy-good.yaml
deleted file mode 100644
index d677a36af..000000000
--- a/other-cel/require-deployments-have-multiple-replicas/.chainsaw-test/deploy-good.yaml
+++ /dev/null
@@ -1,46 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- labels:
- app: busybox
- name: gooddeployment01
-spec:
- replicas: 2
- selector:
- matchLabels:
- app: busybox
- strategy: {}
- template:
- metadata:
- labels:
- app: busybox
- spec:
- containers:
- - name: busybox
- image: ghcr.io/kyverno/test-busybox:1.35
- - name: busybox02
- image: ghcr.io/kyverno/test-busybox:1.35
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- labels:
- app: busybox
- name: gooddeployment02
-spec:
- replicas: 3
- selector:
- matchLabels:
- app: busybox
- strategy: {}
- template:
- metadata:
- labels:
- app: busybox
- spec:
- containers:
- - name: busybox
- image: ghcr.io/kyverno/test-busybox:1.35
- - name: busybox02
- image: ghcr.io/kyverno/test-busybox:1.35
-
diff --git a/other-cel/require-deployments-have-multiple-replicas/.chainsaw-test/policy-ready.yaml b/other-cel/require-deployments-have-multiple-replicas/.chainsaw-test/policy-ready.yaml
deleted file mode 100755
index 22681ce73..000000000
--- a/other-cel/require-deployments-have-multiple-replicas/.chainsaw-test/policy-ready.yaml
+++ /dev/null
@@ -1,11 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
- name: deployment-has-multiple-replicas
-status:
- conditions:
- - reason: Succeeded
- status: "True"
- type: Ready
-
-
diff --git a/other-cel/require-deployments-have-multiple-replicas/.kyverno-test/kyverno-test.yaml b/other-cel/require-deployments-have-multiple-replicas/.kyverno-test/kyverno-test.yaml
deleted file mode 100644
index 07bccb8b6..000000000
--- a/other-cel/require-deployments-have-multiple-replicas/.kyverno-test/kyverno-test.yaml
+++ /dev/null
@@ -1,22 +0,0 @@
-apiVersion: cli.kyverno.io/v1alpha1
-kind: Test
-metadata:
- name: deployment-has-multiple-replicas
-policies:
-- ../require-deployments-have-multiple-replicas.yaml
-resources:
-- resource.yaml
-results:
-- kind: Deployment
- policy: deployment-has-multiple-replicas
- resources:
- - mydeploygood
- result: pass
- rule: deployment-has-multiple-replicas
-- kind: Deployment
- policy: deployment-has-multiple-replicas
- resources:
- - mydeploybad
- result: fail
- rule: deployment-has-multiple-replicas
-
diff --git a/other-cel/require-deployments-have-multiple-replicas/.kyverno-test/resource.yaml b/other-cel/require-deployments-have-multiple-replicas/.kyverno-test/resource.yaml
deleted file mode 100644
index 6fc0aa939..000000000
--- a/other-cel/require-deployments-have-multiple-replicas/.kyverno-test/resource.yaml
+++ /dev/null
@@ -1,41 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: mydeploygood
-spec:
- replicas: 2
- selector:
- matchLabels:
- app: myapp
- template:
- metadata:
- labels:
- app: myapp
- spec:
- containers:
- - name: nginx
- image: nginx
- ports:
- - containerPort: 80
-
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: mydeploybad
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: myapp
- template:
- metadata:
- labels:
- app: myapp
- spec:
- containers:
- - name: nginx
- image: nginx
- ports:
- - containerPort: 80
-
diff --git a/other-cel/require-deployments-have-multiple-replicas/artifacthub-pkg.yml b/other-cel/require-deployments-have-multiple-replicas/artifacthub-pkg.yml
deleted file mode 100644
index ddbdfb2fb..000000000
--- a/other-cel/require-deployments-have-multiple-replicas/artifacthub-pkg.yml
+++ /dev/null
@@ -1,24 +0,0 @@
-name: require-deployments-have-multiple-replicas-cel
-version: 1.0.0
-displayName: Require Multiple Replicas in CEL expressions
-description: >-
- Deployments with a single replica cannot be highly available and thus the application may suffer downtime if that one replica goes down. This policy validates that Deployments have more than one replica.
-install: |-
- ```shell
- kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other-cel/require-deployments-have-multiple-replicas/require-deployments-have-multiple-replicas.yaml
- ```
-keywords:
- - kyverno
- - Sample
- - CEL Expressions
-readme: |
- Deployments with a single replica cannot be highly available and thus the application may suffer downtime if that one replica goes down. This policy validates that Deployments have more than one replica.
-
- Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/
-annotations:
- kyverno/category: "Sample in CEL"
- kyverno/kubernetesVersion: "1.26-1.27"
- kyverno/subject: "Deployment"
-digest: ee5b95668db9936b32f32f1d8ee167d4adec5c71c214981bbb503c1a5c416356
-createdAt: "2024-04-09T16:03:47Z"
-
diff --git a/other-cel/require-deployments-have-multiple-replicas/require-deployments-have-multiple-replicas.yaml b/other-cel/require-deployments-have-multiple-replicas/require-deployments-have-multiple-replicas.yaml
deleted file mode 100644
index 567e1c5c5..000000000
--- a/other-cel/require-deployments-have-multiple-replicas/require-deployments-have-multiple-replicas.yaml
+++ /dev/null
@@ -1,34 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: deployment-has-multiple-replicas - annotations: - policies.kyverno.io/title: Require Multiple Replicas in CEL expressions - policies.kyverno.io/category: Sample in CEL - policies.kyverno.io/severity: medium - policies.kyverno.io/subject: Deployment - policies.kyverno.io/minversion: 1.11.0 - kyverno.io/kubernetes-version: "1.26-1.27" - policies.kyverno.io/description: >- - Deployments with a single replica cannot be highly available and thus the application - may suffer downtime if that one replica goes down. This policy validates that Deployments - have more than one replica. -spec: - validationFailureAction: Audit - background: true - rules: - - name: deployment-has-multiple-replicas - match: - any: - - resources: - kinds: - - Deployment - operations: - - CREATE - - UPDATE - validate: - cel: - expressions: - - expression: "object.spec.replicas > 1" - message: "Deployments should have more than one replica to ensure availability." - diff --git a/other-cel/require-emptydir-requests-limits/.chainsaw-test/bad-pod.yaml b/other-cel/require-emptydir-requests-limits/.chainsaw-test/bad-pod.yaml deleted file mode 100644 index 8dea0db19..000000000 --- a/other-cel/require-emptydir-requests-limits/.chainsaw-test/bad-pod.yaml +++ /dev/null 
@@ -1,48 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - labels: - app: busybox - name: badpod01 -spec: - initContainers: - - image: ghcr.io/kyverno/test-busybox:1.35 - name: busybox-init - volumeMounts: - - mountPath: /mnt/foo - name: foo - resources: - requests: - ephemeral-storage: "2Gi" - limits: - ephemeral-storage: "2Gi" - - image: ghcr.io/kyverno/test-busybox:1.35 - name: busybox02-init - volumeMounts: - - mountPath: /mnt/vol - name: vol - containers: - - image: ghcr.io/kyverno/test-busybox:1.35 - name: busybox - volumeMounts: - - mountPath: /mnt/foo - name: foo-host - - image: ghcr.io/kyverno/test-busybox:1.35 - name: busybox02 - resources: - requests: - ephemeral-storage: "2Gi" - limits: - ephemeral-storage: "2Gi" - volumeMounts: - - mountPath: /mnt/vol - name: vol - volumes: - - name: vol - emptyDir: {} - - name: foo - emptyDir: - sizeLimit: 200Mi - - name: foo-host - hostPath: - path: /var/foo \ No newline at end of file diff --git a/other-cel/require-emptydir-requests-limits/.chainsaw-test/chainsaw-test.yaml b/other-cel/require-emptydir-requests-limits/.chainsaw-test/chainsaw-test.yaml deleted file mode 100755 index 0f3822143..000000000 --- a/other-cel/require-emptydir-requests-limits/.chainsaw-test/chainsaw-test.yaml +++ /dev/null 
@@ -1,38 +0,0 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json -apiVersion: chainsaw.kyverno.io/v1alpha1 -kind: Test -metadata: - creationTimestamp: null - name: require-emptydir-requests-limits -spec: - steps: - - name: step-01 - try: - - apply: - file: ../require-emptydir-requests-limits.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: require-emptydir-requests-and-limits - spec: - validationFailureAction: Enforce - - assert: - file: policy-ready.yaml - - name: step-02 - try: - - apply: - file: pod-good.yaml - - apply: - expect: - - check: - ($error != null): true - file: pod-bad.yaml - - apply: - file: podcontroller-good.yaml - - apply: - expect: - - check: - ($error != null): true - file: podcontroller-bad.yaml diff --git a/other-cel/require-emptydir-requests-limits/.chainsaw-test/pod-bad.yaml b/other-cel/require-emptydir-requests-limits/.chainsaw-test/pod-bad.yaml deleted file mode 100644 index be38730f2..000000000 --- a/other-cel/require-emptydir-requests-limits/.chainsaw-test/pod-bad.yaml +++ /dev/null 
@@ -1,159 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: badpod01 -spec: - containers: - - image: ghcr.io/kyverno/test-busybox:1.35 - name: busybox - volumeMounts: - - mountPath: /mnt/foo - name: foo - - image: ghcr.io/kyverno/test-busybox:1.35 - name: busybox02 - resources: - requests: - ephemeral-storage: "2Gi" - limits: - ephemeral-storage: "2Gi" - volumes: - - name: foo - emptyDir: {} ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod02 -spec: - containers: - - image: ghcr.io/kyverno/test-busybox:1.35 - name: busybox - volumeMounts: - - mountPath: /cache/data - name: vol - volumes: - - name: vol - emptyDir: {} ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod03 -spec: - containers: - - image: ghcr.io/kyverno/test-busybox:1.35 - name: busybox - volumeMounts: - - mountPath: /mnt/vol - name: vol - - image: ghcr.io/kyverno/test-busybox:1.35 - name: busybox02 - volumeMounts: - - mountPath: /mnt/foo - name: foo - volumes: - - name: vol - emptyDir: - sizeLimit: 200Mi - - name: foo - emptyDir: {} ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod04 -spec: - initContainers: - - image: ghcr.io/kyverno/test-busybox:1.35 - name: busybox-init - volumeMounts: - - mountPath: /mnt/foo - name: foo - resources: - requests: - ephemeral-storage: "2Gi" - limits: - ephemeral-storage: "2Gi" - - image: ghcr.io/kyverno/test-busybox:1.35 - name: busybox02-init - volumeMounts: - - mountPath: /mnt/vol - name: vol - containers: - - image: ghcr.io/kyverno/test-busybox:1.35 - name: busybox - volumeMounts: - - mountPath: /mnt/vol - name: vol - - image: ghcr.io/kyverno/test-busybox:1.35 - name: busybox02 - resources: - requests: - ephemeral-storage: "2Gi" - limits: - ephemeral-storage: "2Gi" - volumeMounts: - - mountPath: /mnt/foo - name: foo - volumes: - - name: vol - emptyDir: {} - - name: foo - emptyDir: - sizeLimit: 200Mi ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod05 -spec: - containers: - - image: ghcr.io/kyverno/test-busybox:1.35 - name: busybox 
- resources: - requests: - ephemeral-storage: "2Gi" - volumeMounts: - - mountPath: /cache/data - name: vol - volumes: - - name: vol - emptyDir: {} ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod06 -spec: - containers: - - image: ghcr.io/kyverno/test-busybox:1.35 - name: busybox - resources: - requests: - ephemeral-storage: "2Gi" - volumeMounts: - - mountPath: /cache/data - name: vol - volumes: - - name: vol - emptyDir: {} ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod07 -spec: - containers: - - image: ghcr.io/kyverno/test-busybox:1.35 - name: busybox - resources: - limits: - memory: "2Gi" - requests: - memory: "2Gi" - volumeMounts: - - mountPath: /cache/data - name: vol - volumes: - - name: vol - emptyDir: {} \ No newline at end of file diff --git a/other-cel/require-emptydir-requests-limits/.chainsaw-test/pod-good.yaml b/other-cel/require-emptydir-requests-limits/.chainsaw-test/pod-good.yaml deleted file mode 100644 index c99ae5a9b..000000000 --- a/other-cel/require-emptydir-requests-limits/.chainsaw-test/pod-good.yaml +++ /dev/null 
@@ -1,207 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: goodpod01 -spec: - containers: - - image: ghcr.io/kyverno/test-busybox:1.35 - name: busybox - resources: - requests: - ephemeral-storage: "2Gi" - limits: - ephemeral-storage: "2Gi" - volumeMounts: - - mountPath: /cache/data - name: vol - volumes: - - name: vol - emptyDir: {} ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod02 -spec: - containers: - - image: ghcr.io/kyverno/test-busybox:1.35 - name: busybox ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod03 -spec: - containers: - - image: ghcr.io/kyverno/test-busybox:1.35 - name: busybox - volumeMounts: - - mountPath: /cache/data - name: vol - volumes: - - name: vol - emptyDir: - sizeLimit: 200Mi ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod04 -spec: - initContainers: - - image: ghcr.io/kyverno/test-busybox:1.35 - name: busybox-init - volumeMounts: - - mountPath: /mnt/vol - name: vol - resources: - requests: - ephemeral-storage: "2Gi" - limits: - ephemeral-storage: "2Gi" - - image: ghcr.io/kyverno/test-busybox:1.35 - name: busybox02-init - volumeMounts: - - mountPath: /mnt/foo - name: foo - containers: - - image: ghcr.io/kyverno/test-busybox:1.35 - name: busybox - volumeMounts: - - mountPath: /mnt/foo - name: foo - - image: ghcr.io/kyverno/test-busybox:1.35 - name: busybox02 - resources: - requests: - ephemeral-storage: "2Gi" - limits: - ephemeral-storage: "2Gi" - volumeMounts: - - mountPath: /mnt/vol - name: vol - volumes: - - name: vol - emptyDir: {} - - name: foo - emptyDir: - sizeLimit: 200Mi ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod05 -spec: - initContainers: - - image: ghcr.io/kyverno/test-busybox:1.35 - name: busybox-init - - image: ghcr.io/kyverno/test-busybox:1.35 - name: busybox02-init - volumeMounts: - - mountPath: /mnt/foo - name: foo - containers: - - image: ghcr.io/kyverno/test-busybox:1.35 - name: busybox - volumeMounts: - - mountPath: /mnt/foo - name: foo - - image: 
ghcr.io/kyverno/test-busybox:1.35 - name: busybox02 - volumes: - - name: vol - emptyDir: {} - - name: foo - emptyDir: - sizeLimit: 200Mi ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod06 -spec: - containers: - - image: ghcr.io/kyverno/test-busybox:1.35 - name: busybox - volumeMounts: - - mountPath: /mnt/foo - name: foo - resources: - requests: - ephemeral-storage: "2Gi" - limits: - ephemeral-storage: "2Gi" - - image: ghcr.io/kyverno/test-busybox:1.35 - name: busybox02 - volumes: - - name: foo - emptyDir: {} ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod07 -spec: - containers: - - image: ghcr.io/kyverno/test-busybox:1.35 - name: busybox - volumeMounts: - - mountPath: /mnt/foo - name: foo - - image: ghcr.io/kyverno/test-busybox:1.35 - name: busybox02 - volumes: - - name: foo - hostPath: - path: /var/foo ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod08 -spec: - initContainers: - - name: certificates - image: ghcr.io/kyverno/test-busybox - volumeMounts: - - name: etc-ssl-certs - mountPath: /etc/ssl/certs - resources: - limits: - ephemeral-storage: 256Mi - requests: - ephemeral-storage: 256Mi - - name: configure - image: ghcr.io/kyverno/test-busybox - volumeMounts: - - name: etc-ssl-certs - mountPath: /etc/ssl/certs/ - - name: my-app-secrets - mountPath: /init-secrets - resources: - limits: - ephemeral-storage: 256Mi - requests: - ephemeral-storage: 256Mi - containers: - - name: my-app - image: ghcr.io/kyverno/test-busybox - resources: - limits: - cpu: "2" - ephemeral-storage: 1Gi - memory: 500Mi - requests: - ephemeral-storage: 500Mi - volumeMounts: - - name: etc-ssl-certs - mountPath: /etc/ssl/certs/ - - name: my-app-secrets - mountPath: /etc/secrets - volumes: - - name: my-app-secrets - emptyDir: - medium: Memory - - name: etc-ssl-certs - emptyDir: - medium: "Memory" \ No newline at end of file 
diff --git a/other-cel/require-emptydir-requests-limits/.chainsaw-test/podcontroller-bad.yaml b/other-cel/require-emptydir-requests-limits/.chainsaw-test/podcontroller-bad.yaml deleted file mode 100644 index 7983cee46..000000000 --- a/other-cel/require-emptydir-requests-limits/.chainsaw-test/podcontroller-bad.yaml +++ /dev/null 
@@ -1,104 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app: busybox - name: baddeployment01 -spec: - replicas: 1 - selector: - matchLabels: - app: busybox - strategy: {} - template: - metadata: - labels: - app: busybox - spec: - initContainers: - - image: ghcr.io/kyverno/test-busybox:1.35 - name: busybox-init - volumeMounts: - - mountPath: /mnt/foo - name: foo - - image: ghcr.io/kyverno/test-busybox:1.35 - name: busybox02-init - volumeMounts: - - mountPath: /mnt/vol - name: vol - containers: - - image: ghcr.io/kyverno/test-busybox:1.35 - name: busybox - volumeMounts: - - mountPath: /mnt/foo - name: foo-host - - image: ghcr.io/kyverno/test-busybox:1.35 - name: busybox02 - resources: - requests: - ephemeral-storage: "2Gi" - limits: - ephemeral-storage: "2Gi" - volumeMounts: - - mountPath: /mnt/vol - name: vol - volumes: - - name: vol - emptyDir: {} - - name: foo - emptyDir: - sizeLimit: 200Mi - - name: foo-host - hostPath: - path: /var/foo ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob01 -spec: - schedule: "* * * * *" - jobTemplate: - spec: - template: - spec: - initContainers: - - image: ghcr.io/kyverno/test-busybox:1.35 - name: busybox-init - volumeMounts: - - mountPath: /mnt/foo - name: foo - resources: - requests: - ephemeral-storage: "2Gi" - limits: - ephemeral-storage: "2Gi" - - image: ghcr.io/kyverno/test-busybox:1.35 - name: busybox02-init - volumeMounts: - - mountPath: /mnt/vol - name: vol - containers: - - image: ghcr.io/kyverno/test-busybox:1.35 - name: busybox - volumeMounts: - - mountPath: /mnt/foo - name: foo-host - - image: ghcr.io/kyverno/test-busybox:1.35 - name: busybox02 - resources: - requests: - memory: "2Gi" - volumeMounts: - - mountPath: /mnt/vol - name: vol - volumes: - - name: vol - emptyDir: {} - - name: foo - emptyDir: - sizeLimit: 200Mi - - name: foo-host - hostPath: - path: /var/foo - restartPolicy: OnFailure \ No newline at end of file 
diff --git a/other-cel/require-emptydir-requests-limits/.chainsaw-test/podcontroller-good.yaml b/other-cel/require-emptydir-requests-limits/.chainsaw-test/podcontroller-good.yaml deleted file mode 100644 index bbea194f0..000000000 --- a/other-cel/require-emptydir-requests-limits/.chainsaw-test/podcontroller-good.yaml +++ /dev/null 
@@ -1,111 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app: busybox - name: gooddeployment01 -spec: - replicas: 1 - selector: - matchLabels: - app: busybox - strategy: {} - template: - metadata: - labels: - app: busybox - spec: - initContainers: - - image: ghcr.io/kyverno/test-busybox:1.35 - name: busybox-init - volumeMounts: - - mountPath: /mnt/vol - name: vol - resources: - requests: - ephemeral-storage: "2Gi" - limits: - ephemeral-storage: "2Gi" - - image: ghcr.io/kyverno/test-busybox:1.35 - name: busybox02-init - volumeMounts: - - mountPath: /mnt/foo - name: foo-host - containers: - - image: ghcr.io/kyverno/test-busybox:1.35 - name: busybox - volumeMounts: - - mountPath: /mnt/foo - name: foo - - image: ghcr.io/kyverno/test-busybox:1.35 - name: busybox02 - resources: - requests: - ephemeral-storage: "2Gi" - limits: - ephemeral-storage: "2Gi" - volumeMounts: - - mountPath: /mnt/vol - name: vol - volumes: - - name: vol - emptyDir: {} - - name: foo - emptyDir: - sizeLimit: 200Mi - - name: foo-host - hostPath: - path: /var/foo ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob01 -spec: - schedule: "* * * * *" - jobTemplate: - spec: - template: - spec: - initContainers: - - image: ghcr.io/kyverno/test-busybox:1.35 - name: busybox-init - volumeMounts: - - mountPath: /mnt/vol - name: vol - resources: - requests: - ephemeral-storage: "2Gi" - limits: - ephemeral-storage: "2Gi" - - image: ghcr.io/kyverno/test-busybox:1.35 - name: busybox02-init - volumeMounts: - - mountPath: /mnt/foo - name: foo - containers: - - image: ghcr.io/kyverno/test-busybox:1.35 - name: busybox - volumeMounts: - - mountPath: /mnt/foo - name: foo - - image: ghcr.io/kyverno/test-busybox:1.35 - name: busybox02 - resources: - requests: - ephemeral-storage: "2Gi" - limits: - ephemeral-storage: "2Gi" - volumeMounts: - - mountPath: /mnt/vol - name: vol - volumes: - - name: vol - emptyDir: {} - - name: foo - emptyDir: - sizeLimit: 200Mi - - name: foo-host - 
hostPath: - path: /var/foo - restartPolicy: OnFailure \ No newline at end of file diff --git a/other-cel/require-emptydir-requests-limits/.chainsaw-test/policy-ready.yaml b/other-cel/require-emptydir-requests-limits/.chainsaw-test/policy-ready.yaml deleted file mode 100755 index 7ce8296f7..000000000 --- a/other-cel/require-emptydir-requests-limits/.chainsaw-test/policy-ready.yaml +++ /dev/null @@ -1,10 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: require-emptydir-requests-and-limits -status: - conditions: - - reason: Succeeded - status: "True" - type: Ready - diff --git a/other-cel/require-emptydir-requests-limits/.kyverno-test/kyverno-test.yaml b/other-cel/require-emptydir-requests-limits/.kyverno-test/kyverno-test.yaml deleted file mode 100644 index b97a5b0ec..000000000 --- a/other-cel/require-emptydir-requests-limits/.kyverno-test/kyverno-test.yaml +++ /dev/null @@ -1,30 +0,0 @@ -apiVersion: cli.kyverno.io/v1alpha1 -kind: Test -metadata: - name: require-emptydir-requests-and-limits -policies: -- ../require-emptydir-requests-limits.yaml -resources: -- resource-fail.yaml -- resource-pass.yaml -- resource-skip.yaml -results: -- kind: Pod - policy: require-emptydir-requests-and-limits - resources: - - fail-pod - result: fail - rule: check-emptydir-requests-limits -- kind: Pod - policy: require-emptydir-requests-and-limits - resources: - - pass-pod-01 - - pass-pod-02 - result: pass - rule: check-emptydir-requests-limits -- kind: Pod - policy: require-emptydir-requests-and-limits - resources: - - skip-pod - result: skip - rule: check-emptydir-requests-limits diff --git a/other-cel/require-emptydir-requests-limits/.kyverno-test/resource-fail.yaml b/other-cel/require-emptydir-requests-limits/.kyverno-test/resource-fail.yaml deleted file mode 100644 index 29b724bbc..000000000 --- a/other-cel/require-emptydir-requests-limits/.kyverno-test/resource-fail.yaml +++ /dev/null 
@@ -1,15 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: fail-pod -spec: - containers: - - image: gcr.io/hello-world:1.0 - name: test - resources: {} - volumeMounts: - - mountPath: /cache/data - name: vol - volumes: - - name: vol - emptyDir: {} diff --git a/other-cel/require-emptydir-requests-limits/.kyverno-test/resource-pass.yaml b/other-cel/require-emptydir-requests-limits/.kyverno-test/resource-pass.yaml deleted file mode 100644 index b614d4688..000000000 --- a/other-cel/require-emptydir-requests-limits/.kyverno-test/resource-pass.yaml +++ /dev/null @@ -1,38 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: pass-pod-01 -spec: - containers: - - image: gcr.io/hello-world:1.0 - name: test - resources: - requests: - ephemeral-storage: "2Gi" - limits: - ephemeral-storage: "2Gi" - volumeMounts: - - mountPath: /cache/data - name: vol - volumes: - - name: vol - emptyDir: {} ---- -apiVersion: v1 -kind: Pod -metadata: - name: pass-pod-02 -spec: - containers: - - image: gcr.io/hello-world:1.0 - name: test - volumeMounts: - - mountPath: /cache/data - name: vol - - mountPath: /cache/data2 - name: vo2 - volumes: - - name: vol - emptyDir: - sizeLimit: 1Gi - diff --git a/other-cel/require-emptydir-requests-limits/.kyverno-test/resource-skip.yaml b/other-cel/require-emptydir-requests-limits/.kyverno-test/resource-skip.yaml deleted file mode 100644 index 8c2736f3f..000000000 --- a/other-cel/require-emptydir-requests-limits/.kyverno-test/resource-skip.yaml +++ /dev/null @@ -1,20 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: skip-pod -spec: - containers: - - image: gcr.io/hello-world:1.0 - name: test - volumeMounts: - - mountPath: /cache/data - name: vol - - mountPath: /cache/data2 - name: vol2 - volumes: - - name: vol - hostPath: - path: /mnt/data - - name: vol2 - hostPath: - path: /mnt/data2 
diff --git a/other-cel/require-emptydir-requests-limits/artifacthub-pkg.yml b/other-cel/require-emptydir-requests-limits/artifacthub-pkg.yml deleted file mode 100644 index 4b10934af..000000000 --- a/other-cel/require-emptydir-requests-limits/artifacthub-pkg.yml +++ /dev/null @@ -1,23 +0,0 @@ -name: require-emptydir-requests-limits-cel -version: 1.0.0 -displayName: Require Requests and Limits for emptyDir in CEL expressions -description: >- - Pods which mount emptyDir volumes may be allowed to potentially overrun the medium backing the emptyDir volume. This sample ensures that any initContainers or containers mounting an emptyDir volume have ephemeral-storage requests and limits set. Policy will be skipped if the volume has already a sizeLimit set. -install: |- - ```shell - kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other-cel/require-emptydir-requests-limits/require-emptydir-requests-limits.yaml - ``` -keywords: - - kyverno - - Other - - CEL Expressions -readme: | - Pods which mount emptyDir volumes may be allowed to potentially overrun the medium backing the emptyDir volume. This sample ensures that any initContainers or containers mounting an emptyDir volume have ephemeral-storage requests and limits set. Policy will be skipped if the volume has already a sizeLimit set. - - Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ -annotations: - kyverno/category: "Other in CEL" - kyverno/kubernetesVersion: "1.26-1.27" - kyverno/subject: "Pod" -digest: 532dc08b43aa1027bd893d6e21e7d3310e537a212cebedead22608e0c94e2dc5 -createdAt: "2024-05-19T10:11:00Z" diff --git a/other-cel/require-emptydir-requests-limits/require-emptydir-requests-limits.yaml b/other-cel/require-emptydir-requests-limits/require-emptydir-requests-limits.yaml deleted file mode 100644 index 5fd3ec9c3..000000000 
--- a/other-cel/require-emptydir-requests-limits/require-emptydir-requests-limits.yaml +++ /dev/null @@ -1,50 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: require-emptydir-requests-and-limits - annotations: - policies.kyverno.io/title: Require Requests and Limits for emptyDir in CEL expressions - policies.kyverno.io/category: Other in CEL - policies.kyverno.io/severity: medium - kyverno.io/kyverno-version: 1.12.1 - kyverno.io/kubernetes-version: "1.26-1.27" - policies.kyverno.io/subject: Pod - policies.kyverno.io/description: >- - Pods which mount emptyDir volumes may be allowed to potentially overrun - the medium backing the emptyDir volume. This sample ensures that any - initContainers or containers mounting an emptyDir volume have - ephemeral-storage requests and limits set. Policy will be skipped if - the volume has already a sizeLimit set. -spec: - background: false - validationFailureAction: Audit - rules: - - name: check-emptydir-requests-limits - match: - any: - - resources: - kinds: - - Pod - operations: - - CREATE - - UPDATE - celPreconditions: - - name: "has-emptydir-volume" - expression: "object.spec.?volumes.orValue([]).exists(volume, has(volume.emptyDir))" - validate: - cel: - variables: - - name: containers - expression: "object.spec.containers + object.spec.?initContainers.orValue([])" - - name: emptydirnames - expression: >- - has(object.spec.volumes) ? - object.spec.volumes.filter(volume, has(volume.emptyDir) && !has(volume.emptyDir.sizeLimit)).map(volume, volume.name) : [] - expressions: - - expression: >- - variables.containers.all(container, - !container.?volumeMounts.orValue([]).exists(mount, mount.name in variables.emptydirnames) || - container.resources.?requests[?'ephemeral-storage'].hasValue() && - container.resources.?limits[?'ephemeral-storage'].hasValue()) - message: Containers mounting emptyDir volumes must specify requests and limits for ephemeral-storage. - 
diff --git a/other-cel/require-image-checksum/.chainsaw-test/chainsaw-test.yaml b/other-cel/require-image-checksum/.chainsaw-test/chainsaw-test.yaml deleted file mode 100755 index 24fd96589..000000000 --- a/other-cel/require-image-checksum/.chainsaw-test/chainsaw-test.yaml +++ /dev/null @@ -1,39 +0,0 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json -apiVersion: chainsaw.kyverno.io/v1alpha1 -kind: Test -metadata: - creationTimestamp: null - name: require-image-checksum -spec: - steps: - - name: step-01 - try: - - apply: - file: ../require-image-checksum.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: require-image-checksum - spec: - validationFailureAction: Enforce - - assert: - file: policy-ready.yaml - - name: step-02 - try: - - apply: - file: pod-good.yaml - - apply: - expect: - - check: - ($error != null): true - file: pod-bad.yaml - - apply: - file: podcontroller-good.yaml - - apply: - expect: - - check: - ($error != null): true - file: podcontroller-bad.yaml - diff --git a/other-cel/require-image-checksum/.chainsaw-test/pod-bad.yaml b/other-cel/require-image-checksum/.chainsaw-test/pod-bad.yaml deleted file mode 100644 index fee9dd4df..000000000 --- a/other-cel/require-image-checksum/.chainsaw-test/pod-bad.yaml +++ /dev/null @@ -1,22 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: badpod01 -spec: - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 - - name: busybox02 - image: ghcr.io/kyverno/test-busybox@sha256:c81e98c8ff8ebe2ef81b784e9fcab9d1013d75064d00d0be4941ffb6973c948d ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod02 -spec: - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox - - name: bb - image: ghcr.io/kyverno/test-busybox:latest - 
diff --git a/other-cel/require-image-checksum/.chainsaw-test/pod-good.yaml b/other-cel/require-image-checksum/.chainsaw-test/pod-good.yaml deleted file mode 100644 index 72b1aeb11..000000000 --- a/other-cel/require-image-checksum/.chainsaw-test/pod-good.yaml +++ /dev/null @@ -1,22 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: goodpod01 -spec: - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox@sha256:c81e98c8ff8ebe2ef81b784e9fcab9d1013d75064d00d0be4941ffb6973c948d - - name: busybox02 - image: ghcr.io/kyverno/test-busybox@sha256:c81e98c8ff8ebe2ef81b784e9fcab9d1013d75064d00d0be4941ffb6973c948d ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod02 -spec: - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox@sha256:c81e98c8ff8ebe2ef81b784e9fcab9d1013d75064d00d0be4941ffb6973c948d - - name: nginx - image: ghcr.io/kyverno/test-nginx@sha256:eca6768a39363decf0a4606a282e222552576fec380f555b65560983f7305cf7 - diff --git a/other-cel/require-image-checksum/.chainsaw-test/podcontroller-bad.yaml b/other-cel/require-image-checksum/.chainsaw-test/podcontroller-bad.yaml deleted file mode 100644 index a8dc4cf66..000000000 --- a/other-cel/require-image-checksum/.chainsaw-test/podcontroller-bad.yaml +++ /dev/null 
@@ -1,40 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app: busybox - name: baddeployment01 -spec: - replicas: 1 - selector: - matchLabels: - app: busybox - strategy: {} - template: - metadata: - labels: - app: busybox - spec: - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 - - name: nginx - image: ghcr.io/kyverno/test-nginx@sha256:eca6768a39363decf0a4606a282e222552576fec380f555b65560983f7305cf7 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob01 -spec: - schedule: "* * * * *" - jobTemplate: - spec: - template: - spec: - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox@sha256:c81e98c8ff8ebe2ef81b784e9fcab9d1013d75064d00d0be4941ffb6973c948d - - name: bb - image: ghcr.io/kyverno/test-busybox:latest - restartPolicy: OnFailure - diff --git a/other-cel/require-image-checksum/.chainsaw-test/podcontroller-good.yaml b/other-cel/require-image-checksum/.chainsaw-test/podcontroller-good.yaml deleted file mode 100644 index 3e5ca997d..000000000 --- a/other-cel/require-image-checksum/.chainsaw-test/podcontroller-good.yaml +++ /dev/null 
@@ -1,40 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app: busybox - name: gooddeployment01 -spec: - replicas: 1 - selector: - matchLabels: - app: busybox - strategy: {} - template: - metadata: - labels: - app: busybox - spec: - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox@sha256:c81e98c8ff8ebe2ef81b784e9fcab9d1013d75064d00d0be4941ffb6973c948d - - name: nginx - image: ghcr.io/kyverno/test-nginx@sha256:eca6768a39363decf0a4606a282e222552576fec380f555b65560983f7305cf7 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob01 -spec: - schedule: "* * * * *" - jobTemplate: - spec: - template: - spec: - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox@sha256:c81e98c8ff8ebe2ef81b784e9fcab9d1013d75064d00d0be4941ffb6973c948d - - name: nginx - image: ghcr.io/kyverno/test-nginx@sha256:eca6768a39363decf0a4606a282e222552576fec380f555b65560983f7305cf7 - restartPolicy: OnFailure - diff --git a/other-cel/require-image-checksum/.chainsaw-test/policy-ready.yaml b/other-cel/require-image-checksum/.chainsaw-test/policy-ready.yaml deleted file mode 100755 index 33b603041..000000000 --- a/other-cel/require-image-checksum/.chainsaw-test/policy-ready.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: require-image-checksum -status: - conditions: - - reason: Succeeded - status: "True" - type: Ready - - diff --git a/other-cel/require-image-checksum/.kyverno-test/kyverno-test.yaml b/other-cel/require-image-checksum/.kyverno-test/kyverno-test.yaml deleted file mode 100644 index c8e21c333..000000000 --- a/other-cel/require-image-checksum/.kyverno-test/kyverno-test.yaml +++ /dev/null 
@@ -1,34 +0,0 @@ -apiVersion: cli.kyverno.io/v1alpha1 -kind: Test -metadata: - name: require-image-checksum -policies: -- ../require-image-checksum.yaml -resources: -- resource.yaml -results: -- kind: CronJob - policy: require-image-checksum - resources: - - hello - result: fail - rule: require-image-checksum -- kind: Pod - policy: require-image-checksum - resources: - - myapp-pod-2 - result: fail - rule: require-image-checksum -- kind: Deployment - policy: require-image-checksum - resources: - - mydeploy - result: pass - rule: require-image-checksum -- kind: Pod - policy: require-image-checksum - resources: - - myapp-pod-1 - result: pass - rule: require-image-checksum - diff --git a/other-cel/require-image-checksum/.kyverno-test/resource.yaml b/other-cel/require-image-checksum/.kyverno-test/resource.yaml deleted file mode 100644 index 1b0a8ab89..000000000 --- a/other-cel/require-image-checksum/.kyverno-test/resource.yaml +++ /dev/null @@ -1,65 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: myapp-pod-1 - labels: - app: myapp-1 -spec: - containers: - - name: nginx - image: nginx@sha256:353c20f74d9b6aee359f30e8e4f69c3d7eaea2f610681c4a95849a2fd7c497f9 - ---- -apiVersion: v1 -kind: Pod -metadata: - name: myapp-pod-2 - labels: - app: myapp-2 -spec: - containers: - - name: nginx - image: nginx - ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: mydeploy -spec: - replicas: 2 - selector: - matchLabels: - app: myapp - template: - metadata: - labels: - app: myapp - spec: - containers: - - name: nginx - image: nginx@sha256:353c20f74d9b6aee359f30e8e4f69c3d7eaea2f610681c4a95849a2fd7c497f9 - ports: - - containerPort: 80 - ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: hello -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - containers: - - name: hello - image: busybox - imagePullPolicy: IfNotPresent - command: - - /bin/sh - - -c - - date; echo Hello from the Kubernetes cluster - restartPolicy: OnFailure - 
diff --git a/other-cel/require-image-checksum/artifacthub-pkg.yml b/other-cel/require-image-checksum/artifacthub-pkg.yml deleted file mode 100644 index d99ae75b5..000000000 --- a/other-cel/require-image-checksum/artifacthub-pkg.yml +++ /dev/null @@ -1,24 +0,0 @@ -name: require-image-checksum-cel -version: 1.0.0 -displayName: Require Images Use Checksums in CEL expressions -description: >- - Use of a SHA checksum when pulling an image is often preferable because tags are mutable and can be overwritten. This policy checks to ensure that all images use SHA checksums rather than tags. -install: |- - ```shell - kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other-cel/require-image-checksum/require-image-checksum.yaml - ``` -keywords: - - kyverno - - Sample - - CEL Expressions -readme: | - Use of a SHA checksum when pulling an image is often preferable because tags are mutable and can be overwritten. This policy checks to ensure that all images use SHA checksums rather than tags. - - Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ -annotations: - kyverno/category: "Sample in CEL" - kyverno/kubernetesVersion: "1.26-1.27" - kyverno/subject: "Pod" -digest: 6a775c3ab5b2c24f6fbe10de35ecca20e967d3d70242403718b55f5a04c07c08 -createdAt: "2024-04-10T18:21:59Z" - diff --git a/other-cel/require-image-checksum/require-image-checksum.yaml b/other-cel/require-image-checksum/require-image-checksum.yaml deleted file mode 100644 index 29c181758..000000000 --- a/other-cel/require-image-checksum/require-image-checksum.yaml +++ /dev/null 
@@ -1,34 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: require-image-checksum - annotations: - policies.kyverno.io/title: Require Images Use Checksums in CEL expressions - policies.kyverno.io/category: Sample in CEL - policies.kyverno.io/severity: medium - policies.kyverno.io/subject: Pod - policies.kyverno.io/minversion: 1.11.0 - kyverno.io/kubernetes-version: "1.26-1.27" - policies.kyverno.io/description: >- - Use of a SHA checksum when pulling an image is often preferable because tags - are mutable and can be overwritten. This policy checks to ensure that all images - use SHA checksums rather than tags. -spec: - validationFailureAction: Audit - background: true - rules: - - name: require-image-checksum - match: - any: - - resources: - kinds: - - Pod - operations: - - CREATE - - UPDATE - validate: - cel: - expressions: - - expression: "object.spec.containers.all(container, container.image.contains('@'))" - message: "Images must use checksums rather than tags." - diff --git a/other-cel/require-ingress-https/.chainsaw-test/chainsaw-test.yaml b/other-cel/require-ingress-https/.chainsaw-test/chainsaw-test.yaml deleted file mode 100755 index 1ea002383..000000000 --- a/other-cel/require-ingress-https/.chainsaw-test/chainsaw-test.yaml +++ /dev/null @@ -1,32 +0,0 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json -apiVersion: chainsaw.kyverno.io/v1alpha1 -kind: Test -metadata: - creationTimestamp: null - name: require-ingress-https -spec: - steps: - - name: step-01 - try: - - apply: - file: ../require-ingress-https.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: require-ingress-https - spec: - validationFailureAction: Enforce - - assert: - file: policy-ready.yaml - - name: step-02 - try: - - apply: - file: ingress-good.yaml - - apply: - expect: - - check: - ($error != null): true - file: ingress-bad.yaml - 
diff --git a/other-cel/require-ingress-https/.chainsaw-test/ingress-bad.yaml b/other-cel/require-ingress-https/.chainsaw-test/ingress-bad.yaml deleted file mode 100644 index b48c26ecc..000000000 --- a/other-cel/require-ingress-https/.chainsaw-test/ingress-bad.yaml +++ /dev/null 
@@ -1,121 +0,0 @@ -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - annotations: - kyverno.io/foo: bar - kubernetes.io/ingress.allow-http: "true" - name: badingress01 -spec: - ingressClassName: someingress - rules: - - host: endpoint01 - http: - paths: - - backend: - service: - name: demo-svc - port: - number: 8080 - path: / - pathType: Prefix - tls: - - hosts: - - endpoint01 ---- -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: badingress02 - annotations: - kyverno.io/foo: bar -spec: - ingressClassName: nginx-int - rules: - - host: endpoint01 - https: - paths: - - path: /testpath - pathType: Prefix - backend: - service: - name: test - port: - number: 80 - - host: endpoint02 - http: - paths: - - path: /testpath - pathType: Prefix - backend: - service: - name: test - port: - number: 80 - tls: - - hosts: - - endpoint01 - - endpoint02 ---- -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: badingress03 -spec: - ingressClassName: nginx-int - rules: - - host: endpoint01 - https: - paths: - - path: /testpath - pathType: Prefix - backend: - service: - name: test - port: - number: 80 - - host: endpoint02 - http: - paths: - - path: /testpath - pathType: Prefix - backend: - service: - name: test - port: - number: 80 - tls: - - hosts: - - endpoint01 - - endpoint02 ---- -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - annotations: - kyverno.io/foo: bar - kubernetes.io/ingress.allow-http: "false" - name: badingress04 -spec: - ingressClassName: nginx-int - rules: - - host: endpoint01 - https: - paths: - - path: /testpath - pathType: Prefix - backend: - service: - name: test - port: - number: 80 - - host: endpoint02 - http: - paths: - - path: /testpath - pathType: Prefix - backend: - service: - name: test - port: - number: 80 - 
diff --git a/other-cel/require-ingress-https/.chainsaw-test/ingress-good.yaml b/other-cel/require-ingress-https/.chainsaw-test/ingress-good.yaml deleted file mode 100644 index 151a757ec..000000000 --- a/other-cel/require-ingress-https/.chainsaw-test/ingress-good.yaml +++ /dev/null @@ -1,59 +0,0 @@ -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - annotations: - kyverno.io/foo: bar - kubernetes.io/ingress.allow-http: "false" - name: goodingress01 -spec: - ingressClassName: someingress - rules: - - host: endpoint01 - https: - paths: - - backend: - service: - name: demo-svc - port: - number: 8080 - path: / - pathType: Prefix - tls: - - hosts: - - endpoint01 ---- -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - annotations: - kubernetes.io/ingress.allow-http: "false" - kyverno.io/foo: bar - name: goodingress02 -spec: - ingressClassName: nginx-int - rules: - - host: endpoint01 - https: - paths: - - path: /testpath - pathType: Prefix - backend: - service: - name: test - port: - number: 80 - - host: endpoint02 - https: - paths: - - path: /testpath - pathType: Prefix - backend: - service: - name: test - port: - number: 80 - tls: - - hosts: - - endpoint01 - - endpoint02 - diff --git a/other-cel/require-ingress-https/.chainsaw-test/policy-ready.yaml b/other-cel/require-ingress-https/.chainsaw-test/policy-ready.yaml deleted file mode 100755 index 9437be689..000000000 --- a/other-cel/require-ingress-https/.chainsaw-test/policy-ready.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: require-ingress-https -status: - conditions: - - reason: Succeeded - status: "True" - type: Ready - - diff --git a/other-cel/require-ingress-https/.kyverno-test/kyverno-test.yaml b/other-cel/require-ingress-https/.kyverno-test/kyverno-test.yaml deleted file mode 100644 index 530b4fe66..000000000 --- a/other-cel/require-ingress-https/.kyverno-test/kyverno-test.yaml +++ /dev/null 
@@ -1,38 +0,0 @@ -apiVersion: cli.kyverno.io/v1alpha1 -kind: Test -metadata: - name: require-ingress-https -policies: -- ../require-ingress-https.yaml -resources: -- resource.yaml -results: -- kind: Ingress - policy: require-ingress-https - resources: - - goodingress01 - - goodingress02 - result: pass - rule: has-annotation -- kind: Ingress - policy: require-ingress-https - resources: - - goodingress01 - - goodingress02 - result: pass - rule: has-tls -- kind: Ingress - policy: require-ingress-https - resources: - - badingress01 - - badingress02 - - badingress03 - result: fail - rule: has-annotation -- kind: Ingress - policy: require-ingress-https - resources: - - badingress04 - result: fail - rule: has-tls - diff --git a/other-cel/require-ingress-https/.kyverno-test/resource.yaml b/other-cel/require-ingress-https/.kyverno-test/resource.yaml deleted file mode 100644 index a97cba4e7..000000000 --- a/other-cel/require-ingress-https/.kyverno-test/resource.yaml +++ /dev/null 
@@ -1,180 +0,0 @@ -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - annotations: - kyverno.io/foo: bar - kubernetes.io/ingress.allow-http: "true" - name: badingress01 -spec: - ingressClassName: someingress - rules: - - host: endpoint01 - http: - paths: - - backend: - service: - name: demo-svc - port: - number: 8080 - path: / - pathType: Prefix - tls: - - hosts: - - endpoint01 ---- -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: badingress02 - annotations: - kyverno.io/foo: bar -spec: - ingressClassName: nginx-int - rules: - - host: endpoint01 - https: - paths: - - path: /testpath - pathType: Prefix - backend: - service: - name: test - port: - number: 80 - - host: endpoint02 - http: - paths: - - path: /testpath - pathType: Prefix - backend: - service: - name: test - port: - number: 80 - tls: - - hosts: - - endpoint01 - - endpoint02 ---- -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: badingress03 -spec: - ingressClassName: nginx-int - rules: - - host: endpoint01 - https: - paths: - - path: /testpath - pathType: Prefix - backend: - service: - name: test - port: - number: 80 - - host: endpoint02 - http: - paths: - - path: /testpath - pathType: Prefix - backend: - service: - name: test - port: - number: 80 - tls: - - hosts: - - endpoint01 - - endpoint02 ---- -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - annotations: - kyverno.io/foo: bar - kubernetes.io/ingress.allow-http: "false" - name: badingress04 -spec: - ingressClassName: nginx-int - rules: - - host: endpoint01 - https: - paths: - - path: /testpath - pathType: Prefix - backend: - service: - name: test - port: - number: 80 - - host: endpoint02 - http: - paths: - - path: /testpath - pathType: Prefix - backend: - service: - name: test - port: - number: 80 ---- -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - annotations: - kyverno.io/foo: bar - kubernetes.io/ingress.allow-http: "false" - name: goodingress01 -spec: - ingressClassName: 
someingress - rules: - - host: endpoint01 - https: - paths: - - backend: - service: - name: demo-svc - port: - number: 8080 - path: / - pathType: Prefix - tls: - - hosts: - - endpoint01 ---- -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - annotations: - kubernetes.io/ingress.allow-http: "false" - kyverno.io/foo: bar - name: goodingress02 -spec: - ingressClassName: nginx-int - rules: - - host: endpoint01 - https: - paths: - - path: /testpath - pathType: Prefix - backend: - service: - name: test - port: - number: 80 - - host: endpoint02 - https: - paths: - - path: /testpath - pathType: Prefix - backend: - service: - name: test - port: - number: 80 - tls: - - hosts: - - endpoint01 - - endpoint02 - diff --git a/other-cel/require-ingress-https/artifacthub-pkg.yml b/other-cel/require-ingress-https/artifacthub-pkg.yml deleted file mode 100644 index d8eca61d3..000000000 --- a/other-cel/require-ingress-https/artifacthub-pkg.yml +++ /dev/null 
@@ -1,24 +0,0 @@ -name: require-ingress-https-cel -version: 1.0.0 -displayName: Require Ingress HTTPS in CEL expressions -description: >- - Ingress resources should only allow secure traffic by disabling HTTP and therefore only allowing HTTPS. This policy requires that all Ingress resources set the annotation `kubernetes.io/ingress.allow-http` to `"false"` and specify TLS in the spec. -install: |- - ```shell - kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other-cel/require-ingress-https/require-ingress-https.yaml - ``` -keywords: - - kyverno - - Other - - CEL Expressions -readme: | - Ingress resources should only allow secure traffic by disabling HTTP and therefore only allowing HTTPS. This policy requires that all Ingress resources set the annotation `kubernetes.io/ingress.allow-http` to `"false"` and specify TLS in the spec. - - Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ -annotations: - kyverno/category: "Other in CEL" - kyverno/kubernetesVersion: "1.26-1.27" - kyverno/subject: "Ingress" -digest: b30bc5463846fae38c141a57722099c05614db0da4b3a1f88a1bb7812a572b81 -createdAt: "2024-04-10T18:31:27Z" - diff --git a/other-cel/require-ingress-https/require-ingress-https.yaml b/other-cel/require-ingress-https/require-ingress-https.yaml deleted file mode 100644 index cb7dd582c..000000000 --- a/other-cel/require-ingress-https/require-ingress-https.yaml +++ /dev/null 
@@ -1,50 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: require-ingress-https - annotations: - policies.kyverno.io/title: Require Ingress HTTPS in CEL expressions - policies.kyverno.io/category: Other in CEL - policies.kyverno.io/severity: medium - kyverno.io/kyverno-version: 1.11.0 - kyverno.io/kubernetes-version: "1.26-1.27" - policies.kyverno.io/subject: Ingress - policies.kyverno.io/description: >- - Ingress resources should only allow secure traffic by disabling - HTTP and therefore only allowing HTTPS. This policy requires that all - Ingress resources set the annotation `kubernetes.io/ingress.allow-http` to - `"false"` and specify TLS in the spec. -spec: - background: true - validationFailureAction: Audit - rules: - - name: has-annotation - match: - any: - - resources: - kinds: - - Ingress - operations: - - CREATE - - UPDATE - validate: - cel: - expressions: - - expression: >- - object.metadata.?annotations[?'kubernetes.io/ingress.allow-http'].orValue('default') == 'false' - message: "The kubernetes.io/ingress.allow-http annotation must be set to false." - - name: has-tls - match: - any: - - resources: - kinds: - - Ingress - operations: - - CREATE - - UPDATE - validate: - cel: - expressions: - - expression: "has(object.spec.tls)" - message: "TLS must be defined." - diff --git a/other-cel/require-non-root-groups/.chainsaw-test/chainsaw-test.yaml b/other-cel/require-non-root-groups/.chainsaw-test/chainsaw-test.yaml deleted file mode 100755 index 776c5d107..000000000 --- a/other-cel/require-non-root-groups/.chainsaw-test/chainsaw-test.yaml +++ /dev/null 
@@ -1,40 +0,0 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json -apiVersion: chainsaw.kyverno.io/v1alpha1 -kind: Test -metadata: - creationTimestamp: null - name: require-non-root-groups -spec: - # disable templating because it can cause issues with CEL expressions - template: false - steps: - - name: step-01 - try: - - apply: - file: ../require-non-root-groups.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: require-non-root-groups - spec: - validationFailureAction: Enforce - - assert: - file: policy-ready.yaml - - name: step-02 - try: - - apply: - file: pod-good.yaml - - apply: - expect: - - check: - ($error != null): true - file: pod-bad.yaml - - apply: - file: podcontroller-good.yaml - - apply: - expect: - - check: - ($error != null): true - file: podcontroller-bad.yaml diff --git a/other-cel/require-non-root-groups/.chainsaw-test/pod-bad.yaml b/other-cel/require-non-root-groups/.chainsaw-test/pod-bad.yaml deleted file mode 100644 index 64313b235..000000000 --- a/other-cel/require-non-root-groups/.chainsaw-test/pod-bad.yaml +++ /dev/null 
@@ -1,246 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: badpod01 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod02 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsGroup: 0 ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod03 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsGroup: 0 ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod04 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsGroup: 0 - securityContext: - runAsGroup: 1 ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod05 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod06 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsGroup: 0 ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod07 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsGroup: 0 ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod08 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsGroup: 0 - securityContext: - runAsGroup: 1 ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod09 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsGroup: 1 - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsGroup: 
0 - securityContext: - runAsGroup: 1 ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod10 -spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsGroup: 0 - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsGroup: 1 ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod11 -spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsGroup: 1 - securityContext: - runAsGroup: 0 ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod12 -spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsGroup: 0 - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsGroup: 1 - securityContext: - runAsGroup: 1 ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod13 -spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsGroup: 1 ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod14 -spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsGroup: 0 - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsGroup: 1 ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod15 -spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - 
securityContext: - runAsGroup: 0 ---- -apiVersion: v1 -kind: Pod -metadata: - name: supgrp-badpod01 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - supplementalGroups: [0] ---- -apiVersion: v1 -kind: Pod -metadata: - name: supgrp-badpod02 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - supplementalGroups: [14,0] ---- -apiVersion: v1 -kind: Pod -metadata: - name: fsgrp-badpod01 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - fsGroup: 0 ---- diff --git a/other-cel/require-non-root-groups/.chainsaw-test/pod-good.yaml b/other-cel/require-non-root-groups/.chainsaw-test/pod-good.yaml deleted file mode 100644 index 5a1a5a4f7..000000000 --- a/other-cel/require-non-root-groups/.chainsaw-test/pod-good.yaml +++ /dev/null 
@@ -1,182 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: goodpod01 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsGroup: 1 ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod02 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsGroup: 1 ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod03 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsGroup: 1 - securityContext: - runAsGroup: 1 ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod04 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsGroup: 1 ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod05 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsGroup: 1 - securityContext: - runAsGroup: 1 ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod06 -spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsGroup: 1 ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod07 -spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsGroup: 1 - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsGroup: 1 ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod08 -spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsGroup: 1 - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsGroup: 1 
---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod09 -spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsGroup: 1 - - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsGroup: 1 ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod10 -spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsGroup: 1 - - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsGroup: 1 - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsGroup: 1 ---- -apiVersion: v1 -kind: Pod -metadata: - name: supgrp-goodpod02 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsGroup: 1 - supplementalGroups: [32] ---- -apiVersion: v1 -kind: Pod -metadata: - name: supgrp-goodpod03 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsGroup: 1 - supplementalGroups: [32,94] ---- -apiVersion: v1 -kind: Pod -metadata: - name: fsgrp-goodpod02 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsGroup: 1 - fsGroup: 32 \ No newline at end of file diff --git a/other-cel/require-non-root-groups/.chainsaw-test/podcontroller-bad.yaml b/other-cel/require-non-root-groups/.chainsaw-test/podcontroller-bad.yaml deleted file mode 100644 index b6ab78f8e..000000000 --- a/other-cel/require-non-root-groups/.chainsaw-test/podcontroller-bad.yaml +++ /dev/null 
@@ -1,761 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment01 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment02 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsGroup: 0 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment03 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsGroup: 0 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment04 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsGroup: 0 - securityContext: - runAsGroup: 1 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment05 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment06 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsGroup: 0 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - 
name: baddeployment07 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsGroup: 0 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment08 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsGroup: 0 - securityContext: - runAsGroup: 1 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment09 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsGroup: 1 - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsGroup: 0 - securityContext: - runAsGroup: 1 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment10 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsGroup: 0 - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsGroup: 1 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment11 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsGroup: 1 - securityContext: - 
runAsGroup: 0 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment12 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsGroup: 0 - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsGroup: 1 - securityContext: - runAsGroup: 1 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment13 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsGroup: 1 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment14 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsGroup: 0 - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsGroup: 1 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment15 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsGroup: 0 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob01 -spec: - schedule: "*/1 * * * 
*" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob02 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsGroup: 0 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob03 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsGroup: 0 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob04 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsGroup: 0 - securityContext: - runAsGroup: 1 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob05 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob06 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsGroup: 0 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob07 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - - 
name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsGroup: 0 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob08 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsGroup: 0 - securityContext: - runAsGroup: 1 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob09 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsGroup: 1 - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsGroup: 0 - securityContext: - runAsGroup: 1 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob10 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsGroup: 0 - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsGroup: 1 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob11 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsGroup: 1 - securityContext: - runAsGroup: 0 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob12 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: 
ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsGroup: 0 - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsGroup: 1 - securityContext: - runAsGroup: 1 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob13 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsGroup: 1 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob14 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsGroup: 0 - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsGroup: 1 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob15 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsGroup: 0 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: supgrp-baddeployment01 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - supplementalGroups: [0] ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: 
supgrp-baddeployment02 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - supplementalGroups: [14,0] ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: supgrp-badcronjob01 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - supplementalGroups: [0] ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: supgrp-badcronjob02 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - supplementalGroups: [14,0] ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: fsgrp-baddeployment01 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - fsGroup: 0 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: fsgrp-badcronjob01 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - fsGroup: 0 \ No newline at end of file diff --git a/other-cel/require-non-root-groups/.chainsaw-test/podcontroller-good.yaml b/other-cel/require-non-root-groups/.chainsaw-test/podcontroller-good.yaml deleted file mode 100644 index c8edb5d19..000000000 --- a/other-cel/require-non-root-groups/.chainsaw-test/podcontroller-good.yaml +++ /dev/null 
@@ -1,561 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: gooddeployment01
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: app
- template:
- metadata:
- labels:
- app: app
- spec:
- containers:
- - name: container01
- image: ghcr.io/kyverno/test-busybox:1.35
- securityContext:
- runAsGroup: 1
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: gooddeployment02
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: app
- template:
- metadata:
- labels:
- app: app
- spec:
- containers:
- - name: container01
- image: ghcr.io/kyverno/test-busybox:1.35
- securityContext:
- runAsGroup: 1
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: gooddeployment03
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: app
- template:
- metadata:
- labels:
- app: app
- spec:
- containers:
- - name: container01
- image: ghcr.io/kyverno/test-busybox:1.35
- securityContext:
- runAsGroup: 1
- securityContext:
- runAsGroup: 1
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: gooddeployment04
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: app
- template:
- metadata:
- labels:
- app: app
- spec:
- containers:
- - name: container01
- image: ghcr.io/kyverno/test-busybox:1.35
- - name: container02
- image: ghcr.io/kyverno/test-busybox:1.35
- securityContext:
- runAsGroup: 1
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: gooddeployment05
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: app
- template:
- metadata:
- labels:
- app: app
- spec:
- containers:
- - name: container01
- image: ghcr.io/kyverno/test-busybox:1.35
- - name: container02
- image: ghcr.io/kyverno/test-busybox:1.35
- securityContext:
- runAsGroup: 1
- securityContext:
- runAsGroup: 1
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: gooddeployment06
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: app
- template:
- metadata:
- labels:
- app: app
- spec:
- initContainers:
- - name: initcontainer01
- image: ghcr.io/kyverno/test-busybox:1.35
- containers:
- - name: container01
- image: ghcr.io/kyverno/test-busybox:1.35
- securityContext:
- runAsGroup: 1
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: gooddeployment07
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: app
- template:
- metadata:
- labels:
- app: app
- spec:
- initContainers:
- - name: initcontainer01
- image: ghcr.io/kyverno/test-busybox:1.35
- securityContext:
- runAsGroup: 1
- containers:
- - name: container01
- image: ghcr.io/kyverno/test-busybox:1.35
- securityContext:
- runAsGroup: 1
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: gooddeployment08
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: app
- template:
- metadata:
- labels:
- app: app
- spec:
- initContainers:
- - name: initcontainer01
- image: ghcr.io/kyverno/test-busybox:1.35
- securityContext:
- runAsGroup: 1
- containers:
- - name: container01
- image: ghcr.io/kyverno/test-busybox:1.35
- securityContext:
- runAsGroup: 1
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: gooddeployment09
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: app
- template:
- metadata:
- labels:
- app: app
- spec:
- initContainers:
- - name: initcontainer01
- image: ghcr.io/kyverno/test-busybox:1.35
- securityContext:
- runAsGroup: 1
- - name: initcontainer02
- image: ghcr.io/kyverno/test-busybox:1.35
- containers:
- - name: container01
- image: ghcr.io/kyverno/test-busybox:1.35
- securityContext:
- runAsGroup: 1
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: gooddeployment10
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: app
- template:
- metadata:
- labels:
- app: app
- spec:
- initContainers:
- - name: initcontainer01
- image: ghcr.io/kyverno/test-busybox:1.35
- securityContext:
- runAsGroup: 1
- - name: initcontainer02
- image: ghcr.io/kyverno/test-busybox:1.35
- securityContext:
- runAsGroup: 1
- containers:
- - name: container01
- image: ghcr.io/kyverno/test-busybox:1.35
- securityContext:
- runAsGroup: 1
----
-#### CRONJOBS
-apiVersion: batch/v1
-kind: CronJob
-metadata:
- name: goodcronjob01
-spec:
- schedule: "*/1 * * * *"
- jobTemplate:
- spec:
- template:
- spec:
- restartPolicy: OnFailure
- containers:
- - name: container01
- image: ghcr.io/kyverno/test-busybox:1.35
- securityContext:
- runAsGroup: 1
----
-apiVersion: batch/v1
-kind: CronJob
-metadata:
- name: goodcronjob02
-spec:
- schedule: "*/1 * * * *"
- jobTemplate:
- spec:
- template:
- spec:
- restartPolicy: OnFailure
- containers:
- - name: container01
- image: ghcr.io/kyverno/test-busybox:1.35
- securityContext:
- runAsGroup: 1
----
-apiVersion: batch/v1
-kind: CronJob
-metadata:
- name: goodcronjob03
-spec:
- schedule: "*/1 * * * *"
- jobTemplate:
- spec:
- template:
- spec:
- restartPolicy: OnFailure
- containers:
- - name: container01
- image: ghcr.io/kyverno/test-busybox:1.35
- securityContext:
- runAsGroup: 1
- securityContext:
- runAsGroup: 1
----
-apiVersion: batch/v1
-kind: CronJob
-metadata:
- name: goodcronjob04
-spec:
- schedule: "*/1 * * * *"
- jobTemplate:
- spec:
- template:
- spec:
- restartPolicy: OnFailure
- containers:
- - name: container01
- image: ghcr.io/kyverno/test-busybox:1.35
- - name: container02
- image: ghcr.io/kyverno/test-busybox:1.35
- securityContext:
- runAsGroup: 1
----
-apiVersion: batch/v1
-kind: CronJob
-metadata:
- name: goodcronjob05
-spec:
- schedule: "*/1 * * * *"
- jobTemplate:
- spec:
- template:
- spec:
- restartPolicy: OnFailure
- containers:
- - name: container01
- image: ghcr.io/kyverno/test-busybox:1.35
- - name: container02
- image: ghcr.io/kyverno/test-busybox:1.35
- securityContext:
- runAsGroup: 1
- securityContext:
- runAsGroup: 1
----
-apiVersion: batch/v1
-kind: CronJob
-metadata:
- name: goodcronjob06
-spec:
- schedule: "*/1 * * * *"
- jobTemplate:
- spec:
- template:
- spec:
- restartPolicy: OnFailure
- initContainers:
- - name: initcontainer01
- image: ghcr.io/kyverno/test-busybox:1.35
- containers:
- - name: container01
- image: ghcr.io/kyverno/test-busybox:1.35
- securityContext:
- runAsGroup: 1
----
-apiVersion: batch/v1
-kind: CronJob
-metadata:
- name: goodcronjob07
-spec:
- schedule: "*/1 * * * *"
- jobTemplate:
- spec:
- template:
- spec:
- restartPolicy: OnFailure
- initContainers:
- - name: initcontainer01
- image: ghcr.io/kyverno/test-busybox:1.35
- securityContext:
- runAsGroup: 1
- containers:
- - name: container01
- image: ghcr.io/kyverno/test-busybox:1.35
- securityContext:
- runAsGroup: 1
----
-apiVersion: batch/v1
-kind: CronJob
-metadata:
- name: goodcronjob08
-spec:
- schedule: "*/1 * * * *"
- jobTemplate:
- spec:
- template:
- spec:
- restartPolicy: OnFailure
- initContainers:
- - name: initcontainer01
- image: ghcr.io/kyverno/test-busybox:1.35
- securityContext:
- runAsGroup: 1
- containers:
- - name: container01
- image: ghcr.io/kyverno/test-busybox:1.35
- securityContext:
- runAsGroup: 1
----
-apiVersion: batch/v1
-kind: CronJob
-metadata:
- name: goodcronjob09
-spec:
- schedule: "*/1 * * * *"
- jobTemplate:
- spec:
- template:
- spec:
- restartPolicy: OnFailure
- initContainers:
- - name: initcontainer01
- image: ghcr.io/kyverno/test-busybox:1.35
- securityContext:
- runAsGroup: 1
- - name: initcontainer02
- image: ghcr.io/kyverno/test-busybox:1.35
- containers:
- - name: container01
- image: ghcr.io/kyverno/test-busybox:1.35
- securityContext:
- runAsGroup: 1
----
-apiVersion: batch/v1
-kind: CronJob
-metadata:
- name: goodcronjob10
-spec:
- schedule: "*/1 * * * *"
- jobTemplate:
- spec:
- template:
- spec:
- restartPolicy: OnFailure
- initContainers:
- - name: initcontainer01
- image: ghcr.io/kyverno/test-busybox:1.35
- securityContext:
- runAsGroup: 1
- - name: initcontainer02
- image: ghcr.io/kyverno/test-busybox:1.35
- securityContext:
- runAsGroup: 1
- containers:
- - name: container01
- image: ghcr.io/kyverno/test-busybox:1.35
- securityContext:
- runAsGroup: 1
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: supgrp-gooddeployment02
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: app
- template:
- metadata:
- labels:
- app: app
- spec:
- containers:
- - name: container01
- image: ghcr.io/kyverno/test-busybox:1.35
- securityContext:
- runAsGroup: 1
- supplementalGroups: [32]
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: supgrp-gooddeployment03
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: app
- template:
- metadata:
- labels:
- app: app
- spec:
- containers:
- - name: container01
- image: ghcr.io/kyverno/test-busybox:1.35
- securityContext:
- runAsGroup: 1
- supplementalGroups: [32,94]
----
-apiVersion: batch/v1
-kind: CronJob
-metadata:
- name: supgrp-goodcronjob02
-spec:
- schedule: "*/1 * * * *"
- jobTemplate:
- spec:
- template:
- spec:
- restartPolicy: OnFailure
- containers:
- - name: container01
- image: ghcr.io/kyverno/test-busybox:1.35
- securityContext:
- runAsGroup: 1
- supplementalGroups: [32]
----
-apiVersion: batch/v1
-kind: CronJob
-metadata:
- name: supgrp-goodcronjob03
-spec:
- schedule: "*/1 * * * *"
- jobTemplate:
- spec:
- template:
- spec:
- restartPolicy: OnFailure
- containers:
- - name: container01
- image: ghcr.io/kyverno/test-busybox:1.35
- securityContext:
- runAsGroup: 1
- supplementalGroups: [32,94]
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: fsgrp-gooddeployment02
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: app
- template:
- metadata:
- labels:
- app: app
- spec:
- containers:
- - name: container01
- image: ghcr.io/kyverno/test-busybox:1.35
- securityContext:
- runAsGroup: 1
- fsGroup: 32
----
-apiVersion: batch/v1
-kind: CronJob
-metadata:
- name: fsgrp-goodcronjob02
-spec:
- schedule: "*/1 * * * *"
- jobTemplate:
- spec:
- template:
- spec:
- restartPolicy: OnFailure
- containers:
- - name: container01
- image: ghcr.io/kyverno/test-busybox:1.35
- securityContext:
- runAsGroup: 1
- fsGroup: 32
diff --git a/other-cel/require-non-root-groups/.chainsaw-test/policy-ready.yaml b/other-cel/require-non-root-groups/.chainsaw-test/policy-ready.yaml
deleted file mode 100755
index 637e72bac..000000000
--- a/other-cel/require-non-root-groups/.chainsaw-test/policy-ready.yaml
+++ /dev/null
@@ -1,10 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
- name: require-non-root-groups
-status:
- conditions:
- - reason: Succeeded
- status: "True"
- type: Ready
-
diff --git a/other-cel/require-non-root-groups/.kyverno-test/kyverno-test.yaml b/other-cel/require-non-root-groups/.kyverno-test/kyverno-test.yaml
deleted file mode 100644
index b477f9589..000000000
--- a/other-cel/require-non-root-groups/.kyverno-test/kyverno-test.yaml
+++ /dev/null
@@ -1,198 +0,0 @@
-apiVersion: cli.kyverno.io/v1alpha1
-kind: Test
-metadata:
- name: require-non-root-groups
-policies:
-- ../require-non-root-groups.yaml
-resources:
-- resource.yaml
-results:
-- kind: CronJob
- policy: require-non-root-groups
- resources:
- - fsgrp-badcronjob01
- result: fail
- rule: check-fsgroup
-- kind: Deployment
- policy: require-non-root-groups
- resources:
- - fsgrp-baddeployment01
- result: fail
- rule: check-fsgroup
-- kind: Pod
- policy: require-non-root-groups
- resources:
- - fsgrp-badpod01
- result: fail
- rule: check-fsgroup
-- kind: CronJob
- policy: require-non-root-groups
- resources:
- - fsgrp-goodcronjob01
- - fsgrp-goodcronjob02
- result: pass
- rule: check-fsgroup
-- kind: Deployment
- policy: require-non-root-groups
- resources:
- - fsgrp-gooddeployment01
- - fsgrp-gooddeployment02
- result: pass
- rule: check-fsgroup
-- kind: Pod
- policy: require-non-root-groups
- resources:
- - fsgrp-goodpod01
- - fsgrp-goodpod02
- result: pass
- rule: check-fsgroup
-- kind: CronJob
- policy: require-non-root-groups
- resources:
- - badcronjob01
- - badcronjob02
- - badcronjob03
- - badcronjob04
- - badcronjob05
- - badcronjob06
- - badcronjob07
- - badcronjob08
- - badcronjob09
- - badcronjob10
- - badcronjob11
- - badcronjob12
- - badcronjob13
- - badcronjob14
- - badcronjob15
- result: fail
- rule: check-runasgroup
-- kind: Deployment
- policy: require-non-root-groups
- resources:
- - baddeployment01
- - baddeployment02
- - baddeployment03
- - baddeployment04
- - baddeployment05
- - baddeployment06
- - baddeployment07
- - baddeployment08
- - baddeployment09
- - baddeployment10
- - baddeployment11
- - baddeployment12
- - baddeployment13
- - baddeployment14
- - baddeployment15
- result: fail
- rule: check-runasgroup
-- kind: Pod
- policy: require-non-root-groups
- resources:
- - badpod01
- - badpod02
- - badpod03
- - badpod04
- - badpod05
- - badpod06
- - badpod07
- - badpod08
- - badpod09
- - badpod10
- - badpod11
- - badpod12
- - badpod13
- - badpod14
- - badpod15
- result: fail
- rule: check-runasgroup
-- kind: CronJob
- policy: require-non-root-groups
- resources:
- - goodcronjob01
- - goodcronjob02
- - goodcronjob03
- - goodcronjob04
- - goodcronjob05
- - goodcronjob06
- - goodcronjob07
- - goodcronjob08
- - goodcronjob09
- - goodcronjob10
- result: pass
- rule: check-runasgroup
-- kind: Deployment
- policy: require-non-root-groups
- resources:
- - gooddeployment01
- - gooddeployment02
- - gooddeployment03
- - gooddeployment04
- - gooddeployment05
- - gooddeployment06
- - gooddeployment07
- - gooddeployment08
- - gooddeployment09
- - gooddeployment10
- result: pass
- rule: check-runasgroup
-- kind: Pod
- policy: require-non-root-groups
- resources:
- - goodpod01
- - goodpod02
- - goodpod03
- - goodpod04
- - goodpod05
- - goodpod06
- - goodpod07
- - goodpod08
- - goodpod09
- - goodpod10
- result: pass
- rule: check-runasgroup
-- kind: CronJob
- policy: require-non-root-groups
- resources:
- - supgrp-badcronjob01
- - supgrp-badcronjob02
- result: fail
- rule: check-supplementalgroups
-- kind: Deployment
- policy: require-non-root-groups
- resources:
- - supgrp-baddeployment01
- - supgrp-baddeployment02
- result: fail
- rule: check-supplementalgroups
-- kind: Pod
- policy: require-non-root-groups
- resources:
- - supgrp-badpod01
- - supgrp-badpod02
- result: fail
- rule: check-supplementalgroups
-- kind: CronJob
- policy: require-non-root-groups
- resources:
- - supgrp-goodcronjob01
- - supgrp-goodcronjob02
- - supgrp-goodcronjob03
- result: pass
- rule: check-supplementalgroups
-- kind: Deployment
- policy: require-non-root-groups
- resources:
- - supgrp-gooddeployment01
- - supgrp-gooddeployment02
- - supgrp-gooddeployment03
- result: pass
- rule: check-supplementalgroups
-- kind: Pod
- policy: require-non-root-groups
- resources:
- - supgrp-goodpod01
- - supgrp-goodpod02
- - supgrp-goodpod03
- result: pass
- rule: check-supplementalgroups
diff --git a/other-cel/require-non-root-groups/.kyverno-test/resource.yaml b/other-cel/require-non-root-groups/.kyverno-test/resource.yaml
deleted file mode 100644
index 97269bf53..000000000
--- a/other-cel/require-non-root-groups/.kyverno-test/resource.yaml
+++ /dev/null
@@ -1,1854 +0,0 @@ -############################ -## Rule: check-runasgroup ## -############################ -###### Pods - Bad ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod01 -spec: - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod02 -spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - runAsGroup: 0 ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod03 -spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - runAsGroup: 0 ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod04 -spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - runAsGroup: 0 - securityContext: - runAsGroup: 1 ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod05 -spec: - containers: - - name: container01 - image: dummyimagename - - name: container02 - image: dummyimagename ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod06 -spec: - containers: - - name: container01 - image: dummyimagename - - name: container02 - image: dummyimagename - securityContext: - runAsGroup: 0 ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod07 -spec: - containers: - - name: container01 - image: dummyimagename - - name: container02 - image: dummyimagename - securityContext: - runAsGroup: 0 ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod08 -spec: - containers: - - name: container01 - image: dummyimagename - - name: container02 - image: dummyimagename - securityContext: - runAsGroup: 0 - securityContext: - runAsGroup: 1 ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod09 -spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - runAsGroup: 1 - - name: container02 - image: dummyimagename - securityContext: - runAsGroup: 0 - securityContext: - runAsGroup: 1 ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod10 -spec: - initContainers: - - name: initcontainer01 - 
image: dummyimagename - securityContext: - runAsGroup: 0 - containers: - - name: container01 - image: dummyimagename - securityContext: - runAsGroup: 1 ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod11 -spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - containers: - - name: container01 - image: dummyimagename - securityContext: - runAsGroup: 1 - securityContext: - runAsGroup: 0 ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod12 -spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - runAsGroup: 0 - containers: - - name: container01 - image: dummyimagename - securityContext: - runAsGroup: 1 - securityContext: - runAsGroup: 1 ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod13 -spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - - name: initcontainer02 - image: dummyimagename - containers: - - name: container01 - image: dummyimagename - securityContext: - runAsGroup: 1 ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod14 -spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - - name: initcontainer02 - image: dummyimagename - securityContext: - runAsGroup: 0 - containers: - - name: container01 - image: dummyimagename - securityContext: - runAsGroup: 1 ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod15 -spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - - name: initcontainer02 - image: dummyimagename - containers: - - name: container01 - image: dummyimagename - securityContext: - runAsGroup: 0 ---- -###### Pods - Good -apiVersion: v1 -kind: Pod -metadata: - name: goodpod01 -spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - runAsGroup: 1 ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod02 -spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - runAsGroup: 1 ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod03 
-spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - runAsGroup: 1 - securityContext: - runAsGroup: 1 ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod04 -spec: - containers: - - name: container01 - image: dummyimagename - - name: container02 - image: dummyimagename - securityContext: - runAsGroup: 1 ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod05 -spec: - containers: - - name: container01 - image: dummyimagename - - name: container02 - image: dummyimagename - securityContext: - runAsGroup: 1 - securityContext: - runAsGroup: 1 ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod06 -spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - containers: - - name: container01 - image: dummyimagename - securityContext: - runAsGroup: 1 ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod07 -spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - runAsGroup: 1 - containers: - - name: container01 - image: dummyimagename - securityContext: - runAsGroup: 1 ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod08 -spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - runAsGroup: 1 - containers: - - name: container01 - image: dummyimagename - securityContext: - runAsGroup: 1 ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod09 -spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - runAsGroup: 1 - - name: initcontainer02 - image: dummyimagename - containers: - - name: container01 - image: dummyimagename - securityContext: - runAsGroup: 1 ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod10 -spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - runAsGroup: 1 - - name: initcontainer02 - image: dummyimagename - securityContext: - runAsGroup: 1 - containers: - - name: container01 - image: dummyimagename - 
securityContext: - runAsGroup: 1 ---- -###### Deployments - Bad -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment01 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment02 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - runAsGroup: 0 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment03 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - runAsGroup: 0 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment04 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - runAsGroup: 0 - securityContext: - runAsGroup: 1 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment05 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - - name: container02 - image: dummyimagename ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment06 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - - name: container02 - image: dummyimagename - securityContext: - runAsGroup: 0 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment07 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - 
labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - - name: container02 - image: dummyimagename - securityContext: - runAsGroup: 0 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment08 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - - name: container02 - image: dummyimagename - securityContext: - runAsGroup: 0 - securityContext: - runAsGroup: 1 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment09 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - runAsGroup: 1 - - name: container02 - image: dummyimagename - securityContext: - runAsGroup: 0 - securityContext: - runAsGroup: 1 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment10 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - runAsGroup: 0 - containers: - - name: container01 - image: dummyimagename - securityContext: - runAsGroup: 1 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment11 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - containers: - - name: container01 - image: dummyimagename - securityContext: - runAsGroup: 1 - securityContext: - runAsGroup: 0 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment12 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - 
runAsGroup: 0 - containers: - - name: container01 - image: dummyimagename - securityContext: - runAsGroup: 1 - securityContext: - runAsGroup: 1 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment13 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - - name: initcontainer02 - image: dummyimagename - containers: - - name: container01 - image: dummyimagename - securityContext: - runAsGroup: 1 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment14 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - - name: initcontainer02 - image: dummyimagename - securityContext: - runAsGroup: 0 - containers: - - name: container01 - image: dummyimagename - securityContext: - runAsGroup: 1 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment15 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - - name: initcontainer02 - image: dummyimagename - containers: - - name: container01 - image: dummyimagename - securityContext: - runAsGroup: 0 ---- -###### Deployments - Good -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment01 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - runAsGroup: 1 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment02 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - runAsGroup: 1 ---- 
-apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment03 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - runAsGroup: 1 - securityContext: - runAsGroup: 1 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment04 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - - name: container02 - image: dummyimagename - securityContext: - runAsGroup: 1 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment05 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - - name: container02 - image: dummyimagename - securityContext: - runAsGroup: 1 - securityContext: - runAsGroup: 1 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment06 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - containers: - - name: container01 - image: dummyimagename - securityContext: - runAsGroup: 1 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment07 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - runAsGroup: 1 - containers: - - name: container01 - image: dummyimagename - securityContext: - runAsGroup: 1 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment08 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 
- image: dummyimagename - securityContext: - runAsGroup: 1 - containers: - - name: container01 - image: dummyimagename - securityContext: - runAsGroup: 1 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment09 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - runAsGroup: 1 - - name: initcontainer02 - image: dummyimagename - containers: - - name: container01 - image: dummyimagename - securityContext: - runAsGroup: 1 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment10 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - runAsGroup: 1 - - name: initcontainer02 - image: dummyimagename - securityContext: - runAsGroup: 1 - containers: - - name: container01 - image: dummyimagename - securityContext: - runAsGroup: 1 ---- -###### CronJobs - Bad -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob01 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob02 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - securityContext: - runAsGroup: 0 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob03 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - securityContext: - runAsGroup: 0 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob04 -spec: - schedule: "*/1 * * * *" - jobTemplate: - 
spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - securityContext: - runAsGroup: 0 - securityContext: - runAsGroup: 1 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob05 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - - name: container02 - image: dummyimagename ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob06 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - - name: container02 - image: dummyimagename - securityContext: - runAsGroup: 0 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob07 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - - name: container02 - image: dummyimagename - securityContext: - runAsGroup: 0 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob08 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - - name: container02 - image: dummyimagename - securityContext: - runAsGroup: 0 - securityContext: - runAsGroup: 1 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob09 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - securityContext: - runAsGroup: 1 - - name: container02 - image: dummyimagename - securityContext: - runAsGroup: 0 - securityContext: - runAsGroup: 1 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob10 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - 
restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - runAsGroup: 0 - containers: - - name: container01 - image: dummyimagename - securityContext: - runAsGroup: 1 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob11 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: dummyimagename - containers: - - name: container01 - image: dummyimagename - securityContext: - runAsGroup: 1 - securityContext: - runAsGroup: 0 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob12 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - runAsGroup: 0 - containers: - - name: container01 - image: dummyimagename - securityContext: - runAsGroup: 1 - securityContext: - runAsGroup: 1 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob13 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: dummyimagename - - name: initcontainer02 - image: dummyimagename - containers: - - name: container01 - image: dummyimagename - securityContext: - runAsGroup: 1 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob14 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: dummyimagename - - name: initcontainer02 - image: dummyimagename - securityContext: - runAsGroup: 0 - containers: - - name: container01 - image: dummyimagename - securityContext: - runAsGroup: 1 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob15 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure 
- initContainers: - - name: initcontainer01 - image: dummyimagename - - name: initcontainer02 - image: dummyimagename - containers: - - name: container01 - image: dummyimagename - securityContext: - runAsGroup: 0 ---- -###### CronJobs - Good -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob01 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - securityContext: - runAsGroup: 1 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob02 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - securityContext: - runAsGroup: 1 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob03 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - securityContext: - runAsGroup: 1 - securityContext: - runAsGroup: 1 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob04 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - - name: container02 - image: dummyimagename - securityContext: - runAsGroup: 1 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob05 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - - name: container02 - image: dummyimagename - securityContext: - runAsGroup: 1 - securityContext: - runAsGroup: 1 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob06 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: 
dummyimagename - containers: - - name: container01 - image: dummyimagename - securityContext: - runAsGroup: 1 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob07 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - runAsGroup: 1 - containers: - - name: container01 - image: dummyimagename - securityContext: - runAsGroup: 1 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob08 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - runAsGroup: 1 - containers: - - name: container01 - image: dummyimagename - securityContext: - runAsGroup: 1 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob09 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - runAsGroup: 1 - - name: initcontainer02 - image: dummyimagename - containers: - - name: container01 - image: dummyimagename - securityContext: - runAsGroup: 1 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob10 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - runAsGroup: 1 - - name: initcontainer02 - image: dummyimagename - securityContext: - runAsGroup: 1 - containers: - - name: container01 - image: dummyimagename - securityContext: - runAsGroup: 1 -#################################### -## Rule: check-supplementalgroups ## -#################################### -###### Pods - Bad ---- -apiVersion: v1 -kind: Pod -metadata: - name: supgrp-badpod01 -spec: - containers: - - name: container01 - 
image: dummyimagename - securityContext: - supplementalGroups: [0] ---- -apiVersion: v1 -kind: Pod -metadata: - name: supgrp-badpod02 -spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - supplementalGroups: [14,0] ---- -###### Pods - Good -apiVersion: v1 -kind: Pod -metadata: - name: supgrp-goodpod01 -spec: - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: v1 -kind: Pod -metadata: - name: supgrp-goodpod02 -spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - supplementalGroups: [32] ---- -apiVersion: v1 -kind: Pod -metadata: - name: supgrp-goodpod03 -spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - supplementalGroups: [32,94] ---- -###### Deployments - Bad -apiVersion: apps/v1 -kind: Deployment -metadata: - name: supgrp-baddeployment01 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - supplementalGroups: [0] ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: supgrp-baddeployment02 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - supplementalGroups: [14,0] ---- -###### Deployments - Good -apiVersion: apps/v1 -kind: Deployment -metadata: - name: supgrp-gooddeployment01 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: supgrp-gooddeployment02 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - supplementalGroups: [32] ---- 
-apiVersion: apps/v1 -kind: Deployment -metadata: - name: supgrp-gooddeployment03 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - supplementalGroups: [32,94] ---- -###### CronJobs - Bad -apiVersion: batch/v1 -kind: CronJob -metadata: - name: supgrp-badcronjob01 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - securityContext: - supplementalGroups: [0] ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: supgrp-badcronjob02 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - securityContext: - supplementalGroups: [14,0] ---- -###### CronJobs - Good -apiVersion: batch/v1 -kind: CronJob -metadata: - name: supgrp-goodcronjob01 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: supgrp-goodcronjob02 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - securityContext: - supplementalGroups: [32] ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: supgrp-goodcronjob03 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - securityContext: - supplementalGroups: [32,94] ---- -######################### -## Rule: check-fsgroup ## -######################### -###### Pods - Bad -apiVersion: v1 -kind: Pod -metadata: - name: fsgrp-badpod01 -spec: - containers: - - name: container01 - image: dummyimagename - 
securityContext: - fsGroup: 0 ---- -###### Pods - Good -apiVersion: v1 -kind: Pod -metadata: - name: fsgrp-goodpod01 -spec: - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: v1 -kind: Pod -metadata: - name: fsgrp-goodpod02 -spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - fsGroup: 32 ---- -###### Deployments - Bad -apiVersion: apps/v1 -kind: Deployment -metadata: - name: fsgrp-baddeployment01 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - fsGroup: 0 ---- -###### Deployments - Good -apiVersion: apps/v1 -kind: Deployment -metadata: - name: fsgrp-gooddeployment01 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: fsgrp-gooddeployment02 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - fsGroup: 32 ---- -###### CronJobs - Bad -apiVersion: batch/v1 -kind: CronJob -metadata: - name: fsgrp-badcronjob01 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - securityContext: - fsGroup: 0 ---- -###### CronJobs - Good -apiVersion: batch/v1 -kind: CronJob -metadata: - name: fsgrp-goodcronjob01 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: fsgrp-goodcronjob02 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - 
containers: - - name: container01 - image: dummyimagename - securityContext: - fsGroup: 32 diff --git a/other-cel/require-non-root-groups/artifacthub-pkg.yml b/other-cel/require-non-root-groups/artifacthub-pkg.yml deleted file mode 100644 index 2004ec989..000000000 --- a/other-cel/require-non-root-groups/artifacthub-pkg.yml +++ /dev/null @@ -1,24 +0,0 @@ -name: require-non-root-groups-cel -version: 1.0.0 -displayName: Require Non-Root Groups in CEL expressions -description: >- - Containers should be forbidden from running with a root primary or supplementary GID. This policy ensures the `runAsGroup`, `supplementalGroups`, and `fsGroup` fields are set to a number greater than zero (i.e., non root). A known issue prevents a policy such as this using `anyPattern` from being persisted properly in Kubernetes 1.23.0-1.23.2. -install: |- - ```shell - kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other-cel/require-non-root-groups/require-non-root-groups.yaml - ``` -keywords: - - kyverno - - Sample - - EKS Best Practices - - CEL Expressions -readme: | - Containers should be forbidden from running with a root primary or supplementary GID. This policy ensures the `runAsGroup`, `supplementalGroups`, and `fsGroup` fields are set to a number greater than zero (i.e., non root). A known issue prevents a policy such as this using `anyPattern` from being persisted properly in Kubernetes 1.23.0-1.23.2. - - Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ -annotations: - kyverno/category: "Sample, EKS Best Practices in CEL" - kyverno/kubernetesVersion: "1.26-1.27" - kyverno/subject: "Pod" -digest: 5b8983536f5922194a9ea86212f5ac316f396eefc1de09d4043947510b96ea16 -createdAt: "2024-05-19T10:49:49Z" diff --git a/other-cel/require-non-root-groups/require-non-root-groups.yaml b/other-cel/require-non-root-groups/require-non-root-groups.yaml deleted file mode 100644 index b20053878..000000000 
--- a/other-cel/require-non-root-groups/require-non-root-groups.yaml +++ /dev/null 
@@ -1,86 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: require-non-root-groups - annotations: - policies.kyverno.io/title: Require Non-Root Groups in CEL expressions - policies.kyverno.io/category: Sample, EKS Best Practices in CEL - policies.kyverno.io/severity: medium - policies.kyverno.io/minversion: 1.11.0 - kyverno.io/kyverno-version: 1.11.0 - kyverno.io/kubernetes-version: "1.26-1.27" - policies.kyverno.io/subject: Pod - policies.kyverno.io/description: >- - Containers should be forbidden from running with a root primary or supplementary GID. - This policy ensures the `runAsGroup`, `supplementalGroups`, and `fsGroup` fields are set to a number - greater than zero (i.e., non root). A known issue prevents a policy such as this - using `anyPattern` from being persisted properly in Kubernetes 1.23.0-1.23.2. -spec: - validationFailureAction: Audit - background: true - rules: - - name: check-runasgroup - match: - any: - - resources: - kinds: - - Pod - operations: - - CREATE - - UPDATE - validate: - cel: - variables: - - name: allContainers - expression: "object.spec.containers + object.spec.?initContainers.orValue([]) + object.spec.?ephemeralContainers.orValue([])" - expressions: - - expression: >- - ( - object.spec.?securityContext.?runAsGroup.orValue(-1) > 0 && - variables.allContainers.all(container, container.?securityContext.?runAsGroup.orValue(1) > 0) - ) || - ( - variables.allContainers.all(container, container.?securityContext.?runAsGroup.orValue(-1) > 0) - ) - message: >- - Running with root group IDs is disallowed. The fields - spec.securityContext.runAsGroup, spec.containers[*].securityContext.runAsGroup, - spec.initContainers[*].securityContext.runAsGroup, and - spec.ephemeralContainers[*].securityContext.runAsGroup must be - set to a value greater than zero. 
- - name: check-supplementalgroups - match: - any: - - resources: - kinds: - - Pod - operations: - - CREATE - - UPDATE - validate: - cel: - expressions: - - expression: >- - object.spec.?securityContext.?supplementalGroups.orValue([]).all(group, group > 0) - message: >- - Containers cannot run with a root primary or supplementary GID. The field - spec.securityContext.supplementalGroups must be unset or - set to a value greater than zero. - - name: check-fsgroup - match: - any: - - resources: - kinds: - - Pod - operations: - - CREATE - - UPDATE - validate: - cel: - expressions: - - expression: >- - object.spec.?securityContext.?fsGroup.orValue(1) > 0 - message: >- - Containers cannot run with a root primary or supplementary GID. The field - spec.securityContext.fsGroup must be unset or set to a value greater than zero. - diff --git a/other-cel/require-pod-priorityclassname/.chainsaw-test/chainsaw-test.yaml b/other-cel/require-pod-priorityclassname/.chainsaw-test/chainsaw-test.yaml deleted file mode 100755 index 71fb21d54..000000000 --- a/other-cel/require-pod-priorityclassname/.chainsaw-test/chainsaw-test.yaml +++ /dev/null 
@@ -1,41 +0,0 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json -apiVersion: chainsaw.kyverno.io/v1alpha1 -kind: Test -metadata: - creationTimestamp: null - name: require-pod-priorityclassname -spec: - steps: - - name: step-01 - try: - - apply: - file: ../require-pod-priorityclassname.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: require-pod-priorityclassname - spec: - validationFailureAction: Enforce - - apply: - file: pc.yaml - - assert: - file: policy-ready.yaml - - name: step-02 - try: - - apply: - file: pod-good.yaml - - apply: - expect: - - check: - ($error != null): true - file: pod-bad.yaml - - apply: - file: podcontroller-good.yaml - - apply: - expect: - - check: - ($error != null): true - file: podcontroller-bad.yaml - diff --git a/other-cel/require-pod-priorityclassname/.chainsaw-test/pc.yaml b/other-cel/require-pod-priorityclassname/.chainsaw-test/pc.yaml deleted file mode 100644 index 8128d99f9..000000000 --- a/other-cel/require-pod-priorityclassname/.chainsaw-test/pc.yaml +++ /dev/null @@ -1,8 +0,0 @@ -apiVersion: scheduling.k8s.io/v1 -kind: PriorityClass -metadata: - name: high -value: 1234 -globalDefault: false -description: "This priority class should be used for XYZ service pods only." - diff --git a/other-cel/require-pod-priorityclassname/.chainsaw-test/pod-bad.yaml b/other-cel/require-pod-priorityclassname/.chainsaw-test/pod-bad.yaml deleted file mode 100644 index 52e3037fa..000000000 --- a/other-cel/require-pod-priorityclassname/.chainsaw-test/pod-bad.yaml +++ /dev/null @@ -1,19 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: badpod01 -spec: - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 - priorityClassName: "" ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod02 -spec: - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 - 
diff --git a/other-cel/require-pod-priorityclassname/.chainsaw-test/pod-good.yaml b/other-cel/require-pod-priorityclassname/.chainsaw-test/pod-good.yaml deleted file mode 100644 index 2f03d56a3..000000000 --- a/other-cel/require-pod-priorityclassname/.chainsaw-test/pod-good.yaml +++ /dev/null @@ -1,10 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: goodpod01 -spec: - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 - priorityClassName: high - diff --git a/other-cel/require-pod-priorityclassname/.chainsaw-test/podcontroller-bad.yaml b/other-cel/require-pod-priorityclassname/.chainsaw-test/podcontroller-bad.yaml deleted file mode 100644 index cd47e10ba..000000000 --- a/other-cel/require-pod-priorityclassname/.chainsaw-test/podcontroller-bad.yaml +++ /dev/null @@ -1,33 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment01 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob01 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 - diff --git a/other-cel/require-pod-priorityclassname/.chainsaw-test/podcontroller-good.yaml b/other-cel/require-pod-priorityclassname/.chainsaw-test/podcontroller-good.yaml deleted file mode 100644 index d4f456b3b..000000000 --- a/other-cel/require-pod-priorityclassname/.chainsaw-test/podcontroller-good.yaml +++ /dev/null 
@@ -1,35 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment01 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 - priorityClassName: high ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob01 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 - priorityClassName: high - diff --git a/other-cel/require-pod-priorityclassname/.chainsaw-test/policy-ready.yaml b/other-cel/require-pod-priorityclassname/.chainsaw-test/policy-ready.yaml deleted file mode 100644 index 45ee903fd..000000000 --- a/other-cel/require-pod-priorityclassname/.chainsaw-test/policy-ready.yaml +++ /dev/null @@ -1,10 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: require-pod-priorityclassname -status: - conditions: - - reason: Succeeded - status: "True" - type: Ready - diff --git a/other-cel/require-pod-priorityclassname/.kyverno-test/kyverno-test.yaml b/other-cel/require-pod-priorityclassname/.kyverno-test/kyverno-test.yaml deleted file mode 100644 index 525314f70..000000000 --- a/other-cel/require-pod-priorityclassname/.kyverno-test/kyverno-test.yaml +++ /dev/null @@ -1,22 +0,0 @@ -apiVersion: cli.kyverno.io/v1alpha1 -kind: Test -metadata: - name: require-pod-priorityclassname -policies: -- ../require-pod-priorityclassname.yaml -resources: -- resource.yaml -results: -- kind: Pod - policy: require-pod-priorityclassname - resources: - - badpod01 - result: fail - rule: check-priorityclassname -- kind: Pod - policy: require-pod-priorityclassname - resources: - - goodpod01 - result: pass - rule: check-priorityclassname - 
diff --git a/other-cel/require-pod-priorityclassname/.kyverno-test/resource.yaml b/other-cel/require-pod-priorityclassname/.kyverno-test/resource.yaml deleted file mode 100644 index 43c3c3d46..000000000 --- a/other-cel/require-pod-priorityclassname/.kyverno-test/resource.yaml +++ /dev/null @@ -1,23 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: goodpod01 - labels: - app: myapp -spec: - priorityClassName: foo - containers: - - name: goproxy - image: registry.k8s.io/goproxy:0.1 ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod01 - labels: - app: myapp -spec: - containers: - - name: goproxy - image: registry.k8s.io/goproxy:0.1 - diff --git a/other-cel/require-pod-priorityclassname/artifacthub-pkg.yml b/other-cel/require-pod-priorityclassname/artifacthub-pkg.yml deleted file mode 100644 index 1b8ed7103..000000000 --- a/other-cel/require-pod-priorityclassname/artifacthub-pkg.yml +++ /dev/null 
@@ -1,25 +0,0 @@ -name: require-pod-priorityclassname-cel -version: 1.0.0 -displayName: Require Pod priorityClassName in CEL expressions -description: >- - A Pod may optionally specify a priorityClassName which indicates the scheduling priority relative to others. This requires creation of a PriorityClass object in advance. With this created, a Pod may set this field to that value. In a multi-tenant environment, it is often desired to require this priorityClassName be set to make certain tenant scheduling guarantees. This policy requires that a Pod defines the priorityClassName field with some value. -install: |- - ```shell - kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other-cel/require-pod-priorityclassname/require-pod-priorityclassname.yaml - ``` -keywords: - - kyverno - - Multi-Tenancy - - EKS Best Practices - - CEL Expressions -readme: | - A Pod may optionally specify a priorityClassName which indicates the scheduling priority relative to others. This requires creation of a PriorityClass object in advance. With this created, a Pod may set this field to that value. In a multi-tenant environment, it is often desired to require this priorityClassName be set to make certain tenant scheduling guarantees. This policy requires that a Pod defines the priorityClassName field with some value. - - Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ -annotations: - kyverno/category: "Multi-Tenancy, EKS Best Practices in CEL" - kyverno/kubernetesVersion: "1.26-1.27" - kyverno/subject: "Pod" -digest: 252b3acff35bbfdb60bfdb57be947b8e983d65fbaa4c143bf8e9f714d6f54e04 -createdAt: "2024-04-11T17:46:06Z" - diff --git a/other-cel/require-pod-priorityclassname/require-pod-priorityclassname.yaml b/other-cel/require-pod-priorityclassname/require-pod-priorityclassname.yaml deleted file mode 100644 index 5ddddfcf5..000000000 
--- a/other-cel/require-pod-priorityclassname/require-pod-priorityclassname.yaml +++ /dev/null @@ -1,37 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: require-pod-priorityclassname - annotations: - policies.kyverno.io/title: Require Pod priorityClassName in CEL expressions - policies.kyverno.io/category: Multi-Tenancy, EKS Best Practices in CEL - policies.kyverno.io/severity: medium - policies.kyverno.io/subject: Pod - kyverno.io/kyverno-version: 1.11.0 - kyverno.io/kubernetes-version: "1.26-1.27" - policies.kyverno.io/description: >- - A Pod may optionally specify a priorityClassName which indicates the scheduling - priority relative to others. This requires creation of a PriorityClass object in advance. - With this created, a Pod may set this field to that value. In a multi-tenant environment, - it is often desired to require this priorityClassName be set to make certain tenant - scheduling guarantees. This policy requires that a Pod defines the priorityClassName field - with some value. -spec: - validationFailureAction: Audit - background: true - rules: - - name: check-priorityclassname - match: - any: - - resources: - kinds: - - Pod - operations: - - CREATE - - UPDATE - validate: - cel: - expressions: - - expression: "object.spec.?priorityClassName.orValue('') != ''" - message: "Pods must define the priorityClassName field." - diff --git a/other-cel/require-qos-burstable/.chainsaw-test/chainsaw-test.yaml b/other-cel/require-qos-burstable/.chainsaw-test/chainsaw-test.yaml deleted file mode 100755 index e6092e657..000000000 --- a/other-cel/require-qos-burstable/.chainsaw-test/chainsaw-test.yaml +++ /dev/null 
@@ -1,39 +0,0 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json -apiVersion: chainsaw.kyverno.io/v1alpha1 -kind: Test -metadata: - creationTimestamp: null - name: require-qos-burstable -spec: - steps: - - name: step-01 - try: - - apply: - file: ../require-qos-burstable.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: require-qos-burstable - spec: - validationFailureAction: Enforce - - assert: - file: policy-ready.yaml - - name: step-02 - try: - - apply: - file: pod-good.yaml - - apply: - expect: - - check: - ($error != null): true - file: pod-bad.yaml - - apply: - file: podcontroller-good.yaml - - apply: - expect: - - check: - ($error != null): true - file: podcontroller-bad.yaml - diff --git a/other-cel/require-qos-burstable/.chainsaw-test/pod-bad.yaml b/other-cel/require-qos-burstable/.chainsaw-test/pod-bad.yaml deleted file mode 100644 index ebc6846b9..000000000 --- a/other-cel/require-qos-burstable/.chainsaw-test/pod-bad.yaml +++ /dev/null @@ -1,24 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: badpod01 - labels: - app: myapp -spec: - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod02 - labels: - app: myapp -spec: - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 - - name: busybox-again - image: ghcr.io/kyverno/test-busybox:1.35 - diff --git a/other-cel/require-qos-burstable/.chainsaw-test/pod-good.yaml b/other-cel/require-qos-burstable/.chainsaw-test/pod-good.yaml deleted file mode 100644 index 83ad74104..000000000 --- a/other-cel/require-qos-burstable/.chainsaw-test/pod-good.yaml +++ /dev/null 
@@ -1,81 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
- name: goodpod01
- labels:
- app: myapp
-spec:
- containers:
- - name: busybox
- image: ghcr.io/kyverno/test-busybox:1.35
- resources:
- requests:
- memory: "50Mi"
- cpu: "100m"
- limits:
- memory: "100Mi"
----
-apiVersion: v1
-kind: Pod
-metadata:
- name: goodpod02
- labels:
- app: myapp
-spec:
- containers:
- - name: busybox
- image: ghcr.io/kyverno/test-busybox:1.35
- - name: busybox-again
- image: ghcr.io/kyverno/test-busybox:1.35
- resources:
- limits:
- memory: "100Mi"
----
-apiVersion: v1
-kind: Pod
-metadata:
- name: goodpod03
- labels:
- app: myapp
-spec:
- containers:
- - name: busybox
- image: ghcr.io/kyverno/test-busybox:1.35
- resources:
- requests:
- memory: "100Mi"
- - name: busybox-again
- image: ghcr.io/kyverno/test-busybox:1.35
----
-apiVersion: v1
-kind: Pod
-metadata:
- name: goodpod04
- labels:
- app: myapp
-spec:
- containers:
- - name: busybox
- image: ghcr.io/kyverno/test-busybox:1.35
- - name: busybox-again
- image: ghcr.io/kyverno/test-busybox:1.35
- resources:
- requests:
- cpu: "1"
----
-apiVersion: v1
-kind: Pod
-metadata:
- name: goodpod05
- labels:
- app: myapp
-spec:
- containers:
- - name: busybox
- image: ghcr.io/kyverno/test-busybox:1.35
- resources:
- limits:
- cpu: "1"
- - name: busybox-again
- image: ghcr.io/kyverno/test-busybox:1.35
-
diff --git a/other-cel/require-qos-burstable/.chainsaw-test/podcontroller-bad.yaml b/other-cel/require-qos-burstable/.chainsaw-test/podcontroller-bad.yaml
deleted file mode 100644
index 201859261..000000000
--- a/other-cel/require-qos-burstable/.chainsaw-test/podcontroller-bad.yaml
+++ /dev/null
@@ -1,37 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: baddeployment01
-spec:
- replicas: 1
- selector:
- matchLabels:
- foo: bar
- template:
- metadata:
- labels:
- foo: bar
- spec:
- containers:
- - name: busybox
- image: ghcr.io/kyverno/test-busybox:1.35
- - name: busybox-again
- image: ghcr.io/kyverno/test-busybox:1.35
----
-apiVersion: batch/v1
-kind: CronJob
-metadata:
- name: badcronjob01
-spec:
- schedule: "*/1 * * * *"
- jobTemplate:
- spec:
- template:
- spec:
- restartPolicy: OnFailure
- containers:
- - name: busybox
- image: ghcr.io/kyverno/test-busybox:1.35
- - name: busybox-again
- image: ghcr.io/kyverno/test-busybox:1.35
-
diff --git a/other-cel/require-qos-burstable/.chainsaw-test/podcontroller-good.yaml b/other-cel/require-qos-burstable/.chainsaw-test/podcontroller-good.yaml
deleted file mode 100644
index 342fcb1e6..000000000
--- a/other-cel/require-qos-burstable/.chainsaw-test/podcontroller-good.yaml
+++ /dev/null
@@ -1,43 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: gooddeployment01
-spec:
- replicas: 1
- selector:
- matchLabels:
- foo: bar
- template:
- metadata:
- labels:
- foo: bar
- spec:
- containers:
- - name: busybox
- image: ghcr.io/kyverno/test-busybox:1.35
- - name: busybox-again
- image: ghcr.io/kyverno/test-busybox:1.35
- resources:
- limits:
- memory: "100Mi"
----
-apiVersion: batch/v1
-kind: CronJob
-metadata:
- name: goodcronjob01
-spec:
- schedule: "*/1 * * * *"
- jobTemplate:
- spec:
- template:
- spec:
- restartPolicy: OnFailure
- containers:
- - name: busybox
- image: ghcr.io/kyverno/test-busybox:1.35
- resources:
- requests:
- cpu: "1"
- - name: busybox-again
- image: ghcr.io/kyverno/test-busybox:1.35
-
diff --git a/other-cel/require-qos-burstable/.chainsaw-test/policy-ready.yaml b/other-cel/require-qos-burstable/.chainsaw-test/policy-ready.yaml
deleted file mode 100755
index 4eba1ec3f..000000000
--- a/other-cel/require-qos-burstable/.chainsaw-test/policy-ready.yaml
+++ /dev/null
@@ -1,11 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
- name: require-qos-burstable
-status:
- conditions:
- - reason: Succeeded
- status: "True"
- type: Ready
-
-
diff --git a/other-cel/require-qos-burstable/.kyverno-test/kyverno-test.yaml b/other-cel/require-qos-burstable/.kyverno-test/kyverno-test.yaml
deleted file mode 100644
index c76aef176..000000000
--- a/other-cel/require-qos-burstable/.kyverno-test/kyverno-test.yaml
+++ /dev/null
@@ -1,25 +0,0 @@
-apiVersion: cli.kyverno.io/v1alpha1
-kind: Test
-metadata:
- name: require-qos-burstable
-policies:
-- ../require-qos-burstable.yaml
-resources:
-- resource.yaml
-results:
-- kind: Pod
- policy: require-qos-burstable
- resources:
- - badpod01
- - badpod02
- result: fail
- rule: burstable
-- kind: Pod
- policy: require-qos-burstable
- resources:
- - goodpod01
- - goodpod02
- - goodpod03
- result: pass
- rule: burstable
-
diff --git a/other-cel/require-qos-burstable/.kyverno-test/resource.yaml b/other-cel/require-qos-burstable/.kyverno-test/resource.yaml
deleted file mode 100644
index 1d2a59eac..000000000
--- a/other-cel/require-qos-burstable/.kyverno-test/resource.yaml
+++ /dev/null
@@ -1,59 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
- name: goodpod01
-spec:
- containers:
- - name: qos-demo-ctr
- image: thisdoesnotexist:1.1.1
- resources:
- requests:
- memory: "200Mi"
----
-apiVersion: v1
-kind: Pod
-metadata:
- name: goodpod02
-spec:
- containers:
- - name: qos-demo-ctr
- image: thisdoesnotexist:1.1.1
- resources:
- limits:
- memory: "200Mi"
----
-apiVersion: v1
-kind: Pod
-metadata:
- name: goodpod03
-spec:
- containers:
- - name: qos-demo-ctr
- image: thisdoesnotexist:1.1.1
- resources:
- requests:
- memory: "200Mi"
- cpu: "700m"
- - name: seconddemo
- image: thisdoesnotexist:1.1.1
----
-apiVersion: v1
-kind: Pod
-metadata:
- name: badpod01
-spec:
- containers:
- - name: qos-demo-ctr
- image: thisdoesnotexist:1.1.1
----
-apiVersion: v1
-kind: Pod
-metadata:
- name: badpod02
-spec:
- containers:
- - name: qos-demo-ctr
- image: thisdoesnotexist:1.1.1
- - name: second
- image: thisdoesnotexist:1.1.1
-
diff --git a/other-cel/require-qos-burstable/artifacthub-pkg.yml b/other-cel/require-qos-burstable/artifacthub-pkg.yml
deleted file mode 100644
index 78d48eb08..000000000
--- a/other-cel/require-qos-burstable/artifacthub-pkg.yml
+++ /dev/null
@@ -1,25 +0,0 @@
-name: require-qos-burstable-cel
-version: 1.0.0
-displayName: Require QoS Burstable in CEL expressions
-description: >-
- Pod Quality of Service (QoS) is a mechanism to ensure Pods receive certain priority guarantees based upon the resources they define. When a Pod has at least one container which defines either requests or limits for either memory or CPU, Kubernetes grants the QoS class as burstable if it does not otherwise qualify for a QoS class of guaranteed. This policy requires that a Pod meet the criteria qualify for a QoS of burstable. This policy is provided with the intention that users will need to control its scope by using exclusions, preconditions, and other policy language mechanisms.
-install: |-
- ```shell
- kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other-cel/require-qos-burstable/require-qos-burstable.yaml
- ```
-keywords:
- - kyverno
- - Other
- - Multi-Tenancy
- - CEL Expressions
-readme: |
- Pod Quality of Service (QoS) is a mechanism to ensure Pods receive certain priority guarantees based upon the resources they define. When a Pod has at least one container which defines either requests or limits for either memory or CPU, Kubernetes grants the QoS class as burstable if it does not otherwise qualify for a QoS class of guaranteed. This policy requires that a Pod meet the criteria qualify for a QoS of burstable. This policy is provided with the intention that users will need to control its scope by using exclusions, preconditions, and other policy language mechanisms.
-
- Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/
-annotations:
- kyverno/category: "Other, Multi-Tenancy in CEL"
- kyverno/kubernetesVersion: "1.26-1.27"
- kyverno/subject: "Pod"
-digest: 723f2fd7dcafa80eb362274960a518a13eecc425a96880ef690b7693496cc967
-createdAt: "2024-04-11T17:54:50Z"
-
diff --git a/other-cel/require-qos-burstable/require-qos-burstable.yaml b/other-cel/require-qos-burstable/require-qos-burstable.yaml
deleted file mode 100644
index 208d272b1..000000000
--- a/other-cel/require-qos-burstable/require-qos-burstable.yaml
+++ /dev/null
@@ -1,41 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
- name: require-qos-burstable
- annotations:
- policies.kyverno.io/title: Require QoS Burstable in CEL expressions
- policies.kyverno.io/category: Other, Multi-Tenancy in CEL
- policies.kyverno.io/severity: medium
- policies.kyverno.io/subject: Pod
- kyverno.io/kyverno-version: 1.11.0
- kyverno.io/kubernetes-version: "1.26-1.27"
- policies.kyverno.io/description: >-
- Pod Quality of Service (QoS) is a mechanism to ensure Pods receive certain
- priority guarantees based upon the resources they define. When a Pod has at least
- one container which defines either requests or limits for either memory or CPU,
- Kubernetes grants the QoS class as burstable if it does not otherwise qualify for a QoS class of guaranteed.
- This policy requires that a Pod meet the criteria qualify for a QoS of burstable.
- This policy is provided with the intention that users will need to control its scope by using
- exclusions, preconditions, and other policy language mechanisms.
-spec:
- validationFailureAction: Audit
- background: true
- rules:
- - name: burstable
- match:
- any:
- - resources:
- kinds:
- - Pod
- operations:
- - CREATE
- - UPDATE
- validate:
- cel:
- expressions:
- - expression: >-
- object.spec.containers.exists(container,
- has(container.resources) &&
- (has(container.resources.requests) || has(container.resources.limits)))
- message: "At least one container in the Pod must define either requests or limits for either CPU or memory."
-
diff --git a/other-cel/require-qos-guaranteed/.chainsaw-test/chainsaw-test.yaml b/other-cel/require-qos-guaranteed/.chainsaw-test/chainsaw-test.yaml
deleted file mode 100755
index 3a4e08816..000000000
--- a/other-cel/require-qos-guaranteed/.chainsaw-test/chainsaw-test.yaml
+++ /dev/null
@@ -1,38 +0,0 @@
-# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
-apiVersion: chainsaw.kyverno.io/v1alpha1
-kind: Test
-metadata:
- creationTimestamp: null
- name: require-qos-guaranteed
-spec:
- steps:
- - name: step-01
- try:
- - apply:
- file: ../require-qos-guaranteed.yaml
- - patch:
- resource:
- apiVersion: kyverno.io/v1
- kind: ClusterPolicy
- metadata:
- name: require-qos-guaranteed
- spec:
- validationFailureAction: Enforce
- - assert:
- file: policy-ready.yaml
- - name: step-02
- try:
- - apply:
- file: pod-good.yaml
- - apply:
- expect:
- - check:
- ($error != null): true
- file: pod-bad.yaml
- - apply:
- file: podcontroller-good.yaml
- - apply:
- expect:
- - check:
- ($error != null): true
- file: podcontroller-bad.yaml
diff --git a/other-cel/require-qos-guaranteed/.chainsaw-test/pod-bad.yaml b/other-cel/require-qos-guaranteed/.chainsaw-test/pod-bad.yaml
deleted file mode 100644
index 73a785cf5..000000000
--- a/other-cel/require-qos-guaranteed/.chainsaw-test/pod-bad.yaml
+++ /dev/null
@@ -1,66 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
- name: badpod01
- labels:
- app: myapp
-spec:
- containers:
- - name: busybox
- image: ghcr.io/kyverno/test-busybox:1.35
- resources:
- requests:
- memory: "100Mi"
- cpu: "1"
- limits:
- memory: "100Mi"
----
-apiVersion: v1
-kind: Pod
-metadata:
- name: badpod02
- labels:
- app: myapp
-spec:
- containers:
- - name: busybox
- image: ghcr.io/kyverno/test-busybox:1.35
- resources:
- requests:
- memory: "50Mi"
- cpu: "2"
- - name: busybox-again
- image: ghcr.io/kyverno/test-busybox:1.35
- resources:
- limits:
- memory: "100Mi"
- cpu: "1"
----
-apiVersion: v1
-kind: Pod
-metadata:
- name: badpod03
- labels:
- app: myapp
-spec:
- containers:
- - name: busybox
- image: ghcr.io/kyverno/test-busybox:1.35
- resources:
- requests:
- memory: "50Mi"
- - name: busybox-again
- image: ghcr.io/kyverno/test-busybox:1.35
----
-apiVersion: v1
-kind: Pod
-metadata:
- name: badpod04
- labels:
- app: myapp
-spec:
- containers:
- - name: busybox
- image: ghcr.io/kyverno/test-busybox:1.35
- - name: busybox-again
- image: ghcr.io/kyverno/test-busybox:1.35
\ No newline at end of file
diff --git a/other-cel/require-qos-guaranteed/.chainsaw-test/pod-good.yaml b/other-cel/require-qos-guaranteed/.chainsaw-test/pod-good.yaml
deleted file mode 100644
index 0b9826f4d..000000000
--- a/other-cel/require-qos-guaranteed/.chainsaw-test/pod-good.yaml
+++ /dev/null
@@ -1,44 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
- name: goodpod01
- labels:
- app: myapp
-spec:
- containers:
- - name: busybox
- image: ghcr.io/kyverno/test-busybox:1.35
- resources:
- requests:
- memory: "100Mi"
- cpu: "1"
- limits:
- memory: "100Mi"
- cpu: "1"
----
-apiVersion: v1
-kind: Pod
-metadata:
- name: goodpod02
- labels:
- app: myapp
-spec:
- containers:
- - name: busybox
- image: ghcr.io/kyverno/test-busybox:1.35
- resources:
- requests:
- memory: "50Mi"
- cpu: "2"
- limits:
- memory: "50Mi"
- cpu: "2"
- - name: busybox-again
- image: ghcr.io/kyverno/test-busybox:1.35
- resources:
- requests:
- memory: "100Mi"
- cpu: "1"
- limits:
- memory: "100Mi"
- cpu: "1"
\ No newline at end of file
diff --git a/other-cel/require-qos-guaranteed/.chainsaw-test/podcontroller-bad.yaml b/other-cel/require-qos-guaranteed/.chainsaw-test/podcontroller-bad.yaml
deleted file mode 100644
index 37882316a..000000000
--- a/other-cel/require-qos-guaranteed/.chainsaw-test/podcontroller-bad.yaml
+++ /dev/null
@@ -1,46 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: baddeployment01
-spec:
- replicas: 1
- selector:
- matchLabels:
- foo: bar
- template:
- metadata:
- labels:
- foo: bar
- spec:
- containers:
- - name: busybox
- image: ghcr.io/kyverno/test-busybox:1.35
- resources:
- requests:
- memory: "100Mi"
- limits:
- cpu: "1"
- - name: busybox-again
- image: ghcr.io/kyverno/test-busybox:1.35
----
-apiVersion: batch/v1
-kind: CronJob
-metadata:
- name: badcronjob01
-spec:
- schedule: "*/1 * * * *"
- jobTemplate:
- spec:
- template:
- spec:
- restartPolicy: OnFailure
- containers:
- - name: busybox
- image: ghcr.io/kyverno/test-busybox:1.35
- - name: busybox-again
- image: ghcr.io/kyverno/test-busybox:1.35
- resources:
- requests:
- memory: "50Mi"
- limits:
- cpu: "2"
\ No newline at end of file
diff --git a/other-cel/require-qos-guaranteed/.chainsaw-test/podcontroller-good.yaml b/other-cel/require-qos-guaranteed/.chainsaw-test/podcontroller-good.yaml
deleted file mode 100644
index 514a21f0e..000000000
--- a/other-cel/require-qos-guaranteed/.chainsaw-test/podcontroller-good.yaml
+++ /dev/null
@@ -1,64 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: gooddeployment01
-spec:
- replicas: 1
- selector:
- matchLabels:
- foo: bar
- template:
- metadata:
- labels:
- foo: bar
- spec:
- containers:
- - name: busybox
- image: ghcr.io/kyverno/test-busybox:1.35
- resources:
- requests:
- memory: "200Mi"
- cpu: "2"
- limits:
- memory: "200Mi"
- cpu: "2"
- - name: busybox-again
- image: ghcr.io/kyverno/test-busybox:1.35
- resources:
- requests:
- memory: "100Mi"
- cpu: "1"
- limits:
- memory: "100Mi"
- cpu: "1"
----
-apiVersion: batch/v1
-kind: CronJob
-metadata:
- name: goodcronjob01
-spec:
- schedule: "*/1 * * * *"
- jobTemplate:
- spec:
- template:
- spec:
- restartPolicy: OnFailure
- containers:
- - name: busybox
- image: ghcr.io/kyverno/test-busybox:1.35
- resources:
- requests:
- memory: "100Mi"
- cpu: "1"
- limits:
- memory: "100Mi"
- cpu: "1"
- - name: busybox-again
- image: ghcr.io/kyverno/test-busybox:1.35
- resources:
- requests:
- memory: "50Mi"
- cpu: "0.5"
- limits:
- memory: "50Mi"
- cpu: "0.5"
\ No newline at end of file
diff --git a/other-cel/require-qos-guaranteed/.chainsaw-test/policy-ready.yaml b/other-cel/require-qos-guaranteed/.chainsaw-test/policy-ready.yaml
deleted file mode 100755
index 08c5d44e0..000000000
--- a/other-cel/require-qos-guaranteed/.chainsaw-test/policy-ready.yaml
+++ /dev/null
@@ -1,10 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
- name: require-qos-guaranteed
-status:
- conditions:
- - reason: Succeeded
- status: "True"
- type: Ready
-
diff --git a/other-cel/require-qos-guaranteed/.kyverno-test/kyverno-test.yaml b/other-cel/require-qos-guaranteed/.kyverno-test/kyverno-test.yaml
deleted file mode 100644
index b11a7e2e1..000000000
--- a/other-cel/require-qos-guaranteed/.kyverno-test/kyverno-test.yaml
+++ /dev/null
@@ -1,24 +0,0 @@
-apiVersion: cli.kyverno.io/v1alpha1
-kind: Test
-metadata:
- name: require-qos-guaranteed
-policies:
-- ../require-qos-guaranteed.yaml
-resources:
-- resource.yaml
-results:
-- kind: Pod
- policy: require-qos-guaranteed
- resources:
- - badpod01
- - badpod02
- - badpod03
- result: fail
- rule: guaranteed
-- kind: Pod
- policy: require-qos-guaranteed
- resources:
- - goodpod01
- - goodpod02
- result: pass
- rule: guaranteed
diff --git a/other-cel/require-qos-guaranteed/.kyverno-test/resource.yaml b/other-cel/require-qos-guaranteed/.kyverno-test/resource.yaml
deleted file mode 100644
index 105a8d2a5..000000000
--- a/other-cel/require-qos-guaranteed/.kyverno-test/resource.yaml
+++ /dev/null
@@ -1,97 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
- name: goodpod01
-spec:
- containers:
- - name: qos-demo-ctr
- image: thisdoesnotexist:1.1.1
- resources:
- limits:
- memory: "200Mi"
- cpu: "700m"
- requests:
- memory: "200Mi"
- cpu: "700m"
----
-apiVersion: v1
-kind: Pod
-metadata:
- name: goodpod02
-spec:
- containers:
- - name: qos-demo-ctr
- image: thisdoesnotexist:1.1.1
- resources:
- limits:
- memory: "200Mi"
- cpu: "700m"
- requests:
- memory: "200Mi"
- cpu: "700m"
- - name: seconddemo
- image: thisdoesnotexist:1.1.1
- resources:
- limits:
- memory: "300Mi"
- cpu: "500m"
- requests:
- memory: "300Mi"
- cpu: "500m"
----
-apiVersion: v1
-kind: Pod
-metadata:
- name: badpod01
-spec:
- containers:
- - name: qos-demo-ctr
- image: thisdoesnotexist:1.1.1
- resources:
- limits:
- memory: "400Mi"
- cpu: "700m"
- requests:
- memory: "200Mi"
- cpu: "700m"
----
-apiVersion: v1
-kind: Pod
-metadata:
- name: badpod02
-spec:
- containers:
- - name: qos-demo-ctr
- image: thisdoesnotexist:1.1.1
- resources:
- limits:
- memory: "200Mi"
- cpu: "900m"
- requests:
- memory: "200Mi"
- cpu: "700m"
----
-apiVersion: v1
-kind: Pod
-metadata:
- name: badpod03
-spec:
- containers:
- - name: qos-demo-ctr
- image: thisdoesnotexist:1.1.1
- resources:
- limits:
- memory: "200Mi"
- cpu: "700m"
- requests:
- memory: "200Mi"
- cpu: "700m"
- - name: secondname
- image: thisdoesnotexist:1.1.1
- resources:
- limits:
- memory: "200Mi"
- cpu: "800m"
- requests:
- memory: "200Mi"
- cpu: "700m"
\ No newline at end of file
diff --git a/other-cel/require-qos-guaranteed/artifacthub-pkg.yml b/other-cel/require-qos-guaranteed/artifacthub-pkg.yml
deleted file mode 100644
index 047d7ef7e..000000000
--- a/other-cel/require-qos-guaranteed/artifacthub-pkg.yml
+++ /dev/null
@@ -1,24 +0,0 @@
-name: require-qos-guaranteed-cel
-version: 1.0.0
-displayName: Require QoS Guaranteed in CEL expressions
-description: >-
- Pod Quality of Service (QoS) is a mechanism to ensure Pods receive certain priority guarantees based upon the resources they define. When Pods define both requests and limits for both memory and CPU, and the requests and limits are equal to each other, Kubernetes grants the QoS class as guaranteed which allows them to run at a higher priority than others. This policy requires that all containers within a Pod run with this definition resulting in a guaranteed QoS. This policy is provided with the intention that users will need to control its scope by using exclusions, preconditions, and other policy language mechanisms.
-install: |-
- ```shell
- kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other-cel/require-qos-guaranteed/require-qos-guaranteed.yaml
- ```
-keywords:
- - kyverno
- - Other
- - Multi-Tenancy
- - CEL Expressions
-readme: |
- Pod Quality of Service (QoS) is a mechanism to ensure Pods receive certain priority guarantees based upon the resources they define. When Pods define both requests and limits for both memory and CPU, and the requests and limits are equal to each other, Kubernetes grants the QoS class as guaranteed which allows them to run at a higher priority than others. This policy requires that all containers within a Pod run with this definition resulting in a guaranteed QoS. This policy is provided with the intention that users will need to control its scope by using exclusions, preconditions, and other policy language mechanisms.
-
- Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/
-annotations:
- kyverno/category: "Other, Multi-Tenancy in CEL"
- kyverno/kubernetesVersion: "1.26-1.27"
- kyverno/subject: "Pod"
-digest: 5f7ee8a0d9f33c875ac26940425f5cc12ac8f528ea6cf233df2b4c79ed5ae43d
-createdAt: "2024-05-19T11:06:21Z"
diff --git a/other-cel/require-qos-guaranteed/require-qos-guaranteed.yaml b/other-cel/require-qos-guaranteed/require-qos-guaranteed.yaml
deleted file mode 100644
index 485ddfbcc..000000000
--- a/other-cel/require-qos-guaranteed/require-qos-guaranteed.yaml
+++ /dev/null
@@ -1,47 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
- name: require-qos-guaranteed
- annotations:
- policies.kyverno.io/title: Require QoS Guaranteed in CEL expressions
- policies.kyverno.io/category: Other, Multi-Tenancy in CEL
- policies.kyverno.io/severity: medium
- policies.kyverno.io/subject: Pod
- kyverno.io/kyverno-version: 1.11.0
- kyverno.io/kubernetes-version: "1.26-1.27"
- policies.kyverno.io/description: >-
- Pod Quality of Service (QoS) is a mechanism to ensure Pods receive certain
- priority guarantees based upon the resources they define. When Pods define both
- requests and limits for both memory and CPU, and the requests and limits are equal
- to each other, Kubernetes grants the QoS class as guaranteed which allows them to run
- at a higher priority than others. This policy requires that all containers within a Pod
- run with this definition resulting in a guaranteed QoS. This policy is provided with the
- intention that users will need to control its scope by using
- exclusions, preconditions, and other policy language mechanisms.
-spec:
- validationFailureAction: Audit
- background: true
- rules:
- - name: guaranteed
- match:
- any:
- - resources:
- kinds:
- - Pod
- operations:
- - CREATE
- - UPDATE
- validate:
- cel:
- expressions:
- - expression: >-
- object.spec.containers.all(container,
- has(container.resources) &&
- has(container.resources.requests) &&
- has(container.resources.requests.cpu) && has(container.resources.requests.memory) &&
- has(container.resources.limits) &&
- has(container.resources.limits.cpu) && has(container.resources.limits.memory) &&
- container.resources.requests.cpu == container.resources.limits.cpu &&
- container.resources.requests.memory == container.resources.limits.memory)
- message: "All containers must define memory and CPU requests and limits where they are equal."
-
diff --git a/other-cel/require-storageclass/.chainsaw-test/chainsaw-test.yaml b/other-cel/require-storageclass/.chainsaw-test/chainsaw-test.yaml
deleted file mode 100755
index e27410e3e..000000000
--- a/other-cel/require-storageclass/.chainsaw-test/chainsaw-test.yaml
+++ /dev/null
@@ -1,39 +0,0 @@
-# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
-apiVersion: chainsaw.kyverno.io/v1alpha1
-kind: Test
-metadata:
- creationTimestamp: null
- name: require-storageclass
-spec:
- steps:
- - name: step-01
- try:
- - apply:
- file: ../require-storageclass.yaml
- - patch:
- resource:
- apiVersion: kyverno.io/v1
- kind: ClusterPolicy
- metadata:
- name: require-storageclass
- spec:
- validationFailureAction: Enforce
- - assert:
- file: policy-ready.yaml
- - name: step-02
- try:
- - apply:
- file: ss-good.yaml
- - apply:
- expect:
- - check:
- ($error != null): true
- file: ss-bad.yaml
- - apply:
- file: pvc-good.yaml
- - apply:
- expect:
- - check:
- ($error != null): true
- file: pvc-bad.yaml
-
diff --git a/other-cel/require-storageclass/.chainsaw-test/policy-ready.yaml b/other-cel/require-storageclass/.chainsaw-test/policy-ready.yaml
deleted file mode 100755
index d6a378049..000000000
--- a/other-cel/require-storageclass/.chainsaw-test/policy-ready.yaml
+++ /dev/null
@@ -1,11 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
- name: require-storageclass
-status:
- conditions:
- - reason: Succeeded
- status: "True"
- type: Ready
-
-
diff --git a/other-cel/require-storageclass/.chainsaw-test/pvc-bad.yaml b/other-cel/require-storageclass/.chainsaw-test/pvc-bad.yaml
deleted file mode 100644
index e0f9f948c..000000000
--- a/other-cel/require-storageclass/.chainsaw-test/pvc-bad.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
- name: badpvc
-spec:
- accessModes:
- - ReadWriteOnce
- volumeMode: Filesystem
- resources:
- requests:
- storage: 1Gi
- storageClassName: ""
- selector:
- matchLabels:
- release: "stable"
- matchExpressions:
- - {key: environment, operator: In, values: [dev]}
-
diff --git a/other-cel/require-storageclass/.chainsaw-test/pvc-good.yaml b/other-cel/require-storageclass/.chainsaw-test/pvc-good.yaml
deleted file mode 100644
index 498f27c83..000000000
--- a/other-cel/require-storageclass/.chainsaw-test/pvc-good.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
- name: goodpvc
-spec:
- accessModes:
- - ReadWriteOnce
- volumeMode: Filesystem
- resources:
- requests:
- storage: 1Gi
- storageClassName: slow
- selector:
- matchLabels:
- release: "stable"
- matchExpressions:
- - {key: environment, operator: In, values: [dev]}
-
diff --git a/other-cel/require-storageclass/.chainsaw-test/ss-bad.yaml b/other-cel/require-storageclass/.chainsaw-test/ss-bad.yaml
deleted file mode 100644
index 8699ccbea..000000000
--- a/other-cel/require-storageclass/.chainsaw-test/ss-bad.yaml
+++ /dev/null
@@ -1,34 +0,0 @@
-apiVersion: apps/v1
-kind: StatefulSet
-metadata:
- name: badss
-spec:
- selector:
- matchLabels:
- app: nginx
- serviceName: "nginx"
- replicas: 1
- template:
- metadata:
- labels:
- app: nginx
- spec:
- terminationGracePeriodSeconds: 10
- containers:
- - name: busybox
- image: ghcr.io/kyverno/test-busybox:1.35
- ports:
- - containerPort: 80
- name: web
- volumeMounts:
- - name: www
- mountPath: /usr/share/nginx/html
- volumeClaimTemplates:
- - metadata:
- name: www
- spec:
- accessModes: [ "ReadWriteOnce" ]
- resources:
- requests:
- storage: 1Gi
-
diff --git a/other-cel/require-storageclass/.chainsaw-test/ss-good.yaml b/other-cel/require-storageclass/.chainsaw-test/ss-good.yaml
deleted file mode 100644
index 76ab2ae2d..000000000
--- a/other-cel/require-storageclass/.chainsaw-test/ss-good.yaml
+++ /dev/null
@@ -1,47 +0,0 @@
-apiVersion: apps/v1
-kind: StatefulSet
-metadata:
- name: goodss01
-spec:
- selector:
- matchLabels:
- app: nginx
- replicas: 1
- template:
- metadata:
- labels:
- app: nginx
- spec:
- terminationGracePeriodSeconds: 10
- containers:
- - name: busybox
- image: ghcr.io/kyverno/test-busybox:1.35
- volumeClaimTemplates:
- - metadata:
- name: www
- spec:
- accessModes: [ "ReadWriteOnce" ]
- storageClassName: "my-storage-class"
- resources:
- requests:
- storage: 1Gi
----
-apiVersion: apps/v1
-kind: StatefulSet
-metadata:
- name: goodss02
-spec:
- selector:
- matchLabels:
- app: busybox
- replicas: 1
- template:
- metadata:
- labels:
- app: busybox
- spec:
- terminationGracePeriodSeconds: 10
- containers:
- - name: busybox
- image: ghcr.io/kyverno/test-busybox:1.35
-
diff --git a/other-cel/require-storageclass/.kyverno-test/kyverno-test.yaml b/other-cel/require-storageclass/.kyverno-test/kyverno-test.yaml
deleted file mode 100644
index 168cfd341..000000000
--- a/other-cel/require-storageclass/.kyverno-test/kyverno-test.yaml
+++ /dev/null
@@ -1,35 +0,0 @@
-apiVersion: cli.kyverno.io/v1alpha1
-kind: Test
-metadata:
- name: require-storageclass
-policies:
-- ../require-storageclass.yaml
-resources:
-- resource.yaml
-results:
-- kind: PersistentVolumeClaim
- policy: require-storageclass
- resources:
- - badpvc
- result: fail
- rule: pvc-storageclass
-- kind: PersistentVolumeClaim
- policy: require-storageclass
- resources:
- - goodpvc
- result: pass
- rule: pvc-storageclass
-- kind: StatefulSet
- policy: require-storageclass
- resources:
- - badss
- result: fail
- rule: ss-storageclass
-- kind: StatefulSet
- policy: require-storageclass
- resources:
- - goodss
- - goodss-novct
- result: pass
- rule: ss-storageclass
-
diff --git a/other-cel/require-storageclass/.kyverno-test/resource.yaml b/other-cel/require-storageclass/.kyverno-test/resource.yaml
deleted file mode 100644
index d2bca0d00..000000000
--- a/other-cel/require-storageclass/.kyverno-test/resource.yaml
+++ /dev/null
@@ -1,127 +0,0 @@ -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: badpvc -spec: - accessModes: - - ReadWriteOnce - volumeMode: Filesystem - resources: - requests: - storage: 8Gi - selector: - matchLabels: - release: "stable" - matchExpressions: - - {key: environment, operator: In, values: [dev]} ---- -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: goodpvc -spec: - accessModes: - - ReadWriteOnce - volumeMode: Filesystem - resources: - requests: - storage: 8Gi - storageClassName: slow - selector: - matchLabels: - release: "stable" - matchExpressions: - - {key: environment, operator: In, values: [dev]} ---- -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: goodss -spec: - selector: - matchLabels: - app: nginx - serviceName: "nginx" - replicas: 3 - template: - metadata: - labels: - app: nginx - spec: - terminationGracePeriodSeconds: 10 - containers: - - name: nginx - image: thisdoesnotexist:0.8 - ports: - - containerPort: 80 - name: web - volumeMounts: - - name: www - mountPath: /usr/share/nginx/html - volumeClaimTemplates: - - metadata: - name: www - spec: - accessModes: [ "ReadWriteOnce" ] - storageClassName: "my-storage-class" - resources: - requests: - storage: 1Gi ---- -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: goodss-novct -spec: - selector: - matchLabels: - app: nginx - serviceName: "nginx" - replicas: 3 - template: - metadata: - labels: - app: nginx - spec: - terminationGracePeriodSeconds: 10 - containers: - - name: nginx - image: thisdoesnotexist:0.8 - ports: - - containerPort: 80 - name: web ---- -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: badss -spec: - selector: - matchLabels: - app: nginx - serviceName: "nginx" - replicas: 3 - template: - metadata: - labels: - app: nginx - spec: - terminationGracePeriodSeconds: 10 - containers: - - name: nginx - image: thisdoesnotexist:0.8 - ports: - - containerPort: 80 - name: web - volumeMounts: - - name: www - mountPath: /usr/share/nginx/html - 
volumeClaimTemplates: - - metadata: - name: www - spec: - accessModes: [ "ReadWriteOnce" ] - resources: - requests: - storage: 1Gi - diff --git a/other-cel/require-storageclass/artifacthub-pkg.yml b/other-cel/require-storageclass/artifacthub-pkg.yml deleted file mode 100644 index 449726544..000000000 --- a/other-cel/require-storageclass/artifacthub-pkg.yml +++ /dev/null @@ -1,25 +0,0 @@ -name: require-storageclass-cel -version: 1.0.0 -displayName: Require StorageClass in CEL expressions -description: >- - PersistentVolumeClaims (PVCs) and StatefulSets may optionally define a StorageClass to dynamically provision storage. In a multi-tenancy environment where StorageClasses are far more common, it is often better to require storage only be provisioned from these StorageClasses. This policy requires that PVCs and StatefulSets define the storageClassName field with some value. -install: |- - ```shell - kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other-cel/require-storageclass/require-storageclass.yaml - ``` -keywords: - - kyverno - - Other - - Multi-Tenancy - - CEL Expressions -readme: | - PersistentVolumeClaims (PVCs) and StatefulSets may optionally define a StorageClass to dynamically provision storage. In a multi-tenancy environment where StorageClasses are far more common, it is often better to require storage only be provisioned from these StorageClasses. This policy requires that PVCs and StatefulSets define the storageClassName field with some value. - - Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ -annotations: - kyverno/category: "Other, Multi-Tenancy in CEL" - kyverno/kubernetesVersion: "1.26-1.27" - kyverno/subject: "PersistentVolumeClaim, StatefulSet" -digest: e7471108f222c8a533a02a8c3b956ac0762d0f1b5522b1a27c95d90b2aa5080e -createdAt: "2024-04-11T18:06:16Z" - 
diff --git a/other-cel/require-storageclass/require-storageclass.yaml b/other-cel/require-storageclass/require-storageclass.yaml deleted file mode 100644 index 54cfbcc76..000000000 --- a/other-cel/require-storageclass/require-storageclass.yaml +++ /dev/null @@ -1,53 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: require-storageclass - annotations: - policies.kyverno.io/title: Require StorageClass in CEL expressions - policies.kyverno.io/category: Other, Multi-Tenancy in CEL - policies.kyverno.io/severity: medium - policies.kyverno.io/subject: PersistentVolumeClaim, StatefulSet - kyverno.io/kyverno-version: 1.11.0 - kyverno.io/kubernetes-version: "1.26-1.27" - policies.kyverno.io/description: >- - PersistentVolumeClaims (PVCs) and StatefulSets may optionally define a StorageClass - to dynamically provision storage. In a multi-tenancy environment where StorageClasses are - far more common, it is often better to require storage only be provisioned from these - StorageClasses. This policy requires that PVCs and StatefulSets containing - volumeClaimTemplates define the storageClassName field with some value. -spec: - validationFailureAction: Audit - background: true - rules: - - name: pvc-storageclass - match: - any: - - resources: - kinds: - - PersistentVolumeClaim - operations: - - CREATE - - UPDATE - validate: - cel: - expressions: - - expression: "object.spec.?storageClassName.orValue('') != ''" - message: "PersistentVolumeClaims must define a storageClassName." - - name: ss-storageclass - match: - any: - - resources: - kinds: - - StatefulSet - operations: - - CREATE - - UPDATE - validate: - cel: - expressions: - - expression: >- - !has(object.spec.volumeClaimTemplates) || - object.spec.volumeClaimTemplates.all(volumeClaimTemplate, - volumeClaimTemplate.spec.?storageClassName.orValue('') != '') - message: "StatefulSets must define a storageClassName." - 
diff --git a/other-cel/restrict-annotations/.chainsaw-test/chainsaw-test.yaml b/other-cel/restrict-annotations/.chainsaw-test/chainsaw-test.yaml deleted file mode 100755 index 55aef1211..000000000 --- a/other-cel/restrict-annotations/.chainsaw-test/chainsaw-test.yaml +++ /dev/null @@ -1,39 +0,0 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json -apiVersion: chainsaw.kyverno.io/v1alpha1 -kind: Test -metadata: - creationTimestamp: null - name: restrict-annotations -spec: - steps: - - name: step-01 - try: - - apply: - file: ../restrict-annotations.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: restrict-annotations - spec: - validationFailureAction: Enforce - - assert: - file: policy-ready.yaml - - name: step-02 - try: - - apply: - file: pod-good.yaml - - apply: - expect: - - check: - ($error != null): true - file: pod-bad.yaml - - apply: - file: podcontroller-good.yaml - - apply: - expect: - - check: - ($error != null): true - file: podcontroller-bad.yaml - diff --git a/other-cel/restrict-annotations/.chainsaw-test/pod-bad.yaml b/other-cel/restrict-annotations/.chainsaw-test/pod-bad.yaml deleted file mode 100644 index db8491b76..000000000 --- a/other-cel/restrict-annotations/.chainsaw-test/pod-bad.yaml +++ /dev/null @@ -1,37 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - annotations: - fluxcd.io/foo: bar - name: badpod01 -spec: - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: v1 -kind: Pod -metadata: - annotations: - bar: foo - fluxcd.io/foo: bar - foo: bar - name: badpod02 -spec: - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: v1 -kind: Pod -metadata: - annotations: - bar: foo - fluxcd.io/hello: bar - foo: bar - name: badpod03 -spec: - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 - 
diff --git a/other-cel/restrict-annotations/.chainsaw-test/pod-good.yaml b/other-cel/restrict-annotations/.chainsaw-test/pod-good.yaml deleted file mode 100644 index a51527584..000000000 --- a/other-cel/restrict-annotations/.chainsaw-test/pod-good.yaml +++ /dev/null @@ -1,22 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: goodpod01 -spec: - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: v1 -kind: Pod -metadata: - annotations: - bar: foo - flux.io/foo: bar - foo: bar - name: goodpod02 -spec: - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 - diff --git a/other-cel/restrict-annotations/.chainsaw-test/podcontroller-bad.yaml b/other-cel/restrict-annotations/.chainsaw-test/podcontroller-bad.yaml deleted file mode 100644 index 3f61c09d4..000000000 --- a/other-cel/restrict-annotations/.chainsaw-test/podcontroller-bad.yaml +++ /dev/null @@ -1,42 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - annotations: - fluxcd.io/foo: bar - labels: - app: busybox - name: baddeployment01 -spec: - replicas: 1 - selector: - matchLabels: - app: busybox - strategy: {} - template: - metadata: - labels: - app: busybox - spec: - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - annotations: - foo: bar - fluxcd.io/foo: bar - bar: foo - name: badcronjob01 -spec: - schedule: "* * * * *" - jobTemplate: - spec: - template: - spec: - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 - restartPolicy: OnFailure - diff --git a/other-cel/restrict-annotations/.chainsaw-test/podcontroller-good.yaml b/other-cel/restrict-annotations/.chainsaw-test/podcontroller-good.yaml deleted file mode 100644 index a4679aa23..000000000 --- a/other-cel/restrict-annotations/.chainsaw-test/podcontroller-good.yaml +++ /dev/null 
@@ -1,40 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - annotations: - flux.io/foo: bar - labels: - app: busybox - name: gooddeployment01 -spec: - replicas: 1 - selector: - matchLabels: - app: busybox - strategy: {} - template: - metadata: - labels: - app: busybox - spec: - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - annotations: - foo: bar - name: goodcronjob01 -spec: - schedule: "* * * * *" - jobTemplate: - spec: - template: - spec: - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 - restartPolicy: OnFailure - diff --git a/other-cel/restrict-annotations/.chainsaw-test/policy-ready.yaml b/other-cel/restrict-annotations/.chainsaw-test/policy-ready.yaml deleted file mode 100755 index 06e578ab4..000000000 --- a/other-cel/restrict-annotations/.chainsaw-test/policy-ready.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: restrict-annotations -status: - conditions: - - reason: Succeeded - status: "True" - type: Ready - - diff --git a/other-cel/restrict-annotations/.kyverno-test/kyverno-test.yaml b/other-cel/restrict-annotations/.kyverno-test/kyverno-test.yaml deleted file mode 100644 index 3ba9c58e4..000000000 --- a/other-cel/restrict-annotations/.kyverno-test/kyverno-test.yaml +++ /dev/null @@ -1,28 +0,0 @@ -apiVersion: cli.kyverno.io/v1alpha1 -kind: Test -metadata: - name: restrict-annotations -policies: -- ../restrict-annotations.yaml -resources: -- resource.yaml -results: -- kind: Deployment - policy: restrict-annotations - resources: - - mydeploy - result: fail - rule: block-flux-v1 -- kind: Pod - policy: restrict-annotations - resources: - - myapp-pod - result: fail - rule: block-flux-v1 -- kind: CronJob - policy: restrict-annotations - resources: - - hello - result: pass - rule: block-flux-v1 - 
diff --git a/other-cel/restrict-annotations/.kyverno-test/resource.yaml b/other-cel/restrict-annotations/.kyverno-test/resource.yaml deleted file mode 100644 index 7879734db..000000000 --- a/other-cel/restrict-annotations/.kyverno-test/resource.yaml +++ /dev/null @@ -1,54 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - labels: - app: myapp - name: myapp-pod - annotations: - fluxcd.io/title: Annotation for pods -spec: - containers: - - image: nginx - name: myapp-pod - ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app: myapp - name: mydeploy - annotations: - fluxcd.io/title: Annotation for deployment -spec: - replicas: 1 - selector: - matchLabels: - app: myapp - template: - metadata: - labels: - app: myapp - spec: - containers: - - image: nginx - name: nginx - ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: hello - annotations: - gauss.io/title: Annotation for CronJob -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - containers: - - name: hello - image: busybox - restartPolicy: OnFailure - diff --git a/other-cel/restrict-annotations/artifacthub-pkg.yml b/other-cel/restrict-annotations/artifacthub-pkg.yml deleted file mode 100644 index 1989bc110..000000000 --- a/other-cel/restrict-annotations/artifacthub-pkg.yml +++ /dev/null 
@@ -1,24 +0,0 @@ -name: restrict-annotations-cel -version: 1.0.0 -displayName: Restrict Annotations in CEL expressions -description: >- - Some annotations control functionality driven by other cluster-wide tools and are not normally set by some class of users. This policy prevents the use of an annotation beginning with `fluxcd.io/`. This can be useful to ensure users either don't set reserved annotations or to force them to use a newer version of an annotation. -install: |- - ```shell - kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other-cel/restrict-annotations/restrict-annotations.yaml - ``` -keywords: - - kyverno - - Sample - - CEL Expressions -readme: | - Some annotations control functionality driven by other cluster-wide tools and are not normally set by some class of users. This policy prevents the use of an annotation beginning with `fluxcd.io/`. This can be useful to ensure users either don't set reserved annotations or to force them to use a newer version of an annotation. - - Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ -annotations: - kyverno/category: "Sample in CEL" - kyverno/kubernetesVersion: "1.26-1.27" - kyverno/subject: "Pod, Annotation" -digest: cf1c58fd51dd74ce5fe3369919c7885c5a2f54bcd9c8d4ca38ee872662b8376f -createdAt: "2024-04-12T15:55:04Z" - diff --git a/other-cel/restrict-annotations/restrict-annotations.yaml b/other-cel/restrict-annotations/restrict-annotations.yaml deleted file mode 100644 index 3ac318e15..000000000 --- a/other-cel/restrict-annotations/restrict-annotations.yaml +++ /dev/null 
@@ -1,40 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: restrict-annotations - annotations: - policies.kyverno.io/title: Restrict Annotations in CEL expressions - policies.kyverno.io/category: Sample in CEL - policies.kyverno.io/minversion: 1.11.0 - policies.kyverno.io/subject: Pod, Annotation - kyverno.io/kubernetes-version: "1.26-1.27" - policies.kyverno.io/description: >- - Some annotations control functionality driven by other cluster-wide tools and are not - normally set by some class of users. This policy prevents the use of an annotation beginning - with `fluxcd.io/`. This can be useful to ensure users either - don't set reserved annotations or to force them to use a newer version of an annotation. - pod-policies.kyverno.io/autogen-controllers: none -spec: - validationFailureAction: Audit - background: true - rules: - - name: block-flux-v1 - match: - any: - - resources: - kinds: - - Deployment - - CronJob - - Job - - StatefulSet - - DaemonSet - - Pod - operations: - - CREATE - - UPDATE - validate: - cel: - expressions: - - expression: "!object.metadata.?annotations.orValue([]).exists(annotation, annotation.startsWith('fluxcd.io/'))" - message: Cannot use Flux v1 annotation. - diff --git a/other-cel/restrict-binding-clusteradmin/.chainsaw-test/chainsaw-test.yaml b/other-cel/restrict-binding-clusteradmin/.chainsaw-test/chainsaw-test.yaml deleted file mode 100755 index 2393d32be..000000000 --- a/other-cel/restrict-binding-clusteradmin/.chainsaw-test/chainsaw-test.yaml +++ /dev/null 
@@ -1,39 +0,0 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json -apiVersion: chainsaw.kyverno.io/v1alpha1 -kind: Test -metadata: - creationTimestamp: null - name: restrict-binding-clusteradmin -spec: - steps: - - name: step-01 - try: - - apply: - file: ../restrict-binding-clusteradmin.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: restrict-binding-clusteradmin - spec: - validationFailureAction: Enforce - - assert: - file: policy-ready.yaml - - name: step-02 - try: - - apply: - file: rb-good.yaml - - apply: - expect: - - check: - ($error != null): true - file: rb-bad.yaml - - apply: - file: crb-good.yaml - - apply: - expect: - - check: - ($error != null): true - file: crb-bad.yaml - diff --git a/other-cel/restrict-binding-clusteradmin/.chainsaw-test/crb-bad.yaml b/other-cel/restrict-binding-clusteradmin/.chainsaw-test/crb-bad.yaml deleted file mode 100644 index d358dcad7..000000000 --- a/other-cel/restrict-binding-clusteradmin/.chainsaw-test/crb-bad.yaml +++ /dev/null @@ -1,26 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: badcrb01 -subjects: -- kind: Group - name: manager - apiGroup: rbac.authorization.k8s.io -roleRef: - kind: ClusterRole - name: cluster-admin - apiGroup: rbac.authorization.k8s.io ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: badcrb02 -subjects: -- kind: ServiceAccount - namespace: foo - name: manager -roleRef: - kind: ClusterRole - name: cluster-admin - apiGroup: rbac.authorization.k8s.io - diff --git a/other-cel/restrict-binding-clusteradmin/.chainsaw-test/crb-good.yaml b/other-cel/restrict-binding-clusteradmin/.chainsaw-test/crb-good.yaml deleted file mode 100644 index 613294872..000000000 --- a/other-cel/restrict-binding-clusteradmin/.chainsaw-test/crb-good.yaml +++ /dev/null 
@@ -1,26 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: goodcrb01 -subjects: -- kind: Group - name: manager - apiGroup: rbac.authorization.k8s.io -roleRef: - kind: ClusterRole - name: secret-reader - apiGroup: rbac.authorization.k8s.io ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: goodcrb02 -subjects: -- kind: ServiceAccount - namespace: foo - name: manager -roleRef: - kind: ClusterRole - name: foo-reader - apiGroup: rbac.authorization.k8s.io - diff --git a/other-cel/restrict-binding-clusteradmin/.chainsaw-test/policy-ready.yaml b/other-cel/restrict-binding-clusteradmin/.chainsaw-test/policy-ready.yaml deleted file mode 100755 index 899bf3663..000000000 --- a/other-cel/restrict-binding-clusteradmin/.chainsaw-test/policy-ready.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: restrict-binding-clusteradmin -status: - conditions: - - reason: Succeeded - status: "True" - type: Ready - - diff --git a/other-cel/restrict-binding-clusteradmin/.chainsaw-test/rb-bad.yaml b/other-cel/restrict-binding-clusteradmin/.chainsaw-test/rb-bad.yaml deleted file mode 100644 index f367b8335..000000000 --- a/other-cel/restrict-binding-clusteradmin/.chainsaw-test/rb-bad.yaml +++ /dev/null @@ -1,26 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: badrb01 -subjects: -- kind: User - name: foo - apiGroup: rbac.authorization.k8s.io -roleRef: - kind: Role - name: cluster-admin - apiGroup: rbac.authorization.k8s.io ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: badrb02 -subjects: -- kind: ServiceAccount - name: foo - namespace: foo -roleRef: - kind: Role - name: cluster-admin - apiGroup: rbac.authorization.k8s.io - 
diff --git a/other-cel/restrict-binding-clusteradmin/.chainsaw-test/rb-good.yaml b/other-cel/restrict-binding-clusteradmin/.chainsaw-test/rb-good.yaml deleted file mode 100644 index 9308e707a..000000000 --- a/other-cel/restrict-binding-clusteradmin/.chainsaw-test/rb-good.yaml +++ /dev/null @@ -1,26 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: goodrb01 -subjects: -- kind: User - name: foo - apiGroup: rbac.authorization.k8s.io -roleRef: - kind: Role - name: foo-bar - apiGroup: rbac.authorization.k8s.io ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: goodrb02 -subjects: -- kind: ServiceAccount - name: foo - namespace: foo -roleRef: - kind: Role - name: foo-bar - apiGroup: rbac.authorization.k8s.io - diff --git a/other-cel/restrict-binding-clusteradmin/.kyverno-test/kyverno-test.yaml b/other-cel/restrict-binding-clusteradmin/.kyverno-test/kyverno-test.yaml deleted file mode 100644 index 8b2670ad9..000000000 --- a/other-cel/restrict-binding-clusteradmin/.kyverno-test/kyverno-test.yaml +++ /dev/null 
@@ -1,41 +0,0 @@ -apiVersion: cli.kyverno.io/v1alpha1 -kind: Test -metadata: - name: restrict-binding-clusteradmin -policies: -- ../restrict-binding-clusteradmin.yaml -resources: -- ../.chainsaw-test/crb-bad.yaml -- ../.chainsaw-test/crb-good.yaml -- ../.chainsaw-test/rb-bad.yaml -- ../.chainsaw-test/rb-good.yaml -results: -- policy: restrict-binding-clusteradmin - rule: clusteradmin-bindings - kind: ClusterRoleBinding - resources: - - badcrb01 - - badcrb02 - result: fail -- policy: restrict-binding-clusteradmin - rule: clusteradmin-bindings - kind: ClusterRoleBinding - resources: - - goodcrb01 - - goodcrb02 - result: pass -- policy: restrict-binding-clusteradmin - rule: clusteradmin-bindings - kind: RoleBinding - resources: - - badrb01 - - badrb02 - result: fail -- policy: restrict-binding-clusteradmin - rule: clusteradmin-bindings - kind: RoleBinding - resources: - - goodrb01 - - goodrb02 - result: pass - diff --git a/other-cel/restrict-binding-clusteradmin/artifacthub-pkg.yml b/other-cel/restrict-binding-clusteradmin/artifacthub-pkg.yml deleted file mode 100644 index b97c83f97..000000000 --- a/other-cel/restrict-binding-clusteradmin/artifacthub-pkg.yml +++ /dev/null 
@@ -1,24 +0,0 @@ -name: restrict-binding-clusteradmin-cel -version: 1.0.0 -displayName: Restrict Binding to Cluster-Admin in CEL expressions -description: >- - The cluster-admin ClusterRole allows any action to be performed on any resource in the cluster and its granting should be heavily restricted. This policy prevents binding to the cluster-admin ClusterRole in RoleBinding or ClusterRoleBinding resources. -install: |- - ```shell - kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other-cel/restrict-binding-clusteradmin/restrict-binding-clusteradmin.yaml - ``` -keywords: - - kyverno - - Security - - CEL Expressions -readme: | - The cluster-admin ClusterRole allows any action to be performed on any resource in the cluster and its granting should be heavily restricted. This policy prevents binding to the cluster-admin ClusterRole in RoleBinding or ClusterRoleBinding resources. - - Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ -annotations: - kyverno/category: "Security in CEL" - kyverno/kubernetesVersion: "1.26-1.27" - kyverno/subject: "RoleBinding, ClusterRoleBinding, RBAC" -digest: 7affbe90144f7d95e86ec9be12e95542296020026dd561cf79cd508b7dbb663d -createdAt: "2024-04-12T16:00:17Z" - diff --git a/other-cel/restrict-binding-clusteradmin/restrict-binding-clusteradmin.yaml b/other-cel/restrict-binding-clusteradmin/restrict-binding-clusteradmin.yaml deleted file mode 100644 index fd201e13b..000000000 --- a/other-cel/restrict-binding-clusteradmin/restrict-binding-clusteradmin.yaml +++ /dev/null 
@@ -1,37 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: restrict-binding-clusteradmin - annotations: - policies.kyverno.io/title: Restrict Binding to Cluster-Admin in CEL expressions - policies.kyverno.io/category: Security in CEL - policies.kyverno.io/severity: medium - policies.kyverno.io/subject: RoleBinding, ClusterRoleBinding, RBAC - kyverno.io/kyverno-version: 1.11.0 - policies.kyverno.io/minversion: 1.11.0 - kyverno.io/kubernetes-version: "1.26-1.27" - policies.kyverno.io/description: >- - The cluster-admin ClusterRole allows any action to be performed on any resource - in the cluster and its granting should be heavily restricted. This - policy prevents binding to the cluster-admin ClusterRole in - RoleBinding or ClusterRoleBinding resources. -spec: - validationFailureAction: Audit - background: true - rules: - - name: clusteradmin-bindings - match: - any: - - resources: - kinds: - - RoleBinding - - ClusterRoleBinding - operations: - - CREATE - - UPDATE - validate: - cel: - expressions: - - expression: "object.roleRef.name != 'cluster-admin'" - message: "Binding to cluster-admin is not allowed." - diff --git a/other-cel/restrict-binding-system-groups/.chainsaw-test/chainsaw-test.yaml b/other-cel/restrict-binding-system-groups/.chainsaw-test/chainsaw-test.yaml deleted file mode 100755 index 614464468..000000000 --- a/other-cel/restrict-binding-system-groups/.chainsaw-test/chainsaw-test.yaml +++ /dev/null 
@@ -1,39 +0,0 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json -apiVersion: chainsaw.kyverno.io/v1alpha1 -kind: Test -metadata: - creationTimestamp: null - name: restrict-binding-system-groups -spec: - steps: - - name: step-01 - try: - - apply: - file: ../restrict-binding-system-groups.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: restrict-binding-system-groups - spec: - validationFailureAction: Enforce - - assert: - file: policy-ready.yaml - - name: step-02 - try: - - apply: - file: rb-good.yaml - - apply: - expect: - - check: - ($error != null): true - file: rb-bad.yaml - - apply: - file: crb-good.yaml - - apply: - expect: - - check: - ($error != null): true - file: crb-bad.yaml - diff --git a/other-cel/restrict-binding-system-groups/.chainsaw-test/crb-bad.yaml b/other-cel/restrict-binding-system-groups/.chainsaw-test/crb-bad.yaml deleted file mode 100644 index e7fca387d..000000000 --- a/other-cel/restrict-binding-system-groups/.chainsaw-test/crb-bad.yaml +++ /dev/null 
@@ -1,41 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: badcrb01 -subjects: -- kind: Group - name: "system:anonymous" - apiGroup: rbac.authorization.k8s.io -roleRef: - kind: ClusterRole - name: manager - apiGroup: rbac.authorization.k8s.io ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: badcrb02 -subjects: -- kind: Group - namespace: foo - name: "system:unauthenticated" - apiGroup: rbac.authorization.k8s.io -roleRef: - kind: ClusterRole - name: manager - apiGroup: rbac.authorization.k8s.io ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: badcrb03 -subjects: -- kind: Group - namespace: foo - name: "system:masters" - apiGroup: rbac.authorization.k8s.io -roleRef: - kind: ClusterRole - name: manager - apiGroup: rbac.authorization.k8s.io - diff --git a/other-cel/restrict-binding-system-groups/.chainsaw-test/crb-good.yaml b/other-cel/restrict-binding-system-groups/.chainsaw-test/crb-good.yaml deleted file mode 100644 index 6dfc7360f..000000000 --- a/other-cel/restrict-binding-system-groups/.chainsaw-test/crb-good.yaml +++ /dev/null @@ -1,40 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: goodcrb01 -subjects: -- kind: Group - name: secret-reader - apiGroup: rbac.authorization.k8s.io -roleRef: - kind: ClusterRole - name: manager - apiGroup: rbac.authorization.k8s.io ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: goodcrb02 -subjects: -- kind: ServiceAccount - namespace: foo - name: foo-reader -roleRef: - kind: ClusterRole - name: manager - apiGroup: rbac.authorization.k8s.io - ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: goodcrb03 -subjects: -- kind: ServiceAccount - namespace: foo - name: "system.foo" -roleRef: - kind: ClusterRole - name: manager - apiGroup: rbac.authorization.k8s.io - 
diff --git a/other-cel/restrict-binding-system-groups/.chainsaw-test/policy-ready.yaml b/other-cel/restrict-binding-system-groups/.chainsaw-test/policy-ready.yaml deleted file mode 100755 index 4a404d804..000000000 --- a/other-cel/restrict-binding-system-groups/.chainsaw-test/policy-ready.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: restrict-binding-system-groups -status: - conditions: - - reason: Succeeded - status: "True" - type: Ready - - diff --git a/other-cel/restrict-binding-system-groups/.chainsaw-test/rb-bad.yaml b/other-cel/restrict-binding-system-groups/.chainsaw-test/rb-bad.yaml deleted file mode 100644 index 963f4cbc6..000000000 --- a/other-cel/restrict-binding-system-groups/.chainsaw-test/rb-bad.yaml +++ /dev/null @@ -1,41 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: badrb01 -subjects: -- kind: Group - name: "system:anonymous" - apiGroup: rbac.authorization.k8s.io -roleRef: - kind: Role - name: foo - apiGroup: rbac.authorization.k8s.io ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: badrb02 -subjects: -- kind: Group - name: "system:unauthenticated" - namespace: foo - apiGroup: rbac.authorization.k8s.io -roleRef: - kind: Role - name: foo - apiGroup: rbac.authorization.k8s.io ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: badrb03 -subjects: -- kind: Group - name: "system:masters" - namespace: foo - apiGroup: rbac.authorization.k8s.io -roleRef: - kind: Role - name: foo - apiGroup: rbac.authorization.k8s.io - diff --git a/other-cel/restrict-binding-system-groups/.chainsaw-test/rb-good.yaml b/other-cel/restrict-binding-system-groups/.chainsaw-test/rb-good.yaml deleted file mode 100644 index fa1225bc6..000000000 --- a/other-cel/restrict-binding-system-groups/.chainsaw-test/rb-good.yaml +++ /dev/null 
@@ -1,39 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: goodrb01 -subjects: -- kind: User - name: foo - apiGroup: rbac.authorization.k8s.io -roleRef: - kind: Role - name: foo-bar - apiGroup: rbac.authorization.k8s.io ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: goodrb02 -subjects: -- kind: ServiceAccount - name: foo - namespace: foo -roleRef: - kind: Role - name: foo-bar - apiGroup: rbac.authorization.k8s.io ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: goodrb03 -subjects: -- kind: Group - name: "system:foo" - apiGroup: rbac.authorization.k8s.io -roleRef: - kind: Role - name: foo - apiGroup: rbac.authorization.k8s.io - diff --git a/other-cel/restrict-binding-system-groups/.kyverno-test/kyverno-test.yaml b/other-cel/restrict-binding-system-groups/.kyverno-test/kyverno-test.yaml deleted file mode 100644 index 1b34b1e91..000000000 --- a/other-cel/restrict-binding-system-groups/.kyverno-test/kyverno-test.yaml +++ /dev/null 
@@ -1,45 +0,0 @@ -apiVersion: cli.kyverno.io/v1alpha1 -kind: Test -metadata: - name: restrict-binding-system-groups -policies: -- ../restrict-binding-system-groups.yaml -resources: -- ../.chainsaw-test/crb-bad.yaml -- ../.chainsaw-test/crb-good.yaml -- ../.chainsaw-test/rb-bad.yaml -- ../.chainsaw-test/rb-good.yaml -results: -- policy: restrict-binding-system-groups - rule: restrict-subject-groups - kind: ClusterRoleBinding - resources: - - badcrb01 - - badcrb02 - - badcrb03 - result: fail -- policy: restrict-binding-system-groups - rule: restrict-subject-groups - kind: ClusterRoleBinding - resources: - - goodcrb01 - - goodcrb02 - - goodcrb03 - result: pass -- policy: restrict-binding-system-groups - rule: restrict-subject-groups - kind: RoleBinding - resources: - - badrb01 - - badrb02 - - badrb03 - result: fail -- policy: restrict-binding-system-groups - rule: restrict-subject-groups - kind: RoleBinding - resources: - - goodrb01 - - goodrb02 - - goodrb03 - result: pass - diff --git a/other-cel/restrict-binding-system-groups/artifacthub-pkg.yml b/other-cel/restrict-binding-system-groups/artifacthub-pkg.yml deleted file mode 100644 index a6908e5bc..000000000 --- a/other-cel/restrict-binding-system-groups/artifacthub-pkg.yml +++ /dev/null 
@@ -1,25 +0,0 @@
-name: restrict-binding-system-groups-cel
-version: 1.0.0
-displayName: Restrict Binding System Groups in CEL expressions
-description: >-
- Certain system groups exist in Kubernetes which grant permissions that are used for certain system-level functions yet typically never appropriate for other users. This policy prevents creating bindings to some of these groups including system:anonymous, system:unauthenticated, and system:masters.
-install: |-
- ```shell
- kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other-cel/restrict-binding-system-groups/restrict-binding-system-groups.yaml
- ```
-keywords:
- - kyverno
- - Security
- - EKS Best Practices
- - CEL Expressions
-readme: |
- Certain system groups exist in Kubernetes which grant permissions that are used for certain system-level functions yet typically never appropriate for other users. This policy prevents creating bindings to some of these groups including system:anonymous, system:unauthenticated, and system:masters.
-
- Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/
-annotations:
- kyverno/category: "Security, EKS Best Practices in CEL"
- kyverno/kubernetesVersion: "1.26-1.27"
- kyverno/subject: "RoleBinding, ClusterRoleBinding, RBAC"
-digest: 8a5fb4bfe55c063b3b14eaed7a81512548ce89cc7057aa5549723fefed670f1f
-createdAt: "2024-04-12T16:28:28Z"
-
diff --git a/other-cel/restrict-binding-system-groups/restrict-binding-system-groups.yaml b/other-cel/restrict-binding-system-groups/restrict-binding-system-groups.yaml
deleted file mode 100644
index 621f9fc7b..000000000
--- a/other-cel/restrict-binding-system-groups/restrict-binding-system-groups.yaml
+++ /dev/null
@@ -1,41 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
- name: restrict-binding-system-groups
- annotations:
- policies.kyverno.io/title: Restrict Binding System Groups in CEL expressions
- policies.kyverno.io/category: Security, EKS Best Practices in CEL
- policies.kyverno.io/severity: medium
- policies.kyverno.io/subject: RoleBinding, ClusterRoleBinding, RBAC
- kyverno.io/kyverno-version: 1.11.0
- policies.kyverno.io/minversion: 1.11.0
- kyverno.io/kubernetes-version: "1.26-1.27"
- policies.kyverno.io/description: >-
- Certain system groups exist in Kubernetes which grant permissions that
- are used for certain system-level functions yet typically never appropriate
- for other users. This policy prevents creating bindings to some of these
- groups including system:anonymous, system:unauthenticated, and system:masters.
-spec:
- validationFailureAction: Audit
- background: true
- rules:
- - name: restrict-subject-groups
- match:
- any:
- - resources:
- kinds:
- - RoleBinding
- - ClusterRoleBinding
- operations:
- - CREATE
- - UPDATE
- validate:
- cel:
- expressions:
- - expression: "object.subjects.all(subject, subject.name != 'system:anonymous')"
- message: "Binding to system:anonymous is not allowed."
- - expression: "object.subjects.all(subject, subject.name != 'system:unauthenticated')"
- message: "Binding to system:unauthenticated is not allowed."
- - expression: "object.subjects.all(subject, subject.name != 'system:masters')"
- message: "Binding to system:masters is not allowed."
-
diff --git a/other-cel/restrict-clusterrole-nodesproxy/.chainsaw-test/chainsaw-test.yaml b/other-cel/restrict-clusterrole-nodesproxy/.chainsaw-test/chainsaw-test.yaml
deleted file mode 100755
index 5e299aa72..000000000
--- a/other-cel/restrict-clusterrole-nodesproxy/.chainsaw-test/chainsaw-test.yaml
+++ /dev/null
@@ -1,32 +0,0 @@
-# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
-apiVersion: chainsaw.kyverno.io/v1alpha1
-kind: Test
-metadata:
- creationTimestamp: null
- name: restrict-clusterrole-nodesproxy
-spec:
- steps:
- - name: step-01
- try:
- - apply:
- file: ../restrict-clusterrole-nodesproxy.yaml
- - patch:
- resource:
- apiVersion: kyverno.io/v1
- kind: ClusterPolicy
- metadata:
- name: restrict-clusterrole-nodesproxy
- spec:
- validationFailureAction: Enforce
- - assert:
- file: policy-ready.yaml
- - name: step-02
- try:
- - apply:
- file: cr-good.yaml
- - apply:
- expect:
- - check:
- ($error != null): true
- file: cr-bad.yaml
-
diff --git a/other-cel/restrict-clusterrole-nodesproxy/.chainsaw-test/cr-bad.yaml b/other-cel/restrict-clusterrole-nodesproxy/.chainsaw-test/cr-bad.yaml
deleted file mode 100644
index 630cd4da2..000000000
--- a/other-cel/restrict-clusterrole-nodesproxy/.chainsaw-test/cr-bad.yaml
+++ /dev/null
@@ -1,21 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: badcr01
-rules:
-- apiGroups: [""]
- resources: ["nodes/proxy", "namespaces"]
- verbs: ["get", "watch", "list"]
-- apiGroups: ["apps"]
- resources: ["deployments"]
- verbs: ["get", "watch", "list"]
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: badcr02
-rules:
-- apiGroups: [""]
- resources: ["pods", "nodes/proxy"]
- verbs: ["get", "watch", "list"]
-
diff --git a/other-cel/restrict-clusterrole-nodesproxy/.chainsaw-test/cr-good.yaml b/other-cel/restrict-clusterrole-nodesproxy/.chainsaw-test/cr-good.yaml
deleted file mode 100644
index ebb870b7c..000000000
--- a/other-cel/restrict-clusterrole-nodesproxy/.chainsaw-test/cr-good.yaml
+++ /dev/null
@@ -1,32 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: goodcr01
-rules:
-- apiGroups: [""]
- resources: ["pods", "namespaces"]
- verbs: ["get", "watch", "list"]
-- apiGroups: ["apps"]
- resources: ["deployments"]
- verbs: ["get", "watch", "list"]
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: goodcr02
-rules:
-- apiGroups: [""]
- resources: ["nodes"]
- verbs: ["get", "watch", "list"]
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: empty-rules
-rules:
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: omitted-rules
----
diff --git a/other-cel/restrict-clusterrole-nodesproxy/.chainsaw-test/policy-ready.yaml b/other-cel/restrict-clusterrole-nodesproxy/.chainsaw-test/policy-ready.yaml
deleted file mode 100755
index 5915caeff..000000000
--- a/other-cel/restrict-clusterrole-nodesproxy/.chainsaw-test/policy-ready.yaml
+++ /dev/null
@@ -1,11 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
- name: restrict-clusterrole-nodesproxy
-status:
- conditions:
- - reason: Succeeded
- status: "True"
- type: Ready
-
-
diff --git a/other-cel/restrict-clusterrole-nodesproxy/.kyverno-test/kyverno-test.yaml b/other-cel/restrict-clusterrole-nodesproxy/.kyverno-test/kyverno-test.yaml
deleted file mode 100644
index 1aa25d73c..000000000
--- a/other-cel/restrict-clusterrole-nodesproxy/.kyverno-test/kyverno-test.yaml
+++ /dev/null
@@ -1,25 +0,0 @@
-apiVersion: cli.kyverno.io/v1alpha1
-kind: Test
-metadata:
- name: restrict-clusterrole-nodesproxy
-policies:
-- ../restrict-clusterrole-nodesproxy.yaml
-resources:
-- resource.yaml
-results:
-- policy: restrict-clusterrole-nodesproxy
- rule: clusterrole-nodesproxy
- kind: ClusterRole
- resources:
- - badcr01
- - badcr02
- result: fail
-- policy: restrict-clusterrole-nodesproxy
- rule: clusterrole-nodesproxy
- kind: ClusterRole
- resources:
- - goodcr01
- - goodcr02
- - default-rules
- result: pass
-
diff --git a/other-cel/restrict-clusterrole-nodesproxy/.kyverno-test/resource.yaml b/other-cel/restrict-clusterrole-nodesproxy/.kyverno-test/resource.yaml
deleted file mode 100644
index e33b146f9..000000000
--- a/other-cel/restrict-clusterrole-nodesproxy/.kyverno-test/resource.yaml
+++ /dev/null
@@ -1,50 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: badcr01
-rules:
-- apiGroups: [""]
- resources: ["nodes/proxy", "namespaces"]
- verbs: ["get", "watch", "list"]
-- apiGroups: ["apps"]
- resources: ["deployments"]
- verbs: ["get", "watch", "list"]
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: badcr02
-rules:
-- apiGroups: [""]
- resources: ["pods", "nodes/proxy"]
- verbs: ["get", "watch", "list"]
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: goodcr01
-rules:
-- apiGroups: [""]
- resources: ["pods", "namespaces"]
- verbs: ["get", "watch", "list"]
-- apiGroups: ["apps"]
- resources: ["deployments"]
- verbs: ["get", "watch", "list"]
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: goodcr02
-rules:
-- apiGroups: [""]
- resources: ["nodes"]
- verbs: ["get", "watch", "list"]
----
-# In the manifest, if the 'rules' field is not specified or is specified as 'rules: ' without a value,
-# it will be set to null by default when created in the cluster
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: default-rules
-rules: null
----
diff --git a/other-cel/restrict-clusterrole-nodesproxy/artifacthub-pkg.yml b/other-cel/restrict-clusterrole-nodesproxy/artifacthub-pkg.yml
deleted file mode 100644
index ee8e3bd59..000000000
--- a/other-cel/restrict-clusterrole-nodesproxy/artifacthub-pkg.yml
+++ /dev/null
@@ -1,24 +0,0 @@
-name: restrict-clusterrole-nodesproxy-cel
-version: 1.0.0
-displayName: Restrict ClusterRole with Nodes Proxy in CEL expressions
-description: >-
- A ClusterRole with nodes/proxy resource access allows a user to perform anything the kubelet API allows. It also allows users to bypass the API server and talk directly to the kubelet potentially circumventing audits and admission controllers. See https://blog.aquasec.com/privilege-escalation-kubernetes-rbac for more info. This policy prevents the creation of a ClusterRole if it contains the nodes/proxy resource.
-install: |-
- ```shell
- kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other-cel/restrict-clusterrole-nodesproxy/restrict-clusterrole-nodesproxy.yaml
- ```
-keywords:
- - kyverno
- - Sample
- - CEL Expressions
-readme: |
- A ClusterRole with nodes/proxy resource access allows a user to perform anything the kubelet API allows. It also allows users to bypass the API server and talk directly to the kubelet potentially circumventing audits and admission controllers. See https://blog.aquasec.com/privilege-escalation-kubernetes-rbac for more info. This policy prevents the creation of a ClusterRole if it contains the nodes/proxy resource.
-
- Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/
-annotations:
- kyverno/category: "Sample in CEL"
- kyverno/kubernetesVersion: "1.26-1.27"
- kyverno/subject: "ClusterRole, RBAC"
-digest: 070dd3d53f7c50f1cdbb48643fc69d73ba1af9766f5eba3809e42058d72f885c
-createdAt: "2024-04-13T16:12:56Z"
-
diff --git a/other-cel/restrict-clusterrole-nodesproxy/restrict-clusterrole-nodesproxy.yaml b/other-cel/restrict-clusterrole-nodesproxy/restrict-clusterrole-nodesproxy.yaml
deleted file mode 100644
index 65e835a45..000000000
--- a/other-cel/restrict-clusterrole-nodesproxy/restrict-clusterrole-nodesproxy.yaml
+++ /dev/null
@@ -1,42 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
- name: restrict-clusterrole-nodesproxy
- annotations:
- policies.kyverno.io/title: Restrict ClusterRole with Nodes Proxy in CEL expressions
- policies.kyverno.io/category: Sample in CEL
- policies.kyverno.io/severity: medium
- policies.kyverno.io/subject: ClusterRole, RBAC
- kyverno.io/kyverno-version: 1.11.0
- policies.kyverno.io/minversion: 1.11.0
- kyverno.io/kubernetes-version: "1.26-1.27"
- policies.kyverno.io/description: >-
- A ClusterRole with nodes/proxy resource access allows a user to
- perform anything the kubelet API allows. It also allows users to bypass
- the API server and talk directly to the kubelet potentially circumventing
- audits and admission controllers. See https://blog.aquasec.com/privilege-escalation-kubernetes-rbac
- for more info. This policy prevents the creation
- of a ClusterRole if it contains the nodes/proxy resource.
-spec:
- validationFailureAction: Audit
- background: true
- rules:
- - name: clusterrole-nodesproxy
- match:
- any:
- - resources:
- kinds:
- - ClusterRole
- operations:
- - CREATE
- - UPDATE
- validate:
- cel:
- expressions:
- - expression: >-
- object.rules == null ||
- !object.rules.exists(rule,
- rule.resources.exists(resource, resource == 'nodes/proxy') &&
- rule.apiGroups.exists(apiGroup, apiGroup == ''))
- message: "A ClusterRole containing the nodes/proxy resource is not allowed."
-
diff --git a/other-cel/restrict-controlplane-scheduling/.chainsaw-test/chainsaw-test.yaml b/other-cel/restrict-controlplane-scheduling/.chainsaw-test/chainsaw-test.yaml
deleted file mode 100755
index 418a7bed3..000000000
--- a/other-cel/restrict-controlplane-scheduling/.chainsaw-test/chainsaw-test.yaml
+++ /dev/null
@@ -1,39 +0,0 @@
-# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
-apiVersion: chainsaw.kyverno.io/v1alpha1
-kind: Test
-metadata:
- creationTimestamp: null
- name: restrict-controlplane-scheduling
-spec:
- steps:
- - name: step-01
- try:
- - apply:
- file: ../restrict-controlplane-scheduling.yaml
- - patch:
- resource:
- apiVersion: kyverno.io/v1
- kind: ClusterPolicy
- metadata:
- name: restrict-controlplane-scheduling
- spec:
- validationFailureAction: Enforce
- - assert:
- file: policy-ready.yaml
- - name: step-02
- try:
- - apply:
- file: pod-good.yaml
- - apply:
- expect:
- - check:
- ($error != null): true
- file: pod-bad.yaml
- - apply:
- file: podcontroller-good.yaml
- - apply:
- expect:
- - check:
- ($error != null): true
- file: podcontroller-bad.yaml
-
diff --git a/other-cel/restrict-controlplane-scheduling/.chainsaw-test/pod-bad.yaml b/other-cel/restrict-controlplane-scheduling/.chainsaw-test/pod-bad.yaml
deleted file mode 100644
index 901316bbf..000000000
--- a/other-cel/restrict-controlplane-scheduling/.chainsaw-test/pod-bad.yaml
+++ /dev/null
@@ -1,37 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
- name: badpod01
- labels:
- app: myapp
-spec:
- tolerations:
- - key: "foo-bar"
- operator: "Exists"
- effect: "NoSchedule"
- - key: "node-role.kubernetes.io/control-plane"
- operator: "Exists"
- effect: "NoSchedule"
- containers:
- - name: busybox
- image: ghcr.io/kyverno/test-busybox:1.35
----
-apiVersion: v1
-kind: Pod
-metadata:
- name: badpod02
- labels:
- app: myapp
-spec:
- tolerations:
- - key: "node-role.kubernetes.io/master"
- operator: "Exists"
- effect: "NoSchedule"
- - key: "foo"
- operator: "Equal"
- value: "bar"
- effect: "NoExecute"
- containers:
- - name: busybox
- image: ghcr.io/kyverno/test-busybox:1.35
-
diff --git a/other-cel/restrict-controlplane-scheduling/.chainsaw-test/pod-good.yaml b/other-cel/restrict-controlplane-scheduling/.chainsaw-test/pod-good.yaml
deleted file mode 100644
index 7c8c3631e..000000000
--- a/other-cel/restrict-controlplane-scheduling/.chainsaw-test/pod-good.yaml
+++ /dev/null
@@ -1,34 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
- name: goodpod01
- labels:
- app: myapp
-spec:
- tolerations:
- - key: "foo-bar"
- operator: "Exists"
- effect: "NoSchedule"
- containers:
- - name: busybox
- image: ghcr.io/kyverno/test-busybox:1.35
----
-apiVersion: v1
-kind: Pod
-metadata:
- name: goodpod02
- labels:
- app: myapp
-spec:
- tolerations:
- - key: "foo-bar"
- operator: "Exists"
- effect: "NoSchedule"
- - key: "node-role.kubernetes.io/foo-bar"
- operator: "Equal"
- value: "bar"
- effect: "NoExecute"
- containers:
- - name: busybox
- image: ghcr.io/kyverno/test-busybox:1.35
-
diff --git a/other-cel/restrict-controlplane-scheduling/.chainsaw-test/podcontroller-bad.yaml b/other-cel/restrict-controlplane-scheduling/.chainsaw-test/podcontroller-bad.yaml
deleted file mode 100644
index 1f0031330..000000000
--- a/other-cel/restrict-controlplane-scheduling/.chainsaw-test/podcontroller-bad.yaml
+++ /dev/null
@@ -1,47 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: baddeployment01
-spec:
- replicas: 1
- selector:
- matchLabels:
- foo: bar
- template:
- metadata:
- labels:
- foo: bar
- spec:
- tolerations:
- - key: "foo-bar"
- operator: "Exists"
- effect: "NoSchedule"
- - key: "node-role.kubernetes.io/control-plane"
- operator: "Exists"
- effect: "NoSchedule"
- containers:
- - name: busybox
- image: ghcr.io/kyverno/test-busybox:1.35
----
-apiVersion: batch/v1
-kind: CronJob
-metadata:
- name: badcronjob01
-spec:
- schedule: "*/1 * * * *"
- jobTemplate:
- spec:
- template:
- spec:
- tolerations:
- - key: "node-role.kubernetes.io/master"
- operator: "Exists"
- effect: "NoSchedule"
- - key: "foo-bar"
- operator: "Exists"
- effect: "NoSchedule"
- restartPolicy: OnFailure
- containers:
- - name: busybox
- image: ghcr.io/kyverno/test-busybox:1.35
-
diff --git a/other-cel/restrict-controlplane-scheduling/.chainsaw-test/podcontroller-good.yaml b/other-cel/restrict-controlplane-scheduling/.chainsaw-test/podcontroller-good.yaml
deleted file mode 100644
index 3cadca17c..000000000
--- a/other-cel/restrict-controlplane-scheduling/.chainsaw-test/podcontroller-good.yaml
+++ /dev/null
@@ -1,49 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: gooddeployment01
-spec:
- replicas: 1
- selector:
- matchLabels:
- foo: bar
- template:
- metadata:
- labels:
- foo: bar
- spec:
- tolerations:
- - key: "foo-bar"
- operator: "Exists"
- effect: "NoSchedule"
- - key: "node-role.kubernetes.io/foo-bar"
- operator: "Equal"
- value: "bar"
- effect: "NoExecute"
- containers:
- - name: busybox
- image: ghcr.io/kyverno/test-busybox:1.35
----
-apiVersion: batch/v1
-kind: CronJob
-metadata:
- name: goodcronjob01
-spec:
- schedule: "*/1 * * * *"
- jobTemplate:
- spec:
- template:
- spec:
- tolerations:
- - key: "node-role.kubernetes.io/foo-bar"
- operator: "Equal"
- value: "bar"
- effect: "NoExecute"
- - key: "foo-bar"
- operator: "Exists"
- effect: "NoSchedule"
- restartPolicy: OnFailure
- containers:
- - name: busybox
- image: ghcr.io/kyverno/test-busybox:1.35
-
diff --git a/other-cel/restrict-controlplane-scheduling/.chainsaw-test/policy-ready.yaml b/other-cel/restrict-controlplane-scheduling/.chainsaw-test/policy-ready.yaml
deleted file mode 100755
index 06a62838f..000000000
--- a/other-cel/restrict-controlplane-scheduling/.chainsaw-test/policy-ready.yaml
+++ /dev/null
@@ -1,11 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
- name: restrict-controlplane-scheduling
-status:
- conditions:
- - reason: Succeeded
- status: "True"
- type: Ready
-
-
diff --git a/other-cel/restrict-controlplane-scheduling/.kyverno-test/kyverno-test.yaml b/other-cel/restrict-controlplane-scheduling/.kyverno-test/kyverno-test.yaml
deleted file mode 100644
index 298a91b15..000000000
--- a/other-cel/restrict-controlplane-scheduling/.kyverno-test/kyverno-test.yaml
+++ /dev/null
@@ -1,24 +0,0 @@
-apiVersion: cli.kyverno.io/v1alpha1
-kind: Test
-metadata:
- name: restrict-controlplane-scheduling
-policies:
-- ../restrict-controlplane-scheduling.yaml
-resources:
-- resource.yaml
-results:
-- kind: Pod
- policy: restrict-controlplane-scheduling
- resources:
- - default/badpod01
- - default/badpod02
- result: fail
- rule: restrict-controlplane-scheduling-master
-- kind: Pod
- policy: restrict-controlplane-scheduling
- resources:
- - default/goodpod01
- - default/goodpod02
- result: pass
- rule: restrict-controlplane-scheduling-master
-
diff --git a/other-cel/restrict-controlplane-scheduling/.kyverno-test/resource.yaml b/other-cel/restrict-controlplane-scheduling/.kyverno-test/resource.yaml
deleted file mode 100644
index 56f1d6e43..000000000
--- a/other-cel/restrict-controlplane-scheduling/.kyverno-test/resource.yaml
+++ /dev/null
@@ -1,69 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
- name: badpod01
- labels:
- app: myapp
-spec:
- tolerations:
- - effect: NoSchedule
- key: node-role.kubernetes.io/master
- nodeSelector:
- kubernetes.io/hostname: minikube
- containers:
- - image: nginx
- name: pod
- restartPolicy: Always
-
----
-apiVersion: v1
-kind: Pod
-metadata:
- name: badpod02
- labels:
- app: myapp
-spec:
- tolerations:
- - effect: NoSchedule
- key: node-role.kubernetes.io/control-plane
- nodeSelector:
- kubernetes.io/hostname: minikube
- containers:
- - image: nginx
- name: pod
- restartPolicy: Always
----
-apiVersion: v1
-kind: Pod
-metadata:
- name: goodpod01
- labels:
- app: myapp
-spec:
- tolerations:
- - key: "foo-bar"
- operator: "Exists"
- effect: "NoSchedule"
- containers:
- - name: busybox
- image: busybox:1.35
----
-apiVersion: v1
-kind: Pod
-metadata:
- name: goodpod02
- labels:
- app: myapp
-spec:
- tolerations:
- - key: "foo-bar"
- operator: "Exists"
- effect: "NoSchedule"
- - key: "node-role.kubernetes.io/foo-bar"
- operator: "Equal"
- value: "bar"
- effect: "NoExecute"
- containers:
- - name: busybox
- image: busybox:1.35
-
diff --git a/other-cel/restrict-controlplane-scheduling/artifacthub-pkg.yml b/other-cel/restrict-controlplane-scheduling/artifacthub-pkg.yml
deleted file mode 100644
index a8da31fe7..000000000
--- a/other-cel/restrict-controlplane-scheduling/artifacthub-pkg.yml
+++ /dev/null
@@ -1,24 +0,0 @@
-name: restrict-controlplane-scheduling-cel
-version: 1.0.0
-displayName: Restrict control plane scheduling in CEL expressions
-description: >-
- Scheduling non-system Pods to control plane nodes (which run kubelet) is often undesirable because it takes away resources from the control plane components and can represent a possible security threat vector. This policy prevents users from setting a toleration in a Pod spec which allows running on control plane nodes with the taint key `node-role.kubernetes.io/master`.
-install: |-
- ```shell
- kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other-cel/restrict-controlplane-scheduling/restrict-controlplane-scheduling.yaml
- ```
-keywords:
- - kyverno
- - Sample
- - CEL Expressions
-readme: |
- Scheduling non-system Pods to control plane nodes (which run kubelet) is often undesirable because it takes away resources from the control plane components and can represent a possible security threat vector. This policy prevents users from setting a toleration in a Pod spec which allows running on control plane nodes with the taint key `node-role.kubernetes.io/master`.
-
- Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/
-annotations:
- kyverno/category: "Sample in CEL"
- kyverno/kubernetesVersion: "1.26-1.27"
- kyverno/subject: "Pod"
-digest: e170af87f00d51c0a020dc88bf48c1aa1c213f7890f517dbeb898c9456722a46
-createdAt: "2024-04-13T16:19:01Z"
-
diff --git a/other-cel/restrict-controlplane-scheduling/restrict-controlplane-scheduling.yaml b/other-cel/restrict-controlplane-scheduling/restrict-controlplane-scheduling.yaml
deleted file mode 100644
index 058c1e252..000000000
--- a/other-cel/restrict-controlplane-scheduling/restrict-controlplane-scheduling.yaml
+++ /dev/null
@@ -1,37 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
- name: restrict-controlplane-scheduling
- annotations:
- policies.kyverno.io/title: Restrict control plane scheduling in CEL expressions
- policies.kyverno.io/category: Sample in CEL
- policies.kyverno.io/subject: Pod
- policies.kyverno.io/minversion: 1.11.0
- kyverno.io/kubernetes-version: "1.26-1.27"
- policies.kyverno.io/description: >-
- Scheduling non-system Pods to control plane nodes (which run kubelet) is often undesirable
- because it takes away resources from the control plane components and can represent
- a possible security threat vector. This policy prevents users from setting a toleration
- in a Pod spec which allows running on control plane nodes
- with the taint key `node-role.kubernetes.io/master`.
-spec:
- validationFailureAction: Audit
- background: true
- rules:
- - name: restrict-controlplane-scheduling-master
- match:
- any:
- - resources:
- kinds:
- - Pod
- operations:
- - CREATE
- - UPDATE
- validate:
- cel:
- expressions:
- - expression: >-
- !has(object.spec.tolerations) ||
- !object.spec.tolerations.exists(toleration, toleration.?key.orValue('') in ['node-role.kubernetes.io/master', 'node-role.kubernetes.io/control-plane'])
- message: Pods may not use tolerations which schedule on control plane nodes.
-
diff --git a/other-cel/restrict-deprecated-registry/.chainsaw-test/chainsaw-test.yaml b/other-cel/restrict-deprecated-registry/.chainsaw-test/chainsaw-test.yaml
deleted file mode 100755
index 55da6024c..000000000
--- a/other-cel/restrict-deprecated-registry/.chainsaw-test/chainsaw-test.yaml
+++ /dev/null
@@ -1,35 +0,0 @@
-# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
-apiVersion: chainsaw.kyverno.io/v1alpha1
-kind: Test
-metadata:
- creationTimestamp: null
- name: restrict-deprecated-registry
-spec:
- # disable templating because it can cause issues with CEL expressions
- template: false
- steps:
- - name: step-01
- try:
- - apply:
- file: ../restrict-deprecated-registry.yaml
- - apply:
- file: ns.yaml
- - assert:
- file: policy-ready.yaml
- - name: step-02
- try:
- - apply:
- file: pod-good.yaml
- - apply:
- expect:
- - check:
- ($error != null): true
- file: pod-bad.yaml
- - apply:
- file: podcontroller-good.yaml
- - apply:
- expect:
- - check:
- ($error != null): true
- file: podcontroller-bad.yaml
-
diff --git a/other-cel/restrict-deprecated-registry/.chainsaw-test/ns.yaml b/other-cel/restrict-deprecated-registry/.chainsaw-test/ns.yaml
deleted file mode 100644
index 2d9245781..000000000
--- a/other-cel/restrict-deprecated-registry/.chainsaw-test/ns.yaml
+++ /dev/null
@@ -1,5 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
- name: dep-registry-ns
-
diff --git a/other-cel/restrict-deprecated-registry/.chainsaw-test/pod-bad.yaml b/other-cel/restrict-deprecated-registry/.chainsaw-test/pod-bad.yaml
deleted file mode 100644
index e4bf60b12..000000000
--- a/other-cel/restrict-deprecated-registry/.chainsaw-test/pod-bad.yaml
+++ /dev/null
@@ -1,57 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
- name: badpod01
-spec:
- containers:
- - name: busybox
- image: k8s.gcr.io/busybox:1.35
----
-apiVersion: v1
-kind: Pod
-metadata:
- name: badpod02
-spec:
- initContainers:
- - name: busybox-init
- image: k8s.gcr.io/busybox:1.35
- - name: busybox-init-again
- image: foo.gcr.io/busybox:1.35
- containers:
- - name: busybox
- image: ghcr.io/kyverno/test-busybox:1.35
- - name: busybox02
- image: docker.io/busybox:1.35
----
-apiVersion: v1
-kind: Pod
-metadata:
- name: badpod03
-spec:
- initContainers:
- - name: busybox-init
- image: ghcr.io/kyverno/test-busybox:1.35
- - name: busybox-init-again
- image: foo.gcr.io/busybox:1.35
- containers:
- - name: busybox
- image: k8s.gcr.io/busybox:1.35
- - name: busybox02
- image: docker.io/busybox:1.35
----
-apiVersion: v1
-kind: Pod
-metadata:
- name: badpod04
-spec:
- initContainers:
- - name: busybox-init
- image: docker.io/busybox:1.35
- - name: busybox-init-again
- image: ghcr.io/kyverno/test-busybox:1.35
- containers:
- - name: busybox
- image: registry.k8s.io/busybox:1.35
- - name: busybox02
- image: k8s.gcr.io/busybox:1.35
-
diff --git a/other-cel/restrict-deprecated-registry/.chainsaw-test/pod-good.yaml b/other-cel/restrict-deprecated-registry/.chainsaw-test/pod-good.yaml
deleted file mode 100644
index 65b1e4ffb..000000000
--- a/other-cel/restrict-deprecated-registry/.chainsaw-test/pod-good.yaml
+++ /dev/null
@@ -1,27 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
- name: goodpod01
- namespace: dep-registry-ns
-spec:
- containers:
- - name: busybox
- image: ghcr.io/kyverno/test-busybox:1.35
----
-apiVersion: v1
-kind: Pod
-metadata:
- name: goodpod02
- namespace: dep-registry-ns
-spec:
- initContainers:
- - name: busybox-init
- image: ghcr.io/busybox:1.35
- - name: busybox-init-again
- image: registry.k8s.io/busybox:1.35
- containers:
- - name: busybox
- image: ghcr.io/kyverno/test-busybox:1.35
- - name: busybox02
- image: docker.io/busybox:1.35
-
diff --git a/other-cel/restrict-deprecated-registry/.chainsaw-test/podcontroller-bad.yaml b/other-cel/restrict-deprecated-registry/.chainsaw-test/podcontroller-bad.yaml
deleted file mode 100644
index 3e31a9c90..000000000
--- a/other-cel/restrict-deprecated-registry/.chainsaw-test/podcontroller-bad.yaml
+++ /dev/null
@@ -1,49 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: baddeployment01
- namespace: dep-registry-ns
-spec:
- replicas: 1
- selector:
- matchLabels:
- foo: bar
- template:
- metadata:
- labels:
- foo: bar
- spec:
- initContainers:
- - name: busybox-init
- image: ghcr.io/busybox:1.35
- - name: busybox-init-again
- image: registry.k8s.io/busybox:1.35
- containers:
- - name: busybox
- image: k8s.gcr.io/busybox:1.35
- - name: busybox02
- image: docker.io/busybox:1.35
----
-apiVersion: batch/v1
-kind: CronJob
-metadata:
- name: badcronjob01
- namespace: dep-registry-ns
-spec:
- schedule: "*/1 * * * *"
- jobTemplate:
- spec:
- template:
- spec:
- restartPolicy: OnFailure
- initContainers:
- - name: busybox-init
- image: k8s.gcr.io/busybox:1.35
- - name: busybox-init-again
- image: registry.k8s.io/busybox:1.35
- containers:
- - name: busybox
- image: ghcr.io/kyverno/test-busybox:1.35
- - name: busybox02
- image: docker.io/busybox:1.35
-
diff --git a/other-cel/restrict-deprecated-registry/.chainsaw-test/podcontroller-good.yaml b/other-cel/restrict-deprecated-registry/.chainsaw-test/podcontroller-good.yaml
deleted file mode 100644
index 578157020..000000000
--- a/other-cel/restrict-deprecated-registry/.chainsaw-test/podcontroller-good.yaml
+++ /dev/null
@@ -1,49 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: gooddeployment01
- namespace: dep-registry-ns
-spec:
- replicas: 1
- selector:
- matchLabels:
- foo: bar
- template:
- metadata:
- labels:
- foo: bar
- spec:
- initContainers:
- - name: busybox-init
- image: ghcr.io/busybox:1.35
- - name: busybox-init-again
- image: registry.k8s.io/busybox:1.35
- containers:
- - name: busybox
- image: ghcr.io/kyverno/test-busybox:1.35
- - name: busybox02
- image: docker.io/busybox:1.35
----
-apiVersion: batch/v1
-kind: CronJob
-metadata:
- name: goodcronjob01
- namespace: dep-registry-ns
-spec:
- schedule: "*/1 * * * *"
- jobTemplate:
- spec:
- template:
- spec:
- restartPolicy: OnFailure
- initContainers:
- - name: busybox-init
- image: ghcr.io/busybox:1.35
- - name: busybox-init-again
- image: registry.k8s.io/busybox:1.35
- containers:
- - name: busybox
- image: ghcr.io/kyverno/test-busybox:1.35
- - name: busybox02
- image: docker.io/busybox:1.35
-
diff --git a/other-cel/restrict-deprecated-registry/.chainsaw-test/policy-ready.yaml b/other-cel/restrict-deprecated-registry/.chainsaw-test/policy-ready.yaml
deleted file mode 100644
index 83406554a..000000000
--- a/other-cel/restrict-deprecated-registry/.chainsaw-test/policy-ready.yaml
+++ /dev/null
@@ -1,11 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
- name: restrict-deprecated-registry
-status:
- conditions:
- - reason: Succeeded
- status: "True"
- type: Ready
-
-
diff --git a/other-cel/restrict-deprecated-registry/.kyverno-test/kyverno-test.yaml b/other-cel/restrict-deprecated-registry/.kyverno-test/kyverno-test.yaml
deleted file mode 100644
index 8fff95200..000000000
--- a/other-cel/restrict-deprecated-registry/.kyverno-test/kyverno-test.yaml
+++ /dev/null
@@ -1,22 +0,0 @@
-apiVersion: cli.kyverno.io/v1alpha1
-kind: Test
-metadata:
- name: restrict-deprecated-registry
-policies:
-- ../restrict-deprecated-registry.yaml
-resources:
-- resource.yaml
-results:
-- kind: Pod
- policy: restrict-deprecated-registry
- resources:
- - policy-test/test-pod-bad
- result: fail
- rule: restrict-deprecated-registry
-- kind: Pod
- policy: restrict-deprecated-registry
- resources:
- - policy-test/test-pod-good
- result: pass
- rule: restrict-deprecated-registry
-
diff --git a/other-cel/restrict-deprecated-registry/.kyverno-test/resource.yaml b/other-cel/restrict-deprecated-registry/.kyverno-test/resource.yaml
deleted file mode 100644
index c7b8143a4..000000000
--- a/other-cel/restrict-deprecated-registry/.kyverno-test/resource.yaml
+++ /dev/null
@@ -1,44 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
- name: test-pod-bad
- namespace: policy-test
- labels:
- app: test
-spec:
- containers:
- - name: test
- image: k8s.gcr.io/google-containers/pause:3.2
- imagePullPolicy: Always
- securityContext:
- allowPrivilegeEscalation: false
- runAsUser: 1000
- readOnlyRootFilesystem: true
- runAsNonRoot: true
- capabilities:
- drop: ["ALL"]
- seccompProfile:
- type: "RuntimeDefault"
----
-apiVersion: v1
-kind: Pod
-metadata:
- name: test-pod-good
- namespace: policy-test
- labels:
- app: test
-spec:
- containers:
- - name: test
- image: registry.k8s.io/google-containers/pause:3.2
- imagePullPolicy: Always
- securityContext:
- allowPrivilegeEscalation: false
- runAsUser: 1000
- readOnlyRootFilesystem: true
- runAsNonRoot: true
- capabilities:
- drop: ["ALL"]
- seccompProfile:
- type: "RuntimeDefault"
-
diff --git a/other-cel/restrict-deprecated-registry/artifacthub-pkg.yml b/other-cel/restrict-deprecated-registry/artifacthub-pkg.yml
deleted file mode 100644
index 87c07d1d4..000000000
--- a/other-cel/restrict-deprecated-registry/artifacthub-pkg.yml
+++ /dev/null
@@ -1,25 +0,0 @@
-name: restrict-deprecated-registry-cel
-version: 1.0.0
-displayName: Restrict Deprecated Registry in CEL expressions
-description: >-
- Legacy k8s.gcr.io container image registry will be frozen in early April 2023 k8s.gcr.io image registry will be frozen from the 3rd of April 2023. Images for Kubernetes 1.27 will not be available in the k8s.gcr.io image registry. Please read our announcement for more details. https://kubernetes.io/blog/2023/02/06/k8s-gcr-io-freeze-announcement/
-install: |-
- ```shell
- kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other-cel/restrict-deprecated-registry/restrict-deprecated-registry.yaml
- ```
-keywords:
- - kyverno
- - Best Practices
- - EKS Best Practices
- - CEL Expressions
-readme: |
- Legacy k8s.gcr.io container image registry will be frozen in early April 2023 k8s.gcr.io image registry will be frozen from the 3rd of April 2023. Images for Kubernetes 1.27 will not be available in the k8s.gcr.io image registry. Please read our announcement for more details. https://kubernetes.io/blog/2023/02/06/k8s-gcr-io-freeze-announcement/
-
- Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/
-annotations:
- kyverno/category: "Best Practices, EKS Best Practices in CEL"
- kyverno/kubernetesVersion: "1.27-1.28"
- kyverno/subject: "Pod"
-digest: 467f0243c9c131c5328e87edcd39a3f2831d3adc2ec5037c547a053ba304f6ee
-createdAt: "2024-04-13T16:21:40Z"
-
diff --git a/other-cel/restrict-deprecated-registry/restrict-deprecated-registry.yaml b/other-cel/restrict-deprecated-registry/restrict-deprecated-registry.yaml
deleted file mode 100644
index 218cb3781..000000000
--- a/other-cel/restrict-deprecated-registry/restrict-deprecated-registry.yaml
+++ /dev/null
@@ -1,39 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
- name: restrict-deprecated-registry
- annotations:
- policies.kyverno.io/title: Restrict Deprecated Registry in CEL expressions
- policies.kyverno.io/category: Best Practices, EKS Best Practices in CEL
- policies.kyverno.io/severity: high
- policies.kyverno.io/minversion: 1.11.0
- kyverno.io/kubernetes-version: "1.27-1.28"
- policies.kyverno.io/subject: Pod
- policies.kyverno.io/description: >-
- Legacy k8s.gcr.io container image registry will be frozen in early April 2023
- k8s.gcr.io image registry will be frozen from the 3rd of April 2023.
- Images for Kubernetes 1.27 will not be available in the k8s.gcr.io image registry.
- Please read our announcement for more details.
- https://kubernetes.io/blog/2023/02/06/k8s-gcr-io-freeze-announcement/
-spec:
- validationFailureAction: Enforce
- background: true
- rules:
- - name: restrict-deprecated-registry
- match:
- any:
- - resources:
- kinds:
- - Pod
- operations:
- - CREATE
- - UPDATE
- validate:
- cel:
- variables:
- - name: allContainers
- expression: "object.spec.containers + object.spec.?initContainers.orValue([]) + object.spec.?ephemeralContainers.orValue([])"
- expressions:
- - expression: "variables.allContainers.all(container, !container.image.startsWith('k8s.gcr.io/'))"
- message: "The \"k8s.gcr.io\" image registry is deprecated. \"registry.k8s.io\" should now be used."
-
diff --git a/other-cel/restrict-edit-for-endpoints/artifacthub-pkg.yml b/other-cel/restrict-edit-for-endpoints/artifacthub-pkg.yml
deleted file mode 100644
index fb9ab8d60..000000000
--- a/other-cel/restrict-edit-for-endpoints/artifacthub-pkg.yml
+++ /dev/null
@@ -1,23 +0,0 @@
-name: restrict-edit-for-endpoints-cel
-version: 1.0.0
-displayName: Restrict Edit for Endpoints CVE-2021-25740 in CEL expressions
-description: >-
- Clusters not initially installed with Kubernetes 1.22 may be vulnerable to an issue defined in CVE-2021-25740 which could enable users to send network traffic to locations they would otherwise not have access to via a confused deputy attack. This was due to the system:aggregate-to-edit ClusterRole having edit permission of Endpoints. This policy, intended to run in background mode, checks if your cluster is vulnerable to CVE-2021-25740 by ensuring the system:aggregate-to-edit ClusterRole does not have the edit permission of Endpoints.
-install: |-
- ```shell
- kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other-cel/restrict-edit-for-endpoints/restrict-edit-for-endpoints.yaml
- ```
-keywords:
- - kyverno
- - Security
- - CEL Expressions
-readme: |
- Clusters not initially installed with Kubernetes 1.22 may be vulnerable to an issue defined in CVE-2021-25740 which could enable users to send network traffic to locations they would otherwise not have access to via a confused deputy attack. This was due to the system:aggregate-to-edit ClusterRole having edit permission of Endpoints. This policy, intended to run in background mode, checks if your cluster is vulnerable to CVE-2021-25740 by ensuring the system:aggregate-to-edit ClusterRole does not have the edit permission of Endpoints.
-
- Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/
-annotations:
- kyverno/category: "Security in CEL"
- kyverno/kubernetesVersion: "1.26-1.27"
- kyverno/subject: "ClusterRole"
-digest: 1744f09b521d94f2d72bd0d7f50986ccd07cc90a9f66dbbdbaa985ca8c8e5b7e
-createdAt: "2024-05-19T14:59:05Z"
diff --git a/other-cel/restrict-edit-for-endpoints/restrict-edit-for-endpoints.yaml b/other-cel/restrict-edit-for-endpoints/restrict-edit-for-endpoints.yaml
deleted file mode 100644
index f1539a014..000000000
--- a/other-cel/restrict-edit-for-endpoints/restrict-edit-for-endpoints.yaml
+++ /dev/null
@@ -1,39 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
- name: restrict-edit-for-endpoints
- annotations:
- policies.kyverno.io/title: Restrict Edit for Endpoints CVE-2021-25740 in CEL expressions
- policies.kyverno.io/category: Security in CEL
- policies.kyverno.io/severity: low
- policies.kyverno.io/subject: ClusterRole
- kyverno.io/kyverno-version: 1.11.0
- kyverno.io/kubernetes-version: "1.26-1.27"
- policies.kyverno.io/description: >-
- Clusters not initially installed with Kubernetes 1.22 may be vulnerable to an issue
- defined in CVE-2021-25740 which could enable users to send network traffic to locations
- they would otherwise not have access to via a confused deputy attack. This was due to
- the system:aggregate-to-edit ClusterRole having edit permission of Endpoints.
- This policy, intended to run in background mode, checks if your cluster is vulnerable
- to CVE-2021-25740 by ensuring the system:aggregate-to-edit ClusterRole does not have
- the edit permission of Endpoints.
-spec:
- validationFailureAction: Audit
- background: true
- rules:
- - name: system-aggregate-to-edit-check
- match:
- any:
- - resources:
- kinds:
- - ClusterRole
- names:
- - system:aggregate-to-edit
- validate:
- cel:
- expressions:
- - expression: "!object.rules.exists(rule, 'endpoints' in rule.resources && 'edit' in rule.verbs)"
- message: >-
- This cluster may still be vulnerable to CVE-2021-25740. The system:aggregate-to-edit ClusterRole
- should not have edit permission over Endpoints.
-
diff --git a/other-cel/restrict-escalation-verbs-roles/.chainsaw-test/chainsaw-test.yaml b/other-cel/restrict-escalation-verbs-roles/.chainsaw-test/chainsaw-test.yaml
deleted file mode 100755
index bc6cef1cd..000000000
--- a/other-cel/restrict-escalation-verbs-roles/.chainsaw-test/chainsaw-test.yaml
+++ /dev/null
@@ -1,39 +0,0 @@
-# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
-apiVersion: chainsaw.kyverno.io/v1alpha1
-kind: Test
-metadata:
- creationTimestamp: null
- name: restrict-escalation-verbs-roles
-spec:
- steps:
- - name: step-01
- try:
- - apply:
- file: ../restrict-escalation-verbs-roles.yaml
- - patch:
- resource:
- apiVersion: kyverno.io/v1
- kind: ClusterPolicy
- metadata:
- name: restrict-escalation-verbs-roles
- spec:
- validationFailureAction: Enforce
- - assert:
- file: policy-ready.yaml
- - name: step-02
- try:
- - apply:
- file: cr-good.yaml
- - apply:
- expect:
- - check:
- ($error != null): true
- file: cr-bad.yaml
- - apply:
- file: role-good.yaml
- - apply:
- expect:
- - check:
- ($error != null): true
- file: role-bad.yaml
-
diff --git a/other-cel/restrict-escalation-verbs-roles/.chainsaw-test/cr-bad.yaml b/other-cel/restrict-escalation-verbs-roles/.chainsaw-test/cr-bad.yaml
deleted file mode 100644
index d9660e25b..000000000
--- a/other-cel/restrict-escalation-verbs-roles/.chainsaw-test/cr-bad.yaml
+++ /dev/null
@@ -1,55 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: badcr01
-rules:
-- apiGroups: [""]
- resources: ["pods", "namespaces"]
- verbs: ["get", "watch", "list"]
-- apiGroups: ["rbac.authorization.k8s.io", "apps"]
- resources: ["deployments", "roles"]
- verbs: ["bind", "watch", "list"]
-- apiGroups: ["rbac.authorization.k8s.io"]
- resources: ["clusterroles"]
- verbs: ["update", "watch", "list"]
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: badcr02
-rules:
-- apiGroups: [""]
- resources: ["pods", "namespaces"]
- verbs: ["get", "watch", "list"]
-- apiGroups: ["rbac.authorization.k8s.io", "apps"]
- resources: ["deployments", "roles"]
- verbs: ["get", "watch", "list"]
-- apiGroups: ["batches", "rbac.authorization.k8s.io"]
- resources: ["clusterroles"]
- verbs: ["update", "escalate", "list"]
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: badcr03
-rules:
-- apiGroups: ["rbac.authorization.k8s.io", "apps"]
- resources: ["deployments", "roles"]
- verbs: ["get", "watch", "bind"]
-- apiGroups: [""]
- resources: ["pods", "namespaces"]
- verbs: ["get", "watch", "list"]
-- apiGroups: ["batches", "rbac.authorization.k8s.io"]
- resources: ["clusterroles"]
- verbs: ["get", "watch", "list"]
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: badcr04
-rules:
-- apiGroups: ["*"]
- resources: ["*"]
- verbs: ["*"]
-
-
\ No newline at end of file
diff --git a/other-cel/restrict-escalation-verbs-roles/.chainsaw-test/cr-good.yaml b/other-cel/restrict-escalation-verbs-roles/.chainsaw-test/cr-good.yaml
deleted file mode 100644
index 01050774c..000000000
--- a/other-cel/restrict-escalation-verbs-roles/.chainsaw-test/cr-good.yaml
+++ /dev/null
@@ -1,35 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: goodcr01
-rules:
-- apiGroups: [""]
- resources: ["pods", "namespaces"]
- verbs: ["get", "watch", "list"]
-- apiGroups: ["rbac.authorization.k8s.io", "apps"]
- resources: ["deployments", "roles"]
- verbs: ["get", "watch", "list"]
-- apiGroups: ["rbac.authorization.k8s.io"]
- resources: ["clusterroles"]
- verbs: ["update", "watch", "list"]
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: goodcr02
-rules:
-- apiGroups: [""]
- resources: ["pods", "namespaces"]
- verbs: ["get", "watch", "list"]
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: empty-rules
-rules:
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: omitted-rules
----
diff --git a/other-cel/restrict-escalation-verbs-roles/.chainsaw-test/policy-ready.yaml b/other-cel/restrict-escalation-verbs-roles/.chainsaw-test/policy-ready.yaml
deleted file mode 100755
index f0dabb37a..000000000
--- a/other-cel/restrict-escalation-verbs-roles/.chainsaw-test/policy-ready.yaml
+++ /dev/null
@@ -1,11 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
- name: restrict-escalation-verbs-roles
-status:
- conditions:
- - reason: Succeeded
- status: "True"
- type: Ready
-
-
diff --git a/other-cel/restrict-escalation-verbs-roles/.chainsaw-test/role-bad.yaml b/other-cel/restrict-escalation-verbs-roles/.chainsaw-test/role-bad.yaml
deleted file mode 100644
index 4bf731aef..000000000
--- a/other-cel/restrict-escalation-verbs-roles/.chainsaw-test/role-bad.yaml
+++ /dev/null
@@ -1,45 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
- name: badrole01
-rules:
-- apiGroups: [""]
- resources: ["pods", "namespaces"]
- verbs: ["get", "watch", "list"]
-- apiGroups: ["rbac.authorization.k8s.io", "apps"]
- resources: ["deployments", "roles"]
- verbs: ["bind", "watch", "list"]
-- apiGroups: ["rbac.authorization.k8s.io"]
- resources: ["clusterroles"]
- verbs: ["update", "watch", "list"]
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
- name: badrole02
-rules:
-- apiGroups: [""]
- resources: ["pods", "namespaces"]
- verbs: ["get", "watch", "list"]
-- apiGroups: ["rbac.authorization.k8s.io", "apps"]
- resources: ["deployments", "roles"]
- verbs: ["get", "watch", "list"]
-- apiGroups: ["batches", "rbac.authorization.k8s.io"]
- resources: ["clusterroles"]
- verbs: ["update", "escalate", "list"]
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
- name: badrole03
-rules:
-- apiGroups: ["rbac.authorization.k8s.io", "apps"]
- resources: ["deployments", "roles"]
- verbs: ["get", "watch", "bind"]
-- apiGroups: [""]
- resources: ["pods", "namespaces"]
- verbs: ["get", "watch", "list"]
-- apiGroups: ["batches"]
- resources: ["jobs"]
- verbs: ["get", "watch", "list"]
-
diff --git a/other-cel/restrict-escalation-verbs-roles/.chainsaw-test/role-good.yaml b/other-cel/restrict-escalation-verbs-roles/.chainsaw-test/role-good.yaml
deleted file mode 100644
index a12463103..000000000
--- a/other-cel/restrict-escalation-verbs-roles/.chainsaw-test/role-good.yaml
+++ /dev/null
@@ -1,35 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
- name: goodrole01
-rules:
-- apiGroups: [""]
- resources: ["pods", "namespaces"]
- verbs: ["get", "watch", "list"]
-- apiGroups: ["rbac.authorization.k8s.io", "apps"]
- resources: ["deployments", "roles"]
- verbs: ["get", "watch", "list"]
-- apiGroups: ["rbac.authorization.k8s.io"]
- resources: ["clusterroles"]
- verbs: ["update", "watch", "list"]
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
- name: goodrole02
-rules:
-- apiGroups: [""]
- resources: ["pods", "namespaces"]
- verbs: ["get", "watch", "list"]
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
- name: empty-rules
-rules:
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
- name: omitted-rules
----
diff --git a/other-cel/restrict-escalation-verbs-roles/.kyverno-test/kyverno-test.yaml b/other-cel/restrict-escalation-verbs-roles/.kyverno-test/kyverno-test.yaml
deleted file mode 100644
index ca7c0fea2..000000000
--- a/other-cel/restrict-escalation-verbs-roles/.kyverno-test/kyverno-test.yaml
+++ /dev/null
@@ -1,38 +0,0 @@
-apiVersion: cli.kyverno.io/v1alpha1
-kind: Test
-metadata:
- name: restrict-escalation-verbs-roles
-policies:
-- ../restrict-escalation-verbs-roles.yaml
-resources:
-- resource.yaml
-results:
-- kind: ClusterRole
- policy: restrict-escalation-verbs-roles
- resources:
- - badclusterrole01
- - badclusterrole02
- result: fail
- rule: escalate
-- kind: Role
- policy: restrict-escalation-verbs-roles
- resources:
- - badrole01
- result: fail
- rule: escalate
-- kind: ClusterRole
- policy: restrict-escalation-verbs-roles
- resources:
- - goodclusterrole01
- - goodclusterrole02
- - default-rules
- result: pass
- rule: escalate
-- kind: Role
- policy: restrict-escalation-verbs-roles
- resources:
- - goodrole01
- - default-rules
- result: pass
- rule: escalate
-
diff --git a/other-cel/restrict-escalation-verbs-roles/.kyverno-test/resource.yaml b/other-cel/restrict-escalation-verbs-roles/.kyverno-test/resource.yaml
deleted file mode 100644
index fcb657c25..000000000
--- a/other-cel/restrict-escalation-verbs-roles/.kyverno-test/resource.yaml
+++ /dev/null
@@ -1,145 +0,0 @@
-# Source: keda-base/charts/keda/templates/10-keda-clusterrole.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: goodclusterrole01
-rules:
-- apiGroups:
- - ""
- resources:
- - configmaps
- - configmaps/status
- - events
- verbs:
- - '*'
-- apiGroups:
- - ""
- resources:
- - external
- - pods
- - secrets
- - services
- verbs:
- - get
- - list
- - watch
-- apiGroups:
- - '*'
- resources:
- - '*'
- verbs:
- - get
-- apiGroups:
- - '*'
- resources:
- - '*/scale'
- verbs:
- - '*'
-- apiGroups:
- - apps
- resources:
- - deployments
- - statefulsets
- verbs:
- - list
- - watch
-- apiGroups:
- - batch
- resources:
- - jobs
- verbs:
- - '*'
-# Source: keda-base/charts/keda/templates/20-metrics-clusterrole.yaml
-- apiGroups:
- - external.metrics.k8s.io
- resources:
- - '*'
- verbs:
- - '*'
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: goodclusterrole02 # system:discovery
-rules:
-- nonResourceURLs:
- - /api
- - /api/*
- - /apis
- - /apis/*
- - /healthz
- - /livez
- - /openapi
- - /openapi/*
- - /readyz
- - /version
- - /version/
- verbs:
- - get
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: badclusterrole01
-rules:
-- apiGroups:
- - rbac.authorization.k8s.io
- resources:
- - clusterroles
- verbs:
- - escalate
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: badclusterrole02
-rules:
-- apiGroups:
- - '*'
- resources:
- - '*'
- verbs:
- - '*'
----
-# In the manifest, if the 'rules' field is not specified or is specified as 'rules: ' without a value,
-# it will be set to null by default when created in the cluster
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: default-rules
-rules: null
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
- name: goodrole01
-rules:
-- apiGroups:
- - ""
- resources:
- - configmaps
- - configmaps/status
- - events
- verbs:
- - '*'
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
- name: badrole01
-rules:
-- apiGroups:
- - rbac.authorization.k8s.io
- resources:
- - roles
- verbs:
- - impersonate
----
-# In the manifest, if the 'rules' field is not specified or is specified as 'rules: ' without a value,
-# it will be set to null by default when created in the cluster
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
- name: default-rules
-rules: null
----
diff --git a/other-cel/restrict-escalation-verbs-roles/artifacthub-pkg.yml b/other-cel/restrict-escalation-verbs-roles/artifacthub-pkg.yml
deleted file mode 100644
index 05f5dd53a..000000000
--- a/other-cel/restrict-escalation-verbs-roles/artifacthub-pkg.yml
+++ /dev/null
@@ -1,24 +0,0 @@
-name: restrict-escalation-verbs-roles-cel
-version: 1.0.0
-displayName: Restrict Escalation Verbs in Roles in CEL expressions
-description: >-
- The verbs `impersonate`, `bind`, and `escalate` may all potentially lead to privilege escalation and should be tightly controlled. This policy prevents use of these verbs in Role or ClusterRole resources.
-install: |-
- ```shell
- kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other-cel/restrict-escalation-verbs-roles/restrict-escalation-verbs-roles.yaml
- ```
-keywords:
- - kyverno
- - Security
- - CEL Expressions
-readme: |
- The verbs `impersonate`, `bind`, and `escalate` may all potentially lead to privilege escalation and should be tightly controlled. This policy prevents use of these verbs in Role or ClusterRole resources.
-
- Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/
-annotations:
- kyverno/category: "Security in CEL"
- kyverno/kubernetesVersion: "1.26-1.27"
- kyverno/subject: "Role, ClusterRole, RBAC"
-digest: 44c62b5989a9e99a591a95db11463125b7a8c0ad172e08881e527cebb3423293
-createdAt: "2024-04-14T15:40:58Z"
-
diff --git a/other-cel/restrict-escalation-verbs-roles/restrict-escalation-verbs-roles.yaml b/other-cel/restrict-escalation-verbs-roles/restrict-escalation-verbs-roles.yaml
deleted file mode 100644
index 3191b9904..000000000
--- a/other-cel/restrict-escalation-verbs-roles/restrict-escalation-verbs-roles.yaml
+++ /dev/null
@@ -1,48 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
- name: restrict-escalation-verbs-roles
- annotations:
- policies.kyverno.io/title: Restrict Escalation Verbs in Roles in CEL expressions
- policies.kyverno.io/category: Security in CEL
- policies.kyverno.io/severity: medium
- policies.kyverno.io/subject: Role, ClusterRole, RBAC
- kyverno.io/kyverno-version: 1.11.0
- policies.kyverno.io/minversion: 1.11.0
- kyverno.io/kubernetes-version: "1.26-1.27"
- policies.kyverno.io/description: >-
- The verbs `impersonate`, `bind`, and `escalate` may all potentially lead to
- privilege escalation and should be tightly controlled. This policy prevents
- use of these verbs in Role or ClusterRole resources.
-spec:
- validationFailureAction: Audit
- background: true
- rules:
- - name: escalate
- match:
- any:
- - resources:
- kinds:
- - Role
- - ClusterRole
- operations:
- - CREATE
- - UPDATE
- validate:
- cel:
- variables:
- - name: apiGroups
- expression: "['*', 'rbac.authorization.k8s.io']"
- - name: resources
- expression: "['*', 'clusterroles', 'roles']"
- - name: verbs
- expression: "['*', 'bind', 'escalate', 'impersonate']"
- expressions:
- - expression: >-
- object.rules == null ||
- !object.rules.exists(rule,
- rule.apiGroups.exists(apiGroup, apiGroup in variables.apiGroups) &&
- rule.resources.exists(resource, resource in variables.resources) &&
- rule.verbs.exists(verb, verb in variables.verbs))
- message: "Use of verbs `escalate`, `bind`, and `impersonate` are forbidden."
-
diff --git a/other-cel/restrict-ingress-classes/.chainsaw-test/chainsaw-test.yaml b/other-cel/restrict-ingress-classes/.chainsaw-test/chainsaw-test.yaml
deleted file mode 100755
index 0340a8cf3..000000000
--- a/other-cel/restrict-ingress-classes/.chainsaw-test/chainsaw-test.yaml
+++ /dev/null
@@ -1,32 +0,0 @@
-# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
-apiVersion: chainsaw.kyverno.io/v1alpha1
-kind: Test
-metadata:
- creationTimestamp: null
- name: restrict-ingress-classes
-spec:
- steps:
- - name: step-01
- try:
- - apply:
- file: ../restrict-ingress-classes.yaml
- - patch:
- resource:
- apiVersion: kyverno.io/v1
- kind: ClusterPolicy
- metadata:
- name: restrict-ingress-classes
- spec:
- validationFailureAction: Enforce
- - assert:
- file: policy-ready.yaml
- - name: step-02
- try:
- - apply:
- file: ingress-good.yaml
- - apply:
- expect:
- - check:
- ($error != null): true
- file: ingress-bad.yaml
-
diff --git a/other-cel/restrict-ingress-classes/.chainsaw-test/ingress-bad.yaml b/other-cel/restrict-ingress-classes/.chainsaw-test/ingress-bad.yaml
deleted file mode 100644
index bbacc6aa1..000000000
--- a/other-cel/restrict-ingress-classes/.chainsaw-test/ingress-bad.yaml
+++ /dev/null
@@ -1,39 +0,0 @@
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
- annotations:
- kyverno.io/foo: bar
- name: badingress01
-spec:
- rules:
- - host: endpoint01
- https:
- paths:
- - backend:
- service:
- name: demo-svc
- port:
- number: 8080
- path: /
- pathType: Prefix
----
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
- annotations:
- kubernetes.io/ingress.class: "foo"
- kyverno.io/foo: bar
- name: badingress02
-spec:
- rules:
- - host: endpoint01
- https:
- paths:
- - path: /testpath
- pathType: Prefix
- backend:
- service:
- name: test
- port:
- number: 80
-
diff --git a/other-cel/restrict-ingress-classes/.chainsaw-test/ingress-good.yaml b/other-cel/restrict-ingress-classes/.chainsaw-test/ingress-good.yaml
deleted file mode 100644
index 997bb6f42..000000000
--- a/other-cel/restrict-ingress-classes/.chainsaw-test/ingress-good.yaml
+++ /dev/null
@@ -1,40 +0,0 @@
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
- annotations:
- kyverno.io/foo: bar
- kubernetes.io/ingress.class: "HAProxy"
- name: goodingress01
-spec:
- rules:
- - host: endpoint01
- https:
- paths:
- - backend:
- service:
- name: demo-svc
- port:
- number: 8080
- path: /
- pathType: Prefix
----
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
- annotations:
- kubernetes.io/ingress.class: "nginx"
- kyverno.io/foo: bar
- name: goodingress02
-spec:
- rules:
- - host: endpoint01
- https:
- paths:
- - path: /testpath
- pathType: Prefix
- backend:
- service:
- name: test
- port:
- number: 80
-
diff --git a/other-cel/restrict-ingress-classes/.chainsaw-test/policy-ready.yaml b/other-cel/restrict-ingress-classes/.chainsaw-test/policy-ready.yaml
deleted file mode 100755
index 63621d2a2..000000000
--- a/other-cel/restrict-ingress-classes/.chainsaw-test/policy-ready.yaml
+++ /dev/null
@@ -1,11 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
- name: restrict-ingress-classes
-status:
- conditions:
- - reason: Succeeded
- status: "True"
- type: Ready
-
-
diff --git a/other-cel/restrict-ingress-classes/.kyverno-test/kyverno-test.yaml b/other-cel/restrict-ingress-classes/.kyverno-test/kyverno-test.yaml
deleted file mode 100644
index 830762887..000000000
--- a/other-cel/restrict-ingress-classes/.kyverno-test/kyverno-test.yaml
+++ /dev/null
@@ -1,22 +0,0 @@
-apiVersion: cli.kyverno.io/v1alpha1
-kind: Test
-metadata:
- name: restrict-ingress-classes
-policies:
-- ../restrict-ingress-classes.yaml
-resources:
-- resource.yaml
-results:
-- kind: Ingress
- policy: restrict-ingress-classes
- resources:
- - default/minimal-ingress-2
- result: fail
- rule: validate-ingress
-- kind: Ingress
- policy: restrict-ingress-classes
- resources:
- - default/minimal-ingress-1
- result: pass
- rule: validate-ingress
-
diff --git a/other-cel/restrict-ingress-classes/.kyverno-test/resource.yaml b/other-cel/restrict-ingress-classes/.kyverno-test/resource.yaml
deleted file mode 100644
index ccb97ba46..000000000
--- a/other-cel/restrict-ingress-classes/.kyverno-test/resource.yaml
+++ /dev/null
@@ -1,38 +0,0 @@
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
- name: minimal-ingress-1
- annotations:
- kubernetes.io/ingress.class: "HAProxy"
- nginx.ingress.kubernetes.io/rewrite-target: /
-spec:
- rules:
- - http:
- paths:
- - path: /testpath
- pathType: Prefix
- backend:
- service:
- name: test
- port:
- number: 80
-
----
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
- name: minimal-ingress-2
- annotations:
- nginx.ingress.kubernetes.io/rewrite-target: /
-spec:
- rules:
- - http:
- paths:
- - path: /testpath
- pathType: Prefix
- backend:
- service:
- name: test
- port:
- number: 80
-
diff --git a/other-cel/restrict-ingress-classes/artifacthub-pkg.yml b/other-cel/restrict-ingress-classes/artifacthub-pkg.yml
deleted file mode 100644
index 2d9abc2fd..000000000
--- a/other-cel/restrict-ingress-classes/artifacthub-pkg.yml
+++ /dev/null
@@ -1,24 +0,0 @@
-name: restrict-ingress-classes-cel
-version: 1.0.0
-displayName: Restrict Ingress Classes in CEL expressions
-description: >-
- Ingress classes should only be allowed which match up to deployed Ingress controllers in the cluster. Allowing users to define classes which cannot be satisfied by a deployed Ingress controller can result in either no or undesired functionality. This policy checks Ingress resources and only allows those which define `HAProxy` or `nginx` in the respective annotation. This annotation has largely been replaced as of Kubernetes 1.18 with the IngressClass resource.
-install: |-
- ```shell
- kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other-cel/restrict-ingress-classes/restrict-ingress-classes.yaml
- ```
-keywords:
- - kyverno
- - Sample
- - CEL Expressions
-readme: |
- Ingress classes should only be allowed which match up to deployed Ingress controllers in the cluster. Allowing users to define classes which cannot be satisfied by a deployed Ingress controller can result in either no or undesired functionality. This policy checks Ingress resources and only allows those which define `HAProxy` or `nginx` in the respective annotation. This annotation has largely been replaced as of Kubernetes 1.18 with the IngressClass resource.
-
- Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/
-annotations:
- kyverno/category: "Sample in CEL"
- kyverno/kubernetesVersion: "1.26-1.27"
- kyverno/subject: "Ingress"
-digest: 669b46277fefe37d17931a7c5ef66ab297dbe9c7881390ad7f0b75c8891ac303
-createdAt: "2024-04-14T15:43:33Z"
-
diff --git a/other-cel/restrict-ingress-classes/restrict-ingress-classes.yaml b/other-cel/restrict-ingress-classes/restrict-ingress-classes.yaml
deleted file mode 100644
index 73ad00fc2..000000000
--- a/other-cel/restrict-ingress-classes/restrict-ingress-classes.yaml
+++ /dev/null
@@ -1,38 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
- name: restrict-ingress-classes
- annotations:
- policies.kyverno.io/title: Restrict Ingress Classes in CEL expressions
- policies.kyverno.io/category: Sample in CEL
- policies.kyverno.io/severity: medium
- policies.kyverno.io/subject: Ingress
- policies.kyverno.io/minversion: 1.11.0
- kyverno.io/kubernetes-version: "1.26-1.27"
- policies.kyverno.io/description: >-
- Ingress classes should only be allowed which match up to deployed Ingress controllers
- in the cluster. Allowing users to define classes which cannot be satisfied by a deployed
- Ingress controller can result in either no or undesired functionality. This policy checks
- Ingress resources and only allows those which define `HAProxy` or `nginx` in the respective
- annotation. This annotation has largely been replaced as of Kubernetes 1.18 with the IngressClass
- resource.
-spec:
- validationFailureAction: Audit
- background: true
- rules:
- - name: validate-ingress
- match:
- any:
- - resources:
- kinds:
- - Ingress
- operations:
- - CREATE
- - UPDATE
- validate:
- cel:
- expressions:
- - expression: >-
- object.metadata.?annotations[?'kubernetes.io/ingress.class'].orValue('') in ['HAProxy', 'nginx']
- message: "Unknown ingress class."
-
diff --git a/other-cel/restrict-ingress-defaultbackend/.chainsaw-test/chainsaw-test.yaml b/other-cel/restrict-ingress-defaultbackend/.chainsaw-test/chainsaw-test.yaml
deleted file mode 100755
index 838fbc640..000000000
--- a/other-cel/restrict-ingress-defaultbackend/.chainsaw-test/chainsaw-test.yaml
+++ /dev/null
@@ -1,32 +0,0 @@
-# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
-apiVersion: chainsaw.kyverno.io/v1alpha1
-kind: Test
-metadata:
- creationTimestamp: null
- name: restrict-ingress-defaultbackend
-spec:
- steps:
- - name: step-01
- try:
- - apply:
- file: ../restrict-ingress-defaultbackend.yaml
- - patch:
- resource:
- apiVersion: kyverno.io/v1
- kind: ClusterPolicy
- metadata:
- name: restrict-ingress-defaultbackend
- spec:
- validationFailureAction: Enforce
- - assert:
- file: policy-ready.yaml
- - name: step-02
- try:
- - apply:
- file: ingress-good.yaml
- - apply:
- expect:
- - check:
- ($error != null): true
- file: ingress-bad.yaml
-
diff --git a/other-cel/restrict-ingress-defaultbackend/.chainsaw-test/ingress-bad.yaml b/other-cel/restrict-ingress-defaultbackend/.chainsaw-test/ingress-bad.yaml
deleted file mode 100644
index e46888ccb..000000000
--- a/other-cel/restrict-ingress-defaultbackend/.chainsaw-test/ingress-bad.yaml
+++ /dev/null
@@ -1,22 +0,0 @@
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
- name: badingress01
-spec:
- defaultBackend:
- resource:
- apiGroup: k8s.example.com
- kind: StorageBucket
- name: static-assets
----
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
- name: badingress02
-spec:
- defaultBackend:
- service:
- name: test
- port:
- number: 80
-
diff --git a/other-cel/restrict-ingress-defaultbackend/.chainsaw-test/ingress-good.yaml b/other-cel/restrict-ingress-defaultbackend/.chainsaw-test/ingress-good.yaml
deleted file mode 100644
index e35151a01..000000000
--- a/other-cel/restrict-ingress-defaultbackend/.chainsaw-test/ingress-good.yaml
+++ /dev/null
@@ -1,34 +0,0 @@ -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: goodingress01 -spec: - rules: - - host: endpoint01 - https: - paths: - - backend: - service: - name: demo-svc - port: - number: 8080 - path: / - pathType: Prefix ---- -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: goodingress02 -spec: - rules: - - host: endpoint01 - https: - paths: - - path: /testpath - pathType: Prefix - backend: - service: - name: test - port: - number: 80 - diff --git a/other-cel/restrict-ingress-defaultbackend/.chainsaw-test/policy-ready.yaml b/other-cel/restrict-ingress-defaultbackend/.chainsaw-test/policy-ready.yaml deleted file mode 100755 index a55f67374..000000000 --- a/other-cel/restrict-ingress-defaultbackend/.chainsaw-test/policy-ready.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: restrict-ingress-defaultbackend -status: - conditions: - - reason: Succeeded - status: "True" - type: Ready - - diff --git a/other-cel/restrict-ingress-defaultbackend/.kyverno-test/kyverno-test.yaml b/other-cel/restrict-ingress-defaultbackend/.kyverno-test/kyverno-test.yaml deleted file mode 100644 index 7b744c929..000000000 --- a/other-cel/restrict-ingress-defaultbackend/.kyverno-test/kyverno-test.yaml +++ /dev/null @@ -1,22 +0,0 @@ -apiVersion: cli.kyverno.io/v1alpha1 -kind: Test -metadata: - name: restrict-node-defaultbackend -policies: -- ../restrict-ingress-defaultbackend.yaml -resources: -- resource.yaml -results: -- kind: Ingress - policy: restrict-ingress-defaultbackend - resources: - - default/sample-app-1 - result: fail - rule: restrict-ingress-defaultbackend -- kind: Ingress - policy: restrict-ingress-defaultbackend - resources: - - default/sample-app-2 - result: pass - rule: restrict-ingress-defaultbackend - 
diff --git a/other-cel/restrict-ingress-defaultbackend/.kyverno-test/resource.yaml b/other-cel/restrict-ingress-defaultbackend/.kyverno-test/resource.yaml deleted file mode 100644 index 015bc445c..000000000 --- a/other-cel/restrict-ingress-defaultbackend/.kyverno-test/resource.yaml +++ /dev/null @@ -1,63 +0,0 @@ -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: sample-app-1 - namespace: default -spec: - defaultBackend: - service: - name: sample-backend - port: - number: 80 - rules: - - host: sample-frontend.example.com - http: - paths: - - backend: - service: - name: sample-frontend - port: - number: 80 - path: / - pathType: ImplementationSpecific - tls: - - hosts: - - sample-frontend.example.com - secretName: sample-frontend-tls ---- - -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: sample-app-2 - namespace: default -spec: - rules: - - host: sample-backend.example.com - http: - paths: - - backend: - service: - name: sample-backend - port: - number: 80 - path: / - pathType: ImplementationSpecific - - host: sample-frontend.example.com - http: - paths: - - backend: - service: - name: sample-frontend - port: - number: 80 - path: / - pathType: ImplementationSpecific - tls: - - hosts: - - sample-backend.example.com - secretName: sample-backend-tls - - hosts: - - sample-frontend.example.com - secretName: sample-frontend-tls - diff --git a/other-cel/restrict-ingress-defaultbackend/artifacthub-pkg.yml b/other-cel/restrict-ingress-defaultbackend/artifacthub-pkg.yml deleted file mode 100644 index 7374d591a..000000000 --- a/other-cel/restrict-ingress-defaultbackend/artifacthub-pkg.yml +++ /dev/null 
@@ -1,24 +0,0 @@ -name: restrict-ingress-defaultbackend-cel -version: 1.0.0 -displayName: Restrict Ingress defaultBackend in CEL expressions -description: >- - An Ingress with no rules sends all traffic to a single default backend. The defaultBackend is conventionally a configuration option of the Ingress controller and is not specified in your Ingress resources. If none of the hosts or paths match the HTTP request in the Ingress objects, the traffic is routed to your default backend. In a multi-tenant environment, you want users to use explicit hosts, they should not be able to overwrite the global default backend service. This policy prohibits the use of the defaultBackend field. -install: |- - ```shell - kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other-cel/restrict-ingress-defaultbackend/restrict-ingress-defaultbackend.yaml - ``` -keywords: - - kyverno - - Best Practices - - CEL Expressions -readme: | - An Ingress with no rules sends all traffic to a single default backend. The defaultBackend is conventionally a configuration option of the Ingress controller and is not specified in your Ingress resources. If none of the hosts or paths match the HTTP request in the Ingress objects, the traffic is routed to your default backend. In a multi-tenant environment, you want users to use explicit hosts, they should not be able to overwrite the global default backend service. This policy prohibits the use of the defaultBackend field. - - Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ -annotations: - kyverno/category: "Best Practices in CEL" - kyverno/kubernetesVersion: "1.26-1.27" - kyverno/subject: "Ingress" -digest: b4e07522bb17d990d112a2ba7a472c9662be01358fd8caa9806186246ffa7521 -createdAt: "2024-04-14T15:45:57Z" - 
diff --git a/other-cel/restrict-ingress-defaultbackend/restrict-ingress-defaultbackend.yaml b/other-cel/restrict-ingress-defaultbackend/restrict-ingress-defaultbackend.yaml deleted file mode 100644 index af50efc35..000000000 --- a/other-cel/restrict-ingress-defaultbackend/restrict-ingress-defaultbackend.yaml +++ /dev/null @@ -1,38 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: restrict-ingress-defaultbackend - annotations: - policies.kyverno.io/title: Restrict Ingress defaultBackend in CEL expressions - policies.kyverno.io/category: Best Practices in CEL - policies.kyverno.io/severity: high - kyverno.io/kyverno-version: 1.11.0 - policies.kyverno.io/minversion: 1.11.0 - kyverno.io/kubernetes-version: "1.26-1.27" - policies.kyverno.io/subject: Ingress - policies.kyverno.io/description: >- - An Ingress with no rules sends all traffic to a single default backend. The defaultBackend - is conventionally a configuration option of the Ingress controller and is not specified in - your Ingress resources. If none of the hosts or paths match the HTTP request in the Ingress - objects, the traffic is routed to your default backend. In a multi-tenant environment, you - want users to use explicit hosts, they should not be able to overwrite the global default backend - service. This policy prohibits the use of the defaultBackend field. -spec: - validationFailureAction: Audit - background: true - rules: - - name: restrict-ingress-defaultbackend - match: - any: - - resources: - kinds: - - Ingress - operations: - - CREATE - - UPDATE - validate: - cel: - expressions: - - expression: "!has(object.spec.defaultBackend)" - message: Setting the defaultBackend field is prohibited. - diff --git a/other-cel/restrict-ingress-wildcard/.chainsaw-test/chainsaw-test.yaml b/other-cel/restrict-ingress-wildcard/.chainsaw-test/chainsaw-test.yaml deleted file mode 100755 index 6361d5eb8..000000000 
--- a/other-cel/restrict-ingress-wildcard/.chainsaw-test/chainsaw-test.yaml +++ /dev/null @@ -1,32 +0,0 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json -apiVersion: chainsaw.kyverno.io/v1alpha1 -kind: Test -metadata: - creationTimestamp: null - name: restrict-ingress-wildcard -spec: - steps: - - name: step-01 - try: - - apply: - file: ../restrict-ingress-wildcard.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: restrict-ingress-wildcard - spec: - validationFailureAction: Enforce - - assert: - file: policy-ready.yaml - - name: step-02 - try: - - apply: - file: ingress-good.yaml - - apply: - expect: - - check: - ($error != null): true - file: ingress-bad.yaml - diff --git a/other-cel/restrict-ingress-wildcard/.chainsaw-test/ingress-bad.yaml b/other-cel/restrict-ingress-wildcard/.chainsaw-test/ingress-bad.yaml deleted file mode 100644 index f54f1e3bf..000000000 --- a/other-cel/restrict-ingress-wildcard/.chainsaw-test/ingress-bad.yaml +++ /dev/null 
@@ -1,71 +0,0 @@ -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: badingress01 -spec: - rules: - - host: "*.foo.bar" - https: - paths: - - backend: - service: - name: demo-svc - port: - number: 8080 - path: / - pathType: Prefix ---- -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: badingress02 -spec: - rules: - - host: foo-bar - https: - paths: - - path: /testpath - pathType: Prefix - backend: - service: - name: test - port: - number: 80 - - host: "*.example.com" - https: - paths: - - path: /testpath - pathType: Prefix - backend: - service: - name: test - port: - number: 80 ---- -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: badingress03 -spec: - rules: - - host: "*.bar" - https: - paths: - - path: /testpath - pathType: Prefix - backend: - service: - name: test - port: - number: 80 - - host: foo-bar - https: - paths: - - path: /testpath - pathType: Prefix - backend: - service: - name: test - port: - number: 80 - diff --git a/other-cel/restrict-ingress-wildcard/.chainsaw-test/ingress-good.yaml b/other-cel/restrict-ingress-wildcard/.chainsaw-test/ingress-good.yaml deleted file mode 100644 index aa30b1149..000000000 --- a/other-cel/restrict-ingress-wildcard/.chainsaw-test/ingress-good.yaml +++ /dev/null @@ -1,44 +0,0 @@ -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: goodingress01 -spec: - rules: - - host: endpoint01 - https: - paths: - - backend: - service: - name: demo-svc - port: - number: 8080 - path: / - pathType: Prefix ---- -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: goodingress02 -spec: - rules: - - host: endpoint02 - https: - paths: - - path: /testpath - pathType: Prefix - backend: - service: - name: test - port: - number: 80 - - host: endpoint01 - https: - paths: - - path: /testpath - pathType: Prefix - backend: - service: - name: test - port: - number: 80 - 
diff --git a/other-cel/restrict-ingress-wildcard/.chainsaw-test/policy-ready.yaml b/other-cel/restrict-ingress-wildcard/.chainsaw-test/policy-ready.yaml deleted file mode 100755 index 128b1e40c..000000000 --- a/other-cel/restrict-ingress-wildcard/.chainsaw-test/policy-ready.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: restrict-ingress-wildcard -status: - conditions: - - reason: Succeeded - status: "True" - type: Ready - - diff --git a/other-cel/restrict-ingress-wildcard/.kyverno-test/kyverno-test.yaml b/other-cel/restrict-ingress-wildcard/.kyverno-test/kyverno-test.yaml deleted file mode 100644 index c2fdee981..000000000 --- a/other-cel/restrict-ingress-wildcard/.kyverno-test/kyverno-test.yaml +++ /dev/null @@ -1,24 +0,0 @@ -apiVersion: cli.kyverno.io/v1alpha1 -kind: Test -metadata: - name: restrict-ingress-wildcard -policies: -- ../restrict-ingress-wildcard.yaml -resources: -- resources.yaml -results: -- kind: Ingress - policy: restrict-ingress-wildcard - resources: - - bading01 - - bading02 - result: fail - rule: block-ingress-wildcard -- kind: Ingress - policy: restrict-ingress-wildcard - resources: - - gooding01 - - gooding02 - result: pass - rule: block-ingress-wildcard - diff --git a/other-cel/restrict-ingress-wildcard/.kyverno-test/resources.yaml b/other-cel/restrict-ingress-wildcard/.kyverno-test/resources.yaml deleted file mode 100644 index 6b0616771..000000000 --- a/other-cel/restrict-ingress-wildcard/.kyverno-test/resources.yaml +++ /dev/null 
@@ -1,109 +0,0 @@ ---- -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: bading01 - labels: - app: kuard -spec: - rules: - - host: '*.foo.com' - http: - paths: - - backend: - service: - name: kuard - port: - number: 8080 - path: / - pathType: ImplementationSpecific - tls: - - hosts: - - kuard ---- -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: bading02 - labels: - app: kuard -spec: - rules: - - host: host1.foo.com - http: - paths: - - backend: - service: - name: kuard - port: - number: 8080 - path: / - pathType: ImplementationSpecific - - host: '*.foo.com' - http: - paths: - - backend: - service: - name: star - port: - number: 8082 - path: / - pathType: ImplementationSpecific - tls: - - hosts: - - kuard ---- -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: gooding01 - labels: - app: kuard -spec: - rules: - - host: corp.foo.com - http: - paths: - - backend: - service: - name: kuard - port: - number: 8080 - path: / - pathType: ImplementationSpecific - tls: - - hosts: - - kuard ---- -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: gooding02 - labels: - app: kuard -spec: - rules: - - host: corp.foo.com - http: - paths: - - backend: - service: - name: kuard - port: - number: 8080 - path: / - pathType: ImplementationSpecific - - host: bar.foo.com - http: - paths: - - backend: - service: - name: bar - port: - number: 8082 - path: / - pathType: ImplementationSpecific - tls: - - hosts: - - kuard - diff --git a/other-cel/restrict-ingress-wildcard/artifacthub-pkg.yml b/other-cel/restrict-ingress-wildcard/artifacthub-pkg.yml deleted file mode 100644 index d95a50d54..000000000 --- a/other-cel/restrict-ingress-wildcard/artifacthub-pkg.yml +++ /dev/null 
@@ -1,24 +0,0 @@ -name: restrict-ingress-wildcard-cel -version: 1.0.0 -displayName: Restrict Ingress Host with Wildcards in CEL expressions -description: >- - Ingress hosts optionally accept a wildcard as an alternative to precise matching. In some cases, this may be too permissive as it would direct unintended traffic to the given Ingress resource. This policy enforces that any Ingress host does not contain a wildcard character. -install: |- - ```shell - kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other-cel/restrict-ingress-wildcard/restrict-ingress-wildcard.yaml - ``` -keywords: - - kyverno - - Other - - CEL Expressions -readme: | - Ingress hosts optionally accept a wildcard as an alternative to precise matching. In some cases, this may be too permissive as it would direct unintended traffic to the given Ingress resource. This policy enforces that any Ingress host does not contain a wildcard character. - - Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ -annotations: - kyverno/category: "Other in CEL" - kyverno/kubernetesVersion: "1.26-1.27" - kyverno/subject: "Ingress" -digest: 4a41226fe1301a55f1f7dfadbc3ee87ee05ae981500b5b956dd44d62718eed2f -createdAt: "2024-04-15T18:06:41Z" - diff --git a/other-cel/restrict-ingress-wildcard/restrict-ingress-wildcard.yaml b/other-cel/restrict-ingress-wildcard/restrict-ingress-wildcard.yaml deleted file mode 100644 index 7e494cd9e..000000000 --- a/other-cel/restrict-ingress-wildcard/restrict-ingress-wildcard.yaml +++ /dev/null 
@@ -1,37 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: restrict-ingress-wildcard - annotations: - policies.kyverno.io/title: Restrict Ingress Host with Wildcards in CEL expressions - policies.kyverno.io/category: Other in CEL - policies.kyverno.io/severity: medium - kyverno.io/kyverno-version: 1.11.0 - policies.kyverno.io/minversion: 1.11.0 - kyverno.io/kubernetes-version: "1.26-1.27" - policies.kyverno.io/subject: Ingress - policies.kyverno.io/description: >- - Ingress hosts optionally accept a wildcard as an alternative - to precise matching. In some cases, this may be too permissive as it - would direct unintended traffic to the given Ingress resource. This - policy enforces that any Ingress host does not contain a wildcard - character. -spec: - validationFailureAction: Audit - background: true - rules: - - name: block-ingress-wildcard - match: - any: - - resources: - kinds: - - Ingress - operations: - - CREATE - - UPDATE - validate: - cel: - expressions: - - expression: "!object.spec.?rules.orValue([]).exists(rule, has(rule.host) && rule.host.contains('*'))" - message: "Wildcards are not permitted as hosts." - diff --git a/other-cel/restrict-jobs/.chainsaw-test/chainsaw-test.yaml b/other-cel/restrict-jobs/.chainsaw-test/chainsaw-test.yaml deleted file mode 100755 index 0537560b5..000000000 --- a/other-cel/restrict-jobs/.chainsaw-test/chainsaw-test.yaml +++ /dev/null @@ -1,23 +0,0 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json -apiVersion: chainsaw.kyverno.io/v1alpha1 -kind: Test -metadata: - creationTimestamp: null - name: restrict-jobs -spec: - steps: - - name: step-01 - try: - - apply: - file: ../restrict-jobs.yaml - - assert: - file: policy-ready.yaml - - name: step-02 - try: - - apply: - expect: - - check: - ($error != null): true - file: jobs-bad.yaml - - apply: - file: cronjobs-good.yaml 
diff --git a/other-cel/restrict-jobs/.chainsaw-test/cronjobs-good.yaml b/other-cel/restrict-jobs/.chainsaw-test/cronjobs-good.yaml deleted file mode 100644 index 8118a2876..000000000 --- a/other-cel/restrict-jobs/.chainsaw-test/cronjobs-good.yaml +++ /dev/null @@ -1,15 +0,0 @@ -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob01 -spec: - schedule: "* * * * *" - jobTemplate: - spec: - template: - spec: - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 - command: ["sleep", "3600"] - restartPolicy: OnFailure \ No newline at end of file diff --git a/other-cel/restrict-jobs/.chainsaw-test/jobs-bad.yaml b/other-cel/restrict-jobs/.chainsaw-test/jobs-bad.yaml deleted file mode 100644 index ef62a007b..000000000 --- a/other-cel/restrict-jobs/.chainsaw-test/jobs-bad.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: batch/v1 -kind: Job -metadata: - name: badjob -spec: - template: - spec: - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 - command: ["sleep", "3600"] - restartPolicy: Never \ No newline at end of file diff --git a/other-cel/restrict-jobs/.chainsaw-test/policy-ready.yaml b/other-cel/restrict-jobs/.chainsaw-test/policy-ready.yaml deleted file mode 100644 index 118a84bec..000000000 --- a/other-cel/restrict-jobs/.chainsaw-test/policy-ready.yaml +++ /dev/null @@ -1,9 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: restrict-jobs -status: - conditions: - - reason: Succeeded - status: "True" - type: Ready \ No newline at end of file diff --git a/other-cel/restrict-jobs/.kyverno-test/kyverno-test.yaml b/other-cel/restrict-jobs/.kyverno-test/kyverno-test.yaml deleted file mode 100644 index c2e9af736..000000000 --- a/other-cel/restrict-jobs/.kyverno-test/kyverno-test.yaml +++ /dev/null 
@@ -1,21 +0,0 @@ -apiVersion: cli.kyverno.io/v1alpha1 -kind: Test -metadata: - name: restrict-jobs -policies: -- ../restrict-jobs.yaml -resources: -- resource.yaml -results: -- policy: restrict-jobs - rule: restrict-job-from-cronjob - kind: Job - resources: - - badjob - result: fail -- policy: restrict-jobs - rule: restrict-job-from-cronjob - kind: Job - resources: - - goodjob - result: skip diff --git a/other-cel/restrict-jobs/.kyverno-test/resource.yaml b/other-cel/restrict-jobs/.kyverno-test/resource.yaml deleted file mode 100644 index 6e48e4443..000000000 --- a/other-cel/restrict-jobs/.kyverno-test/resource.yaml +++ /dev/null @@ -1,32 +0,0 @@ -apiVersion: batch/v1 -kind: Job -metadata: - name: badjob -spec: - template: - spec: - containers: - - name: busybox - image: busybox:1.35 - command: ["sleep", "3600"] - restartPolicy: Never ---- -apiVersion: batch/v1 -kind: Job -metadata: - name: goodjob - ownerReferences: - - apiVersion: batch/v1 - blockOwnerDeletion: true - controller: true - kind: CronJob - name: goodcronjob01 - uid: a554d6b8-8b0a-44da-a9d9-d76a1f85b320 -spec: - template: - spec: - containers: - - name: busybox - image: busybox:1.35 - command: ["sleep", "3600"] - restartPolicy: Never \ No newline at end of file diff --git a/other-cel/restrict-jobs/artifacthub-pkg.yml b/other-cel/restrict-jobs/artifacthub-pkg.yml deleted file mode 100644 index 1f1b05fb6..000000000 --- a/other-cel/restrict-jobs/artifacthub-pkg.yml +++ /dev/null 
@@ -1,23 +0,0 @@ -name: restrict-jobs-cel -version: 1.0.0 -displayName: Restrict Jobs in CEL expressions -description: >- - Jobs can be created directly and indirectly via a CronJob controller. In some cases, users may want to only allow Jobs if they are created via a CronJob. This policy restricts Jobs so they may only be created by a CronJob. -install: |- - ```shell - kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other-cel/restrict-jobs/restrict-jobs.yaml - ``` -keywords: - - kyverno - - Other - - CEL Expressions -readme: | - Jobs can be created directly and indirectly via a CronJob controller. In some cases, users may want to only allow Jobs if they are created via a CronJob. This policy restricts Jobs so they may only be created by a CronJob. - - Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ -annotations: - kyverno/category: "Other in CEL" - kyverno/kubernetesVersion: "1.26-1.27" - kyverno/subject: "Job" -digest: d8806389e8dd3e8ed5a2fe1a38fe4e4dec080af79d2cca7e684ddb46f244c6be -createdAt: "2024-05-19T16:05:23Z" diff --git a/other-cel/restrict-jobs/restrict-jobs.yaml b/other-cel/restrict-jobs/restrict-jobs.yaml deleted file mode 100644 index 13b836675..000000000 --- a/other-cel/restrict-jobs/restrict-jobs.yaml +++ /dev/null 
@@ -1,33 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: restrict-jobs - annotations: - policies.kyverno.io/title: Restrict Jobs in CEL expressions - policies.kyverno.io/category: Other in CEL - policies.kyverno.io/severity: medium - policies.kyverno.io/subject: Job - kyverno.io/kyverno-version: 1.12.1 - kyverno.io/kubernetes-version: "1.26-1.27" - policies.kyverno.io/description: >- - Jobs can be created directly and indirectly via a CronJob controller. - In some cases, users may want to only allow Jobs if they are created via a CronJob. - This policy restricts Jobs so they may only be created by a CronJob. -spec: - validationFailureAction: Enforce - rules: - - name: restrict-job-from-cronjob - match: - any: - - resources: - kinds: - - Job - celPreconditions: - - name: "not-created-by-cronjob" - expression: "!has(object.metadata.ownerReferences) || object.metadata.ownerReferences[0].kind != 'CronJob'" - validate: - cel: - expressions: - - expression: "false" - message: Jobs are only allowed if spawned from CronJobs. - diff --git a/other-cel/restrict-loadbalancer/.chainsaw-test/chainsaw-test.yaml b/other-cel/restrict-loadbalancer/.chainsaw-test/chainsaw-test.yaml deleted file mode 100755 index 95651dfd0..000000000 --- a/other-cel/restrict-loadbalancer/.chainsaw-test/chainsaw-test.yaml +++ /dev/null 
@@ -1,32 +0,0 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json -apiVersion: chainsaw.kyverno.io/v1alpha1 -kind: Test -metadata: - creationTimestamp: null - name: restrict-loadbalancer -spec: - steps: - - name: step-01 - try: - - apply: - file: ../restrict-loadbalancer.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: no-loadbalancer-service - spec: - validationFailureAction: Enforce - - assert: - file: policy-ready.yaml - - name: step-02 - try: - - apply: - file: svc-good.yaml - - apply: - expect: - - check: - ($error != null): true - file: svc-bad.yaml - diff --git a/other-cel/restrict-loadbalancer/.chainsaw-test/policy-ready.yaml b/other-cel/restrict-loadbalancer/.chainsaw-test/policy-ready.yaml deleted file mode 100755 index aec687efe..000000000 --- a/other-cel/restrict-loadbalancer/.chainsaw-test/policy-ready.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: no-loadbalancer-service -status: - conditions: - - reason: Succeeded - status: "True" - type: Ready - - diff --git a/other-cel/restrict-loadbalancer/.chainsaw-test/svc-bad.yaml b/other-cel/restrict-loadbalancer/.chainsaw-test/svc-bad.yaml deleted file mode 100644 index 255ca0c2f..000000000 --- a/other-cel/restrict-loadbalancer/.chainsaw-test/svc-bad.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: badsvc01 -spec: - selector: - app: nginx - ports: - - port: 80 - targetPort: 80 - type: LoadBalancer - diff --git a/other-cel/restrict-loadbalancer/.chainsaw-test/svc-good.yaml b/other-cel/restrict-loadbalancer/.chainsaw-test/svc-good.yaml deleted file mode 100644 index a14a0e652..000000000 --- a/other-cel/restrict-loadbalancer/.chainsaw-test/svc-good.yaml +++ /dev/null 
@@ -1,13 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: goodsvc01 -spec: - selector: - app: nginx - ports: - - port: 80 - targetPort: 80 - nodePort: 30007 - type: NodePort - diff --git a/other-cel/restrict-loadbalancer/.kyverno-test/kyverno-test.yaml b/other-cel/restrict-loadbalancer/.kyverno-test/kyverno-test.yaml deleted file mode 100644 index 088d61db2..000000000 --- a/other-cel/restrict-loadbalancer/.kyverno-test/kyverno-test.yaml +++ /dev/null @@ -1,22 +0,0 @@ -apiVersion: cli.kyverno.io/v1alpha1 -kind: Test -metadata: - name: no-loadbalancer-service -policies: -- ../restrict-loadbalancer.yaml -resources: -- resource.yaml -results: -- kind: Service - policy: no-loadbalancer-service - resources: - - default/my-service-1 - result: fail - rule: no-LoadBalancer -- kind: Service - policy: no-loadbalancer-service - resources: - - default/my-service-2 - result: pass - rule: no-LoadBalancer - diff --git a/other-cel/restrict-loadbalancer/.kyverno-test/resource.yaml b/other-cel/restrict-loadbalancer/.kyverno-test/resource.yaml deleted file mode 100644 index eaa1dd3ee..000000000 --- a/other-cel/restrict-loadbalancer/.kyverno-test/resource.yaml +++ /dev/null @@ -1,26 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: my-service-1 -spec: - selector: - app: myapp-1 - ports: - - port: 80 - targetPort: 80 - type: LoadBalancer - ---- -apiVersion: v1 -kind: Service -metadata: - name: my-service-2 -spec: - selector: - app: MyApp - ports: - - port: 80 - targetPort: 80 - nodePort: 30007 - type: NodePort - diff --git a/other-cel/restrict-loadbalancer/artifacthub-pkg.yml b/other-cel/restrict-loadbalancer/artifacthub-pkg.yml deleted file mode 100644 index 5917a62f1..000000000 --- a/other-cel/restrict-loadbalancer/artifacthub-pkg.yml +++ /dev/null 
@@ -1,24 +0,0 @@ -name: restrict-loadbalancer-cel -version: 1.0.0 -displayName: Disallow Service Type LoadBalancer in CEL expressions -description: >- - Especially in cloud provider environments, a Service having type LoadBalancer will cause the provider to respond by creating a load balancer somewhere in the customer account. This adds cost and complexity to a deployment. Without restricting this ability, users may easily overrun established budgets and security practices set by the organization. This policy restricts use of the Service type LoadBalancer. -install: |- - ```shell - kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other-cel/restrict-loadbalancer/restrict-loadbalancer.yaml - ``` -keywords: - - kyverno - - Sample - - CEL Expressions -readme: | - Especially in cloud provider environments, a Service having type LoadBalancer will cause the provider to respond by creating a load balancer somewhere in the customer account. This adds cost and complexity to a deployment. Without restricting this ability, users may easily overrun established budgets and security practices set by the organization. This policy restricts use of the Service type LoadBalancer. - - Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ -annotations: - kyverno/category: "Sample in CEL" - kyverno/kubernetesVersion: "1.26-1.27" - kyverno/subject: "Service" -digest: 2b6dd5c292505f25dd5074052ea247c8febd8686067215033097f045cf8bbe0b -createdAt: "2024-04-17T17:49:00Z" - diff --git a/other-cel/restrict-loadbalancer/restrict-loadbalancer.yaml b/other-cel/restrict-loadbalancer/restrict-loadbalancer.yaml deleted file mode 100644 index 08b7cb558..000000000 --- a/other-cel/restrict-loadbalancer/restrict-loadbalancer.yaml +++ /dev/null 
@@ -1,36 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: no-loadbalancer-service - annotations: - policies.kyverno.io/title: Disallow Service Type LoadBalancer in CEL expressions - policies.kyverno.io/category: Sample in CEL - policies.kyverno.io/severity: medium - policies.kyverno.io/subject: Service - policies.kyverno.io/minversion: 1.11.0 - kyverno.io/kubernetes-version: "1.26-1.27" - policies.kyverno.io/description: >- - Especially in cloud provider environments, a Service having type LoadBalancer will cause the - provider to respond by creating a load balancer somewhere in the customer account. This adds - cost and complexity to a deployment. Without restricting this ability, users may easily - overrun established budgets and security practices set by the organization. This policy restricts - use of the Service type LoadBalancer. -spec: - validationFailureAction: Audit - background: true - rules: - - name: no-LoadBalancer - match: - any: - - resources: - kinds: - - Service - operations: - - CREATE - - UPDATE - validate: - cel: - expressions: - - expression: "object.spec.type != 'LoadBalancer'" - message: "Service of type LoadBalancer is not allowed." - diff --git a/other-cel/restrict-networkpolicy-empty-podselector/.chainsaw-test/chainsaw-test.yaml b/other-cel/restrict-networkpolicy-empty-podselector/.chainsaw-test/chainsaw-test.yaml deleted file mode 100755 index 67192a45e..000000000 --- a/other-cel/restrict-networkpolicy-empty-podselector/.chainsaw-test/chainsaw-test.yaml +++ /dev/null 
@@ -1,32 +0,0 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json -apiVersion: chainsaw.kyverno.io/v1alpha1 -kind: Test -metadata: - creationTimestamp: null - name: restrict-networkpolicy-empty-podselector -spec: - steps: - - name: step-01 - try: - - apply: - file: ../restrict-networkpolicy-empty-podselector.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: restrict-networkpolicy-empty-podselector - spec: - validationFailureAction: Enforce - - assert: - file: policy-ready.yaml - - name: step-02 - try: - - apply: - file: netpol-good.yaml - - apply: - expect: - - check: - ($error != null): true - file: netpol-bad.yaml - diff --git a/other-cel/restrict-networkpolicy-empty-podselector/.chainsaw-test/netpol-bad.yaml b/other-cel/restrict-networkpolicy-empty-podselector/.chainsaw-test/netpol-bad.yaml deleted file mode 100644 index 4f6ce4c29..000000000 --- a/other-cel/restrict-networkpolicy-empty-podselector/.chainsaw-test/netpol-bad.yaml +++ /dev/null @@ -1,24 +0,0 @@ -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - name: badnetpol01 -spec: - podSelector: {} - policyTypes: - - Egress - ingress: - - from: - - ipBlock: - cidr: 172.17.0.0/16 - except: - - 172.17.1.0/24 - - namespaceSelector: - matchLabels: - project: myproject - - podSelector: - matchLabels: - role: frontend - ports: - - protocol: TCP - port: 6379 - diff --git a/other-cel/restrict-networkpolicy-empty-podselector/.chainsaw-test/netpol-good.yaml b/other-cel/restrict-networkpolicy-empty-podselector/.chainsaw-test/netpol-good.yaml deleted file mode 100644 index 0bfd17cf7..000000000 --- a/other-cel/restrict-networkpolicy-empty-podselector/.chainsaw-test/netpol-good.yaml +++ /dev/null 
@@ -1,35 +0,0 @@ -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - name: default-deny -spec: - podSelector: {} - policyTypes: - - Ingress ---- -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - name: goodnetpol01 -spec: - podSelector: - matchLabels: - foo: bar - app: busybox - see: saw - policyTypes: - - Egress ---- -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - name: goodnetpol02 -spec: - podSelector: - matchLabels: - bar: foo - saw: see - app: nginbox - policyTypes: - - Egress - diff --git a/other-cel/restrict-networkpolicy-empty-podselector/.chainsaw-test/policy-ready.yaml b/other-cel/restrict-networkpolicy-empty-podselector/.chainsaw-test/policy-ready.yaml deleted file mode 100755 index f6750f8da..000000000 --- a/other-cel/restrict-networkpolicy-empty-podselector/.chainsaw-test/policy-ready.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: restrict-networkpolicy-empty-podselector -status: - conditions: - - reason: Succeeded - status: "True" - type: Ready - - diff --git a/other-cel/restrict-networkpolicy-empty-podselector/.kyverno-test/kyverno-test.yaml b/other-cel/restrict-networkpolicy-empty-podselector/.kyverno-test/kyverno-test.yaml deleted file mode 100644 index 23941358f..000000000 --- a/other-cel/restrict-networkpolicy-empty-podselector/.kyverno-test/kyverno-test.yaml +++ /dev/null @@ -1,22 +0,0 @@ -apiVersion: cli.kyverno.io/v1alpha1 -kind: Test -metadata: - name: restrict-networkpolicy-empty-podselector -policies: -- ../restrict-networkpolicy-empty-podselector.yaml -resources: -- resource.yaml -results: -- kind: NetworkPolicy - policy: restrict-networkpolicy-empty-podselector - resources: - - badnetworkpolicy - result: fail - rule: empty-podselector -- kind: NetworkPolicy - policy: restrict-networkpolicy-empty-podselector - resources: - - goodnetworkpolicy - result: pass - rule: empty-podselector - 
diff --git a/other-cel/restrict-networkpolicy-empty-podselector/.kyverno-test/resource.yaml b/other-cel/restrict-networkpolicy-empty-podselector/.kyverno-test/resource.yaml deleted file mode 100644 index 1ea8f1d32..000000000 --- a/other-cel/restrict-networkpolicy-empty-podselector/.kyverno-test/resource.yaml +++ /dev/null @@ -1,35 +0,0 @@ -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - name: badnetworkpolicy - namespace: qa -spec: - podSelector: {} - policyTypes: - - Ingress - - Egress ---- -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - name: goodnetworkpolicy - namespace: qa -spec: - podSelector: - matchLabels: - foo: bar - policyTypes: - - Ingress - - Egress ---- -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - name: default-deny - namespace: qa -spec: - podSelector: {} - policyTypes: - - Ingress - - Egress - diff --git a/other-cel/restrict-networkpolicy-empty-podselector/artifacthub-pkg.yml b/other-cel/restrict-networkpolicy-empty-podselector/artifacthub-pkg.yml deleted file mode 100644 index e130a25be..000000000 --- a/other-cel/restrict-networkpolicy-empty-podselector/artifacthub-pkg.yml +++ /dev/null 
@@ -1,25 +0,0 @@ -name: restrict-networkpolicy-empty-podselector-cel -version: 1.0.0 -displayName: Restrict NetworkPolicy with Empty podSelector in CEL expressions -description: >- - By default, all pods in a Kubernetes cluster are allowed to communicate with each other, and all network traffic is unencrypted. It is recommended to not use an empty podSelector in order to more closely control the necessary traffic flows. This policy requires that all NetworkPolicies other than that of `default-deny` not use an empty podSelector. -install: |- - ```shell - kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other-cel/restrict-networkpolicy-empty-podselector/restrict-networkpolicy-empty-podselector.yaml - ``` -keywords: - - kyverno - - Other - - Multi-Tenancy - - CEL Expressions -readme: | - By default, all pods in a Kubernetes cluster are allowed to communicate with each other, and all network traffic is unencrypted. It is recommended to not use an empty podSelector in order to more closely control the necessary traffic flows. This policy requires that all NetworkPolicies other than that of `default-deny` not use an empty podSelector. - - Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ -annotations: - kyverno/category: "Other, Multi-Tenancy in CEL" - kyverno/kubernetesVersion: "1.26-1.27" - kyverno/subject: "NetworkPolicy" -digest: c55047723a696dfb02a59fb2d933edabdb4796436c55587588d5a9c40ee08e2c -createdAt: "2024-04-17T17:51:58Z" - diff --git a/other-cel/restrict-networkpolicy-empty-podselector/restrict-networkpolicy-empty-podselector.yaml b/other-cel/restrict-networkpolicy-empty-podselector/restrict-networkpolicy-empty-podselector.yaml deleted file mode 100644 index 2c4605a1f..000000000 --- a/other-cel/restrict-networkpolicy-empty-podselector/restrict-networkpolicy-empty-podselector.yaml +++ /dev/null 
@@ -1,42 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
- name: restrict-networkpolicy-empty-podselector
- annotations:
- policies.kyverno.io/title: Restrict NetworkPolicy with Empty podSelector in CEL expressions
- policies.kyverno.io/category: Other, Multi-Tenancy in CEL
- policies.kyverno.io/severity: medium
- policies.kyverno.io/subject: NetworkPolicy
- policies.kyverno.io/minversion: 1.11.0
- kyverno.io/kubernetes-version: "1.26-1.27"
- policies.kyverno.io/description: >-
- By default, all pods in a Kubernetes cluster are allowed to communicate with each other, and all
- network traffic is unencrypted. It is recommended to not use an empty podSelector in order to
- more closely control the necessary traffic flows. This policy requires that all NetworkPolicies
- other than that of `default-deny` not use an empty podSelector.
-spec:
- validationFailureAction: Audit
- background: true
- rules:
- - name: empty-podselector
- match:
- any:
- - resources:
- kinds:
- - NetworkPolicy
- operations:
- - CREATE
- - UPDATE
- exclude:
- any:
- - resources:
- kinds:
- - NetworkPolicy
- names:
- - default-deny
- validate:
- cel:
- expressions:
- - expression: "size(object.spec.podSelector) != 0"
- message: "NetworkPolicies must not use an empty podSelector."
-
diff --git a/other-cel/restrict-node-affinity/.chainsaw-test/chainsaw-test.yaml b/other-cel/restrict-node-affinity/.chainsaw-test/chainsaw-test.yaml
deleted file mode 100755
index 867cdf3ae..000000000
--- a/other-cel/restrict-node-affinity/.chainsaw-test/chainsaw-test.yaml
+++ /dev/null
@@ -1,39 +0,0 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json -apiVersion: chainsaw.kyverno.io/v1alpha1 -kind: Test -metadata: - creationTimestamp: null - name: restrict-node-affinity -spec: - steps: - - name: step-01 - try: - - apply: - file: ../restrict-node-affinity.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: restrict-node-affinity - spec: - validationFailureAction: Enforce - - assert: - file: policy-ready.yaml - - name: step-02 - try: - - apply: - file: pod-good.yaml - - apply: - expect: - - check: - ($error != null): true - file: pod-bad.yaml - - apply: - file: podcontroller-good.yaml - - apply: - expect: - - check: - ($error != null): true - file: podcontroller-bad.yaml - diff --git a/other-cel/restrict-node-affinity/.chainsaw-test/pod-bad.yaml b/other-cel/restrict-node-affinity/.chainsaw-test/pod-bad.yaml deleted file mode 100644 index 2327e73a0..000000000 --- a/other-cel/restrict-node-affinity/.chainsaw-test/pod-bad.yaml +++ /dev/null @@ -1,47 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: badpod01 -spec: - affinity: - nodeAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - weight: 1 - preference: - matchExpressions: - - key: foo - operator: In - values: - - bar - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod02 -spec: - affinity: - nodeAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - weight: 1 - preference: - matchExpressions: - - key: foo - operator: In - values: - - bar - podAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - - labelSelector: - matchExpressions: - - key: security - operator: In - values: - - S1 - topologyKey: topology.kubernetes.io/zone - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 - 
diff --git a/other-cel/restrict-node-affinity/.chainsaw-test/pod-good.yaml b/other-cel/restrict-node-affinity/.chainsaw-test/pod-good.yaml deleted file mode 100644 index 9a580464e..000000000 --- a/other-cel/restrict-node-affinity/.chainsaw-test/pod-good.yaml +++ /dev/null @@ -1,39 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: goodpod01 -spec: - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod02 -spec: - affinity: - podAffinity: - prefferedDuringSchedulingIgnoredDuringExecution: - - labelSelector: - matchExpressions: - - key: bar - operator: In - values: - - bar - topologyKey: topology.kubernetes.io/zone - podAntiAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - weight: 100 - podAffinityTerm: - labelSelector: - matchExpressions: - - key: security - operator: In - values: - - S2 - topologyKey: topology.kubernetes.io/zone - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 - diff --git a/other-cel/restrict-node-affinity/.chainsaw-test/podcontroller-bad.yaml b/other-cel/restrict-node-affinity/.chainsaw-test/podcontroller-bad.yaml deleted file mode 100644 index 91480ac42..000000000 --- a/other-cel/restrict-node-affinity/.chainsaw-test/podcontroller-bad.yaml +++ /dev/null 
@@ -1,56 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app: busybox - name: baddeployment01 -spec: - replicas: 1 - selector: - matchLabels: - app: busybox - strategy: {} - template: - metadata: - labels: - app: busybox - spec: - affinity: - nodeAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - weight: 1 - preference: - matchExpressions: - - key: foo - operator: In - values: - - bar - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob01 -spec: - schedule: "* * * * *" - jobTemplate: - spec: - template: - spec: - affinity: - nodeAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - weight: 1 - preference: - matchExpressions: - - key: foo - operator: In - values: - - bar - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 - restartPolicy: OnFailure - diff --git a/other-cel/restrict-node-affinity/.chainsaw-test/podcontroller-good.yaml b/other-cel/restrict-node-affinity/.chainsaw-test/podcontroller-good.yaml deleted file mode 100644 index 52bce5597..000000000 --- a/other-cel/restrict-node-affinity/.chainsaw-test/podcontroller-good.yaml +++ /dev/null 
@@ -1,46 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app: busybox - name: gooddeployment01 -spec: - replicas: 1 - selector: - matchLabels: - app: busybox - strategy: {} - template: - metadata: - labels: - app: busybox - spec: - affinity: - podAffinity: - prefferedDuringSchedulingIgnoredDuringExecution: - - labelSelector: - matchExpressions: - - key: bar - operator: In - values: - - bar - topologyKey: topology.kubernetes.io/zone - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob01 -spec: - schedule: "* * * * *" - jobTemplate: - spec: - template: - spec: - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 - restartPolicy: OnFailure - diff --git a/other-cel/restrict-node-affinity/.chainsaw-test/policy-ready.yaml b/other-cel/restrict-node-affinity/.chainsaw-test/policy-ready.yaml deleted file mode 100755 index 37bea35c1..000000000 --- a/other-cel/restrict-node-affinity/.chainsaw-test/policy-ready.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: restrict-node-affinity -status: - conditions: - - reason: Succeeded - status: "True" - type: Ready - - diff --git a/other-cel/restrict-node-affinity/.kyverno-test/kyverno-test.yaml b/other-cel/restrict-node-affinity/.kyverno-test/kyverno-test.yaml deleted file mode 100644 index c48346eda..000000000 --- a/other-cel/restrict-node-affinity/.kyverno-test/kyverno-test.yaml +++ /dev/null 
@@ -1,34 +0,0 @@ -apiVersion: cli.kyverno.io/v1alpha1 -kind: Test -metadata: - name: restrict-node-affinity -policies: -- ../restrict-node-affinity.yaml -resources: -- resource.yaml -results: -- kind: Deployment - policy: restrict-node-affinity - resources: - - baddeploy01 - result: fail - rule: check-nodeaffinity -- kind: Pod - policy: restrict-node-affinity - resources: - - badpod01 - result: fail - rule: check-nodeaffinity -- kind: Deployment - policy: restrict-node-affinity - resources: - - gooddeploy01 - result: pass - rule: check-nodeaffinity -- kind: Pod - policy: restrict-node-affinity - resources: - - goodpod01 - result: pass - rule: check-nodeaffinity - diff --git a/other-cel/restrict-node-affinity/.kyverno-test/resource.yaml b/other-cel/restrict-node-affinity/.kyverno-test/resource.yaml deleted file mode 100644 index d3f7d1d9f..000000000 --- a/other-cel/restrict-node-affinity/.kyverno-test/resource.yaml +++ /dev/null 
@@ -1,92 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: goodpod01 - labels: - app: myapp -spec: - containers: - - name: nginx - image: nginx ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod01 - labels: - app: myapp -spec: - affinity: - nodeAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - nodeSelectorTerms: - - matchExpressions: - - key: node.info.kubernetes.io/city - operator: In - values: - - shanghai - containers: - - name: nginx - image: nginx ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeploy01 -spec: - replicas: 1 - selector: - matchLabels: - app: web - template: - metadata: - labels: - app: web - spec: - affinity: - nodeAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - nodeSelectorTerms: - - matchExpressions: - - key: node.info.kubernetes.io/city - operator: In - values: - - shanghai - containers: - - name: web - image: asfadafdasdfsasasa:latest - imagePullPolicy: Always - resources: - requests: - memory: "256Mi" - cpu: "500m" - limits: - memory: "256Mi" - cpu: "500m" ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeploy01 -spec: - replicas: 1 - selector: - matchLabels: - app: web - template: - metadata: - labels: - app: web - spec: - containers: - - name: web - image: asfadafdasdfsasasa:latest - imagePullPolicy: Always - resources: - requests: - memory: "256Mi" - cpu: "500m" - limits: - memory: "256Mi" - cpu: "500m" - diff --git a/other-cel/restrict-node-affinity/artifacthub-pkg.yml b/other-cel/restrict-node-affinity/artifacthub-pkg.yml deleted file mode 100644 index bc581dd8c..000000000 --- a/other-cel/restrict-node-affinity/artifacthub-pkg.yml +++ /dev/null 
@@ -1,24 +0,0 @@ -name: restrict-node-affinity-cel -version: 1.0.0 -displayName: Restrict Node Affinity in CEL expressions -description: >- - Pods may use several mechanisms to prefer scheduling on a set of nodes, and nodeAffinity is one of them. nodeAffinity uses expressions to select eligible nodes for scheduling decisions and may override intended placement options by cluster administrators. This policy ensures that nodeAffinity is not used in a Pod spec. -install: |- - ```shell - kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other-cel/restrict-node-affinity/restrict-node-affinity.yaml - ``` -keywords: - - kyverno - - Other - - CEL Expressions -readme: | - Pods may use several mechanisms to prefer scheduling on a set of nodes, and nodeAffinity is one of them. nodeAffinity uses expressions to select eligible nodes for scheduling decisions and may override intended placement options by cluster administrators. This policy ensures that nodeAffinity is not used in a Pod spec. - - Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ -annotations: - kyverno/category: "Other in CEL" - kyverno/kubernetesVersion: "1.26-1.27" - kyverno/subject: "Pod" -digest: 485e28fb5ff6628c443209cdd6425e70619a5a91c8334b13c8b83f6dd1a731d5 -createdAt: "2024-04-18T18:08:24Z" - diff --git a/other-cel/restrict-node-affinity/restrict-node-affinity.yaml b/other-cel/restrict-node-affinity/restrict-node-affinity.yaml deleted file mode 100644 index 91b496240..000000000 --- a/other-cel/restrict-node-affinity/restrict-node-affinity.yaml +++ /dev/null 
@@ -1,36 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
- name: restrict-node-affinity
- annotations:
- policies.kyverno.io/title: Restrict Node Affinity in CEL expressions
- policies.kyverno.io/category: Other in CEL
- policies.kyverno.io/severity: medium
- policies.kyverno.io/subject: Pod
- kyverno.io/kyverno-version: 1.11.0
- kyverno.io/kubernetes-version: "1.26-1.27"
- policies.kyverno.io/description: >-
- Pods may use several mechanisms to prefer scheduling on a set of nodes,
- and nodeAffinity is one of them. nodeAffinity uses expressions to select
- eligible nodes for scheduling decisions and may override intended placement
- options by cluster administrators. This policy ensures that nodeAffinity
- is not used in a Pod spec.
-spec:
- background: true
- validationFailureAction: Audit
- rules:
- - name: check-nodeaffinity
- match:
- any:
- - resources:
- kinds:
- - Pod
- operations:
- - CREATE
- - UPDATE
- validate:
- cel:
- expressions:
- - expression: "!object.spec.?affinity.?nodeAffinity.hasValue()"
- message: "Node affinity cannot be used."
-
diff --git a/other-cel/restrict-node-label-creation/.chainsaw-test/chainsaw-test.yaml b/other-cel/restrict-node-label-creation/.chainsaw-test/chainsaw-test.yaml
deleted file mode 100755
index 7174c36d8..000000000
--- a/other-cel/restrict-node-label-creation/.chainsaw-test/chainsaw-test.yaml
+++ /dev/null
@@ -1,35 +0,0 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json -apiVersion: chainsaw.kyverno.io/v1alpha1 -kind: Test -metadata: - creationTimestamp: null - name: restrict-node-label-creation -spec: - steps: - - name: step-01 - try: - - script: - content: | - kubectl get configmap kyverno -n kyverno -o yaml | sed 's/\[Node\/\*,\*,\*\]//g' - | sed 's/\[Node,\*,\*\]//g' - | kubectl apply -f - - - sleep: - duration: 5s - - name: step-02 - try: - - apply: - file: ../restrict-node-label-creation.yaml - - assert: - file: policy-ready.yaml - - name: step-03 - try: - - script: - content: | - node=$(kubectl get nodes --no-headers | awk 'NR==1{print $1}') - if kubectl label --overwrite nodes $node foo=bar; then echo "Failure: successfully set label foo"; exit 1; else echo "Success: failed to set label foo"; fi - if kubectl label --overwrite nodes $node bar=bar; then echo "Success: set label bar"; else echo "Failed to set label bar"; exit 1; fi - if kubectl label --overwrite nodes $node bar=foo; then echo "Success: modified label bar"; else echo "Failed to modify label bar"; exit 1; fi - if kubectl label nodes $node bar-; then echo "Success: removed label bar"; else echo "Failed to remove label bar"; exit 1; fi - - name: step-04 - try: - - script: - content: | - kubectl get configmap -n kyverno kyverno -o yaml | sed 's/\[APIService,\*,\*\]/\[Node,\*,\*\] \[Node\/\*,\*,\*\] \[APIService,\*,\*\]/g' - | kubectl apply -f - diff --git a/other-cel/restrict-node-label-creation/.chainsaw-test/policy-ready.yaml b/other-cel/restrict-node-label-creation/.chainsaw-test/policy-ready.yaml deleted file mode 100644 index dd8579329..000000000 --- a/other-cel/restrict-node-label-creation/.chainsaw-test/policy-ready.yaml +++ /dev/null 
@@ -1,9 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: restrict-node-label-creation -status: - conditions: - - reason: Succeeded - status: "True" - type: Ready \ No newline at end of file diff --git a/other-cel/restrict-node-label-creation/artifacthub-pkg.yml b/other-cel/restrict-node-label-creation/artifacthub-pkg.yml deleted file mode 100644 index f09eb30bb..000000000 --- a/other-cel/restrict-node-label-creation/artifacthub-pkg.yml +++ /dev/null 
@@ -1,23 +0,0 @@ -name: restrict-node-label-creation-cel -version: 1.0.0 -displayName: restrict node laUel creation in CEL expressions -description: >- - Node labels are critical pieces of metadata upon which many other applications and logic may depend and should not be altered or removed by regular users. Many cloud providers also use Node labels to signal specific functions to applications. This policy prevents setting of a new label called `foo` on cluster Nodes. Use of this policy requires removal of the Node resource filter in the Kyverno ConfigMap ([Node,*,*]). Due to Kubernetes CVE-2021-25735, this policy requires, at minimum, one of the following versions of Kubernetes: v1.18.18, v1.19.10, v1.20.6, or v1.21.0. -install: |- - ```shell - kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other-cel/restrict-node-label-creation/restrict-node-label-creation.yaml - ``` -keywords: - - kyverno - - Sample - - CEL Expressions -readme: | - Node labels are critical pieces of metadata upon which many other applications and logic may depend and should not be altered or removed by regular users. Many cloud providers also use Node labels to signal specific functions to applications. This policy prevents setting of a new label called `foo` on cluster Nodes. Use of this policy requires removal of the Node resource filter in the Kyverno ConfigMap ([Node,*,*]). Due to Kubernetes CVE-2021-25735, this policy requires, at minimum, one of the following versions of Kubernetes: v1.18.18, v1.19.10, v1.20.6, or v1.21.0. - - Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ -annotations: - kyverno/category: "Sample in CEL" - kyverno/kubernetesVersion: "1.26-1.27" - kyverno/subject: "Node, Label" -digest: f34cb899d81dd8927d55060f361d06d3b52d86b6bb319d9fb40a12fb7c6e46aa -createdAt: "2024-05-20T03:52:11Z" 
diff --git a/other-cel/restrict-node-label-creation/restrict-node-label-creation.yaml b/other-cel/restrict-node-label-creation/restrict-node-label-creation.yaml
deleted file mode 100644
index 9f6472056..000000000
--- a/other-cel/restrict-node-label-creation/restrict-node-label-creation.yaml
+++ /dev/null
@@ -1,40 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
- name: restrict-node-label-creation
- annotations:
- policies.kyverno.io/title: Restrict node label creation in CEL expressions
- policies.kyverno.io/category: Sample in CEL
- policies.kyverno.io/subject: Node, Label
- kyverno.io/kyverno-version: 1.12.1
- kyverno.io/kubernetes-version: "1.26-1.27"
- policies.kyverno.io/description: >-
- Node labels are critical pieces of metadata upon which many other applications and
- logic may depend and should not be altered or removed by regular users. Many cloud
- providers also use Node labels to signal specific functions to applications.
- This policy prevents setting of a new label called `foo` on
- cluster Nodes. Use of this policy requires removal of the Node resource filter
- in the Kyverno ConfigMap ([Node,*,*]). Due to Kubernetes CVE-2021-25735, this policy
- requires, at minimum, one of the following versions of Kubernetes:
- v1.18.18, v1.19.10, v1.20.6, or v1.21.0.
-spec:
- validationFailureAction: Enforce
- background: false
- rules:
- - name: prevent-label-set
- match:
- any:
- - resources:
- kinds:
- - Node
- celPreconditions:
- - name: "operation-should-be-update"
- expression: "request.operation == 'UPDATE'"
- - name: "has-foo-label"
- expression: "object.metadata.?labels.?foo.hasValue()"
- validate:
- cel:
- expressions:
- - expression: "false"
- message: "Setting the `foo` label on a Node is not allowed."
-
diff --git a/other-cel/restrict-pod-controller-serviceaccount-updates/.chainsaw-test/chainsaw-test.yaml b/other-cel/restrict-pod-controller-serviceaccount-updates/.chainsaw-test/chainsaw-test.yaml deleted file mode 100755 index d8398690b..000000000 --- a/other-cel/restrict-pod-controller-serviceaccount-updates/.chainsaw-test/chainsaw-test.yaml +++ /dev/null @@ -1,50 +0,0 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json -apiVersion: chainsaw.kyverno.io/v1alpha1 -kind: Test -metadata: - creationTimestamp: null - name: restrict-pod-controller-serviceaccount-updates -spec: - steps: - - name: step-01 - try: - - apply: - file: ../restrict-pod-controller-serviceaccount-updates.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: restrict-pod-controller-serviceaccount-updates - spec: - validationFailureAction: Enforce - - assert: - file: policy-ready.yaml - - name: step-02 - try: - - apply: - file: ns.yaml - - apply: - file: sa-01.yaml - - apply: - file: sa-02.yaml - - apply: - file: deployment.yaml - - apply: - file: cronjob.yaml - - name: step-03 - try: - - apply: - expect: - - check: - ($error != null): true - file: cronjob-bad-update.yaml - - apply: - expect: - - check: - ($error != null): true - file: deploy-bad-update.yaml - - apply: - file: cronjob-good-update.yaml - - apply: - file: deploy-good-update.yaml diff --git a/other-cel/restrict-pod-controller-serviceaccount-updates/.chainsaw-test/cronjob-bad-update.yaml b/other-cel/restrict-pod-controller-serviceaccount-updates/.chainsaw-test/cronjob-bad-update.yaml deleted file mode 100644 index 80a45123c..000000000 --- a/other-cel/restrict-pod-controller-serviceaccount-updates/.chainsaw-test/cronjob-bad-update.yaml +++ /dev/null 
@@ -1,15 +0,0 @@ -apiVersion: batch/v1 -kind: CronJob -metadata: - name: cronjob01 -spec: - schedule: "* * * * *" - jobTemplate: - spec: - template: - spec: - serviceAccountName: serviceaccount02 - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 - restartPolicy: OnFailure \ No newline at end of file diff --git a/other-cel/restrict-pod-controller-serviceaccount-updates/.chainsaw-test/cronjob-good-update.yaml b/other-cel/restrict-pod-controller-serviceaccount-updates/.chainsaw-test/cronjob-good-update.yaml deleted file mode 100644 index 004731f65..000000000 --- a/other-cel/restrict-pod-controller-serviceaccount-updates/.chainsaw-test/cronjob-good-update.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: batch/v1 -kind: CronJob -metadata: - name: cronjob01 -spec: - schedule: "* * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: Never \ No newline at end of file diff --git a/other-cel/restrict-pod-controller-serviceaccount-updates/.chainsaw-test/cronjob.yaml b/other-cel/restrict-pod-controller-serviceaccount-updates/.chainsaw-test/cronjob.yaml deleted file mode 100755 index 2a3a3a751..000000000 --- a/other-cel/restrict-pod-controller-serviceaccount-updates/.chainsaw-test/cronjob.yaml +++ /dev/null @@ -1,15 +0,0 @@ -apiVersion: batch/v1 -kind: CronJob -metadata: - name: cronjob01 -spec: - jobTemplate: - spec: - template: - spec: - containers: - - image: ghcr.io/kyverno/test-busybox:1.35 - name: busybox - restartPolicy: OnFailure - serviceAccountName: serviceaccount01 - schedule: '* * * * *' diff --git a/other-cel/restrict-pod-controller-serviceaccount-updates/.chainsaw-test/deploy-bad-update.yaml b/other-cel/restrict-pod-controller-serviceaccount-updates/.chainsaw-test/deploy-bad-update.yaml deleted file mode 100644 index 14a0fe7a6..000000000 --- a/other-cel/restrict-pod-controller-serviceaccount-updates/.chainsaw-test/deploy-bad-update.yaml +++ /dev/null 
@@ -1,21 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app: busybox - name: deployment01 -spec: - replicas: 1 - selector: - matchLabels: - app: busybox - strategy: {} - template: - metadata: - labels: - app: busybox - spec: - serviceAccountName: serviceaccount02 - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 \ No newline at end of file diff --git a/other-cel/restrict-pod-controller-serviceaccount-updates/.chainsaw-test/deploy-good-update.yaml b/other-cel/restrict-pod-controller-serviceaccount-updates/.chainsaw-test/deploy-good-update.yaml deleted file mode 100644 index f100a5052..000000000 --- a/other-cel/restrict-pod-controller-serviceaccount-updates/.chainsaw-test/deploy-good-update.yaml +++ /dev/null @@ -1,10 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app: busybox - name: deployment01 -spec: - template: - spec: - restartPolicy: Always \ No newline at end of file diff --git a/other-cel/restrict-pod-controller-serviceaccount-updates/.chainsaw-test/deployment.yaml b/other-cel/restrict-pod-controller-serviceaccount-updates/.chainsaw-test/deployment.yaml deleted file mode 100755 index 18bd07022..000000000 --- a/other-cel/restrict-pod-controller-serviceaccount-updates/.chainsaw-test/deployment.yaml +++ /dev/null @@ -1,21 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app: busybox - name: deployment01 -spec: - replicas: 1 - selector: - matchLabels: - app: busybox - strategy: {} - template: - metadata: - labels: - app: busybox - spec: - containers: - - image: ghcr.io/kyverno/test-busybox:1.35 - name: busybox - serviceAccountName: serviceaccount01 diff --git a/other-cel/restrict-pod-controller-serviceaccount-updates/.chainsaw-test/ns.yaml b/other-cel/restrict-pod-controller-serviceaccount-updates/.chainsaw-test/ns.yaml deleted file mode 100755 index e3688b96e..000000000 --- a/other-cel/restrict-pod-controller-serviceaccount-updates/.chainsaw-test/ns.yaml +++ /dev/null 
@@ -1,4 +0,0 @@ -apiVersion: v1 -kind: Namespace -metadata: - name: restrict-sa-ns diff --git a/other-cel/restrict-pod-controller-serviceaccount-updates/.chainsaw-test/policy-ready.yaml b/other-cel/restrict-pod-controller-serviceaccount-updates/.chainsaw-test/policy-ready.yaml deleted file mode 100755 index 9f02c6ee0..000000000 --- a/other-cel/restrict-pod-controller-serviceaccount-updates/.chainsaw-test/policy-ready.yaml +++ /dev/null @@ -1,10 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: restrict-pod-controller-serviceaccount-updates -status: - conditions: - - reason: Succeeded - status: "True" - type: Ready - diff --git a/other-cel/restrict-pod-controller-serviceaccount-updates/.chainsaw-test/sa-01.yaml b/other-cel/restrict-pod-controller-serviceaccount-updates/.chainsaw-test/sa-01.yaml deleted file mode 100755 index 71e72fad5..000000000 --- a/other-cel/restrict-pod-controller-serviceaccount-updates/.chainsaw-test/sa-01.yaml +++ /dev/null @@ -1,5 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount -metadata: - name: serviceaccount01 - namespace: restrict-sa-ns diff --git a/other-cel/restrict-pod-controller-serviceaccount-updates/.chainsaw-test/sa-02.yaml b/other-cel/restrict-pod-controller-serviceaccount-updates/.chainsaw-test/sa-02.yaml deleted file mode 100755 index 042c339a8..000000000 --- a/other-cel/restrict-pod-controller-serviceaccount-updates/.chainsaw-test/sa-02.yaml +++ /dev/null @@ -1,5 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount -metadata: - name: serviceaccount02 - namespace: restrict-sa-ns diff --git a/other-cel/restrict-pod-controller-serviceaccount-updates/artifacthub-pkg.yml b/other-cel/restrict-pod-controller-serviceaccount-updates/artifacthub-pkg.yml deleted file mode 100644 index 94461cb0c..000000000 --- a/other-cel/restrict-pod-controller-serviceaccount-updates/artifacthub-pkg.yml +++ /dev/null 
@@ -1,23 +0,0 @@
-name: restrict-pod-controller-serviceaccount-updates-cel
-version: 1.0.0
-displayName: Restrict Pod Controller ServiceAccount Updates in CEL expressions
-description: >-
- ServiceAccounts which have the ability to edit/patch workloads which they created may potentially use that privilege to update to a different ServiceAccount with higher privileges. This policy, intended to be run in `enforce` mode, blocks updates to Pod controllers if those updates modify the serviceAccountName field. Updates to Pods directly for this field are not possible as it is immutable once set.
-install: |-
- ```shell
- kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other-cel/restrict-pod-controller-serviceaccount-updates/restrict-pod-controller-serviceaccount-updates.yaml
- ```
-keywords:
- - kyverno
- - Other
- - CEL Expressions
-readme: |
- ServiceAccounts which have the ability to edit/patch workloads which they created may potentially use that privilege to update to a different ServiceAccount with higher privileges. This policy, intended to be run in `enforce` mode, blocks updates to Pod controllers if those updates modify the serviceAccountName field. Updates to Pods directly for this field are not possible as it is immutable once set.
-
- Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/
-annotations:
- kyverno/category: "Other in CEL"
- kyverno/kubernetesVersion: "1.26-1.27"
- kyverno/subject: "Pod"
-digest: a3447fb207a7640b2744570dbe01cc0816128a7b7e0776ac2febf6c5a4db0e77
-createdAt: "2024-05-20T04:20:28Z"
diff --git a/other-cel/restrict-pod-controller-serviceaccount-updates/restrict-pod-controller-serviceaccount-updates.yaml b/other-cel/restrict-pod-controller-serviceaccount-updates/restrict-pod-controller-serviceaccount-updates.yaml
deleted file mode 100644
index 81da09843..000000000
--- a/other-cel/restrict-pod-controller-serviceaccount-updates/restrict-pod-controller-serviceaccount-updates.yaml
+++ /dev/null
@@ -1,59 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
- name: restrict-pod-controller-serviceaccount-updates
- annotations:
- policies.kyverno.io/title: Restrict Pod Controller ServiceAccount Updates in CEL Expressions
- policies.kyverno.io/category: Other in CEL
- policies.kyverno.io/severity: Medium
- policies.kyverno.io/subject: Pod
- kyverno.io/kyverno-version: 1.12.1
- kyverno.io/kubernetes-version: "1.26-1.27"
- policies.kyverno.io/description: >-
- ServiceAccounts which have the ability to edit/patch workloads which they created
- may potentially use that privilege to update to a different ServiceAccount with higher
- privileges. This policy, intended to be run in `enforce` mode, blocks updates
- to Pod controllers if those updates modify the serviceAccountName field. Updates to Pods
- directly for this field are not possible as it is immutable once set.
-spec:
- validationFailureAction: Audit
- background: true
- rules:
- - name: block-serviceaccount-updates
- match:
- any:
- - resources:
- kinds:
- - DaemonSet
- - Deployment
- - Job
- - StatefulSet
- - ReplicaSet
- - ReplicationController
- celPreconditions:
- - name: "operation-should-be-update"
- expression: "request.operation == 'UPDATE'"
- validate:
- cel:
- expressions:
- - expression: >-
- object.spec.template.spec.?serviceAccountName.orValue('empty') == oldObject.spec.template.spec.?serviceAccountName.orValue('empty')
- message: >-
- The serviceAccountName field may not be changed once created.
- - name: block-serviceaccount-updates-cronjob
- match:
- any:
- - resources:
- kinds:
- - CronJob
- celPreconditions:
- - name: "operation-should-be-update"
- expression: "request.operation == 'UPDATE'"
- validate:
- cel:
- expressions:
- - expression: >-
- object.spec.jobTemplate.spec.template.spec.?serviceAccountName.orValue('empty') == oldObject.spec.jobTemplate.spec.template.spec.?serviceAccountName.orValue('empty')
- message: >-
- The serviceAccountName field may not be changed once created.
-
diff --git a/other-cel/restrict-sa-automount-sa-token/.chainsaw-test/bad-sa.yaml b/other-cel/restrict-sa-automount-sa-token/.chainsaw-test/bad-sa.yaml
deleted file mode 100644
index 89880f707..000000000
--- a/other-cel/restrict-sa-automount-sa-token/.chainsaw-test/bad-sa.yaml
+++ /dev/null
@@ -1,29 +0,0 @@
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: bad-sa-01
-automountServiceAccountToken: true
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- creationTimestamp: 2021-07-07T22:02:39Z
- name: bad-sa-02
- namespace: default
- uid: 052fb0f4-3d50-11e5-b066-42010af0d7b6
-automountServiceAccountToken: true
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- annotations:
- kubectl.kubernetes.io/last-applied-configuration: |
- {"apiVersion":"v1","kind":"ServiceAccount","metadata":{"annotations":{},"name":"example-automated-thing","namespace":"examplens"}}
- creationTimestamp: "2019-07-21T07:07:07Z"
- name: bad-sa-03
- namespace: default
- resourceVersion: "777"
- selfLink: /api/v1/namespaces/examplens/serviceaccounts/example-automated-thing
- uid: f23fd170-66f2-4697-b049-e1e266b7f835
-automountServiceAccountToken: true
-
diff --git a/other-cel/restrict-sa-automount-sa-token/.chainsaw-test/chainsaw-test.yaml b/other-cel/restrict-sa-automount-sa-token/.chainsaw-test/chainsaw-test.yaml
deleted file mode 100644
index a3a4c4c86..000000000
--- a/other-cel/restrict-sa-automount-sa-token/.chainsaw-test/chainsaw-test.yaml
+++ /dev/null
@@ -1,32 +0,0 @@
-# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
-apiVersion: chainsaw.kyverno.io/v1alpha1
-kind: Test
-metadata:
- creationTimestamp: null
- name: restrict-sa-automount-sa-token
-spec:
- steps:
- - name: step-01
- try:
- - apply:
- file: ../restrict-sa-automount-sa-token.yaml
- - patch:
- resource:
- apiVersion: kyverno.io/v1
- kind: ClusterPolicy
- metadata:
- name: restrict-sa-automount-sa-token
- spec:
- validationFailureAction: Enforce
- - assert:
- file: policy-ready.yaml
- - name: step-02
- try:
- - apply:
- file: good-sa.yaml
- - apply:
- expect:
- - check:
- ($error != null): true
- file: bad-sa.yaml
-
diff --git a/other-cel/restrict-sa-automount-sa-token/.chainsaw-test/good-sa.yaml b/other-cel/restrict-sa-automount-sa-token/.chainsaw-test/good-sa.yaml
deleted file mode 100644
index 953ae1484..000000000
--- a/other-cel/restrict-sa-automount-sa-token/.chainsaw-test/good-sa.yaml
+++ /dev/null
@@ -1,16 +0,0 @@
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: good-sa
- namespace: default
-automountServiceAccountToken: false
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- creationTimestamp: 2021-07-07T22:02:39Z
- name: good-sa-02
- namespace: default
- uid: 052fb0f4-3d50-11e5-b066-42010af0d7b6
-automountServiceAccountToken: false
-
diff --git a/other-cel/restrict-sa-automount-sa-token/.chainsaw-test/policy-ready.yaml b/other-cel/restrict-sa-automount-sa-token/.chainsaw-test/policy-ready.yaml
deleted file mode 100644
index 9216f115f..000000000
--- a/other-cel/restrict-sa-automount-sa-token/.chainsaw-test/policy-ready.yaml
+++ /dev/null
@@ -1,11 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
- name: restrict-sa-automount-sa-token
-status:
- conditions:
- - reason: Succeeded
- status: "True"
- type: Ready
-
-
diff --git a/other-cel/restrict-sa-automount-sa-token/.kyverno-test/kyverno-test.yaml b/other-cel/restrict-sa-automount-sa-token/.kyverno-test/kyverno-test.yaml
deleted file mode 100644
index 29e8dd191..000000000
--- a/other-cel/restrict-sa-automount-sa-token/.kyverno-test/kyverno-test.yaml
+++ /dev/null
@@ -1,22 +0,0 @@
-apiVersion: cli.kyverno.io/v1alpha1
-kind: Test
-metadata:
- name: restrict-sa-automount-sa-token
-policies:
-- ../restrict-sa-automount-sa-token.yaml
-resources:
-- resource.yaml
-results:
-- kind: ServiceAccount
- policy: restrict-sa-automount-sa-token
- resources:
- - bad-svc
- result: fail
- rule: validate-sa-automountServiceAccountToken
-- kind: ServiceAccount
- policy: restrict-sa-automount-sa-token
- resources:
- - good-svc
- result: pass
- rule: validate-sa-automountServiceAccountToken
-
diff --git a/other-cel/restrict-sa-automount-sa-token/.kyverno-test/resource.yaml b/other-cel/restrict-sa-automount-sa-token/.kyverno-test/resource.yaml
deleted file mode 100644
index 4952d7a9f..000000000
--- a/other-cel/restrict-sa-automount-sa-token/.kyverno-test/resource.yaml
+++ /dev/null
@@ -1,12 +0,0 @@
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: good-svc
-automountServiceAccountToken: false
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: bad-svc
-automountServiceAccountToken: true
-
diff --git a/other-cel/restrict-sa-automount-sa-token/artifacthub-pkg.yml b/other-cel/restrict-sa-automount-sa-token/artifacthub-pkg.yml
deleted file mode 100644
index 0abf531bb..000000000
--- a/other-cel/restrict-sa-automount-sa-token/artifacthub-pkg.yml
+++ /dev/null
@@ -1,32 +0,0 @@
-name: restrict-sa-automount-sa-token-cel
-version: 1.0.0
-displayName: Restrict Auto-Mount of Service Account Tokens in Service Account in CEL expressions
-description: >-
- Kubernetes automatically mounts ServiceAccount credentials in each ServiceAccount.
- The ServiceAccount may be assigned roles allowing Pods to access API resources.
- Blocking this ability is an extension of the least privilege best practice and should
- be followed if Pods do not need to speak to the API server to function.
- This policy ensures that mounting of these ServiceAccount tokens is blocked.
-install: |-
- ```shell
- kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other-cel/restrict-sa-automount-sa-token/restrict-sa-automount-sa-token.yaml
- ```
-keywords:
- - kyverno
- - Other
- - CEL Expressions
-readme: |
- Kubernetes automatically mounts ServiceAccount credentials in each ServiceAccount.
- The ServiceAccount may be assigned roles allowing Pods to access API resources.
- Blocking this ability is an extension of the least privilege best practice and should
- be followed if Pods do not need to speak to the API server to function.
- This policy ensures that mounting of these ServiceAccount tokens is blocked.
-
- Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/
-annotations:
- kyverno/category: "Security in CEL"
- kyverno/kubernetesVersion: "1.26-1.27"
- kyverno/subject: "ServiceAccount"
-digest: 5798ac8ef2989b7d9aa42c607f87b86c876bb7729afb5ba191b995f2ae3ffd99
-createdAt: "2024-04-18T18:11:04Z"
-
diff --git a/other-cel/restrict-sa-automount-sa-token/restrict-sa-automount-sa-token.yaml b/other-cel/restrict-sa-automount-sa-token/restrict-sa-automount-sa-token.yaml
deleted file mode 100644
index 8e490d262..000000000
--- a/other-cel/restrict-sa-automount-sa-token/restrict-sa-automount-sa-token.yaml
+++ /dev/null
@@ -1,36 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
- name: restrict-sa-automount-sa-token
- annotations:
- policies.kyverno.io/title: Restrict Auto-Mount of Service Account Tokens in Service Account in CEL expressions
- policies.kyverno.io/category: Security in CEL
- kyverno.io/kyverno-version: 1.11.0
- kyverno.io/kubernetes-version: "1.26-1.27"
- policies.kyverno.io/severity: medium
- policies.kyverno.io/subject: Secret,ServiceAccount
- policies.kyverno.io/description: >-
- Kubernetes automatically mounts ServiceAccount credentials in each ServiceAccount.
- The ServiceAccount may be assigned roles allowing Pods to access API resources.
- Blocking this ability is an extension of the least privilege best practice and should
- be followed if Pods do not need to speak to the API server to function.
- This policy ensures that mounting of these ServiceAccount tokens is blocked.
-spec:
- validationFailureAction: Audit
- background: true
- rules:
- - name: validate-sa-automountServiceAccountToken
- match:
- any:
- - resources:
- kinds:
- - ServiceAccount
- operations:
- - CREATE
- - UPDATE
- validate:
- cel:
- expressions:
- - expression: "object.?automountServiceAccountToken.orValue(true) == false"
- message: "ServiceAccounts must set automountServiceAccountToken to false."
-
diff --git a/other-cel/restrict-secret-role-verbs/.chainsaw-test/chainsaw-test.yaml b/other-cel/restrict-secret-role-verbs/.chainsaw-test/chainsaw-test.yaml
deleted file mode 100755
index 221a87950..000000000
--- a/other-cel/restrict-secret-role-verbs/.chainsaw-test/chainsaw-test.yaml
+++ /dev/null
@@ -1,39 +0,0 @@
-# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
-apiVersion: chainsaw.kyverno.io/v1alpha1
-kind: Test
-metadata:
- creationTimestamp: null
- name: restrict-secret-role-verbs
-spec:
- steps:
- - name: step-01
- try:
- - apply:
- file: ../restrict-secret-role-verbs.yaml
- - patch:
- resource:
- apiVersion: kyverno.io/v1
- kind: ClusterPolicy
- metadata:
- name: restrict-secret-role-verbs
- spec:
- validationFailureAction: Enforce
- - assert:
- file: policy-ready.yaml
- - name: step-02
- try:
- - apply:
- file: cr-good.yaml
- - apply:
- expect:
- - check:
- ($error != null): true
- file: cr-bad.yaml
- - apply:
- file: role-good.yaml
- - apply:
- expect:
- - check:
- ($error != null): true
- file: role-bad.yaml
-
diff --git a/other-cel/restrict-secret-role-verbs/.chainsaw-test/cr-bad.yaml b/other-cel/restrict-secret-role-verbs/.chainsaw-test/cr-bad.yaml
deleted file mode 100644
index 0e8c5ae8a..000000000
--- a/other-cel/restrict-secret-role-verbs/.chainsaw-test/cr-bad.yaml
+++ /dev/null
@@ -1,33 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: badcr01
-rules:
-- apiGroups: [""]
- resources: ["namespaces", "secrets", "pods"]
- verbs: ["get", "create"]
-- apiGroups: ["apps"]
- resources: ["deployments"]
- verbs: ["get", "watch", "list"]
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: badcr02
-rules:
-- apiGroups: ["apps"]
- resources: ["deployments"]
- verbs: ["get", "watch", "list"]
-- apiGroups: [""]
- resources: ["namespaces", "secrets", "pods"]
- verbs: ["create", "watch", "list"]
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: badcr03
-rules:
-- apiGroups: [""]
- resources: ["secrets"]
- verbs: ["update", "list", "create"]
-
diff --git a/other-cel/restrict-secret-role-verbs/.chainsaw-test/cr-good.yaml b/other-cel/restrict-secret-role-verbs/.chainsaw-test/cr-good.yaml
deleted file mode 100644
index 35f80ef44..000000000
--- a/other-cel/restrict-secret-role-verbs/.chainsaw-test/cr-good.yaml
+++ /dev/null
@@ -1,41 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: goodcr01
-rules:
-- apiGroups: [""]
- resources: ["pods", "namespaces"]
- verbs: ["get", "watch", "list"]
-- apiGroups: ["apps"]
- resources: ["deployments"]
- verbs: ["get", "watch", "list"]
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: goodcr02
-rules:
-- apiGroups: [""]
- resources: ["pods"]
- verbs: ["get", "watch", "list"]
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: goodcr03
-rules:
-- apiGroups: [""]
- resources: ["secrets"]
- verbs: ["create", "update", "patch"]
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: empty-rules
-rules:
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: omitted-rules
----
diff --git a/other-cel/restrict-secret-role-verbs/.chainsaw-test/policy-ready.yaml b/other-cel/restrict-secret-role-verbs/.chainsaw-test/policy-ready.yaml
deleted file mode 100755
index 31cc263e5..000000000
--- a/other-cel/restrict-secret-role-verbs/.chainsaw-test/policy-ready.yaml
+++ /dev/null
@@ -1,11 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
- name: restrict-secret-role-verbs
-status:
- conditions:
- - reason: Succeeded
- status: "True"
- type: Ready
-
-
diff --git a/other-cel/restrict-secret-role-verbs/.chainsaw-test/role-bad.yaml b/other-cel/restrict-secret-role-verbs/.chainsaw-test/role-bad.yaml
deleted file mode 100644
index fbfc92ad8..000000000
--- a/other-cel/restrict-secret-role-verbs/.chainsaw-test/role-bad.yaml
+++ /dev/null
@@ -1,33 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
- name: badcr01
-rules:
-- apiGroups: [""]
- resources: ["namespaces", "secrets", "pods"]
- verbs: ["get", "create"]
-- apiGroups: ["apps"]
- resources: ["deployments"]
- verbs: ["get", "watch", "list"]
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
- name: badcr02
-rules:
-- apiGroups: ["apps"]
- resources: ["deployments"]
- verbs: ["get", "watch", "list"]
-- apiGroups: [""]
- resources: ["namespaces", "secrets", "pods"]
- verbs: ["create", "watch", "list"]
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
- name: badcr03
-rules:
-- apiGroups: [""]
- resources: ["secrets"]
- verbs: ["update", "list", "create"]
-
diff --git a/other-cel/restrict-secret-role-verbs/.chainsaw-test/role-good.yaml b/other-cel/restrict-secret-role-verbs/.chainsaw-test/role-good.yaml
deleted file mode 100644
index c252062bb..000000000
--- a/other-cel/restrict-secret-role-verbs/.chainsaw-test/role-good.yaml
+++ /dev/null
@@ -1,41 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
- name: goodcr01
-rules:
-- apiGroups: [""]
- resources: ["pods", "namespaces"]
- verbs: ["get", "watch", "list"]
-- apiGroups: ["apps"]
- resources: ["deployments"]
- verbs: ["get", "watch", "list"]
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
- name: goodcr02
-rules:
-- apiGroups: [""]
- resources: ["pods"]
- verbs: ["get", "watch", "list"]
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
- name: goodcr03
-rules:
-- apiGroups: [""]
- resources: ["secrets"]
- verbs: ["create", "update", "patch"]
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
- name: omitted-rules
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
- name: empty-rules
-rules:
----
diff --git a/other-cel/restrict-secret-role-verbs/.kyverno-test/kyverno-test.yaml b/other-cel/restrict-secret-role-verbs/.kyverno-test/kyverno-test.yaml
deleted file mode 100644
index 6373017eb..000000000
--- a/other-cel/restrict-secret-role-verbs/.kyverno-test/kyverno-test.yaml
+++ /dev/null
@@ -1,44 +0,0 @@
-apiVersion: cli.kyverno.io/v1alpha1
-kind: Test
-metadata:
- name: restrict-secret-role-verbs
-policies:
-- ../restrict-secret-role-verbs.yaml
-resources:
-- resource.yaml
-results:
-- kind: ClusterRole
- policy: restrict-secret-role-verbs
- resources:
- - badcr01
- - badcr02
- - badcr03
- result: fail
- rule: secret-verbs
-- kind: ClusterRole
- policy: restrict-secret-role-verbs
- resources:
- - goodcr01
- - goodcr02
- - goodcr03
- - default-rules
- result: pass
- rule: secret-verbs
-- kind: Role
- policy: restrict-secret-role-verbs
- resources:
- - badrole01
- - badrole02
- - badrole03
- result: fail
- rule: secret-verbs
-- kind: Role
- policy: restrict-secret-role-verbs
- resources:
- - goodrole01
- - goodrole02
- - goodrole03
- - default-rules
- result: pass
- rule: secret-verbs
-
diff --git a/other-cel/restrict-secret-role-verbs/.kyverno-test/resource.yaml b/other-cel/restrict-secret-role-verbs/.kyverno-test/resource.yaml
deleted file mode 100644
index b4cc6f887..000000000
--- a/other-cel/restrict-secret-role-verbs/.kyverno-test/resource.yaml
+++ /dev/null
@@ -1,143 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: badcr01
-rules:
-- apiGroups: [""]
- resources: ["namespaces", "secrets", "pods"]
- verbs: ["get", "create"]
-- apiGroups: ["apps"]
- resources: ["deployments"]
- verbs: ["get", "watch", "list"]
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: badcr02
-rules:
-- apiGroups: ["apps"]
- resources: ["deployments"]
- verbs: ["get", "watch", "list"]
-- apiGroups: [""]
- resources: ["namespaces", "secrets", "pods"]
- verbs: ["create", "watch", "list"]
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: badcr03
-rules:
-- apiGroups: [""]
- resources: ["secrets"]
- verbs: ["update", "list", "create"]
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: goodcr01
-rules:
-- apiGroups: [""]
- resources: ["pods", "namespaces"]
- verbs: ["get", "watch", "list"]
-- apiGroups: ["apps"]
- resources: ["deployments"]
- verbs: ["get", "watch", "list"]
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: goodcr02
-rules:
-- apiGroups: [""]
- resources: ["pods"]
- verbs: ["get", "watch", "list"]
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: goodcr03
-rules:
-- apiGroups: [""]
- resources: ["secrets"]
- verbs: ["create", "update", "patch"]
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
- name: badrole01
-rules:
-- apiGroups: [""]
- resources: ["namespaces", "secrets", "pods"]
- verbs: ["get", "create"]
-- apiGroups: ["apps"]
- resources: ["deployments"]
- verbs: ["get", "watch", "list"]
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
- name: badrole02
-rules:
-- apiGroups: ["apps"]
- resources: ["deployments"]
- verbs: ["get", "watch", "list"]
-- apiGroups: [""]
- resources: ["namespaces", "secrets", "pods"]
- verbs: ["create", "watch", "list"]
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
- name: badrole03
-rules:
-- apiGroups: [""]
- resources: ["secrets"]
- verbs: ["update", "list", "create"]
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
- name: goodrole01
-rules:
-- apiGroups: [""]
- resources: ["pods", "namespaces"]
- verbs: ["get", "watch", "list"]
-- apiGroups: ["apps"]
- resources: ["deployments"]
- verbs: ["get", "watch", "list"]
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
- name: goodrole02
-rules:
-- apiGroups: [""]
- resources: ["pods"]
- verbs: ["get", "watch", "list"]
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
- name: goodrole03
-rules:
-- apiGroups: [""]
- resources: ["secrets"]
- verbs: ["create", "update", "patch"]
----
-# In the manifest, if the 'rules' field is not specified or is specified as 'rules: ' without a value,
-# it will be set to null by default when created in the cluster
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: default-rules
-rules: null
----
-# In the manifest, if the 'rules' field is not specified or is specified as 'rules: ' without a value,
-# it will be set to null by default when created in the cluster
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
- name: default-rules
-rules: null
----
-
diff --git a/other-cel/restrict-secret-role-verbs/artifacthub-pkg.yml b/other-cel/restrict-secret-role-verbs/artifacthub-pkg.yml
deleted file mode 100644
index 36daa4920..000000000
--- a/other-cel/restrict-secret-role-verbs/artifacthub-pkg.yml
+++ /dev/null
@@ -1,24 +0,0 @@
-name: restrict-secret-role-verbs-cel
-version: 1.0.0
-displayName: Restrict Secret Verbs in Roles in CEL expressions
-description: >-
- The verbs `get`, `list`, and `watch` in a Role or ClusterRole, when paired with the Secrets resource, effectively allows Secrets to be read which may expose sensitive information. This policy prevents a Role or ClusterRole from using these verbs in tandem with Secret resources. In order to fully implement this control, it is recommended to pair this policy with another which also prevents use of the wildcard ('*') in the verbs list either when explicitly naming Secrets or when also using a wildcard in the base API group.
-install: |-
- ```shell
- kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other-cel/restrict-secret-role-verbs/restrict-secret-role-verbs.yaml
- ```
-keywords:
- - kyverno
- - Security
- - CEL Expressions
-readme: |
- The verbs `get`, `list`, and `watch` in a Role or ClusterRole, when paired with the Secrets resource, effectively allows Secrets to be read which may expose sensitive information. This policy prevents a Role or ClusterRole from using these verbs in tandem with Secret resources. In order to fully implement this control, it is recommended to pair this policy with another which also prevents use of the wildcard ('*') in the verbs list either when explicitly naming Secrets or when also using a wildcard in the base API group.
-
- Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/
-annotations:
- kyverno/category: "Security in CEL"
- kyverno/kubernetesVersion: "1.26-1.27"
- kyverno/subject: "Role, ClusterRole, RBAC"
-digest: b3da9edeb06922d1f3c79a86b009b7bb3f8f5970791fcc839569fd238dfda97b
-createdAt: "2024-04-19T16:41:34Z"
-
diff --git a/other-cel/restrict-secret-role-verbs/restrict-secret-role-verbs.yaml b/other-cel/restrict-secret-role-verbs/restrict-secret-role-verbs.yaml
deleted file mode 100644
index 173e950a9..000000000
--- a/other-cel/restrict-secret-role-verbs/restrict-secret-role-verbs.yaml
+++ /dev/null
@@ -1,45 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
- name: restrict-secret-role-verbs
- annotations:
- policies.kyverno.io/title: Restrict Secret Verbs in Roles in CEL expressions
- policies.kyverno.io/category: Security in CEL
- policies.kyverno.io/severity: medium
- policies.kyverno.io/subject: Role, ClusterRole, RBAC
- kyverno.io/kyverno-version: 1.11.0
- policies.kyverno.io/minversion: 1.11.0
- kyverno.io/kubernetes-version: "1.26-1.27"
- policies.kyverno.io/description: >-
- The verbs `get`, `list`, and `watch` in a Role or ClusterRole, when paired with the Secrets resource, effectively
- allows Secrets to be read which may expose sensitive information. This policy prevents
- a Role or ClusterRole from using these verbs in tandem with Secret resources. In order to
- fully implement this control, it is recommended to pair this policy with another which
- also prevents use of the wildcard ('*') in the verbs list either when explicitly naming Secrets
- or when also using a wildcard in the base API group.
-spec:
- validationFailureAction: Audit
- background: true
- rules:
- - name: secret-verbs
- match:
- any:
- - resources:
- kinds:
- - Role
- - ClusterRole
- operations:
- - CREATE
- - UPDATE
- validate:
- cel:
- variables:
- - name: forbiddenVerbs
- expression: "['get','list','watch']"
- expressions:
- - expression: >-
- object.rules == null ||
- !object.rules.exists(rule,
- 'secrets' in rule.resources && rule.verbs.exists(verb, verb in variables.forbiddenVerbs))
- message: "Requesting verbs `get`, `list`, or `watch` on Secrets is forbidden."
-
diff --git a/other-cel/restrict-secrets-by-name/.chainsaw-test/chainsaw-test.yaml b/other-cel/restrict-secrets-by-name/.chainsaw-test/chainsaw-test.yaml
deleted file mode 100755
index 7e4b9719a..000000000
--- a/other-cel/restrict-secrets-by-name/.chainsaw-test/chainsaw-test.yaml
+++ /dev/null
@@ -1,41 +0,0 @@
-# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
-apiVersion: chainsaw.kyverno.io/v1alpha1
-kind: Test
-metadata:
- creationTimestamp: null
- name: restrict-secrets-by-name
-spec:
- # disable templating because it can cause issues with CEL expressions
- template: false
- steps:
- - name: step-01
- try:
- - apply:
- file: ../restrict-secrets-by-name.yaml
- - patch:
- resource:
- apiVersion: kyverno.io/v1
- kind: ClusterPolicy
- metadata:
- name: restrict-secrets-by-name
- spec:
- validationFailureAction: Enforce
- - assert:
- file: policy-ready.yaml
- - name: step-02
- try:
- - apply:
- file: pod-good.yaml
- - apply:
- expect:
- - check:
- ($error != null): true
- file: pod-bad.yaml
- - apply:
- file: podcontroller-good.yaml
- - apply:
- expect:
- - check:
- ($error != null): true
- file: podcontroller-bad.yaml
-
diff --git a/other-cel/restrict-secrets-by-name/.chainsaw-test/pod-bad.yaml b/other-cel/restrict-secrets-by-name/.chainsaw-test/pod-bad.yaml
deleted file mode 100644
index 4d7d44e79..000000000
--- a/other-cel/restrict-secrets-by-name/.chainsaw-test/pod-bad.yaml
+++ /dev/null
@@ -1,93 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
- name: badpod01
-spec:
- containers:
- - name: busybox
- image: ghcr.io/kyverno/test-busybox:1.35
- - name: busybox02
- image: ghcr.io/kyverno/test-busybox:1.35
- env:
- - name: ENV_SECRET
- valueFrom:
- secretKeyRef:
- name: top-secret
- key: foo
----
-apiVersion: v1
-kind: Pod
-metadata:
- name: badpod02
-spec:
- initContainers:
- - name: busybox-init
- image: ghcr.io/kyverno/test-busybox:1.35
- - name: busybox02-init
- image: ghcr.io/kyverno/test-busybox:1.35
- env:
- - name: ENV_FOO
- value: "bar"
- - name: ENV_SECRET
- valueFrom:
- secretKeyRef:
- name: top-secret
- key: foo
- containers:
- - name: busybox
- image: ghcr.io/kyverno/test-busybox:1.35
- - name: busybox02
- image: ghcr.io/kyverno/test-busybox:1.35
- env:
- - name: ENV_SECRET
- valueFrom:
- secretKeyRef:
- name: safe-secret
- key: foo
----
-apiVersion: v1
-kind: Pod
-metadata:
- name: badpod03
-spec:
- initContainers:
- - name: busybox-init
- image: ghcr.io/kyverno/test-busybox:1.35
- envFrom:
- - secretRef:
- name: safe-secret
- - name: busybox02-init
- image: ghcr.io/kyverno/test-busybox:1.35
- containers:
- - name: busybox
- image: ghcr.io/kyverno/test-busybox:1.35
- envFrom:
- - secretRef:
- name: top-secret
- - name: busybox02
- image: ghcr.io/kyverno/test-busybox:1.35
- env:
- - name: ENV_SECRET
- valueFrom:
- secretKeyRef:
- name: safe-secret
- key: foo
----
-apiVersion: v1
-kind: Pod
-metadata:
- name: badpod04
-spec:
- containers:
- - name: busybox
- image: ghcr.io/kyverno/test-busybox:1.35
- - name: busybox02
- image: ghcr.io/kyverno/test-busybox:1.35
- volumes:
- - name: not-secret-volume
- secret:
- secretName: safe-secret
- - name: secret-volume
- secret:
- secretName: top-secret
-
diff --git a/other-cel/restrict-secrets-by-name/.chainsaw-test/pod-good.yaml b/other-cel/restrict-secrets-by-name/.chainsaw-test/pod-good.yaml
deleted file mode 100644
index 41dd30666..000000000
--- a/other-cel/restrict-secrets-by-name/.chainsaw-test/pod-good.yaml
+++ /dev/null
@@ -1,92 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
- name: goodpod01
-spec:
- containers:
- - name: busybox
- image: ghcr.io/kyverno/test-busybox:1.35
- - name: busybox02
- image: ghcr.io/kyverno/test-busybox:1.35
- env:
- - name: ENV_SECRET
- valueFrom:
- secretKeyRef:
- name: safe-secret
- key: foo
----
-apiVersion: v1
-kind: Pod
-metadata:
- name: goodpod02
-spec:
- initContainers:
- - name: busybox-init
- image: ghcr.io/kyverno/test-busybox:1.35
- - name: busybox02-init
- image: ghcr.io/kyverno/test-busybox:1.35
- env:
- - name: ENV_FOO
- value: "bar"
- - name: ENV_SECRET
- valueFrom:
- secretKeyRef:
- name: safe-secret
- key: foo
- containers:
- - name: busybox
- image: ghcr.io/kyverno/test-busybox:1.35
- - name: busybox02
- image: ghcr.io/kyverno/test-busybox:1.35
- env:
- - name: ENV_SECRET
- valueFrom:
- secretKeyRef:
- name: safe-secret
- key: foo
----
-apiVersion: v1
-kind: Pod
-metadata:
- name: goodpod03
-spec:
- initContainers:
- - name: busybox-init
- image: ghcr.io/kyverno/test-busybox:1.35
- envFrom:
- - secretRef:
- name: safe-secret
- - name: busybox02-init
- image: ghcr.io/kyverno/test-busybox:1.35
- containers:
- - name: busybox
- image: ghcr.io/kyverno/test-busybox:1.35
- envFrom:
- - secretRef:
- name: safe-secret
- - name: busybox02
- image: ghcr.io/kyverno/test-busybox:1.35
- env:
- - name: ENV_SECRET
- valueFrom:
- secretKeyRef:
- name: safe-secret
- key: foo
----
-apiVersion: v1
-kind: Pod
-metadata:
- name: goodpod04
-spec:
- containers:
- - name: busybox
- image: ghcr.io/kyverno/test-busybox:1.35
- - name: busybox02
- image: ghcr.io/kyverno/test-busybox:1.35
- volumes:
- - name: empty-volume
- emptyDir: {}
- - name: secret-volume
- secret:
- secretName: safe-secret
-
diff --git a/other-cel/restrict-secrets-by-name/.chainsaw-test/podcontroller-bad.yaml b/other-cel/restrict-secrets-by-name/.chainsaw-test/podcontroller-bad.yaml
deleted file mode 100644
index abba08fa6..000000000
--- a/other-cel/restrict-secrets-by-name/.chainsaw-test/podcontroller-bad.yaml
+++ /dev/null
@@ -1,122 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app: busybox - name: baddeployment01 -spec: - replicas: 1 - selector: - matchLabels: - app: busybox - strategy: {} - template: - metadata: - labels: - app: busybox - spec: - initContainers: - - name: busybox-init - image: ghcr.io/kyverno/test-busybox:1.35 - envFrom: - - secretRef: - name: safe-secret - - name: busybox02-init - image: ghcr.io/kyverno/test-busybox:1.35 - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 - - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 - env: - - name: ENV_FOO - value: "bar" - - name: ENV_SECRET - valueFrom: - secretKeyRef: - name: top-secret - key: foo ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app: busybox - name: baddeployment02 -spec: - replicas: 1 - selector: - matchLabels: - app: busybox - strategy: {} - template: - metadata: - labels: - app: busybox - spec: - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 - - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 - volumes: - - name: secret-volume - secret: - secretName: top-secret ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob01 -spec: - schedule: "* * * * *" - jobTemplate: - spec: - template: - spec: - initContainers: - - name: busybox-init - image: ghcr.io/kyverno/test-busybox:1.35 - envFrom: - - secretRef: - name: top-secret - - name: busybox02-init - image: ghcr.io/kyverno/test-busybox:1.35 - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 - - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 - env: - - name: ENV_FOO - value: "bar" - - name: ENV_SECRET - valueFrom: - secretKeyRef: - name: safe-secret - key: foo - restartPolicy: OnFailure ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob02 -spec: - schedule: "* * * * *" - jobTemplate: - spec: - template: - spec: - containers: - - name: busybox - image: 
ghcr.io/kyverno/test-busybox:1.35 - - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 - volumes: - - name: empty-volume - emptyDir: {} - - name: secret-volume - secret: - secretName: top-secret - restartPolicy: OnFailure - diff --git a/other-cel/restrict-secrets-by-name/.chainsaw-test/podcontroller-good.yaml b/other-cel/restrict-secrets-by-name/.chainsaw-test/podcontroller-good.yaml deleted file mode 100644 index c420fd89b..000000000 --- a/other-cel/restrict-secrets-by-name/.chainsaw-test/podcontroller-good.yaml +++ /dev/null 
@@ -1,122 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app: busybox - name: gooddeployment01 -spec: - replicas: 1 - selector: - matchLabels: - app: busybox - strategy: {} - template: - metadata: - labels: - app: busybox - spec: - initContainers: - - name: busybox-init - image: ghcr.io/kyverno/test-busybox:1.35 - envFrom: - - secretRef: - name: safe-secret - - name: busybox02-init - image: ghcr.io/kyverno/test-busybox:1.35 - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 - - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 - env: - - name: ENV_FOO - value: "bar" - - name: ENV_SECRET - valueFrom: - secretKeyRef: - name: safe-secret - key: foo ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app: busybox - name: gooddeployment02 -spec: - replicas: 1 - selector: - matchLabels: - app: busybox - strategy: {} - template: - metadata: - labels: - app: busybox - spec: - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 - - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 - volumes: - - name: secret-volume - secret: - secretName: safe-secret ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob01 -spec: - schedule: "* * * * *" - jobTemplate: - spec: - template: - spec: - initContainers: - - name: busybox-init - image: ghcr.io/kyverno/test-busybox:1.35 - envFrom: - - secretRef: - name: safe-secret - - name: busybox02-init - image: ghcr.io/kyverno/test-busybox:1.35 - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 - - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 - env: - - name: ENV_FOO - value: "bar" - - name: ENV_SECRET - valueFrom: - secretKeyRef: - name: safe-secret - key: foo - restartPolicy: OnFailure ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob02 -spec: - schedule: "* * * * *" - jobTemplate: - spec: - template: - spec: - containers: - - name: busybox - image: 
ghcr.io/kyverno/test-busybox:1.35 - - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 - volumes: - - name: empty-volume - emptyDir: {} - - name: secret-volume - secret: - secretName: safe-secret - restartPolicy: OnFailure - diff --git a/other-cel/restrict-secrets-by-name/.chainsaw-test/policy-ready.yaml b/other-cel/restrict-secrets-by-name/.chainsaw-test/policy-ready.yaml deleted file mode 100755 index 212ceb7d6..000000000 --- a/other-cel/restrict-secrets-by-name/.chainsaw-test/policy-ready.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: restrict-secrets-by-name -status: - conditions: - - reason: Succeeded - status: "True" - type: Ready - - diff --git a/other-cel/restrict-secrets-by-name/.kyverno-test/kyverno-test.yaml b/other-cel/restrict-secrets-by-name/.kyverno-test/kyverno-test.yaml deleted file mode 100644 index 589fe0f88..000000000 --- a/other-cel/restrict-secrets-by-name/.kyverno-test/kyverno-test.yaml +++ /dev/null 
@@ -1,64 +0,0 @@ -apiVersion: cli.kyverno.io/v1alpha1 -kind: Test -metadata: - name: test-secrets-policy -policies: -- ../restrict-secrets-by-name.yaml -resources: -- resource.yaml -results: -- kind: Deployment - policy: restrict-secrets-by-name - resources: - - bad-deploy-env - result: fail - rule: safe-secrets-from-env -- kind: Pod - policy: restrict-secrets-by-name - resources: - - bad-pod-env - result: fail - rule: safe-secrets-from-env -- kind: Pod - policy: restrict-secrets-by-name - resources: - - good-pod-all - result: pass - rule: safe-secrets-from-env -- kind: Deployment - policy: restrict-secrets-by-name - resources: - - bad-deploy-envfrom - result: fail - rule: safe-secrets-from-envfrom -- kind: Pod - policy: restrict-secrets-by-name - resources: - - bad-pod-envfrom - result: fail - rule: safe-secrets-from-envfrom -- kind: Pod - policy: restrict-secrets-by-name - resources: - - good-pod-all - result: pass - rule: safe-secrets-from-envfrom -- kind: Deployment - policy: restrict-secrets-by-name - resources: - - bad-deploy-vol - result: fail - rule: safe-secrets-from-volumes -- kind: Pod - policy: restrict-secrets-by-name - resources: - - bad-pod-vol - result: fail - rule: safe-secrets-from-volumes -- kind: Pod - policy: restrict-secrets-by-name - resources: - - good-pod-all - result: pass - rule: safe-secrets-from-volumes - diff --git a/other-cel/restrict-secrets-by-name/.kyverno-test/resource.yaml b/other-cel/restrict-secrets-by-name/.kyverno-test/resource.yaml deleted file mode 100644 index b5284b320..000000000 --- a/other-cel/restrict-secrets-by-name/.kyverno-test/resource.yaml +++ /dev/null 
@@ -1,182 +0,0 @@ ---- -apiVersion: v1 -kind: Pod -metadata: - name: good-pod-all - labels: - name: kyvernopod -spec: - automountServiceAccountToken: false - initContainers: - - name: initbusybox-harbor - image: busybox:1.28 - command: ["sleep", "9999"] - env: - - name: initsomething - valueFrom: - secretKeyRef: - name: safe-foo - key: bar - envFrom: - - secretRef: - name: safe-secured - containers: - - name: busybox - image: busybox:1.28 - command: ["sleep", "9999"] - env: - - name: something - valueFrom: - secretKeyRef: - name: safe-foo - key: bar - - name: somethingelse - valueFrom: - secretKeyRef: - name: safe-umbru - key: bissel - envFrom: - - secretRef: - name: safe-secured - volumes: - - name: supersecret - secret: - secretName: safe-testing - - name: vol1 - secret: - secretName: safe-secret - - name: vol2 - secret: - secretName: safe-moresecret ---- -apiVersion: v1 -kind: Pod -metadata: - name: bad-pod-env - labels: - name: kyvernopod -spec: - automountServiceAccountToken: false - containers: - - name: busybox - image: busybox:1.28 - command: ["sleep", "9999"] - env: - - name: something - valueFrom: - secretKeyRef: - name: bad-foo - key: bar ---- -apiVersion: v1 -kind: Pod -metadata: - name: bad-pod-envfrom - labels: - name: kyvernopod -spec: - automountServiceAccountToken: false - containers: - - name: busybox - image: busybox:1.28 - command: ["sleep", "9999"] - envFrom: - - secretRef: - name: bad-secured ---- -apiVersion: v1 -kind: Pod -metadata: - name: bad-pod-vol - labels: - name: kyvernopod -spec: - automountServiceAccountToken: false - containers: - - name: busybox - image: busybox:1.28 - command: ["sleep", "9999"] - volumes: - - name: mysecret - secret: - secretName: boo-secret ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: bad-deploy-env - labels: - blog: forward -spec: - replicas: 1 - selector: - matchLabels: - blog: forward - template: - metadata: - labels: - blog: forward - spec: - automountServiceAccountToken: false - 
containers: - - name: busybox - image: busybox:1.28 - command: ["sleep", "9999"] - env: - - name: something - valueFrom: - secretKeyRef: - name: bad-foo - key: bar ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: bad-deploy-envfrom - labels: - blog: forward -spec: - replicas: 1 - selector: - matchLabels: - blog: forward - template: - metadata: - labels: - blog: forward - spec: - automountServiceAccountToken: false - containers: - - name: busybox - image: busybox:1.28 - command: ["sleep", "9999"] - envFrom: - - secretRef: - name: bad-secured ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: bad-deploy-vol - labels: - blog: forward -spec: - replicas: 1 - selector: - matchLabels: - blog: forward - template: - metadata: - labels: - blog: forward - spec: - automountServiceAccountToken: false - containers: - - name: busybox - image: busybox:1.28 - command: ["sleep", "9999"] - volumes: - - name: mysecret - secret: - secretName: boo-secret - diff --git a/other-cel/restrict-secrets-by-name/artifacthub-pkg.yml b/other-cel/restrict-secrets-by-name/artifacthub-pkg.yml deleted file mode 100644 index a8670cea7..000000000 --- a/other-cel/restrict-secrets-by-name/artifacthub-pkg.yml +++ /dev/null 
@@ -1,24 +0,0 @@ -name: restrict-secrets-by-name-cel -version: 1.0.0 -displayName: Restrict Secrets by Name in CEL expressions -description: >- - Secrets often contain sensitive information and their access should be carefully controlled. Although Kubernetes RBAC can be effective at restricting them in several ways, it lacks the ability to use wildcards in resource names. This policy ensures that only Secrets beginning with the name `safe-` can be consumed by Pods. In order to work effectively, this policy needs to be paired with a separate policy or rule to require `automountServiceAccountToken=false` since this would otherwise result in a Secret being mounted. -install: |- - ```shell - kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other-cel/restrict-secrets-by-name/restrict-secrets-by-name.yaml - ``` -keywords: - - kyverno - - Other - - CEL Expressions -readme: | - Secrets often contain sensitive information and their access should be carefully controlled. Although Kubernetes RBAC can be effective at restricting them in several ways, it lacks the ability to use wildcards in resource names. This policy ensures that only Secrets beginning with the name `safe-` can be consumed by Pods. In order to work effectively, this policy needs to be paired with a separate policy or rule to require `automountServiceAccountToken=false` since this would otherwise result in a Secret being mounted. - - Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ -annotations: - kyverno/category: "Other in CEL" - kyverno/kubernetesVersion: "1.26-1.27" - kyverno/subject: "Pod, Secret" -digest: 2095949d1b1569b58d0848ee30f97f6b82b283d12c7e8558f1a2fd891a114f80 -createdAt: "2024-04-20T16:40:34Z" - diff --git a/other-cel/restrict-secrets-by-name/restrict-secrets-by-name.yaml b/other-cel/restrict-secrets-by-name/restrict-secrets-by-name.yaml deleted file mode 100644 index eb1d5b808..000000000 
--- a/other-cel/restrict-secrets-by-name/restrict-secrets-by-name.yaml +++ /dev/null 
@@ -1,79 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: restrict-secrets-by-name - annotations: - policies.kyverno.io/title: Restrict Secrets by Name in CEL expressions - policies.kyverno.io/category: Other in CEL - policies.kyverno.io/subject: Pod, Secret - kyverno.io/kyverno-version: 1.11.0 - kyverno.io/kubernetes-version: "1.26-1.27" - policies.kyverno.io/description: >- - Secrets often contain sensitive information and their access should be carefully controlled. - Although Kubernetes RBAC can be effective at restricting them in several ways, - it lacks the ability to use wildcards in resource names. This policy ensures - that only Secrets beginning with the name `safe-` can be consumed by Pods. - In order to work effectively, this policy needs to be paired with a separate policy - or rule to require `automountServiceAccountToken=false` since this would otherwise - result in a Secret being mounted. -spec: - background: false - validationFailureAction: Audit - rules: - - name: safe-secrets-from-env - match: - any: - - resources: - kinds: - - Pod - operations: - - CREATE - - UPDATE - validate: - cel: - variables: - - name: allContainers - expression: "object.spec.containers + object.spec.?initContainers.orValue([]) + object.spec.?ephemeralContainers.orValue([])" - expressions: - - expression: >- - variables.allContainers.all(container, - container.?env.orValue([]).all(env, - env.?valueFrom.?secretKeyRef.?name.orValue('safe-').startsWith("safe-"))) - message: "Only Secrets beginning with `safe-` may be consumed in env statements." 
- - name: safe-secrets-from-envfrom - match: - any: - - resources: - kinds: - - Pod - operations: - - CREATE - - UPDATE - validate: - cel: - variables: - - name: allContainers - expression: "object.spec.containers + object.spec.?initContainers.orValue([]) + object.spec.?ephemeralContainers.orValue([])" - expressions: - - expression: >- - variables.allContainers.all(container, - container.?envFrom.orValue([]).all(env, - env.?secretRef.?name.orValue('safe-').startsWith("safe-"))) - message: "Only Secrets beginning with `safe-` may be consumed in envFrom statements." - - name: safe-secrets-from-volumes - match: - any: - - resources: - kinds: - - Pod - operations: - - CREATE - - UPDATE - validate: - cel: - expressions: - - expression: >- - object.spec.?volumes.orValue([]).all(volume, - volume.?secret.?secretName.orValue('safe-').startsWith("safe-")) - message: "Only Secrets beginning with `safe-` may be consumed in volumes." - diff --git a/other-cel/restrict-service-port-range/.chainsaw-test/chainsaw-test.yaml b/other-cel/restrict-service-port-range/.chainsaw-test/chainsaw-test.yaml deleted file mode 100755 index 5a47d722b..000000000 --- a/other-cel/restrict-service-port-range/.chainsaw-test/chainsaw-test.yaml +++ /dev/null @@ -1,32 +0,0 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json -apiVersion: chainsaw.kyverno.io/v1alpha1 -kind: Test -metadata: - creationTimestamp: null - name: restrict-service-port-range -spec: - steps: - - name: step-01 - try: - - apply: - file: ../restrict-service-port-range.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: restrict-service-port-range - spec: - validationFailureAction: Enforce - - assert: - file: policy-ready.yaml - - name: step-02 - try: - - apply: - file: svc-good.yaml - - apply: - expect: - - check: - ($error != null): true - file: svc-bad.yaml - 
diff --git a/other-cel/restrict-service-port-range/.chainsaw-test/policy-ready.yaml b/other-cel/restrict-service-port-range/.chainsaw-test/policy-ready.yaml deleted file mode 100755 index 2c94a352f..000000000 --- a/other-cel/restrict-service-port-range/.chainsaw-test/policy-ready.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: restrict-service-port-range -status: - conditions: - - reason: Succeeded - status: "True" - type: Ready - - diff --git a/other-cel/restrict-service-port-range/.chainsaw-test/svc-bad.yaml b/other-cel/restrict-service-port-range/.chainsaw-test/svc-bad.yaml deleted file mode 100644 index 13753a310..000000000 --- a/other-cel/restrict-service-port-range/.chainsaw-test/svc-bad.yaml +++ /dev/null @@ -1,50 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: badsvc01 -spec: - selector: - app: nginx - ports: - - name: foo-port - port: 80 - targetPort: 80 - nodePort: 30001 - type: NodePort ---- -apiVersion: v1 -kind: Service -metadata: - name: badsvc02 -spec: - selector: - app: nginx - ports: - - name: foo-port - port: 32111 - targetPort: 32111 - nodePort: 32333 - - name: bar-port - port: 443 - targetPort: 443 - nodePort: 31234 - type: NodePort ---- -apiVersion: v1 -kind: Service -metadata: - name: badsvc03 -spec: - selector: - app: nginx - ports: - - name: foo-port - port: 80 - targetPort: 80 - nodePort: 30001 - - name: bar-port - port: 32999 - targetPort: 32999 - nodePort: 30009 - type: NodePort - diff --git a/other-cel/restrict-service-port-range/.chainsaw-test/svc-good.yaml b/other-cel/restrict-service-port-range/.chainsaw-test/svc-good.yaml deleted file mode 100644 index ab42b93a2..000000000 --- a/other-cel/restrict-service-port-range/.chainsaw-test/svc-good.yaml +++ /dev/null 
@@ -1,32 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: goodsvc01 -spec: - selector: - app: nginx - ports: - - name: port-a - port: 32123 - targetPort: 32123 - nodePort: 31000 - - name: port-b - port: 32444 - targetPort: 32444 - nodePort: 30001 - type: NodePort ---- -apiVersion: v1 -kind: Service -metadata: - name: goodsvc02 -spec: - selector: - app: nginx - ports: - - name: foo-port - port: 32999 - targetPort: 32999 - nodePort: 30009 - type: NodePort - diff --git a/other-cel/restrict-service-port-range/.kyverno-test/kyverno-test.yaml b/other-cel/restrict-service-port-range/.kyverno-test/kyverno-test.yaml deleted file mode 100644 index 844ca78ff..000000000 --- a/other-cel/restrict-service-port-range/.kyverno-test/kyverno-test.yaml +++ /dev/null @@ -1,22 +0,0 @@ -apiVersion: cli.kyverno.io/v1alpha1 -kind: Test -metadata: - name: restrict-service-port-range -policies: -- ../restrict-service-port-range.yaml -resources: -- resource.yaml -results: -- kind: Service - policy: restrict-service-port-range - resources: - - bad-service - result: fail - rule: restrict-port-range -- kind: Service - policy: restrict-service-port-range - resources: - - good-service - result: pass - rule: restrict-port-range - diff --git a/other-cel/restrict-service-port-range/.kyverno-test/resource.yaml b/other-cel/restrict-service-port-range/.kyverno-test/resource.yaml deleted file mode 100644 index 96d18f2fa..000000000 --- a/other-cel/restrict-service-port-range/.kyverno-test/resource.yaml +++ /dev/null @@ -1,26 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: bad-service -spec: - type: NodePort - selector: - app: MyApp - ports: - - port: 80 - targetPort: 80 - nodePort: 30007 ---- -apiVersion: v1 -kind: Service -metadata: - name: good-service -spec: - type: NodePort - selector: - app: MyApp - ports: - - port: 32000 - targetPort: 80 - nodePort: 32000 - 
diff --git a/other-cel/restrict-service-port-range/artifacthub-pkg.yml b/other-cel/restrict-service-port-range/artifacthub-pkg.yml deleted file mode 100644 index 9869c5aab..000000000 --- a/other-cel/restrict-service-port-range/artifacthub-pkg.yml +++ /dev/null @@ -1,24 +0,0 @@ -name: restrict-service-port-range-cel -version: 1.0.0 -displayName: Restrict Service Port Range in CEL expressions -description: >- - Services which are allowed to expose any port number may be able to impact other applications running on the Node which require them, or may make specifying security policy externally more challenging. This policy enforces that only the port range 32000 to 33000 may be used for Service resources. -install: |- - ```shell - kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other-cel/restrict-service-port-range/restrict-service-port-range.yaml - ``` -keywords: - - kyverno - - Other - - CEL Expressions -readme: | - Services which are allowed to expose any port number may be able to impact other applications running on the Node which require them, or may make specifying security policy externally more challenging. This policy enforces that only the port range 32000 to 33000 may be used for Service resources. - - Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ -annotations: - kyverno/category: "Other in CEL" - kyverno/kubernetesVersion: "1.26-1.27" - kyverno/subject: "Service" -digest: 76e5ca9f8c86c153ff8c31bf8dfe55ad665e0c6bbe3546c9e36edf515fee6965 -createdAt: "2024-04-19T16:44:39Z" - diff --git a/other-cel/restrict-service-port-range/restrict-service-port-range.yaml b/other-cel/restrict-service-port-range/restrict-service-port-range.yaml deleted file mode 100644 index a037ed803..000000000 --- a/other-cel/restrict-service-port-range/restrict-service-port-range.yaml +++ /dev/null 
@@ -1,36 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: restrict-service-port-range - annotations: - policies.kyverno.io/title: Restrict Service Port Range in CEL expressions - policies.kyverno.io/category: Other in CEL - policies.kyverno.io/severity: medium - kyverno.io/kyverno-version: 1.11.0 - policies.kyverno.io/minversion: 1.11.0 - kyverno.io/kubernetes-version: "1.26-1.27" - policies.kyverno.io/subject: Service - policies.kyverno.io/description: >- - Services which are allowed to expose any port number may be able - to impact other applications running on the Node which require them, - or may make specifying security policy externally more challenging. - This policy enforces that only the port range 32000 to 33000 may - be used for Service resources. -spec: - validationFailureAction: Audit - rules: - - name: restrict-port-range - match: - any: - - resources: - kinds: - - Service - operations: - - CREATE - - UPDATE - validate: - cel: - expressions: - - expression: "object.spec.ports.all(p, p.port >= 32000 && p.port <= 33000)" - message: Ports must be between 32000-33000 - diff --git a/other-cel/restrict-storageclass/.chainsaw-test/chainsaw-test.yaml b/other-cel/restrict-storageclass/.chainsaw-test/chainsaw-test.yaml deleted file mode 100755 index 27c1d0430..000000000 --- a/other-cel/restrict-storageclass/.chainsaw-test/chainsaw-test.yaml +++ /dev/null 
@@ -1,32 +0,0 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json -apiVersion: chainsaw.kyverno.io/v1alpha1 -kind: Test -metadata: - creationTimestamp: null - name: restrict-storageclass -spec: - steps: - - name: step-01 - try: - - apply: - file: ../restrict-storageclass.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: restrict-storageclass - spec: - validationFailureAction: Enforce - - assert: - file: policy-ready.yaml - - name: step-02 - try: - - apply: - file: sc-good.yaml - - apply: - expect: - - check: - ($error != null): true - file: sc-bad.yaml - diff --git a/other-cel/restrict-storageclass/.chainsaw-test/policy-ready.yaml b/other-cel/restrict-storageclass/.chainsaw-test/policy-ready.yaml deleted file mode 100755 index 16e3af214..000000000 --- a/other-cel/restrict-storageclass/.chainsaw-test/policy-ready.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: restrict-storageclass -status: - conditions: - - reason: Succeeded - status: "True" - type: Ready - - diff --git a/other-cel/restrict-storageclass/.chainsaw-test/sc-bad.yaml b/other-cel/restrict-storageclass/.chainsaw-test/sc-bad.yaml deleted file mode 100644 index 981083d05..000000000 --- a/other-cel/restrict-storageclass/.chainsaw-test/sc-bad.yaml +++ /dev/null @@ -1,13 +0,0 @@ -apiVersion: storage.k8s.io/v1 -kind: StorageClass -metadata: - name: badsc01 -provisioner: kubernetes.io/aws-ebs -parameters: - type: gp2 -reclaimPolicy: Retain -allowVolumeExpansion: true -mountOptions: - - debug -volumeBindingMode: Immediate - diff --git a/other-cel/restrict-storageclass/.chainsaw-test/sc-good.yaml b/other-cel/restrict-storageclass/.chainsaw-test/sc-good.yaml deleted file mode 100644 index c4061a322..000000000 --- a/other-cel/restrict-storageclass/.chainsaw-test/sc-good.yaml +++ /dev/null 
@@ -1,25 +0,0 @@ -apiVersion: storage.k8s.io/v1 -kind: StorageClass -metadata: - name: goodsc01 -provisioner: kubernetes.io/aws-ebs -parameters: - type: gp2 -reclaimPolicy: Delete -allowVolumeExpansion: true -mountOptions: - - debug -volumeBindingMode: Immediate ---- -apiVersion: storage.k8s.io/v1 -kind: StorageClass -metadata: - name: goodsc02 -provisioner: kubernetes.io/aws-ebs -parameters: - type: gp2 -allowVolumeExpansion: true -mountOptions: - - debug -volumeBindingMode: Immediate - diff --git a/other-cel/restrict-storageclass/.kyverno-test/kyverno-test.yaml b/other-cel/restrict-storageclass/.kyverno-test/kyverno-test.yaml deleted file mode 100644 index fa7967a6d..000000000 --- a/other-cel/restrict-storageclass/.kyverno-test/kyverno-test.yaml +++ /dev/null @@ -1,22 +0,0 @@ -apiVersion: cli.kyverno.io/v1alpha1 -kind: Test -metadata: - name: restrict-storageclass -policies: -- ../restrict-storageclass.yaml -resources: -- resource.yaml -results: -- kind: StorageClass - policy: restrict-storageclass - resources: - - badstorageclass - result: fail - rule: storageclass-delete -- kind: StorageClass - policy: restrict-storageclass - resources: - - goodstorageclass - result: pass - rule: storageclass-delete - diff --git a/other-cel/restrict-storageclass/.kyverno-test/resource.yaml b/other-cel/restrict-storageclass/.kyverno-test/resource.yaml deleted file mode 100644 index a58d4427f..000000000 --- a/other-cel/restrict-storageclass/.kyverno-test/resource.yaml +++ /dev/null 
@@ -1,26 +0,0 @@ -apiVersion: storage.k8s.io/v1 -kind: StorageClass -metadata: - name: badstorageclass -provisioner: kubernetes.io/aws-ebs -parameters: - type: gp2 -reclaimPolicy: Retain -allowVolumeExpansion: true -mountOptions: - - debug -volumeBindingMode: Immediate ---- -apiVersion: storage.k8s.io/v1 -kind: StorageClass -metadata: - name: goodstorageclass -provisioner: kubernetes.io/aws-ebs -parameters: - type: gp2 -reclaimPolicy: Delete -allowVolumeExpansion: true -mountOptions: - - debug -volumeBindingMode: Immediate - diff --git a/other-cel/restrict-storageclass/artifacthub-pkg.yml b/other-cel/restrict-storageclass/artifacthub-pkg.yml deleted file mode 100644 index 3444d3c6a..000000000 --- a/other-cel/restrict-storageclass/artifacthub-pkg.yml +++ /dev/null 
@@ -1,25 +0,0 @@ -name: restrict-storageclass-cel -version: 1.0.0 -displayName: Restrict StorageClass in CEL expressions -description: >- - StorageClasses allow description of custom "classes" of storage offered by the cluster, based on quality-of-service levels, backup policies, or custom policies determined by the cluster administrators. For shared StorageClasses in a multi-tenancy environment, a reclaimPolicy of `Delete` should be used to ensure a PersistentVolume cannot be reused across Namespaces. This policy requires StorageClasses set a reclaimPolicy of `Delete`. -install: |- - ```shell - kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other-cel/restrict-storageclass/restrict-storageclass.yaml - ``` -keywords: - - kyverno - - Other - - Multi-Tenancy - - CEL Expressions -readme: | - StorageClasses allow description of custom "classes" of storage offered by the cluster, based on quality-of-service levels, backup policies, or custom policies determined by the cluster administrators. For shared StorageClasses in a multi-tenancy environment, a reclaimPolicy of `Delete` should be used to ensure a PersistentVolume cannot be reused across Namespaces. This policy requires StorageClasses set a reclaimPolicy of `Delete`. - - Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ -annotations: - kyverno/category: "Other, Multi-Tenancy in CEL" - kyverno/kubernetesVersion: "1.26-1.27" - kyverno/subject: "StorageClass" -digest: 1056e484a63b688c416b32d7141a6ab9bd4d46224e9836e96ea80a584a1b0ba4 -createdAt: "2024-04-20T16:43:16Z" - diff --git a/other-cel/restrict-storageclass/restrict-storageclass.yaml b/other-cel/restrict-storageclass/restrict-storageclass.yaml deleted file mode 100644 index 0913a76fc..000000000 --- a/other-cel/restrict-storageclass/restrict-storageclass.yaml +++ /dev/null 
@@ -1,37 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: restrict-storageclass - annotations: - policies.kyverno.io/title: Restrict StorageClass in CEL expressions - policies.kyverno.io/category: Other, Multi-Tenancy in CEL - policies.kyverno.io/severity: medium - policies.kyverno.io/subject: StorageClass - kyverno.io/kyverno-version: 1.11.0 - kyverno.io/kubernetes-version: "1.26-1.27" - policies.kyverno.io/description: >- - StorageClasses allow description of custom "classes" of storage offered - by the cluster, based on quality-of-service levels, backup policies, or - custom policies determined by the cluster administrators. For shared StorageClasses - in a multi-tenancy environment, a reclaimPolicy of `Delete` should be used to ensure - a PersistentVolume cannot be reused across Namespaces. This policy requires - StorageClasses set a reclaimPolicy of `Delete`. -spec: - validationFailureAction: Audit - background: true - rules: - - name: storageclass-delete - match: - any: - - resources: - kinds: - - StorageClass - operations: - - CREATE - - UPDATE - validate: - cel: - expressions: - - expression: "object.reclaimPolicy == 'Delete'" - message: "StorageClass must define a reclaimPolicy of Delete." - diff --git a/other-cel/restrict-usergroup-fsgroup-id/.chainsaw-test/chainsaw-test.yaml b/other-cel/restrict-usergroup-fsgroup-id/.chainsaw-test/chainsaw-test.yaml deleted file mode 100755 index 8c0dcfec6..000000000 --- a/other-cel/restrict-usergroup-fsgroup-id/.chainsaw-test/chainsaw-test.yaml +++ /dev/null 
@@ -1,39 +0,0 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json -apiVersion: chainsaw.kyverno.io/v1alpha1 -kind: Test -metadata: - creationTimestamp: null - name: restrict-usergroup-fsgroup-id -spec: - steps: - - name: step-01 - try: - - apply: - file: ../restrict-usergroup-fsgroup-id.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: validate-userid-groupid-fsgroup - spec: - validationFailureAction: Enforce - - assert: - file: policy-ready.yaml - - name: step-02 - try: - - apply: - file: pod-good.yaml - - apply: - expect: - - check: - ($error != null): true - file: pod-bad.yaml - - apply: - file: podcontroller-good.yaml - - apply: - expect: - - check: - ($error != null): true - file: podcontroller-bad.yaml - diff --git a/other-cel/restrict-usergroup-fsgroup-id/.chainsaw-test/pod-bad.yaml b/other-cel/restrict-usergroup-fsgroup-id/.chainsaw-test/pod-bad.yaml deleted file mode 100644 index d830022bd..000000000 --- a/other-cel/restrict-usergroup-fsgroup-id/.chainsaw-test/pod-bad.yaml +++ /dev/null 
@@ -1,64 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: badpod01 -spec: - securityContext: - runAsUser: 2000 - runAsGroup: 1000 - fsGroup: 3000 - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 - - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod02 -spec: - securityContext: - fsGroup: 2000 - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 - - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod03 -spec: - securityContext: - runAsUser: 1000 - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 - - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod04 -spec: - securityContext: - runAsGroup: 4000 - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 - - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod05 -spec: - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 - - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 diff --git a/other-cel/restrict-usergroup-fsgroup-id/.chainsaw-test/pod-good.yaml b/other-cel/restrict-usergroup-fsgroup-id/.chainsaw-test/pod-good.yaml deleted file mode 100644 index df7922daa..000000000 --- a/other-cel/restrict-usergroup-fsgroup-id/.chainsaw-test/pod-good.yaml +++ /dev/null @@ -1,15 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: goodpod01 -spec: - securityContext: - runAsUser: 1000 - runAsGroup: 3000 - fsGroup: 2000 - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 - - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 - 
diff --git a/other-cel/restrict-usergroup-fsgroup-id/.chainsaw-test/podcontroller-bad.yaml b/other-cel/restrict-usergroup-fsgroup-id/.chainsaw-test/podcontroller-bad.yaml deleted file mode 100644 index f6a55e57d..000000000 --- a/other-cel/restrict-usergroup-fsgroup-id/.chainsaw-test/podcontroller-bad.yaml +++ /dev/null @@ -1,88 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app: busybox - name: baddeployment01 -spec: - replicas: 1 - selector: - matchLabels: - app: busybox - strategy: {} - template: - metadata: - labels: - app: busybox - spec: - securityContext: - runAsUser: 2000 - runAsGroup: 1000 - fsGroup: 3000 - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 - - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app: busybox - name: baddeployment02 -spec: - replicas: 1 - selector: - matchLabels: - app: busybox - strategy: {} - template: - metadata: - labels: - app: busybox - spec: - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 - - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob01 -spec: - schedule: "* * * * *" - jobTemplate: - spec: - template: - spec: - securityContext: - runAsUser: 2000 - runAsGroup: 1000 - fsGroup: 3000 - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 - - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 - restartPolicy: OnFailure ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob02 -spec: - schedule: "* * * * *" - jobTemplate: - spec: - template: - spec: - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 - - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 - restartPolicy: OnFailure - 
diff --git a/other-cel/restrict-usergroup-fsgroup-id/.chainsaw-test/podcontroller-good.yaml b/other-cel/restrict-usergroup-fsgroup-id/.chainsaw-test/podcontroller-good.yaml deleted file mode 100644 index 356b0fef8..000000000 --- a/other-cel/restrict-usergroup-fsgroup-id/.chainsaw-test/podcontroller-good.yaml +++ /dev/null @@ -1,48 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app: busybox - name: gooddeployment01 -spec: - replicas: 1 - selector: - matchLabels: - app: busybox - strategy: {} - template: - metadata: - labels: - app: busybox - spec: - securityContext: - runAsUser: 1000 - runAsGroup: 3000 - fsGroup: 2000 - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 - - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob01 -spec: - schedule: "* * * * *" - jobTemplate: - spec: - template: - spec: - securityContext: - runAsUser: 1000 - runAsGroup: 3000 - fsGroup: 2000 - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 - - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 - restartPolicy: OnFailure - diff --git a/other-cel/restrict-usergroup-fsgroup-id/.chainsaw-test/policy-ready.yaml b/other-cel/restrict-usergroup-fsgroup-id/.chainsaw-test/policy-ready.yaml deleted file mode 100755 index f8a123fe9..000000000 --- a/other-cel/restrict-usergroup-fsgroup-id/.chainsaw-test/policy-ready.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: validate-userid-groupid-fsgroup -status: - conditions: - - reason: Succeeded - status: "True" - type: Ready - - diff --git a/other-cel/restrict-usergroup-fsgroup-id/.kyverno-test/kyverno-test.yaml b/other-cel/restrict-usergroup-fsgroup-id/.kyverno-test/kyverno-test.yaml deleted file mode 100644 index 2405d4be0..000000000 --- a/other-cel/restrict-usergroup-fsgroup-id/.kyverno-test/kyverno-test.yaml +++ /dev/null 
@@ -1,25 +0,0 @@ -apiVersion: cli.kyverno.io/v1alpha1 -kind: Test -metadata: - name: validate-userid-groupid-fsgroup -policies: -- ../restrict-usergroup-fsgroup-id.yaml -resources: -- resource.yaml -results: -- kind: Pod - policy: validate-userid-groupid-fsgroup - resources: - - goodpod - result: pass - rule: validate-userid-groupid-fsgroup -- kind: Pod - policy: validate-userid-groupid-fsgroup - resources: - - badpod01 - - badpod02 - - badpod03 - - badpod04 - result: fail - rule: validate-userid-groupid-fsgroup - diff --git a/other-cel/restrict-usergroup-fsgroup-id/.kyverno-test/resource.yaml b/other-cel/restrict-usergroup-fsgroup-id/.kyverno-test/resource.yaml deleted file mode 100644 index e8753cec7..000000000 --- a/other-cel/restrict-usergroup-fsgroup-id/.kyverno-test/resource.yaml +++ /dev/null @@ -1,72 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: goodpod - labels: - app: myapp -spec: - securityContext: - runAsUser: 1000 - runAsGroup: 3000 - fsGroup: 2000 - containers: - - name: busy - image: busybox ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod01 - labels: - app: myapp -spec: - securityContext: - runAsUser: 2000 - runAsGroup: 3000 - fsGroup: 2000 - containers: - - name: busy - image: busybox ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod02 - labels: - app: myapp -spec: - securityContext: - runAsUser: 1000 - runAsGroup: 3000 - fsGroup: 1000 - containers: - - name: busy - image: busybox ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod03 - labels: - app: myapp -spec: - securityContext: - runAsUser: 1000 - runAsGroup: 4000 - fsGroup: 1000 - containers: - - name: busy - image: busybox ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod04 - labels: - app: myapp -spec: - securityContext: {} - containers: - - name: busy - image: busybox - 
diff --git a/other-cel/restrict-usergroup-fsgroup-id/artifacthub-pkg.yml b/other-cel/restrict-usergroup-fsgroup-id/artifacthub-pkg.yml deleted file mode 100644 index 03b1362de..000000000 --- a/other-cel/restrict-usergroup-fsgroup-id/artifacthub-pkg.yml +++ /dev/null @@ -1,24 +0,0 @@ -name: restrict-usergroup-fsgroup-id-cel -version: 1.0.0 -displayName: Validate User ID, Group ID, and FS Group in CEL expressions -description: >- - All processes inside a Pod can be made to run with specific user and groupID by setting `runAsUser` and `runAsGroup` respectively. `fsGroup` can be specified to make sure any file created in the volume will have the specified groupID. This policy validates that these fields are set to the defined values. -install: |- - ```shell - kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other-cel/restrict-usergroup-fsgroup-id/restrict-usergroup-fsgroup-id.yaml - ``` -keywords: - - kyverno - - Sample - - CEL Expressions -readme: | - All processes inside a Pod can be made to run with specific user and groupID by setting `runAsUser` and `runAsGroup` respectively. `fsGroup` can be specified to make sure any file created in the volume will have the specified groupID. This policy validates that these fields are set to the defined values. - - Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ -annotations: - kyverno/category: "Sample in CEL" - kyverno/kubernetesVersion: "1.26-1.27" - kyverno/subject: "Pod" -digest: 65d0858b1b9196a038391e89afc535bf696c5a31514e6a830e0eeeb7626a1116 -createdAt: "2024-04-20T16:57:00Z" - diff --git a/other-cel/restrict-usergroup-fsgroup-id/restrict-usergroup-fsgroup-id.yaml b/other-cel/restrict-usergroup-fsgroup-id/restrict-usergroup-fsgroup-id.yaml deleted file mode 100644 index 6473646f2..000000000 --- a/other-cel/restrict-usergroup-fsgroup-id/restrict-usergroup-fsgroup-id.yaml +++ /dev/null 
@@ -1,40 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: validate-userid-groupid-fsgroup - annotations: - policies.kyverno.io/title: Validate User ID, Group ID, and FS Group in CEL expressions - policies.kyverno.io/category: Sample in CEL - policies.kyverno.io/severity: medium - policies.kyverno.io/subject: Pod - policies.kyverno.io/minversion: 1.11.0 - kyverno.io/kyverno-version: 1.11.0 - kyverno.io/kubernetes-version: "1.26-1.27" - policies.kyverno.io/description: >- - All processes inside a Pod can be made to run with specific user and groupID - by setting `runAsUser` and `runAsGroup` respectively. `fsGroup` can be specified - to make sure any file created in the volume will have the specified groupID. - This policy validates that these fields are set to the defined values. -spec: - validationFailureAction: Audit - background: true - rules: - - name: validate-userid-groupid-fsgroup - match: - any: - - resources: - kinds: - - Pod - operations: - - CREATE - - UPDATE - validate: - cel: - expressions: - - expression: "object.spec.?securityContext.?runAsUser.orValue(1) == 1000" - message: "User ID should be 1000." - - expression: "object.spec.?securityContext.?runAsGroup.orValue(1) == 3000" - message: "Group ID should be 3000." - - expression: "object.spec.?securityContext.?fsGroup.orValue(1) == 2000" - message: "fs Group should be 2000." - diff --git a/other-cel/restrict-wildcard-resources/.chainsaw-test/chainsaw-test.yaml b/other-cel/restrict-wildcard-resources/.chainsaw-test/chainsaw-test.yaml deleted file mode 100755 index d2ec23858..000000000 --- a/other-cel/restrict-wildcard-resources/.chainsaw-test/chainsaw-test.yaml +++ /dev/null 
@@ -1,39 +0,0 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json -apiVersion: chainsaw.kyverno.io/v1alpha1 -kind: Test -metadata: - creationTimestamp: null - name: restrict-wildcard-resources -spec: - steps: - - name: step-01 - try: - - apply: - file: ../restrict-wildcard-resources.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: restrict-wildcard-resources - spec: - validationFailureAction: Enforce - - assert: - file: policy-ready.yaml - - name: step-02 - try: - - apply: - file: cr-good.yaml - - apply: - expect: - - check: - ($error != null): true - file: cr-bad.yaml - - apply: - file: role-good.yaml - - apply: - expect: - - check: - ($error != null): true - file: role-bad.yaml - diff --git a/other-cel/restrict-wildcard-resources/.chainsaw-test/cr-bad.yaml b/other-cel/restrict-wildcard-resources/.chainsaw-test/cr-bad.yaml deleted file mode 100644 index f0e35e1f6..000000000 --- a/other-cel/restrict-wildcard-resources/.chainsaw-test/cr-bad.yaml +++ /dev/null @@ -1,33 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: badcr01 -rules: -- apiGroups: [""] - resources: ["namespaces", "*", "pods"] - verbs: ["get", "create"] -- apiGroups: ["apps"] - resources: ["deployments"] - verbs: ["get", "watch", "list"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: badcr02 -rules: -- apiGroups: ["apps"] - resources: ["*"] - verbs: ["get", "watch", "list"] -- apiGroups: [""] - resources: ["namespaces", "secrets", "pods"] - verbs: ["create", "watch", "list"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: badcr03 -rules: -- apiGroups: [""] - resources: ["*"] - verbs: ["update", "list", "create"] - 
diff --git a/other-cel/restrict-wildcard-resources/.chainsaw-test/cr-good.yaml b/other-cel/restrict-wildcard-resources/.chainsaw-test/cr-good.yaml deleted file mode 100644 index 6c87a785a..000000000 --- a/other-cel/restrict-wildcard-resources/.chainsaw-test/cr-good.yaml +++ /dev/null @@ -1,59 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: goodcr01 -rules: -- apiGroups: [""] - resources: ["pods", "namespaces"] - verbs: ["get", "watch", "list"] -- apiGroups: ["apps"] - resources: ["deployments"] - verbs: ["get", "watch", "list"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: goodcr02 -rules: -- apiGroups: ["apps"] - resources: ["deployments"] - verbs: ["get", "create", "update"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: goodcr03 -rules: -- apiGroups: ["batch"] - resources: ["secrets"] - verbs: ["create", "update", "patch"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: goodcr04 -rules: -- apiGroups: [""] - resources: ["secrets"] - verbs: ["*"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: goodcr05 -rules: -- apiGroups: ["*"] - resources: ["secrets"] - verbs: ["create", "update", "patch"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: empty-rules -rules: ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: omitted-rules ---- diff --git a/other-cel/restrict-wildcard-resources/.chainsaw-test/policy-ready.yaml b/other-cel/restrict-wildcard-resources/.chainsaw-test/policy-ready.yaml deleted file mode 100755 index c5c916747..000000000 --- a/other-cel/restrict-wildcard-resources/.chainsaw-test/policy-ready.yaml +++ /dev/null 
@@ -1,11 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: restrict-wildcard-resources -status: - conditions: - - reason: Succeeded - status: "True" - type: Ready - - diff --git a/other-cel/restrict-wildcard-resources/.chainsaw-test/role-bad.yaml b/other-cel/restrict-wildcard-resources/.chainsaw-test/role-bad.yaml deleted file mode 100644 index 88d7bdd0d..000000000 --- a/other-cel/restrict-wildcard-resources/.chainsaw-test/role-bad.yaml +++ /dev/null @@ -1,33 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: badcr01 -rules: -- apiGroups: [""] - resources: ["namespaces", "*", "pods"] - verbs: ["get", "create"] -- apiGroups: ["apps"] - resources: ["deployments"] - verbs: ["get", "watch", "list"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: badcr02 -rules: -- apiGroups: ["apps"] - resources: ["*"] - verbs: ["get", "watch", "list"] -- apiGroups: [""] - resources: ["namespaces", "secrets", "pods"] - verbs: ["create", "watch", "list"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: badcr03 -rules: -- apiGroups: [""] - resources: ["*"] - verbs: ["update", "list", "create"] - diff --git a/other-cel/restrict-wildcard-resources/.chainsaw-test/role-good.yaml b/other-cel/restrict-wildcard-resources/.chainsaw-test/role-good.yaml deleted file mode 100644 index 0310612f0..000000000 --- a/other-cel/restrict-wildcard-resources/.chainsaw-test/role-good.yaml +++ /dev/null 
@@ -1,59 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: goodcr01 -rules: -- apiGroups: [""] - resources: ["pods", "namespaces"] - verbs: ["get", "watch", "list"] -- apiGroups: ["apps"] - resources: ["deployments"] - verbs: ["get", "watch", "list"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: goodcr02 -rules: -- apiGroups: ["apps"] - resources: ["deployments"] - verbs: ["get", "create", "update"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: goodcr03 -rules: -- apiGroups: ["batch"] - resources: ["secrets"] - verbs: ["create", "update", "patch"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: goodcr04 -rules: -- apiGroups: [""] - resources: ["secrets"] - verbs: ["*"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: goodcr05 -rules: -- apiGroups: ["*"] - resources: ["secrets"] - verbs: ["create", "update", "patch"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: omitted-rules ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: empty-rules -rules: ---- diff --git a/other-cel/restrict-wildcard-resources/.kyverno-test/kyverno-test.yaml b/other-cel/restrict-wildcard-resources/.kyverno-test/kyverno-test.yaml deleted file mode 100644 index 810f8497d..000000000 --- a/other-cel/restrict-wildcard-resources/.kyverno-test/kyverno-test.yaml +++ /dev/null 
@@ -1,48 +0,0 @@ -apiVersion: cli.kyverno.io/v1alpha1 -kind: Test -metadata: - name: restrict-wildcard-resources -policies: -- ../restrict-wildcard-resources.yaml -resources: -- resource.yaml -results: -- policy: restrict-wildcard-resources - rule: wildcard-resources - kind: ClusterRole - resources: - - badcr01 - - badcr02 - - badcr03 - result: fail -- policy: restrict-wildcard-resources - rule: wildcard-resources - kind: ClusterRole - resources: - - goodcr01 - - goodcr02 - - goodcr03 - - goodcr04 - - goodcr05 - - default-rules - result: pass -- policy: restrict-wildcard-resources - rule: wildcard-resources - kind: Role - resources: - - badrole01 - - badrole02 - - badrole03 - result: fail -- policy: restrict-wildcard-resources - rule: wildcard-resources - kind: Role - resources: - - goodrole01 - - goodrole02 - - goodrole03 - - goodrole04 - - goodrole05 - - default-rules - result: pass - diff --git a/other-cel/restrict-wildcard-resources/.kyverno-test/resource.yaml b/other-cel/restrict-wildcard-resources/.kyverno-test/resource.yaml deleted file mode 100644 index 142b51625..000000000 --- a/other-cel/restrict-wildcard-resources/.kyverno-test/resource.yaml +++ /dev/null 
@@ -1,179 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: badcr01 -rules: -- apiGroups: [""] - resources: ["namespaces", "*", "pods"] - verbs: ["get", "create"] -- apiGroups: ["apps"] - resources: ["deployments"] - verbs: ["get", "watch", "list"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: badcr02 -rules: -- apiGroups: ["apps"] - resources: ["*"] - verbs: ["get", "watch", "list"] -- apiGroups: [""] - resources: ["namespaces", "secrets", "pods"] - verbs: ["create", "watch", "list"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: badcr03 -rules: -- apiGroups: [""] - resources: ["*"] - verbs: ["update", "list", "create"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: goodcr01 -rules: -- apiGroups: [""] - resources: ["pods", "namespaces"] - verbs: ["get", "watch", "list"] -- apiGroups: ["apps"] - resources: ["deployments"] - verbs: ["get", "watch", "list"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: goodcr02 -rules: -- apiGroups: ["apps"] - resources: ["deployments"] - verbs: ["get", "create", "update"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: goodcr03 -rules: -- apiGroups: ["batch"] - resources: ["secrets"] - verbs: ["create", "update", "patch"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: goodcr04 -rules: -- apiGroups: [""] - resources: ["secrets"] - verbs: ["*"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: goodcr05 -rules: -- apiGroups: ["*"] - resources: ["secrets"] - verbs: ["create", "update", "patch"] ---- -# In the manifest, if the 'rules' field is not specified or is specified as 'rules: ' without a value, -# it will be set to null by default when created in the cluster -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - 
name: default-rules -rules: null ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: badrole01 -rules: -- apiGroups: [""] - resources: ["namespaces", "*", "pods"] - verbs: ["get", "create"] -- apiGroups: ["apps"] - resources: ["deployments"] - verbs: ["get", "watch", "list"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: badrole02 -rules: -- apiGroups: ["apps"] - resources: ["*"] - verbs: ["get", "watch", "list"] -- apiGroups: [""] - resources: ["namespaces", "secrets", "pods"] - verbs: ["create", "watch", "list"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: badrole03 -rules: -- apiGroups: [""] - resources: ["*"] - verbs: ["update", "list", "create"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: goodrole01 -rules: -- apiGroups: [""] - resources: ["pods", "namespaces"] - verbs: ["get", "watch", "list"] -- apiGroups: ["apps"] - resources: ["deployments"] - verbs: ["get", "watch", "list"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: goodrole02 -rules: -- apiGroups: ["apps"] - resources: ["deployments"] - verbs: ["get", "create", "update"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: goodrole03 -rules: -- apiGroups: ["batch"] - resources: ["secrets"] - verbs: ["create", "update", "patch"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: goodrole04 -rules: -- apiGroups: [""] - resources: ["secrets"] - verbs: ["*"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: goodrole05 -rules: -- apiGroups: ["*"] - resources: ["secrets"] - verbs: ["create", "update", "patch"] ---- -# In the manifest, if the 'rules' field is not specified or is specified as 'rules: ' without a value, -# it will be set to null by default when created in the cluster -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: default-rules -rules: 
null ---- - diff --git a/other-cel/restrict-wildcard-resources/artifacthub-pkg.yml b/other-cel/restrict-wildcard-resources/artifacthub-pkg.yml deleted file mode 100644 index 1a402cedb..000000000 --- a/other-cel/restrict-wildcard-resources/artifacthub-pkg.yml +++ /dev/null @@ -1,25 +0,0 @@ -name: restrict-wildcard-resources-cel -version: 1.0.0 -displayName: Restrict Wildcards in Resources in CEL expressions -description: >- - Wildcards ('*') in resources grants access to all of the resources referenced by the given API group and does not follow the principal of least privilege. As much as possible, avoid such open resources unless scoped to perhaps a custom API group. This policy blocks any Role or ClusterRole that contains a wildcard entry in the resources list found in any rule. -install: |- - ```shell - kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other-cel/restrict-wildcard-resources/restrict-wildcard-resources.yaml - ``` -keywords: - - kyverno - - Security - - EKS Best Practices - - CEL Expressions -readme: | - Wildcards ('*') in resources grants access to all of the resources referenced by the given API group and does not follow the principal of least privilege. As much as possible, avoid such open resources unless scoped to perhaps a custom API group. This policy blocks any Role or ClusterRole that contains a wildcard entry in the resources list found in any rule. - - Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ -annotations: - kyverno/category: "Security, EKS Best Practices in CEL" - kyverno/kubernetesVersion: "1.26-1.27" - kyverno/subject: "ClusterRole, Role, RBAC" -digest: 02918a02f88cd193f14914db60e99be721c738789e063eeb77efe8eb80e1e30c -createdAt: "2024-04-21T15:05:39Z" - 
diff --git a/other-cel/restrict-wildcard-resources/restrict-wildcard-resources.yaml b/other-cel/restrict-wildcard-resources/restrict-wildcard-resources.yaml deleted file mode 100644 index 2a47461a4..000000000 --- a/other-cel/restrict-wildcard-resources/restrict-wildcard-resources.yaml +++ /dev/null @@ -1,38 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: restrict-wildcard-resources - annotations: - policies.kyverno.io/title: Restrict Wildcards in Resources in CEL expressions - policies.kyverno.io/category: Security, EKS Best Practices in CEL - policies.kyverno.io/severity: medium - policies.kyverno.io/subject: ClusterRole, Role, RBAC - kyverno.io/kyverno-version: 1.11.0 - policies.kyverno.io/minversion: 1.11.0 - kyverno.io/kubernetes-version: "1.26-1.27" - policies.kyverno.io/description: >- - Wildcards ('*') in resources grants access to all of the resources referenced by - the given API group and does not follow the principal of least privilege. As much as possible, - avoid such open resources unless scoped to perhaps a custom API group. - This policy blocks any Role or ClusterRole that contains a wildcard entry in - the resources list found in any rule. -spec: - validationFailureAction: Audit - background: true - rules: - - name: wildcard-resources - match: - any: - - resources: - kinds: - - Role - - ClusterRole - operations: - - CREATE - - UPDATE - validate: - cel: - expressions: - - expression: "object.rules == null || !object.rules.exists(rule, '*' in rule.resources)" - message: "Use of a wildcard ('*') in any resources is forbidden." - diff --git a/other-cel/restrict-wildcard-verbs/.chainsaw-test/chainsaw-test.yaml b/other-cel/restrict-wildcard-verbs/.chainsaw-test/chainsaw-test.yaml deleted file mode 100755 index 02e9b4de5..000000000 --- a/other-cel/restrict-wildcard-verbs/.chainsaw-test/chainsaw-test.yaml +++ /dev/null 
@@ -1,39 +0,0 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json -apiVersion: chainsaw.kyverno.io/v1alpha1 -kind: Test -metadata: - creationTimestamp: null - name: restrict-wildcard-verbs -spec: - steps: - - name: step-01 - try: - - apply: - file: ../restrict-wildcard-verbs.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: restrict-wildcard-verbs - spec: - validationFailureAction: Enforce - - assert: - file: policy-ready.yaml - - name: step-02 - try: - - apply: - file: cr-good.yaml - - apply: - expect: - - check: - ($error != null): true - file: cr-bad.yaml - - apply: - file: role-good.yaml - - apply: - expect: - - check: - ($error != null): true - file: role-bad.yaml - diff --git a/other-cel/restrict-wildcard-verbs/.chainsaw-test/cr-bad.yaml b/other-cel/restrict-wildcard-verbs/.chainsaw-test/cr-bad.yaml deleted file mode 100644 index f94df1931..000000000 --- a/other-cel/restrict-wildcard-verbs/.chainsaw-test/cr-bad.yaml +++ /dev/null @@ -1,33 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: badcr01 -rules: -- apiGroups: [""] - resources: ["namespaces","pods"] - verbs: ["*"] -- apiGroups: ["apps"] - resources: ["deployments"] - verbs: ["get", "watch", "list"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: badcr02 -rules: -- apiGroups: ["apps"] - resources: ["*"] - verbs: ["get", "watch", "*"] -- apiGroups: [""] - resources: ["namespaces", "secrets", "pods"] - verbs: ["create", "watch", "list"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: badcr03 -rules: -- apiGroups: [""] - resources: ["pods"] - verbs: ["update", "*", "create"] - diff --git a/other-cel/restrict-wildcard-verbs/.chainsaw-test/cr-good.yaml b/other-cel/restrict-wildcard-verbs/.chainsaw-test/cr-good.yaml deleted file mode 100644 index 40d9e341e..000000000 
--- a/other-cel/restrict-wildcard-verbs/.chainsaw-test/cr-good.yaml +++ /dev/null @@ -1,51 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: goodcr01 -rules: -- apiGroups: [""] - resources: ["pods", "namespaces"] - verbs: ["get", "watch", "list"] -- apiGroups: ["apps"] - resources: ["deployments"] - verbs: ["get", "watch", "list"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: goodcr02 -rules: -- apiGroups: ["apps"] - resources: ["deployments"] - verbs: ["get", "create", "update"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: goodcr03 -rules: -- apiGroups: ["batch"] - resources: ["secrets"] - verbs: ["create", "update", "patch"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: goodcr04 -rules: -- apiGroups: ["apps"] - resources: ["*"] - verbs: ["create", "update", "patch"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: empty-rules -rules: ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: omitted-rules ---- - diff --git a/other-cel/restrict-wildcard-verbs/.chainsaw-test/policy-ready.yaml b/other-cel/restrict-wildcard-verbs/.chainsaw-test/policy-ready.yaml deleted file mode 100755 index c30a6e387..000000000 --- a/other-cel/restrict-wildcard-verbs/.chainsaw-test/policy-ready.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: restrict-wildcard-verbs -status: - conditions: - - reason: Succeeded - status: "True" - type: Ready - - diff --git a/other-cel/restrict-wildcard-verbs/.chainsaw-test/role-bad.yaml b/other-cel/restrict-wildcard-verbs/.chainsaw-test/role-bad.yaml deleted file mode 100644 index f385dcbc8..000000000 --- a/other-cel/restrict-wildcard-verbs/.chainsaw-test/role-bad.yaml +++ /dev/null 
@@ -1,33 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: badcr01 -rules: -- apiGroups: [""] - resources: ["namespaces","pods"] - verbs: ["*"] -- apiGroups: ["apps"] - resources: ["deployments"] - verbs: ["get", "watch", "list"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: badcr02 -rules: -- apiGroups: ["apps"] - resources: ["*"] - verbs: ["get", "watch", "*"] -- apiGroups: [""] - resources: ["namespaces", "secrets", "pods"] - verbs: ["create", "watch", "list"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: badcr03 -rules: -- apiGroups: [""] - resources: ["pods"] - verbs: ["update", "*", "create"] - diff --git a/other-cel/restrict-wildcard-verbs/.chainsaw-test/role-good.yaml b/other-cel/restrict-wildcard-verbs/.chainsaw-test/role-good.yaml deleted file mode 100644 index 9c1992421..000000000 --- a/other-cel/restrict-wildcard-verbs/.chainsaw-test/role-good.yaml +++ /dev/null 
@@ -1,50 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: goodcr01 -rules: -- apiGroups: [""] - resources: ["pods", "namespaces"] - verbs: ["get", "watch", "list"] -- apiGroups: ["apps"] - resources: ["deployments"] - verbs: ["get", "watch", "list"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: goodcr02 -rules: -- apiGroups: ["apps"] - resources: ["deployments"] - verbs: ["get", "create", "update"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: goodcr03 -rules: -- apiGroups: ["batch"] - resources: ["secrets"] - verbs: ["create", "update", "patch"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: goodcr04 -rules: -- apiGroups: ["apps"] - resources: ["*"] - verbs: ["create", "update", "patch"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: omitted-rules ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: empty-rules -rules: ---- diff --git a/other-cel/restrict-wildcard-verbs/.kyverno-test/kyverno-test.yaml b/other-cel/restrict-wildcard-verbs/.kyverno-test/kyverno-test.yaml deleted file mode 100644 index c2d9246a5..000000000 --- a/other-cel/restrict-wildcard-verbs/.kyverno-test/kyverno-test.yaml +++ /dev/null 
@@ -1,46 +0,0 @@ -apiVersion: cli.kyverno.io/v1alpha1 -kind: Test -metadata: - name: restrict-wildcard-verbs -policies: -- ../restrict-wildcard-verbs.yaml -resources: -- resource.yaml -results: -- policy: restrict-wildcard-verbs - rule: wildcard-verbs - kind: ClusterRole - resources: - - badcr01 - - badcr02 - - badcr03 - result: fail -- policy: restrict-wildcard-verbs - rule: wildcard-verbs - kind: ClusterRole - resources: - - goodcr01 - - goodcr02 - - goodcr03 - - goodcr04 - - default-rules - result: pass -- policy: restrict-wildcard-verbs - rule: wildcard-verbs - kind: Role - resources: - - badrole01 - - badrole02 - - badrole03 - result: fail -- policy: restrict-wildcard-verbs - rule: wildcard-verbs - kind: Role - resources: - - goodrole01 - - goodrole02 - - goodrole03 - - goodrole04 - - default-rules - result: pass - diff --git a/other-cel/restrict-wildcard-verbs/.kyverno-test/resource.yaml b/other-cel/restrict-wildcard-verbs/.kyverno-test/resource.yaml deleted file mode 100644 index 980f3de97..000000000 --- a/other-cel/restrict-wildcard-verbs/.kyverno-test/resource.yaml +++ /dev/null 
@@ -1,160 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: badcr01 -rules: -- apiGroups: [""] - resources: ["namespaces","pods"] - verbs: ["*"] -- apiGroups: ["apps"] - resources: ["deployments"] - verbs: ["get", "watch", "list"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: badcr02 -rules: -- apiGroups: ["apps"] - resources: ["*"] - verbs: ["get", "watch", "*"] -- apiGroups: [""] - resources: ["namespaces", "secrets", "pods"] - verbs: ["create", "watch", "list"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: badcr03 -rules: -- apiGroups: [""] - resources: ["pods"] - verbs: ["update", "*", "create"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: goodcr01 -rules: -- apiGroups: [""] - resources: ["pods", "namespaces"] - verbs: ["get", "watch", "list"] -- apiGroups: ["apps"] - resources: ["deployments"] - verbs: ["get", "watch", "list"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: goodcr02 -rules: -- apiGroups: ["apps"] - resources: ["deployments"] - verbs: ["get", "create", "update"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: goodcr03 -rules: -- apiGroups: ["batch"] - resources: ["secrets"] - verbs: ["create", "update", "patch"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: goodcr04 -rules: -- apiGroups: ["apps"] - resources: ["*"] - verbs: ["create", "update", "patch"] ---- -# In the manifest, if the 'rules' field is not specified or is specified as 'rules: ' without a value, -# it will be set to null by default when created in the cluster -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: default-rules -rules: null ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: badrole01 -rules: -- apiGroups: [""] - resources: ["namespaces","pods"] - 
verbs: ["*"] -- apiGroups: ["apps"] - resources: ["deployments"] - verbs: ["get", "watch", "list"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: badrole02 -rules: -- apiGroups: ["apps"] - resources: ["*"] - verbs: ["get", "watch", "*"] -- apiGroups: [""] - resources: ["namespaces", "secrets", "pods"] - verbs: ["create", "watch", "list"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: badrole03 -rules: -- apiGroups: [""] - resources: ["pods"] - verbs: ["update", "*", "create"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: goodrole01 -rules: -- apiGroups: [""] - resources: ["pods", "namespaces"] - verbs: ["get", "watch", "list"] -- apiGroups: ["apps"] - resources: ["deployments"] - verbs: ["get", "watch", "list"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: goodrole02 -rules: -- apiGroups: ["apps"] - resources: ["deployments"] - verbs: ["get", "create", "update"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: goodrole03 -rules: -- apiGroups: ["batch"] - resources: ["secrets"] - verbs: ["create", "update", "patch"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: goodrole04 -rules: -- apiGroups: ["apps"] - resources: ["*"] - verbs: ["create", "update", "patch"] ---- -# In the manifest, if the 'rules' field is not specified or is specified as 'rules: ' without a value, -# it will be set to null by default when created in the cluster -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: default-rules -rules: null ---- diff --git a/other-cel/restrict-wildcard-verbs/artifacthub-pkg.yml b/other-cel/restrict-wildcard-verbs/artifacthub-pkg.yml deleted file mode 100644 index 72eb5a324..000000000 --- a/other-cel/restrict-wildcard-verbs/artifacthub-pkg.yml +++ /dev/null 
@@ -1,25 +0,0 @@
-name: restrict-wildcard-verbs-cel
-version: 1.0.0
-displayName: Restrict Wildcard in Verbs in CEL expressions
-description: >-
- Wildcards ('*') in verbs grants all access to the resources referenced by it and does not follow the principal of least privilege. As much as possible, avoid such open verbs unless scoped to perhaps a custom API group. This policy blocks any Role or ClusterRole that contains a wildcard entry in the verbs list found in any rule.
-install: |-
- ```shell
- kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other-cel/restrict-wildcard-verbs/restrict-wildcard-verbs.yaml
- ```
-keywords:
- - kyverno
- - Security
- - EKS Best Practices
- - CEL Expressions
-readme: |
- Wildcards ('*') in verbs grants all access to the resources referenced by it and does not follow the principal of least privilege. As much as possible, avoid such open verbs unless scoped to perhaps a custom API group. This policy blocks any Role or ClusterRole that contains a wildcard entry in the verbs list found in any rule.
-
- Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/
-annotations:
- kyverno/category: "Security, EKS Best Practices in CEL"
- kyverno/kubernetesVersion: "1.26-1.27"
- kyverno/subject: "Role, ClusterRole, RBAC"
-digest: f94aaca4f8e88c242878b4c0ed47e5f3aaec1b1d05ffcb59b551f41a135bc7a7
-createdAt: "2024-04-21T15:09:55Z"
-
diff --git a/other-cel/restrict-wildcard-verbs/restrict-wildcard-verbs.yaml b/other-cel/restrict-wildcard-verbs/restrict-wildcard-verbs.yaml
deleted file mode 100644
index 8aea74b48..000000000
--- a/other-cel/restrict-wildcard-verbs/restrict-wildcard-verbs.yaml
+++ /dev/null
@@ -1,38 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
- name: restrict-wildcard-verbs
- annotations:
- policies.kyverno.io/title: Restrict Wildcard in Verbs in CEL expressions
- policies.kyverno.io/category: Security, EKS Best Practices in CEL
- policies.kyverno.io/severity: medium
- policies.kyverno.io/subject: Role, ClusterRole, RBAC
- kyverno.io/kyverno-version: 1.11.0
- policies.kyverno.io/minversion: 1.11.0
- kyverno.io/kubernetes-version: "1.26-1.27"
- policies.kyverno.io/description: >-
- Wildcards ('*') in verbs grants all access to the resources referenced by it and
- does not follow the principal of least privilege. As much as possible,
- avoid such open verbs unless scoped to perhaps a custom API group.
- This policy blocks any Role or ClusterRole that contains a wildcard entry in
- the verbs list found in any rule.
-spec:
- validationFailureAction: Audit
- background: true
- rules:
- - name: wildcard-verbs
- match:
- any:
- - resources:
- kinds:
- - Role
- - ClusterRole
- operations:
- - CREATE
- - UPDATE
- validate:
- cel:
- expressions:
- - expression: "object.rules == null || !object.rules.exists(rule, '*' in rule.verbs)"
- message: "Use of a wildcard ('*') in any verbs is forbidden."
-
diff --git a/other-cel/topologyspreadconstraints-policy/.chainsaw-test/chainsaw-test.yaml b/other-cel/topologyspreadconstraints-policy/.chainsaw-test/chainsaw-test.yaml
deleted file mode 100755
index d0c7d8295..000000000
--- a/other-cel/topologyspreadconstraints-policy/.chainsaw-test/chainsaw-test.yaml
+++ /dev/null
@@ -1,31 +0,0 @@
-# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
-apiVersion: chainsaw.kyverno.io/v1alpha1
-kind: Test
-metadata:
- creationTimestamp: null
- name: topologyspreadconstraints-policy
-spec:
- steps:
- - name: step-01
- try:
- - apply:
- file: ../topologyspreadconstraints-policy.yaml
- - patch:
- resource:
- apiVersion: kyverno.io/v1
- kind: ClusterPolicy
- metadata:
- name: topologyspreadconstraints-policy
- spec:
- validationFailureAction: Enforce
- - assert:
- file: policy-ready.yaml
- - name: step-02
- try:
- - apply:
- file: podcontrollers-good.yaml
- - apply:
- expect:
- - check:
- ($error != null): true
- file: podcontrollers-bad.yaml
diff --git a/other-cel/topologyspreadconstraints-policy/.chainsaw-test/podcontrollers-bad.yaml b/other-cel/topologyspreadconstraints-policy/.chainsaw-test/podcontrollers-bad.yaml
deleted file mode 100644
index 040170cce..000000000
--- a/other-cel/topologyspreadconstraints-policy/.chainsaw-test/podcontrollers-bad.yaml
+++ /dev/null
@@ -1,85 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeploy01 - labels: - app: busybox -spec: - selector: - matchLabels: - app: busybox - replicas: 3 - template: - metadata: - labels: - app: busybox - spec: - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 - topologySpreadConstraints: - - maxSkew: 1 - topologyKey: foo.bar/test - whenUnsatisfiable: ScheduleAnyway - labelSelector: - matchLabels: - app: busybox - - maxSkew: 1 - topologyKey: topology.kubernetes.io/zone - whenUnsatisfiable: ScheduleAnyway - labelSelector: - matchLabels: - app: busybox ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeploy02 - labels: - app: busybox -spec: - selector: - matchLabels: - app: busybox - replicas: 3 - template: - metadata: - labels: - app: busybox - spec: - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 - topologySpreadConstraints: - - maxSkew: 1 - topologyKey: foo.bar/test - whenUnsatisfiable: ScheduleAnyway - labelSelector: - matchLabels: - app: busybox - - maxSkew: 1 - topologyKey: kubernetes.io/hostname - whenUnsatisfiable: ScheduleAnyway - labelSelector: - matchLabels: - app: busybox ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeploy03 - labels: - app: busybox -spec: - selector: - matchLabels: - app: busybox - replicas: 3 - template: - metadata: - labels: - app: busybox - spec: - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 \ No newline at end of file diff --git a/other-cel/topologyspreadconstraints-policy/.chainsaw-test/podcontrollers-good.yaml b/other-cel/topologyspreadconstraints-policy/.chainsaw-test/podcontrollers-good.yaml deleted file mode 100644 index 712dc9937..000000000 --- a/other-cel/topologyspreadconstraints-policy/.chainsaw-test/podcontrollers-good.yaml +++ /dev/null 
@@ -1,91 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeploy01 - labels: - app: busybox -spec: - selector: - matchLabels: - app: busybox - replicas: 3 - template: - metadata: - labels: - app: busybox - spec: - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 - topologySpreadConstraints: - - maxSkew: 1 - topologyKey: foo.bar/test - whenUnsatisfiable: ScheduleAnyway - labelSelector: - matchLabels: - app: busybox - - maxSkew: 1 - topologyKey: kubernetes.io/hostname - whenUnsatisfiable: ScheduleAnyway - labelSelector: - matchLabels: - app: busybox - - maxSkew: 1 - topologyKey: topology.kubernetes.io/zone - whenUnsatisfiable: ScheduleAnyway - labelSelector: - matchLabels: - app: busybox ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeploy02 - labels: - app: busybox -spec: - selector: - matchLabels: - app: busybox - replicas: 1 - template: - metadata: - labels: - app: busybox - spec: - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 - topologySpreadConstraints: - - maxSkew: 1 - topologyKey: foo.bar/test - whenUnsatisfiable: ScheduleAnyway - labelSelector: - matchLabels: - app: busybox - - maxSkew: 1 - topologyKey: kubernetes.io/hostname - whenUnsatisfiable: ScheduleAnyway - labelSelector: - matchLabels: - app: busybox ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeploy03 - labels: - app: busybox -spec: - selector: - matchLabels: - app: busybox - replicas: 1 - template: - metadata: - labels: - app: busybox - spec: - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 \ No newline at end of file diff --git a/other-cel/topologyspreadconstraints-policy/.chainsaw-test/policy-ready.yaml b/other-cel/topologyspreadconstraints-policy/.chainsaw-test/policy-ready.yaml deleted file mode 100755 index 42ae17e55..000000000 --- a/other-cel/topologyspreadconstraints-policy/.chainsaw-test/policy-ready.yaml +++ /dev/null 
@@ -1,10 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
- name: topologyspreadconstraints-policy
-status:
- conditions:
- - reason: Succeeded
- status: "True"
- type: Ready
-
diff --git a/other-cel/topologyspreadconstraints-policy/.kyverno-test/kyverno-test.yaml b/other-cel/topologyspreadconstraints-policy/.kyverno-test/kyverno-test.yaml
deleted file mode 100644
index d1e1c210e..000000000
--- a/other-cel/topologyspreadconstraints-policy/.kyverno-test/kyverno-test.yaml
+++ /dev/null
@@ -1,33 +0,0 @@
-apiVersion: cli.kyverno.io/v1alpha1
-kind: Test
-metadata:
- name: topologyspreadconstraints
-policies:
-- ../topologyspreadconstraints-policy.yaml
-resources:
-- resource-fail1.yaml
-- resource-fail2.yaml
-- resource-fail3.yaml
-- resource-pass.yaml
-- resource-skip.yaml
-results:
-- kind: StatefulSet
- policy: topologyspreadconstraints-policy
- resources:
- - monitoring/badss01
- - monitoring/badss02
- - monitoring/badss03
- result: fail
- rule: spread-pods
-- kind: StatefulSet
- policy: topologyspreadconstraints-policy
- resources:
- - monitoring/goodss01
- result: pass
- rule: spread-pods
-- kind: StatefulSet
- policy: topologyspreadconstraints-policy
- resources:
- - monitoring/skipss01
- result: skip
- rule: spread-pods
diff --git a/other-cel/topologyspreadconstraints-policy/.kyverno-test/resource-fail1.yaml b/other-cel/topologyspreadconstraints-policy/.kyverno-test/resource-fail1.yaml
deleted file mode 100644
index 065a47ff5..000000000
--- a/other-cel/topologyspreadconstraints-policy/.kyverno-test/resource-fail1.yaml
+++ /dev/null
@@ -1,46 +0,0 @@ ---- -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: badss01 - namespace: monitoring - labels: - app: thanos-memcached -spec: - selector: - matchLabels: - app: thanos-memcached - serviceName: memcached - replicas: 3 - updateStrategy: - type: RollingUpdate - template: - metadata: - labels: - app: thanos-memcached - spec: - containers: - - name: memcached - image: memcached:1.6.17-alpine - command: - - memcached - - -m 2048 - - -o - - modern - - -v - ports: - - name: tcp-memcached - containerPort: 11211 - topologySpreadConstraints: - - maxSkew: 1 - topologyKey: foo.bar/test - whenUnsatisfiable: ScheduleAnyway - labelSelector: - matchLabels: - app: thanos-memcached - - maxSkew: 1 - topologyKey: kubernetes.io/hostname - whenUnsatisfiable: ScheduleAnyway - labelSelector: - matchLabels: - app: thanos-memcached diff --git a/other-cel/topologyspreadconstraints-policy/.kyverno-test/resource-fail2.yaml b/other-cel/topologyspreadconstraints-policy/.kyverno-test/resource-fail2.yaml deleted file mode 100644 index 0031995fc..000000000 --- a/other-cel/topologyspreadconstraints-policy/.kyverno-test/resource-fail2.yaml +++ /dev/null 
@@ -1,46 +0,0 @@ ---- -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: badss02 - namespace: monitoring - labels: - app: thanos-memcached -spec: - selector: - matchLabels: - app: thanos-memcached - serviceName: memcached - replicas: 3 - updateStrategy: - type: RollingUpdate - template: - metadata: - labels: - app: thanos-memcached - spec: - containers: - - name: memcached - image: memcached:1.6.17-alpine - command: - - memcached - - -m 2048 - - -o - - modern - - -v - ports: - - name: tcp-memcached - containerPort: 11211 - topologySpreadConstraints: - - maxSkew: 1 - topologyKey: foo.bar/test - whenUnsatisfiable: ScheduleAnyway - labelSelector: - matchLabels: - app: thanos-memcached - - maxSkew: 1 - topologyKey: topology.kubernetes.io/zone - whenUnsatisfiable: ScheduleAnyway - labelSelector: - matchLabels: - app: thanos-memcached diff --git a/other-cel/topologyspreadconstraints-policy/.kyverno-test/resource-fail3.yaml b/other-cel/topologyspreadconstraints-policy/.kyverno-test/resource-fail3.yaml deleted file mode 100644 index d88b17bf3..000000000 --- a/other-cel/topologyspreadconstraints-policy/.kyverno-test/resource-fail3.yaml +++ /dev/null @@ -1,33 +0,0 @@ ---- -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: badss03 - namespace: monitoring - labels: - app: thanos-memcached -spec: - selector: - matchLabels: - app: thanos-memcached - serviceName: memcached - replicas: 3 - updateStrategy: - type: RollingUpdate - template: - metadata: - labels: - app: thanos-memcached - spec: - containers: - - name: memcached - image: memcached:1.6.17-alpine - command: - - memcached - - -m 2048 - - -o - - modern - - -v - ports: - - name: tcp-memcached - containerPort: 11211 diff --git a/other-cel/topologyspreadconstraints-policy/.kyverno-test/resource-pass.yaml b/other-cel/topologyspreadconstraints-policy/.kyverno-test/resource-pass.yaml deleted file mode 100644 index 0310e6b00..000000000 
--- a/other-cel/topologyspreadconstraints-policy/.kyverno-test/resource-pass.yaml +++ /dev/null @@ -1,52 +0,0 @@ ---- -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: goodss01 - namespace: monitoring - labels: - app: thanos-memcached -spec: - selector: - matchLabels: - app: thanos-memcached - serviceName: memcached - replicas: 3 - updateStrategy: - type: RollingUpdate - template: - metadata: - labels: - app: thanos-memcached - spec: - containers: - - name: memcached - image: memcached:1.6.17-alpine - command: - - memcached - - -m 2048 - - -o - - modern - - -v - ports: - - name: tcp-memcached - containerPort: 11211 - topologySpreadConstraints: - - maxSkew: 1 - topologyKey: foo.bar/test - whenUnsatisfiable: ScheduleAnyway - labelSelector: - matchLabels: - app: thanos-memcached - - maxSkew: 1 - topologyKey: kubernetes.io/hostname - whenUnsatisfiable: ScheduleAnyway - labelSelector: - matchLabels: - app: thanos-memcached - - maxSkew: 1 - topologyKey: topology.kubernetes.io/zone - whenUnsatisfiable: ScheduleAnyway - labelSelector: - matchLabels: - app: thanos-memcached diff --git a/other-cel/topologyspreadconstraints-policy/.kyverno-test/resource-skip.yaml b/other-cel/topologyspreadconstraints-policy/.kyverno-test/resource-skip.yaml deleted file mode 100644 index 6761e7076..000000000 --- a/other-cel/topologyspreadconstraints-policy/.kyverno-test/resource-skip.yaml +++ /dev/null 
@@ -1,52 +0,0 @@ ---- -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: skipss01 - namespace: monitoring - labels: - app: thanos-memcached -spec: - selector: - matchLabels: - app: thanos-memcached - serviceName: memcached - replicas: 1 - updateStrategy: - type: RollingUpdate - template: - metadata: - labels: - app: thanos-memcached - spec: - containers: - - name: memcached - image: memcached:1.6.17-alpine - command: - - memcached - - -m 2048 - - -o - - modern - - -v - ports: - - name: tcp-memcached - containerPort: 11211 - topologySpreadConstraints: - - maxSkew: 1 - topologyKey: foo.bar/test - whenUnsatisfiable: ScheduleAnyway - labelSelector: - matchLabels: - app: thanos-memcached - - maxSkew: 1 - topologyKey: kubernetes.io/hostname - whenUnsatisfiable: ScheduleAnyway - labelSelector: - matchLabels: - app: thanos-memcached - - maxSkew: 1 - topologyKey: topology.kubernetes.io/zone - whenUnsatisfiable: ScheduleAnyway - labelSelector: - matchLabels: - app: thanos-memcached diff --git a/other-cel/topologyspreadconstraints-policy/artifacthub-pkg.yml b/other-cel/topologyspreadconstraints-policy/artifacthub-pkg.yml deleted file mode 100644 index 5e3f12c95..000000000 --- a/other-cel/topologyspreadconstraints-policy/artifacthub-pkg.yml +++ /dev/null 
@@ -1,24 +0,0 @@
-name: topologyspreadconstraints-policy-cel
-version: 1.0.0
-displayName: Spread Pods Across Nodes & Zones in CEL expressions
-description: >-
- Deployments to a Kubernetes cluster with multiple availability zones often need to distribute those replicas to align with those zones to ensure site-level failures do not impact availability. This policy ensures topologySpreadConstraints are defined, to spread pods over nodes and zones. Deployments or Statefulsets with leass than 3 replicas are skipped.
-install: |-
- ```shell
- kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other-cel/topologyspreadconstraints-policy/topologyspreadconstraints-policy.yaml
- ```
-keywords:
- - kyverno
- - Sample
- - CEL Expressions
-readme: |
- Deployments to a Kubernetes cluster with multiple availability zones often need to distribute those replicas to align with those zones to ensure site-level failures do not impact availability. This policy ensures topologySpreadConstraints are defined, to spread pods over nodes and zones. Deployments or Statefulsets with leass than 3 replicas are skipped.
-
- Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/
-annotations:
- kyverno/category: "Sample in CEL"
- kyverno/kubernetesVersion: "1.26-1.27"
- kyverno/subject: "Deployment, StatefulSet"
-digest: cf0723d2305d06f553934a723122bd60444b1dcff192dc9f81177c1e05951a7e
-createdAt: "2024-04-29T15:49:11Z"
-
diff --git a/other-cel/topologyspreadconstraints-policy/topologyspreadconstraints-policy.yaml b/other-cel/topologyspreadconstraints-policy/topologyspreadconstraints-policy.yaml
deleted file mode 100644
index 10fe684f3..000000000
--- a/other-cel/topologyspreadconstraints-policy/topologyspreadconstraints-policy.yaml
+++ /dev/null
@@ -1,43 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
- name: topologyspreadconstraints-policy
- annotations:
- policies.kyverno.io/title: Spread Pods Across Nodes & Zones in CEL expressions
- kyverno.io/kubernetes-version: "1.26-1.27"
- kyverno.io/kyverno-version: 1.11.0
- policies.kyverno.io/category: Sample in CEL
- policies.kyverno.io/description: >-
- Deployments to a Kubernetes cluster with multiple availability zones often need to
- distribute those replicas to align with those zones to ensure site-level failures
- do not impact availability. This policy ensures topologySpreadConstraints are defined,
- to spread pods over nodes and zones. Deployments or Statefulsets with less than 3
- replicas are skipped.
- policies.kyverno.io/minversion: 1.11.0
- policies.kyverno.io/severity: medium
- policies.kyverno.io/subject: Deployment, StatefulSet
-spec:
- background: true
- failurePolicy: Ignore
- validationFailureAction: Audit
- rules:
- - name: spread-pods
- match:
- any:
- - resources:
- kinds:
- - Deployment
- - StatefulSet
- operations:
- - CREATE
- - UPDATE
- celPreconditions:
- - name: "replicas-must-be-3-or-more"
- expression: "object.spec.replicas >= 3"
- validate:
- cel:
- expressions:
- - expression: >-
- size(object.spec.template.spec.?topologySpreadConstraints.orValue([]).filter(t, t.topologyKey == 'kubernetes.io/hostname' || t.topologyKey == 'topology.kubernetes.io/zone')) == 2
- message: "topologySpreadConstraint for kubernetes.io/hostname & topology.kubernetes.io/zone are required"
-
diff --git a/other/add-certificates-volume/.chainsaw-test/chainsaw-test.yaml b/other/add-certificates-volume/.chainsaw-test/chainsaw-test.yaml
index 25bdd805b..66a3d0778 100755
--- a/other/add-certificates-volume/.chainsaw-test/chainsaw-test.yaml
+++ b/other/add-certificates-volume/.chainsaw-test/chainsaw-test.yaml
@@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: @@ -32,9 +31,27 @@ spec: file: pod-not-patched.yaml - name: step-99 try: - - script: - content: kubectl delete all --all --force --grace-period=0 -n other-certvol-ns - - sleep: - duration: 20s - - script: - content: kubectl delete pods --all --force --grace-period=0 -n other-certvol-ns + - command: + args: + - delete + - all + - --all + - --force + - --grace-period=0 + - -n + - other-certvol-ns + entrypoint: kubectl + - command: + args: + - "20" + entrypoint: sleep + - command: + args: + - delete + - pods + - --all + - --force + - --grace-period=0 + - -n + - other-certvol-ns + entrypoint: kubectl diff --git a/other/add-certificates-volume/.chainsaw-test/pod-not-patched.yaml b/other/add-certificates-volume/.chainsaw-test/pod-not-patched.yaml index a69236e93..46f9e0e22 100644 --- a/other/add-certificates-volume/.chainsaw-test/pod-not-patched.yaml +++ b/other/add-certificates-volume/.chainsaw-test/pod-not-patched.yaml @@ -8,12 +8,12 @@ metadata: spec: containers: - name: pod02-01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 volumeMounts: - name: etc-ssl-certs mountPath: /etc/ssl/certs - name: pod02-02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 volumeMounts: - name: etc-ssl-certs mountPath: /etc/ssl/certs @@ -31,12 +31,12 @@ spec: automountServiceAccountToken: false containers: - name: pod03-01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 volumeMounts: - name: etc-ssl-certs mountPath: /etc/ssl/certs - name: pod03-02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 volumeMounts: - name: etc-ssl-certs mountPath: /etc/ssl/certs 
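Review bot: In step-99 the native `sleep` operation is replaced by a `command` that execs the host's `sleep` binary (`entrypoint: sleep`, `args: ["20"]`), which turns a declarative, tool-recognised wait into a dependency on a `sleep` executable being on PATH wherever chainsaw runs. The shell-free `command` form is a reasonable change for the two kubectl calls, but the wait does not need it; keep the removed `- sleep:` / `duration: 20s` step as it was. The first hunk also drops the `# yaml-language-server: $schema=…` header, which only affects editor validation of the Test resource but is not mentioned anywhere in the change.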
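Review bot: `busybox:1.35` on the new `image:` lines is an unqualified, tag-only reference: the registry is left to the container runtime's default (normally Docker Hub), the project no longer controls the image as it did with the `ghcr.io/kyverno/test-busybox` mirror, and a mutable tag with no digest lets the fixture change silently between test runs; anonymous Docker Hub pulls are also rate-limited, which tends to surface as flaky CI. The same substitution is made in pod-resources-patched.yaml, pod-resources.yaml, podcontroller-not-patched.yaml, podcontroller-patched.yaml, podcontroller-resources.yaml and the add-default-resources fixtures in the following hunks. If moving off GHCR is deliberate, fully qualify and pin the reference, e.g. `image: docker.io/library/busybox:1.35@sha256:<DIGEST_PLACEHOLDER>`; otherwise keep the GHCR reference.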
@@ -56,12 +56,12 @@ spec: automountServiceAccountToken: false containers: - name: pod04-01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 volumeMounts: - name: etc-ssl-certs mountPath: /etc/ssl/certs - name: pod04-02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 volumeMounts: - name: etc-ssl-certs mountPath: /etc/ssl/certs diff --git a/other/add-certificates-volume/.chainsaw-test/pod-resources-patched.yaml b/other/add-certificates-volume/.chainsaw-test/pod-resources-patched.yaml index ceb5a23ac..c6aa28284 100644 --- a/other/add-certificates-volume/.chainsaw-test/pod-resources-patched.yaml +++ b/other/add-certificates-volume/.chainsaw-test/pod-resources-patched.yaml @@ -8,12 +8,12 @@ metadata: spec: containers: - name: pod01-01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 volumeMounts: - name: etc-ssl-certs mountPath: /etc/ssl/certs - name: pod01-02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 volumeMounts: - name: etc-ssl-certs mountPath: /etc/ssl/certs diff --git a/other/add-certificates-volume/.chainsaw-test/pod-resources.yaml b/other/add-certificates-volume/.chainsaw-test/pod-resources.yaml index aa823debf..7ec78b001 100644 --- a/other/add-certificates-volume/.chainsaw-test/pod-resources.yaml +++ b/other/add-certificates-volume/.chainsaw-test/pod-resources.yaml @@ -9,9 +9,9 @@ spec: automountServiceAccountToken: false containers: - name: pod01-01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: pod01-02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod @@ -24,9 +24,9 @@ spec: automountServiceAccountToken: false containers: - name: pod02-01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: pod02-02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod 
@@ -37,9 +37,9 @@ spec: automountServiceAccountToken: false containers: - name: pod03-01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: pod03-02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod @@ -52,6 +52,6 @@ spec: automountServiceAccountToken: false containers: - name: pod04-01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: pod04-02 - image: ghcr.io/kyverno/test-busybox:1.35 \ No newline at end of file + image: busybox:1.35 \ No newline at end of file diff --git a/other/add-certificates-volume/.chainsaw-test/podcontroller-not-patched.yaml b/other/add-certificates-volume/.chainsaw-test/podcontroller-not-patched.yaml index 78905d2fe..526b2f086 100644 --- a/other/add-certificates-volume/.chainsaw-test/podcontroller-not-patched.yaml +++ b/other/add-certificates-volume/.chainsaw-test/podcontroller-not-patched.yaml @@ -20,12 +20,12 @@ spec: spec: containers: - name: bb-01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 volumeMounts: - name: etc-ssl-certs mountPath: /etc/ssl/certs - name: bb-02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 volumeMounts: - name: etc-ssl-certs mountPath: /etc/ssl/certs @@ -57,12 +57,12 @@ spec: automountServiceAccountToken: false containers: - name: bb-01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 volumeMounts: - name: etc-ssl-certs mountPath: /etc/ssl/certs - name: bb-02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 volumeMounts: - name: etc-ssl-certs mountPath: /etc/ssl/certs diff --git a/other/add-certificates-volume/.chainsaw-test/podcontroller-patched.yaml b/other/add-certificates-volume/.chainsaw-test/podcontroller-patched.yaml index 45e0837e4..fa9a421d4 100644 --- a/other/add-certificates-volume/.chainsaw-test/podcontroller-patched.yaml +++ b/other/add-certificates-volume/.chainsaw-test/podcontroller-patched.yaml 
@@ -20,12 +20,12 @@ spec: spec: containers: - name: bb-01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 volumeMounts: - name: etc-ssl-certs mountPath: /etc/ssl/certs - name: bb-02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 volumeMounts: - name: etc-ssl-certs mountPath: /etc/ssl/certs diff --git a/other/add-certificates-volume/.chainsaw-test/podcontroller-resources.yaml b/other/add-certificates-volume/.chainsaw-test/podcontroller-resources.yaml index d5740571f..ea92aa267 100644 --- a/other/add-certificates-volume/.chainsaw-test/podcontroller-resources.yaml +++ b/other/add-certificates-volume/.chainsaw-test/podcontroller-resources.yaml @@ -21,9 +21,9 @@ spec: automountServiceAccountToken: false containers: - name: bb-01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: bb-02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: apps/v1 kind: Deployment @@ -48,9 +48,9 @@ spec: automountServiceAccountToken: false containers: - name: bb-01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: bb-02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: apps/v1 kind: Deployment @@ -75,6 +75,6 @@ spec: automountServiceAccountToken: false containers: - name: bb-01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: bb-02 - image: ghcr.io/kyverno/test-busybox:1.35 \ No newline at end of file + image: busybox:1.35 \ No newline at end of file diff --git a/other/add-certificates-volume/.chainsaw-test/policy-ready.yaml b/other/add-certificates-volume/.chainsaw-test/policy-ready.yaml index be0c14872..a65c4f352 100644 --- a/other/add-certificates-volume/.chainsaw-test/policy-ready.yaml +++ b/other/add-certificates-volume/.chainsaw-test/policy-ready.yaml 
@@ -3,7 +3,4 @@ kind: ClusterPolicy metadata: name: add-certificates-volume status: - conditions: - - reason: Succeeded - status: "True" - type: Ready + ready: true \ No newline at end of file diff --git a/other/add-default-resources/.chainsaw-test/chainsaw-test.yaml b/other/add-default-resources/.chainsaw-test/chainsaw-test.yaml index 0f80d0fc6..dcd8dd9f6 100755 --- a/other/add-default-resources/.chainsaw-test/chainsaw-test.yaml +++ b/other/add-default-resources/.chainsaw-test/chainsaw-test.yaml @@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: diff --git a/other/add-default-resources/.chainsaw-test/pod-resources-patched.yaml b/other/add-default-resources/.chainsaw-test/pod-resources-patched.yaml index 4f277b474..29b66b141 100644 --- a/other/add-default-resources/.chainsaw-test/pod-resources-patched.yaml +++ b/other/add-default-resources/.chainsaw-test/pod-resources-patched.yaml @@ -5,13 +5,13 @@ metadata: spec: containers: - name: pod01-02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 resources: requests: memory: "100Mi" cpu: "100m" - name: pod01-01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 resources: requests: memory: "500Mi" @@ -24,13 +24,13 @@ metadata: spec: containers: - name: pod02-01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 resources: requests: memory: "100Mi" cpu: "100m" - name: pod02-02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 resources: requests: memory: "100Mi" diff --git a/other/add-default-resources/.chainsaw-test/pod-resources.yaml b/other/add-default-resources/.chainsaw-test/pod-resources.yaml index 67436ddcd..01994cef1 100644 --- a/other/add-default-resources/.chainsaw-test/pod-resources.yaml +++ b/other/add-default-resources/.chainsaw-test/pod-resources.yaml 
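Review bot: The readiness assert in policy-ready.yaml is weakened: `ready: true` replaces a check on the `Ready` condition with `status: "True"` and `reason: Succeeded`, so the test no longer distinguishes a policy whose condition carries a different reason, and it ties the suite to the boolean `status.ready` field, which I believe Kyverno documents as deprecated in favour of `conditions`; confirm against the Kyverno version the suite pins before relying on it. The hunk also leaves the file without a trailing newline (`\ No newline at end of file`). I would keep the `conditions:` block as it was, or at minimum restore the final newline.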
@@ -5,13 +5,13 @@ metadata: spec: containers: - name: pod01-01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 resources: requests: memory: "500Mi" cpu: "500m" - name: pod01-02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod @@ -20,9 +20,9 @@ metadata: spec: containers: - name: pod02-01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: pod02-02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 resources: requests: cpu: "500m" \ No newline at end of file diff --git a/other/add-default-resources/.chainsaw-test/podcontroller-patched.yaml b/other/add-default-resources/.chainsaw-test/podcontroller-patched.yaml index 62e72e025..70fb20b9f 100644 --- a/other/add-default-resources/.chainsaw-test/podcontroller-patched.yaml +++ b/other/add-default-resources/.chainsaw-test/podcontroller-patched.yaml @@ -17,13 +17,13 @@ spec: spec: containers: - name: bb-02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 resources: requests: memory: "100Mi" cpu: "100m" - name: bb-01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 resources: requests: memory: "500Mi" @@ -48,13 +48,13 @@ spec: spec: containers: - name: bb-01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 resources: requests: memory: "100Mi" cpu: "100m" - name: bb-02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 resources: requests: memory: "100Mi" @@ -72,13 +72,13 @@ spec: spec: containers: - name: bb-02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 resources: requests: memory: "100Mi" cpu: "100m" - name: bb-01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 resources: requests: memory: "500Mi" 
@@ -97,13 +97,13 @@ spec: spec: containers: - name: bb-01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 resources: requests: memory: "100Mi" cpu: "100m" - name: bb-02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 resources: requests: memory: "100Mi" diff --git a/other/add-default-resources/.chainsaw-test/podcontroller-resources.yaml b/other/add-default-resources/.chainsaw-test/podcontroller-resources.yaml index f17ab36f1..3fb503e7a 100644 --- a/other/add-default-resources/.chainsaw-test/podcontroller-resources.yaml +++ b/other/add-default-resources/.chainsaw-test/podcontroller-resources.yaml @@ -17,13 +17,13 @@ spec: spec: containers: - name: bb-01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 resources: requests: memory: "500Mi" cpu: "500m" - name: bb-02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: apps/v1 kind: Deployment @@ -44,9 +44,9 @@ spec: spec: containers: - name: bb-01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: bb-02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 resources: requests: cpu: "500m" @@ -63,13 +63,13 @@ spec: spec: containers: - name: bb-01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 resources: requests: memory: "500Mi" cpu: "500m" - name: bb-02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 restartPolicy: OnFailure --- apiVersion: batch/v1 @@ -84,9 +84,9 @@ spec: spec: containers: - name: bb-01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: bb-02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 resources: requests: cpu: "500m" diff --git a/other/add-default-resources/.chainsaw-test/policy-ready.yaml b/other/add-default-resources/.chainsaw-test/policy-ready.yaml index c50571612..6b339310e 100644 --- a/other/add-default-resources/.chainsaw-test/policy-ready.yaml 
+++ b/other/add-default-resources/.chainsaw-test/policy-ready.yaml
@@ -3,7 +3,4 @@ kind: ClusterPolicy
 metadata:
 name: add-default-resources
 status:
- conditions:
- - reason: Succeeded
- status: "True"
- type: Ready
+ ready: true
\ No newline at end of file
diff --git a/other/add-default-resources/add-default-resources.yaml b/other/add-default-resources/add-default-resources.yaml
index c3045562f..e91d5d2ef 100644
--- a/other/add-default-resources/add-default-resources.yaml
+++ b/other/add-default-resources/add-default-resources.yaml
@@ -34,7 +34,7 @@ spec:
 - UPDATE
 mutate:
 foreach:
- - list: "request.object.spec.[ephemeralContainers, initContainers, containers][]"
+ - list: "request.object.spec.containers[]"
 patchStrategicMerge:
 spec:
 containers:
diff --git a/other/add-default-resources/artifacthub-pkg.yml b/other/add-default-resources/artifacthub-pkg.yml
index 2c067222b..c8bf5ecb8 100644
--- a/other/add-default-resources/artifacthub-pkg.yml
+++ b/other/add-default-resources/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
 kyverno/category: "Other"
 kyverno/kubernetesVersion: "1.26"
 kyverno/subject: "Pod"
-digest: 24a5a9e9a4ee1e83ab00bb85718a70ed0cd00d28506dbc1192ab3901bd0a6bcf
+digest: 215f880a62b2c2e7627321623a22037af3f89e3e740372f02a40214da8163d79
diff --git a/other/add-default-securitycontext/.chainsaw-test/chainsaw-test.yaml b/other/add-default-securitycontext/.chainsaw-test/chainsaw-test.yaml
index 2a525d3d7..dd47f61f9 100755
--- a/other/add-default-securitycontext/.chainsaw-test/chainsaw-test.yaml
+++ b/other/add-default-securitycontext/.chainsaw-test/chainsaw-test.yaml
@@ -1,4 +1,3 @@
-# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
 apiVersion: chainsaw.kyverno.io/v1alpha1
 kind: Test
 metadata:
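Review bot: The new foreach list `request.object.spec.containers[]` in add-default-resources.yaml silently drops initContainers and ephemeralContainers from the mutation, so an init container with no requests (often the most resource-hungry step of a pod) is no longer given defaults by this policy, and nothing in the hunk or the updated artifacthub metadata records that narrowing. The old multiselect list probably never worked for init containers either, since the patch shown here is rooted at `spec.containers` and would not reach an element taken from `initContainers`; if that is why the list was trimmed, the right fix is one foreach entry per list rather than dropping coverage. Add a second entry over `request.object.spec.initContainers[]` whose patch targets `spec.initContainers` with the same per-element body, and state in the rule's message/description which container lists are covered. The per-element patch body continues outside the hunk, so the fence below leaves it as a placeholder.

```yaml
      foreach:
      - list: "request.object.spec.containers[]"
        patchStrategicMerge:
          spec:
            containers:
              # … unchanged: per-element (name)/resources patch …
      - list: "request.object.spec.initContainers[]"
        patchStrategicMerge:
          spec:
            initContainers:
              # … same per-element (name)/resources patch as for containers …
```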
diff --git a/other/add-default-securitycontext/.chainsaw-test/pod-resources-patched.yaml b/other/add-default-securitycontext/.chainsaw-test/pod-resources-patched.yaml index 7cc10d6d2..42d44876d 100644 --- a/other/add-default-securitycontext/.chainsaw-test/pod-resources-patched.yaml +++ b/other/add-default-securitycontext/.chainsaw-test/pod-resources-patched.yaml @@ -10,7 +10,7 @@ spec: fsGroup: 2000 containers: - name: pod01-01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod @@ -24,4 +24,4 @@ spec: fsGroup: 2000 containers: - name: pod02-01 - image: ghcr.io/kyverno/test-busybox:1.35 \ No newline at end of file + image: busybox:1.35 \ No newline at end of file diff --git a/other/add-default-securitycontext/.chainsaw-test/pod-resources.yaml b/other/add-default-securitycontext/.chainsaw-test/pod-resources.yaml index 64d69c149..cbacca5b3 100644 --- a/other/add-default-securitycontext/.chainsaw-test/pod-resources.yaml +++ b/other/add-default-securitycontext/.chainsaw-test/pod-resources.yaml @@ -5,7 +5,7 @@ metadata: spec: containers: - name: pod01-01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod @@ -16,4 +16,4 @@ spec: runAsNonRoot: false containers: - name: pod02-01 - image: ghcr.io/kyverno/test-busybox:1.35 \ No newline at end of file + image: busybox:1.35 \ No newline at end of file diff --git a/other/add-default-securitycontext/.chainsaw-test/podcontroller-patched.yaml b/other/add-default-securitycontext/.chainsaw-test/podcontroller-patched.yaml index 17bac1cad..5b4d38770 100644 --- a/other/add-default-securitycontext/.chainsaw-test/podcontroller-patched.yaml +++ b/other/add-default-securitycontext/.chainsaw-test/podcontroller-patched.yaml @@ -22,7 +22,7 @@ spec: runAsGroup: 3000 containers: - name: bb-01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: batch/v1 kind: CronJob 
@@ -41,5 +41,5 @@ spec: fsGroup: 2000 containers: - name: bb-01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 restartPolicy: OnFailure \ No newline at end of file diff --git a/other/add-default-securitycontext/.chainsaw-test/podcontroller-resources.yaml b/other/add-default-securitycontext/.chainsaw-test/podcontroller-resources.yaml index 9a0fd1453..c2f5d2803 100644 --- a/other/add-default-securitycontext/.chainsaw-test/podcontroller-resources.yaml +++ b/other/add-default-securitycontext/.chainsaw-test/podcontroller-resources.yaml @@ -19,7 +19,7 @@ spec: fsGroup: 1000 containers: - name: bb-01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: batch/v1 kind: CronJob @@ -35,5 +35,5 @@ spec: runAsGroup: 2000 containers: - name: bb-01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 restartPolicy: OnFailure \ No newline at end of file diff --git a/other/add-default-securitycontext/.chainsaw-test/policy-ready.yaml b/other/add-default-securitycontext/.chainsaw-test/policy-ready.yaml index 3e89df4d1..f594dc691 100644 --- a/other/add-default-securitycontext/.chainsaw-test/policy-ready.yaml +++ b/other/add-default-securitycontext/.chainsaw-test/policy-ready.yaml @@ -3,7 +3,4 @@ kind: ClusterPolicy metadata: name: add-default-securitycontext status: - conditions: - - reason: Succeeded - status: "True" - type: Ready + ready: true \ No newline at end of file diff --git a/other/add-emptydir-sizelimit/.chainsaw-test/chainsaw-test.yaml b/other/add-emptydir-sizelimit/.chainsaw-test/chainsaw-test.yaml index af2cc175f..615aa56b8 100755 --- a/other/add-emptydir-sizelimit/.chainsaw-test/chainsaw-test.yaml +++ b/other/add-emptydir-sizelimit/.chainsaw-test/chainsaw-test.yaml @@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: 
diff --git a/other/add-env-vars-from-cm/.chainsaw-test/chainsaw-test.yaml b/other/add-env-vars-from-cm/.chainsaw-test/chainsaw-test.yaml index 18e653208..173b7520e 100755 --- a/other/add-env-vars-from-cm/.chainsaw-test/chainsaw-test.yaml +++ b/other/add-env-vars-from-cm/.chainsaw-test/chainsaw-test.yaml @@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: diff --git a/other/add-env-vars-from-cm/.chainsaw-test/pod-resources-patched.yaml b/other/add-env-vars-from-cm/.chainsaw-test/pod-resources-patched.yaml index 0a72148ba..45cb5b925 100644 --- a/other/add-env-vars-from-cm/.chainsaw-test/pod-resources-patched.yaml +++ b/other/add-env-vars-from-cm/.chainsaw-test/pod-resources-patched.yaml @@ -5,23 +5,23 @@ metadata: spec: initContainers: - name: pod01-01-init - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 envFrom: - configMapRef: name: nsenvvars - name: pod01-02-init - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 envFrom: - configMapRef: name: nsenvvars containers: - name: pod01-01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 envFrom: - configMapRef: name: nsenvvars - name: pod01-02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 envFrom: - configMapRef: name: nsenvvars 
@@ -33,23 +33,23 @@ metadata: spec: initContainers: - name: pod02-01-init - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 envFrom: - configMapRef: name: nsenvvars - name: pod02-02-init - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 envFrom: - configMapRef: name: nsenvvars containers: - name: pod02-01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 envFrom: - configMapRef: name: nsenvvars - name: pod02-02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 envFrom: - configMapRef: name: nsenvvars \ No newline at end of file diff --git a/other/add-env-vars-from-cm/.chainsaw-test/pod-resources.yaml b/other/add-env-vars-from-cm/.chainsaw-test/pod-resources.yaml index 8b43d2273..b413dcd51 100644 --- a/other/add-env-vars-from-cm/.chainsaw-test/pod-resources.yaml +++ b/other/add-env-vars-from-cm/.chainsaw-test/pod-resources.yaml @@ -5,14 +5,14 @@ metadata: spec: initContainers: - name: pod01-01-init - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: pod01-02-init - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 containers: - name: pod01-01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: pod01-02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod @@ -21,17 +21,17 @@ metadata: spec: initContainers: - name: pod02-01-init - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: pod02-02-init - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 envFrom: - configMapRef: name: somenvars containers: - name: pod02-01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 envFrom: - configMapRef: name: somenvars - name: pod02-02 - image: ghcr.io/kyverno/test-busybox:1.35 \ No newline at end of file + image: busybox:1.35 \ No newline at end of file 
diff --git a/other/add-env-vars-from-cm/.chainsaw-test/podcontroller-patched.yaml b/other/add-env-vars-from-cm/.chainsaw-test/podcontroller-patched.yaml index a92a49354..4be76e7a5 100644 --- a/other/add-env-vars-from-cm/.chainsaw-test/podcontroller-patched.yaml +++ b/other/add-env-vars-from-cm/.chainsaw-test/podcontroller-patched.yaml @@ -17,23 +17,23 @@ spec: spec: initContainers: - name: pod01-01-init - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 envFrom: - configMapRef: name: nsenvvars - name: pod01-02-init - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 envFrom: - configMapRef: name: nsenvvars containers: - name: pod01-01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 envFrom: - configMapRef: name: nsenvvars - name: pod01-02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 envFrom: - configMapRef: name: nsenvvars @@ -50,23 +50,23 @@ spec: spec: initContainers: - name: pod01-01-init - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 envFrom: - configMapRef: name: nsenvvars - name: pod01-02-init - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 envFrom: - configMapRef: name: nsenvvars containers: - name: pod01-01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 envFrom: - configMapRef: name: nsenvvars - name: pod01-02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 envFrom: - configMapRef: name: nsenvvars diff --git a/other/add-env-vars-from-cm/.chainsaw-test/podcontroller-resources.yaml b/other/add-env-vars-from-cm/.chainsaw-test/podcontroller-resources.yaml index 1f1b58257..73006dd7e 100644 --- a/other/add-env-vars-from-cm/.chainsaw-test/podcontroller-resources.yaml +++ b/other/add-env-vars-from-cm/.chainsaw-test/podcontroller-resources.yaml 
@@ -17,20 +17,20 @@ spec: spec: initContainers: - name: pod01-01-init - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: pod01-02-init - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 envFrom: - configMapRef: name: somenvars containers: - name: pod01-01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 envFrom: - configMapRef: name: somenvars - name: pod01-02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: batch/v1 kind: CronJob @@ -44,18 +44,18 @@ spec: spec: initContainers: - name: pod01-01-init - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: pod01-02-init - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 envFrom: - configMapRef: name: somenvars containers: - name: pod01-01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 envFrom: - configMapRef: name: somenvars - name: pod01-02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 restartPolicy: OnFailure \ No newline at end of file diff --git a/other/add-env-vars-from-cm/.chainsaw-test/policy-ready.yaml b/other/add-env-vars-from-cm/.chainsaw-test/policy-ready.yaml index f405b3afc..f7a674d66 100644 --- a/other/add-env-vars-from-cm/.chainsaw-test/policy-ready.yaml +++ b/other/add-env-vars-from-cm/.chainsaw-test/policy-ready.yaml @@ -3,7 +3,4 @@ kind: ClusterPolicy metadata: name: add-env-vars-from-cm status: - conditions: - - reason: Succeeded - status: "True" - type: Ready + ready: true \ No newline at end of file diff --git a/other/add-image-as-env-var/.chainsaw-test/chainsaw-test.yaml b/other/add-image-as-env-var/.chainsaw-test/chainsaw-test.yaml index f024f465a..cb701a244 100755 --- a/other/add-image-as-env-var/.chainsaw-test/chainsaw-test.yaml +++ b/other/add-image-as-env-var/.chainsaw-test/chainsaw-test.yaml 
@@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: diff --git a/other/add-imagepullsecrets-for-containers-and-initcontainers/.chainsaw-test/chainsaw-test.yaml b/other/add-imagepullsecrets-for-containers-and-initcontainers/.chainsaw-test/chainsaw-test.yaml index 9fb635c5d..7c27ecd8d 100755 --- a/other/add-imagepullsecrets-for-containers-and-initcontainers/.chainsaw-test/chainsaw-test.yaml +++ b/other/add-imagepullsecrets-for-containers-and-initcontainers/.chainsaw-test/chainsaw-test.yaml @@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: diff --git a/other/add-imagepullsecrets-for-containers-and-initcontainers/.chainsaw-test/pod-not-patched.yaml b/other/add-imagepullsecrets-for-containers-and-initcontainers/.chainsaw-test/pod-not-patched.yaml index 9bb9e0a3f..06a84293d 100644 --- a/other/add-imagepullsecrets-for-containers-and-initcontainers/.chainsaw-test/pod-not-patched.yaml +++ b/other/add-imagepullsecrets-for-containers-and-initcontainers/.chainsaw-test/pod-not-patched.yaml @@ -5,14 +5,14 @@ metadata: spec: initContainers: - name: pod05-01-init - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: pod05-02-init - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 containers: - name: pod05-01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: pod05-02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 imagePullSecrets: - name: my-secret --- 
@@ -23,8 +23,8 @@ metadata: spec: containers: - name: pod06-01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: pod06-02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 imagePullSecrets: - name: my-secret \ No newline at end of file diff --git a/other/add-imagepullsecrets-for-containers-and-initcontainers/.chainsaw-test/pod-resources-patched.yaml b/other/add-imagepullsecrets-for-containers-and-initcontainers/.chainsaw-test/pod-resources-patched.yaml index 4980087ab..b2accd0f9 100644 --- a/other/add-imagepullsecrets-for-containers-and-initcontainers/.chainsaw-test/pod-resources-patched.yaml +++ b/other/add-imagepullsecrets-for-containers-and-initcontainers/.chainsaw-test/pod-resources-patched.yaml @@ -7,7 +7,7 @@ spec: - name: pod01-01 image: corp.reg.com/busybox:1.35 - name: pod01-02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 imagePullSecrets: - name: my-secret --- @@ -20,12 +20,12 @@ spec: - name: pod02-01-init image: corp.reg.com/busybox:1.35 - name: pod02-02-init - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 containers: - name: pod02-01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: pod02-02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 imagePullSecrets: - name: my-secret --- @@ -36,14 +36,14 @@ metadata: spec: initContainers: - name: pod03-01-init - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: pod03-02-init - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 containers: - name: pod03-01 image: corp.reg.com/busybox:1.35 - name: pod03-02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 imagePullSecrets: - name: my-secret - name: foo-bar 
@@ -55,13 +55,13 @@ metadata: spec: initContainers: - name: pod04-01-init - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: pod04-02-init image: corp.reg.com/busybox:1.35 containers: - name: pod04-01 image: corp.reg.com/busybox:1.35 - name: pod04-02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 imagePullSecrets: - name: my-secret \ No newline at end of file diff --git a/other/add-imagepullsecrets-for-containers-and-initcontainers/.chainsaw-test/pod-resources.yaml b/other/add-imagepullsecrets-for-containers-and-initcontainers/.chainsaw-test/pod-resources.yaml index b8705826b..a10b115ef 100644 --- a/other/add-imagepullsecrets-for-containers-and-initcontainers/.chainsaw-test/pod-resources.yaml +++ b/other/add-imagepullsecrets-for-containers-and-initcontainers/.chainsaw-test/pod-resources.yaml @@ -7,7 +7,7 @@ spec: - name: pod01-01 image: corp.reg.com/busybox:1.35 - name: pod01-02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod @@ -18,12 +18,12 @@ spec: - name: pod02-01-init image: corp.reg.com/busybox:1.35 - name: pod02-02-init - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 containers: - name: pod02-01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: pod02-02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod @@ -32,14 +32,14 @@ metadata: spec: initContainers: - name: pod03-01-init - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: pod03-02-init - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 containers: - name: pod03-01 image: corp.reg.com/busybox:1.35 - name: pod03-02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 imagePullSecrets: - name: foo-bar --- 
@@ -50,14 +50,14 @@ metadata: spec: initContainers: - name: pod04-01-init - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: pod04-02-init image: corp.reg.com/busybox:1.35 containers: - name: pod04-01 image: corp.reg.com/busybox:1.35 - name: pod04-02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 imagePullSecrets: - name: my-secret --- @@ -68,14 +68,14 @@ metadata: spec: initContainers: - name: pod05-01-init - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: pod05-02-init - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 containers: - name: pod05-01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: pod05-02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod @@ -84,6 +84,6 @@ metadata: spec: containers: - name: pod06-01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: pod06-02 - image: ghcr.io/kyverno/test-busybox:1.35 \ No newline at end of file + image: busybox:1.35 \ No newline at end of file diff --git a/other/add-imagepullsecrets-for-containers-and-initcontainers/.chainsaw-test/podcontroller-patched.yaml b/other/add-imagepullsecrets-for-containers-and-initcontainers/.chainsaw-test/podcontroller-patched.yaml index 2f90e7068..d775e2a4d 100644 --- a/other/add-imagepullsecrets-for-containers-and-initcontainers/.chainsaw-test/podcontroller-patched.yaml +++ b/other/add-imagepullsecrets-for-containers-and-initcontainers/.chainsaw-test/podcontroller-patched.yaml @@ -17,14 +17,14 @@ spec: spec: initContainers: - name: pod01-01-init - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: pod01-02-init image: corp.reg.com/busybox:1.35 containers: - name: pod01-01 image: corp.reg.com/busybox:1.35 - name: pod01-02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 imagePullSecrets: - name: my-secret - name: foo-bar 
@@ -41,14 +41,14 @@ spec: spec: initContainers: - name: pod01-01-init - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: pod01-02-init image: corp.reg.com/busybox:1.35 containers: - name: pod01-01 image: corp.reg.com/busybox:1.35 - name: pod01-02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 imagePullSecrets: - name: my-secret - name: foo-bar diff --git a/other/add-imagepullsecrets-for-containers-and-initcontainers/.chainsaw-test/podcontroller-resources.yaml b/other/add-imagepullsecrets-for-containers-and-initcontainers/.chainsaw-test/podcontroller-resources.yaml index d4b3abc50..f0e8dc08f 100644 --- a/other/add-imagepullsecrets-for-containers-and-initcontainers/.chainsaw-test/podcontroller-resources.yaml +++ b/other/add-imagepullsecrets-for-containers-and-initcontainers/.chainsaw-test/podcontroller-resources.yaml @@ -17,14 +17,14 @@ spec: spec: initContainers: - name: pod01-01-init - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: pod01-02-init image: corp.reg.com/busybox:1.35 containers: - name: pod01-01 image: corp.reg.com/busybox:1.35 - name: pod01-02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 imagePullSecrets: - name: foo-bar --- @@ -40,14 +40,14 @@ spec: spec: initContainers: - name: pod01-01-init - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: pod01-02-init image: corp.reg.com/busybox:1.35 containers: - name: pod01-01 image: corp.reg.com/busybox:1.35 - name: pod01-02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 imagePullSecrets: - name: foo-bar restartPolicy: OnFailure \ No newline at end of file diff --git a/other/add-imagepullsecrets-for-containers-and-initcontainers/.chainsaw-test/policy-ready.yaml b/other/add-imagepullsecrets-for-containers-and-initcontainers/.chainsaw-test/policy-ready.yaml index 3f891b23a..5d9b0ed15 100644 --- a/other/add-imagepullsecrets-for-containers-and-initcontainers/.chainsaw-test/policy-ready.yaml 
+++ b/other/add-imagepullsecrets-for-containers-and-initcontainers/.chainsaw-test/policy-ready.yaml @@ -3,7 +3,4 @@ kind: ClusterPolicy metadata: name: add-imagepullsecrets-for-containers-and-initcontainers status: - conditions: - - reason: Succeeded - status: "True" - type: Ready + ready: true \ No newline at end of file diff --git a/other/add-imagepullsecrets/.chainsaw-test/chainsaw-test.yaml b/other/add-imagepullsecrets/.chainsaw-test/chainsaw-test.yaml index a942742fd..df2bc2756 100755 --- a/other/add-imagepullsecrets/.chainsaw-test/chainsaw-test.yaml +++ b/other/add-imagepullsecrets/.chainsaw-test/chainsaw-test.yaml @@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: diff --git a/other/add-imagepullsecrets/.chainsaw-test/pod-not-patched.yaml b/other/add-imagepullsecrets/.chainsaw-test/pod-not-patched.yaml index 300a7330d..b7f43ee27 100644 --- a/other/add-imagepullsecrets/.chainsaw-test/pod-not-patched.yaml +++ b/other/add-imagepullsecrets/.chainsaw-test/pod-not-patched.yaml @@ -6,8 +6,8 @@ metadata: spec: containers: - name: pod04-01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: pod04-02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 imagePullSecrets: - name: my-secret \ No newline at end of file diff --git a/other/add-imagepullsecrets/.chainsaw-test/pod-resources-patched.yaml b/other/add-imagepullsecrets/.chainsaw-test/pod-resources-patched.yaml index b37c9a1dc..2e1cc12bc 100644 --- a/other/add-imagepullsecrets/.chainsaw-test/pod-resources-patched.yaml +++ b/other/add-imagepullsecrets/.chainsaw-test/pod-resources-patched.yaml @@ -7,7 +7,7 @@ spec: - name: pod01-01 image: corp.reg.com/busybox:1.35 - name: pod01-02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 imagePullSecrets: - name: my-secret --- 
@@ -18,7 +18,7 @@ metadata: spec: containers: - name: pod02-01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: pod02-02 image: corp.reg.com/busybox:1.35 imagePullSecrets: @@ -32,7 +32,7 @@ metadata: spec: containers: - name: pod03-01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: pod03-02 image: corp.reg.com/busybox:1.35 imagePullSecrets: diff --git a/other/add-imagepullsecrets/.chainsaw-test/pod-resources.yaml b/other/add-imagepullsecrets/.chainsaw-test/pod-resources.yaml index 05d8c5dcf..4470c7f77 100644 --- a/other/add-imagepullsecrets/.chainsaw-test/pod-resources.yaml +++ b/other/add-imagepullsecrets/.chainsaw-test/pod-resources.yaml @@ -7,7 +7,7 @@ spec: - name: pod01-01 image: corp.reg.com/busybox:1.35 - name: pod01-02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod @@ -16,7 +16,7 @@ metadata: spec: containers: - name: pod02-01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: pod02-02 image: corp.reg.com/busybox:1.35 imagePullSecrets: @@ -29,7 +29,7 @@ metadata: spec: containers: - name: pod03-01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: pod03-02 image: corp.reg.com/busybox:1.35 imagePullSecrets: @@ -42,6 +42,6 @@ metadata: spec: containers: - name: pod04-01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: pod04-02 - image: ghcr.io/kyverno/test-busybox:1.35 \ No newline at end of file + image: busybox:1.35 \ No newline at end of file diff --git a/other/add-imagepullsecrets/.chainsaw-test/podcontroller-patched.yaml b/other/add-imagepullsecrets/.chainsaw-test/podcontroller-patched.yaml index 2fa7591f0..3c6b5787c 100644 --- a/other/add-imagepullsecrets/.chainsaw-test/podcontroller-patched.yaml +++ b/other/add-imagepullsecrets/.chainsaw-test/podcontroller-patched.yaml 
@@ -19,7 +19,7 @@ spec: - name: pod01-01 image: corp.reg.com/busybox:1.35 - name: pod01-02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 imagePullSecrets: - name: my-secret - name: foo-bar @@ -38,7 +38,7 @@ spec: - name: pod01-01 image: corp.reg.com/busybox:1.35 - name: pod01-02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 imagePullSecrets: - name: my-secret - name: foo-bar diff --git a/other/add-imagepullsecrets/.chainsaw-test/podcontroller-resources.yaml b/other/add-imagepullsecrets/.chainsaw-test/podcontroller-resources.yaml index 14eb62a3a..ccc39cfe5 100644 --- a/other/add-imagepullsecrets/.chainsaw-test/podcontroller-resources.yaml +++ b/other/add-imagepullsecrets/.chainsaw-test/podcontroller-resources.yaml @@ -19,7 +19,7 @@ spec: - name: pod01-01 image: corp.reg.com/busybox:1.35 - name: pod01-02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 imagePullSecrets: - name: foo-bar --- @@ -37,7 +37,7 @@ spec: - name: pod01-01 image: corp.reg.com/busybox:1.35 - name: pod01-02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 imagePullSecrets: - name: foo-bar restartPolicy: OnFailure \ No newline at end of file diff --git a/other/add-imagepullsecrets/.chainsaw-test/policy-ready.yaml b/other/add-imagepullsecrets/.chainsaw-test/policy-ready.yaml index 912de8e6d..d0855e8ab 100644 --- a/other/add-imagepullsecrets/.chainsaw-test/policy-ready.yaml +++ b/other/add-imagepullsecrets/.chainsaw-test/policy-ready.yaml @@ -3,7 +3,4 @@ kind: ClusterPolicy metadata: name: add-imagepullsecrets status: - conditions: - - reason: Succeeded - status: "True" - type: Ready + ready: true \ No newline at end of file diff --git a/other/add-labels/.chainsaw-test/chainsaw-test.yaml b/other/add-labels/.chainsaw-test/chainsaw-test.yaml index 0e0f41503..a66b3f424 100755 --- a/other/add-labels/.chainsaw-test/chainsaw-test.yaml +++ b/other/add-labels/.chainsaw-test/chainsaw-test.yaml 
@@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: diff --git a/other/add-labels/.chainsaw-test/pod-resources-patched.yaml b/other/add-labels/.chainsaw-test/pod-resources-patched.yaml index 6b5b3c6e2..f328a3db8 100644 --- a/other/add-labels/.chainsaw-test/pod-resources-patched.yaml +++ b/other/add-labels/.chainsaw-test/pod-resources-patched.yaml @@ -7,7 +7,7 @@ metadata: spec: containers: - name: bb - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod @@ -19,4 +19,4 @@ metadata: spec: containers: - name: bb - image: ghcr.io/kyverno/test-busybox:1.35 \ No newline at end of file + image: busybox:1.35 \ No newline at end of file diff --git a/other/add-labels/.chainsaw-test/pod-resources.yaml b/other/add-labels/.chainsaw-test/pod-resources.yaml index 34e771812..3d0269253 100644 --- a/other/add-labels/.chainsaw-test/pod-resources.yaml +++ b/other/add-labels/.chainsaw-test/pod-resources.yaml @@ -5,7 +5,7 @@ metadata: spec: containers: - name: bb - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod @@ -16,4 +16,4 @@ metadata: spec: containers: - name: bb - image: ghcr.io/kyverno/test-busybox:1.35 \ No newline at end of file + image: busybox:1.35 \ No newline at end of file diff --git a/other/add-labels/.chainsaw-test/policy-ready.yaml b/other/add-labels/.chainsaw-test/policy-ready.yaml index 7e9f14965..7f1d7387c 100644 --- a/other/add-labels/.chainsaw-test/policy-ready.yaml +++ b/other/add-labels/.chainsaw-test/policy-ready.yaml @@ -3,7 +3,4 @@ kind: ClusterPolicy metadata: name: add-labels status: - conditions: - - reason: Succeeded - status: "True" - type: Ready + ready: true \ No newline at end of file 
diff --git a/other/add-ndots/.chainsaw-test/chainsaw-test.yaml b/other/add-ndots/.chainsaw-test/chainsaw-test.yaml index d01763743..8351f261d 100755 --- a/other/add-ndots/.chainsaw-test/chainsaw-test.yaml +++ b/other/add-ndots/.chainsaw-test/chainsaw-test.yaml @@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: diff --git a/other/add-ndots/.chainsaw-test/pod-resources-patched.yaml b/other/add-ndots/.chainsaw-test/pod-resources-patched.yaml index cbb19c3f4..dec79ccb9 100644 --- a/other/add-ndots/.chainsaw-test/pod-resources-patched.yaml +++ b/other/add-ndots/.chainsaw-test/pod-resources-patched.yaml @@ -9,7 +9,7 @@ spec: value: "1" containers: - name: bb - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod @@ -22,4 +22,4 @@ spec: value: "1" containers: - name: bb - image: ghcr.io/kyverno/test-busybox:1.35 \ No newline at end of file + image: busybox:1.35 \ No newline at end of file diff --git a/other/add-ndots/.chainsaw-test/pod-resources.yaml b/other/add-ndots/.chainsaw-test/pod-resources.yaml index 7a71b7c1b..25cdbe673 100644 --- a/other/add-ndots/.chainsaw-test/pod-resources.yaml +++ b/other/add-ndots/.chainsaw-test/pod-resources.yaml @@ -5,7 +5,7 @@ metadata: spec: containers: - name: bb - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod @@ -18,4 +18,4 @@ spec: value: "4" containers: - name: bb - image: ghcr.io/kyverno/test-busybox:1.35 \ No newline at end of file + image: busybox:1.35 \ No newline at end of file diff --git a/other/add-ndots/.chainsaw-test/podcontroller-patched.yaml b/other/add-ndots/.chainsaw-test/podcontroller-patched.yaml index 25b9d8e89..85ab92e24 100644 --- a/other/add-ndots/.chainsaw-test/podcontroller-patched.yaml +++ b/other/add-ndots/.chainsaw-test/podcontroller-patched.yaml 
@@ -21,7 +21,7 @@ spec: value: "1" containers: - name: bb - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: batch/v1 kind: CronJob @@ -39,5 +39,5 @@ spec: value: "1" containers: - name: bb - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 restartPolicy: OnFailure \ No newline at end of file diff --git a/other/add-ndots/.chainsaw-test/podcontroller-resources.yaml b/other/add-ndots/.chainsaw-test/podcontroller-resources.yaml index 3f5184f8a..854a38c54 100644 --- a/other/add-ndots/.chainsaw-test/podcontroller-resources.yaml +++ b/other/add-ndots/.chainsaw-test/podcontroller-resources.yaml @@ -21,7 +21,7 @@ spec: value: "4" containers: - name: bb - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: batch/v1 kind: CronJob @@ -39,5 +39,5 @@ spec: value: "4" containers: - name: bb - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 restartPolicy: OnFailure \ No newline at end of file diff --git a/other/add-ndots/.chainsaw-test/policy-ready.yaml b/other/add-ndots/.chainsaw-test/policy-ready.yaml index 7b66e88d1..d3a5e5e0a 100644 --- a/other/add-ndots/.chainsaw-test/policy-ready.yaml +++ b/other/add-ndots/.chainsaw-test/policy-ready.yaml @@ -3,7 +3,4 @@ kind: ClusterPolicy metadata: name: add-ndots status: - conditions: - - reason: Succeeded - status: "True" - type: Ready + ready: true \ No newline at end of file diff --git a/other/add-node-affinity/.chainsaw-test/chainsaw-test.yaml b/other/add-node-affinity/.chainsaw-test/chainsaw-test.yaml index b12b2b479..56fe80209 100755 --- a/other/add-node-affinity/.chainsaw-test/chainsaw-test.yaml +++ b/other/add-node-affinity/.chainsaw-test/chainsaw-test.yaml @@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: 
diff --git a/other/add-node-labels-pod/.chainsaw-test/chainsaw-step-02-apply-1.yaml b/other/add-node-labels-pod/.chainsaw-test/chainsaw-step-02-apply-1.yaml deleted file mode 100755 index 724e95832..000000000 --- a/other/add-node-labels-pod/.chainsaw-test/chainsaw-step-02-apply-1.yaml +++ /dev/null @@ -1,22 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: label-nodes-all -spec: - mutateExistingOnPolicyUpdate: true - rules: - - match: - any: - - resources: - kinds: - - Node - mutate: - patchStrategicMerge: - metadata: - labels: - foo: bar - targets: - - apiVersion: v1 - kind: Node - name: '{{ request.object.metadata.name }}' - name: label-node-foo diff --git a/other/add-node-labels-pod/.chainsaw-test/chainsaw-step-02-assert-1.yaml b/other/add-node-labels-pod/.chainsaw-test/chainsaw-step-02-assert-1.yaml deleted file mode 100755 index 4f14a601c..000000000 --- a/other/add-node-labels-pod/.chainsaw-test/chainsaw-step-02-assert-1.yaml +++ /dev/null @@ -1,5 +0,0 @@ -apiVersion: v1 -kind: Node -metadata: - labels: - foo: bar diff --git a/other/add-node-labels-pod/.chainsaw-test/chainsaw-test.yaml b/other/add-node-labels-pod/.chainsaw-test/chainsaw-test.yaml deleted file mode 100755 index 599367523..000000000 --- a/other/add-node-labels-pod/.chainsaw-test/chainsaw-test.yaml +++ /dev/null 
@@ -1,44 +0,0 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json -apiVersion: chainsaw.kyverno.io/v1alpha1 -kind: Test -metadata: - creationTimestamp: null - name: add-node-labels-pod -spec: - steps: - - name: step-01 - try: - - apply: - file: permissions.yaml - - apply: - file: clusterroles.yaml - - script: - content: | - kubectl get configmap -n kyverno kyverno -o yaml | sed 's/\[Binding,\*,\*\]//g' | sed 's/\[Pod\/binding,\*,\*\]//g' | sed 's/\[Node\/\*,\*,\*\]//g' | sed 's/\[Node,\*,\*\]//g' | kubectl apply -f - - - sleep: - duration: 5s - - name: step-02 - try: - - apply: - file: chainsaw-step-02-apply-1.yaml - - assert: - file: chainsaw-step-02-assert-1.yaml - - name: step-03 - try: - - apply: - file: ../add-node-labels-pod.yaml - - assert: - file: policy-ready.yaml - - name: step-04 - try: - - apply: - file: pod.yaml - - assert: - file: pod-patched01.yaml - - assert: - file: pod-patched02.yaml - - name: step-05 - try: - - script: - content: | - kubectl get configmap -n kyverno kyverno -o yaml | sed 's/\[SelfSubjectAccessReview,\*,\*\]/\[SelfSubjectAccessReview,\*,\*\] \[Binding,\*,\*\] \[Pod\/binding,\*,\*\]/g' | sed 's/\[APIService,\*,\*\]/\[Node,\*,\*\] \[Node\/\*,\*,\*\] \[APIService,\*,\*\]/g' | kubectl apply -f - diff --git a/other/add-node-labels-pod/.chainsaw-test/clusterroles.yaml b/other/add-node-labels-pod/.chainsaw-test/clusterroles.yaml deleted file mode 100644 index 98c544bdb..000000000 --- a/other/add-node-labels-pod/.chainsaw-test/clusterroles.yaml +++ /dev/null 
@@ -1,31 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app.kubernetes.io/component: background-controller - app.kubernetes.io/instance: kyverno - app.kubernetes.io/part-of: kyverno - name: kyverno:background-controller:update-pods -rules: -- apiGroups: - - "" - resources: - - pods - verbs: - - update ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: kyverno:background-controller:label-nodes-cri - labels: - app.kubernetes.io/component: background-controller - app.kubernetes.io/instance: kyverno - app.kubernetes.io/part-of: kyverno -rules: -- apiGroups: - - "" - resources: - - nodes - verbs: - - update \ No newline at end of file diff --git a/other/add-node-labels-pod/.chainsaw-test/permissions.yaml b/other/add-node-labels-pod/.chainsaw-test/permissions.yaml deleted file mode 100644 index 28ded9e57..000000000 --- a/other/add-node-labels-pod/.chainsaw-test/permissions.yaml +++ /dev/null @@ -1,17 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: kyverno:csr - labels: - rbac.kyverno.io/aggregate-to-background-controller: "true" - rbac.kyverno.io/aggregate-to-reports-controller: "true" - rbac.kyverno.io/aggregate-to-admission-controller: "true" -rules: -- apiGroups: - - '' - resources: - - nodes - verbs: - - get - - list - - watch \ No newline at end of file diff --git a/other/add-node-labels-pod/.chainsaw-test/pod-patched01.yaml b/other/add-node-labels-pod/.chainsaw-test/pod-patched01.yaml deleted file mode 100644 index bf514fcb6..000000000 --- a/other/add-node-labels-pod/.chainsaw-test/pod-patched01.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - labels: - app: busybox - foo: bar - name: pod01 -spec: - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 \ No newline at end of file 
diff --git a/other/add-node-labels-pod/.chainsaw-test/pod-patched02.yaml b/other/add-node-labels-pod/.chainsaw-test/pod-patched02.yaml deleted file mode 100644 index 65317e2b1..000000000 --- a/other/add-node-labels-pod/.chainsaw-test/pod-patched02.yaml +++ /dev/null @@ -1,13 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - annotations: - foo: rab - labels: - app: busybox - foo: bar - name: pod02 -spec: - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 \ No newline at end of file diff --git a/other/add-node-labels-pod/.chainsaw-test/pod.yaml b/other/add-node-labels-pod/.chainsaw-test/pod.yaml deleted file mode 100644 index ac14625d7..000000000 --- a/other/add-node-labels-pod/.chainsaw-test/pod.yaml +++ /dev/null @@ -1,23 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - labels: - app: busybox - name: pod01 -spec: - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: v1 -kind: Pod -metadata: - annotations: - foo: rab - labels: - app: busybox - name: pod02 -spec: - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 \ No newline at end of file diff --git a/other/add-node-labels-pod/.chainsaw-test/policy-ready.yaml b/other/add-node-labels-pod/.chainsaw-test/policy-ready.yaml deleted file mode 100644 index e465e7fd5..000000000 --- a/other/add-node-labels-pod/.chainsaw-test/policy-ready.yaml +++ /dev/null @@ -1,9 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: add-node-labels-pod -status: - conditions: - - reason: Succeeded - status: "True" - type: Ready \ No newline at end of file diff --git a/other/add-node-labels-pod/add-node-labels-pod.yaml b/other/add-node-labels-pod/add-node-labels-pod.yaml deleted file mode 100644 index 993860a5c..000000000 --- a/other/add-node-labels-pod/add-node-labels-pod.yaml +++ /dev/null 
@@ -1,51 +0,0 @@ -apiVersion: kyverno.io/v2beta1 -kind: ClusterPolicy -metadata: - name: add-node-labels-pod - annotations: - pod-policies.kyverno.io/autogen-controllers: none - policies.kyverno.io/title: Add scheduled Node's labels to a Pod - policies.kyverno.io/category: Other - policies.kyverno.io/subject: Pod - kyverno.io/kyverno-version: 1.10.0 - policies.kyverno.io/minversion: 1.10.0 - kyverno.io/kubernetes-version: "1.26" - policies.kyverno.io/description: >- - Containers running in Pods may sometimes need access to node-specific information on - which the Pod has been scheduled. A common use case is node topology labels to ensure - pods are spread across failure zones in racks or in the cloud. The mutate-pod-binding - policy already does this for annotations, but it does not handle labels. A useful use - case is for passing metric label information to ServiceMonitors and then into Prometheus. - This policy watches for Pod binding events when the pod is scheduled and then - asynchronously mutates the existing Pod to add the labels. - This policy requires the following changes to common default configurations: - - The kyverno resourceFilter should not filter Pod/binding resources. - - The kyverno backgroundController service account requires Update permission on pods. - It is recommended to use https://kubernetes.io/docs/reference/access-authn-authz/rbac/#aggregated-clusterroles -spec: - rules: - - name: project-foo - match: - any: - - resources: - kinds: - - Pod/binding - context: - - name: node - variable: - jmesPath: request.object.target.name - default: '' - - name: foolabel - apiCall: - urlPath: "/api/v1/nodes/{{node}}" - jmesPath: "metadata.labels.foo || 'empty'" - mutate: - targets: - - apiVersion: v1 - kind: Pod - name: "{{ request.object.metadata.name }}" - namespace: "{{ request.object.metadata.namespace }}" - patchStrategicMerge: - metadata: - labels: - foo: "{{ foolabel }}" 
diff --git a/other/add-node-labels-pod/artifacthub-pkg.yml b/other/add-node-labels-pod/artifacthub-pkg.yml deleted file mode 100644 index a6cb3441f..000000000 --- a/other/add-node-labels-pod/artifacthub-pkg.yml +++ /dev/null 
@@ -1,42 +0,0 @@ -name: add-node-labels-pod -version: 1.0.0 -displayName: Add scheduled Node's labels to a Pod -createdAt: "2024-02-26T19:57:17Z" -description: >- - Containers running in Pods may sometimes need access to node-specific information on - which the Pod has been scheduled. A common use case is node topology labels to ensure - pods are spread across failure zones in racks or in the cloud. The mutate-pod-binding - policy already does this for annotations, but it does not handle labels. A useful use - case is for passing metric label information to ServiceMonitors and then into Prometheus. - This policy watches for Pod binding events when the pod is scheduled and then - asynchronously mutates the existing Pod to add the labels. - This policy requires the following changes to common default configurations: - - The kyverno resourceFilter should not filter Pod/binding resources. - - The kyverno backgroundController service account requires Update permission on pods. - It is recommended to use https://kubernetes.io/docs/reference/access-authn-authz/rbac/#aggregated-clusterroles -install: |- - ```shell - kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/add-node-labels-pod/add-node-labels-pod.yaml - ``` -keywords: - - kyverno - - Other -readme: | - Containers running in Pods may sometimes need access to node-specific information on - which the Pod has been scheduled. A common use case is node topology labels to ensure - pods are spread across failure zones in racks or in the cloud. The mutate-pod-binding - policy already does this for annotations, but it does not handle labels. A useful use - case is for passing metric label information to ServiceMonitors and then into Prometheus. - This policy watches for Pod binding events when the pod is scheduled and then - asynchronously mutates the existing Pod to add the labels. 
- This policy requires the following changes to common default configurations: - - The kyverno resourceFilter should not filter Pod/binding resources. - - The kyverno backgroundController service account requires Update permission on pods. - It is recommended to use https://kubernetes.io/docs/reference/access-authn-authz/rbac/#aggregated-clusterroles - - Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ -annotations: - kyverno/category: "Other" - kyverno/kubernetesVersion: "1.26" - kyverno/subject: "Pod" -digest: 733cc31c2eae76882625ac15173d700659a419d0095c0542aeef272f344d3782 diff --git a/other/add-nodeSelector/.chainsaw-test/chainsaw-test.yaml b/other/add-nodeSelector/.chainsaw-test/chainsaw-test.yaml index ced0f0731..50a7add6c 100755 --- a/other/add-nodeSelector/.chainsaw-test/chainsaw-test.yaml +++ b/other/add-nodeSelector/.chainsaw-test/chainsaw-test.yaml @@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: diff --git a/other/add-nodeSelector/.chainsaw-test/pod-resources-patched.yaml b/other/add-nodeSelector/.chainsaw-test/pod-resources-patched.yaml index 1cfb8880c..76a3eb9fd 100644 --- a/other/add-nodeSelector/.chainsaw-test/pod-resources-patched.yaml +++ b/other/add-nodeSelector/.chainsaw-test/pod-resources-patched.yaml @@ -8,7 +8,7 @@ spec: color: orange containers: - name: bb - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod @@ -21,4 +21,4 @@ spec: color: orange containers: - name: bb - image: ghcr.io/kyverno/test-busybox:1.35 \ No newline at end of file + image: busybox:1.35 \ No newline at end of file diff --git a/other/add-nodeSelector/.chainsaw-test/pod-resources.yaml b/other/add-nodeSelector/.chainsaw-test/pod-resources.yaml index ea08d739f..ccea4c204 100644 
--- a/other/add-nodeSelector/.chainsaw-test/pod-resources.yaml +++ b/other/add-nodeSelector/.chainsaw-test/pod-resources.yaml @@ -5,7 +5,7 @@ metadata: spec: containers: - name: bb - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod @@ -18,4 +18,4 @@ spec: color: blue containers: - name: bb - image: ghcr.io/kyverno/test-busybox:1.35 \ No newline at end of file + image: busybox:1.35 \ No newline at end of file diff --git a/other/add-nodeSelector/.chainsaw-test/podcontroller-patched.yaml b/other/add-nodeSelector/.chainsaw-test/podcontroller-patched.yaml index 6c5951aa4..fbb0b6285 100644 --- a/other/add-nodeSelector/.chainsaw-test/podcontroller-patched.yaml +++ b/other/add-nodeSelector/.chainsaw-test/podcontroller-patched.yaml @@ -21,7 +21,7 @@ spec: color: orange containers: - name: bb - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: batch/v1 kind: CronJob @@ -39,5 +39,5 @@ spec: color: orange containers: - name: bb - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 restartPolicy: OnFailure \ No newline at end of file diff --git a/other/add-nodeSelector/.chainsaw-test/podcontroller-resources.yaml b/other/add-nodeSelector/.chainsaw-test/podcontroller-resources.yaml index 1ad3e86c4..a8ad91284 100644 --- a/other/add-nodeSelector/.chainsaw-test/podcontroller-resources.yaml +++ b/other/add-nodeSelector/.chainsaw-test/podcontroller-resources.yaml @@ -21,7 +21,7 @@ spec: color: blue containers: - name: bb - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: batch/v1 kind: CronJob @@ -39,5 +39,5 @@ spec: color: blue containers: - name: bb - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 restartPolicy: OnFailure \ No newline at end of file diff --git a/other/add-nodeSelector/.chainsaw-test/policy-ready.yaml b/other/add-nodeSelector/.chainsaw-test/policy-ready.yaml index b09e0db06..ae9a861dc 100644 
--- a/other/add-nodeSelector/.chainsaw-test/policy-ready.yaml +++ b/other/add-nodeSelector/.chainsaw-test/policy-ready.yaml @@ -3,7 +3,4 @@ kind: ClusterPolicy metadata: name: add-nodeselector status: - conditions: - - reason: Succeeded - status: "True" - type: Ready + ready: true \ No newline at end of file diff --git a/other/add-pod-priorityclassname/.chainsaw-test/chainsaw-test.yaml b/other/add-pod-priorityclassname/.chainsaw-test/chainsaw-test.yaml index 0d290be0a..ae4d59091 100755 --- a/other/add-pod-priorityclassname/.chainsaw-test/chainsaw-test.yaml +++ b/other/add-pod-priorityclassname/.chainsaw-test/chainsaw-test.yaml @@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: diff --git a/other/add-pod-proxies/.chainsaw-test/chainsaw-test.yaml b/other/add-pod-proxies/.chainsaw-test/chainsaw-test.yaml index 76b8827d6..3c1877fcb 100755 --- a/other/add-pod-proxies/.chainsaw-test/chainsaw-test.yaml +++ b/other/add-pod-proxies/.chainsaw-test/chainsaw-test.yaml @@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: diff --git a/other/add-pod-proxies/.chainsaw-test/pod-resources-patched.yaml b/other/add-pod-proxies/.chainsaw-test/pod-resources-patched.yaml index 15cc18c3b..5943dced0 100644 --- a/other/add-pod-proxies/.chainsaw-test/pod-resources-patched.yaml +++ b/other/add-pod-proxies/.chainsaw-test/pod-resources-patched.yaml @@ -5,7 +5,7 @@ metadata: spec: containers: - name: pod01-01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 env: - name: HTTP_PROXY value: http://proxy.corp.domain:8080 
@@ -14,7 +14,7 @@ spec: - name: NO_PROXY value: localhost,*.example.com - name: pod01-02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 env: - name: HTTP_PROXY value: http://proxy.corp.domain:8080 @@ -30,7 +30,7 @@ metadata: spec: containers: - name: pod02-01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 env: - name: HTTP_PROXY value: http://proxy.corp.domain:8080 @@ -39,7 +39,7 @@ spec: - name: NO_PROXY value: localhost,*.example.com - name: pod02-02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 env: - name: HTTP_PROXY value: http://proxy.corp.domain:8080 diff --git a/other/add-pod-proxies/.chainsaw-test/pod-resources.yaml b/other/add-pod-proxies/.chainsaw-test/pod-resources.yaml index a1c193a9b..cefcefe6d 100644 --- a/other/add-pod-proxies/.chainsaw-test/pod-resources.yaml +++ b/other/add-pod-proxies/.chainsaw-test/pod-resources.yaml @@ -5,9 +5,9 @@ metadata: spec: containers: - name: pod01-01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: pod01-02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod @@ -16,7 +16,7 @@ metadata: spec: containers: - name: pod02-01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 env: - name: HTTP_PROXY value: http://proxy.kyverno.domain:8080 @@ -25,7 +25,7 @@ spec: - name: NO_PROXY value: localhost,*.example.com - name: pod02-02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 env: - name: HTTP_PROXY value: http://proxy.kyverno.org:8080 diff --git a/other/add-pod-proxies/.chainsaw-test/podcontroller-patched.yaml b/other/add-pod-proxies/.chainsaw-test/podcontroller-patched.yaml index 02b7368b4..f95b070a9 100644 --- a/other/add-pod-proxies/.chainsaw-test/podcontroller-patched.yaml +++ b/other/add-pod-proxies/.chainsaw-test/podcontroller-patched.yaml 
@@ -17,7 +17,7 @@ spec: spec: containers: - name: bb-01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 env: - name: HTTP_PROXY value: http://proxy.corp.domain:8080 @@ -26,7 +26,7 @@ spec: - name: NO_PROXY value: localhost,*.example.com - name: bb-02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 env: - name: HTTP_PROXY value: http://proxy.corp.domain:8080 @@ -37,7 +37,7 @@ spec: - name: FOO value: bar - name: bb-03 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 env: - name: HTTP_PROXY value: http://proxy.corp.domain:8080 @@ -58,7 +58,7 @@ spec: spec: containers: - name: bb-01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 env: - name: HTTP_PROXY value: http://proxy.corp.domain:8080 @@ -67,7 +67,7 @@ spec: - name: NO_PROXY value: localhost,*.example.com - name: bb-02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 env: - name: HTTP_PROXY value: http://proxy.corp.domain:8080 @@ -78,7 +78,7 @@ spec: - name: FOO value: bar - name: bb-03 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 env: - name: HTTP_PROXY value: http://proxy.corp.domain:8080 diff --git a/other/add-pod-proxies/.chainsaw-test/podcontroller-resources.yaml b/other/add-pod-proxies/.chainsaw-test/podcontroller-resources.yaml index 3da033baf..69dfa0633 100644 --- a/other/add-pod-proxies/.chainsaw-test/podcontroller-resources.yaml +++ b/other/add-pod-proxies/.chainsaw-test/podcontroller-resources.yaml @@ -17,7 +17,7 @@ spec: spec: containers: - name: bb-01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 env: - name: HTTP_PROXY value: http://proxy.kyverno.domain:8080 
@@ -26,14 +26,14 @@ spec: - name: NO_PROXY value: kyverno.org - name: bb-02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 env: - name: HTTP_PROXY value: http://proxy.kyverno.org:8080 - name: FOO value: bar - name: bb-03 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: batch/v1 kind: CronJob @@ -47,7 +47,7 @@ spec: spec: containers: - name: bb-01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 env: - name: HTTP_PROXY value: http://proxy.kyverno.domain:8080 @@ -56,12 +56,12 @@ spec: - name: NO_PROXY value: kyverno.org - name: bb-02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 env: - name: HTTP_PROXY value: http://proxy.kyverno.org:8080 - name: FOO value: bar - name: bb-03 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 restartPolicy: OnFailure \ No newline at end of file diff --git a/other/add-pod-proxies/.chainsaw-test/policy-ready.yaml b/other/add-pod-proxies/.chainsaw-test/policy-ready.yaml index 5dadd830a..b41ad9e5f 100644 --- a/other/add-pod-proxies/.chainsaw-test/policy-ready.yaml +++ b/other/add-pod-proxies/.chainsaw-test/policy-ready.yaml @@ -3,7 +3,4 @@ kind: ClusterPolicy metadata: name: add-pod-proxies status: - conditions: - - reason: Succeeded - status: "True" - type: Ready + ready: true \ No newline at end of file diff --git a/other/add-tolerations/.chainsaw-test/chainsaw-test.yaml b/other/add-tolerations/.chainsaw-test/chainsaw-test.yaml index 4f28089fe..000f47086 100755 --- a/other/add-tolerations/.chainsaw-test/chainsaw-test.yaml +++ b/other/add-tolerations/.chainsaw-test/chainsaw-test.yaml @@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: diff --git a/other/add-ttl-jobs/.chainsaw-test/chainsaw-test.yaml b/other/add-ttl-jobs/.chainsaw-test/chainsaw-test.yaml index 94d747e5e..58665fb13 100755 
--- a/other/add-ttl-jobs/.chainsaw-test/chainsaw-test.yaml +++ b/other/add-ttl-jobs/.chainsaw-test/chainsaw-test.yaml @@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: diff --git a/other/add-ttl-jobs/.chainsaw-test/job-not-patched.yaml b/other/add-ttl-jobs/.chainsaw-test/job-not-patched.yaml index 428c98d95..73c047f45 100644 --- a/other/add-ttl-jobs/.chainsaw-test/job-not-patched.yaml +++ b/other/add-ttl-jobs/.chainsaw-test/job-not-patched.yaml @@ -11,7 +11,7 @@ spec: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 command: ["sleep", "3600"] restartPolicy: Never backoffLimit: 4 @@ -26,7 +26,7 @@ spec: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 command: ["sleep", "3600"] restartPolicy: Never backoffLimit: 4 \ No newline at end of file diff --git a/other/add-ttl-jobs/.chainsaw-test/job-patched.yaml b/other/add-ttl-jobs/.chainsaw-test/job-patched.yaml index 05b55c04a..e04aac641 100644 --- a/other/add-ttl-jobs/.chainsaw-test/job-patched.yaml +++ b/other/add-ttl-jobs/.chainsaw-test/job-patched.yaml @@ -8,7 +8,7 @@ spec: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 command: ["sleep", "3600"] restartPolicy: Never backoffLimit: 4 diff --git a/other/add-ttl-jobs/.chainsaw-test/job.yaml b/other/add-ttl-jobs/.chainsaw-test/job.yaml index 456158970..26b3dea6f 100644 --- a/other/add-ttl-jobs/.chainsaw-test/job.yaml +++ b/other/add-ttl-jobs/.chainsaw-test/job.yaml @@ -7,7 +7,7 @@ spec: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 command: ["sleep", "3600"] restartPolicy: Never backoffLimit: 4 
@@ -22,7 +22,7 @@ spec: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 command: ["sleep", "3600"] restartPolicy: Never backoffLimit: 4 @@ -41,7 +41,7 @@ spec: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 command: ["sleep", "3600"] restartPolicy: Never backoffLimit: 4 \ No newline at end of file diff --git a/other/add-ttl-jobs/.chainsaw-test/policy-ready.yaml b/other/add-ttl-jobs/.chainsaw-test/policy-ready.yaml index 1169d2363..c9d745ae9 100644 --- a/other/add-ttl-jobs/.chainsaw-test/policy-ready.yaml +++ b/other/add-ttl-jobs/.chainsaw-test/policy-ready.yaml @@ -3,7 +3,4 @@ kind: ClusterPolicy metadata: name: add-ttl-jobs status: - conditions: - - reason: Succeeded - status: "True" - type: Ready + ready: true \ No newline at end of file diff --git a/other/add-volume-deployment/.chainsaw-test/chainsaw-test.yaml b/other/add-volume-deployment/.chainsaw-test/chainsaw-test.yaml index 1c63dcd9f..0ed333ee4 100755 --- a/other/add-volume-deployment/.chainsaw-test/chainsaw-test.yaml +++ b/other/add-volume-deployment/.chainsaw-test/chainsaw-test.yaml @@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: @@ -20,5 +19,7 @@ spec: file: resource-mutated.yaml - name: step-03 try: - - sleep: - duration: 5s + - command: + args: + - "10" + entrypoint: sleep diff --git a/other/advanced-restrict-image-registries/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other/advanced-restrict-image-registries/.chainsaw-test/chainsaw-step-01-assert-1.yaml index 7ec4765db..817091e5a 100755 --- a/other/advanced-restrict-image-registries/.chainsaw-test/chainsaw-step-01-assert-1.yaml +++ b/other/advanced-restrict-image-registries/.chainsaw-test/chainsaw-step-01-assert-1.yaml 
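Review bot: The replacement for the `sleep` operation in step-03 of add-volume-deployment/chainsaw-test.yaml shells out to the host `sleep` binary through `command`/`entrypoint` and doubles the wait to 10s, but a step that only sleeps still asserts nothing about the state it is waiting for, so it remains a timing guess rather than a check. If the wait exists to let the mutation settle, an `assert` on the mutated Deployment (chainsaw retries asserts up to the step timeout) is deterministic and usually faster. If the delay is intentionally there for cleanup ordering, a comment like `# give the background controller time to finish before chainsaw deletes resources` in the step would document why a fixed delay is acceptable. Why the built-in `sleep` was dropped is not stated in the hunk, so the first reading is inferred.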
@@ -3,7 +3,4 @@ kind: ClusterPolicy metadata: name: advanced-restrict-image-registries status: - conditions: - - reason: Succeeded - status: "True" - type: Ready + ready: true diff --git a/other/advanced-restrict-image-registries/.chainsaw-test/chainsaw-test.yaml b/other/advanced-restrict-image-registries/.chainsaw-test/chainsaw-test.yaml index 1423f09a6..615df074c 100755 --- a/other/advanced-restrict-image-registries/.chainsaw-test/chainsaw-test.yaml +++ b/other/advanced-restrict-image-registries/.chainsaw-test/chainsaw-test.yaml @@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: @@ -8,16 +7,9 @@ spec: steps: - name: step-01 try: - - apply: - file: ../advanced-restrict-image-registries.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: advanced-restrict-image-registries - spec: - validationFailureAction: Enforce + - script: + content: | + sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../advanced-restrict-image-registries.yaml | kubectl create -f - - assert: file: chainsaw-step-01-assert-1.yaml - name: step-02 @@ -46,3 +38,10 @@ spec: - check: ($error != null): true file: podcontroller-bad.yaml + - name: step-99 + try: + - delete: + ref: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: advanced-restrict-image-registries diff --git a/other/advanced-restrict-image-registries/.chainsaw-test/pod-bad.yaml b/other/advanced-restrict-image-registries/.chainsaw-test/pod-bad.yaml index d0ccba896..647879b83 100644 --- a/other/advanced-restrict-image-registries/.chainsaw-test/pod-bad.yaml +++ b/other/advanced-restrict-image-registries/.chainsaw-test/pod-bad.yaml @@ -5,7 +5,7 @@ metadata: spec: containers: - name: busybox01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod 
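Review bot: The `sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ... | kubectl create -f -` script in step-01 of advanced-restrict-image-registries/chainsaw-test.yaml fails open: if the policy file's casing drifts back to `Audit` (the form the rest of this repo uses) the substitution is a silent no-op, the policy is installed in audit mode, and the `($error != null): true` checks later fail with an unrelated-looking error. A case-tolerant pattern, `sed 's/validationFailureAction: [Aa]udit/validationFailureAction: Enforce/'`, plus a `grep -q 'validationFailureAction: Enforce'` guard before piping to kubectl, keeps the test from depending on the policy file's exact spelling. Separately, the `delete` in step-99 only runs if every earlier step passes; as I read chainsaw, a failing step aborts the remaining steps, so a broken run leaves an Enforce-mode ClusterPolicy behind for later tests, and moving the delete into the step's `cleanup:` (or `finally:`) list makes it unconditional. Step-02 and the checks between the two hunks are only partly visible here.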
@@ -15,7 +15,7 @@ metadata: spec: initContainers: - name: busybox01-init - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: busybox02-init image: ghcr.io/busybox:1.35 containers: diff --git a/other/advanced-restrict-image-registries/advanced-restrict-image-registries.yaml b/other/advanced-restrict-image-registries/advanced-restrict-image-registries.yaml index 66fcac0df..dd8d68cab 100644 --- a/other/advanced-restrict-image-registries/advanced-restrict-image-registries.yaml +++ b/other/advanced-restrict-image-registries/advanced-restrict-image-registries.yaml @@ -18,7 +18,7 @@ metadata: policy which gets a global approved registry from a ConfigMap and, based upon an annotation at the Namespace level, gets the registry approved for that Namespace. spec: - validationFailureAction: Audit + validationFailureAction: audit background: false rules: - name: validate-corp-registries diff --git a/other/advanced-restrict-image-registries/artifacthub-pkg.yml b/other/advanced-restrict-image-registries/artifacthub-pkg.yml index 5a3b8e24d..fb7c76feb 100644 --- a/other/advanced-restrict-image-registries/artifacthub-pkg.yml +++ b/other/advanced-restrict-image-registries/artifacthub-pkg.yml @@ -19,4 +19,4 @@ annotations: kyverno/category: "Other" kyverno/kubernetesVersion: "1.23" kyverno/subject: "Pod" -digest: c582453b374fec43c59725d5f29e195ff29c3489b1c0dc82056b1d5f34e0323b +digest: 097d77b169e92cf516517b46d4be2600f04ea39b3d58650fbaecee13eb201058 diff --git a/other/allowed-annotations/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other/allowed-annotations/.chainsaw-test/chainsaw-step-01-assert-1.yaml index 58bfac67e..089b2140f 100755 --- a/other/allowed-annotations/.chainsaw-test/chainsaw-step-01-assert-1.yaml +++ b/other/allowed-annotations/.chainsaw-test/chainsaw-step-01-assert-1.yaml @@ -3,7 +3,4 @@ kind: ClusterPolicy metadata: name: allowed-annotations status: - conditions: - - reason: Succeeded - status: "True" - type: Ready + ready: true 
diff --git a/other/allowed-annotations/.chainsaw-test/chainsaw-test.yaml b/other/allowed-annotations/.chainsaw-test/chainsaw-test.yaml index 3c3e9bce9..9a382bf7e 100755 --- a/other/allowed-annotations/.chainsaw-test/chainsaw-test.yaml +++ b/other/allowed-annotations/.chainsaw-test/chainsaw-test.yaml @@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: @@ -8,16 +7,9 @@ spec: steps: - name: step-01 try: - - apply: - file: ../allowed-annotations.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: allowed-annotations - spec: - validationFailureAction: Enforce + - script: + content: | + sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../allowed-annotations.yaml | kubectl create -f - - assert: file: chainsaw-step-01-assert-1.yaml - name: step-02 @@ -36,3 +28,10 @@ spec: - check: ($error != null): true file: podcontroller-bad.yaml + - name: step-99 + try: + - delete: + ref: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: allowed-annotations diff --git a/other/allowed-annotations/.chainsaw-test/pod-bad.yaml b/other/allowed-annotations/.chainsaw-test/pod-bad.yaml index 1e16d26d9..0b5d757e4 100644 --- a/other/allowed-annotations/.chainsaw-test/pod-bad.yaml +++ b/other/allowed-annotations/.chainsaw-test/pod-bad.yaml @@ -7,7 +7,7 @@ metadata: spec: containers: - name: pod01-01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod @@ -19,7 +19,7 @@ metadata: spec: containers: - name: pod02-01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod @@ -31,7 +31,7 @@ metadata: spec: containers: - name: pod-01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod 
@@ -43,4 +43,4 @@ metadata: spec: containers: - name: pod-01 - image: ghcr.io/kyverno/test-busybox:1.35 \ No newline at end of file + image: busybox:1.35 \ No newline at end of file diff --git a/other/allowed-annotations/.chainsaw-test/pod-good.yaml b/other/allowed-annotations/.chainsaw-test/pod-good.yaml index cba4a832e..562703bde 100644 --- a/other/allowed-annotations/.chainsaw-test/pod-good.yaml +++ b/other/allowed-annotations/.chainsaw-test/pod-good.yaml @@ -5,7 +5,7 @@ metadata: spec: containers: - name: pod01-01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod @@ -18,7 +18,7 @@ metadata: spec: containers: - name: pod02-01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod @@ -29,7 +29,7 @@ metadata: spec: containers: - name: pod-01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod @@ -41,4 +41,4 @@ metadata: spec: containers: - name: pod-01 - image: ghcr.io/kyverno/test-busybox:1.35 \ No newline at end of file + image: busybox:1.35 \ No newline at end of file diff --git a/other/allowed-annotations/.chainsaw-test/podcontroller-bad.yaml b/other/allowed-annotations/.chainsaw-test/podcontroller-bad.yaml index 95561c9b2..5fc6b883c 100644 --- a/other/allowed-annotations/.chainsaw-test/podcontroller-bad.yaml +++ b/other/allowed-annotations/.chainsaw-test/podcontroller-bad.yaml @@ -20,7 +20,7 @@ spec: spec: containers: - name: bb-01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: apps/v1 kind: Deployment @@ -44,7 +44,7 @@ spec: spec: containers: - name: bb-01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: batch/v1 kind: CronJob @@ -62,7 +62,7 @@ spec: spec: containers: - name: hello - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 imagePullPolicy: IfNotPresent command: - "sleep" 
@@ -85,7 +85,7 @@ spec: spec: containers: - name: hello - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 imagePullPolicy: IfNotPresent command: - "sleep" diff --git a/other/allowed-annotations/.chainsaw-test/podcontroller-good.yaml b/other/allowed-annotations/.chainsaw-test/podcontroller-good.yaml index ea04d0443..0fb2af431 100644 --- a/other/allowed-annotations/.chainsaw-test/podcontroller-good.yaml +++ b/other/allowed-annotations/.chainsaw-test/podcontroller-good.yaml @@ -19,7 +19,7 @@ spec: spec: containers: - name: bb-01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: apps/v1 kind: Deployment @@ -43,7 +43,7 @@ spec: spec: containers: - name: bb-01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: apps/v1 kind: Deployment @@ -64,7 +64,7 @@ spec: spec: containers: - name: bb-01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: batch/v1 kind: CronJob @@ -81,7 +81,7 @@ spec: spec: containers: - name: hello - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 imagePullPolicy: IfNotPresent command: - "sleep" @@ -104,7 +104,7 @@ spec: spec: containers: - name: hello - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 imagePullPolicy: IfNotPresent command: - "sleep" @@ -123,7 +123,7 @@ spec: spec: containers: - name: hello - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 imagePullPolicy: IfNotPresent command: - "sleep" diff --git a/other/allowed-annotations/allowed-annotations.yaml b/other/allowed-annotations/allowed-annotations.yaml index 8015b1985..f41c976fa 100644 --- a/other/allowed-annotations/allowed-annotations.yaml +++ b/other/allowed-annotations/allowed-annotations.yaml 
@@ -16,7 +16,7 @@ metadata: This policy demonstrates how to allow two annotations with a specific key name of fluxcd.io/ while denying others that do not meet the pattern. spec: - validationFailureAction: Audit + validationFailureAction: audit background: true rules: - name: allowed-fluxcd-annotations diff --git a/other/allowed-annotations/artifacthub-pkg.yml b/other/allowed-annotations/artifacthub-pkg.yml index 8f54a75a6..5d9eff405 100644 --- a/other/allowed-annotations/artifacthub-pkg.yml +++ b/other/allowed-annotations/artifacthub-pkg.yml @@ -19,4 +19,4 @@ annotations: kyverno/category: "Other" kyverno/kubernetesVersion: "1.23" kyverno/subject: "Pod, Annotation" -digest: 2ad5a50371741705bc0ad146f2da4a2f3f15d5b518f2e88b511b871cdf90b638 +digest: b210e6f51fdf0e8bf5e3c463cf60d5cf890bdfa8b27d899d6947a5bef3709e62 diff --git a/other/allowed-base-images/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other/allowed-base-images/.chainsaw-test/chainsaw-step-01-assert-1.yaml index 857a74d89..8ea7309d1 100755 --- a/other/allowed-base-images/.chainsaw-test/chainsaw-step-01-assert-1.yaml +++ b/other/allowed-base-images/.chainsaw-test/chainsaw-step-01-assert-1.yaml @@ -3,7 +3,4 @@ kind: ClusterPolicy metadata: name: allowed-base-images status: - conditions: - - reason: Succeeded - status: "True" - type: Ready + ready: true diff --git a/other/allowed-base-images/.chainsaw-test/chainsaw-test.yaml b/other/allowed-base-images/.chainsaw-test/chainsaw-test.yaml index 3cae85c76..fa258f1cc 100755 --- a/other/allowed-base-images/.chainsaw-test/chainsaw-test.yaml +++ b/other/allowed-base-images/.chainsaw-test/chainsaw-test.yaml @@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: 
@@ -8,16 +7,9 @@ spec: steps: - name: step-01 try: - - apply: - file: ../allowed-base-images.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: allowed-base-images - spec: - validationFailureAction: Enforce + - script: + content: | + sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../allowed-base-images.yaml | kubectl create -f - - assert: file: chainsaw-step-01-assert-1.yaml - name: step-02 @@ -42,3 +34,10 @@ spec: - check: ($error != null): true file: podcontroller-bad.yaml + - name: step-99 + try: + - delete: + ref: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: allowed-base-images diff --git a/other/allowed-base-images/.chainsaw-test/pod-bad.yaml b/other/allowed-base-images/.chainsaw-test/pod-bad.yaml index 454b6549a..e8a16cebc 100644 --- a/other/allowed-base-images/.chainsaw-test/pod-bad.yaml +++ b/other/allowed-base-images/.chainsaw-test/pod-bad.yaml @@ -5,7 +5,7 @@ metadata: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: ko image: ghcr.io/dlorenc/hello-ko:latest --- @@ -18,7 +18,7 @@ spec: - name: ko image: ghcr.io/dlorenc/hello-ko:latest - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod @@ -27,4 +27,4 @@ metadata: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 \ No newline at end of file + image: busybox:1.35 \ No newline at end of file diff --git a/other/allowed-base-images/.chainsaw-test/podcontroller-bad.yaml b/other/allowed-base-images/.chainsaw-test/podcontroller-bad.yaml index 8d3413ad3..7937bbad5 100644 --- a/other/allowed-base-images/.chainsaw-test/podcontroller-bad.yaml +++ b/other/allowed-base-images/.chainsaw-test/podcontroller-bad.yaml @@ -17,7 +17,7 @@ spec: spec: containers: - name: kv-01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: kv-02 image: ghcr.io/dlorenc/hello-ko:latest --- 
@@ -39,6 +39,6 @@ spec: image: ghcr.io/dlorenc/hello-ko:latest imagePullPolicy: IfNotPresent - name: hello02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 imagePullPolicy: IfNotPresent restartPolicy: OnFailure \ No newline at end of file diff --git a/other/allowed-base-images/allowed-base-images.yaml b/other/allowed-base-images/allowed-base-images.yaml index 63defe1ec..94bd2006f 100644 --- a/other/allowed-base-images/allowed-base-images.yaml +++ b/other/allowed-base-images/allowed-base-images.yaml @@ -18,7 +18,7 @@ metadata: that a container's base, found in an OCI annotation, is in a cluster-wide allow list. spec: - validationFailureAction: Audit + validationFailureAction: audit rules: - name: allowed-base-images match: @@ -41,7 +41,7 @@ spec: This container image's base is not in the approved list or is not specified. Only pre-approved base images may be used. Please contact the platform team for assistance. foreach: - - list: "request.object.spec.[ephemeralContainers, initContainers, containers][]" + - list: "request.object.spec.containers" context: - name: imageData imageRegistry: diff --git a/other/allowed-base-images/artifacthub-pkg.yml b/other/allowed-base-images/artifacthub-pkg.yml index d49dff8a2..b3ecb2ba5 100644 --- a/other/allowed-base-images/artifacthub-pkg.yml +++ b/other/allowed-base-images/artifacthub-pkg.yml @@ -19,4 +19,4 @@ annotations: kyverno/category: "Other" kyverno/kubernetesVersion: "1.23" kyverno/subject: "Pod" -digest: 1daa6379745925bb2029c676fa2c2ad09cba438d06fd3a7da89220ff213af337 +digest: a0edbf4ddfa0a06c5334133357219b22af4272fc46a30489d9181e29fb38d014 diff --git a/other/allowed-image-repos/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other/allowed-image-repos/.chainsaw-test/chainsaw-step-01-assert-1.yaml index 9e0786950..d61a55ec9 100755 --- a/other/allowed-image-repos/.chainsaw-test/chainsaw-step-01-assert-1.yaml +++ b/other/allowed-image-repos/.chainsaw-test/chainsaw-step-01-assert-1.yaml 
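Review bot: Narrowing the foreach list to `request.object.spec.containers` in the `@@ -41,7 +41,7 @@` hunk of allowed-base-images.yaml removes initContainers and ephemeralContainers from the base-image check, so a Pod whose init or ephemeral container is built on an unapproved base now passes this policy. The replaced expression `request.object.spec.[ephemeralContainers, initContainers, containers][]` covered all three lists, and the policy description in the hunk context still promises that "a container's base" is checked. If the narrowing was deliberate, the description and the artifacthub annotations should say that only regular containers are covered; otherwise the previous list should be restored. The pod-bad.yaml and podcontroller-bad.yaml fixtures visible in this diff only populate `containers`, so the test suite presumably would not catch this regression either way.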
@@ -3,7 +3,4 @@ kind: ClusterPolicy metadata: name: allowed-image-repos status: - conditions: - - reason: Succeeded - status: "True" - type: Ready + ready: true diff --git a/other/allowed-image-repos/.chainsaw-test/chainsaw-test.yaml b/other/allowed-image-repos/.chainsaw-test/chainsaw-test.yaml index 2da273f7f..b67d06ae2 100755 --- a/other/allowed-image-repos/.chainsaw-test/chainsaw-test.yaml +++ b/other/allowed-image-repos/.chainsaw-test/chainsaw-test.yaml @@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: @@ -10,16 +9,9 @@ spec: try: - apply: file: ns.yaml - - apply: - file: ../allowed-image-repos.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: allowed-image-repos - spec: - validationFailureAction: Enforce + - script: + content: | + sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../allowed-image-repos.yaml | kubectl create -f - - assert: file: chainsaw-step-01-assert-1.yaml - name: step-02 @@ -40,5 +32,18 @@ spec: file: podcontroller-bad.yaml - name: step-99 try: - - script: - content: kubectl delete all --all --force --grace-period=0 -n allowed-image-repos-ns + - delete: + ref: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: allowed-image-repos + - command: + args: + - delete + - all + - --all + - --force + - --grace-period=0 + - -n + - allowed-image-repos-ns + entrypoint: kubectl diff --git a/other/allowed-image-repos/.chainsaw-test/pod-bad.yaml b/other/allowed-image-repos/.chainsaw-test/pod-bad.yaml index b537acc36..e23ebf763 100644 --- a/other/allowed-image-repos/.chainsaw-test/pod-bad.yaml +++ b/other/allowed-image-repos/.chainsaw-test/pod-bad.yaml @@ -6,7 +6,7 @@ metadata: spec: containers: - name: pod-01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod 
@@ -18,7 +18,7 @@ spec: - name: pod-01 image: myknownimage - name: pod-02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod @@ -28,7 +28,7 @@ metadata: spec: initContainers: - name: pod-01-init - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: pod-02-init image: myknownimage containers: diff --git a/other/allowed-image-repos/.chainsaw-test/podcontroller-bad.yaml b/other/allowed-image-repos/.chainsaw-test/podcontroller-bad.yaml index 7909ba6f8..bcbdf2c4a 100644 --- a/other/allowed-image-repos/.chainsaw-test/podcontroller-bad.yaml +++ b/other/allowed-image-repos/.chainsaw-test/podcontroller-bad.yaml @@ -18,10 +18,10 @@ spec: spec: initContainers: - name: bb-01-init - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 containers: - name: bb-01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: apps/v1 kind: Deployment @@ -43,12 +43,12 @@ spec: spec: initContainers: - name: bb01-init - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 containers: - name: bb-01 image: myknownimage - name: bb-02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: batch/v1 kind: CronJob @@ -66,7 +66,7 @@ spec: image: kyverno containers: - name: bb-01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 restartPolicy: OnFailure --- apiVersion: batch/v1 @@ -82,7 +82,7 @@ spec: spec: initContainers: - name: bb01-init - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 containers: - name: bb-01 image: kyverno diff --git a/other/allowed-image-repos/allowed-image-repos.yaml b/other/allowed-image-repos/allowed-image-repos.yaml index 825734aa3..88cfe4dfa 100644 --- a/other/allowed-image-repos/allowed-image-repos.yaml +++ b/other/allowed-image-repos/allowed-image-repos.yaml 
@@ -16,7 +16,7 @@ metadata: image repositories present in a given Pod, across any container type, come from the designated list. spec: - validationFailureAction: Audit + validationFailureAction: audit background: false rules: - name: good-repos diff --git a/other/allowed-image-repos/artifacthub-pkg.yml b/other/allowed-image-repos/artifacthub-pkg.yml index d30bcbe2a..27a932971 100644 --- a/other/allowed-image-repos/artifacthub-pkg.yml +++ b/other/allowed-image-repos/artifacthub-pkg.yml @@ -19,4 +19,4 @@ annotations: kyverno/category: "Other" kyverno/kubernetesVersion: "1.24" kyverno/subject: "Pod" -digest: 3d84132172c9fc5fb1e6ec6e595f9001003790dd6d680d055016953cc0ea607d +digest: 50a89455445fbfe6a6e0b04ff5c491daa7d9b15470ebbf527e10e9387369cf9d diff --git a/other/allowed-label-changes/.chainsaw-test/chainsaw-step-02-apply-1.yaml b/other/allowed-label-changes/.chainsaw-test/chainsaw-step-02-apply-1.yaml index ce8abe788..26fd44350 100755 --- a/other/allowed-label-changes/.chainsaw-test/chainsaw-step-02-apply-1.yaml +++ b/other/allowed-label-changes/.chainsaw-test/chainsaw-step-02-apply-1.yaml @@ -7,5 +7,5 @@ metadata: name: pod01 spec: containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox diff --git a/other/allowed-label-changes/.chainsaw-test/chainsaw-step-02-apply-2.yaml b/other/allowed-label-changes/.chainsaw-test/chainsaw-step-02-apply-2.yaml index fded2be92..69c177c97 100755 --- a/other/allowed-label-changes/.chainsaw-test/chainsaw-step-02-apply-2.yaml +++ b/other/allowed-label-changes/.chainsaw-test/chainsaw-step-02-apply-2.yaml @@ -4,5 +4,5 @@ metadata: name: pod02 spec: containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox diff --git a/other/allowed-label-changes/.chainsaw-test/chainsaw-step-02-apply-3.yaml b/other/allowed-label-changes/.chainsaw-test/chainsaw-step-02-apply-3.yaml index 0d3608036..9a28e7765 100755 
--- a/other/allowed-label-changes/.chainsaw-test/chainsaw-step-02-apply-3.yaml +++ b/other/allowed-label-changes/.chainsaw-test/chainsaw-step-02-apply-3.yaml @@ -6,5 +6,5 @@ metadata: name: pod03 spec: containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox diff --git a/other/allowed-label-changes/.chainsaw-test/chainsaw-step-02-apply-4.yaml b/other/allowed-label-changes/.chainsaw-test/chainsaw-step-02-apply-4.yaml index b42efe886..1b591255f 100755 --- a/other/allowed-label-changes/.chainsaw-test/chainsaw-step-02-apply-4.yaml +++ b/other/allowed-label-changes/.chainsaw-test/chainsaw-step-02-apply-4.yaml @@ -17,5 +17,5 @@ spec: app: busybox spec: containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox diff --git a/other/allowed-label-changes/.chainsaw-test/chainsaw-step-02-apply-5.yaml b/other/allowed-label-changes/.chainsaw-test/chainsaw-step-02-apply-5.yaml index 000255478..21982088b 100755 --- a/other/allowed-label-changes/.chainsaw-test/chainsaw-step-02-apply-5.yaml +++ b/other/allowed-label-changes/.chainsaw-test/chainsaw-step-02-apply-5.yaml @@ -17,5 +17,5 @@ spec: app: busybox spec: containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox diff --git a/other/allowed-label-changes/.chainsaw-test/chainsaw-step-02-apply-6.yaml b/other/allowed-label-changes/.chainsaw-test/chainsaw-step-02-apply-6.yaml index fd98e77e2..f04f9a06f 100755 --- a/other/allowed-label-changes/.chainsaw-test/chainsaw-step-02-apply-6.yaml +++ b/other/allowed-label-changes/.chainsaw-test/chainsaw-step-02-apply-6.yaml @@ -16,5 +16,5 @@ spec: name: ds01 spec: containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: ds01 diff --git a/other/allowed-label-changes/.chainsaw-test/chainsaw-step-02-apply-7.yaml b/other/allowed-label-changes/.chainsaw-test/chainsaw-step-02-apply-7.yaml index 6fa390441..fc51365cf 100755 
--- a/other/allowed-label-changes/.chainsaw-test/chainsaw-step-02-apply-7.yaml +++ b/other/allowed-label-changes/.chainsaw-test/chainsaw-step-02-apply-7.yaml @@ -13,6 +13,6 @@ spec: - command: - sleep - "3600" - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 name: busybox restartPolicy: Never diff --git a/other/allowed-label-changes/.chainsaw-test/chainsaw-step-02-apply-8.yaml b/other/allowed-label-changes/.chainsaw-test/chainsaw-step-02-apply-8.yaml index 896f17970..ef3f8c3e7 100755 --- a/other/allowed-label-changes/.chainsaw-test/chainsaw-step-02-apply-8.yaml +++ b/other/allowed-label-changes/.chainsaw-test/chainsaw-step-02-apply-8.yaml @@ -14,7 +14,7 @@ spec: - command: - sleep - "3600" - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 imagePullPolicy: IfNotPresent name: bb restartPolicy: OnFailure diff --git a/other/allowed-label-changes/.chainsaw-test/chainsaw-test.yaml b/other/allowed-label-changes/.chainsaw-test/chainsaw-test.yaml index 5a307083a..1a78b2193 100755 --- a/other/allowed-label-changes/.chainsaw-test/chainsaw-test.yaml +++ b/other/allowed-label-changes/.chainsaw-test/chainsaw-test.yaml @@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: diff --git a/other/allowed-label-changes/.chainsaw-test/policy-ready.yaml b/other/allowed-label-changes/.chainsaw-test/policy-ready.yaml index 9712e5443..0032cb311 100644 --- a/other/allowed-label-changes/.chainsaw-test/policy-ready.yaml +++ b/other/allowed-label-changes/.chainsaw-test/policy-ready.yaml @@ -3,7 +3,4 @@ kind: ClusterPolicy metadata: name: allowed-label-changes status: - conditions: - - reason: Succeeded - status: "True" - type: Ready + ready: true \ No newline at end of file 
diff --git a/other/allowed-label-changes/allowed-label-changes.yaml b/other/allowed-label-changes/allowed-label-changes.yaml index ab2d9d7cd..54ecb4c98 100644 --- a/other/allowed-label-changes/allowed-label-changes.yaml +++ b/other/allowed-label-changes/allowed-label-changes.yaml @@ -18,7 +18,7 @@ metadata: except one with the key `breakglass`. Changing, adding, or deleting any other labels is denied. spec: - validationFailureAction: Enforce + validationFailureAction: enforce background: false rules: - name: safe-label diff --git a/other/allowed-label-changes/artifacthub-pkg.yml b/other/allowed-label-changes/artifacthub-pkg.yml index 6e6ff6cac..cc0e07050 100644 --- a/other/allowed-label-changes/artifacthub-pkg.yml +++ b/other/allowed-label-changes/artifacthub-pkg.yml @@ -19,4 +19,4 @@ annotations: kyverno/category: "Other" kyverno/kubernetesVersion: "1.23" kyverno/subject: "Pod,Label" -digest: bfe02517c6edc6600d21644020d63aeaa2e762a46ef10ef4b1178b98d9602e73 +digest: 0f5a355dfc386b660a4f015b640bba3528691cdb95799ec5721ab06dbbd5afe0 diff --git a/other/allowed-pod-priorities/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other/allowed-pod-priorities/.chainsaw-test/chainsaw-step-01-assert-1.yaml index 6fd661a10..5bf922bad 100755 --- a/other/allowed-pod-priorities/.chainsaw-test/chainsaw-step-01-assert-1.yaml +++ b/other/allowed-pod-priorities/.chainsaw-test/chainsaw-step-01-assert-1.yaml @@ -3,8 +3,4 @@ kind: ClusterPolicy metadata: name: allowed-podpriorities status: - conditions: - - reason: Succeeded - status: "True" - type: Ready - + ready: true diff --git a/other/allowed-pod-priorities/.chainsaw-test/chainsaw-test.yaml b/other/allowed-pod-priorities/.chainsaw-test/chainsaw-test.yaml index d44e134c5..16d1214dd 100755 --- a/other/allowed-pod-priorities/.chainsaw-test/chainsaw-test.yaml +++ b/other/allowed-pod-priorities/.chainsaw-test/chainsaw-test.yaml 
@@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: @@ -14,16 +13,9 @@ spec: file: ns.yaml - apply: file: pc.yaml - - apply: - file: ../allowed-pod-priorities.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: allowed-podpriorities - spec: - validationFailureAction: Enforce + - script: + content: | + sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../allowed-pod-priorities.yaml | kubectl create -f - - assert: file: chainsaw-step-01-assert-1.yaml - name: step-02 @@ -42,3 +34,10 @@ spec: - check: ($error != null): true file: podcontroller-bad.yaml + - name: step-99 + try: + - delete: + ref: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: allowed-podpriorities diff --git a/other/allowed-pod-priorities/.chainsaw-test/pod-bad.yaml b/other/allowed-pod-priorities/.chainsaw-test/pod-bad.yaml index 546535346..c94fdd994 100644 --- a/other/allowed-pod-priorities/.chainsaw-test/pod-bad.yaml +++ b/other/allowed-pod-priorities/.chainsaw-test/pod-bad.yaml @@ -6,7 +6,7 @@ metadata: spec: containers: - name: pod01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 priorityClassName: foo --- apiVersion: v1 @@ -17,5 +17,5 @@ metadata: spec: containers: - name: pod01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 priorityClassName: low \ No newline at end of file diff --git a/other/allowed-pod-priorities/.chainsaw-test/pod-good.yaml b/other/allowed-pod-priorities/.chainsaw-test/pod-good.yaml index 1f400b745..962082c47 100644 --- a/other/allowed-pod-priorities/.chainsaw-test/pod-good.yaml +++ b/other/allowed-pod-priorities/.chainsaw-test/pod-good.yaml @@ -6,7 +6,7 @@ metadata: spec: containers: - name: pod01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 priorityClassName: high --- apiVersion: v1 
@@ -17,7 +17,7 @@ metadata: spec: containers: - name: pod01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 priorityClassName: low --- apiVersion: v1 @@ -27,7 +27,7 @@ metadata: spec: containers: - name: pod01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod @@ -37,7 +37,7 @@ metadata: spec: containers: - name: pod01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 priorityClassName: foo --- apiVersion: v1 @@ -47,5 +47,5 @@ metadata: spec: containers: - name: pod01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 priorityClassName: low \ No newline at end of file diff --git a/other/allowed-pod-priorities/.chainsaw-test/podcontroller-bad.yaml b/other/allowed-pod-priorities/.chainsaw-test/podcontroller-bad.yaml index 621eab03e..4c0ae45ee 100644 --- a/other/allowed-pod-priorities/.chainsaw-test/podcontroller-bad.yaml +++ b/other/allowed-pod-priorities/.chainsaw-test/podcontroller-bad.yaml @@ -19,7 +19,7 @@ spec: priorityClassName: foo containers: - name: bb-01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: apps/v1 kind: Deployment @@ -42,7 +42,7 @@ spec: priorityClassName: foo containers: - name: bb-01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: batch/v1 kind: CronJob diff --git a/other/allowed-pod-priorities/.chainsaw-test/podcontroller-good.yaml b/other/allowed-pod-priorities/.chainsaw-test/podcontroller-good.yaml index 358d87979..2c3d6c0c0 100644 --- a/other/allowed-pod-priorities/.chainsaw-test/podcontroller-good.yaml +++ b/other/allowed-pod-priorities/.chainsaw-test/podcontroller-good.yaml @@ -19,7 +19,7 @@ spec: priorityClassName: high containers: - name: bb-01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: apps/v1 kind: Deployment 
@@ -42,7 +42,7 @@ spec: priorityClassName: foo containers: - name: bb-01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: batch/v1 kind: CronJob diff --git a/other/allowed-pod-priorities/.kyverno-test/kyverno-test.yaml b/other/allowed-pod-priorities/.kyverno-test/kyverno-test.yaml index cbafc79f4..3ca64a787 100644 --- a/other/allowed-pod-priorities/.kyverno-test/kyverno-test.yaml +++ b/other/allowed-pod-priorities/.kyverno-test/kyverno-test.yaml @@ -16,13 +16,13 @@ results: - kind: CronJob policy: allowed-podpriorities resources: - - mycronjob + - hello result: pass - rule: validate-pod-priority + rule: validate-pod-priority-cronjob - kind: Pod policy: allowed-podpriorities resources: - myapp-pod result: pass - rule: validate-pod-priority + rule: validate-pod-priority-pods variables: values.yaml diff --git a/other/allowed-pod-priorities/.kyverno-test/resource.yaml b/other/allowed-pod-priorities/.kyverno-test/resource.yaml index 6e1aa5096..389e055f0 100644 --- a/other/allowed-pod-priorities/.kyverno-test/resource.yaml +++ b/other/allowed-pod-priorities/.kyverno-test/resource.yaml @@ -35,7 +35,7 @@ spec: apiVersion: batch/v1 kind: CronJob metadata: - name: mycronjob + name: hello namespace: production spec: schedule: "*/1 * * * *" diff --git a/other/allowed-pod-priorities/.kyverno-test/values.yaml b/other/allowed-pod-priorities/.kyverno-test/values.yaml index b0696ce63..6dbab6e10 100644 --- a/other/allowed-pod-priorities/.kyverno-test/values.yaml +++ b/other/allowed-pod-priorities/.kyverno-test/values.yaml 
@@ -2,16 +2,24 @@ apiVersion: cli.kyverno.io/v1alpha1 kind: Values policies: - name: allowed-podpriorities - resources: - - name: myapp-pod + rules: + - name: validate-pod-priority-pods values: podprioritydict.data.default: '["high-priority", "moderate-priority", "low-priority"]' request.namespace: default - - name: mydeploy + - name: validate-pod-priority values: podprioritydict.data.default: '["high-priority", "moderate-priority", "low-priority"]' request.namespace: default - - name: mycronjob + - name: validate-pod-priority-cronjob values: podprioritydict.data.production: '["high-priority", "moderate-priority", "low-priority"]' request.namespace: production + - name: autogen-validate-pod-priority-pods + values: + podprioritydict.data.default: '["high-priority", "moderate-priority", "low-priority"]' + request.namespace: default + - name: autogen-cronjob-validate-pod-priority-pods + values: + podprioritydict.data.default: '["high-priority", "moderate-priority", "low-priority"]' + request.namespace: default diff --git a/other/allowed-pod-priorities/allowed-pod-priorities.yaml b/other/allowed-pod-priorities/allowed-pod-priorities.yaml index a27cb9f32..d8e79a14e 100644 --- a/other/allowed-pod-priorities/allowed-pod-priorities.yaml +++ b/other/allowed-pod-priorities/allowed-pod-priorities.yaml 
@@ -15,10 +15,34 @@ metadata: PriorityClasses for the given Namespace stored in a ConfigMap. If the `priorityClassName` is not among them, the Pod is blocked. spec: - validationFailureAction: Audit + validationFailureAction: audit background: true rules: - name: validate-pod-priority + context: + - name: podprioritydict + configMap: + name: allowed-pod-priorities + namespace: default + match: + any: + - resources: + kinds: + - Deployment + - DaemonSet + - StatefulSet + - Job + validate: + message: >- + The Pod PriorityClass {{ request.object.spec.template.spec.priorityClassName }} is not in the list + of the following PriorityClasses allowed in this Namespace: {{ podprioritydict.data."{{request.namespace}}" }}. + deny: + conditions: + any: + - key: "{{ request.object.spec.template.spec.priorityClassName }}" + operator: AnyNotIn + value: '{{ podprioritydict.data."{{request.namespace}}" || "" }}' + - name: validate-pod-priority-pods context: - name: podprioritydict configMap: @@ -39,3 +63,24 @@ spec: - key: "{{ request.object.spec.priorityClassName || '' }}" operator: AnyNotIn value: '{{ podprioritydict.data."{{request.namespace}}" || "" }}' + - name: validate-pod-priority-cronjob + context: + - name: podprioritydict + configMap: + name: allowed-pod-priorities + namespace: default + match: + any: + - resources: + kinds: + - CronJob + validate: + message: >- + The Pod PriorityClass {{ request.object.spec.jobTemplate.spec.template.spec.priorityClassName }} is not in the list + of the following PriorityClasses allowed in this Namespace: {{ podprioritydict.data."{{request.namespace}}" }}. + deny: + conditions: + any: + - key: "{{ request.object.spec.jobTemplate.spec.template.spec.priorityClassName }}" + operator: AnyNotIn + value: '{{ podprioritydict.data."{{request.namespace}}" || "" }}' diff --git a/other/allowed-pod-priorities/artifacthub-pkg.yml b/other/allowed-pod-priorities/artifacthub-pkg.yml index a0ba43e4b..9f01f1dcf 100644 
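Review bot: The new `validate-pod-priority` and `validate-pod-priority-cronjob` rules read `priorityClassName` without the `|| ''` fallback that the existing `validate-pod-priority-pods` key uses (`- key: "{{ request.object.spec.priorityClassName || '' }}"` in the second hunk), so a controller whose pod template sets no priorityClassName presumably hits an unresolved-variable error instead of reaching the `AnyNotIn` comparison, and in audit mode that surfaces as a rule error rather than a report entry. Aligning the keys — `- key: "{{ request.object.spec.template.spec.priorityClassName || '' }}"` and `- key: "{{ request.object.spec.jobTemplate.spec.template.spec.priorityClassName || '' }}"` — keeps the three rules behaving the same for the common unset case. The three rules also repeat the same `podprioritydict` ConfigMap context and only the listed controller kinds (Deployment, DaemonSet, StatefulSet, Job, CronJob) are matched; whether other pod controllers are intentionally out of scope is worth a sentence in the policy description above this hunk.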
--- a/other/allowed-pod-priorities/artifacthub-pkg.yml +++ b/other/allowed-pod-priorities/artifacthub-pkg.yml @@ -18,4 +18,4 @@ readme: | annotations: kyverno/category: "Sample" kyverno/subject: "Pod" -digest: 6a99faf88ebc4e5c6f4cddf0cea870a97313b98be402e56dc4b4fb8c3f4401ca +digest: dfee34072f20005571e9d91d5f6f34a13b0874332196641ea43e67c7da1a4a1a diff --git a/other/always-pull-images/.chainsaw-test/chainsaw-test.yaml b/other/always-pull-images/.chainsaw-test/chainsaw-test.yaml index 558afd763..cd5fa0aee 100755 --- a/other/always-pull-images/.chainsaw-test/chainsaw-test.yaml +++ b/other/always-pull-images/.chainsaw-test/chainsaw-test.yaml @@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: diff --git a/other/always-pull-images/.chainsaw-test/patched-pod01.yaml b/other/always-pull-images/.chainsaw-test/patched-pod01.yaml index 4e454673d..de5ba4d2a 100644 --- a/other/always-pull-images/.chainsaw-test/patched-pod01.yaml +++ b/other/always-pull-images/.chainsaw-test/patched-pod01.yaml @@ -4,6 +4,6 @@ metadata: name: pod01 spec: containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox imagePullPolicy: Always \ No newline at end of file diff --git a/other/always-pull-images/.chainsaw-test/patched-pod02.yaml b/other/always-pull-images/.chainsaw-test/patched-pod02.yaml index b22f7528b..f06003aa2 100644 --- a/other/always-pull-images/.chainsaw-test/patched-pod02.yaml +++ b/other/always-pull-images/.chainsaw-test/patched-pod02.yaml @@ -4,6 +4,6 @@ metadata: name: pod02 spec: containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox imagePullPolicy: Always \ No newline at end of file diff --git a/other/always-pull-images/.chainsaw-test/patched-pod03.yaml b/other/always-pull-images/.chainsaw-test/patched-pod03.yaml index e7c715062..f2c0fffae 100644 
--- a/other/always-pull-images/.chainsaw-test/patched-pod03.yaml +++ b/other/always-pull-images/.chainsaw-test/patched-pod03.yaml @@ -4,9 +4,9 @@ metadata: name: pod03 spec: containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox01 imagePullPolicy: Always - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox02 imagePullPolicy: Always \ No newline at end of file diff --git a/other/always-pull-images/.chainsaw-test/podcontrollers-patched.yaml b/other/always-pull-images/.chainsaw-test/podcontrollers-patched.yaml index 45e705d07..b2fbb9b19 100644 --- a/other/always-pull-images/.chainsaw-test/podcontrollers-patched.yaml +++ b/other/always-pull-images/.chainsaw-test/podcontrollers-patched.yaml @@ -17,10 +17,10 @@ spec: spec: containers: - name: bb - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 imagePullPolicy: Always - name: bb2 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 imagePullPolicy: Always --- apiVersion: batch/v1 @@ -35,9 +35,9 @@ spec: spec: containers: - name: bb - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 imagePullPolicy: Always - name: bb2 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 imagePullPolicy: Always restartPolicy: OnFailure \ No newline at end of file diff --git a/other/always-pull-images/.chainsaw-test/podcontrollers.yaml b/other/always-pull-images/.chainsaw-test/podcontrollers.yaml index dfc0cd399..a1592a737 100644 --- a/other/always-pull-images/.chainsaw-test/podcontrollers.yaml +++ b/other/always-pull-images/.chainsaw-test/podcontrollers.yaml @@ -17,10 +17,10 @@ spec: spec: containers: - name: bb - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 imagePullPolicy: IfNotPresent - name: bb2 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: batch/v1 kind: CronJob 
@@ -34,8 +34,8 @@ spec: spec: containers: - name: bb - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: bb2 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 imagePullPolicy: IfNotPresent restartPolicy: OnFailure \ No newline at end of file diff --git a/other/always-pull-images/.chainsaw-test/pods.yaml b/other/always-pull-images/.chainsaw-test/pods.yaml index 9acf1c838..d96ee4555 100644 --- a/other/always-pull-images/.chainsaw-test/pods.yaml +++ b/other/always-pull-images/.chainsaw-test/pods.yaml @@ -4,7 +4,7 @@ metadata: name: pod01 spec: containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox --- apiVersion: v1 @@ -13,7 +13,7 @@ metadata: name: pod02 spec: containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox imagePullPolicy: IfNotPresent --- @@ -23,8 +23,8 @@ metadata: name: pod03 spec: containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox01 imagePullPolicy: IfNotPresent - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox02 \ No newline at end of file diff --git a/other/always-pull-images/.chainsaw-test/policy-ready.yaml b/other/always-pull-images/.chainsaw-test/policy-ready.yaml index 38b6d437c..b0054d5ad 100644 --- a/other/always-pull-images/.chainsaw-test/policy-ready.yaml +++ b/other/always-pull-images/.chainsaw-test/policy-ready.yaml @@ -3,7 +3,4 @@ kind: ClusterPolicy metadata: name: always-pull-images status: - conditions: - - reason: Succeeded - status: "True" - type: Ready + ready: true \ No newline at end of file diff --git a/other/annotate-base-images/.chainsaw-test/chainsaw-test.yaml b/other/annotate-base-images/.chainsaw-test/chainsaw-test.yaml index 1a13fddb9..17bf84301 100755 --- a/other/annotate-base-images/.chainsaw-test/chainsaw-test.yaml +++ b/other/annotate-base-images/.chainsaw-test/chainsaw-test.yaml 
@@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: diff --git a/other/apply-pss-restricted-profile/.chainsaw-test/chainsaw-test.yaml b/other/apply-pss-restricted-profile/.chainsaw-test/chainsaw-test.yaml index dd1f9cf4c..f8c0d78dd 100755 --- a/other/apply-pss-restricted-profile/.chainsaw-test/chainsaw-test.yaml +++ b/other/apply-pss-restricted-profile/.chainsaw-test/chainsaw-test.yaml @@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: diff --git a/other/apply-pss-restricted-profile/.chainsaw-test/podcontrollers-patched.yaml b/other/apply-pss-restricted-profile/.chainsaw-test/podcontrollers-patched.yaml index b55e1e92d..87ed4e4c1 100644 --- a/other/apply-pss-restricted-profile/.chainsaw-test/podcontrollers-patched.yaml +++ b/other/apply-pss-restricted-profile/.chainsaw-test/podcontrollers-patched.yaml @@ -24,7 +24,7 @@ spec: fsGroup: 2000 containers: - name: bb - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: privileged: false capabilities: @@ -32,7 +32,7 @@ spec: - ALL allowPrivilegeEscalation: false - name: bb2 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: privileged: false capabilities: @@ -59,7 +59,7 @@ spec: fsGroup: 2000 containers: - name: bb - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: privileged: false capabilities: @@ -67,7 +67,7 @@ spec: - ALL allowPrivilegeEscalation: false - name: bb2 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: privileged: false capabilities: 
diff --git a/other/apply-pss-restricted-profile/.chainsaw-test/podcontrollers.yaml b/other/apply-pss-restricted-profile/.chainsaw-test/podcontrollers.yaml index 127a029e3..8ef1efac9 100644 --- a/other/apply-pss-restricted-profile/.chainsaw-test/podcontrollers.yaml +++ b/other/apply-pss-restricted-profile/.chainsaw-test/podcontrollers.yaml @@ -19,11 +19,11 @@ spec: fsGroup: 1000 containers: - name: bb - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: privileged: true - name: bb2 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: batch/v1 kind: CronJob @@ -39,9 +39,9 @@ spec: runAsNonRoot: false containers: - name: bb - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: bb2 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: privileged: true restartPolicy: OnFailure \ No newline at end of file diff --git a/other/apply-pss-restricted-profile/.chainsaw-test/pods-patched.yaml b/other/apply-pss-restricted-profile/.chainsaw-test/pods-patched.yaml index 10f5fddc6..9e1b74f07 100644 --- a/other/apply-pss-restricted-profile/.chainsaw-test/pods-patched.yaml +++ b/other/apply-pss-restricted-profile/.chainsaw-test/pods-patched.yaml @@ -11,7 +11,7 @@ spec: runAsGroup: 3000 fsGroup: 2000 containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox securityContext: privileged: false @@ -33,7 +33,7 @@ spec: runAsGroup: 3000 fsGroup: 2000 containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox securityContext: privileged: false @@ -41,7 +41,7 @@ spec: drop: - ALL allowPrivilegeEscalation: false - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox2 securityContext: privileged: false @@ -63,7 +63,7 @@ spec: runAsGroup: 3000 fsGroup: 2000 containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox securityContext: privileged: false 
@@ -71,7 +71,7 @@ spec: drop: - ALL allowPrivilegeEscalation: false - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox2 securityContext: privileged: false diff --git a/other/apply-pss-restricted-profile/.chainsaw-test/pods.yaml b/other/apply-pss-restricted-profile/.chainsaw-test/pods.yaml index f6eb068f0..c53ccae77 100644 --- a/other/apply-pss-restricted-profile/.chainsaw-test/pods.yaml +++ b/other/apply-pss-restricted-profile/.chainsaw-test/pods.yaml @@ -4,7 +4,7 @@ metadata: name: pod01 spec: containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox --- apiVersion: v1 @@ -13,9 +13,9 @@ metadata: name: pod02 spec: containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox2 --- apiVersion: v1 @@ -29,9 +29,9 @@ spec: runAsGroup: 1000 fsGroup: 3000 containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox2 securityContext: privileged: true diff --git a/other/apply-pss-restricted-profile/.chainsaw-test/policy-ready.yaml b/other/apply-pss-restricted-profile/.chainsaw-test/policy-ready.yaml index 83db65cca..14fcc0f77 100644 --- a/other/apply-pss-restricted-profile/.chainsaw-test/policy-ready.yaml +++ b/other/apply-pss-restricted-profile/.chainsaw-test/policy-ready.yaml @@ -3,7 +3,4 @@ kind: ClusterPolicy metadata: name: apply-pss-restricted-profile status: - conditions: - - reason: Succeeded - status: "True" - type: Ready + ready: true \ No newline at end of file diff --git a/other/audit-event-on-delete/.chainsaw-test/chainsaw-test.yaml b/other/audit-event-on-delete/.chainsaw-test/chainsaw-test.yaml index 31e293cbd..5f9bbf985 100755 --- a/other/audit-event-on-delete/.chainsaw-test/chainsaw-test.yaml +++ b/other/audit-event-on-delete/.chainsaw-test/chainsaw-test.yaml 
@@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: diff --git a/other/audit-event-on-delete/.chainsaw-test/policy-ready.yaml b/other/audit-event-on-delete/.chainsaw-test/policy-ready.yaml index 79597ad99..ac60501ba 100644 --- a/other/audit-event-on-delete/.chainsaw-test/policy-ready.yaml +++ b/other/audit-event-on-delete/.chainsaw-test/policy-ready.yaml @@ -3,7 +3,4 @@ kind: ClusterPolicy metadata: name: audit-event-on-delete status: - conditions: - - reason: Succeeded - status: "True" - type: Ready + ready: true \ No newline at end of file diff --git a/other/audit-event-on-exec/.chainsaw-test/chainsaw-test.yaml b/other/audit-event-on-exec/.chainsaw-test/chainsaw-test.yaml index 8854bd09e..e85526195 100755 --- a/other/audit-event-on-exec/.chainsaw-test/chainsaw-test.yaml +++ b/other/audit-event-on-exec/.chainsaw-test/chainsaw-test.yaml @@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: @@ -22,22 +21,22 @@ spec: file: ns.yaml - apply: file: pod.yaml - - wait: - apiVersion: v1 - kind: Pod - name: execevent-pod - namespace: exec-event-ns - timeout: 1m - for: - condition: - name: Ready - value: 'true' - name: step-03 try: - - sleep: - duration: 5s - - script: - content: kubectl exec -n exec-event-ns execevent-pod -- ls / + - command: + args: + - "5" + entrypoint: sleep + - command: + args: + - exec + - -n + - exec-event-ns + - execevent-pod + - -- + - ls + - / + entrypoint: kubectl - name: step-04 try: - assert: diff --git a/other/audit-event-on-exec/.chainsaw-test/policy-ready.yaml b/other/audit-event-on-exec/.chainsaw-test/policy-ready.yaml index 966237f55..820c0db60 100644 --- a/other/audit-event-on-exec/.chainsaw-test/policy-ready.yaml 
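Review bot: Replacing the `wait` for the `Ready` condition on `execevent-pod` with a fixed `sleep 5` makes step-03 timing-dependent: if scheduling or the image pull takes longer than five seconds, `kubectl exec` fails and the test reports what looks like a policy failure but is a readiness race. Keeping the removed `wait` block (it already had a `timeout: 1m`) ahead of the exec, or replacing the sleep with a `command` running `kubectl wait --for=condition=Ready pod/execevent-pod -n exec-event-ns --timeout=60s`, keeps the step deterministic.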
+++ b/other/audit-event-on-exec/.chainsaw-test/policy-ready.yaml @@ -3,7 +3,4 @@ kind: ClusterPolicy metadata: name: audit-event-on-exec status: - conditions: - - reason: Succeeded - status: "True" - type: Ready + ready: true \ No newline at end of file diff --git a/other/block-cluster-admin-from-ns/.chainsaw-test/bad-pod.yaml b/other/block-cluster-admin-from-ns/.chainsaw-test/bad-pod.yaml index a93ee9bf9..f308d56aa 100644 --- a/other/block-cluster-admin-from-ns/.chainsaw-test/bad-pod.yaml +++ b/other/block-cluster-admin-from-ns/.chainsaw-test/bad-pod.yaml @@ -6,4 +6,4 @@ metadata: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 \ No newline at end of file + image: busybox:1.35 \ No newline at end of file diff --git a/other/block-cluster-admin-from-ns/.chainsaw-test/chainsaw-test.yaml b/other/block-cluster-admin-from-ns/.chainsaw-test/chainsaw-test.yaml index 51355f072..109559c42 100755 --- a/other/block-cluster-admin-from-ns/.chainsaw-test/chainsaw-test.yaml +++ b/other/block-cluster-admin-from-ns/.chainsaw-test/chainsaw-test.yaml @@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: @@ -20,8 +19,6 @@ spec: content: | #!/bin/bash set -eu - cp $KUBECONFIG temp - export KUBECONFIG=./temp export USERNAME=testuser export CA=ca.crt #### Get CA certificate from kubeconfig assuming it's the first in the list. 
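Review bot: Dropping `cp $KUBECONFIG temp` and `export KUBECONFIG=./temp` means the `kubectl config set-context $USERNAME-context --user=$USERNAME --cluster=$CLUSTER` that follows in the next hunk, together with the credential it references, is now written into the operator's real kubeconfig rather than a throwaway copy. Step-05 later unsets `users.testuser` and `contexts.testuser-context`, but only when every preceding step succeeds, so a failed run leaves a working client certificate for `testuser` in the shared kubeconfig. If the temp copy was removed because the new `command` operations do not see the script's exported `KUBECONFIG`, moving the two `config unset` commands into a `finally` block on the step (the construct this commit removes further down) would at least restore the cleanup guarantee.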
@@ -57,43 +54,63 @@ spec: kubectl config set-context $USERNAME-context --user=$USERNAME --cluster=$CLUSTER # Delete CSR kubectl delete csr $USERNAME + - name: step-03 + try: - apply: file: chainsaw-step-03-apply-1.yaml + - name: step-04 + try: + - command: + args: + - create + - -f + - good-cm.yaml + entrypoint: kubectl - script: - content: | - set -eu - export KUBECONFIG=./temp - kubectl create -f good-cm.yaml - - script: - content: | - set -eu - export KUBECONFIG=./temp - if kubectl --context=testuser-context apply -f bad-cm-update.yaml; then exit 1; else exit 0; fi - - script: - content: | - set -eu - export KUBECONFIG=./temp - if kubectl --context=testuser-context delete -f good-cm.yaml; then exit 1; else exit 0; fi + content: if kubectl --context=testuser-context apply -f bad-cm-update.yaml; + then exit 1; else exit 0; fi - script: - content: | - set -eu - export KUBECONFIG=./temp - kubectl --context=testuser-context create -f good-pod.yaml + content: if kubectl --context=testuser-context delete -f good-cm.yaml; then + exit 1; else exit 0; fi + - command: + args: + - --context=testuser-context + - create + - -f + - good-pod.yaml + entrypoint: kubectl - script: - content: | - set -eu - export KUBECONFIG=./temp - if kubectl --context=testuser-context create -f bad-pod.yaml; then exit 1; else exit 0; fi + content: if kubectl --context=testuser-context create -f bad-pod.yaml; then + exit 1; else exit 0; fi + - name: step-05 + try: + - command: + args: + - config + - unset + - users.testuser + entrypoint: kubectl + - command: + args: + - config + - unset + - contexts.testuser-context + entrypoint: kubectl + - name: step-06 + try: - apply: file: good-pod-not-admin.yaml - finally: - - script: - content: kubectl delete -f good-pod.yaml --ignore-not-found - - script: - content: kubectl delete -f good-cm.yaml --ignore-not-found - - script: - content: kubectl delete -f bad-cm-update.yaml --ignore-not-found - - script: - content: | - set -e - rm ./temp + - name: step-07 + 
try: + - command: + args: + - delete + - -f + - good-pod.yaml + entrypoint: kubectl + - command: + args: + - delete + - -f + - good-cm.yaml + entrypoint: kubectl diff --git a/other/block-cluster-admin-from-ns/.chainsaw-test/good-pod-not-admin.yaml b/other/block-cluster-admin-from-ns/.chainsaw-test/good-pod-not-admin.yaml index 9046e73b0..6425c063a 100644 --- a/other/block-cluster-admin-from-ns/.chainsaw-test/good-pod-not-admin.yaml +++ b/other/block-cluster-admin-from-ns/.chainsaw-test/good-pod-not-admin.yaml @@ -6,4 +6,4 @@ metadata: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 \ No newline at end of file + image: busybox:1.35 \ No newline at end of file diff --git a/other/block-cluster-admin-from-ns/.chainsaw-test/good-pod.yaml b/other/block-cluster-admin-from-ns/.chainsaw-test/good-pod.yaml index 1db6a8b46..88a6148a7 100644 --- a/other/block-cluster-admin-from-ns/.chainsaw-test/good-pod.yaml +++ b/other/block-cluster-admin-from-ns/.chainsaw-test/good-pod.yaml @@ -5,4 +5,4 @@ metadata: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 \ No newline at end of file + image: busybox:1.35 \ No newline at end of file diff --git a/other/block-cluster-admin-from-ns/.chainsaw-test/policy-ready.yaml b/other/block-cluster-admin-from-ns/.chainsaw-test/policy-ready.yaml index ef1a58464..c481e85a1 100644 --- a/other/block-cluster-admin-from-ns/.chainsaw-test/policy-ready.yaml +++ b/other/block-cluster-admin-from-ns/.chainsaw-test/policy-ready.yaml @@ -3,7 +3,4 @@ kind: ClusterPolicy metadata: name: block-cluster-admin-from-ns status: - conditions: - - reason: Succeeded - status: "True" - type: Ready + ready: true \ No newline at end of file diff --git a/other/block-ephemeral-containers/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other/block-ephemeral-containers/.chainsaw-test/chainsaw-step-01-assert-1.yaml index 013c407f3..1a9877928 100755 
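Review bot: The cleanup that lived in the step's `finally` block — `kubectl delete -f good-pod.yaml --ignore-not-found` and the same for `good-cm.yaml` — is now step-07 under `try`, which is not reached if steps 03–06 fail, and the `--ignore-not-found` flag is gone so the deletes themselves fail when a resource is absent. Keeping these deletes as `finally` operations and adding `- --ignore-not-found` back to each `args` list preserves the previous best-effort teardown. The enclosing step list starts outside this hunk.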
--- a/other/block-ephemeral-containers/.chainsaw-test/chainsaw-step-01-assert-1.yaml +++ b/other/block-ephemeral-containers/.chainsaw-test/chainsaw-step-01-assert-1.yaml @@ -3,8 +3,4 @@ kind: ClusterPolicy metadata: name: block-ephemeral-containers status: - conditions: - - reason: Succeeded - status: "True" - type: Ready - + ready: true diff --git a/other/block-ephemeral-containers/.chainsaw-test/chainsaw-test.yaml b/other/block-ephemeral-containers/.chainsaw-test/chainsaw-test.yaml index cd7effb22..95381c3b9 100755 --- a/other/block-ephemeral-containers/.chainsaw-test/chainsaw-test.yaml +++ b/other/block-ephemeral-containers/.chainsaw-test/chainsaw-test.yaml @@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: @@ -8,16 +7,9 @@ spec: steps: - name: step-01 try: - - apply: - file: ../block-ephemeral-containers.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: block-ephemeral-containers - spec: - validationFailureAction: Enforce + - script: + content: | + sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../block-ephemeral-containers.yaml | kubectl create -f - - assert: file: chainsaw-step-01-assert-1.yaml - name: step-02 
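Review bot: The new step-01 depends on `sed 's/validationFailureAction: audit/validationFailureAction: Enforce/'` matching the policy file byte-for-byte; if the policy ever returns to `Audit` (the casing this commit changes in block-ephemeral-containers.yaml to make the match work) the substitution silently does nothing, the policy is created in audit mode, and the step-02 `($error != null): true` checks fail with a misleading message. Asserting the mode in `chainsaw-step-01-assert-1.yaml`, e.g. `spec:` / `  validationFailureAction: Enforce` alongside the `status: ready: true` check, makes a failure point to the real cause. The same sed-based step-01 appears in the block-images-with-volumes and block-large-images chainsaw tests further down this page.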
@@ -45,7 +37,30 @@ spec: then exit 1; else exit 0; fi; - name: step-98 try: - - script: - content: kubectl delete deployments --all --force --grace-period=0 -n block-ephemeral-ns - - script: - content: kubectl delete pods --all --force --grace-period=0 -n block-ephemeral-ns + - command: + args: + - delete + - deployments + - --all + - --force + - --grace-period=0 + - -n + - block-ephemeral-ns + entrypoint: kubectl + - command: + args: + - delete + - pods + - --all + - --force + - --grace-period=0 + - -n + - block-ephemeral-ns + entrypoint: kubectl + - name: step-99 + try: + - delete: + ref: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: block-ephemeral-containers diff --git a/other/block-ephemeral-containers/.chainsaw-test/pod.yaml b/other/block-ephemeral-containers/.chainsaw-test/pod.yaml index 4a2489bfb..df553857f 100644 --- a/other/block-ephemeral-containers/.chainsaw-test/pod.yaml +++ b/other/block-ephemeral-containers/.chainsaw-test/pod.yaml @@ -6,7 +6,7 @@ metadata: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 command: ["sleep", "300"] --- apiVersion: v1 @@ -17,10 +17,10 @@ metadata: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 command: ["sleep", "300"] - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 command: ["sleep", "300"] --- apiVersion: v1 @@ -31,15 +31,15 @@ metadata: spec: initContainers: - name: busybox-init - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 command: ["sleep", "300"] - name: busybox02-init - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 command: ["sleep", "300"] containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 command: ["sleep", "300"] - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 command: ["sleep", "300"] \ No newline at end of file 
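Review bot: step-99 deletes the `block-ephemeral-containers` ClusterPolicy that the step-01 script created, but as a `try` operation it is not reached once an earlier step fails, so a failed run leaves an Enforce-mode policy in the cluster and the next run's `kubectl create -f -` in step-01 then fails with an already-exists error. Registering the `delete` under `finally` rather than `try` (or using `kubectl apply -f -` in step-01) avoids the stale policy. The same step-99 shape is added to the block-images-with-volumes and block-large-images chainsaw tests on this page.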
diff --git a/other/block-ephemeral-containers/.chainsaw-test/podcontrollers.yaml b/other/block-ephemeral-containers/.chainsaw-test/podcontrollers.yaml index 002b0030b..5213371c9 100644 --- a/other/block-ephemeral-containers/.chainsaw-test/podcontrollers.yaml +++ b/other/block-ephemeral-containers/.chainsaw-test/podcontrollers.yaml @@ -18,8 +18,8 @@ spec: spec: containers: - name: bb - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 command: ["sleep", "300"] - name: bb2 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 command: ["sleep", "300"] \ No newline at end of file diff --git a/other/block-ephemeral-containers/.kyverno-test/kyverno-test.yaml b/other/block-ephemeral-containers/.kyverno-test/kyverno-test.yaml deleted file mode 100644 index 84814cb06..000000000 --- a/other/block-ephemeral-containers/.kyverno-test/kyverno-test.yaml +++ /dev/null @@ -1,25 +0,0 @@ -apiVersion: cli.kyverno.io/v1alpha1 -kind: Test -metadata: - name: block-ephemeral-containers -policies: -- ../block-ephemeral-containers.yaml -resources: -- resource.yaml -results: -- policy: block-ephemeral-containers - rule: block-ephemeral-containers - resources: - - goodpod01 - - goodpod02 - - goodpod03 - kind: Pod - result: pass -- policy: block-ephemeral-containers - rule: block-ephemeral-containers - resources: - - badpod01 - - badpod02 - - badpod03 - kind: Pod - result: fail diff --git a/other/block-ephemeral-containers/.kyverno-test/resource.yaml b/other/block-ephemeral-containers/.kyverno-test/resource.yaml deleted file mode 100644 index e641e696f..000000000 --- a/other/block-ephemeral-containers/.kyverno-test/resource.yaml +++ /dev/null 
@@ -1,65 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: goodpod01 -spec: - initContainers: - - name: initcontainer01 - image: dummyimagename ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod02 -spec: - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod03 -spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod01 -spec: - ephemeralContainers: - - name: ephcontainer01 - image: dummyimagename ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod02 -spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - ephemeralContainers: - - name: ephcontainer01 - image: dummyimagename ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod03 -spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - containers: - - name: container01 - image: dummyimagename - ephemeralContainers: - - name: ephcontainer01 - image: dummyimagename diff --git a/other/block-ephemeral-containers/artifacthub-pkg.yml b/other/block-ephemeral-containers/artifacthub-pkg.yml index 7b4cbd14c..cc77acc0c 100644 --- a/other/block-ephemeral-containers/artifacthub-pkg.yml +++ b/other/block-ephemeral-containers/artifacthub-pkg.yml @@ -19,4 +19,4 @@ annotations: kyverno/category: "Other" kyverno/kubernetesVersion: "1.23" kyverno/subject: "Pod" -digest: 52c16c4c34d51abea0bda3335e50c7ce5a20aefed83d702aa415c461f6f25ded +digest: a49007b59da49fb5d9551a5d9874a091036d3413dfe263924645c64d2aa9d415 diff --git a/other/block-ephemeral-containers/block-ephemeral-containers.yaml b/other/block-ephemeral-containers/block-ephemeral-containers.yaml index 52d657bb8..ee7ae46dd 100644 --- a/other/block-ephemeral-containers/block-ephemeral-containers.yaml +++ b/other/block-ephemeral-containers/block-ephemeral-containers.yaml 
@@ -16,7 +16,7 @@ metadata: This may potentially be used to gain access to unauthorized information executing inside one or more containers in that Pod. This policy blocks the use of ephemeral containers. spec: - validationFailureAction: Audit + validationFailureAction: audit background: true rules: - name: block-ephemeral-containers diff --git a/other/block-images-with-volumes/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other/block-images-with-volumes/.chainsaw-test/chainsaw-step-01-assert-1.yaml index 59a7f8589..31f374298 100755 --- a/other/block-images-with-volumes/.chainsaw-test/chainsaw-step-01-assert-1.yaml +++ b/other/block-images-with-volumes/.chainsaw-test/chainsaw-step-01-assert-1.yaml @@ -3,8 +3,4 @@ kind: ClusterPolicy metadata: name: block-images-with-volumes status: - conditions: - - reason: Succeeded - status: "True" - type: Ready - + ready: true diff --git a/other/block-images-with-volumes/.chainsaw-test/chainsaw-test.yaml b/other/block-images-with-volumes/.chainsaw-test/chainsaw-test.yaml index 8b3681bb9..6b1cff570 100755 --- a/other/block-images-with-volumes/.chainsaw-test/chainsaw-test.yaml +++ b/other/block-images-with-volumes/.chainsaw-test/chainsaw-test.yaml @@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: @@ -8,16 +7,9 @@ spec: steps: - name: step-01 try: - - apply: - file: ../block-images-with-volumes.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: block-images-with-volumes - spec: - validationFailureAction: Enforce + - script: + content: | + sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../block-images-with-volumes.yaml | kubectl create -f - - assert: file: chainsaw-step-01-assert-1.yaml - name: step-02 
@@ -36,3 +28,10 @@ spec: - check: ($error != null): true file: podcontrollers-bad.yaml + - name: step-99 + try: + - delete: + ref: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: block-images-with-volumes diff --git a/other/block-images-with-volumes/.chainsaw-test/podcontrollers-bad.yaml b/other/block-images-with-volumes/.chainsaw-test/podcontrollers-bad.yaml index 07c3ab95c..86e5fe870 100644 --- a/other/block-images-with-volumes/.chainsaw-test/podcontrollers-bad.yaml +++ b/other/block-images-with-volumes/.chainsaw-test/podcontrollers-bad.yaml @@ -35,5 +35,5 @@ spec: - name: busybox image: clover/volume:passbolt - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 restartPolicy: OnFailure \ No newline at end of file diff --git a/other/block-images-with-volumes/.chainsaw-test/pods-bad.yaml b/other/block-images-with-volumes/.chainsaw-test/pods-bad.yaml index 9f85e6b60..8b3d1eab3 100644 --- a/other/block-images-with-volumes/.chainsaw-test/pods-bad.yaml +++ b/other/block-images-with-volumes/.chainsaw-test/pods-bad.yaml @@ -14,7 +14,7 @@ metadata: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: image-vol image: clover/volume:passbolt --- @@ -27,4 +27,4 @@ spec: - name: image-vol image: clover/volume:passbolt - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 \ No newline at end of file + image: busybox:1.35 \ No newline at end of file diff --git a/other/block-images-with-volumes/.chainsaw-test/pods-good.yaml b/other/block-images-with-volumes/.chainsaw-test/pods-good.yaml index 6b3f55eb7..89c17cf42 100644 --- a/other/block-images-with-volumes/.chainsaw-test/pods-good.yaml +++ b/other/block-images-with-volumes/.chainsaw-test/pods-good.yaml @@ -5,7 +5,7 @@ metadata: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.28 + image: busybox:1.28 --- apiVersion: v1 kind: Pod 
@@ -14,6 +14,6 @@ metadata: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.28 + image: busybox:1.28 - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.28 \ No newline at end of file + image: busybox:1.28 \ No newline at end of file diff --git a/other/block-images-with-volumes/artifacthub-pkg.yml b/other/block-images-with-volumes/artifacthub-pkg.yml index d09e94783..622735973 100644 --- a/other/block-images-with-volumes/artifacthub-pkg.yml +++ b/other/block-images-with-volumes/artifacthub-pkg.yml @@ -19,4 +19,4 @@ annotations: kyverno/category: "Other" kyverno/kubernetesVersion: "1.23" kyverno/subject: "Pod" -digest: 1ef943234b2934a4286b5c988112a33c2ebae784ee67a4cff6464b373e13dbb7 +digest: 84345ccd7ae57215dd11b5248f811119d38dcb4648c749146c887ec6c7389940 diff --git a/other/block-images-with-volumes/block-images-with-volumes.yaml b/other/block-images-with-volumes/block-images-with-volumes.yaml index 601624fe3..6f536acd7 100644 --- a/other/block-images-with-volumes/block-images-with-volumes.yaml +++ b/other/block-images-with-volumes/block-images-with-volumes.yaml @@ -16,7 +16,7 @@ metadata: This may be unexpected and undesirable. This policy checks the contents of every container image and inspects them for such VOLUME statements, then blocks if found. spec: - validationFailureAction: Audit + validationFailureAction: audit rules: - name: block-images-with-vols match: diff --git a/other/block-large-images/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other/block-large-images/.chainsaw-test/chainsaw-step-01-assert-1.yaml index 632e42d5c..c23b57020 100755 --- a/other/block-large-images/.chainsaw-test/chainsaw-step-01-assert-1.yaml +++ b/other/block-large-images/.chainsaw-test/chainsaw-step-01-assert-1.yaml @@ -3,8 +3,4 @@ kind: ClusterPolicy metadata: name: block-large-images status: - conditions: - - reason: Succeeded - status: "True" - type: Ready - + ready: true 
diff --git a/other/block-large-images/.chainsaw-test/chainsaw-test.yaml b/other/block-large-images/.chainsaw-test/chainsaw-test.yaml index f7ae2ef02..882eb620c 100755 --- a/other/block-large-images/.chainsaw-test/chainsaw-test.yaml +++ b/other/block-large-images/.chainsaw-test/chainsaw-test.yaml @@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: @@ -8,16 +7,9 @@ spec: steps: - name: step-01 try: - - apply: - file: ../block-large-images.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: block-large-images - spec: - validationFailureAction: Enforce + - script: + content: | + sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../block-large-images.yaml | kubectl create -f - - assert: file: chainsaw-step-01-assert-1.yaml - name: step-02 @@ -36,3 +28,10 @@ spec: - check: ($error != null): true file: podcontrollers-bad.yaml + - name: step-99 + try: + - delete: + ref: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: block-large-images diff --git a/other/block-large-images/.chainsaw-test/podcontrollers-bad.yaml b/other/block-large-images/.chainsaw-test/podcontrollers-bad.yaml index 638897f79..8931d8cf9 100644 --- a/other/block-large-images/.chainsaw-test/podcontrollers-bad.yaml +++ b/other/block-large-images/.chainsaw-test/podcontrollers-bad.yaml @@ -17,7 +17,7 @@ spec: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: busybox02 image: nvidia/cuda:12.2.0-devel-ubi8 --- @@ -35,5 +35,5 @@ spec: - name: busybox image: nvidia/cuda:12.2.0-devel-ubi8 - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 restartPolicy: OnFailure \ No newline at end of file 
diff --git a/other/block-large-images/.chainsaw-test/podcontrollers-good.yaml b/other/block-large-images/.chainsaw-test/podcontrollers-good.yaml index 9b951e23e..b1c48e35e 100644 --- a/other/block-large-images/.chainsaw-test/podcontrollers-good.yaml +++ b/other/block-large-images/.chainsaw-test/podcontrollers-good.yaml @@ -17,9 +17,9 @@ spec: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: batch/v1 kind: CronJob @@ -33,7 +33,7 @@ spec: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 restartPolicy: OnFailure \ No newline at end of file diff --git a/other/block-large-images/.chainsaw-test/pods-bad.yaml b/other/block-large-images/.chainsaw-test/pods-bad.yaml index 67de571ea..c1d8e8a66 100644 --- a/other/block-large-images/.chainsaw-test/pods-bad.yaml +++ b/other/block-large-images/.chainsaw-test/pods-bad.yaml @@ -14,7 +14,7 @@ metadata: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: image-vol image: nvidia/cuda:12.2.0-devel-ubi8 --- @@ -27,4 +27,4 @@ spec: - name: image-vol image: nvidia/cuda:12.2.0-devel-ubi8 - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 \ No newline at end of file + image: busybox:1.35 \ No newline at end of file diff --git a/other/block-large-images/.chainsaw-test/pods-good.yaml b/other/block-large-images/.chainsaw-test/pods-good.yaml index 6b3f55eb7..89c17cf42 100644 --- a/other/block-large-images/.chainsaw-test/pods-good.yaml +++ b/other/block-large-images/.chainsaw-test/pods-good.yaml @@ -5,7 +5,7 @@ metadata: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.28 + image: busybox:1.28 --- apiVersion: v1 kind: Pod 
@@ -14,6 +14,6 @@ metadata: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.28 + image: busybox:1.28 - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.28 \ No newline at end of file + image: busybox:1.28 \ No newline at end of file diff --git a/other/block-large-images/artifacthub-pkg.yml b/other/block-large-images/artifacthub-pkg.yml index 90ab6ed3f..5f5744e98 100644 --- a/other/block-large-images/artifacthub-pkg.yml +++ b/other/block-large-images/artifacthub-pkg.yml @@ -19,4 +19,4 @@ annotations: kyverno/category: "Other" kyverno/kubernetesVersion: "1.23" kyverno/subject: "Pod" -digest: 5f8b58b4ceb1c07f957c865ae462be2f008d32cd230e196ba82cf8de048ffacd +digest: 3137003b33b29c736e18da96eba3c14b707a825053684304fe8a1f68c3fb7b03 diff --git a/other/block-large-images/block-large-images.yaml b/other/block-large-images/block-large-images.yaml index 1356b10a7..b98c6e055 100644 --- a/other/block-large-images/block-large-images.yaml +++ b/other/block-large-images/block-large-images.yaml @@ -16,7 +16,7 @@ metadata: name an image which is unusually large to disrupt operations. This policy checks the size of every container image and blocks if it is over 2 Gibibytes. spec: - validationFailureAction: Audit + validationFailureAction: audit rules: - name: block-over-twogi match: diff --git a/other/block-pod-exec-by-namespace-label/.chainsaw-test/chainsaw-test.yaml b/other/block-pod-exec-by-namespace-label/.chainsaw-test/chainsaw-test.yaml index d88549e5c..743a08036 100755 --- a/other/block-pod-exec-by-namespace-label/.chainsaw-test/chainsaw-test.yaml +++ b/other/block-pod-exec-by-namespace-label/.chainsaw-test/chainsaw-test.yaml @@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: 
@@ -22,8 +21,10 @@ spec: file: podcontrollers.yaml - name: step-03 try: - - sleep: - duration: 5s + - command: + args: + - "5" + entrypoint: sleep - name: step-04 try: - script: 
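Review bot: Replacing chainsaw's native `sleep: duration: 5s` with `command: entrypoint: sleep` makes step-03 depend on a `sleep` binary on the runner's PATH and drops the unit from the value (`"5"` is seconds only by that binary's convention), with no functional gain visible in the hunk. If this is a deliberate accommodation for a chainsaw release that lacks the `sleep` operation, a one-line comment above the step such as `# external sleep: the chainsaw version targeted here has no sleep operation` would stop the next reader from reverting it. The same replacement appears in the step-03 hunks of the block-pod-exec-by-namespace, -by-pod-and-container, -by-pod-label and -by-pod-name tests and in block-stale-images step-99.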
@@ -32,25 +33,99 @@ spec: - script: content: if kubectl exec -n pod-exec-label-ns02 deploy/deployment02 -- ls; then exit 1;else exit 0; fi - - script: - content: kubectl exec -n pod-exec-label-ns01 pod01 -- ls - - script: - content: kubectl exec -n pod-exec-label-ns03 pod03 -- ls - - script: - content: kubectl exec -n pod-exec-label-ns04 pod04 -- ls - - script: - content: kubectl exec -n pod-exec-label-ns01 deploy/deployment01 -- ls - - script: - content: kubectl exec -n pod-exec-label-ns03 deploy/deployment03 -- ls - - script: - content: kubectl exec -n pod-exec-label-ns04 deploy/deployment04 -- ls + - command: + args: + - exec + - -n + - pod-exec-label-ns01 + - pod01 + - -- + - ls + entrypoint: kubectl + - command: + args: + - exec + - -n + - pod-exec-label-ns03 + - pod03 + - -- + - ls + entrypoint: kubectl + - command: + args: + - exec + - -n + - pod-exec-label-ns04 + - pod04 + - -- + - ls + entrypoint: kubectl + - command: + args: + - exec + - -n + - pod-exec-label-ns01 + - deploy/deployment01 + - -- + - ls + entrypoint: kubectl + - command: + args: + - exec + - -n + - pod-exec-label-ns03 + - deploy/deployment03 + - -- + - ls + entrypoint: kubectl + - command: + args: + - exec + - -n + - pod-exec-label-ns04 + - deploy/deployment04 + - -- + - ls + entrypoint: kubectl - name: step-99 try: - - script: - content: kubectl delete all --all --force --grace-period=0 -n pod-exec-label-ns01 - - script: - content: kubectl delete all --all --force --grace-period=0 -n pod-exec-label-ns02 - - script: - content: kubectl delete all --all --force --grace-period=0 -n pod-exec-label-ns03 - - script: - content: kubectl delete all --all --force --grace-period=0 -n pod-exec-label-ns04 + - command: + args: + - delete + - all + - --all + - --force + - --grace-period=0 + - -n + - pod-exec-label-ns01 + entrypoint: kubectl + - command: + args: + - delete + - all + - --all + - --force + - --grace-period=0 + - -n + - pod-exec-label-ns02 + entrypoint: kubectl + - command: + args: + - delete 
+ - all + - --all + - --force + - --grace-period=0 + - -n + - pod-exec-label-ns03 + entrypoint: kubectl + - command: + args: + - delete + - all + - --all + - --force + - --grace-period=0 + - -n + - pod-exec-label-ns04 + entrypoint: kubectl diff --git a/other/block-pod-exec-by-namespace-label/.chainsaw-test/policy-ready.yaml b/other/block-pod-exec-by-namespace-label/.chainsaw-test/policy-ready.yaml index d959413be..f94b296f1 100644 --- a/other/block-pod-exec-by-namespace-label/.chainsaw-test/policy-ready.yaml +++ b/other/block-pod-exec-by-namespace-label/.chainsaw-test/policy-ready.yaml @@ -3,7 +3,4 @@ kind: ClusterPolicy metadata: name: deny-exec-by-namespace-label status: - conditions: - - reason: Succeeded - status: "True" - type: Ready + ready: true \ No newline at end of file diff --git a/other/block-pod-exec-by-namespace-label/artifacthub-pkg.yml b/other/block-pod-exec-by-namespace-label/artifacthub-pkg.yml index 38d2d9e55..0fcb94939 100644 --- a/other/block-pod-exec-by-namespace-label/artifacthub-pkg.yml +++ b/other/block-pod-exec-by-namespace-label/artifacthub-pkg.yml @@ -18,4 +18,4 @@ readme: | annotations: kyverno/category: "Sample" kyverno/subject: "Pod" -digest: 42e3e71f24b9acd8ea08921b9ff1fc3514c34152d0c004366a1ad057e2aa0c45 +digest: 4a0a8217b5a4923004c7eb8f38dfddc34e0a8afaaf58620dd71c3ef6816ef6d4 diff --git a/other/block-pod-exec-by-namespace-label/block-pod-exec-by-namespace-label.yaml b/other/block-pod-exec-by-namespace-label/block-pod-exec-by-namespace-label.yaml index 7ed82191a..817b8fafe 100644 --- a/other/block-pod-exec-by-namespace-label/block-pod-exec-by-namespace-label.yaml +++ b/other/block-pod-exec-by-namespace-label/block-pod-exec-by-namespace-label.yaml 
@@ -12,7 +12,7 @@ metadata: be useful for troubleshooting purposes, it could represent an attack vector and is discouraged. This policy blocks Pod exec commands based upon a Namespace label `exec=false`. spec: - validationFailureAction: Enforce + validationFailureAction: enforce background: false rules: - name: deny-exec-by-ns-label diff --git a/other/block-pod-exec-by-namespace/.chainsaw-test/chainsaw-test.yaml b/other/block-pod-exec-by-namespace/.chainsaw-test/chainsaw-test.yaml index 45f6044cb..1c504a2f8 100755 --- a/other/block-pod-exec-by-namespace/.chainsaw-test/chainsaw-test.yaml +++ b/other/block-pod-exec-by-namespace/.chainsaw-test/chainsaw-test.yaml @@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: @@ -22,8 +21,10 @@ spec: file: podcontrollers.yaml - name: step-03 try: - - sleep: - duration: 5s + - command: + args: + - "5" + entrypoint: sleep - name: step-04 try: - script: 
@@ -31,17 +32,63 @@ spec: - script: content: if kubectl exec -n pci deploy/deployment01 -- ls; then exit 1;else exit 0; fi - - script: - content: kubectl exec -n block-pod-exec-ns pod01 -- ls - - script: - content: kubectl exec -n block-pod-exec-ns deploy/deployment02 -- ls + - command: + args: + - exec + - -n + - block-pod-exec-ns + - pod01 + - -- + - ls + entrypoint: kubectl + - command: + args: + - exec + - -n + - block-pod-exec-ns + - deploy/deployment02 + - -- + - ls + entrypoint: kubectl - name: step-99 try: - - script: - content: kubectl delete deployments --all --force --grace-period=0 -n pci - - script: - content: kubectl delete deployments --all --force --grace-period=0 -n block-pod-exec-ns - - script: - content: kubectl delete pods --all --force --grace-period=0 -n pci - - script: - content: kubectl delete pods --all --force --grace-period=0 -n block-pod-exec-ns + - command: + args: + - delete + - deployments + - --all + - --force + - --grace-period=0 + - -n + - pci + entrypoint: kubectl + - command: + args: + - delete + - deployments + - --all + - --force + - --grace-period=0 + - -n + - block-pod-exec-ns + entrypoint: kubectl + - command: + args: + - delete + - pods + - --all + - --force + - --grace-period=0 + - -n + - pci + entrypoint: kubectl + - command: + args: + - delete + - pods + - --all + - --force + - --grace-period=0 + - -n + - block-pod-exec-ns + entrypoint: kubectl diff --git a/other/block-pod-exec-by-namespace/.chainsaw-test/policy-ready.yaml b/other/block-pod-exec-by-namespace/.chainsaw-test/policy-ready.yaml index 60cf18c47..43a9ab178 100644 --- a/other/block-pod-exec-by-namespace/.chainsaw-test/policy-ready.yaml +++ b/other/block-pod-exec-by-namespace/.chainsaw-test/policy-ready.yaml @@ -3,7 +3,4 @@ kind: ClusterPolicy metadata: name: deny-exec-by-namespace-name status: - conditions: - - reason: Succeeded - status: "True" - type: Ready + ready: true \ No newline at end of file 
diff --git a/other/block-pod-exec-by-namespace/artifacthub-pkg.yml b/other/block-pod-exec-by-namespace/artifacthub-pkg.yml index 1619977ff..c59bcab16 100644 --- a/other/block-pod-exec-by-namespace/artifacthub-pkg.yml +++ b/other/block-pod-exec-by-namespace/artifacthub-pkg.yml @@ -18,4 +18,4 @@ readme: | annotations: kyverno/category: "Sample" kyverno/subject: "Pod" -digest: d8fe4385e39be140e0e0f6824f81ce932b1539446773919882b46b8ee1f0fab2 +digest: e5bc1f4228898b0f0c176d2e8a612a2782033db79f2a617c5a9cc0884fcfbd0b diff --git a/other/block-pod-exec-by-namespace/block-pod-exec-by-namespace.yaml b/other/block-pod-exec-by-namespace/block-pod-exec-by-namespace.yaml index cdf57012f..80c84ff81 100644 --- a/other/block-pod-exec-by-namespace/block-pod-exec-by-namespace.yaml +++ b/other/block-pod-exec-by-namespace/block-pod-exec-by-namespace.yaml @@ -12,7 +12,7 @@ metadata: be useful for troubleshooting purposes, it could represent an attack vector and is discouraged. This policy blocks Pod exec commands to Pods in a Namespace called `pci`. spec: - validationFailureAction: Enforce + validationFailureAction: enforce background: false rules: - name: deny-exec-ns-pci diff --git a/other/block-pod-exec-by-pod-and-container/.chainsaw-test/chainsaw-test.yaml b/other/block-pod-exec-by-pod-and-container/.chainsaw-test/chainsaw-test.yaml index cdecee5bb..a1ca64ffd 100755 --- a/other/block-pod-exec-by-pod-and-container/.chainsaw-test/chainsaw-test.yaml +++ b/other/block-pod-exec-by-pod-and-container/.chainsaw-test/chainsaw-test.yaml @@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: 
@@ -24,20 +23,57 @@ spec: file: chainsaw-step-02-apply-4.yaml - name: step-03 try: - - sleep: - duration: 5s + - command: + args: + - "5" + entrypoint: sleep - name: step-04 try: - script: content: if kubectl exec -n bpe-podcontainer-ns myapp-maintenance-01 --container nginx -- ls; then exit 1;else exit 0; fi - - script: - content: kubectl exec -n bpe-podcontainer-ns myapp-maintenance-01 --container busybox -- ls - - script: - content: kubectl exec -n bpe-podcontainer-ns myapp-maintenance-02 --container busybox -- ls - - script: - content: kubectl exec -n bpe-podcontainer-ns not-myapp --container nginx -- ls + - command: + args: + - exec + - -n + - bpe-podcontainer-ns + - myapp-maintenance-01 + - --container + - busybox + - -- + - ls + entrypoint: kubectl + - command: + args: + - exec + - -n + - bpe-podcontainer-ns + - myapp-maintenance-02 + - --container + - busybox + - -- + - ls + entrypoint: kubectl + - command: + args: + - exec + - -n + - bpe-podcontainer-ns + - not-myapp + - --container + - nginx + - -- + - ls + entrypoint: kubectl - name: step-99 try: - - script: - content: kubectl delete all --all --force --grace-period=0 -n bpe-podcontainer-ns + - command: + args: + - delete + - all + - --all + - --force + - --grace-period=0 + - -n + - bpe-podcontainer-ns + entrypoint: kubectl diff --git a/other/block-pod-exec-by-pod-and-container/.chainsaw-test/policy-ready.yaml b/other/block-pod-exec-by-pod-and-container/.chainsaw-test/policy-ready.yaml index 37ff8f0dd..700808252 100644 --- a/other/block-pod-exec-by-pod-and-container/.chainsaw-test/policy-ready.yaml +++ b/other/block-pod-exec-by-pod-and-container/.chainsaw-test/policy-ready.yaml @@ -3,7 +3,4 @@ kind: ClusterPolicy metadata: name: deny-exec-by-pod-and-container status: - conditions: - - reason: Succeeded - status: "True" - type: Ready + ready: true \ No newline at end of file 
diff --git a/other/block-pod-exec-by-pod-and-container/artifacthub-pkg.yml b/other/block-pod-exec-by-pod-and-container/artifacthub-pkg.yml index e0331afbd..413a8cf44 100644 --- a/other/block-pod-exec-by-pod-and-container/artifacthub-pkg.yml +++ b/other/block-pod-exec-by-pod-and-container/artifacthub-pkg.yml @@ -18,4 +18,4 @@ readme: | annotations: kyverno/category: "Sample" kyverno/subject: "Pod" -digest: 9e8a4ce92d97bddbbc34c10c2a49c880d4e9b937ad56ecfac4f08cd4f3ea1ade +digest: 1048fd82ed830de348ac051163b8fba03d10fd25fe7f9987118b7cdbc0facd54 diff --git a/other/block-pod-exec-by-pod-and-container/block-pod-exec-by-pod-and-container.yaml b/other/block-pod-exec-by-pod-and-container/block-pod-exec-by-pod-and-container.yaml index e70bb0ce1..6738b254d 100644 --- a/other/block-pod-exec-by-pod-and-container/block-pod-exec-by-pod-and-container.yaml +++ b/other/block-pod-exec-by-pod-and-container/block-pod-exec-by-pod-and-container.yaml @@ -13,7 +13,7 @@ metadata: This policy blocks Pod exec commands to containers named `nginx` in Pods starting with name `myapp-maintenance`. spec: - validationFailureAction: Enforce + validationFailureAction: enforce background: false rules: - name: deny-nginx-exec-in-myapp-maintenance diff --git a/other/block-pod-exec-by-pod-label/.chainsaw-test/chainsaw-test.yaml b/other/block-pod-exec-by-pod-label/.chainsaw-test/chainsaw-test.yaml index e29738e7b..3e34b7d89 100755 --- a/other/block-pod-exec-by-pod-label/.chainsaw-test/chainsaw-test.yaml +++ b/other/block-pod-exec-by-pod-label/.chainsaw-test/chainsaw-test.yaml @@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: 
@@ -20,20 +19,51 @@ spec: file: pods.yaml - name: step-03 try: - - sleep: - duration: 5s + - command: + args: + - "5" + entrypoint: sleep - name: step-04 try: - script: content: if kubectl exec -n bpe-podlabel-ns pod03 -- ls; then exit 1;else exit 0; fi - - script: - content: kubectl exec -n bpe-podlabel-ns pod01 -- ls - - script: - content: kubectl exec -n bpe-podlabel-ns pod02 -- ls - - script: - content: kubectl exec -n bpe-podlabel-ns pod04 -- ls + - command: + args: + - exec + - -n + - bpe-podlabel-ns + - pod01 + - -- + - ls + entrypoint: kubectl + - command: + args: + - exec + - -n + - bpe-podlabel-ns + - pod02 + - -- + - ls + entrypoint: kubectl + - command: + args: + - exec + - -n + - bpe-podlabel-ns + - pod04 + - -- + - ls + entrypoint: kubectl - name: step-99 try: - - script: - content: kubectl delete all --all --force --grace-period=0 -n bpe-podlabel-ns + - command: + args: + - delete + - all + - --all + - --force + - --grace-period=0 + - -n + - bpe-podlabel-ns + entrypoint: kubectl diff --git a/other/block-pod-exec-by-pod-label/.chainsaw-test/policy-ready.yaml b/other/block-pod-exec-by-pod-label/.chainsaw-test/policy-ready.yaml index 29794ca53..2f10f9132 100644 --- a/other/block-pod-exec-by-pod-label/.chainsaw-test/policy-ready.yaml +++ b/other/block-pod-exec-by-pod-label/.chainsaw-test/policy-ready.yaml @@ -3,7 +3,4 @@ kind: ClusterPolicy metadata: name: deny-exec-by-pod-label status: - conditions: - - reason: Succeeded - status: "True" - type: Ready + ready: true \ No newline at end of file diff --git a/other/block-pod-exec-by-pod-label/artifacthub-pkg.yml b/other/block-pod-exec-by-pod-label/artifacthub-pkg.yml index 574c28a9b..6443dce89 100644 --- a/other/block-pod-exec-by-pod-label/artifacthub-pkg.yml +++ b/other/block-pod-exec-by-pod-label/artifacthub-pkg.yml 
@@ -18,4 +18,4 @@ readme: | annotations: kyverno/category: "Sample" kyverno/subject: "Pod" -digest: 6e9f45cd3984e3cfc7a1853b123a61126590113026683a2494c27e0fe0ae8b64 +digest: 10965102115219f1940c22476ac3e4cba1f0dd5b5f20deafd1b052357260345c diff --git a/other/block-pod-exec-by-pod-label/block-pod-exec-by-pod-label.yaml b/other/block-pod-exec-by-pod-label/block-pod-exec-by-pod-label.yaml index d4902899c..26b50faad 100644 --- a/other/block-pod-exec-by-pod-label/block-pod-exec-by-pod-label.yaml +++ b/other/block-pod-exec-by-pod-label/block-pod-exec-by-pod-label.yaml @@ -12,7 +12,7 @@ metadata: be useful for troubleshooting purposes, it could represent an attack vector and is discouraged. This policy blocks Pod exec commands to Pods having the label `exec=false`. spec: - validationFailureAction: Enforce + validationFailureAction: enforce background: false rules: - name: deny-exec-by-label diff --git a/other/block-pod-exec-by-pod-name/.chainsaw-test/chainsaw-test.yaml b/other/block-pod-exec-by-pod-name/.chainsaw-test/chainsaw-test.yaml index 283f29656..d4cb617e7 100755 --- a/other/block-pod-exec-by-pod-name/.chainsaw-test/chainsaw-test.yaml +++ b/other/block-pod-exec-by-pod-name/.chainsaw-test/chainsaw-test.yaml @@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: @@ -24,8 +23,10 @@ spec: file: chainsaw-step-02-apply-4.yaml - name: step-03 try: - - sleep: - duration: 5s + - command: + args: + - "5" + entrypoint: sleep - name: step-04 try: - script: @@ -38,5 +39,13 @@ spec: content: kubectl exec -n bpe-podname-ns not-myapp -- ls - name: step-99 try: - - script: - content: kubectl delete all --all --force --grace-period=0 -n bpe-podname-ns + - command: + args: + - delete + - all + - --all + - --force + - --grace-period=0 + - -n + - bpe-podname-ns + entrypoint: kubectl 
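Review bot: Step-04 in block-pod-exec-by-pod-name keeps its positive exec checks as `script:` entries (the context line `content: kubectl exec -n bpe-podname-ns not-myapp -- ls` is untouched), while the sibling tests in this diff convert the identical checks to `command:`/`entrypoint: kubectl` form; only the step-99 delete was converted here. Either form works, but mixing them across otherwise parallel tests makes the suite harder to maintain — converting the remaining step-04 scripts, or leaving all of them as scripts, would keep the files consistent. The rest of step-04 lies outside this hunk.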
diff --git a/other/block-pod-exec-by-pod-name/.chainsaw-test/policy-ready.yaml b/other/block-pod-exec-by-pod-name/.chainsaw-test/policy-ready.yaml index 6553e1348..c3e624930 100644 --- a/other/block-pod-exec-by-pod-name/.chainsaw-test/policy-ready.yaml +++ b/other/block-pod-exec-by-pod-name/.chainsaw-test/policy-ready.yaml @@ -3,7 +3,4 @@ kind: ClusterPolicy metadata: name: deny-exec-by-pod-name status: - conditions: - - reason: Succeeded - status: "True" - type: Ready + ready: true \ No newline at end of file diff --git a/other/block-pod-exec-by-pod-name/artifacthub-pkg.yml b/other/block-pod-exec-by-pod-name/artifacthub-pkg.yml index f03dfc086..8e409455f 100644 --- a/other/block-pod-exec-by-pod-name/artifacthub-pkg.yml +++ b/other/block-pod-exec-by-pod-name/artifacthub-pkg.yml @@ -18,4 +18,4 @@ readme: | annotations: kyverno/category: "Sample" kyverno/subject: "Pod" -digest: 8827b6bd6cfd2a17c73ca53607abfcb82d380c26e16ce2a820ec8bbe68571894 +digest: 16a9d3492e57968705fed46c1c67b401921aa8f5257c223ad0b94fe566f47939 diff --git a/other/block-pod-exec-by-pod-name/block-pod-exec-by-pod-name.yaml b/other/block-pod-exec-by-pod-name/block-pod-exec-by-pod-name.yaml index 94cd787d7..b3e47e811 100644 --- a/other/block-pod-exec-by-pod-name/block-pod-exec-by-pod-name.yaml +++ b/other/block-pod-exec-by-pod-name/block-pod-exec-by-pod-name.yaml @@ -13,7 +13,7 @@ metadata: This policy blocks Pod exec commands to Pods beginning with the name `myapp-maintenance-`. spec: - validationFailureAction: Enforce + validationFailureAction: enforce background: false rules: - name: deny-exec-myapp-maintenance diff --git a/other/block-stale-images/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other/block-stale-images/.chainsaw-test/chainsaw-step-01-assert-1.yaml index d7383e71d..a94cb88bd 100755 --- a/other/block-stale-images/.chainsaw-test/chainsaw-step-01-assert-1.yaml +++ b/other/block-stale-images/.chainsaw-test/chainsaw-step-01-assert-1.yaml 
@@ -3,8 +3,4 @@ kind: ClusterPolicy metadata: name: block-stale-images status: - conditions: - - reason: Succeeded - status: "True" - type: Ready - + ready: true diff --git a/other/block-stale-images/.chainsaw-test/chainsaw-test.yaml b/other/block-stale-images/.chainsaw-test/chainsaw-test.yaml index 1e64a891e..8c840de79 100755 --- a/other/block-stale-images/.chainsaw-test/chainsaw-test.yaml +++ b/other/block-stale-images/.chainsaw-test/chainsaw-test.yaml @@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: @@ -10,16 +9,9 @@ spec: try: - apply: file: ns.yaml - - apply: - file: ../block-stale-images.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: block-stale-images - spec: - validationFailureAction: Enforce + - script: + content: | + sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../block-stale-images.yaml | kubectl create -f - - assert: file: chainsaw-step-01-assert-1.yaml - name: step-02 @@ -40,13 +32,37 @@ spec: file: podcontrollers-bad.yaml - name: step-99 try: - - script: - content: kubectl delete all --all --force --grace-period=0 -n block-staleimg-ns - - script: - content: kubectl delete cpol block-stale-images - - sleep: - duration: 5s - - script: - content: kubectl delete all --all --force --grace-period=0 -n block-staleimg-ns - - sleep: - duration: 5s \ No newline at end of file + - command: + args: + - delete + - all + - --all + - --force + - --grace-period=0 + - -n + - block-staleimg-ns + entrypoint: kubectl + - command: + args: + - delete + - cpol + - block-stale-images + entrypoint: kubectl + - command: + args: + - "10" + entrypoint: sleep + - command: + args: + - delete + - all + - --all + - --force + - --grace-period=0 + - -n + - block-staleimg-ns + entrypoint: kubectl + - command: + args: + - "10" + entrypoint: sleep 
diff --git a/other/block-stale-images/.chainsaw-test/podcontrollers-bad.yaml b/other/block-stale-images/.chainsaw-test/podcontrollers-bad.yaml index 11cce09b2..f18af6e2d 100644 --- a/other/block-stale-images/.chainsaw-test/podcontrollers-bad.yaml +++ b/other/block-stale-images/.chainsaw-test/podcontrollers-bad.yaml @@ -18,9 +18,9 @@ spec: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:latest + image: busybox:latest - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.28 + image: busybox:1.28 --- apiVersion: batch/v1 kind: CronJob @@ -35,7 +35,7 @@ spec: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.28 + image: busybox:1.28 - name: busybox02 - image: ghcr.io/kyverno/test-busybox:latest + image: busybox:latest restartPolicy: OnFailure \ No newline at end of file diff --git a/other/block-stale-images/.chainsaw-test/podcontrollers-good.yaml b/other/block-stale-images/.chainsaw-test/podcontrollers-good.yaml index a240ec1a9..5a06a47b8 100644 --- a/other/block-stale-images/.chainsaw-test/podcontrollers-good.yaml +++ b/other/block-stale-images/.chainsaw-test/podcontrollers-good.yaml @@ -17,10 +17,10 @@ spec: app: busybox spec: containers: - - name: kyverno - image: ghcr.io/kyverno/kyverno:latest - - name: kyverno02 - image: ghcr.io/kyverno/kyverno:latest + - name: busybox + image: busybox:latest + - name: busybox02 + image: busybox:latest --- apiVersion: batch/v1 kind: CronJob @@ -34,8 +34,8 @@ spec: template: spec: containers: - - name: kyverno - image: ghcr.io/kyverno/kyverno:latest - - name: kyverno02 - image: ghcr.io/kyverno/kyverno:latest + - name: busybox + image: busybox:latest + - name: busybox02 + image: busybox:latest restartPolicy: OnFailure \ No newline at end of file diff --git a/other/block-stale-images/.chainsaw-test/pods-bad.yaml b/other/block-stale-images/.chainsaw-test/pods-bad.yaml index 58046dc18..849b0e427 100644 --- a/other/block-stale-images/.chainsaw-test/pods-bad.yaml 
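Review bot: The "good" fixtures now use `busybox:latest`, a mutable tag whose build date the test does not control; since block-stale-images (per its description further down in this diff) rejects images built more than six months ago, the positive cases pass only while upstream keeps rebuilding that tag, and the negative cases with `busybox:1.28` pass only because that tag is old. That is inherent to a build-age policy, but it deserves a comment in the fixture so the next flaky failure is diagnosed quickly, e.g. `# block-stale-images accepts this only while busybox:latest was built within the last 6 months` above the first container. The same holds for pods-good.yaml in the next hunk.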
+++ b/other/block-stale-images/.chainsaw-test/pods-bad.yaml @@ -6,9 +6,9 @@ metadata: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:latest + image: busybox:latest - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.28 + image: busybox:1.28 --- apiVersion: v1 kind: Pod @@ -18,7 +18,7 @@ metadata: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.28 + image: busybox:1.28 --- apiVersion: v1 kind: Pod @@ -28,6 +28,6 @@ metadata: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.28 + image: busybox:1.28 - name: busybox02 - image: ghcr.io/kyverno/test-busybox:latest \ No newline at end of file + image: busybox:latest \ No newline at end of file diff --git a/other/block-stale-images/.chainsaw-test/pods-good.yaml b/other/block-stale-images/.chainsaw-test/pods-good.yaml index 3887692be..69d3f012b 100644 --- a/other/block-stale-images/.chainsaw-test/pods-good.yaml +++ b/other/block-stale-images/.chainsaw-test/pods-good.yaml @@ -5,10 +5,10 @@ metadata: namespace: block-staleimg-ns spec: containers: - - name: kyverno - image: kyverno:latest - - name: kyverno02 - image: ghcr.io/kyverno/kyverno:latest + - name: busybox + image: busybox:latest + - name: busybox02 + image: busybox:latest --- apiVersion: v1 kind: Pod @@ -17,5 +17,5 @@ metadata: namespace: block-staleimg-ns spec: containers: - - name: kyverno - image: ghcr.io/kyverno/kyverno:latest \ No newline at end of file + - name: busybox + image: busybox:latest \ No newline at end of file diff --git a/other/block-stale-images/artifacthub-pkg.yml b/other/block-stale-images/artifacthub-pkg.yml index bb0b53084..396c28038 100644 --- a/other/block-stale-images/artifacthub-pkg.yml +++ b/other/block-stale-images/artifacthub-pkg.yml 
@@ -19,4 +19,4 @@ annotations: kyverno/category: "Other" kyverno/kubernetesVersion: "1.23" kyverno/subject: "Pod" -digest: 4c840db89d0d4d8d79c3ef120d319a93d62638f3e6c82ccbdf863b4f3d60b7aa +digest: 8e0fab0441480492ab506e9401eda165e86156c63b8768953386dffe7a0efc6b diff --git a/other/block-stale-images/block-stale-images.yaml b/other/block-stale-images/block-stale-images.yaml index 2ab83948a..6aea5cebd 100644 --- a/other/block-stale-images/block-stale-images.yaml +++ b/other/block-stale-images/block-stale-images.yaml @@ -15,7 +15,7 @@ metadata: This policy checks the contents of every container image and inspects them for the create time. If it finds any image which was built more than 6 months ago this policy blocks the deployment. spec: - validationFailureAction: Audit + validationFailureAction: audit rules: - name: block-stale-images match: diff --git a/other/block-updates-deletes/.chainsaw-test/chainsaw-test.yaml b/other/block-updates-deletes/.chainsaw-test/chainsaw-test.yaml index f655c31a0..cf78a826f 100755 --- a/other/block-updates-deletes/.chainsaw-test/chainsaw-test.yaml +++ b/other/block-updates-deletes/.chainsaw-test/chainsaw-test.yaml @@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: @@ -20,8 +19,6 @@ spec: content: | #!/bin/bash set -eu - cp $KUBECONFIG temp - export KUBECONFIG=./temp export USERNAME=blocksvcuser export CA=ca.crt #### Get CA certificate from kubeconfig assuming it's the first in the list. 
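Review bot: Dropping `cp $KUBECONFIG temp` / `export KUBECONFIG=./temp` means the rest of this script — which goes on to run `kubectl config set-context $USERNAME-context --user=$USERNAME --cluster=$CLUSTER` and, presumably, a matching credential entry for the certificate obtained through the CSR — now writes the `blocksvcuser` user and context into the real kubeconfig named by `$KUBECONFIG` instead of a throwaway copy. The only removal is the new step-05 `config unset` pair, which sits in a `try` block and so is skipped if any earlier step fails, leaving a usable client credential for the test user in the shared kubeconfig. Keeping the copy, or moving the two `config unset` commands into a `finally:` of the step that creates them, would restore the isolation. The script body continues outside this hunk.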
@@ -57,47 +54,74 @@ spec: kubectl config set-context $USERNAME-context --user=$USERNAME --cluster=$CLUSTER # Delete CSR kubectl delete csr $USERNAME + - name: step-03 + try: - apply: file: chainsaw-step-03-apply-1.yaml - apply: file: chainsaw-step-03-apply-2.yaml + - name: step-04 + try: + - command: + args: + - create + - --context=blocksvcuser-context + - -n + - block-updates-deletes-ns + - -f + - svc.yaml + entrypoint: kubectl + - command: + args: + - apply + - --context=blocksvcuser-context + - -n + - block-updates-deletes-ns + - -f + - svc-good-update.yaml + entrypoint: kubectl - script: - content: | - set -eu - export KUBECONFIG=./temp - kubectl create --context=blocksvcuser-context -n block-updates-deletes-ns -f svc.yaml - - script: - content: | - set -eu - export KUBECONFIG=./temp - kubectl apply --context=blocksvcuser-context -n block-updates-deletes-ns -f svc-good-update.yaml - - script: - content: | - set -eu - export KUBECONFIG=./temp - if kubectl apply --context=blocksvcuser-context -n block-updates-deletes-ns -f svc-bad-update.yaml; then exit 1; else exit 0; fi - - script: - content: | - set -eu - export KUBECONFIG=./temp - kubectl apply -n block-updates-deletes-ns -f svc-bad-update.yaml - - script: - content: | - set -eu - export KUBECONFIG=./temp - if kubectl delete svc --context=blocksvcuser-context -n block-updates-deletes-ns svc02; then exit 1; else exit 0; fi - - script: - content: | - set -eu - export KUBECONFIG=./temp - kubectl delete svc --context=blocksvcuser-context -n block-updates-deletes-ns svc01 - finally: - - script: - content: | - set -eu - export KUBECONFIG=./temp - kubectl delete svc -n block-updates-deletes-ns svc02 --ignore-not-found + content: if kubectl apply --context=blocksvcuser-context -n block-updates-deletes-ns + -f svc-bad-update.yaml; then exit 1; else exit 0; fi + - command: + args: + - delete + - svc + - --context=blocksvcuser-context + - -n + - block-updates-deletes-ns + - svc01 + entrypoint: kubectl - script: - 
content: | - set -e - rm ./temp + content: if kubectl delete svc --context=blocksvcuser-context -n block-updates-deletes-ns + svc02; then exit 1; else exit 0; fi + - command: + args: + - apply + - -n + - block-updates-deletes-ns + - -f + - svc-bad-update.yaml + entrypoint: kubectl + - command: + args: + - delete + - svc + - -n + - block-updates-deletes-ns + - svc02 + entrypoint: kubectl + - name: step-05 + try: + - command: + args: + - config + - unset + - users.blocksvcuser + entrypoint: kubectl + - command: + args: + - config + - unset + - contexts.blocksvcuser-context + entrypoint: kubectl diff --git a/other/block-updates-deletes/.chainsaw-test/policy-ready.yaml b/other/block-updates-deletes/.chainsaw-test/policy-ready.yaml index 9baf158d7..ae138f061 100644 --- a/other/block-updates-deletes/.chainsaw-test/policy-ready.yaml +++ b/other/block-updates-deletes/.chainsaw-test/policy-ready.yaml @@ -3,7 +3,4 @@ kind: ClusterPolicy metadata: name: block-updates-deletes status: - conditions: - - reason: Succeeded - status: "True" - type: Ready + ready: true \ No newline at end of file diff --git a/other/block-updates-deletes/artifacthub-pkg.yml b/other/block-updates-deletes/artifacthub-pkg.yml index 4e14a401b..aba9a6e45 100644 --- a/other/block-updates-deletes/artifacthub-pkg.yml +++ b/other/block-updates-deletes/artifacthub-pkg.yml @@ -19,4 +19,4 @@ annotations: kyverno/category: "Sample" kyverno/kubernetesVersion: "null" kyverno/subject: "RBAC" -digest: 35f27980f157cbc9575162c934a0af1a5957f982d9a9996dd6031582a269c244 +digest: d53b77cab7e2dfe835323faa1124221ab793a2b7f39941c4302a545bafd2f0aa diff --git a/other/block-updates-deletes/block-updates-deletes.yaml b/other/block-updates-deletes/block-updates-deletes.yaml index 1b63055c8..6c2819bb5 100644 --- a/other/block-updates-deletes/block-updates-deletes.yaml +++ b/other/block-updates-deletes/block-updates-deletes.yaml 
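Review bot: The `kubectl delete svc -n block-updates-deletes-ns svc02` at the end of step-04 replaces a `finally:` that ran with `--ignore-not-found`, so if an earlier command in the step fails (for example the `exit 1` when the restricted user is unexpectedly allowed to update or delete svc02) the Service created via `kubectl create` - which chainsaw does not track the way it tracks `apply:` - stays behind in the namespace. A `finally:` on step-04 with the old `--ignore-not-found` delete preserves the previous guarantee. As a style point, the two `content:` values are plain scalars continued on the following line; that folds to one line correctly but reads like an accidental wrap, and `content: >-` states the intent explicitly.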
@@ -13,7 +13,7 @@ metadata: Service resource that contains the label `protected=true` unless by a cluster-admin. spec: - validationFailureAction: Enforce + validationFailureAction: enforce background: false rules: - name: block-updates-deletes diff --git a/other/check-env-vars/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other/check-env-vars/.chainsaw-test/chainsaw-step-01-assert-1.yaml index 51af7f041..a1a66e266 100755 --- a/other/check-env-vars/.chainsaw-test/chainsaw-step-01-assert-1.yaml +++ b/other/check-env-vars/.chainsaw-test/chainsaw-step-01-assert-1.yaml @@ -3,8 +3,4 @@ kind: ClusterPolicy metadata: name: check-env-vars status: - conditions: - - reason: Succeeded - status: "True" - type: Ready - + ready: true diff --git a/other/check-env-vars/.chainsaw-test/chainsaw-test.yaml b/other/check-env-vars/.chainsaw-test/chainsaw-test.yaml index 81223c1fa..46d729c31 100755 --- a/other/check-env-vars/.chainsaw-test/chainsaw-test.yaml +++ b/other/check-env-vars/.chainsaw-test/chainsaw-test.yaml @@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: @@ -8,16 +7,9 @@ spec: steps: - name: step-01 try: - - apply: - file: ../check-env-vars.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: check-env-vars - spec: - validationFailureAction: Enforce + - script: + content: | + sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../check-env-vars.yaml | kubectl create -f - - assert: file: chainsaw-step-01-assert-1.yaml - name: step-02 @@ -36,3 +28,10 @@ spec: - check: ($error != null): true file: podcontrollers-bad.yaml + - name: step-99 + try: + - delete: + ref: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: check-env-vars 
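Review bot: Installing the ClusterPolicy with `sed ... | kubectl create -f -` instead of `apply:` means chainsaw no longer tracks the resource for automatic cleanup, and the `delete:` in step-99 only runs when every earlier step passes; as far as I can tell a failing step-02 then leaves an Enforce-mode cluster-wide policy in place for every later test in the run, so the policy removal belongs in a hook that runs regardless of outcome rather than in a trailing step. The script also lacks `set -euo pipefail`, so a sed failure is masked by the pipeline and only kubectl's exit status is reported. Note too that the substitution is coupled to the literal `validationFailureAction: audit` introduced by this same commit: if that casing drifts, sed silently leaves the policy in audit mode and the `($error != null): true` checks fail with a misleading reason. The same pattern is in the check-nvidia-gpu and check-serviceaccount chainsaw-test hunks below.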
diff --git a/other/check-env-vars/.chainsaw-test/podcontrollers-bad.yaml b/other/check-env-vars/.chainsaw-test/podcontrollers-bad.yaml index 9f5f213d8..6b1056a69 100644 --- a/other/check-env-vars/.chainsaw-test/podcontrollers-bad.yaml +++ b/other/check-env-vars/.chainsaw-test/podcontrollers-bad.yaml @@ -17,14 +17,14 @@ spec: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 env: - name: DISABLE_OPA value: "true" - name: foo value: bar - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 env: - name: foo value: bar @@ -43,14 +43,14 @@ spec: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 env: - name: DISABLE_OPA value: "true" - name: foo value: bar - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 env: - name: foo value: bar diff --git a/other/check-env-vars/.chainsaw-test/podcontrollers-good.yaml b/other/check-env-vars/.chainsaw-test/podcontrollers-good.yaml index e95250b7c..91e7d8b6e 100644 --- a/other/check-env-vars/.chainsaw-test/podcontrollers-good.yaml +++ b/other/check-env-vars/.chainsaw-test/podcontrollers-good.yaml @@ -17,14 +17,14 @@ spec: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 env: - name: DISABLE_OPA value: "false" - name: foo value: bar - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 env: - name: foo value: bar @@ -43,14 +43,14 @@ spec: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 env: - name: DISABLE_OPA value: "false" - name: foo value: bar - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 env: - name: foo value: bar diff --git a/other/check-env-vars/.chainsaw-test/pods-bad.yaml b/other/check-env-vars/.chainsaw-test/pods-bad.yaml index e66310e39..6712da27d 100644 
--- a/other/check-env-vars/.chainsaw-test/pods-bad.yaml +++ b/other/check-env-vars/.chainsaw-test/pods-bad.yaml @@ -6,7 +6,7 @@ metadata: name: badpod01 spec: containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox env: - name: DISABLE_OPA @@ -20,14 +20,14 @@ metadata: name: badpod02 spec: containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox env: - name: foo value: bar - name: DISABLE_OPA value: "true" - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox02 env: - name: DISABLE_OPA @@ -43,12 +43,12 @@ metadata: name: badpod03 spec: containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox env: - name: foo value: bar - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox02 env: - name: foo @@ -64,9 +64,9 @@ metadata: name: badpod04 spec: containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox02 env: - name: DISABLE_OPA @@ -80,12 +80,12 @@ metadata: name: badpod05 spec: containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox env: - name: DISABLE_OPA value: "false" - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox02 env: - name: DISABLE_OPA diff --git a/other/check-env-vars/.chainsaw-test/pods-good.yaml b/other/check-env-vars/.chainsaw-test/pods-good.yaml index cad997a5f..0fe74a3b0 100644 --- a/other/check-env-vars/.chainsaw-test/pods-good.yaml +++ b/other/check-env-vars/.chainsaw-test/pods-good.yaml @@ -6,7 +6,7 @@ metadata: name: goodpod01 spec: containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox env: - name: DISABLE_OPA 
@@ -20,14 +20,14 @@ metadata: name: goodpod02 spec: containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox env: - name: foo value: bar - name: DISABLE_OPA value: "false" - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox02 env: - name: foo @@ -41,7 +41,7 @@ metadata: name: goodpod03 spec: containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox02 \ No newline at end of file diff --git a/other/check-env-vars/artifacthub-pkg.yml b/other/check-env-vars/artifacthub-pkg.yml index 2f20ce57d..39e1edba3 100644 --- a/other/check-env-vars/artifacthub-pkg.yml +++ b/other/check-env-vars/artifacthub-pkg.yml @@ -19,4 +19,4 @@ annotations: kyverno/category: "Other" kyverno/kubernetesVersion: "1.24" kyverno/subject: "Pod" -digest: a7841d0a5e766115e334aac9a90116bb228a7bcdc34ae12b56ac48cfbe833830 +digest: a3bb61fb5b7cc8a92a9c8522432cb2ca580e0ee9dd5fcf58bfb50da0577691de diff --git a/other/check-env-vars/check-env-vars.yaml b/other/check-env-vars/check-env-vars.yaml index ab34491a2..773e78d8b 100644 --- a/other/check-env-vars/check-env-vars.yaml +++ b/other/check-env-vars/check-env-vars.yaml @@ -17,7 +17,7 @@ metadata: `DISABLE_OPA` environment variable is defined, it must not be set to a value of `"true"`. spec: background: true - validationFailureAction: Audit + validationFailureAction: audit rules: - name: check-disable-opa match: diff --git a/other/check-hpa-exists/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other/check-hpa-exists/.chainsaw-test/chainsaw-step-01-assert-1.yaml deleted file mode 100755 index f54312fbc..000000000 --- a/other/check-hpa-exists/.chainsaw-test/chainsaw-step-01-assert-1.yaml +++ /dev/null 
@@ -1,10 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: check-hpa-exists -status: - conditions: - - reason: Succeeded - status: "True" - type: Ready - diff --git a/other/check-hpa-exists/.chainsaw-test/chainsaw-test.yaml b/other/check-hpa-exists/.chainsaw-test/chainsaw-test.yaml deleted file mode 100755 index 598d6c7a8..000000000 --- a/other/check-hpa-exists/.chainsaw-test/chainsaw-test.yaml +++ /dev/null @@ -1,32 +0,0 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json -apiVersion: chainsaw.kyverno.io/v1alpha1 -kind: Test -metadata: - name: check-hpa-exists -spec: - steps: - - name: step-01 - try: - - apply: - file: ../check-hpa-exists.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: check-hpa-exists - spec: - validationFailureAction: Enforce - - assert: - file: chainsaw-step-01-assert-1.yaml - - name: step-02 - try: - - apply: - file: hpa.yaml - - apply: - file: deployment-with-hpa-good.yaml - - apply: - expect: - - check: - ($error != null): true - file: deployment-without-hpa-bad.yaml diff --git a/other/check-hpa-exists/.chainsaw-test/deployment-with-hpa-good.yaml b/other/check-hpa-exists/.chainsaw-test/deployment-with-hpa-good.yaml deleted file mode 100644 index aba909034..000000000 --- a/other/check-hpa-exists/.chainsaw-test/deployment-with-hpa-good.yaml +++ /dev/null @@ -1,29 +0,0 @@ ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: deployment-uses-hpa - labels: - app: httpd-app -spec: - replicas: 1 - selector: - matchLabels: - app: httpd-app - template: - metadata: - labels: - app: httpd-app - spec: - containers: - - name: httpd-container - image: httpd:latest - ports: - - containerPort: 80 - resources: - requests: - cpu: "10m" - memory: "12Mi" - limits: - cpu: "25m" - memory: "25Mi" 
diff --git a/other/check-hpa-exists/.chainsaw-test/deployment-without-hpa-bad.yaml b/other/check-hpa-exists/.chainsaw-test/deployment-without-hpa-bad.yaml deleted file mode 100644 index 776d8a4c9..000000000 --- a/other/check-hpa-exists/.chainsaw-test/deployment-without-hpa-bad.yaml +++ /dev/null @@ -1,28 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: deployment-without-hpa - labels: - app: app-without-hpa -spec: - replicas: 1 - selector: - matchLabels: - app: app-without-hpa - template: - metadata: - labels: - app: app-without-hpa - spec: - containers: - - name: nginx-container - image: ghcr.io/kyverno/test-nginx:latest - ports: - - containerPort: 80 - resources: - requests: - cpu: "10m" - memory: "12Mi" - limits: - cpu: "25m" - memory: "25Mi" diff --git a/other/check-hpa-exists/.chainsaw-test/hpa.yaml b/other/check-hpa-exists/.chainsaw-test/hpa.yaml deleted file mode 100644 index 29cfff2b5..000000000 --- a/other/check-hpa-exists/.chainsaw-test/hpa.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: autoscaling/v1 -kind: HorizontalPodAutoscaler -metadata: - name: httpd-deployment -spec: - maxReplicas: 3 - minReplicas: 1 - scaleTargetRef: - apiVersion: apps/v1 - kind: Deployment - name: deployment-uses-hpa diff --git a/other/check-hpa-exists/artifacthub-pkg.yml b/other/check-hpa-exists/artifacthub-pkg.yml deleted file mode 100644 index e097f6f1c..000000000 --- a/other/check-hpa-exists/artifacthub-pkg.yml +++ /dev/null 
@@ -1,21 +0,0 @@ -name: check-hpa-exists -version: 1.0.0 -displayName: Ensure HPA for Deployments -createdAt: "2024-07-19T13:02:58Z" -description: >- - This policy ensures that Deployments, ReplicaSets, StatefulSets, and DaemonSets are only allowed if they have a corresponding Horizontal Pod Autoscaler (HPA) configured in the same namespace. The policy checks for the presence of an HPA that targets the resource and denies the creation or update of the resource if no such HPA exists. This policy helps enforce scaling practices and ensures that resources are managed efficiently. -install: |- - ```shell - kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/check-hpa-exists/check-hpa-exists.yaml - ``` -keywords: - - kyverno - - Other -readme: | - This policy ensures that Deployments, ReplicaSets, StatefulSets, and DaemonSets are only allowed if they have a corresponding Horizontal Pod Autoscaler (HPA) configured in the same namespace. The policy checks for the presence of an HPA that targets the resource and denies the creation or update of the resource if no such HPA exists. This policy helps enforce scaling practices and ensures that resources are managed efficiently. - Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ -annotations: - kyverno/category: "Other" - kyverno/kubernetesVersion: "1.28" - kyverno/subject: "Deployment,ReplicaSet,StatefulSet,DaemonSet" -digest: 4b4c29dcaa05ad8967b2d1707c882aca05e622be135dff2e5c0c2decce3047c8 diff --git a/other/check-hpa-exists/check-hpa-exists.yaml b/other/check-hpa-exists/check-hpa-exists.yaml deleted file mode 100644 index 58d8eb274..000000000 --- a/other/check-hpa-exists/check-hpa-exists.yaml +++ /dev/null 
@@ -1,44 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: check-hpa-exists - annotations: - policies.kyverno.io/title: Ensure HPA for Deployments - policies.kyverno.io/category: Other - policies.kyverno.io/severity: medium - kyverno.io/kyverno-version: 1.11.0 - policies.kyverno.io/minversion: 1.9.0 - kyverno.io/kubernetes-version: "1.28" - policies.kyverno.io/subject: Deployment,ReplicaSet,StatefulSet,DaemonSet - policies.kyverno.io/description: >- - This policy ensures that Deployments, ReplicaSets, StatefulSets, and DaemonSets are only allowed - if they have a corresponding Horizontal Pod Autoscaler (HPA) configured in the same namespace. - The policy checks for the presence of an HPA that targets the resource and denies the creation or update - of the resource if no such HPA exists. This policy helps enforce scaling practices - and ensures that resources are managed efficiently. -spec: - validationFailureAction: Audit - background: true - rules: - - name: validate-hpa - match: - any: - - resources: - kinds: - - Deployment - - ReplicaSet - - StatefulSet - - DaemonSet - context: - - name: hpas - apiCall: - urlPath: "/apis/autoscaling/v1/namespaces/{{ request.namespace }}/horizontalpodautoscalers" - jmesPath: "items[].spec.scaleTargetRef.name" - validate: - message: "Deployment is not allowed without a corresponding HPA." - deny: - conditions: - all: - - key: "{{ request.object.metadata.name }}" - operator: AnyNotIn - value: "{{ hpas }}" diff --git a/other/check-node-for-cve-2022-0185/artifacthub-pkg.yml b/other/check-node-for-cve-2022-0185/artifacthub-pkg.yml index 722db3d46..7d4297f14 100644 --- a/other/check-node-for-cve-2022-0185/artifacthub-pkg.yml +++ b/other/check-node-for-cve-2022-0185/artifacthub-pkg.yml 
@@ -19,4 +19,4 @@ annotations: kyverno/category: "Other" kyverno/kubernetesVersion: "1.23" kyverno/subject: "Node" -digest: bbf47fbd4304d3778e87368f925a15eb4d76caf2b29b0223236b05a55f2be57c +digest: ff64c6f2754226a75b84e88862af65ecc49ebad50cabd601687fd5770003f36a diff --git a/other/check-node-for-cve-2022-0185/check-node-for-cve-2022-0185.yaml b/other/check-node-for-cve-2022-0185/check-node-for-cve-2022-0185.yaml index 64107d290..a0a287a5e 100644 --- a/other/check-node-for-cve-2022-0185/check-node-for-cve-2022-0185.yaml +++ b/other/check-node-for-cve-2022-0185/check-node-for-cve-2022-0185.yaml @@ -17,7 +17,7 @@ metadata: This policy runs in background mode and flags an entry in the ClusterPolicyReport if any Node is reporting one of the affected kernel versions. spec: - validationFailureAction: Audit + validationFailureAction: audit background: true rules: - name: kernel-validate diff --git a/other/check-nvidia-gpu/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other/check-nvidia-gpu/.chainsaw-test/chainsaw-step-01-assert-1.yaml index 45328ac8c..1373f8e29 100755 --- a/other/check-nvidia-gpu/.chainsaw-test/chainsaw-step-01-assert-1.yaml +++ b/other/check-nvidia-gpu/.chainsaw-test/chainsaw-step-01-assert-1.yaml @@ -3,8 +3,4 @@ kind: ClusterPolicy metadata: name: check-nvidia-gpus status: - conditions: - - reason: Succeeded - status: "True" - type: Ready - + ready: true diff --git a/other/check-nvidia-gpu/.chainsaw-test/chainsaw-test.yaml b/other/check-nvidia-gpu/.chainsaw-test/chainsaw-test.yaml index e84acd4e3..0d65ef8d2 100755 --- a/other/check-nvidia-gpu/.chainsaw-test/chainsaw-test.yaml +++ b/other/check-nvidia-gpu/.chainsaw-test/chainsaw-test.yaml @@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: 
@@ -8,16 +7,9 @@ spec: steps: - name: step-01 try: - - apply: - file: ../check-nvidia-gpu.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: check-nvidia-gpus - spec: - validationFailureAction: Enforce + - script: + content: | + sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../check-nvidia-gpu.yaml | kubectl create -f - - assert: file: chainsaw-step-01-assert-1.yaml - name: step-02 @@ -40,5 +32,18 @@ spec: file: podcontrollers-bad.yaml - name: step-99 try: - - script: - content: kubectl delete all --all --force --grace-period=0 -n nvidia-gpu-ns + - delete: + ref: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: check-nvidia-gpus + - command: + args: + - delete + - all + - --all + - --force + - --grace-period=0 + - -n + - nvidia-gpu-ns + entrypoint: kubectl diff --git a/other/check-nvidia-gpu/.chainsaw-test/podcontrollers-bad.yaml b/other/check-nvidia-gpu/.chainsaw-test/podcontrollers-bad.yaml index e2930b584..c0ac499fe 100644 --- a/other/check-nvidia-gpu/.chainsaw-test/podcontrollers-bad.yaml +++ b/other/check-nvidia-gpu/.chainsaw-test/podcontrollers-bad.yaml @@ -17,7 +17,7 @@ spec: app: busybox spec: containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox resources: limits: @@ -50,7 +50,7 @@ spec: limits: cpu: "0.5" nvidia.com/gpu: 1 - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox resources: limits: diff --git a/other/check-nvidia-gpu/.chainsaw-test/podcontrollers-good.yaml b/other/check-nvidia-gpu/.chainsaw-test/podcontrollers-good.yaml index 1d65a3048..ccf376b91 100644 --- a/other/check-nvidia-gpu/.chainsaw-test/podcontrollers-good.yaml +++ b/other/check-nvidia-gpu/.chainsaw-test/podcontrollers-good.yaml @@ -24,7 +24,7 @@ spec: limits: cpu: "0.5" nvidia.com/gpu: 1 - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox02 --- apiVersion: batch/v1 
@@ -39,7 +39,7 @@ spec: template: spec: containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox - name: cuda image: nvidia/cuda:12.2.0-devel-ubi8 diff --git a/other/check-nvidia-gpu/.chainsaw-test/pods-bad.yaml b/other/check-nvidia-gpu/.chainsaw-test/pods-bad.yaml index 86862cb2d..64b83fad3 100644 --- a/other/check-nvidia-gpu/.chainsaw-test/pods-bad.yaml +++ b/other/check-nvidia-gpu/.chainsaw-test/pods-bad.yaml @@ -7,7 +7,7 @@ metadata: namespace: nvidia-gpu-ns spec: containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox resources: limits: @@ -23,7 +23,7 @@ metadata: namespace: nvidia-gpu-ns spec: containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox resources: limits: diff --git a/other/check-nvidia-gpu/.chainsaw-test/pods-good.yaml b/other/check-nvidia-gpu/.chainsaw-test/pods-good.yaml index b20bbc4aa..84b2e027a 100644 --- a/other/check-nvidia-gpu/.chainsaw-test/pods-good.yaml +++ b/other/check-nvidia-gpu/.chainsaw-test/pods-good.yaml @@ -20,7 +20,7 @@ metadata: namespace: nvidia-gpu-ns spec: containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox resources: limits: @@ -42,5 +42,5 @@ spec: resources: limits: nvidia.com/gpu: 0 - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox02 \ No newline at end of file diff --git a/other/check-nvidia-gpu/artifacthub-pkg.yml b/other/check-nvidia-gpu/artifacthub-pkg.yml index d1102c4f7..810b6637c 100644 --- a/other/check-nvidia-gpu/artifacthub-pkg.yml +++ b/other/check-nvidia-gpu/artifacthub-pkg.yml @@ -19,4 +19,4 @@ annotations: kyverno/category: "Other" kyverno/kubernetesVersion: "1.23" kyverno/subject: "Pod" -digest: bb7ad48deb4c3ed80a5e249a0406ab063fa1e01f181ecf67c6255212887bc541 +digest: e5286892d05b3b220ed0b9d8cad3ae4c50e2d394678758e3137661ab8c8b5648 
diff --git a/other/check-nvidia-gpu/check-nvidia-gpu.yaml b/other/check-nvidia-gpu/check-nvidia-gpu.yaml index be91959cd..c44194f96 100644 --- a/other/check-nvidia-gpu/check-nvidia-gpu.yaml +++ b/other/check-nvidia-gpu/check-nvidia-gpu.yaml @@ -17,7 +17,7 @@ metadata: request a GPU to ensure they have been authored with this environment variable. spec: - validationFailureAction: Audit + validationFailureAction: audit rules: - name: check-nvidia-gpus match: diff --git a/other/check-serviceaccount-secrets/.chainsaw-test/bad-svc-account.yaml b/other/check-serviceaccount-secrets/.chainsaw-test/bad-svc-account.yaml deleted file mode 100644 index a88b34090..000000000 --- a/other/check-serviceaccount-secrets/.chainsaw-test/bad-svc-account.yaml +++ /dev/null @@ -1,7 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount -metadata: - name: bad-svc-account-02 - namespace: default -secrets: - - name: example-automated-thing-token-zyxwv \ No newline at end of file diff --git a/other/check-serviceaccount-secrets/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other/check-serviceaccount-secrets/.chainsaw-test/chainsaw-step-01-assert-1.yaml deleted file mode 100644 index 42d9fcf36..000000000 --- a/other/check-serviceaccount-secrets/.chainsaw-test/chainsaw-step-01-assert-1.yaml +++ /dev/null @@ -1,10 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: check-serviceaccount-secrets -status: - conditions: - - reason: Succeeded - status: "True" - type: Ready - diff --git a/other/check-serviceaccount-secrets/.chainsaw-test/chainsaw-test.yaml b/other/check-serviceaccount-secrets/.chainsaw-test/chainsaw-test.yaml deleted file mode 100644 index 7302d879d..000000000 --- a/other/check-serviceaccount-secrets/.chainsaw-test/chainsaw-test.yaml +++ /dev/null 
@@ -1,29 +0,0 @@ -apiVersion: chainsaw.kyverno.io/v1alpha1 -kind: Test -metadata: - name: check-service-accounts -spec: - steps: - - name: step-01 - try: - - script: - content: | - sed 's/validationFailureAction: Audit/validationFailureAction: Enforce/' ../check-serviceaccount-secrets.yaml | kubectl create -f - - - assert: - file: chainsaw-step-01-assert-1.yaml - - name: step-02 - try: - - apply: - file: good-svc-account.yaml - - apply: - expect: - - check: - ($error != null): true - file: bad-svc-account.yaml - - name: step-99 - try: - - delete: - ref: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - name: check-serviceaccount-secrets \ No newline at end of file diff --git a/other/check-serviceaccount-secrets/.chainsaw-test/good-svc-account.yaml b/other/check-serviceaccount-secrets/.chainsaw-test/good-svc-account.yaml deleted file mode 100644 index 72fe039cf..000000000 --- a/other/check-serviceaccount-secrets/.chainsaw-test/good-svc-account.yaml +++ /dev/null @@ -1,5 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount -metadata: - name: good-svc-account - namespace: default diff --git a/other/check-serviceaccount-secrets/.kyverno-test/kyverno-test.yaml b/other/check-serviceaccount-secrets/.kyverno-test/kyverno-test.yaml deleted file mode 100644 index f2438227d..000000000 --- a/other/check-serviceaccount-secrets/.kyverno-test/kyverno-test.yaml +++ /dev/null @@ -1,21 +0,0 @@ -apiVersion: cli.kyverno.io/v1alpha1 -kind: Test -metadata: - name: svc-name -policies: -- ../check-serviceaccount-secrets.yaml -resources: -- resource.yaml -results: -- kind: ServiceAccount - policy: check-serviceaccount-secrets - resources: - - bad-svc-account - result: fail - rule: deny-secrets -- kind: ServiceAccount - policy: check-serviceaccount-secrets - resources: - - good-svc-account - result: pass - rule: deny-secrets \ No newline at end of file 
diff --git a/other/check-serviceaccount-secrets/.kyverno-test/resource.yaml b/other/check-serviceaccount-secrets/.kyverno-test/resource.yaml deleted file mode 100644 index e2d53b0dc..000000000 --- a/other/check-serviceaccount-secrets/.kyverno-test/resource.yaml +++ /dev/null @@ -1,14 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount -metadata: - name: bad-svc-account - namespace: default -secrets: - - name: build-robot-secret ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: good-svc-account - namespace: default - diff --git a/other/check-serviceaccount-secrets/artifacthub-pkg.yaml b/other/check-serviceaccount-secrets/artifacthub-pkg.yaml deleted file mode 100644 index 1913f5a68..000000000 --- a/other/check-serviceaccount-secrets/artifacthub-pkg.yaml +++ /dev/null 
@@ -1,32 +0,0 @@ -name: check-serviceaccount-secrets -version: 1.0.0 -displayName: Check Existence of Secrets in ServiceAccount -createdAt: "2024-03-02T06:14:33.000Z" -description: >- - Before version 1.24, Kubernetes automatically generated Secret-based tokens - for ServiceAccounts. To distinguish between automatically generated tokens - and manually created ones, Kubernetes checks for a reference from the - ServiceAccount's secrets field. If the Secret is referenced in the secrets - field, it is considered an auto-generated legacy token. These legacy Tokens can - be of security concern and should be audited. -install: |- - ```shell - kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/check-serviceaccount-secrets/check-serviceaccount-secrets.yaml - ``` -keywords: - - kyverno - - Sample -readme: | - Before version 1.24, Kubernetes automatically generated Secret-based tokens - for ServiceAccounts. To distinguish between automatically generated tokens - and manually created ones, Kubernetes checks for a reference from the - ServiceAccount's secrets field. If the Secret is referenced in the secrets - field, it is considered an auto-generated legacy token. These legacy Tokens can - be of security concern and should be audited. - - Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ -annotations: - kyverno/category: "Security" - kyverno/kubernetesVersion: "1.27" - kyverno/subject: "Secret,ServiceAccount" -digest: 43f9a02f3d13e172bbd0a24cae3747184c407f7df2b777247625906e851eff7e diff --git a/other/check-serviceaccount-secrets/check-serviceaccount-secrets.yaml b/other/check-serviceaccount-secrets/check-serviceaccount-secrets.yaml deleted file mode 100644 index 6459a0f3a..000000000 --- a/other/check-serviceaccount-secrets/check-serviceaccount-secrets.yaml +++ /dev/null 
@@ -1,32 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: check-serviceaccount-secrets - annotations: - policies.kyverno.io/title: Check Long-Lived Secrets in ServiceAccounts - policies.kyverno.io/category: Security - policies.kyverno.io/severity: medium - kyverno.io/kyverno-version: 1.11.1 - kyverno.io/kubernetes-version: "1.27" - policies.kyverno.io/subject: Secret,ServiceAccount - policies.kyverno.io/description: >- - Before version 1.24, Kubernetes automatically generated Secret-based tokens - for ServiceAccounts. To distinguish between automatically generated tokens - and manually created ones, Kubernetes checks for a reference from the - ServiceAccount's secrets field. If the Secret is referenced in the secrets - field, it is considered an auto-generated legacy token. These legacy Tokens can - be of security concern and should be audited. -spec: - validationFailureAction: Audit - background: true - rules: - - name: deny-secrets - match: - any: - - resources: - kinds: - - ServiceAccount - validate: - message: "Long-lived API tokens are not allowed." - pattern: - X(secrets): \ No newline at end of file diff --git a/other/check-serviceaccount/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other/check-serviceaccount/.chainsaw-test/chainsaw-step-01-assert-1.yaml index 814fe5ce5..44e651654 100755 --- a/other/check-serviceaccount/.chainsaw-test/chainsaw-step-01-assert-1.yaml +++ b/other/check-serviceaccount/.chainsaw-test/chainsaw-step-01-assert-1.yaml @@ -3,8 +3,4 @@ kind: ClusterPolicy metadata: name: check-sa status: - conditions: - - reason: Succeeded - status: "True" - type: Ready - + ready: true diff --git a/other/check-serviceaccount/.chainsaw-test/chainsaw-test.yaml b/other/check-serviceaccount/.chainsaw-test/chainsaw-test.yaml index e2b694e61..64e54e7bf 100755 --- a/other/check-serviceaccount/.chainsaw-test/chainsaw-test.yaml +++ b/other/check-serviceaccount/.chainsaw-test/chainsaw-test.yaml 
@@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: @@ -8,16 +7,9 @@ spec: steps: - name: step-01 try: - - apply: - file: ../check-serviceaccount.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: check-sa - spec: - validationFailureAction: Enforce + - script: + content: | + sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../check-serviceaccount.yaml | kubectl create -f - - assert: file: chainsaw-step-01-assert-1.yaml - name: step-02 @@ -44,7 +36,7 @@ spec: # Setting up the SA user export TOKEN_SA=`kubectl get secret safe-secret -n check-sa-ns -ojsonpath='{.data.token}' | base64 -d` kubectl config set-credentials safe-user --token=${TOKEN_SA} - kubectl config set-context safe-context --user=safe-user --cluster=chainsaw --namespace=check-sa-ns + kubectl config set-context safe-context --user=safe-user --cluster=kind-kind --namespace=check-sa-ns # Applying Manifests kubectl config use-context safe-context 
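Review bot: The `sed` substitution in step-01 is a silent no-op when its pattern does not match, so any change to the spelling of `validationFailureAction` in ../check-serviceaccount.yaml would leave the policy in audit mode and the negative checks in step-02 (`if kubectl apply -f pod-bad.yaml; then exit 1`) would fail for a reason unrelated to the policy logic. This test's pattern is lowercase `audit` while the other tests in this commit substitute `Audit`, which makes that coupling easy to break. Assert the effective mode after creation, e.g. add `spec: {validationFailureAction: Enforce}` to chainsaw-step-01-assert-1.yaml, or guard the pipe with `grep -q 'validationFailureAction: Enforce'` on the substituted manifest before `kubectl create`.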
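Review bot: Hard-coding `--cluster=kind-kind` in the `kubectl config set-context safe-context` line ties this test to a kind cluster created with the default name; against any other cluster the new context references a non-existent cluster entry and every `kubectl apply` after `kubectl config use-context safe-context` fails before the policy is exercised. The previous value `chainsaw` was at least tool-neutral. Derive the name from the active context instead: `CLUSTER=$(kubectl config view --minify -o jsonpath='{.contexts[0].context.cluster}')` and then `--cluster=${CLUSTER}`.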
@@ -52,20 +44,25 @@ spec: if kubectl apply -f pod-bad.yaml; then exit 1; else echo "badpod01 failed to create"; fi kubectl apply -f podcontroller-good.yaml if kubectl apply -f podcontroller-bad.yaml; then exit 1; else echo "badpodcontrollers failed to create"; fi - finally: - - script: - content: | - set -e - kubectl delete -f pod-good.yaml --ignore-not-found - - script: - content: | - set -e - kubectl delete -f pod-bad.yaml --ignore-not-found - - script: - content: | - set -e - kubectl delete -f podcontroller-good.yaml --ignore-not-found - - script: - content: | - set -e - kubectl delete -f podcontroller-bad.yaml --ignore-not-found + + # Unset the context and user + kubectl config use-context kind-kind + kubectl config unset contexts.safe-context + kubectl config unset users.safe-user + - name: step-99 + try: + - delete: + ref: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: check-sa + - command: + args: + - delete + - all + - --all + - --force + - --grace-period=0 + - -n + - check-sa-ns + entrypoint: kubectl diff --git a/other/check-serviceaccount/.chainsaw-test/pod-bad.yaml b/other/check-serviceaccount/.chainsaw-test/pod-bad.yaml index 414ce2cc7..ee6965680 100644 --- a/other/check-serviceaccount/.chainsaw-test/pod-bad.yaml +++ b/other/check-serviceaccount/.chainsaw-test/pod-bad.yaml @@ -6,7 +6,7 @@ metadata: spec: serviceAccountName: restricted containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox args: - sleep diff --git a/other/check-serviceaccount/.chainsaw-test/pod-good.yaml b/other/check-serviceaccount/.chainsaw-test/pod-good.yaml index dea1f3a34..84a2d8954 100644 --- a/other/check-serviceaccount/.chainsaw-test/pod-good.yaml +++ b/other/check-serviceaccount/.chainsaw-test/pod-good.yaml @@ -6,7 +6,7 @@ metadata: spec: serviceAccountName: safe containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox args: - sleep 
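Review bot: Moving the `kubectl config unset` calls for `safe-user` and `safe-context` to the tail of the step-02 script means they never run when one of the `exit 1` guards above them fires, so a failed run leaves the ServiceAccount token read from `safe-secret` persisted in the operator's kubeconfig with `safe-context` still selected as the current context. The deleted `finally:` block ran regardless of outcome, and the new step-99 is an ordinary step that chainsaw, as I understand it, skips once an earlier step has failed. Note also that `kubectl delete all --all` does not cover Secrets or ServiceAccounts, so `safe-secret` and the test SAs survive it. I would move the three `kubectl config` lines into a `finally: - script:` on step-02 and widen the delete to `delete all,secret,serviceaccount --all -n check-sa-ns`.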
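Review bot: `busybox:1.35` in pod-bad.yaml resolves to the Docker Hub library image by a mutable tag, whereas `ghcr.io/kyverno/test-busybox:1.35` lived under the project's own registry namespace; the new reference is exposed to Hub pull-rate limits in CI and to the tag being re-pushed with different content. The same substitution is made in every test fixture in this commit, so I raise it once here. If leaving ghcr.io is intentional, pin the tag by digest, `image: busybox:1.35@sha256:<digest>`, or point at a project-controlled mirror.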
diff --git a/other/check-serviceaccount/.chainsaw-test/podcontroller-bad.yaml b/other/check-serviceaccount/.chainsaw-test/podcontroller-bad.yaml index bfabbcfb9..e9873be81 100644 --- a/other/check-serviceaccount/.chainsaw-test/podcontroller-bad.yaml +++ b/other/check-serviceaccount/.chainsaw-test/podcontroller-bad.yaml @@ -18,7 +18,7 @@ spec: spec: serviceAccountName: restricted containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox args: - sleep @@ -37,7 +37,7 @@ spec: spec: serviceAccountName: restricted containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox args: - sleep diff --git a/other/check-serviceaccount/.chainsaw-test/podcontroller-good.yaml b/other/check-serviceaccount/.chainsaw-test/podcontroller-good.yaml index 109c8445b..85220548a 100644 --- a/other/check-serviceaccount/.chainsaw-test/podcontroller-good.yaml +++ b/other/check-serviceaccount/.chainsaw-test/podcontroller-good.yaml @@ -18,7 +18,7 @@ spec: spec: serviceAccountName: safe containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox args: - sleep @@ -37,7 +37,7 @@ spec: spec: serviceAccountName: safe containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox args: - sleep diff --git a/other/check-serviceaccount/artifacthub-pkg.yml b/other/check-serviceaccount/artifacthub-pkg.yml index 8fa3fe2be..3a1eb30af 100644 --- a/other/check-serviceaccount/artifacthub-pkg.yml +++ b/other/check-serviceaccount/artifacthub-pkg.yml @@ -19,4 +19,4 @@ annotations: kyverno/category: "Sample" kyverno/kubernetesVersion: "1.21" kyverno/subject: "Pod,ServiceAccount" -digest: bce4d3d38e46648c836c946b740b2317851e75af24799027cbe0ba3d29488c51 +digest: c01a1820fe70be2bec253ce6299f9af3dd82f3e1186e4d3f29894e538c47dc56 diff --git a/other/check-serviceaccount/check-serviceaccount.yaml b/other/check-serviceaccount/check-serviceaccount.yaml index 4fb9b86c4..414cda066 100644 
--- a/other/check-serviceaccount/check-serviceaccount.yaml +++ b/other/check-serviceaccount/check-serviceaccount.yaml @@ -15,7 +15,7 @@ metadata: Pod, if created by a ServiceAccount, and ensures the `serviceAccountName` field matches the actual ServiceAccount. spec: - validationFailureAction: Audit + validationFailureAction: audit background: false rules: - name: check-sa diff --git a/other/check-subjectaccessreview/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other/check-subjectaccessreview/.chainsaw-test/chainsaw-step-01-assert-1.yaml index 2d4e46eca..8531d7103 100755 --- a/other/check-subjectaccessreview/.chainsaw-test/chainsaw-step-01-assert-1.yaml +++ b/other/check-subjectaccessreview/.chainsaw-test/chainsaw-step-01-assert-1.yaml @@ -3,8 +3,4 @@ kind: ClusterPolicy metadata: name: check-subjectaccessreview status: - conditions: - - reason: Succeeded - status: "True" - type: Ready - + ready: true diff --git a/other/check-subjectaccessreview/.chainsaw-test/chainsaw-test.yaml b/other/check-subjectaccessreview/.chainsaw-test/chainsaw-test.yaml index ab993be78..e58343c1d 100755 --- a/other/check-subjectaccessreview/.chainsaw-test/chainsaw-test.yaml +++ b/other/check-subjectaccessreview/.chainsaw-test/chainsaw-test.yaml @@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: @@ -10,16 +9,9 @@ spec: try: - apply: file: ns.yaml - - apply: - file: ../check-subjectaccessreview.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: check-subjectaccessreview - spec: - validationFailureAction: Enforce + - script: + content: | + sed 's/validationFailureAction: Audit/validationFailureAction: Enforce/' ../check-subjectaccessreview.yaml | kubectl create -f - - assert: file: chainsaw-step-01-assert-1.yaml - name: step-02 
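Review bot: Changing the published policy's `validationFailureAction` from `Audit` to lowercase `audit` makes check-serviceaccount.yaml the only policy touched by this commit that uses that spelling; the deleted check-serviceaccount-secrets policy and the sed substitutions in the other tests all use `Audit`. Kyverno accepts both as far as I know, but the lowercase form is the older spelling, and the test's sed in .chainsaw-test/chainsaw-test.yaml now matches only `audit`, so a later normalization back to `Audit` would silently leave the test policy in audit mode. I would keep `validationFailureAction: Audit` here and adjust the sed pattern instead.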
@@ -28,8 +20,6 @@ spec: content: | #!/bin/bash set -eu - cp $KUBECONFIG temp - export KUBECONFIG=./temp export USERNAME=subreviewuser export BADUSERNAME=badsubreviewuser export CA=ca.crt @@ -84,6 +74,8 @@ spec: # Delete CSR kubectl delete csr $USERNAME kubectl delete csr $BADUSERNAME + - name: step-03 + try: - apply: file: chainsaw-step-03-apply-1.yaml - apply: @@ -94,30 +86,53 @@ spec: file: chainsaw-step-03-apply-4.yaml - apply: file: chainsaw-step-03-apply-5.yaml + - name: step-04 + try: + - command: + args: + - create + - --context=subreviewuser-context + - -f + - cm-one.yaml + entrypoint: kubectl - script: - content: | - set -eu - export KUBECONFIG=./temp - kubectl create --context=subreviewuser-context -f cm-one.yaml - - script: - content: | - set -eu - export KUBECONFIG=./temp - if kubectl create --context=badsubreviewuser-context -f cm-two.yaml; then exit 1; else exit 0; fi - finally: - - script: - content: | - set -e - kubectl delete cpol check-subjectaccessreview - - script: - content: | - set -e - kubectl delete -f cm-one.yaml --ignore-not-found - - script: - content: | - set -e - kubectl delete -f cm-two.yaml --ignore-not-found - - script: - content: | - set -e - rm ./temp + content: if kubectl create --context=badsubreviewuser-context -f cm-two.yaml; + then exit 1; else exit 0; fi + - name: step-05 + try: + - command: + args: + - config + - unset + - users.subreviewuser + entrypoint: kubectl + - command: + args: + - config + - unset + - users.badsubreviewuser + entrypoint: kubectl + - command: + args: + - config + - unset + - contexts.subreviewuser-context + entrypoint: kubectl + - command: + args: + - config + - unset + - contexts.badsubreviewuser-context + entrypoint: kubectl + - command: + args: + - delete + - cpol + - check-subjectaccessreview + entrypoint: kubectl + - command: + args: + - delete + - -f + - cm-one.yaml + entrypoint: kubectl 
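Review bot: Dropping `cp $KUBECONFIG temp` and `export KUBECONFIG=./temp` means the CSR-issued `subreviewuser` and `badsubreviewuser` credentials and their contexts are now written into the caller's real kubeconfig rather than a throwaway copy; the remainder of this script, including the CSR handling, runs outside the hunk. The `kubectl config unset` commands that remove them only run if every intermediate step succeeds, so a failed run leaves client certificates in the shared kubeconfig. If the copy was removed because a per-step `export` does not carry over between chainsaw steps, the isolation can be restored with the operation's `env:` field (chainsaw's script/command operations take one, if I recall correctly), e.g. `env: [{name: KUBECONFIG, value: ./temp}]` on each step that uses the test users.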
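Review bot: The cleanup that previously ran under `finally:` (delete the cpol, delete cm-one/cm-two, remove the temp kubeconfig) is now an ordinary step-05, which does not execute when step-04 fails, so a regression in the policy leaves an Enforce-mode `check-subjectaccessreview` ClusterPolicy and two kubeconfig users behind for whatever test runs next. Because the policy is created by `kubectl create` from a sed-rewritten manifest rather than a chainsaw `apply`, chainsaw's automatic cleanup does not track it either, as far as I know. The new `kubectl delete -f cm-one.yaml` also lost `--ignore-not-found`, so the cleanup is no longer safe to re-run after a partial failure. Move these commands under `finally:` of step-04 and restore `--ignore-not-found` on the `delete -f cm-one.yaml` command.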
diff --git a/other/check-vpa-configuration/.chainsaw-test/bad.yaml b/other/check-vpa-configuration/.chainsaw-test/bad.yaml deleted file mode 100644 index 16c652fbf..000000000 --- a/other/check-vpa-configuration/.chainsaw-test/bad.yaml +++ /dev/null @@ -1,65 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app: bad-busybox - name: bad-busybox -spec: - replicas: 1 - selector: - matchLabels: - app: bad-busybox - template: - metadata: - labels: - app: bad-busybox - spec: - containers: - - image: ghcr.io/kyverno/test-busybox:latest - name: bad-busybox - command: - - "sleep" - - "3000" ---- -apiVersion: apps/v1 -kind: DaemonSet -metadata: - name: bad-ds-busybox -spec: - selector: - matchLabels: - name: bad-daemonset - template: - metadata: - labels: - name: bad-daemonset - spec: - containers: - - image: ghcr.io/kyverno/test-busybox:latest - name: busybox - command: - - "sleep" - - "3000" ---- -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: bad-ss-busybox -spec: - selector: - matchLabels: - app: bad-busybox - serviceName: busyservice - replicas: 1 - minReadySeconds: 10 - template: - metadata: - labels: - app: bad-busybox - spec: - containers: - - image: ghcr.io/kyverno/test-busybox:latest - name: busybox - command: - - "sleep" - - "3000" \ No newline at end of file diff --git a/other/check-vpa-configuration/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other/check-vpa-configuration/.chainsaw-test/chainsaw-step-01-assert-1.yaml deleted file mode 100644 index 06acb8836..000000000 --- a/other/check-vpa-configuration/.chainsaw-test/chainsaw-step-01-assert-1.yaml +++ /dev/null @@ -1,9 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: check-vpa-configuration -status: - conditions: - - reason: Succeeded - status: "True" - type: Ready 
diff --git a/other/check-vpa-configuration/.chainsaw-test/chainsaw-test.yaml b/other/check-vpa-configuration/.chainsaw-test/chainsaw-test.yaml deleted file mode 100644 index 4659846b5..000000000 --- a/other/check-vpa-configuration/.chainsaw-test/chainsaw-test.yaml +++ /dev/null @@ -1,37 +0,0 @@ -apiVersion: chainsaw.kyverno.io/v1alpha1 -kind: Test -metadata: - name: check-vpa-configuration -spec: - steps: - - name: 01 - Create policy and Enforce - try: - - apply: - file: permissions.yaml - - apply: - file: ../check-vpa-configuration.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: check-vpa-configuration - spec: - validationFailureAction: Enforce - - assert: - file: chainsaw-step-01-assert-1.yaml - - name: 02 - Create VPAs - try: - - apply: - file: prereq.yaml - - name: 03 - Create bad Resources that do not have a matching VPA - try: - - apply: - file: bad.yaml - expect: - - check: - ($error != null): true - - name: 04 - Create good Resources that have a matching VPA - try: - - apply: - file: good.yaml \ No newline at end of file diff --git a/other/check-vpa-configuration/.chainsaw-test/good.yaml b/other/check-vpa-configuration/.chainsaw-test/good.yaml deleted file mode 100644 index 6d6e46c1d..000000000 --- a/other/check-vpa-configuration/.chainsaw-test/good.yaml +++ /dev/null 
@@ -1,65 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app: good-busybox - name: good-busybox -spec: - replicas: 1 - selector: - matchLabels: - app: good-busybox - template: - metadata: - labels: - app: good-busybox - spec: - containers: - - image: ghcr.io/kyverno/test-busybox:latest - name: good-busybox - command: - - "sleep" - - "3000" ---- -apiVersion: apps/v1 -kind: DaemonSet -metadata: - name: good-ds-busybox -spec: - selector: - matchLabels: - name: daemonset - template: - metadata: - labels: - name: daemonset - spec: - containers: - - image: ghcr.io/kyverno/test-busybox:latest - name: busybox - command: - - "sleep" - - "3000" ---- -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: good-ss-busybox -spec: - selector: - matchLabels: - app: busybox - serviceName: busyservice - replicas: 1 - minReadySeconds: 10 - template: - metadata: - labels: - app: busybox - spec: - containers: - - image: ghcr.io/kyverno/test-busybox:latest - name: busybox - command: - - "sleep" - - "3000" \ No newline at end of file diff --git a/other/check-vpa-configuration/.chainsaw-test/permissions.yaml b/other/check-vpa-configuration/.chainsaw-test/permissions.yaml deleted file mode 100644 index 6b20b3c83..000000000 --- a/other/check-vpa-configuration/.chainsaw-test/permissions.yaml +++ /dev/null @@ -1,17 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: kyverno:vpa - labels: - rbac.kyverno.io/aggregate-to-background-controller: "true" - rbac.kyverno.io/aggregate-to-reports-controller: "true" - rbac.kyverno.io/aggregate-to-admission-controller: "true" -rules: -- apiGroups: - - autoscaling.k8s.io - resources: - - verticalpodautoscalers - verbs: - - get - - list - - watch \ No newline at end of file diff --git a/other/check-vpa-configuration/.chainsaw-test/prereq.yaml b/other/check-vpa-configuration/.chainsaw-test/prereq.yaml deleted file mode 100644 index 67bd548af..000000000 
--- a/other/check-vpa-configuration/.chainsaw-test/prereq.yaml +++ /dev/null @@ -1,36 +0,0 @@ -apiVersion: autoscaling.k8s.io/v1 -kind: VerticalPodAutoscaler -metadata: - name: autoscaler01 -spec: - targetRef: - apiVersion: apps/v1 - kind: Deployment - name: good-busybox - updatePolicy: - updateMode: Auto ---- -apiVersion: autoscaling.k8s.io/v1 -kind: VerticalPodAutoscaler -metadata: - name: autoscaler02 -spec: - targetRef: - apiVersion: apps/v1 - kind: DaemonSet - name: good-ds-busybox - updatePolicy: - updateMode: Auto ---- -apiVersion: autoscaling.k8s.io/v1 -kind: VerticalPodAutoscaler -metadata: - name: autoscaler03 -spec: - targetRef: - apiVersion: apps/v1 - kind: StatefulSet - name: good-ss-busybox - updatePolicy: - updateMode: Auto ---- \ No newline at end of file diff --git a/other/check-vpa-configuration/artifact-hub.yaml b/other/check-vpa-configuration/artifact-hub.yaml deleted file mode 100644 index 638a5e173..000000000 --- a/other/check-vpa-configuration/artifact-hub.yaml +++ /dev/null 
@@ -1,28 +0,0 @@ -name: check-vpa-configuration -version: 1.0.0 -displayName: Check VPA Configuration -createdAt: "2024-03-10T13:08:00.000Z" -description: >- - VerticalPodAutoscaler (VPA) is useful to automatically adjust the resources assigned to Pods. - It requires defining a specific target resource by kind and name. There are no built-in - validation checks by the VPA controller to ensure that the target resource is associated with it. - This policy ensures that the matching kind has a matching VPA. -install: |- - ```shell - kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/check-vpa-configuration/check-vpa-configuration.yaml - ``` -keywords: - - kyverno - - other -readme: | - VerticalPodAutoscaler (VPA) is useful to automatically adjust the resources assigned to Pods. - It requires defining a specific target resource by kind and name. There are no built-in - validation checks by the VPA controller to ensure that the target resource is associated with it. - This policy ensures that the matching kind has a matching VPA. - - Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ -annotations: - kyverno/category: "Other" - kyverno/kubernetesVersion: "1.27" - kyverno/subject: "Deployment, StatefulSet, ReplicaSet, DaemonSet , VerticalPodAutoscaler" -digest: 105078846d596cd7f3ce01cfe1acf9a5da07bb51d38d153a5bcd7015e2960160 diff --git a/other/check-vpa-configuration/check-vpa-configuration.yaml b/other/check-vpa-configuration/check-vpa-configuration.yaml deleted file mode 100644 index dc5051bc5..000000000 --- a/other/check-vpa-configuration/check-vpa-configuration.yaml +++ /dev/null 
@@ -1,45 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: check-vpa-configuration - annotations: - policies.kyverno.io/title: Check for matching VerticalPodAutoscaler (VPA) - policies.kyverno.io/category: Other - policies.kyverno.io/severity: medium - kyverno.io/kyverno-version: 1.11.4 - kyverno.io/kubernetes-version: "1.27" - policies.kyverno.io/subject: Deployment, StatefulSet, ReplicaSet, DaemonSet, VerticalPodAutoscaler - policies.kyverno.io/description: >- - VerticalPodAutoscaler (VPA) is useful to automatically adjust the resources assigned to Pods. - It requires defining a specific target resource by kind and name. There are no built-in - validation checks by the VPA controller to ensure that the target resource is associated with it. - This policy ensures that the matching kind has a matching VPA. -spec: - validationFailureAction: Audit - background: false - rules: - - name: check-vpa-configuration - match: - any: - - resources: - kinds: - - Deployment - - StatefulSet - - ReplicaSet - - DaemonSet - context: - - name: vpas - apiCall: - urlPath: "/apis/autoscaling.k8s.io/v1/namespaces/{{request.object.metadata.namespace}}/verticalpodautoscalers" - jmesPath: "items[?spec.targetRef.kind=='{{ request.object.kind }}'].spec.targetRef.name" - validate: - message: >- - Workload '{{request.object.kind}}/{{request.object.metadata.name}}' - requires a matching VerticalPodAutoscaler (VPA) in the - '{{request.object.metadata.namespace}}' namespace. - deny: - conditions: - all: - - key: "{{ request.object.metadata.name }}" - operator: NotIn - value: "{{ vpas }}" \ No newline at end of file diff --git a/other/concatenate-configmaps/.chainsaw-test/chainsaw-test.yaml b/other/concatenate-configmaps/.chainsaw-test/chainsaw-test.yaml index cec77814b..3db8e9f57 100755 --- a/other/concatenate-configmaps/.chainsaw-test/chainsaw-test.yaml +++ b/other/concatenate-configmaps/.chainsaw-test/chainsaw-test.yaml 
@@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: diff --git a/other/concatenate-configmaps/.chainsaw-test/policy-ready.yaml b/other/concatenate-configmaps/.chainsaw-test/policy-ready.yaml index 62f983ca9..b8ad10271 100644 --- a/other/concatenate-configmaps/.chainsaw-test/policy-ready.yaml +++ b/other/concatenate-configmaps/.chainsaw-test/policy-ready.yaml @@ -3,7 +3,4 @@ kind: ClusterPolicy metadata: name: concatenate-configmaps status: - conditions: - - reason: Succeeded - status: "True" - type: Ready + ready: true \ No newline at end of file diff --git a/other/copy-namespace-labels/.chainsaw-test/chainsaw-test.yaml b/other/copy-namespace-labels/.chainsaw-test/chainsaw-test.yaml deleted file mode 100644 index 125cccbe9..000000000 --- a/other/copy-namespace-labels/.chainsaw-test/chainsaw-test.yaml +++ /dev/null @@ -1,28 +0,0 @@ -apiVersion: chainsaw.kyverno.io/v1alpha1 -kind: Test -metadata: - name: copy-namespace-labels -spec: - steps: - - name: step-01 - try: - - apply: - file: ns.yaml - - apply: - file: ../copy-namespace-labels.yaml - - assert: - file: policy-ready.yaml - - name: step-02 - try: - - apply: - file: resource.yaml - - assert: - file: patchresource.yaml - - error: - resource: - apiVersion: apps/v1 - kind: Deployment - metadata: - namespace: within-ns - labels: - kubernetes.io/metadata.name: "within-ns" \ No newline at end of file diff --git a/other/copy-namespace-labels/.chainsaw-test/ns.yaml b/other/copy-namespace-labels/.chainsaw-test/ns.yaml deleted file mode 100644 index 5940d9141..000000000 --- a/other/copy-namespace-labels/.chainsaw-test/ns.yaml +++ /dev/null @@ -1,7 +0,0 @@ -apiVersion: v1 -kind: Namespace -metadata: - name: within-ns - labels: - owner: "any-corp" - env: dev 
diff --git a/other/copy-namespace-labels/.chainsaw-test/patchresource.yaml b/other/copy-namespace-labels/.chainsaw-test/patchresource.yaml deleted file mode 100644 index 626d93810..000000000 --- a/other/copy-namespace-labels/.chainsaw-test/patchresource.yaml +++ /dev/null @@ -1,66 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: my-deployment-1 - namespace: within-ns - labels: - app: good-app - owner: "any-corp" - env: dev -spec: - replicas: 1 - selector: - matchLabels: - app: good-app - template: - metadata: - labels: - app: good-app - spec: - containers: - - name: good-app-deploy - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: my-deployment-3 - namespace: within-ns - labels: - owner: "any-corp" - env: dev -spec: - replicas: 1 - selector: - matchLabels: - app: my-app03 - template: - metadata: - labels: - app: my-app03 - spec: - containers: - - name: my-app03-deploy - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: my-deployment-4 - namespace: within-ns - labels: - owner: "any-corp" - env: dev -spec: - replicas: 1 - selector: - matchLabels: - app: my-app04 - template: - metadata: - labels: - app: my-app04 - spec: - containers: - - name: my-app04-deploy - image: ghcr.io/kyverno/test-busybox:1.35 \ No newline at end of file diff --git a/other/copy-namespace-labels/.chainsaw-test/policy-ready.yaml b/other/copy-namespace-labels/.chainsaw-test/policy-ready.yaml deleted file mode 100644 index f66a1375d..000000000 --- a/other/copy-namespace-labels/.chainsaw-test/policy-ready.yaml +++ /dev/null @@ -1,10 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: copy-namespace-labels -status: - conditions: - - reason: Succeeded - status: "True" - type: Ready - 
diff --git a/other/copy-namespace-labels/.chainsaw-test/resource.yaml b/other/copy-namespace-labels/.chainsaw-test/resource.yaml deleted file mode 100644 index 5fa6fe3a2..000000000 --- a/other/copy-namespace-labels/.chainsaw-test/resource.yaml +++ /dev/null @@ -1,60 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: my-deployment-1 - namespace: within-ns - labels: - app: good-app -spec: - replicas: 1 - selector: - matchLabels: - app: good-app - template: - metadata: - labels: - app: good-app - spec: - containers: - - name: good-app-deploy - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: my-deployment-3 - namespace: within-ns - labels: - owner: "dev-team" -spec: - replicas: 1 - selector: - matchLabels: - app: my-app03 - template: - metadata: - labels: - app: my-app03 - spec: - containers: - - name: my-app03-deploy - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: my-deployment-4 - namespace: within-ns -spec: - replicas: 1 - selector: - matchLabels: - app: my-app04 - template: - metadata: - labels: - app: my-app04 - spec: - containers: - - name: my-app04-deploy - image: ghcr.io/kyverno/test-busybox:1.35 diff --git a/other/create-default-pdb/.chainsaw-test/chainsaw-test.yaml b/other/create-default-pdb/.chainsaw-test/chainsaw-test.yaml index 87b9f99dd..e6f884cad 100755 --- a/other/create-default-pdb/.chainsaw-test/chainsaw-test.yaml +++ b/other/create-default-pdb/.chainsaw-test/chainsaw-test.yaml @@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: diff --git a/other/create-default-pdb/.chainsaw-test/deployment.yaml b/other/create-default-pdb/.chainsaw-test/deployment.yaml index d6872046d..2f3b38cca 100644 --- a/other/create-default-pdb/.chainsaw-test/deployment.yaml 
+++ b/other/create-default-pdb/.chainsaw-test/deployment.yaml @@ -17,6 +17,6 @@ spec: app: busybox spec: containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox resources: {} \ No newline at end of file diff --git a/other/create-default-pdb/.chainsaw-test/policy-ready.yaml b/other/create-default-pdb/.chainsaw-test/policy-ready.yaml index 0a9d8507c..55434454f 100644 --- a/other/create-default-pdb/.chainsaw-test/policy-ready.yaml +++ b/other/create-default-pdb/.chainsaw-test/policy-ready.yaml @@ -3,7 +3,4 @@ kind: ClusterPolicy metadata: name: create-default-pdb status: - conditions: - - reason: Succeeded - status: "True" - type: Ready + ready: true \ No newline at end of file diff --git a/other/create-pod-antiaffinity/.chainsaw-test/chainsaw-test.yaml b/other/create-pod-antiaffinity/.chainsaw-test/chainsaw-test.yaml index 9274244b3..14b048bca 100755 --- a/other/create-pod-antiaffinity/.chainsaw-test/chainsaw-test.yaml +++ b/other/create-pod-antiaffinity/.chainsaw-test/chainsaw-test.yaml @@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: diff --git a/other/create-pod-antiaffinity/.chainsaw-test/deployments.yaml b/other/create-pod-antiaffinity/.chainsaw-test/deployments.yaml index f593e7326..dd9607645 100644 --- a/other/create-pod-antiaffinity/.chainsaw-test/deployments.yaml +++ b/other/create-pod-antiaffinity/.chainsaw-test/deployments.yaml @@ -15,7 +15,7 @@ spec: app: busybox spec: containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox resources: {} --- @@ -36,7 +36,7 @@ spec: foo: bar spec: containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox resources: {} --- 
@@ -63,6 +63,6 @@ spec: podAffinityTerm: topologyKey: "kubernetes.io/something" containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox resources: {} \ No newline at end of file diff --git a/other/create-pod-antiaffinity/.chainsaw-test/not-patched-deploy02.yaml b/other/create-pod-antiaffinity/.chainsaw-test/not-patched-deploy02.yaml index a2adcfe73..035e63caf 100644 --- a/other/create-pod-antiaffinity/.chainsaw-test/not-patched-deploy02.yaml +++ b/other/create-pod-antiaffinity/.chainsaw-test/not-patched-deploy02.yaml @@ -27,6 +27,6 @@ spec: values: - busybox containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox resources: {} \ No newline at end of file diff --git a/other/create-pod-antiaffinity/.chainsaw-test/not-patched-deploy03.yaml b/other/create-pod-antiaffinity/.chainsaw-test/not-patched-deploy03.yaml index 25bcea0ad..7081b4478 100644 --- a/other/create-pod-antiaffinity/.chainsaw-test/not-patched-deploy03.yaml +++ b/other/create-pod-antiaffinity/.chainsaw-test/not-patched-deploy03.yaml @@ -27,6 +27,6 @@ spec: values: - busybox containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox resources: {} \ No newline at end of file diff --git a/other/create-pod-antiaffinity/.chainsaw-test/patched-deploy01.yaml b/other/create-pod-antiaffinity/.chainsaw-test/patched-deploy01.yaml index 53ea39d66..e058d5ea5 100644 --- a/other/create-pod-antiaffinity/.chainsaw-test/patched-deploy01.yaml +++ b/other/create-pod-antiaffinity/.chainsaw-test/patched-deploy01.yaml @@ -27,6 +27,6 @@ spec: values: - busybox containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox resources: {} \ No newline at end of file diff --git a/other/create-pod-antiaffinity/.chainsaw-test/policy-ready.yaml b/other/create-pod-antiaffinity/.chainsaw-test/policy-ready.yaml index 68c82d8fe..0d09b5584 100644 
--- a/other/create-pod-antiaffinity/.chainsaw-test/policy-ready.yaml +++ b/other/create-pod-antiaffinity/.chainsaw-test/policy-ready.yaml @@ -3,7 +3,4 @@ kind: ClusterPolicy metadata: name: insert-pod-antiaffinity status: - conditions: - - reason: Succeeded - status: "True" - type: Ready + ready: true \ No newline at end of file diff --git a/other/deny-commands-in-exec-probe/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other/deny-commands-in-exec-probe/.chainsaw-test/chainsaw-step-01-assert-1.yaml index d6eca0d4d..a95d54494 100755 --- a/other/deny-commands-in-exec-probe/.chainsaw-test/chainsaw-step-01-assert-1.yaml +++ b/other/deny-commands-in-exec-probe/.chainsaw-test/chainsaw-step-01-assert-1.yaml @@ -3,8 +3,4 @@ kind: ClusterPolicy metadata: name: deny-commands-in-exec-probe status: - conditions: - - reason: Succeeded - status: "True" - type: Ready - + ready: true diff --git a/other/deny-commands-in-exec-probe/.chainsaw-test/chainsaw-test.yaml b/other/deny-commands-in-exec-probe/.chainsaw-test/chainsaw-test.yaml index 28a952dab..ebc184fb4 100755 --- a/other/deny-commands-in-exec-probe/.chainsaw-test/chainsaw-test.yaml +++ b/other/deny-commands-in-exec-probe/.chainsaw-test/chainsaw-test.yaml @@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: @@ -8,16 +7,9 @@ spec: steps: - name: step-01 try: - - apply: - file: ../deny-commands-in-exec-probe.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: deny-commands-in-exec-probe - spec: - validationFailureAction: Enforce + - script: + content: | + sed 's/validationFailureAction: Audit/validationFailureAction: Enforce/' ../deny-commands-in-exec-probe.yaml | kubectl create -f - - assert: file: chainsaw-step-01-assert-1.yaml - name: step-02 
@@ -36,3 +28,10 @@ spec: - check: ($error != null): true file: podcontrollers-bad.yaml + - name: step-99 + try: + - delete: + ref: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: deny-commands-in-exec-probe diff --git a/other/deny-commands-in-exec-probe/.chainsaw-test/podcontrollers-bad.yaml b/other/deny-commands-in-exec-probe/.chainsaw-test/podcontrollers-bad.yaml index da23da6e9..1526c45a0 100644 --- a/other/deny-commands-in-exec-probe/.chainsaw-test/podcontrollers-bad.yaml +++ b/other/deny-commands-in-exec-probe/.chainsaw-test/podcontrollers-bad.yaml @@ -16,14 +16,14 @@ spec: app: busybox spec: containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox livenessProbe: exec: command: - ls periodSeconds: 10 - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox02 livenessProbe: exec: @@ -42,7 +42,7 @@ spec: template: spec: containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox livenessProbe: exec: @@ -50,7 +50,7 @@ spec: - echo - foo periodSeconds: 10 - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox02 livenessProbe: exec: diff --git a/other/deny-commands-in-exec-probe/.chainsaw-test/podcontrollers-good.yaml b/other/deny-commands-in-exec-probe/.chainsaw-test/podcontrollers-good.yaml index ef63becbe..e6ee813e1 100644 --- a/other/deny-commands-in-exec-probe/.chainsaw-test/podcontrollers-good.yaml +++ b/other/deny-commands-in-exec-probe/.chainsaw-test/podcontrollers-good.yaml @@ -16,7 +16,7 @@ spec: app: busybox spec: containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox livenessProbe: exec: @@ -24,7 +24,7 @@ spec: - echo - meow periodSeconds: 10 - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox02 livenessProbe: exec: 
@@ -43,7 +43,7 @@ spec: template: spec: containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox livenessProbe: exec: @@ -51,7 +51,7 @@ spec: - echo - meow periodSeconds: 10 - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox02 livenessProbe: exec: diff --git a/other/deny-commands-in-exec-probe/.chainsaw-test/pods-bad.yaml b/other/deny-commands-in-exec-probe/.chainsaw-test/pods-bad.yaml index 7e212b343..1b58ef909 100644 --- a/other/deny-commands-in-exec-probe/.chainsaw-test/pods-bad.yaml +++ b/other/deny-commands-in-exec-probe/.chainsaw-test/pods-bad.yaml @@ -4,14 +4,14 @@ metadata: name: badpod01 spec: containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox livenessProbe: exec: command: - ls periodSeconds: 10 - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox02 livenessProbe: exec: @@ -25,7 +25,7 @@ metadata: name: badpod02 spec: containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox livenessProbe: exec: @@ -40,9 +40,9 @@ metadata: name: badpod03 spec: containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox02 livenessProbe: exec: @@ -56,9 +56,9 @@ metadata: name: badpod04 spec: containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox02 livenessProbe: exec: @@ -75,9 +75,9 @@ metadata: name: badpod05 spec: containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox02 livenessProbe: exec: 
@@ -93,9 +93,9 @@ metadata: name: badpod06 spec: containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox02 livenessProbe: exec: diff --git a/other/deny-commands-in-exec-probe/.chainsaw-test/pods-good.yaml b/other/deny-commands-in-exec-probe/.chainsaw-test/pods-good.yaml index 73e835829..dc0c71226 100644 --- a/other/deny-commands-in-exec-probe/.chainsaw-test/pods-good.yaml +++ b/other/deny-commands-in-exec-probe/.chainsaw-test/pods-good.yaml @@ -4,7 +4,7 @@ metadata: name: goodpod01 spec: containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox livenessProbe: exec: @@ -12,7 +12,7 @@ spec: - echo - meow periodSeconds: 10 - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox02 livenessProbe: exec: @@ -26,7 +26,7 @@ metadata: name: goodpod02 spec: containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox livenessProbe: exec: @@ -40,9 +40,9 @@ metadata: name: goodpod03 spec: containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox02 --- apiVersion: v1 @@ -51,7 +51,7 @@ metadata: name: goodpod04 spec: containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox livenessProbe: grpc: diff --git a/other/deny-secret-service-account-token-type/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other/deny-secret-service-account-token-type/.chainsaw-test/chainsaw-step-01-assert-1.yaml index b1d0e5bda..20cbb81b1 100644 --- a/other/deny-secret-service-account-token-type/.chainsaw-test/chainsaw-step-01-assert-1.yaml +++ b/other/deny-secret-service-account-token-type/.chainsaw-test/chainsaw-step-01-assert-1.yaml 
@@ -3,7 +3,4 @@ kind: ClusterPolicy metadata: name: deny-secret-service-account-token-type status: - conditions: - - reason: Succeeded - status: "True" - type: Ready + ready: true \ No newline at end of file diff --git a/other/deny-secret-service-account-token-type/.chainsaw-test/chainsaw-test.yaml b/other/deny-secret-service-account-token-type/.chainsaw-test/chainsaw-test.yaml index 02a52cde3..bd34907a3 100644 --- a/other/deny-secret-service-account-token-type/.chainsaw-test/chainsaw-test.yaml +++ b/other/deny-secret-service-account-token-type/.chainsaw-test/chainsaw-test.yaml @@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: @@ -8,16 +7,9 @@ spec: steps: - name: step-01 try: - - apply: - file: ../deny-secret-service-account-token-type.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: deny-secret-service-account-token-type - spec: - validationFailureAction: Enforce + - script: + content: | + sed 's/validationFailureAction: Audit/validationFailureAction: Enforce/' ../deny-secret-service-account-token-type.yaml | kubectl create -f - - assert: file: chainsaw-step-01-assert-1.yaml - name: step-02 @@ -29,3 +21,10 @@ spec: - check: ($error != null): true file: bad-secret.yaml + - name: step-99 + try: + - delete: + ref: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: deny-secret-service-account-token-type \ No newline at end of file diff --git a/other/deny-secret-service-account-token-type/artifacthub-pkg.yaml b/other/deny-secret-service-account-token-type/artifacthub-pkg.yaml index ef11879ba..1cbd5e87b 100644 --- a/other/deny-secret-service-account-token-type/artifacthub-pkg.yaml +++ b/other/deny-secret-service-account-token-type/artifacthub-pkg.yaml 
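Review bot: `ready: true` confirms the policy was admitted but not that the sed substitution in step-01's script took effect; the policy is now created with `kubectl create` from text rewritten by `sed 's/validationFailureAction: Audit/validationFailureAction: Enforce/'`, so if the source file's spelling ever differs from that pattern the policy lands in Audit mode and the test only fails later at step-02 with a misleading "expected an error" message. Adding `spec:` / `  validationFailureAction: Enforce` to this assert file makes the failure land in step-01, where the cause is. The policy file's spec line is not part of this diff, so I cannot confirm the capitalised pattern matches it; the sibling tests in this commit match lowercase `audit`, which suggests the spelling across the sample policies is not uniform.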
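Review bot: The step-99 `delete` only runs when every earlier step passes, so a failure in step-02 leaves the ClusterPolicy created by the `kubectl create` script in step-01 behind, and the next run then fails at `kubectl create` with AlreadyExists before reaching the real assertions; the declarative `apply` this replaces was tracked and cleaned up by chainsaw itself, which a shell-created resource is not. As far as I recall chainsaw stops at the first failing step, so the delete belongs in a step-01 `finally` block (or an equivalent cleanup hook) rather than in a trailing step; worth confirming against the v1alpha1 schema the removed `yaml-language-server` comment used to point at. The same step-99 pattern appears in the chainsaw-test hunks for deny-commands-in-exec-probe, disallow-all-secrets, disallow-localhost-services and disallow-secrets-from-env-vars in this commit.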
@@ -26,5 +26,5 @@ readme: | annotations: kyverno/category: "Security" kyverno/kubernetesVersion: "1.27" - kyverno/subject: "Secret, ServiceAccount" -digest: 19a0b22cb870d6055ff3cd3e48a987ac1ef6f68ca773d840f4f7f606005859d9 + kyverno/subject: "Secret,ServiceAccount" +digest: 106c14ef2f33f3426e8bceaa47f696c7a9a10262955862f680497f3daa34c545 diff --git a/other/deny-secret-service-account-token-type/deny-secret-service-account-token-type.yaml b/other/deny-secret-service-account-token-type/deny-secret-service-account-token-type.yaml index 899f0aef0..69059b7be 100644 --- a/other/deny-secret-service-account-token-type/deny-secret-service-account-token-type.yaml +++ b/other/deny-secret-service-account-token-type/deny-secret-service-account-token-type.yaml @@ -8,7 +8,7 @@ metadata: kyverno.io/kubernetes-version: "1.27" kyverno.io/kyverno-version: 1.11.1 policies.kyverno.io/severity: medium - policies.kyverno.io/subject: Secret, ServiceAccount + policies.kyverno.io/subject: Secret policies.kyverno.io/description: >- Before version 1.24, Kubernetes automatically generated Secret-based tokens for ServiceAccounts. When creating a Secret, you can specify its type using the diff --git a/other/deployment-replicas-higher-than-pdb/.chainsaw-test/bad-pdb.yaml b/other/deployment-replicas-higher-than-pdb/.chainsaw-test/bad-pdb.yaml deleted file mode 100644 index b938459dd..000000000 --- a/other/deployment-replicas-higher-than-pdb/.chainsaw-test/bad-pdb.yaml +++ /dev/null @@ -1,30 +0,0 @@ -apiVersion: policy/v1 -kind: PodDisruptionBudget -metadata: - name: bad-pdb01 -spec: - minAvailable: 3 - selector: - matchLabels: - app: busybox ---- -apiVersion: policy/v1 -kind: PodDisruptionBudget -metadata: - name: bad-pdb02 -spec: - minAvailable: 4 - selector: - matchLabels: - app: busybox ---- -apiVersion: policy/v1 -kind: PodDisruptionBudget -metadata: - name: bad-pdb03 -spec: - minAvailable: 5 - selector: - matchLabels: - app: busybox ---- 
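Review bot: The `policies.kyverno.io/subject` annotation in the policy drops ServiceAccount and becomes `Secret`, while the artifacthub-pkg.yaml hunk just above keeps both as `kyverno/subject: "Secret,ServiceAccount"`, so the two metadata sources for the same policy now disagree. Judging by the description context (`When creating a Secret, you can specify its type ...`) the rule acts on Secrets, so `Secret` alone may be the intended value, in which case the artifacthub entry should follow — `kyverno/subject: "Secret"` — with the digest regenerated if it is derived from that file. Whichever is correct, the two should be changed together rather than in separate commits.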
diff --git a/other/deployment-replicas-higher-than-pdb/.chainsaw-test/chainsaw-test.yaml b/other/deployment-replicas-higher-than-pdb/.chainsaw-test/chainsaw-test.yaml deleted file mode 100644 index 4a0d8476d..000000000 --- a/other/deployment-replicas-higher-than-pdb/.chainsaw-test/chainsaw-test.yaml +++ /dev/null @@ -1,35 +0,0 @@ -apiVersion: chainsaw.kyverno.io/v1alpha1 -kind: Test -metadata: - name: deployment-replicas-higher-than-pdb -spec: - steps: - - name: 01 - Create policy and set to Enforce - try: - - apply: - file: ../deployment-replicas-higher-than-pdb.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: deployment-replicas-higher-than-pdb - spec: - validationFailureAction: Enforce - - assert: - file: policy-ready.yaml - - name: 02 - Create existing Deployments in cluster - try: - - apply: - file: existing-deployments.yaml - - name: 03 - Create good PDBs - try: - - apply: - file: good-pdb.yaml - - name: 04 - Create bad PDBs - try: - - apply: - file: bad-pdb.yaml - expect: - - check: - ($error != null): true diff --git a/other/deployment-replicas-higher-than-pdb/.chainsaw-test/existing-deployments.yaml b/other/deployment-replicas-higher-than-pdb/.chainsaw-test/existing-deployments.yaml deleted file mode 100644 index ffde14cf0..000000000 --- a/other/deployment-replicas-higher-than-pdb/.chainsaw-test/existing-deployments.yaml +++ /dev/null 
@@ -1,41 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: alpha-busybox - labels: - app: busybox -spec: - replicas: 3 - selector: - matchLabels: - app: busybox - template: - metadata: - labels: - app: busybox - spec: - containers: - - image: ghcr.io/kyverno/test-busybox:1.36 - name: busybox - command: ["sleep", "infinity"] ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: bravo-busybox - labels: - app: busybox -spec: - replicas: 5 - selector: - matchLabels: - app: busybox - template: - metadata: - labels: - app: busybox - spec: - containers: - - image: ghcr.io/kyverno/test-busybox:1.36 - name: busybox - command: ["sleep", "infinity"] diff --git a/other/deployment-replicas-higher-than-pdb/.chainsaw-test/good-pdb.yaml b/other/deployment-replicas-higher-than-pdb/.chainsaw-test/good-pdb.yaml deleted file mode 100644 index 2f7825777..000000000 --- a/other/deployment-replicas-higher-than-pdb/.chainsaw-test/good-pdb.yaml +++ /dev/null @@ -1,40 +0,0 @@ -apiVersion: policy/v1 -kind: PodDisruptionBudget -metadata: - name: good-pdb01 -spec: - minAvailable: 2 - selector: - matchLabels: - app: busybox ---- -apiVersion: policy/v1 -kind: PodDisruptionBudget -metadata: - name: good-pdb02 -spec: - minAvailable: 1 - selector: - matchLabels: - app: busybox ---- -apiVersion: policy/v1 -kind: PodDisruptionBudget -metadata: - name: good-pdb03 -spec: - minAvailable: 3 - selector: - matchLabels: - app: nginx ---- -apiVersion: policy/v1 -kind: PodDisruptionBudget -metadata: - name: good-pdb04 -spec: - maxUnavailable: 3 - selector: - matchLabels: - app: busybox ---- diff --git a/other/deployment-replicas-higher-than-pdb/.chainsaw-test/policy-ready.yaml b/other/deployment-replicas-higher-than-pdb/.chainsaw-test/policy-ready.yaml deleted file mode 100644 index a0ebe4fa9..000000000 --- a/other/deployment-replicas-higher-than-pdb/.chainsaw-test/policy-ready.yaml +++ /dev/null 
@@ -1,10 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: deployment-replicas-higher-than-pdb -status: - conditions: - - reason: Succeeded - status: "True" - type: Ready - diff --git a/other/deployment-replicas-higher-than-pdb/artifact-hub.yml b/other/deployment-replicas-higher-than-pdb/artifact-hub.yml deleted file mode 100644 index 37b6d061d..000000000 --- a/other/deployment-replicas-higher-than-pdb/artifact-hub.yml +++ /dev/null 
@@ -1,32 +0,0 @@ -name: deployment-replicas-higher-than-pdb -version: 1.0.0 -displayName: Ensure Deployment Replicas Higher Than PodDisruptionBudget -createdAt: "2024-03-03T15:03:00.000Z" -description: >- - PodDisruptionBudget resources are useful to ensuring minimum availability is maintained at all times. - Introducing a PDB where there are already matching Pod controllers may pose a problem if the author - is unaware of the existing replica count. This policy ensures that the minAvailable value is not - greater not equal to the replica count of any matching existing Deployment. If other Pod controllers - should also be included in this check, additional rules may be added to the policy which match those - controllers. -install: |- - ```shell - kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/deployment-replicas-higher-than-pdb/deployment-replicas-higher-than-pdb.yaml - ``` -keywords: - - kyverno - - Sample -readme: | - PodDisruptionBudget resources are useful to ensuring minimum availability is maintained at all times. - Introducing a PDB where there are already matching Pod controllers may pose a problem if the author - is unaware of the existing replica count. This policy ensures that the minAvailable value is not - greater not equal to the replica count of any matching existing Deployment. If other Pod controllers - should also be included in this check, additional rules may be added to the policy which match those - controllers. - - Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ -annotations: - kyverno/category: "Other" - kyverno/kubernetesVersion: "1.27" - kyverno/subject: "PodDisruptionBudget,Deployment" -digest: 7fd811298bcc37ca59a4e8e677c69fb4d91b52e68d99aa7cf5958ea82adeb698 
diff --git a/other/deployment-replicas-higher-than-pdb/deployment-replicas-higher-than-pdb.yaml b/other/deployment-replicas-higher-than-pdb/deployment-replicas-higher-than-pdb.yaml deleted file mode 100644 index 6e851b658..000000000 --- a/other/deployment-replicas-higher-than-pdb/deployment-replicas-higher-than-pdb.yaml +++ /dev/null 
@@ -1,57 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: deployment-replicas-higher-than-pdb - annotations: - policies.kyverno.io/title: Ensure Deployment Replicas Higher Than PodDisruptionBudget - policies.kyverno.io/category: Other - policies.kyverno.io/subject: PodDisruptionBudget, Deployment - kyverno.io/kyverno-version: 1.11.4 - kyverno.io/kubernetes-version: "1.27" - policies.kyverno.io/description: >- - PodDisruptionBudget resources are useful to ensuring minimum availability is maintained at all times. - Introducing a PDB where there are already matching Pod controllers may pose a problem if the author - is unaware of the existing replica count. This policy ensures that the minAvailable value is not - greater not equal to the replica count of any matching existing Deployment. If other Pod controllers - should also be included in this check, additional rules may be added to the policy which match those - controllers. -spec: - validationFailureAction: Audit - background: true - rules: - - name: deployment-replicas-greater-minAvailable - match: - any: - - resources: - kinds: - - PodDisruptionBudget - operations: - - CREATE - - UPDATE - context: - - name: deploymentreplicas - apiCall: - jmesPath: items[?label_match(`{{ request.object.spec.selector.matchLabels }}`, spec.template.metadata.labels)] || `[]` - urlPath: /apis/apps/v1/namespaces/{{request.namespace}}/deployments - preconditions: - all: - - key: '{{ regex_match(''^[0-9]+$'', ''{{ request.object.spec.minAvailable || ''''}}'') }}' - operator: Equals - value: true - - key: '{{ length(deploymentreplicas) }}' - operator: GreaterThan - value: 0 - validate: - message: >- - PodDisruption budget minAvailable ({{ request.object.spec.minAvailable }}) cannot be - greater than or equal to the replica count of any matching existing Deployment. - There are {{ length(deploymentreplicas) }} Deployments which match this labelSelector - having {{ deploymentreplicas[*].spec.replicas }} replicas. 
- foreach: - - list: deploymentreplicas - deny: - conditions: - all: - - key: "{{ request.object.spec.minAvailable }}" - operator: GreaterThanOrEquals - value: "{{ element.spec.replicas }}" diff --git a/other/disable-automountserviceaccounttoken/.chainsaw-test/chainsaw-test.yaml b/other/disable-automountserviceaccounttoken/.chainsaw-test/chainsaw-test.yaml index 60c5ffcf3..112b6d37d 100755 --- a/other/disable-automountserviceaccounttoken/.chainsaw-test/chainsaw-test.yaml +++ b/other/disable-automountserviceaccounttoken/.chainsaw-test/chainsaw-test.yaml @@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: diff --git a/other/disable-automountserviceaccounttoken/.chainsaw-test/policy-ready.yaml b/other/disable-automountserviceaccounttoken/.chainsaw-test/policy-ready.yaml index 4c6a057ee..0363819a2 100644 --- a/other/disable-automountserviceaccounttoken/.chainsaw-test/policy-ready.yaml +++ b/other/disable-automountserviceaccounttoken/.chainsaw-test/policy-ready.yaml @@ -3,7 +3,4 @@ kind: ClusterPolicy metadata: name: disable-automountserviceaccounttoken status: - conditions: - - reason: Succeeded - status: "True" - type: Ready + ready: true \ No newline at end of file diff --git a/other/disable-service-discovery/.chainsaw-test/chainsaw-test.yaml b/other/disable-service-discovery/.chainsaw-test/chainsaw-test.yaml index a2aff14b9..bfbdfaf54 100755 --- a/other/disable-service-discovery/.chainsaw-test/chainsaw-test.yaml +++ b/other/disable-service-discovery/.chainsaw-test/chainsaw-test.yaml @@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: 
diff --git a/other/disable-service-discovery/.chainsaw-test/podcontrollers-patched.yaml b/other/disable-service-discovery/.chainsaw-test/podcontrollers-patched.yaml index ce9332411..a92ae1287 100644 --- a/other/disable-service-discovery/.chainsaw-test/podcontrollers-patched.yaml +++ b/other/disable-service-discovery/.chainsaw-test/podcontrollers-patched.yaml @@ -18,7 +18,7 @@ spec: dnsPolicy: Default enableServiceLinks: false containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox --- apiVersion: batch/v1 @@ -34,6 +34,6 @@ spec: dnsPolicy: Default enableServiceLinks: false containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox restartPolicy: OnFailure \ No newline at end of file diff --git a/other/disable-service-discovery/.chainsaw-test/podcontrollers.yaml b/other/disable-service-discovery/.chainsaw-test/podcontrollers.yaml index ff5a77142..9878c3076 100644 --- a/other/disable-service-discovery/.chainsaw-test/podcontrollers.yaml +++ b/other/disable-service-discovery/.chainsaw-test/podcontrollers.yaml @@ -18,7 +18,7 @@ spec: dnsPolicy: None enableServiceLinks: true containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox --- apiVersion: batch/v1 @@ -32,6 +32,6 @@ spec: template: spec: containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox restartPolicy: OnFailure \ No newline at end of file diff --git a/other/disable-service-discovery/.chainsaw-test/pods-patched.yaml b/other/disable-service-discovery/.chainsaw-test/pods-patched.yaml index cb71fcb4a..ffe23041f 100644 --- a/other/disable-service-discovery/.chainsaw-test/pods-patched.yaml +++ b/other/disable-service-discovery/.chainsaw-test/pods-patched.yaml @@ -6,7 +6,7 @@ spec: dnsPolicy: Default enableServiceLinks: false containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox --- apiVersion: v1 
@@ -17,5 +17,5 @@ spec: dnsPolicy: Default enableServiceLinks: false containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox \ No newline at end of file diff --git a/other/disable-service-discovery/.chainsaw-test/pods.yaml b/other/disable-service-discovery/.chainsaw-test/pods.yaml index 3115caa25..084cb1eff 100644 --- a/other/disable-service-discovery/.chainsaw-test/pods.yaml +++ b/other/disable-service-discovery/.chainsaw-test/pods.yaml @@ -4,7 +4,7 @@ metadata: name: pod01 spec: containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox --- apiVersion: v1 @@ -15,5 +15,5 @@ spec: dnsPolicy: None enableServiceLinks: true containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox \ No newline at end of file diff --git a/other/disable-service-discovery/.chainsaw-test/policy-ready.yaml b/other/disable-service-discovery/.chainsaw-test/policy-ready.yaml index 7638bb1cd..33cc29f72 100644 --- a/other/disable-service-discovery/.chainsaw-test/policy-ready.yaml +++ b/other/disable-service-discovery/.chainsaw-test/policy-ready.yaml @@ -3,7 +3,4 @@ kind: ClusterPolicy metadata: name: disable-service-discovery status: - conditions: - - reason: Succeeded - status: "True" - type: Ready + ready: true \ No newline at end of file diff --git a/other/disallow-all-secrets/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other/disallow-all-secrets/.chainsaw-test/chainsaw-step-01-assert-1.yaml index 9806aed9b..1f88265d6 100755 --- a/other/disallow-all-secrets/.chainsaw-test/chainsaw-step-01-assert-1.yaml +++ b/other/disallow-all-secrets/.chainsaw-test/chainsaw-step-01-assert-1.yaml @@ -3,8 +3,4 @@ kind: ClusterPolicy metadata: name: no-secrets status: - conditions: - - reason: Succeeded - status: "True" - type: Ready - + ready: true 
diff --git a/other/disallow-all-secrets/.chainsaw-test/chainsaw-test.yaml b/other/disallow-all-secrets/.chainsaw-test/chainsaw-test.yaml index 5c33a2547..242c3357e 100755 --- a/other/disallow-all-secrets/.chainsaw-test/chainsaw-test.yaml +++ b/other/disallow-all-secrets/.chainsaw-test/chainsaw-test.yaml @@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: @@ -8,16 +7,9 @@ spec: steps: - name: step-01 try: - - apply: - file: ../disallow-all-secrets.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: no-secrets - spec: - validationFailureAction: Enforce + - script: + content: | + sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../disallow-all-secrets.yaml | kubectl create -f - - assert: file: chainsaw-step-01-assert-1.yaml - name: step-02 @@ -36,3 +28,10 @@ spec: - check: ($error != null): true file: podcontrollers-bad.yaml + - name: step-99 + try: + - delete: + ref: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: no-secrets diff --git a/other/disallow-all-secrets/.chainsaw-test/podcontrollers-bad.yaml b/other/disallow-all-secrets/.chainsaw-test/podcontrollers-bad.yaml index c882c0d28..eacd6b86e 100644 --- a/other/disallow-all-secrets/.chainsaw-test/podcontrollers-bad.yaml +++ b/other/disallow-all-secrets/.chainsaw-test/podcontrollers-bad.yaml @@ -16,7 +16,7 @@ spec: app: busybox spec: initContainers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox02-init env: - name: SECRET_BAD @@ -24,13 +24,13 @@ spec: secretKeyRef: name: foo key: pass - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox-init env: - name: foo value: bar containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox env: - name: SECRET_BAD 
@@ -38,7 +38,7 @@ spec: secretKeyRef: name: foo key: pass - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox02 --- apiVersion: apps/v1 @@ -59,20 +59,20 @@ spec: app: busybox spec: initContainers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox02-init - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox-init envFrom: - secretRef: name: foo containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox envFrom: - secretRef: name: foo - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox02 --- apiVersion: apps/v1 @@ -93,9 +93,9 @@ spec: app: busybox spec: containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox02 volumes: - name: foo-vol @@ -113,7 +113,7 @@ spec: template: spec: initContainers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox02-init env: - name: SECRET_BAD @@ -121,13 +121,13 @@ spec: secretKeyRef: name: foo key: pass - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox-init env: - name: foo value: bar containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox env: - name: SECRET_BAD @@ -135,7 +135,7 @@ spec: secretKeyRef: name: foo key: pass - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox02 restartPolicy: OnFailure --- 
@@ -150,20 +150,20 @@ spec: template: spec: initContainers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox02-init - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox-init envFrom: - secretRef: name: foo containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox envFrom: - secretRef: name: foo - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox02 restartPolicy: OnFailure --- @@ -178,9 +178,9 @@ spec: template: spec: containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox02 volumes: - name: foo-vol diff --git a/other/disallow-all-secrets/.chainsaw-test/podcontrollers-good.yaml b/other/disallow-all-secrets/.chainsaw-test/podcontrollers-good.yaml index 47e2b1c11..093487967 100644 --- a/other/disallow-all-secrets/.chainsaw-test/podcontrollers-good.yaml +++ b/other/disallow-all-secrets/.chainsaw-test/podcontrollers-good.yaml @@ -16,22 +16,22 @@ spec: app: busybox spec: initContainers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox02-init - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox-init env: - name: foo value: bar containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox env: - name: NODE_NAME valueFrom: fieldRef: fieldPath: spec.nodeName - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox02 --- apiVersion: apps/v1 
@@ -52,20 +52,20 @@ spec: app: busybox spec: initContainers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox02-init - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox-init envFrom: - configMapRef: name: foo-bar containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox envFrom: - configMapRef: name: foo-bar - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox02 --- apiVersion: apps/v1 @@ -86,9 +86,9 @@ spec: app: busybox spec: containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox02 volumes: - name: foo-vol @@ -106,22 +106,22 @@ spec: template: spec: initContainers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox02-init - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox-init env: - name: foo value: bar containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox env: - name: NODE_NAME valueFrom: fieldRef: fieldPath: spec.nodeName - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox02 restartPolicy: OnFailure --- @@ -136,20 +136,20 @@ spec: template: spec: initContainers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox02-init - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox-init envFrom: - configMapRef: name: foo-bar containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox envFrom: - configMapRef: name: foo-bar - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox02 restartPolicy: OnFailure --- 
@@ -164,9 +164,9 @@ spec: template: spec: containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox02 volumes: - name: foo-vol diff --git a/other/disallow-all-secrets/.chainsaw-test/pods-bad.yaml b/other/disallow-all-secrets/.chainsaw-test/pods-bad.yaml index b87746e69..a82e4e342 100644 --- a/other/disallow-all-secrets/.chainsaw-test/pods-bad.yaml +++ b/other/disallow-all-secrets/.chainsaw-test/pods-bad.yaml @@ -4,7 +4,7 @@ metadata: name: badpod01 spec: initContainers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox02-init env: - name: SECRET_BAD @@ -12,13 +12,13 @@ spec: secretKeyRef: name: foo key: pass - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox-init env: - name: foo value: bar containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox env: - name: SECRET_BAD @@ -26,7 +26,7 @@ spec: secretKeyRef: name: foo key: pass - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox02 --- apiVersion: v1 @@ -35,20 +35,20 @@ metadata: name: badpod02 spec: initContainers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox02-init - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox-init envFrom: - secretRef: name: foo containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox envFrom: - secretRef: name: foo - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox02 --- apiVersion: v1 @@ -57,9 +57,9 @@ metadata: name: badpod03 spec: containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox02 volumes: - name: foo-vol 
@@ -72,9 +72,9 @@ metadata: name: badpod04 spec: initContainers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox02-init - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox-init env: - name: SECRET_BAD @@ -83,12 +83,12 @@ spec: name: foo key: pass containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox envFrom: - secretRef: name: foo - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox02 volumes: - name: foo-vol diff --git a/other/disallow-all-secrets/.chainsaw-test/pods-good.yaml b/other/disallow-all-secrets/.chainsaw-test/pods-good.yaml index 2209cb7ef..cb3bb22ee 100644 --- a/other/disallow-all-secrets/.chainsaw-test/pods-good.yaml +++ b/other/disallow-all-secrets/.chainsaw-test/pods-good.yaml @@ -4,22 +4,22 @@ metadata: name: goodpod01 spec: initContainers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox02-init - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox-init env: - name: foo value: bar containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox env: - name: NODE_NAME valueFrom: fieldRef: fieldPath: spec.nodeName - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox02 --- apiVersion: v1 @@ -28,9 +28,9 @@ metadata: name: goodpod02 spec: containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox-init - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox02-init --- apiVersion: v1 
@@ -39,20 +39,20 @@ metadata: name: goodpod03 spec: initContainers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox02-init - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox-init envFrom: - configMapRef: name: foo-bar containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox envFrom: - configMapRef: name: foo-bar - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox02 --- apiVersion: v1 @@ -61,9 +61,9 @@ metadata: name: goodpod04 spec: containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox02 volumes: - name: foo-vol diff --git a/other/disallow-all-secrets/artifacthub-pkg.yml b/other/disallow-all-secrets/artifacthub-pkg.yml index 9b1d73952..92ff32dd3 100644 --- a/other/disallow-all-secrets/artifacthub-pkg.yml +++ b/other/disallow-all-secrets/artifacthub-pkg.yml @@ -19,4 +19,4 @@ annotations: kyverno/category: "Other" kyverno/kubernetesVersion: "1.21" kyverno/subject: "Pod, Secret" -digest: 35c5d565e47b3d1b10670b2fea89b7918918317f63e83e8cff8abf4b500631ea +digest: db6b8711b4b551144ef86db8345468058c21b7355f3acd3116981a87a1d8827b diff --git a/other/disallow-all-secrets/disallow-all-secrets.yaml b/other/disallow-all-secrets/disallow-all-secrets.yaml index b97719384..a7a7bfd43 100644 --- a/other/disallow-all-secrets/disallow-all-secrets.yaml +++ b/other/disallow-all-secrets/disallow-all-secrets.yaml @@ -16,7 +16,7 @@ metadata: this Policy needs a separate Policy or rule to require `automountServiceAccountToken=false` at the Pod level or ServiceAccount level since this would otherwise result in a Secret being mounted. spec: - validationFailureAction: Audit + validationFailureAction: audit rules: - name: secrets-not-from-env match: 
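Review bot: `validationFailureAction: audit` lowercases the value to match the `sed 's/validationFailureAction: audit/.../'` in the rewritten chainsaw-test.yaml, which ties the published policy's spelling to a test implementation detail; `Audit`/`Enforce` are the forms Kyverno documents (lowercase is, as far as I recall, accepted only for backwards compatibility), and elsewhere in this same diff the deleted deployment-replicas-higher-than-pdb policy and the deny-secret-service-account-token-type sed pattern still use `Audit`. Keeping `Audit` here and making the test tolerant instead — `sed 's/validationFailureAction: [Aa]udit/validationFailureAction: Enforce/'` — keeps the sample canonical and stops the test from breaking the next time someone normalises the spelling. The same lowercase change appears in the disallow-localhost-services policy hunk in the next file section.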
diff --git a/other/disallow-localhost-services/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other/disallow-localhost-services/.chainsaw-test/chainsaw-step-01-assert-1.yaml index 675fb79d1..730a95d13 100755 --- a/other/disallow-localhost-services/.chainsaw-test/chainsaw-step-01-assert-1.yaml +++ b/other/disallow-localhost-services/.chainsaw-test/chainsaw-step-01-assert-1.yaml @@ -3,8 +3,4 @@ kind: ClusterPolicy metadata: name: no-localhost-service status: - conditions: - - reason: Succeeded - status: "True" - type: Ready - + ready: true diff --git a/other/disallow-localhost-services/.chainsaw-test/chainsaw-test.yaml b/other/disallow-localhost-services/.chainsaw-test/chainsaw-test.yaml index 75151179b..9cf7d3b01 100755 --- a/other/disallow-localhost-services/.chainsaw-test/chainsaw-test.yaml +++ b/other/disallow-localhost-services/.chainsaw-test/chainsaw-test.yaml @@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: @@ -8,16 +7,9 @@ spec: steps: - name: step-01 try: - - apply: - file: ../disallow-localhost-services.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: no-localhost-service - spec: - validationFailureAction: Enforce + - script: + content: | + sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../disallow-localhost-services.yaml | kubectl create -f - - assert: file: chainsaw-step-01-assert-1.yaml - name: step-02 @@ -29,3 +21,10 @@ spec: - check: ($error != null): true file: svc-bad.yaml + - name: step-99 + try: + - delete: + ref: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: no-localhost-service diff --git a/other/disallow-localhost-services/artifacthub-pkg.yml b/other/disallow-localhost-services/artifacthub-pkg.yml index 84223473d..8ea37925d 100644 --- a/other/disallow-localhost-services/artifacthub-pkg.yml 
+++ b/other/disallow-localhost-services/artifacthub-pkg.yml @@ -18,4 +18,4 @@ readme: | annotations: kyverno/category: "Sample" kyverno/subject: "Service" -digest: 73309c6f3693203f750b1404b69c7961304108ca7897c5ffacd1b38fb5229a78 +digest: f1cec7ef44c6b12a7cac8c077c2ddcbc4ef6bb2dd0945444de21052e00521d59 diff --git a/other/disallow-localhost-services/disallow-localhost-services.yaml b/other/disallow-localhost-services/disallow-localhost-services.yaml index 6fb9d84ca..0c5123980 100644 --- a/other/disallow-localhost-services/disallow-localhost-services.yaml +++ b/other/disallow-localhost-services/disallow-localhost-services.yaml @@ -13,7 +13,7 @@ metadata: vulnerabilities in some Ingress controllers. This policy audits Services of type ExternalName if the externalName field refers to localhost. spec: - validationFailureAction: Audit + validationFailureAction: audit background: true rules: - name: no-localhost-service diff --git a/other/disallow-secrets-from-env-vars/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other/disallow-secrets-from-env-vars/.chainsaw-test/chainsaw-step-01-assert-1.yaml index 899cbe9e3..f8d45db5d 100755 --- a/other/disallow-secrets-from-env-vars/.chainsaw-test/chainsaw-step-01-assert-1.yaml +++ b/other/disallow-secrets-from-env-vars/.chainsaw-test/chainsaw-step-01-assert-1.yaml @@ -3,8 +3,4 @@ kind: ClusterPolicy metadata: name: secrets-not-from-env-vars status: - conditions: - - reason: Succeeded - status: "True" - type: Ready - + ready: true diff --git a/other/disallow-secrets-from-env-vars/.chainsaw-test/chainsaw-test.yaml b/other/disallow-secrets-from-env-vars/.chainsaw-test/chainsaw-test.yaml index 500d54752..60540e2c9 100755 --- a/other/disallow-secrets-from-env-vars/.chainsaw-test/chainsaw-test.yaml +++ b/other/disallow-secrets-from-env-vars/.chainsaw-test/chainsaw-test.yaml 
@@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: @@ -8,16 +7,9 @@ spec: steps: - name: step-01 try: - - apply: - file: ../disallow-secrets-from-env-vars.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: secrets-not-from-env-vars - spec: - validationFailureAction: Enforce + - script: + content: | + sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../disallow-secrets-from-env-vars.yaml | kubectl create -f - - assert: file: chainsaw-step-01-assert-1.yaml - name: step-02 @@ -36,3 +28,10 @@ spec: - check: ($error != null): true file: podcontrollers-bad.yaml + - name: step-99 + try: + - delete: + ref: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: secrets-not-from-env-vars diff --git a/other/disallow-secrets-from-env-vars/.chainsaw-test/podcontrollers-bad.yaml b/other/disallow-secrets-from-env-vars/.chainsaw-test/podcontrollers-bad.yaml index 2cd73ad4d..b624674c3 100644 --- a/other/disallow-secrets-from-env-vars/.chainsaw-test/podcontrollers-bad.yaml +++ b/other/disallow-secrets-from-env-vars/.chainsaw-test/podcontrollers-bad.yaml @@ -16,7 +16,7 @@ spec: app: busybox spec: containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox env: - name: SECRET_BAD @@ -24,7 +24,7 @@ spec: secretKeyRef: name: foo key: pass - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox02 env: - name: foo @@ -48,12 +48,12 @@ spec: app: busybox spec: containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox envFrom: - secretRef: name: foo - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox02 --- apiVersion: batch/v1 
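Review bot: `busybox:1.35` in podcontrollers-bad.yaml is an unqualified image reference, so the registry it resolves to is decided by the container runtime (typically Docker Hub, with its anonymous pull rate limits), whereas the previous `ghcr.io/kyverno/test-busybox:1.35` named its registry explicitly; both are mutable tags, but the new form additionally leaves the source implicit. For the fixtures that chainsaw actually admits and schedules (the "good" manifests at least), pulls can start failing under rate limiting and the tested image can change underneath the suite; `docker.io/library/busybox:1.35` or, better, a digest-pinned reference such as `busybox:1.35@sha256:<DIGEST-PLACEHOLDER>` avoids both. This applies to every `image:` hunk in this diff (the pods*/podcontrollers* files under disallow-secrets-from-env-vars, dns-policy-and-dns-config, docker-socket-requires-label, enforce-pod-duration and enforce-resources-as-ratio).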
@@ -67,7 +67,7 @@ spec: template: spec: containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox env: - name: SECRET_BAD @@ -75,7 +75,7 @@ spec: secretKeyRef: name: foo key: pass - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox02 env: - name: foo @@ -93,11 +93,11 @@ spec: template: spec: containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox envFrom: - secretRef: name: foo - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox02 restartPolicy: OnFailures \ No newline at end of file diff --git a/other/disallow-secrets-from-env-vars/.chainsaw-test/podcontrollers-good.yaml b/other/disallow-secrets-from-env-vars/.chainsaw-test/podcontrollers-good.yaml index 193b1cc61..4c20ae23e 100644 --- a/other/disallow-secrets-from-env-vars/.chainsaw-test/podcontrollers-good.yaml +++ b/other/disallow-secrets-from-env-vars/.chainsaw-test/podcontrollers-good.yaml @@ -16,14 +16,14 @@ spec: app: busybox spec: containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox env: - name: NODE_NAME valueFrom: fieldRef: fieldPath: spec.nodeName - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox02 --- apiVersion: apps/v1 @@ -44,12 +44,12 @@ spec: app: busybox spec: containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox envFrom: - configMapRef: name: foo-bar - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox02 --- apiVersion: batch/v1 @@ -63,14 +63,14 @@ spec: template: spec: containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox env: - name: NODE_NAME valueFrom: fieldRef: fieldPath: spec.nodeName - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox02 restartPolicy: OnFailure --- 
@@ -85,11 +85,11 @@ spec: template: spec: containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox envFrom: - configMapRef: name: foo-bar - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox02 restartPolicy: OnFailure \ No newline at end of file diff --git a/other/disallow-secrets-from-env-vars/.chainsaw-test/pods-bad.yaml b/other/disallow-secrets-from-env-vars/.chainsaw-test/pods-bad.yaml index 88c89d23f..f4c4db620 100644 --- a/other/disallow-secrets-from-env-vars/.chainsaw-test/pods-bad.yaml +++ b/other/disallow-secrets-from-env-vars/.chainsaw-test/pods-bad.yaml @@ -4,7 +4,7 @@ metadata: name: badpod01 spec: containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox env: - name: SECRET_BAD @@ -12,7 +12,7 @@ spec: secretKeyRef: name: foo key: pass - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox02 --- apiVersion: v1 @@ -21,9 +21,9 @@ metadata: name: badpod02 spec: containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox02 envFrom: - secretRef: @@ -35,12 +35,12 @@ metadata: name: badpod03 spec: containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox envFrom: - secretRef: name: foo - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox02 env: - name: SECRET_BAD diff --git a/other/disallow-secrets-from-env-vars/.chainsaw-test/pods-good.yaml b/other/disallow-secrets-from-env-vars/.chainsaw-test/pods-good.yaml index 699fe1113..c6573bf3f 100644 --- a/other/disallow-secrets-from-env-vars/.chainsaw-test/pods-good.yaml +++ b/other/disallow-secrets-from-env-vars/.chainsaw-test/pods-good.yaml 
@@ -4,14 +4,14 @@ metadata: name: goodpod01 spec: containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox env: - name: NODE_NAME valueFrom: fieldRef: fieldPath: spec.nodeName - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox02 --- apiVersion: v1 @@ -20,9 +20,9 @@ metadata: name: goodpod02 spec: containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox-init - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox02-init --- apiVersion: v1 @@ -31,10 +31,10 @@ metadata: name: goodpod03 spec: containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox envFrom: - configMapRef: name: foo-bar - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox02 \ No newline at end of file diff --git a/other/disallow-secrets-from-env-vars/artifacthub-pkg.yml b/other/disallow-secrets-from-env-vars/artifacthub-pkg.yml index 0c45e0efb..2e3ea7a57 100644 --- a/other/disallow-secrets-from-env-vars/artifacthub-pkg.yml +++ b/other/disallow-secrets-from-env-vars/artifacthub-pkg.yml @@ -20,4 +20,4 @@ annotations: kyverno/category: "Sample, EKS Best Practices" kyverno/kubernetesVersion: "null" kyverno/subject: "Pod, Secret" -digest: c8f741860d0bd62d7cccd5dd02d176dfaa40a82105b73bf4c6e5cf453de7cc2a +digest: 79f059e745a1bd214bb91455e985bbb474f4b40590e871b6babaf60a9672b3c9 diff --git a/other/disallow-secrets-from-env-vars/disallow-secrets-from-env-vars.yaml b/other/disallow-secrets-from-env-vars/disallow-secrets-from-env-vars.yaml index 305ae54eb..afc2c6b95 100644 --- a/other/disallow-secrets-from-env-vars/disallow-secrets-from-env-vars.yaml +++ b/other/disallow-secrets-from-env-vars/disallow-secrets-from-env-vars.yaml 
@@ -13,7 +13,7 @@ metadata: be printed in log output which could be visible to unauthorized people and captured in forwarding applications. This policy disallows using Secrets as environment variables. spec: - validationFailureAction: Audit + validationFailureAction: audit background: true rules: - name: secrets-not-from-env-vars diff --git a/other/dns-policy-and-dns-config/.chainsaw-test/chainsaw-test.yaml b/other/dns-policy-and-dns-config/.chainsaw-test/chainsaw-test.yaml index bae28440b..bbf6901b1 100755 --- a/other/dns-policy-and-dns-config/.chainsaw-test/chainsaw-test.yaml +++ b/other/dns-policy-and-dns-config/.chainsaw-test/chainsaw-test.yaml @@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: diff --git a/other/dns-policy-and-dns-config/.chainsaw-test/podcontrollers-patched.yaml b/other/dns-policy-and-dns-config/.chainsaw-test/podcontrollers-patched.yaml index ef754c6e0..2b0a5cddd 100644 --- a/other/dns-policy-and-dns-config/.chainsaw-test/podcontrollers-patched.yaml +++ b/other/dns-policy-and-dns-config/.chainsaw-test/podcontrollers-patched.yaml @@ -31,7 +31,7 @@ spec: - svc.kind - dns-polconfig-ns.svc.kind containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox --- apiVersion: batch/v1 @@ -60,6 +60,6 @@ spec: - svc.kind - dns-polconfig-ns.svc.kind containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox restartPolicy: OnFailure \ No newline at end of file diff --git a/other/dns-policy-and-dns-config/.chainsaw-test/podcontrollers.yaml b/other/dns-policy-and-dns-config/.chainsaw-test/podcontrollers.yaml index 61f804130..ce683c4be 100644 --- a/other/dns-policy-and-dns-config/.chainsaw-test/podcontrollers.yaml +++ b/other/dns-policy-and-dns-config/.chainsaw-test/podcontrollers.yaml 
@@ -18,7 +18,7 @@ spec: spec: dnsPolicy: ClusterFirstWithHostNet containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox --- apiVersion: batch/v1 @@ -34,6 +34,6 @@ spec: spec: dnsPolicy: ClusterFirst containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox restartPolicy: OnFailure \ No newline at end of file diff --git a/other/dns-policy-and-dns-config/.chainsaw-test/pods-not-patched.yaml b/other/dns-policy-and-dns-config/.chainsaw-test/pods-not-patched.yaml index 269408283..ce9eb01e9 100644 --- a/other/dns-policy-and-dns-config/.chainsaw-test/pods-not-patched.yaml +++ b/other/dns-policy-and-dns-config/.chainsaw-test/pods-not-patched.yaml @@ -19,5 +19,5 @@ spec: - svc.kind - dns-polconfig-ns.svc.kind containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox \ No newline at end of file diff --git a/other/dns-policy-and-dns-config/.chainsaw-test/pods-patched.yaml b/other/dns-policy-and-dns-config/.chainsaw-test/pods-patched.yaml index 889a6e02c..da21e2839 100644 --- a/other/dns-policy-and-dns-config/.chainsaw-test/pods-patched.yaml +++ b/other/dns-policy-and-dns-config/.chainsaw-test/pods-patched.yaml @@ -19,7 +19,7 @@ spec: - svc.kind - dns-polconfig-ns.svc.kind containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox --- apiVersion: v1 @@ -43,7 +43,7 @@ spec: - svc.kind - dns-polconfig-ns.svc.kind containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox --- apiVersion: v1 @@ -67,7 +67,7 @@ spec: - svc.kind - dns-polconfig-ns.svc.kind containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox --- apiVersion: v1 @@ -91,5 +91,5 @@ spec: - svc.kind - dns-polconfig-ns.svc.kind containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox \ No newline at end of file 
diff --git a/other/dns-policy-and-dns-config/.chainsaw-test/pods.yaml b/other/dns-policy-and-dns-config/.chainsaw-test/pods.yaml index ea18c5bc9..bb83def9a 100644 --- a/other/dns-policy-and-dns-config/.chainsaw-test/pods.yaml +++ b/other/dns-policy-and-dns-config/.chainsaw-test/pods.yaml @@ -5,7 +5,7 @@ metadata: namespace: dns-polconfig-ns spec: containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox --- apiVersion: v1 @@ -15,7 +15,7 @@ metadata: namespace: dns-polconfig-ns spec: containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox dnsPolicy: None dnsConfig: @@ -29,7 +29,7 @@ metadata: namespace: dns-polconfig-ns spec: containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox dnsPolicy: ClusterFirst --- @@ -40,7 +40,7 @@ metadata: namespace: dns-polconfig-ns spec: containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox dnsPolicy: ClusterFirstWithHostNet --- @@ -51,6 +51,6 @@ metadata: namespace: dns-polconfig-ns spec: containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox dnsPolicy: Default \ No newline at end of file diff --git a/other/dns-policy-and-dns-config/.chainsaw-test/policy-ready.yaml b/other/dns-policy-and-dns-config/.chainsaw-test/policy-ready.yaml index 1e00f064d..8f8760ec9 100644 --- a/other/dns-policy-and-dns-config/.chainsaw-test/policy-ready.yaml +++ b/other/dns-policy-and-dns-config/.chainsaw-test/policy-ready.yaml @@ -3,7 +3,4 @@ kind: ClusterPolicy metadata: name: change-dns-config-policy status: - conditions: - - reason: Succeeded - status: "True" - type: Ready + ready: true \ No newline at end of file diff --git a/other/docker-socket-requires-label/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other/docker-socket-requires-label/.chainsaw-test/chainsaw-step-01-assert-1.yaml index 0fcc00e65..e73d54241 100755 
--- a/other/docker-socket-requires-label/.chainsaw-test/chainsaw-step-01-assert-1.yaml +++ b/other/docker-socket-requires-label/.chainsaw-test/chainsaw-step-01-assert-1.yaml @@ -3,8 +3,4 @@ kind: ClusterPolicy metadata: name: docker-socket-check status: - conditions: - - reason: Succeeded - status: "True" - type: Ready - + ready: true diff --git a/other/docker-socket-requires-label/.chainsaw-test/chainsaw-test.yaml b/other/docker-socket-requires-label/.chainsaw-test/chainsaw-test.yaml index 583b43711..9ddeeacd7 100755 --- a/other/docker-socket-requires-label/.chainsaw-test/chainsaw-test.yaml +++ b/other/docker-socket-requires-label/.chainsaw-test/chainsaw-test.yaml @@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: @@ -8,16 +7,9 @@ spec: steps: - name: step-01 try: - - apply: - file: ../docker-socket-requires-label.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: docker-socket-check - spec: - validationFailureAction: Enforce + - script: + content: | + sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../docker-socket-requires-label.yaml | kubectl create -f - - assert: file: chainsaw-step-01-assert-1.yaml - name: step-02 @@ -36,3 +28,10 @@ spec: - check: ($error != null): true file: podcontrollers-bad.yaml + - name: step-99 + try: + - delete: + ref: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: docker-socket-check diff --git a/other/docker-socket-requires-label/.chainsaw-test/podcontrollers-bad.yaml b/other/docker-socket-requires-label/.chainsaw-test/podcontrollers-bad.yaml index f0033745a..43d50e08b 100644 --- a/other/docker-socket-requires-label/.chainsaw-test/podcontrollers-bad.yaml +++ b/other/docker-socket-requires-label/.chainsaw-test/podcontrollers-bad.yaml 
@@ -17,7 +17,7 @@ spec: app: busybox spec: containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox volumes: - name: docker-vol @@ -42,7 +42,7 @@ spec: app: busybox spec: containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox volumes: - name: docker-vol @@ -64,7 +64,7 @@ spec: app: busybox spec: containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox volumes: - name: docker-vol @@ -86,7 +86,7 @@ spec: app: busybox spec: containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox volumes: - name: docker-vol diff --git a/other/docker-socket-requires-label/.chainsaw-test/podcontrollers-good.yaml b/other/docker-socket-requires-label/.chainsaw-test/podcontrollers-good.yaml index 359d9528d..a0275658f 100644 --- a/other/docker-socket-requires-label/.chainsaw-test/podcontrollers-good.yaml +++ b/other/docker-socket-requires-label/.chainsaw-test/podcontrollers-good.yaml @@ -17,7 +17,7 @@ spec: app: busybox spec: containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox volumes: - name: docker-vol @@ -43,7 +43,7 @@ spec: app: busybox spec: containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox volumes: - name: foo-vol @@ -65,7 +65,7 @@ spec: app: busybox spec: containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox volumes: - name: docker-vol @@ -88,7 +88,7 @@ spec: app: busybox spec: containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox volumes: - name: foo-vol diff --git a/other/docker-socket-requires-label/.chainsaw-test/pods-bad.yaml b/other/docker-socket-requires-label/.chainsaw-test/pods-bad.yaml index 1d78f08b6..c44eeaa2a 100644 --- a/other/docker-socket-requires-label/.chainsaw-test/pods-bad.yaml +++ b/other/docker-socket-requires-label/.chainsaw-test/pods-bad.yaml 
@@ -4,7 +4,7 @@ metadata: name: badpod01 spec: containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox volumes: - name: docker-vol @@ -20,7 +20,7 @@ metadata: name: badpod02 spec: containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox volumes: - name: foo-vol diff --git a/other/docker-socket-requires-label/.chainsaw-test/pods-good.yaml b/other/docker-socket-requires-label/.chainsaw-test/pods-good.yaml index 2f095abe4..1860c831f 100644 --- a/other/docker-socket-requires-label/.chainsaw-test/pods-good.yaml +++ b/other/docker-socket-requires-label/.chainsaw-test/pods-good.yaml @@ -4,7 +4,7 @@ metadata: name: goodpod01 spec: containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox --- apiVersion: v1 @@ -16,7 +16,7 @@ metadata: name: goodpod02 spec: containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox --- apiVersion: v1 @@ -28,7 +28,7 @@ metadata: name: goodpod03 spec: containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox volumes: - name: foo-vol @@ -44,7 +44,7 @@ metadata: name: goodpod04 spec: containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox volumes: - name: foo-vol diff --git a/other/docker-socket-requires-label/artifacthub-pkg.yml b/other/docker-socket-requires-label/artifacthub-pkg.yml index aaf075e44..d31b5d4c3 100644 --- a/other/docker-socket-requires-label/artifacthub-pkg.yml +++ b/other/docker-socket-requires-label/artifacthub-pkg.yml @@ -19,4 +19,4 @@ annotations: kyverno/category: "Other" kyverno/kubernetesVersion: "1.23" kyverno/subject: "Pod" -digest: e40e1d10d01009280c7fd2d9aa5164470b57f9513ae3fe33d56d0d814dc8e35b +digest: 58e37e4980fab8a47f937fffe55803136c1c5f8083ea33dd4915a6fc4c1d69de 
diff --git a/other/docker-socket-requires-label/docker-socket-requires-label.yaml b/other/docker-socket-requires-label/docker-socket-requires-label.yaml index 70396b5ee..8760b1138 100644 --- a/other/docker-socket-requires-label/docker-socket-requires-label.yaml +++ b/other/docker-socket-requires-label/docker-socket-requires-label.yaml @@ -15,7 +15,7 @@ metadata: requires that, for any Pod mounting the Docker socket, it must have the label `allow-docker` set to `true`. spec: - validationFailureAction: Audit + validationFailureAction: audit background: true rules: - name: conditional-anchor-dockersock diff --git a/other/enforce-pod-duration/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other/enforce-pod-duration/.chainsaw-test/chainsaw-step-01-assert-1.yaml index 6ec2cfb1f..b53713baf 100755 --- a/other/enforce-pod-duration/.chainsaw-test/chainsaw-step-01-assert-1.yaml +++ b/other/enforce-pod-duration/.chainsaw-test/chainsaw-step-01-assert-1.yaml @@ -3,8 +3,4 @@ kind: ClusterPolicy metadata: name: pod-lifetime status: - conditions: - - reason: Succeeded - status: "True" - type: Ready - + ready: true diff --git a/other/enforce-pod-duration/.chainsaw-test/chainsaw-test.yaml b/other/enforce-pod-duration/.chainsaw-test/chainsaw-test.yaml index 76632597a..6e299c914 100755 --- a/other/enforce-pod-duration/.chainsaw-test/chainsaw-test.yaml +++ b/other/enforce-pod-duration/.chainsaw-test/chainsaw-test.yaml @@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: 
@@ -8,16 +7,9 @@ spec: steps: - name: step-01 try: - - apply: - file: ../enforce-pod-duration.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: pod-lifetime - spec: - validationFailureAction: Enforce + - script: + content: | + sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../enforce-pod-duration.yaml | kubectl create -f - - assert: file: chainsaw-step-01-assert-1.yaml - name: step-02 @@ -36,3 +28,10 @@ spec: - check: ($error != null): true file: podcontrollers-bad.yaml + - name: step-99 + try: + - delete: + ref: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: pod-lifetime diff --git a/other/enforce-pod-duration/.chainsaw-test/podcontrollers-bad.yaml b/other/enforce-pod-duration/.chainsaw-test/podcontrollers-bad.yaml index e0cd0b51d..2456f925f 100644 --- a/other/enforce-pod-duration/.chainsaw-test/podcontrollers-bad.yaml +++ b/other/enforce-pod-duration/.chainsaw-test/podcontrollers-bad.yaml @@ -18,7 +18,7 @@ spec: app: busybox spec: containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox --- apiVersion: batch/v1 @@ -37,6 +37,6 @@ spec: app: busybox spec: containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox restartPolicy: OnFailure \ No newline at end of file diff --git a/other/enforce-pod-duration/.chainsaw-test/podcontrollers-good.yaml b/other/enforce-pod-duration/.chainsaw-test/podcontrollers-good.yaml index b21d3b1c7..49f7d105c 100644 --- a/other/enforce-pod-duration/.chainsaw-test/podcontrollers-good.yaml +++ b/other/enforce-pod-duration/.chainsaw-test/podcontrollers-good.yaml @@ -16,7 +16,7 @@ spec: app: busybox spec: containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox --- apiVersion: apps/v1 @@ -39,7 +39,7 @@ spec: app: busybox spec: containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox --- apiVersion: batch/v1 
@@ -56,7 +56,7 @@ spec: app: busybox spec: containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox restartPolicy: OnFailure --- @@ -76,6 +76,6 @@ spec: app: busybox spec: containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox restartPolicy: OnFailure \ No newline at end of file diff --git a/other/enforce-pod-duration/.chainsaw-test/pods-bad.yaml b/other/enforce-pod-duration/.chainsaw-test/pods-bad.yaml index 74dfc404a..e12fe5b2f 100644 --- a/other/enforce-pod-duration/.chainsaw-test/pods-bad.yaml +++ b/other/enforce-pod-duration/.chainsaw-test/pods-bad.yaml @@ -7,7 +7,7 @@ metadata: name: badpod01 spec: containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox --- apiVersion: v1 @@ -19,5 +19,5 @@ metadata: name: badpod02 spec: containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox \ No newline at end of file diff --git a/other/enforce-pod-duration/.chainsaw-test/pods-good.yaml b/other/enforce-pod-duration/.chainsaw-test/pods-good.yaml index add0bfc94..72af42c34 100644 --- a/other/enforce-pod-duration/.chainsaw-test/pods-good.yaml +++ b/other/enforce-pod-duration/.chainsaw-test/pods-good.yaml @@ -4,7 +4,7 @@ metadata: name: goodpod01 spec: containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox --- apiVersion: v1 @@ -15,7 +15,7 @@ metadata: name: goodpod02 spec: containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox --- apiVersion: v1 @@ -27,7 +27,7 @@ metadata: name: goodpod03 spec: containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox --- apiVersion: v1 @@ -39,5 +39,5 @@ metadata: name: goodpod04 spec: containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox \ No newline at end of file 
diff --git a/other/enforce-pod-duration/artifacthub-pkg.yml b/other/enforce-pod-duration/artifacthub-pkg.yml index 52811d040..38454c1d0 100644 --- a/other/enforce-pod-duration/artifacthub-pkg.yml +++ b/other/enforce-pod-duration/artifacthub-pkg.yml @@ -18,4 +18,4 @@ readme: | annotations: kyverno/category: "Sample" kyverno/subject: "Pod" -digest: 4e35f745fe654bc488191a537f1c15a226b3cc940baf8b2e29b925d70e4a1bea +digest: 3ded11cc52869141f7db7d402e6ead5965aa36fb1a16aedb0f71e4b7204adb72 diff --git a/other/enforce-pod-duration/enforce-pod-duration.yaml b/other/enforce-pod-duration/enforce-pod-duration.yaml index b417a57d5..4ebb7e859 100644 --- a/other/enforce-pod-duration/enforce-pod-duration.yaml +++ b/other/enforce-pod-duration/enforce-pod-duration.yaml @@ -12,7 +12,7 @@ metadata: such as to ensure a Pod lifetime annotation does not exceed some site specific max threshold. Pod lifetime annotation can be no greater than 8 hours. spec: - validationFailureAction: Audit + validationFailureAction: audit background: true rules: - name: pods-lifetime diff --git a/other/enforce-resources-as-ratio/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other/enforce-resources-as-ratio/.chainsaw-test/chainsaw-step-01-assert-1.yaml index dab21a517..47804a262 100755 --- a/other/enforce-resources-as-ratio/.chainsaw-test/chainsaw-step-01-assert-1.yaml +++ b/other/enforce-resources-as-ratio/.chainsaw-test/chainsaw-step-01-assert-1.yaml @@ -3,8 +3,4 @@ kind: ClusterPolicy metadata: name: enforce-resources-as-ratio status: - conditions: - - reason: Succeeded - status: "True" - type: Ready - + ready: true diff --git a/other/enforce-resources-as-ratio/.chainsaw-test/chainsaw-test.yaml b/other/enforce-resources-as-ratio/.chainsaw-test/chainsaw-test.yaml index 809df318e..1f9fd92c6 100755 --- a/other/enforce-resources-as-ratio/.chainsaw-test/chainsaw-test.yaml +++ b/other/enforce-resources-as-ratio/.chainsaw-test/chainsaw-test.yaml 
@@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: @@ -8,16 +7,9 @@ spec: steps: - name: step-01 try: - - apply: - file: ../enforce-resources-as-ratio.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: enforce-resources-as-ratio - spec: - validationFailureAction: Enforce + - script: + content: | + sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../enforce-resources-as-ratio.yaml | kubectl create -f - - assert: file: chainsaw-step-01-assert-1.yaml - name: step-02 @@ -36,3 +28,10 @@ spec: - check: ($error != null): true file: podcontrollers-bad.yaml + - name: step-99 + try: + - delete: + ref: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: enforce-resources-as-ratio diff --git a/other/enforce-resources-as-ratio/.chainsaw-test/podcontrollers-bad.yaml b/other/enforce-resources-as-ratio/.chainsaw-test/podcontrollers-bad.yaml index e2f36d145..fa4a20153 100644 --- a/other/enforce-resources-as-ratio/.chainsaw-test/podcontrollers-bad.yaml +++ b/other/enforce-resources-as-ratio/.chainsaw-test/podcontrollers-bad.yaml @@ -16,9 +16,9 @@ spec: app: busybox spec: containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox02 resources: requests: @@ -40,9 +40,9 @@ spec: app: busybox spec: containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox02 resources: requests: diff --git a/other/enforce-resources-as-ratio/.chainsaw-test/podcontrollers-good.yaml b/other/enforce-resources-as-ratio/.chainsaw-test/podcontrollers-good.yaml index 0ed516b55..4193f1be2 100644 
--- a/other/enforce-resources-as-ratio/.chainsaw-test/podcontrollers-good.yaml +++ b/other/enforce-resources-as-ratio/.chainsaw-test/podcontrollers-good.yaml @@ -16,9 +16,9 @@ spec: app: busybox spec: containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox02 resources: requests: @@ -44,14 +44,14 @@ spec: app: busybox spec: containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox resources: requests: memory: "100Mi" limits: memory: "250Mi" - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox02 --- apiVersion: batch/v1 @@ -68,9 +68,9 @@ spec: app: busybox spec: containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox02 resources: requests: @@ -93,13 +93,13 @@ spec: app: busybox spec: containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox resources: requests: memory: "100Mi" limits: memory: "250Mi" - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox02 restartPolicy: OnFailure \ No newline at end of file diff --git a/other/enforce-resources-as-ratio/.chainsaw-test/pods-bad.yaml b/other/enforce-resources-as-ratio/.chainsaw-test/pods-bad.yaml index 447f3e0c7..0ca256fe3 100644 --- a/other/enforce-resources-as-ratio/.chainsaw-test/pods-bad.yaml +++ b/other/enforce-resources-as-ratio/.chainsaw-test/pods-bad.yaml @@ -4,9 +4,9 @@ metadata: name: badpod01 spec: containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox02 resources: requests: 
@@ -20,12 +20,12 @@ metadata: name: badpod02 spec: containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox resources: requests: memory: "100Mi" limits: memory: "300Mi" - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox02 \ No newline at end of file diff --git a/other/enforce-resources-as-ratio/.chainsaw-test/pods-good.yaml b/other/enforce-resources-as-ratio/.chainsaw-test/pods-good.yaml index c3c675aa1..f5b190b7e 100644 --- a/other/enforce-resources-as-ratio/.chainsaw-test/pods-good.yaml +++ b/other/enforce-resources-as-ratio/.chainsaw-test/pods-good.yaml @@ -4,9 +4,9 @@ metadata: name: goodpod01 spec: containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox02 resources: requests: @@ -20,14 +20,14 @@ metadata: name: goodpod02 spec: containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox resources: requests: memory: "100Mi" limits: memory: "250Mi" - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox02 --- apiVersion: v1 @@ -36,7 +36,7 @@ metadata: name: goodpod03 spec: containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox02 \ No newline at end of file diff --git a/other/enforce-resources-as-ratio/artifacthub-pkg.yml b/other/enforce-resources-as-ratio/artifacthub-pkg.yml index 1c7b334ed..d39c3251f 100644 --- a/other/enforce-resources-as-ratio/artifacthub-pkg.yml +++ b/other/enforce-resources-as-ratio/artifacthub-pkg.yml @@ -19,4 +19,4 @@ annotations: kyverno/category: "Other" kyverno/kubernetesVersion: "1.23" kyverno/subject: "Pod" -digest: ef6e514b17ab853cb0d2b135aad3cef1619abd08d5bd52def17fa55252e3d91e +digest: cf12c44542d243f69c182ef98ea13d14cf1761268193410cfbac79408c3c060e 
diff --git a/other/enforce-resources-as-ratio/enforce-resources-as-ratio.yaml b/other/enforce-resources-as-ratio/enforce-resources-as-ratio.yaml index 2ff7f4b33..5acc54620 100644 --- a/other/enforce-resources-as-ratio/enforce-resources-as-ratio.yaml +++ b/other/enforce-resources-as-ratio/enforce-resources-as-ratio.yaml @@ -16,7 +16,7 @@ metadata: or limits may not work and a ratio may be better suited instead. This policy checks every container in a Pod and ensures that memory limits are no more than 2.5x its requests. spec: - validationFailureAction: Audit + validationFailureAction: audit rules: - name: check-memory-requests-limits match: diff --git a/other/ensure-probes-different/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other/ensure-probes-different/.chainsaw-test/chainsaw-step-01-assert-1.yaml index 9013e5de2..1f660a84a 100755 --- a/other/ensure-probes-different/.chainsaw-test/chainsaw-step-01-assert-1.yaml +++ b/other/ensure-probes-different/.chainsaw-test/chainsaw-step-01-assert-1.yaml @@ -3,8 +3,4 @@ kind: ClusterPolicy metadata: name: validate-probes status: - conditions: - - reason: Succeeded - status: "True" - type: Ready - + ready: true diff --git a/other/ensure-probes-different/.chainsaw-test/chainsaw-test.yaml b/other/ensure-probes-different/.chainsaw-test/chainsaw-test.yaml index f40140320..f5a245ca2 100755 --- a/other/ensure-probes-different/.chainsaw-test/chainsaw-test.yaml +++ b/other/ensure-probes-different/.chainsaw-test/chainsaw-test.yaml @@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: 
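Review bot: The rewritten chainsaw-step-01-assert-1.yaml for ensure-probes-different now checks only `status.ready: true`, while the removed lines also required the `Ready` condition to carry `reason: Succeeded` and `status: "True"`. If the targeted Kyverno release populates both fields, the condition form is the more specific readiness gate, and to my knowledge the boolean is the field Kyverno's API marks as the older of the two — worth confirming against the pinned Kyverno version before dropping the condition assert. The same reduction appears in the other status-assert hunks in this diff (policy-ready.yaml for ensure-production-matches-staging and generate-networkpolicy-existing, and chainsaw-step-01-assert-1.yaml for ensure-readonly-hostpath, exclude-namespaces-dynamically and forbid-cpu-limits).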
@@ -10,16 +9,9 @@ spec: try: - apply: file: ns.yaml - - apply: - file: ../ensure-probes-different.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: validate-probes - spec: - validationFailureAction: Enforce + - script: + content: | + sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../ensure-probes-different.yaml | kubectl create -f - - assert: file: chainsaw-step-01-assert-1.yaml - name: step-02 @@ -33,5 +25,18 @@ spec: file: podcontrollers-bad.yaml - name: step-99 try: - - script: - content: kubectl delete all --all --force --grace-period=0 -n ensure-probes-different-ns + - delete: + ref: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: validate-probes + - command: + args: + - delete + - all + - --all + - --force + - --grace-period=0 + - -n + - ensure-probes-different-ns + entrypoint: kubectl diff --git a/other/ensure-probes-different/.chainsaw-test/podcontrollers-bad.yaml b/other/ensure-probes-different/.chainsaw-test/podcontrollers-bad.yaml index b6b6e6d0d..b050a0094 100644 --- a/other/ensure-probes-different/.chainsaw-test/podcontrollers-bad.yaml +++ b/other/ensure-probes-different/.chainsaw-test/podcontrollers-bad.yaml @@ -17,7 +17,7 @@ spec: app: busybox spec: containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox livenessProbe: exec: @@ -28,7 +28,7 @@ spec: readinessProbe: tcpSocket: port: 8080 - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox02 command: ["sleep","300"] livenessProbe: @@ -59,7 +59,7 @@ spec: name: busybox spec: containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox command: ["sleep","300"] livenessProbe: @@ -70,7 +70,7 @@ spec: tcpSocket: port: 8080 periodSeconds: 10 - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox02 livenessProbe: exec: 
@@ -100,7 +100,7 @@ spec: spec: terminationGracePeriodSeconds: 5 containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox02 command: ["sleep","300"] livenessProbe: diff --git a/other/ensure-probes-different/.chainsaw-test/podcontrollers-good.yaml b/other/ensure-probes-different/.chainsaw-test/podcontrollers-good.yaml index 0479b2c10..c3f04c511 100644 --- a/other/ensure-probes-different/.chainsaw-test/podcontrollers-good.yaml +++ b/other/ensure-probes-different/.chainsaw-test/podcontrollers-good.yaml @@ -17,7 +17,7 @@ spec: app: busybox spec: containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox command: ["sleep","300"] readinessProbe: @@ -26,7 +26,7 @@ spec: - cat - /tmp/healthy periodSeconds: 10 - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox02 command: ["sleep","300"] livenessProbe: @@ -55,7 +55,7 @@ spec: name: busybox spec: containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox command: ["sleep","300"] readinessProbe: @@ -64,7 +64,7 @@ spec: - cat - /tmp/healthy periodSeconds: 10 - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox02 command: ["sleep","300"] livenessProbe: @@ -92,13 +92,13 @@ spec: spec: terminationGracePeriodSeconds: 5 containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox livenessProbe: tcpSocket: port: 8080 periodSeconds: 10 - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox02 command: ["sleep","300"] livenessProbe: diff --git a/other/ensure-probes-different/artifacthub-pkg.yml b/other/ensure-probes-different/artifacthub-pkg.yml index 669661d7a..933c9aafb 100644 --- a/other/ensure-probes-different/artifacthub-pkg.yml +++ b/other/ensure-probes-different/artifacthub-pkg.yml 
@@ -18,4 +18,4 @@ readme: | annotations: kyverno/category: "Sample" kyverno/subject: "Pod" -digest: bc56d80f1a162d2f11decd05fa8dd1d1ef5f2b3b353b7673ea58d59ef46d95ab +digest: 66d9c3579b90c7f462e4f87f848527f3b2860c29b4572aa81dffaa01817814aa diff --git a/other/ensure-probes-different/ensure-probes-different.yaml b/other/ensure-probes-different/ensure-probes-different.yaml index 920106c43..a1e31fce8 100644 --- a/other/ensure-probes-different/ensure-probes-different.yaml +++ b/other/ensure-probes-different/ensure-probes-different.yaml @@ -15,7 +15,7 @@ metadata: checks that liveness and readiness probes are not equal. Keep in mind that if both the probes are not set, they are considered to be equal and hence fails the check. spec: - validationFailureAction: Audit + validationFailureAction: audit background: false rules: - name: validate-probes diff --git a/other/ensure-production-matches-staging/.chainsaw-test/chainsaw-test.yaml b/other/ensure-production-matches-staging/.chainsaw-test/chainsaw-test.yaml index 1da9b2478..36a7e7bd1 100755 --- a/other/ensure-production-matches-staging/.chainsaw-test/chainsaw-test.yaml +++ b/other/ensure-production-matches-staging/.chainsaw-test/chainsaw-test.yaml @@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: diff --git a/other/ensure-production-matches-staging/.chainsaw-test/deploy-bad-image.yaml b/other/ensure-production-matches-staging/.chainsaw-test/deploy-bad-image.yaml index b5448a7f8..d034c7356 100644 --- a/other/ensure-production-matches-staging/.chainsaw-test/deploy-bad-image.yaml +++ b/other/ensure-production-matches-staging/.chainsaw-test/deploy-bad-image.yaml 
@@ -17,9 +17,9 @@ spec: app: busybox spec: containers: - - image: ghcr.io/kyverno/test-busybox:1.28 + - image: busybox:1.28 name: busybox command: ["sleep","3600"] - - image: ghcr.io/kyverno/test-nginx:1.28 + - image: nginx:1.28 name: busybox02 command: ["sleep","3600"] \ No newline at end of file diff --git a/other/ensure-production-matches-staging/.chainsaw-test/deploy-bad-imversion.yaml b/other/ensure-production-matches-staging/.chainsaw-test/deploy-bad-imversion.yaml index 726e4beff..03404b435 100644 --- a/other/ensure-production-matches-staging/.chainsaw-test/deploy-bad-imversion.yaml +++ b/other/ensure-production-matches-staging/.chainsaw-test/deploy-bad-imversion.yaml @@ -17,9 +17,9 @@ spec: app: busybox spec: containers: - - image: ghcr.io/kyverno/test-busybox:1.28 + - image: busybox:1.28 name: busybox command: ["sleep","3600"] - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox02 command: ["sleep","3600"] \ No newline at end of file diff --git a/other/ensure-production-matches-staging/.chainsaw-test/deploy-bad-name.yaml b/other/ensure-production-matches-staging/.chainsaw-test/deploy-bad-name.yaml index 090cdb2dd..8c34d76eb 100644 --- a/other/ensure-production-matches-staging/.chainsaw-test/deploy-bad-name.yaml +++ b/other/ensure-production-matches-staging/.chainsaw-test/deploy-bad-name.yaml @@ -17,9 +17,9 @@ spec: app: busybox spec: containers: - - image: ghcr.io/kyverno/test-busybox:1.28 + - image: busybox:1.28 name: busybox command: ["sleep","3600"] - - image: ghcr.io/kyverno/test-busybox:1.28 + - image: busybox:1.28 name: busybox02 command: ["sleep","3600"] \ No newline at end of file diff --git a/other/ensure-production-matches-staging/.chainsaw-test/deploy-good.yaml b/other/ensure-production-matches-staging/.chainsaw-test/deploy-good.yaml index c0fd922f2..1b302fa25 100644 --- a/other/ensure-production-matches-staging/.chainsaw-test/deploy-good.yaml 
+++ b/other/ensure-production-matches-staging/.chainsaw-test/deploy-good.yaml @@ -17,10 +17,10 @@ spec: app: busybox spec: containers: - - image: ghcr.io/kyverno/test-busybox:1.28 + - image: busybox:1.28 name: busybox command: ["sleep","3600"] - - image: ghcr.io/kyverno/test-busybox:1.28 + - image: busybox:1.28 name: busybox02 command: ["sleep","3600"] --- @@ -42,9 +42,9 @@ spec: app: busybox spec: containers: - - image: ghcr.io/kyverno/test-busybox:1.28 + - image: busybox:1.28 name: busybox command: ["sleep","3600"] - - image: ghcr.io/kyverno/test-busybox:1.28 + - image: busybox:1.28 name: busybox02 command: ["sleep","3600"] \ No newline at end of file diff --git a/other/ensure-production-matches-staging/.chainsaw-test/deployments.yaml b/other/ensure-production-matches-staging/.chainsaw-test/deployments.yaml index 750c57d1f..72df29d52 100644 --- a/other/ensure-production-matches-staging/.chainsaw-test/deployments.yaml +++ b/other/ensure-production-matches-staging/.chainsaw-test/deployments.yaml @@ -17,9 +17,9 @@ spec: app: busybox spec: containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox command: ["sleep","3600"] - - image: ghcr.io/kyverno/test-busybox:1.28 + - image: busybox:1.28 name: busybox02 command: ["sleep","3600"] \ No newline at end of file diff --git a/other/ensure-production-matches-staging/.chainsaw-test/policy-ready.yaml b/other/ensure-production-matches-staging/.chainsaw-test/policy-ready.yaml index 5f960e0dd..8a8fceb5d 100644 --- a/other/ensure-production-matches-staging/.chainsaw-test/policy-ready.yaml +++ b/other/ensure-production-matches-staging/.chainsaw-test/policy-ready.yaml @@ -3,7 +3,4 @@ kind: ClusterPolicy metadata: name: ensure-production-matches-staging status: - conditions: - - reason: Succeeded - status: "True" - type: Ready + ready: true \ No newline at end of file 
diff --git a/other/ensure-production-matches-staging/artifacthub-pkg.yml b/other/ensure-production-matches-staging/artifacthub-pkg.yml index a48970acf..80669b81d 100644 --- a/other/ensure-production-matches-staging/artifacthub-pkg.yml +++ b/other/ensure-production-matches-staging/artifacthub-pkg.yml @@ -19,4 +19,4 @@ annotations: kyverno/category: "Other" kyverno/kubernetesVersion: "1.23" kyverno/subject: "Deployment" -digest: c1423e28522dc4bc67269ed0021a6012066e66c779fd6ec850663edc06175106 +digest: 4cb78d7f4e637e0222481cf1cfe6f0d165bf2ed836f30dd778400716953332e0 diff --git a/other/ensure-production-matches-staging/ensure-production-matches-staging.yaml b/other/ensure-production-matches-staging/ensure-production-matches-staging.yaml index 57b4549a7..af70ce4da 100644 --- a/other/ensure-production-matches-staging/ensure-production-matches-staging.yaml +++ b/other/ensure-production-matches-staging/ensure-production-matches-staging.yaml @@ -19,7 +19,7 @@ metadata: that a production Deployment uses same image name as its staging counterpart. Third, that a production Deployment uses an older or equal image version as its staging counterpart. spec: - validationFailureAction: Enforce + validationFailureAction: enforce background: true rules: ####################### diff --git a/other/ensure-readonly-hostpath/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other/ensure-readonly-hostpath/.chainsaw-test/chainsaw-step-01-assert-1.yaml index fdc2f51a7..9668eb938 100755 --- a/other/ensure-readonly-hostpath/.chainsaw-test/chainsaw-step-01-assert-1.yaml +++ b/other/ensure-readonly-hostpath/.chainsaw-test/chainsaw-step-01-assert-1.yaml @@ -3,8 +3,4 @@ kind: ClusterPolicy metadata: name: ensure-readonly-hostpath status: - conditions: - - reason: Succeeded - status: "True" - type: Ready - + ready: true diff --git a/other/ensure-readonly-hostpath/.chainsaw-test/chainsaw-test.yaml b/other/ensure-readonly-hostpath/.chainsaw-test/chainsaw-test.yaml index 5fe35235e..f6456022d 100755 
--- a/other/ensure-readonly-hostpath/.chainsaw-test/chainsaw-test.yaml +++ b/other/ensure-readonly-hostpath/.chainsaw-test/chainsaw-test.yaml @@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: @@ -8,16 +7,9 @@ spec: steps: - name: step-01 try: - - apply: - file: ../ensure-readonly-hostpath.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: ensure-readonly-hostpath - spec: - validationFailureAction: Enforce + - script: + content: | + sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../ensure-readonly-hostpath.yaml | kubectl create -f - - assert: file: chainsaw-step-01-assert-1.yaml - name: step-02 @@ -63,3 +55,10 @@ spec: - check: ($error != null): true file: podcontrollers-bad.yaml + - name: step-99 + try: + - delete: + ref: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: ensure-readonly-hostpath diff --git a/other/ensure-readonly-hostpath/.chainsaw-test/podcontrollers-bad.yaml b/other/ensure-readonly-hostpath/.chainsaw-test/podcontrollers-bad.yaml index dcdc4db2f..be0eb2e1f 100644 --- a/other/ensure-readonly-hostpath/.chainsaw-test/podcontrollers-bad.yaml +++ b/other/ensure-readonly-hostpath/.chainsaw-test/podcontrollers-bad.yaml @@ -17,7 +17,7 @@ spec: spec: initContainers: - name: busybox-init - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 volumeMounts: - mountPath: /some/dir name: foo @@ -27,7 +27,7 @@ spec: readOnly: false containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 volumeMounts: - mountPath: /some/dir name: foo @@ -52,7 +52,7 @@ spec: spec: initContainers: - name: busybox-init - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 volumeMounts: - mountPath: /some/dir name: foo 
@@ -62,7 +62,7 @@ spec: readOnly: false containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 volumeMounts: - mountPath: /some/dir name: foo diff --git a/other/ensure-readonly-hostpath/.chainsaw-test/podcontrollers-good.yaml b/other/ensure-readonly-hostpath/.chainsaw-test/podcontrollers-good.yaml index 6dd0a61a9..ca7f558d4 100644 --- a/other/ensure-readonly-hostpath/.chainsaw-test/podcontrollers-good.yaml +++ b/other/ensure-readonly-hostpath/.chainsaw-test/podcontrollers-good.yaml @@ -17,7 +17,7 @@ spec: spec: initContainers: - name: busybox-init - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 volumeMounts: - mountPath: /some/dir name: foo @@ -27,7 +27,7 @@ spec: readOnly: true containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 volumeMounts: - mountPath: /some/dir name: foo @@ -52,7 +52,7 @@ spec: spec: initContainers: - name: busybox-init - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 volumeMounts: - mountPath: /some/dir name: foo @@ -62,7 +62,7 @@ spec: readOnly: true containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 volumeMounts: - mountPath: /some/dir name: foo diff --git a/other/ensure-readonly-hostpath/.chainsaw-test/pods-bad.yaml b/other/ensure-readonly-hostpath/.chainsaw-test/pods-bad.yaml index 098219015..9430edd30 100644 --- a/other/ensure-readonly-hostpath/.chainsaw-test/pods-bad.yaml +++ b/other/ensure-readonly-hostpath/.chainsaw-test/pods-bad.yaml @@ -5,7 +5,7 @@ metadata: spec: initContainers: - name: busybox-init - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 volumeMounts: - mountPath: /some/dir name: foo @@ -15,7 +15,7 @@ spec: readOnly: false containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 volumeMounts: - mountPath: /some/dir name: foo 
diff --git a/other/ensure-readonly-hostpath/.chainsaw-test/pods-good.yaml b/other/ensure-readonly-hostpath/.chainsaw-test/pods-good.yaml index ca5ccf2da..584c6ce57 100644 --- a/other/ensure-readonly-hostpath/.chainsaw-test/pods-good.yaml +++ b/other/ensure-readonly-hostpath/.chainsaw-test/pods-good.yaml @@ -5,7 +5,7 @@ metadata: spec: initContainers: - name: busybox-init - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 volumeMounts: - mountPath: /some/dir name: foo @@ -15,7 +15,7 @@ spec: readOnly: true containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 volumeMounts: - mountPath: /some/dir name: foo diff --git a/other/ensure-readonly-hostpath/artifacthub-pkg.yml b/other/ensure-readonly-hostpath/artifacthub-pkg.yml index afedd2a09..c4f72ff42 100644 --- a/other/ensure-readonly-hostpath/artifacthub-pkg.yml +++ b/other/ensure-readonly-hostpath/artifacthub-pkg.yml @@ -19,4 +19,4 @@ annotations: kyverno/category: "Other" kyverno/kubernetesVersion: "1.23" kyverno/subject: "Pod" -digest: 52ca1a643fa89897e705f538f3596746bec87e87944029462efc04f82b8c4d3c +digest: f0e22c25527bc05172373d719f5ffd924c155c68edf62a6ff2650633e1ce2f2b diff --git a/other/ensure-readonly-hostpath/ensure-readonly-hostpath.yaml b/other/ensure-readonly-hostpath/ensure-readonly-hostpath.yaml index d98a13a5e..cc1e68891 100644 --- a/other/ensure-readonly-hostpath/ensure-readonly-hostpath.yaml +++ b/other/ensure-readonly-hostpath/ensure-readonly-hostpath.yaml @@ -19,7 +19,7 @@ metadata: explicitly mounted in readOnly mode. spec: background: false - validationFailureAction: Audit + validationFailureAction: audit rules: - name: ensure-hostpaths-readonly match: diff --git a/other/exclude-namespaces-dynamically/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other/exclude-namespaces-dynamically/.chainsaw-test/chainsaw-step-01-assert-1.yaml index d5c98b767..451f8163f 100755 
--- a/other/exclude-namespaces-dynamically/.chainsaw-test/chainsaw-step-01-assert-1.yaml +++ b/other/exclude-namespaces-dynamically/.chainsaw-test/chainsaw-step-01-assert-1.yaml @@ -3,8 +3,4 @@ kind: ClusterPolicy metadata: name: exclude-namespaces-example status: - conditions: - - reason: Succeeded - status: "True" - type: Ready - + ready: true diff --git a/other/exclude-namespaces-dynamically/.chainsaw-test/chainsaw-test.yaml b/other/exclude-namespaces-dynamically/.chainsaw-test/chainsaw-test.yaml index 642e6e17b..81853179b 100755 --- a/other/exclude-namespaces-dynamically/.chainsaw-test/chainsaw-test.yaml +++ b/other/exclude-namespaces-dynamically/.chainsaw-test/chainsaw-test.yaml @@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: @@ -12,16 +11,9 @@ spec: file: cm.yaml - apply: file: ns.yaml - - apply: - file: ../exclude-namespaces-dynamically.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: exclude-namespaces-example - spec: - validationFailureAction: Enforce + - script: + content: | + sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../exclude-namespaces-dynamically.yaml | kubectl create -f - - assert: file: chainsaw-step-01-assert-1.yaml - name: step-02 @@ -40,3 +32,10 @@ spec: - check: ($error != null): true file: podcontroller-bad.yaml + - name: step-99 + try: + - delete: + ref: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: exclude-namespaces-example diff --git a/other/exclude-namespaces-dynamically/.chainsaw-test/pod-bad.yaml b/other/exclude-namespaces-dynamically/.chainsaw-test/pod-bad.yaml index 66aef86b3..78823c79e 100644 --- a/other/exclude-namespaces-dynamically/.chainsaw-test/pod-bad.yaml +++ b/other/exclude-namespaces-dynamically/.chainsaw-test/pod-bad.yaml 
@@ -5,7 +5,7 @@ metadata: spec: containers: - name: pod01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod @@ -15,7 +15,7 @@ metadata: spec: containers: - name: pod01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod @@ -26,4 +26,4 @@ metadata: spec: containers: - name: pod01 - image: ghcr.io/kyverno/test-busybox:1.35 \ No newline at end of file + image: busybox:1.35 \ No newline at end of file diff --git a/other/exclude-namespaces-dynamically/.chainsaw-test/pod-good.yaml b/other/exclude-namespaces-dynamically/.chainsaw-test/pod-good.yaml index c178e57d9..e546e8044 100644 --- a/other/exclude-namespaces-dynamically/.chainsaw-test/pod-good.yaml +++ b/other/exclude-namespaces-dynamically/.chainsaw-test/pod-good.yaml @@ -6,7 +6,7 @@ metadata: spec: containers: - name: pod01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod @@ -16,7 +16,7 @@ metadata: spec: containers: - name: pod01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod @@ -28,7 +28,7 @@ metadata: spec: containers: - name: pod01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod @@ -40,4 +40,4 @@ metadata: spec: containers: - name: pod01 - image: ghcr.io/kyverno/test-busybox:1.35 \ No newline at end of file + image: busybox:1.35 \ No newline at end of file diff --git a/other/exclude-namespaces-dynamically/.chainsaw-test/podcontroller-bad.yaml b/other/exclude-namespaces-dynamically/.chainsaw-test/podcontroller-bad.yaml index a81ce69fb..931d85e11 100644 --- a/other/exclude-namespaces-dynamically/.chainsaw-test/podcontroller-bad.yaml +++ b/other/exclude-namespaces-dynamically/.chainsaw-test/podcontroller-bad.yaml @@ -17,7 +17,7 @@ spec: spec: containers: - name: bb-01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: batch/v1 kind: CronJob 
diff --git a/other/exclude-namespaces-dynamically/.chainsaw-test/podcontroller-good.yaml b/other/exclude-namespaces-dynamically/.chainsaw-test/podcontroller-good.yaml index 51a980cef..82e0c8a36 100644 --- a/other/exclude-namespaces-dynamically/.chainsaw-test/podcontroller-good.yaml +++ b/other/exclude-namespaces-dynamically/.chainsaw-test/podcontroller-good.yaml @@ -18,7 +18,7 @@ spec: spec: containers: - name: bb-01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: apps/v1 kind: Deployment @@ -40,7 +40,7 @@ spec: spec: containers: - name: bb-01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: batch/v1 kind: CronJob diff --git a/other/exclude-namespaces-dynamically/artifacthub-pkg.yml b/other/exclude-namespaces-dynamically/artifacthub-pkg.yml index b665ce838..c4f9e347b 100644 --- a/other/exclude-namespaces-dynamically/artifacthub-pkg.yml +++ b/other/exclude-namespaces-dynamically/artifacthub-pkg.yml @@ -19,4 +19,4 @@ annotations: kyverno/category: "Sample" kyverno/kubernetesVersion: "1.23" kyverno/subject: "Namespace, Pod" -digest: 12d7c34e85b599c26ee72d4fb193ee5cf13b27aa2a89eb74c5cd96538129e384 +digest: 17334323ddbfbe02d198f36d3d68f7fbd04285583750b1a171e4e461142a8e72 diff --git a/other/exclude-namespaces-dynamically/exclude-namespaces-dynamically.yaml b/other/exclude-namespaces-dynamically/exclude-namespaces-dynamically.yaml index f1cc90120..fc92fa013 100644 --- a/other/exclude-namespaces-dynamically/exclude-namespaces-dynamically.yaml +++ b/other/exclude-namespaces-dynamically/exclude-namespaces-dynamically.yaml @@ -17,7 +17,7 @@ metadata: where the ConfigMap stores an array of strings. This policy validates that any Pods created outside of the list of Namespaces have the label `foo` applied. spec: - validationFailureAction: Audit + validationFailureAction: audit background: true rules: - name: exclude-namespaces-dynamically 
diff --git a/other/forbid-cpu-limits/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other/forbid-cpu-limits/.chainsaw-test/chainsaw-step-01-assert-1.yaml index 6db4eed04..b96d2cb6d 100755 --- a/other/forbid-cpu-limits/.chainsaw-test/chainsaw-step-01-assert-1.yaml +++ b/other/forbid-cpu-limits/.chainsaw-test/chainsaw-step-01-assert-1.yaml @@ -3,8 +3,4 @@ kind: ClusterPolicy metadata: name: forbid-cpu-limits status: - conditions: - - reason: Succeeded - status: "True" - type: Ready - + ready: true diff --git a/other/forbid-cpu-limits/.chainsaw-test/chainsaw-test.yaml b/other/forbid-cpu-limits/.chainsaw-test/chainsaw-test.yaml index 7f6d2df88..cc5969152 100755 --- a/other/forbid-cpu-limits/.chainsaw-test/chainsaw-test.yaml +++ b/other/forbid-cpu-limits/.chainsaw-test/chainsaw-test.yaml @@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: @@ -8,16 +7,9 @@ spec: steps: - name: step-01 try: - - apply: - file: ../forbid-cpu-limits.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: forbid-cpu-limits - spec: - validationFailureAction: Enforce + - script: + content: | + sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../forbid-cpu-limits.yaml | kubectl create -f - - assert: file: chainsaw-step-01-assert-1.yaml - name: step-02 @@ -36,3 +28,10 @@ spec: - check: ($error != null): true file: podcontrollers-bad.yaml + - name: step-99 + try: + - delete: + ref: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: forbid-cpu-limits diff --git a/other/forbid-cpu-limits/.chainsaw-test/podcontrollers-bad.yaml b/other/forbid-cpu-limits/.chainsaw-test/podcontrollers-bad.yaml index 06dd9181c..1dad16455 100644 --- a/other/forbid-cpu-limits/.chainsaw-test/podcontrollers-bad.yaml +++ b/other/forbid-cpu-limits/.chainsaw-test/podcontrollers-bad.yaml 
@@ -16,7 +16,7 @@ spec: app: busybox spec: containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox resources: limits: @@ -41,12 +41,12 @@ spec: spec: containers: - name: webserver1 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 resources: requests: cpu: 10m - name: webserver2 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 resources: limits: cpu: 10m @@ -65,7 +65,7 @@ spec: app: busybox spec: containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox resources: limits: @@ -87,12 +87,12 @@ spec: spec: containers: - name: webserver1 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 resources: requests: cpu: 10m - name: webserver2 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 resources: limits: cpu: 10m diff --git a/other/forbid-cpu-limits/.chainsaw-test/podcontrollers-good.yaml b/other/forbid-cpu-limits/.chainsaw-test/podcontrollers-good.yaml index e0838c14b..86af67ba5 100644 --- a/other/forbid-cpu-limits/.chainsaw-test/podcontrollers-good.yaml +++ b/other/forbid-cpu-limits/.chainsaw-test/podcontrollers-good.yaml @@ -16,7 +16,7 @@ spec: app: busybox spec: containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox --- apiVersion: apps/v1 @@ -37,7 +37,7 @@ spec: app: busybox spec: containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox resources: requests: @@ -57,7 +57,7 @@ spec: app: busybox spec: containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox restartPolicy: OnFailure --- @@ -75,7 +75,7 @@ spec: app: busybox spec: containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox resources: requests: diff --git a/other/forbid-cpu-limits/.chainsaw-test/pods-bad.yaml b/other/forbid-cpu-limits/.chainsaw-test/pods-bad.yaml index 62296d928..84a73e9da 100644 
--- a/other/forbid-cpu-limits/.chainsaw-test/pods-bad.yaml +++ b/other/forbid-cpu-limits/.chainsaw-test/pods-bad.yaml @@ -5,7 +5,7 @@ metadata: spec: containers: - name: webserver1 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 resources: limits: cpu: 10m @@ -17,12 +17,12 @@ metadata: spec: containers: - name: webserver1 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 resources: requests: cpu: 10m - name: webserver2 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 resources: limits: cpu: 10m \ No newline at end of file diff --git a/other/forbid-cpu-limits/.chainsaw-test/pods-good.yaml b/other/forbid-cpu-limits/.chainsaw-test/pods-good.yaml index 1159a3cb1..b0aba2e9b 100644 --- a/other/forbid-cpu-limits/.chainsaw-test/pods-good.yaml +++ b/other/forbid-cpu-limits/.chainsaw-test/pods-good.yaml @@ -5,7 +5,7 @@ metadata: spec: containers: - name: webserver1 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod @@ -14,7 +14,7 @@ metadata: spec: containers: - name: webserver1 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 resources: requests: cpu: 10m \ No newline at end of file diff --git a/other/generate-networkpolicy-existing/.chainsaw-test/chainsaw-test.yaml b/other/generate-networkpolicy-existing/.chainsaw-test/chainsaw-test.yaml index 82d895324..e9a968e82 100755 --- a/other/generate-networkpolicy-existing/.chainsaw-test/chainsaw-test.yaml +++ b/other/generate-networkpolicy-existing/.chainsaw-test/chainsaw-test.yaml @@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: diff --git a/other/generate-networkpolicy-existing/.chainsaw-test/policy-ready.yaml b/other/generate-networkpolicy-existing/.chainsaw-test/policy-ready.yaml index ffd14ee7d..841a8d9c6 100644 
--- a/other/generate-networkpolicy-existing/.chainsaw-test/policy-ready.yaml +++ b/other/generate-networkpolicy-existing/.chainsaw-test/policy-ready.yaml @@ -3,7 +3,4 @@ kind: ClusterPolicy metadata: name: generate-networkpolicy-existing status: - conditions: - - reason: Succeeded - status: "True" - type: Ready + ready: true \ No newline at end of file diff --git a/other/generate-networkpolicy-existing/artifacthub-pkg.yml b/other/generate-networkpolicy-existing/artifacthub-pkg.yml index 250dcff9a..a681e1d91 100644 --- a/other/generate-networkpolicy-existing/artifacthub-pkg.yml +++ b/other/generate-networkpolicy-existing/artifacthub-pkg.yml @@ -19,4 +19,4 @@ annotations: kyverno/category: "Other" kyverno/kubernetesVersion: "1.23" kyverno/subject: "Namespace, NetworkPolicy" -digest: 4b22640f313949b16d47e144996489a7070e952b06e68f3ad1dc9ee5e013d976 +digest: 4cf8c5f46d007fdeb4f4da902003f65cbf9c783458ec752c342e5521eccf8c38 diff --git a/other/generate-networkpolicy-existing/generate-networkpolicy-existing.yaml b/other/generate-networkpolicy-existing/generate-networkpolicy-existing.yaml index cbb2069d4..27bfa2c27 100644 --- a/other/generate-networkpolicy-existing/generate-networkpolicy-existing.yaml +++ b/other/generate-networkpolicy-existing/generate-networkpolicy-existing.yaml @@ -17,7 +17,7 @@ metadata: is additional overhead. This policy creates a new NetworkPolicy for existing Namespaces which results in a default deny behavior and labels it with created-by=kyverno. spec: - generateExisting: true + generateExistingOnPolicyUpdate: true rules: - name: generate-existing-networkpolicy match: diff --git a/other/get-debug-information/.chainsaw-test/chainsaw-step-00-apply-1.yaml b/other/get-debug-information/.chainsaw-test/chainsaw-step-00-apply-1.yaml deleted file mode 100644 index a859882c4..000000000 --- a/other/get-debug-information/.chainsaw-test/chainsaw-step-00-apply-1.yaml +++ /dev/null 
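Review bot: `generateExistingOnPolicyUpdate: true` replaces `generateExisting: true` in generate-networkpolicy-existing.yaml with no comment explaining the choice of key; to my knowledge `generateExistingOnPolicyUpdate` is the older spelling that Kyverno documents as deprecated in favour of `generateExisting`, so this reads as a move back to the deprecated field — worth confirming against the Kyverno version this sample targets. Whichever spelling is correct for that version, a comment above the key such as `# generateExistingOnPolicyUpdate is required for compatibility with <KYVERNO-VERSION-PLACEHOLDER>` would stop the next contributor from flipping it again.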
@@ -1,12 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app.kubernetes.io/component: background-controller - app.kubernetes.io/instance: kyverno - app.kubernetes.io/part-of: kyverno - name: kyverno:background-controller-generate -rules: -- apiGroups: ["batch"] - resources: ["jobs"] - verbs: ["create", "get", "list", "watch", "update", "delete"] \ No newline at end of file diff --git a/other/get-debug-information/.chainsaw-test/chainsaw-step-00-apply-2.yaml b/other/get-debug-information/.chainsaw-test/chainsaw-step-00-apply-2.yaml deleted file mode 100644 index 44ee0edaf..000000000 --- a/other/get-debug-information/.chainsaw-test/chainsaw-step-00-apply-2.yaml +++ /dev/null @@ -1,24 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: pod-reader -rules: -- apiGroups: [""] - resources: ["pods", "pods/log", "events"] - verbs: ["get", "list", "watch"] -- apiGroups: [""] - resources: ["namespaces"] - verbs: ["get", "list", "watch"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: read-pods-rolebinding -subjects: -- kind: Group - name: system:serviceaccounts - apiGroup: rbac.authorization.k8s.io -roleRef: - kind: ClusterRole - name: pod-reader - apiGroup: rbac.authorization.k8s.io \ No newline at end of file diff --git a/other/get-debug-information/.chainsaw-test/chainsaw-test.yaml b/other/get-debug-information/.chainsaw-test/chainsaw-test.yaml deleted file mode 100644 index e7fbf93f1..000000000 --- a/other/get-debug-information/.chainsaw-test/chainsaw-test.yaml +++ /dev/null 
@@ -1,48 +0,0 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json -apiVersion: chainsaw.kyverno.io/v1alpha1 -kind: Test -metadata: - creationTimestamp: null - name: get-debug-data -spec: - steps: - - name: step-00 - try: - - apply: - file: chainsaw-step-00-apply-1.yaml - - apply: - file: chainsaw-step-00-apply-2.yaml - - name: step-01 - try: - - script: - content: | - if kubectl get configmap kyverno -n kyverno -o jsonpath='{.data.excludeGroups}' | grep -q 'system:nodes'; then - kubectl patch configmap kyverno -n kyverno --type=json -p='[{"op": "remove", "path": "/data/excludeGroups"}]' - else - echo "excludeGroups: system:nodes does not exist in the configmap." - fi - - name: step-02 - try: - - apply: - file: ../get-debug-information.yaml - - assert: - file: policy-ready.yaml - - name: step-03 - try: - - apply: - file: ns.yaml - - apply: - file: depl-readonlyrootfs.yaml - - name: step-04 - try: - - sleep: - duration: 60s - - assert: - resource: - apiVersion: batch/v1 - kind: Job - metadata: - labels: - app.kubernetes.io/managed-by: kyverno - deleteme: allow - namespace: abc diff --git a/other/get-debug-information/.chainsaw-test/depl-readonlyrootfs.yaml b/other/get-debug-information/.chainsaw-test/depl-readonlyrootfs.yaml deleted file mode 100644 index e3ff69fc8..000000000 --- a/other/get-debug-information/.chainsaw-test/depl-readonlyrootfs.yaml +++ /dev/null @@ -1,22 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: nginx-deployment - namespace: abc -spec: - replicas: 1 - selector: - matchLabels: - app: nginx - template: - metadata: - labels: - app: nginx - spec: - containers: - - name: nginx-container - image: ghcr.io/kyverno/test-nginx:latest - ports: - - containerPort: 80 - securityContext: - readOnlyRootFilesystem: true 
diff --git a/other/get-debug-information/.chainsaw-test/ns.yaml b/other/get-debug-information/.chainsaw-test/ns.yaml deleted file mode 100644 index 857153708..000000000 --- a/other/get-debug-information/.chainsaw-test/ns.yaml +++ /dev/null @@ -1,4 +0,0 @@ -apiVersion: v1 -kind: Namespace -metadata: - name: abc \ No newline at end of file diff --git a/other/get-debug-information/.chainsaw-test/policy-ready.yaml b/other/get-debug-information/.chainsaw-test/policy-ready.yaml deleted file mode 100644 index ca82aaca0..000000000 --- a/other/get-debug-information/.chainsaw-test/policy-ready.yaml +++ /dev/null @@ -1,9 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: get-debug-data-policy -status: - conditions: - - reason: Succeeded - status: "True" - type: Ready diff --git a/other/get-debug-information/artifacthub-pkg.yml b/other/get-debug-information/artifacthub-pkg.yml deleted file mode 100644 index 31c2f8884..000000000 --- a/other/get-debug-information/artifacthub-pkg.yml +++ /dev/null 
@@ -1,20 +0,0 @@ -name: get-debug-information -version: 1.0.0 -displayName: Collect debug information for pods in crashloopback -createdAt: "2024-07-25T20:30:05.000Z" -description: "This policy generates a job which gathers troubleshooting data (including logs, kubectl describe output and events from the namespace) from pods that are in CrashLoopBackOff and have 3 restarts. This data can further be used to automatically create a Jira issue using some kind of automation or another Kyverno policy. For more information on the image used in this policy in addition to the necessary RBAC resources required in order for this policy to operate, see the documentation at https://github.com/nirmata/SRE-Operational-Usecases/tree/main/get-troubleshooting-data/get-debug-data." -install: |- - ```shell - kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/get-debug-information/get-debug-information.yaml - ``` -keywords: -- kyverno -- Sample -readme: | - This policy generates a job which gathers troubleshooting data (including logs, kubectl describe output and events from the namespace) from pods that are in CrashLoopBackOff and have 3 restarts. This data can further be used to automatically create a Jira issue using some kind of automation or another Kyverno policy. For more information on the image used in this policy in addition to the necessary RBAC resources required in order for this policy to operate, see the documentation at https://github.com/nirmata/SRE-Operational-Usecases/tree/main/get-troubleshooting-data/get-debug-data. - - Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ -annotations: - kyverno/category: "Sample" - kyverno/subject: "Pod" -digest: 757b80d042c3ab9dd959ab6086205cd4585474a6672a13d8738ce91f4e3c491a 
diff --git a/other/get-debug-information/get-debug-information.yaml b/other/get-debug-information/get-debug-information.yaml deleted file mode 100644 index 728661b0c..000000000 --- a/other/get-debug-information/get-debug-information.yaml +++ /dev/null 
@@ -1,83 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: get-debug-data-policy - annotations: - policies.kyverno.io/title: Collect Debug Information for Pods in CrashLoopBackOff - policies.kyverno.io/category: Other - policies.kyverno.io/severity: medium - policies.kyverno.io/subject: Pod - kyverno.io/kyverno-version: 1.11.5 - kyverno.io/kubernetes-version: "1.27" - policies.kyverno.io/description: >- - This policy generates a job which gathers troubleshooting data (including logs, kubectl describe output and events from the namespace) from pods that are in CrashLoopBackOff and have 3 restarts. This data can further be used to automatically create a Jira issue using some kind of automation or another Kyverno policy. For more information on the image used in this policy in addition to the necessary RBAC resources required in order for this policy to operate, see the documentation at https://github.com/nirmata/SRE-Operational-Usecases/tree/main/get-troubleshooting-data/get-debug-data. 
-spec: - rules: - - name: get-debug-data-policy-rule - match: - any: - - resources: - kinds: - - v1/Pod.status - context: - - name: pdcount - apiCall: - urlPath: "/api/v1/namespaces/{{request.namespace}}/pods?labelSelector=requestpdname=pod-{{request.object.metadata.name}}" - jmesPath: "items | length(@)" - preconditions: - all: - - key: "{{ sum(request.object.status.containerStatuses[*].restartCount || `0`) }}" - operator: Equals - value: 3 - - key: "{{ request.object.metadata.labels.deleteme || 'empty' }}" - operator: Equals - value: "empty" - - key: "{{ pdcount }}" - operator: Equals - value: 0 - generate: - apiVersion: batch/v1 - kind: Job - name: get-debug-data-{{request.object.metadata.name}}-{{ random('[0-9a-z]{8}') }} - namespace: "{{request.namespace}}" - synchronize: false - data: - metadata: - labels: - deleteme: allow - spec: - template: - metadata: - labels: - app: my-app - deleteme: allow - requestpdname: "pod-{{request.object.metadata.name}}" - spec: - restartPolicy: OnFailure - containers: - - name: my-container - image: sagarkundral/my-python-app:v52 - ports: - - containerPort: 8080 - volumeMounts: - - mountPath: /var/run/secrets/kubernetes.io/serviceaccount - name: token - readOnly: true - args: - - "/app/get-debug-jira-v2.sh" - - "{{request.namespace}}" - - "{{request.object.metadata.name}}" - serviceAccount: default # This serviceaccount needs the necessary RBAC in order for the policy to operate. - volumes: - - name: token - projected: - defaultMode: 420 - sources: - - serviceAccountToken: - expirationSeconds: 3607 - path: token - - configMap: - items: - - key: ca.crt - path: ca.crt - name: kube-root-ca.crt diff --git a/other/imagepullpolicy-always/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other/imagepullpolicy-always/.chainsaw-test/chainsaw-step-01-assert-1.yaml index c1acbab53..adbe3c664 100755 --- a/other/imagepullpolicy-always/.chainsaw-test/chainsaw-step-01-assert-1.yaml 
+++ b/other/imagepullpolicy-always/.chainsaw-test/chainsaw-step-01-assert-1.yaml @@ -3,8 +3,4 @@ kind: ClusterPolicy metadata: name: imagepullpolicy-always status: - conditions: - - reason: Succeeded - status: "True" - type: Ready - + ready: true diff --git a/other/imagepullpolicy-always/.chainsaw-test/chainsaw-test.yaml b/other/imagepullpolicy-always/.chainsaw-test/chainsaw-test.yaml index 57afc7d19..2153e9b4f 100755 --- a/other/imagepullpolicy-always/.chainsaw-test/chainsaw-test.yaml +++ b/other/imagepullpolicy-always/.chainsaw-test/chainsaw-test.yaml @@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: @@ -8,16 +7,9 @@ spec: steps: - name: step-01 try: - - apply: - file: ../imagepullpolicy-always.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: imagepullpolicy-always - spec: - validationFailureAction: Enforce + - script: + content: | + sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../imagepullpolicy-always.yaml | kubectl create -f - - assert: file: chainsaw-step-01-assert-1.yaml - name: step-02 @@ -36,3 +28,10 @@ spec: - check: ($error != null): true file: podcontroller-bad.yaml + - name: step-99 + try: + - delete: + ref: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: imagepullpolicy-always diff --git a/other/imagepullpolicy-always/.chainsaw-test/pod-bad.yaml b/other/imagepullpolicy-always/.chainsaw-test/pod-bad.yaml index c7d92a9ac..eb6883232 100644 --- a/other/imagepullpolicy-always/.chainsaw-test/pod-bad.yaml +++ b/other/imagepullpolicy-always/.chainsaw-test/pod-bad.yaml @@ -5,7 +5,7 @@ metadata: spec: containers: - name: pod01 - image: ghcr.io/kyverno/test-busybox:latest + image: busybox:latest imagePullPolicy: Never --- apiVersion: v1 
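Review bot: The new `step-99` delete only runs when every earlier step passes; chainsaw skips the remaining steps after a failed `try`, so a failing check in step-02 leaves the `imagepullpolicy-always` ClusterPolicy in the cluster in Enforce mode, where it keeps blocking admissions for whatever test runs next. Since the policy is now created by `kubectl create -f -` instead of a chainsaw `apply`, chainsaw no longer tracks it for automatic cleanup, so the delete belongs in a `finally:` block of step-01 rather than a trailing step. The `sed` expression is also coupled to the exact literal `validationFailureAction: audit` that this same commit writes into the policy file; if the casing is ever normalised back to `Audit` the substitution becomes a no-op and the later `($error != null): true` checks fail far from the cause, so a comment on the script such as `# depends on the lowercase "audit" spelling in ../imagepullpolicy-always.yaml` and `kubectl apply -f -` (which also survives a leftover policy from an aborted run) would make the failure mode clearer. The same structure is used in the ingress-host-match-tls, pdb-maxunavailable and pdb-minavailable chainsaw-test hunks below.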
@@ -15,7 +15,7 @@ metadata: spec: containers: - name: pod01 - image: ghcr.io/kyverno/test-busybox + image: busybox imagePullPolicy: IfNotPresent --- apiVersion: v1 @@ -25,10 +25,10 @@ metadata: spec: containers: - name: pod01 - image: ghcr.io/kyverno/test-busybox:latest + image: busybox:latest imagePullPolicy: Always - name: pod02 - image: ghcr.io/kyverno/test-busybox:latest + image: busybox:latest imagePullPolicy: IfNotPresent --- apiVersion: v1 @@ -38,7 +38,7 @@ metadata: spec: containers: - name: pod01 - image: ghcr.io/kyverno/test-busybox:latest + image: busybox:latest imagePullPolicy: Never - name: pod02 - image: ghcr.io/kyverno/test-busybox:1.35 \ No newline at end of file + image: busybox:1.35 \ No newline at end of file diff --git a/other/imagepullpolicy-always/.chainsaw-test/pod-good.yaml b/other/imagepullpolicy-always/.chainsaw-test/pod-good.yaml index 9972b1147..65f5d474f 100644 --- a/other/imagepullpolicy-always/.chainsaw-test/pod-good.yaml +++ b/other/imagepullpolicy-always/.chainsaw-test/pod-good.yaml @@ -5,7 +5,7 @@ metadata: spec: containers: - name: pod01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod @@ -14,7 +14,7 @@ metadata: spec: containers: - name: pod01 - image: ghcr.io/kyverno/test-busybox # by default, imagePullPolicy: Always + image: busybox # by default, imagePullPolicy: Always --- apiVersion: v1 kind: Pod @@ -23,7 +23,7 @@ metadata: spec: containers: - name: pod01 - image: ghcr.io/kyverno/test-busybox:latest # by default, imagePullPolicy: Always + image: busybox:latest # by default, imagePullPolicy: Always --- apiVersion: v1 kind: Pod @@ -32,7 +32,7 @@ metadata: spec: containers: - name: pod01 - image: ghcr.io/kyverno/test-busybox:latest + image: busybox:latest imagePullPolicy: Always --- apiVersion: v1 
@@ -42,10 +42,10 @@ metadata: spec: containers: - name: pod01 - image: ghcr.io/kyverno/test-busybox:latest + image: busybox:latest imagePullPolicy: Always - name: pod02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod @@ -54,8 +54,8 @@ metadata: spec: containers: - name: pod01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 imagePullPolicy: IfNotPresent - name: pod02 - image: ghcr.io/kyverno/test-busybox:latest + image: busybox:latest imagePullPolicy: Always \ No newline at end of file diff --git a/other/imagepullpolicy-always/.chainsaw-test/podcontroller-bad.yaml b/other/imagepullpolicy-always/.chainsaw-test/podcontroller-bad.yaml index 564bb7694..770e5393e 100644 --- a/other/imagepullpolicy-always/.chainsaw-test/podcontroller-bad.yaml +++ b/other/imagepullpolicy-always/.chainsaw-test/podcontroller-bad.yaml @@ -17,12 +17,12 @@ spec: spec: containers: - name: bb01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: bb02 - image: ghcr.io/kyverno/test-busybox:latest + image: busybox:latest imagePullPolicy: Never - name: bb03 - image: ghcr.io/kyverno/test-busybox + image: busybox imagePullPolicy: IfNotPresent --- apiVersion: batch/v1 @@ -37,11 +37,11 @@ spec: spec: containers: - name: bb01 - image: ghcr.io/kyverno/test-busybox:latest + image: busybox:latest imagePullPolicy: Never - name: bb02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: bb03 - image: ghcr.io/kyverno/test-busybox + image: busybox imagePullPolicy: IfNotPresent restartPolicy: OnFailure \ No newline at end of file diff --git a/other/imagepullpolicy-always/.chainsaw-test/podcontroller-good.yaml b/other/imagepullpolicy-always/.chainsaw-test/podcontroller-good.yaml index ceb81f45d..4499d5b17 100644 --- a/other/imagepullpolicy-always/.chainsaw-test/podcontroller-good.yaml +++ b/other/imagepullpolicy-always/.chainsaw-test/podcontroller-good.yaml 
@@ -17,11 +17,11 @@ spec: spec: containers: - name: bb01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: bb02 - image: ghcr.io/kyverno/test-busybox:latest + image: busybox:latest - name: bb03 - image: ghcr.io/kyverno/test-busybox + image: busybox --- apiVersion: batch/v1 kind: CronJob @@ -35,9 +35,9 @@ spec: spec: containers: - name: bb01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: bb02 - image: ghcr.io/kyverno/test-busybox:latest + image: busybox:latest - name: bb03 - image: ghcr.io/kyverno/test-busybox + image: busybox restartPolicy: OnFailure \ No newline at end of file diff --git a/other/imagepullpolicy-always/artifacthub-pkg.yml b/other/imagepullpolicy-always/artifacthub-pkg.yml index 24d2808fe..a88ed1308 100644 --- a/other/imagepullpolicy-always/artifacthub-pkg.yml +++ b/other/imagepullpolicy-always/artifacthub-pkg.yml @@ -18,4 +18,4 @@ readme: | annotations: kyverno/category: "Sample" kyverno/subject: "Pod" -digest: fec07496bb0b042077300e6235dfcc21ef12fc1a7c6b79f1babba998003e7300 +digest: 6c540bf67eeab51987b0021acffd73333d5eff22f14e10204b8c2c543222758d diff --git a/other/imagepullpolicy-always/imagepullpolicy-always.yaml b/other/imagepullpolicy-always/imagepullpolicy-always.yaml index 52db3842c..874c8ce01 100644 --- a/other/imagepullpolicy-always/imagepullpolicy-always.yaml +++ b/other/imagepullpolicy-always/imagepullpolicy-always.yaml @@ -14,7 +14,7 @@ metadata: pulls will get the updated image. This policy validates the imagePullPolicy is set to `Always` when the `latest` tag is specified explicitly or where a tag is not defined at all. spec: - validationFailureAction: Audit + validationFailureAction: audit background: true rules: - name: imagepullpolicy-always diff --git a/other/ingress-host-match-tls/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other/ingress-host-match-tls/.chainsaw-test/chainsaw-step-01-assert-1.yaml index b738b5dbb..1bd8a2c79 100755 
--- a/other/ingress-host-match-tls/.chainsaw-test/chainsaw-step-01-assert-1.yaml +++ b/other/ingress-host-match-tls/.chainsaw-test/chainsaw-step-01-assert-1.yaml @@ -3,8 +3,4 @@ kind: ClusterPolicy metadata: name: ingress-host-match-tls status: - conditions: - - reason: Succeeded - status: "True" - type: Ready - + ready: true diff --git a/other/ingress-host-match-tls/.chainsaw-test/chainsaw-test.yaml b/other/ingress-host-match-tls/.chainsaw-test/chainsaw-test.yaml index ee51f40cf..4bec70ba0 100755 --- a/other/ingress-host-match-tls/.chainsaw-test/chainsaw-test.yaml +++ b/other/ingress-host-match-tls/.chainsaw-test/chainsaw-test.yaml @@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: @@ -8,16 +7,9 @@ spec: steps: - name: step-01 try: - - apply: - file: ../ingress-host-match-tls.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: ingress-host-match-tls - spec: - validationFailureAction: Enforce + - script: + content: | + sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../ingress-host-match-tls.yaml | kubectl create -f - - assert: file: chainsaw-step-01-assert-1.yaml - name: step-02 @@ -29,3 +21,10 @@ spec: - check: ($error != null): true file: ingress-bad.yaml + - name: step-99 + try: + - delete: + ref: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: ingress-host-match-tls diff --git a/other/ingress-host-match-tls/artifacthub-pkg.yml b/other/ingress-host-match-tls/artifacthub-pkg.yml index 1fdf77798..a13df750e 100644 --- a/other/ingress-host-match-tls/artifacthub-pkg.yml +++ b/other/ingress-host-match-tls/artifacthub-pkg.yml 
@@ -19,4 +19,4 @@ annotations: kyverno/category: "Other" kyverno/kubernetesVersion: "1.20, 1.21" kyverno/subject: "Ingress" -digest: fbb6f531a3606b90ebea9d245a23c1b0a47e8d1be91f31493e9047edb3fb608b +digest: 3f3af746f48800ebfdb337b428125c1421f29d91161ab34a0fd8e2225913dbb3 diff --git a/other/ingress-host-match-tls/ingress-host-match-tls.yaml b/other/ingress-host-match-tls/ingress-host-match-tls.yaml index 0c7718224..bf65c827b 100644 --- a/other/ingress-host-match-tls/ingress-host-match-tls.yaml +++ b/other/ingress-host-match-tls/ingress-host-match-tls.yaml @@ -18,7 +18,7 @@ metadata: in the list of TLS hosts. spec: background: false - validationFailureAction: Audit + validationFailureAction: audit rules: - name: host-match-tls match: diff --git a/other/inject-env-var-from-image-label/.chainsaw-test/chainsaw-test.yaml b/other/inject-env-var-from-image-label/.chainsaw-test/chainsaw-test.yaml index 29804d8e6..4de16a36e 100755 --- a/other/inject-env-var-from-image-label/.chainsaw-test/chainsaw-test.yaml +++ b/other/inject-env-var-from-image-label/.chainsaw-test/chainsaw-test.yaml @@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: diff --git a/other/inject-env-var-from-image-label/.chainsaw-test/kuttlresource.yaml b/other/inject-env-var-from-image-label/.chainsaw-test/kuttlresource.yaml index 8a841029b..5fa437cba 100644 --- a/other/inject-env-var-from-image-label/.chainsaw-test/kuttlresource.yaml +++ b/other/inject-env-var-from-image-label/.chainsaw-test/kuttlresource.yaml @@ -6,4 +6,4 @@ metadata: spec: containers: - name: nginx - image: ghcr.io/kyverno/test-nginx@sha256:eca6768a39363decf0a4606a282e222552576fec380f555b65560983f7305cf7 + image: docker.io/nginx@sha256:63b44e8ddb83d5dd8020327c1f40436e37a6fffd3ef2498a6204df23be6e7e94 
diff --git a/other/inject-env-var-from-image-label/.chainsaw-test/resource-mutated.yaml b/other/inject-env-var-from-image-label/.chainsaw-test/resource-mutated.yaml index 0264b848c..20e440496 100644 --- a/other/inject-env-var-from-image-label/.chainsaw-test/resource-mutated.yaml +++ b/other/inject-env-var-from-image-label/.chainsaw-test/resource-mutated.yaml @@ -8,5 +8,5 @@ spec: - env: - name: MAINTAINER value: NGINX Docker Maintainers - image: ghcr.io/kyverno/test-nginx@sha256:eca6768a39363decf0a4606a282e222552576fec380f555b65560983f7305cf7 + image: docker.io/nginx@sha256:63b44e8ddb83d5dd8020327c1f40436e37a6fffd3ef2498a6204df23be6e7e94 name: nginx \ No newline at end of file diff --git a/other/inject-sidecar-deployment/.chainsaw-test/chainsaw-test.yaml b/other/inject-sidecar-deployment/.chainsaw-test/chainsaw-test.yaml index 97c047883..7d75691ac 100755 --- a/other/inject-sidecar-deployment/.chainsaw-test/chainsaw-test.yaml +++ b/other/inject-sidecar-deployment/.chainsaw-test/chainsaw-test.yaml @@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: diff --git a/other/inject-sidecar-deployment/.chainsaw-test/deploy-patched01.yaml b/other/inject-sidecar-deployment/.chainsaw-test/deploy-patched01.yaml index 4ff38b2a0..33bfae1b8 100644 --- a/other/inject-sidecar-deployment/.chainsaw-test/deploy-patched01.yaml +++ b/other/inject-sidecar-deployment/.chainsaw-test/deploy-patched01.yaml @@ -21,7 +21,7 @@ spec: volumeMounts: - mountPath: /vault/secrets name: vault-secret - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox initContainers: - image: vault:1.5.4 diff --git a/other/inject-sidecar-deployment/.chainsaw-test/deploy-patched02.yaml b/other/inject-sidecar-deployment/.chainsaw-test/deploy-patched02.yaml index 1765d4960..4cd10f8fd 100644 
--- a/other/inject-sidecar-deployment/.chainsaw-test/deploy-patched02.yaml +++ b/other/inject-sidecar-deployment/.chainsaw-test/deploy-patched02.yaml @@ -21,7 +21,7 @@ spec: volumeMounts: - mountPath: /vault/secrets name: vault-secret - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox initContainers: - image: vault:1.5.4 @@ -30,7 +30,7 @@ spec: volumeMounts: - mountPath: /vault/secrets name: vault-secret - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox-init volumes: - emptyDir: diff --git a/other/inject-sidecar-deployment/.chainsaw-test/deploy.yaml b/other/inject-sidecar-deployment/.chainsaw-test/deploy.yaml index f49094cae..f9d12fcf4 100644 --- a/other/inject-sidecar-deployment/.chainsaw-test/deploy.yaml +++ b/other/inject-sidecar-deployment/.chainsaw-test/deploy.yaml @@ -15,7 +15,7 @@ spec: vault.hashicorp.com/agent-inject: "true" spec: containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox --- apiVersion: apps/v1 @@ -35,7 +35,7 @@ spec: vault.hashicorp.com/agent-inject: "false" spec: containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox --- apiVersion: apps/v1 @@ -53,7 +53,7 @@ spec: app: myapp spec: containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox --- apiVersion: apps/v1 @@ -73,8 +73,8 @@ spec: vault.hashicorp.com/agent-inject: "true" spec: initContainers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox-init containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox \ No newline at end of file diff --git a/other/inject-sidecar-deployment/.chainsaw-test/not-deploy-patched02.yaml b/other/inject-sidecar-deployment/.chainsaw-test/not-deploy-patched02.yaml index 5e8e7684f..0f17b48d4 100644 --- a/other/inject-sidecar-deployment/.chainsaw-test/not-deploy-patched02.yaml 
+++ b/other/inject-sidecar-deployment/.chainsaw-test/not-deploy-patched02.yaml @@ -21,7 +21,7 @@ spec: volumeMounts: - mountPath: /vault/secrets name: vault-secret - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox initContainers: - image: vault:1.5.4 diff --git a/other/inject-sidecar-deployment/.chainsaw-test/not-deploy-patched03.yaml b/other/inject-sidecar-deployment/.chainsaw-test/not-deploy-patched03.yaml index 421b47a5b..f4561dc34 100644 --- a/other/inject-sidecar-deployment/.chainsaw-test/not-deploy-patched03.yaml +++ b/other/inject-sidecar-deployment/.chainsaw-test/not-deploy-patched03.yaml @@ -21,7 +21,7 @@ spec: volumeMounts: - mountPath: /vault/secrets name: vault-secret - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox initContainers: - image: vault:1.5.4 diff --git a/other/inject-sidecar-deployment/.chainsaw-test/policy-ready.yaml b/other/inject-sidecar-deployment/.chainsaw-test/policy-ready.yaml index e0e72cd24..e533267bc 100644 --- a/other/inject-sidecar-deployment/.chainsaw-test/policy-ready.yaml +++ b/other/inject-sidecar-deployment/.chainsaw-test/policy-ready.yaml @@ -3,7 +3,4 @@ kind: ClusterPolicy metadata: name: inject-sidecar status: - conditions: - - reason: Succeeded - status: "True" - type: Ready + ready: true \ No newline at end of file diff --git a/other/inspect-csr/.chainsaw-test/chainsaw-test.yaml b/other/inspect-csr/.chainsaw-test/chainsaw-test.yaml index b5098eafd..6de86b957 100755 --- a/other/inspect-csr/.chainsaw-test/chainsaw-test.yaml +++ b/other/inspect-csr/.chainsaw-test/chainsaw-test.yaml @@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: 
@@ -12,8 +11,6 @@ spec: content: | #!/bin/bash set -eu - cp $KUBECONFIG temp - export KUBECONFIG=./temp export USERNAME=inspect-csr-user export CA=ca.crt #### Get CA certificate from kubeconfig assuming it's the first in the list. 
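Review bot: Dropping `cp $KUBECONFIG temp` and `export KUBECONFIG=./temp` means the `kubectl config set-context $USERNAME-context ...` call later in this script (visible in the next hunk) and, presumably, the credential setup that precedes it now write the test-generated `inspect-csr-user` identity into the real kubeconfig of whoever runs the suite, and nothing in the hunk removes it afterwards. The scratch copy was what kept a test identity from persisting in CI or a developer's credentials file; if it was dropped because the relative `./temp` path did not survive between steps, an absolute scratch file keeps the isolation, e.g. `tmp=$(mktemp); cp "${KUBECONFIG:-$HOME/.kube/config}" "$tmp"; export KUBECONFIG="$tmp"`. The enclosing script starts before and ends after this hunk.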
@@ -49,18 +46,18 @@ spec: kubectl config set-context $USERNAME-context --user=$USERNAME --cluster=$CLUSTER # Delete CSR kubectl delete csr $USERNAME - - apply: - file: permissions.yaml + - name: step-02 + try: - apply: file: ../inspect-csr.yaml - apply: file: crolb-user.yaml - assert: file: policy-ready.yaml + - name: step-03 + try: - script: content: | - set -eu - export KUBECONFIG=./temp cat <- - A PodDisruptionBudget which sets its maxUnavailable value to zero prevents - all voluntary evictions including Node drains which may impact maintenance tasks. - This may be acceptable if there are no matching controllers, but if there are then - creation of such a PDB could allow unintended disruption. This policy enforces that - a PodDisruptionBudget may not specify the maxUnavailable field as zero if there are - any existing matching Deployments having greater than zero replicas. -install: |- - ```shell - kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/pdb-maxunavailable-with-deployments/pdb-maxunavailable-with-deployments.yaml - ``` -keywords: - - kyverno - - Sample -readme: | - A PodDisruptionBudget which sets its maxUnavailable value to zero prevents - all voluntary evictions including Node drains which may impact maintenance tasks. - This may be acceptable if there are no matching controllers, but if there are then - creation of such a PDB could allow unintended disruption. This policy enforces that - a PodDisruptionBudget may not specify the maxUnavailable field as zero if there are - any existing matching Deployments having greater than zero replicas. - - Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ -annotations: - kyverno/category: "Other" - kyverno/kubernetesVersion: "1.27" - kyverno/subject: "PodDisruptionBudget,Deployment" -digest: f3ee077bec9cb034e001e4a24451562e8de6edc4a5cdc31ac33cf7bc89b12e20 
diff --git a/other/pdb-maxunavailable-with-deployments/pdb-maxunavailable-with-deployments.yaml b/other/pdb-maxunavailable-with-deployments/pdb-maxunavailable-with-deployments.yaml deleted file mode 100644 index 9f9d0617a..000000000 --- a/other/pdb-maxunavailable-with-deployments/pdb-maxunavailable-with-deployments.yaml +++ /dev/null 
@@ -1,56 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: pdb-maxunavailable-with-deployments - annotations: - policies.kyverno.io/title: PodDisruptionBudget maxUnavailable Non-Zero with Deployments - policies.kyverno.io/category: Other - kyverno.io/kyverno-version: 1.11.4 - kyverno.io/kubernetes-version: "1.27" - policies.kyverno.io/subject: PodDisruptionBudget, Deployment - policies.kyverno.io/description: >- - A PodDisruptionBudget which sets its maxUnavailable value to zero prevents - all voluntary evictions including Node drains which may impact maintenance tasks. - This may be acceptable if there are no matching controllers, but if there are then - creation of such a PDB could allow unintended disruption. This policy enforces that - a PodDisruptionBudget may not specify the maxUnavailable field as zero if there are - any existing matching Deployments having greater than zero replicas. -spec: - validationFailureAction: Audit - background: false - rules: - - name: pdb-maxunavailable - match: - any: - - resources: - kinds: - - PodDisruptionBudget - operations: - - CREATE - - UPDATE - context: - - name: deploymentreplicas - apiCall: - jmesPath: items[?label_match(`{{request.object.spec.selector.matchLabels}}`, spec.template.metadata.labels)] || `[]` - urlPath: /apis/apps/v1/namespaces/{{request.namespace}}/deployments - preconditions: - all: - - key: '{{ regex_match(''^[0-9]+$'', ''{{ request.object.spec.maxUnavailable || ''''}}'') }}' - operator: Equals - value: true - - key: '{{ length(deploymentreplicas) }}' - operator: GreaterThan - value: 0 - validate: - message: >- - PodDisruptionBudget must not specify maxUnavailable as zero if there are any existing matching Deployments which - have replicas numbering greater than zero. There are {{ length(deploymentreplicas) }} Deployments which match this labelSelector - having {{ deploymentreplicas[*].spec.replicas }} replicas. 
- foreach: - - list: deploymentreplicas - deny: - conditions: - all: - - key: "{{ request.object.spec.maxUnavailable }}" - operator: LessThan - value: "{{ element.spec.replicas }}" diff --git a/other/pdb-maxunavailable/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other/pdb-maxunavailable/.chainsaw-test/chainsaw-step-01-assert-1.yaml index 293c82b88..5cdc2b1cc 100755 --- a/other/pdb-maxunavailable/.chainsaw-test/chainsaw-step-01-assert-1.yaml +++ b/other/pdb-maxunavailable/.chainsaw-test/chainsaw-step-01-assert-1.yaml @@ -3,8 +3,4 @@ kind: ClusterPolicy metadata: name: pdb-maxunavailable status: - conditions: - - reason: Succeeded - status: "True" - type: Ready - + ready: true diff --git a/other/pdb-maxunavailable/.chainsaw-test/chainsaw-test.yaml b/other/pdb-maxunavailable/.chainsaw-test/chainsaw-test.yaml index 506f80b2e..c04fc6c45 100755 --- a/other/pdb-maxunavailable/.chainsaw-test/chainsaw-test.yaml +++ b/other/pdb-maxunavailable/.chainsaw-test/chainsaw-test.yaml @@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: @@ -8,16 +7,9 @@ spec: steps: - name: step-01 try: - - apply: - file: ../pdb-maxunavailable.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: pdb-maxunavailable - spec: - validationFailureAction: Enforce + - script: + content: | + sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../pdb-maxunavailable.yaml | kubectl create -f - - assert: file: chainsaw-step-01-assert-1.yaml - name: step-02 @@ -29,3 +21,10 @@ spec: - check: ($error != null): true file: pdb-bad.yaml + - name: step-99 + try: + - delete: + ref: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: pdb-maxunavailable diff --git a/other/pdb-maxunavailable/artifacthub-pkg.yml b/other/pdb-maxunavailable/artifacthub-pkg.yml index 4ccb6065b..6c0ffacd2 100644 
--- a/other/pdb-maxunavailable/artifacthub-pkg.yml +++ b/other/pdb-maxunavailable/artifacthub-pkg.yml @@ -19,4 +19,4 @@ annotations: kyverno/category: "Other" kyverno/kubernetesVersion: "1.24" kyverno/subject: "PodDisruptionBudget" -digest: 5d77f56fc16217f79de484881ef63e5dd61b8e4e9befce9d57c9269d508f01eb +digest: d7acf0213b5530e922ca29674342a359b09e0b34afded7c321363e4c6f45a84c diff --git a/other/pdb-maxunavailable/pdb-maxunavailable.yaml b/other/pdb-maxunavailable/pdb-maxunavailable.yaml index 74aea2068..b26a8c354 100644 --- a/other/pdb-maxunavailable/pdb-maxunavailable.yaml +++ b/other/pdb-maxunavailable/pdb-maxunavailable.yaml @@ -14,7 +14,7 @@ metadata: This policy enforces that if a PodDisruptionBudget specifies the maxUnavailable field it must be greater than zero. spec: - validationFailureAction: Audit + validationFailureAction: audit background: false rules: - name: pdb-maxunavailable diff --git a/other/pdb-minavailable/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other/pdb-minavailable/.chainsaw-test/chainsaw-step-01-assert-1.yaml index bbf99fddc..f781cbce7 100755 --- a/other/pdb-minavailable/.chainsaw-test/chainsaw-step-01-assert-1.yaml +++ b/other/pdb-minavailable/.chainsaw-test/chainsaw-step-01-assert-1.yaml @@ -3,8 +3,4 @@ kind: ClusterPolicy metadata: name: pdb-minavailable-check status: - conditions: - - reason: Succeeded - status: "True" - type: Ready - + ready: true diff --git a/other/pdb-minavailable/.chainsaw-test/chainsaw-test.yaml b/other/pdb-minavailable/.chainsaw-test/chainsaw-test.yaml index fe3ca49bc..5dc45609f 100755 --- a/other/pdb-minavailable/.chainsaw-test/chainsaw-test.yaml +++ b/other/pdb-minavailable/.chainsaw-test/chainsaw-test.yaml @@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: 
@@ -10,16 +9,9 @@ spec: try: - apply: file: pdb.yaml - - apply: - file: ../pdb-minavailable.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: pdb-minavailable-check - spec: - validationFailureAction: Enforce + - script: + content: | + sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../pdb-minavailable.yaml | kubectl create -f - - assert: file: chainsaw-step-01-assert-1.yaml - name: step-02 @@ -31,3 +23,10 @@ spec: - check: ($error != null): true file: ss-bad.yaml + - name: step-99 + try: + - delete: + ref: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: pdb-minavailable-check diff --git a/other/pdb-minavailable/.chainsaw-test/ss-bad.yaml b/other/pdb-minavailable/.chainsaw-test/ss-bad.yaml index 1f09ebbf0..fa348fd11 100644 --- a/other/pdb-minavailable/.chainsaw-test/ss-bad.yaml +++ b/other/pdb-minavailable/.chainsaw-test/ss-bad.yaml @@ -16,4 +16,4 @@ spec: terminationGracePeriodSeconds: 10 containers: - name: busbyox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 diff --git a/other/pdb-minavailable/.chainsaw-test/ss-good.yaml b/other/pdb-minavailable/.chainsaw-test/ss-good.yaml index 17a21a459..c294a8a93 100644 --- a/other/pdb-minavailable/.chainsaw-test/ss-good.yaml +++ b/other/pdb-minavailable/.chainsaw-test/ss-good.yaml @@ -16,7 +16,7 @@ spec: terminationGracePeriodSeconds: 10 containers: - name: busbyox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- # Workload is not in PDB namespace. apiVersion: apps/v1 @@ -36,7 +36,7 @@ spec: terminationGracePeriodSeconds: 10 containers: - name: busbyox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- # Workload does not match PDB selector. apiVersion: apps/v1 @@ -57,7 +57,7 @@ spec: terminationGracePeriodSeconds: 10 containers: - name: busbyox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- # Workload has 0 replicas and is not in PDB namespace. apiVersion: apps/v1 
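Review bot: The fixture image in other/pdb-minavailable/.chainsaw-test/ss-bad.yaml moves from the project-owned `ghcr.io/kyverno/test-busybox:1.35` to the unqualified `busybox:1.35`, which resolves through the node runtime's default registry (Docker Hub on most runtimes) and is a mutable tag the project does not control; ss-good.yaml and the prevent-bare-pods and prevent-cr8escape fixtures make the same change. Besides the supply-chain exposure of a tag that can be republished, anonymous Docker Hub pulls are rate-limited, so CI runs with many fixtures can fail on image pulls unrelated to the policy under test. If the mirror is being retired, a fully qualified, digest-pinned reference such as `image: docker.io/library/busybox:1.35@sha256:<digest to be filled in>` keeps the fixtures reproducible.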
@@ -77,4 +77,4 @@ spec: terminationGracePeriodSeconds: 10 containers: - name: busbyox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 diff --git a/other/pdb-minavailable/artifacthub-pkg.yml b/other/pdb-minavailable/artifacthub-pkg.yml index 9e6e3fed9..bb8be578f 100644 --- a/other/pdb-minavailable/artifacthub-pkg.yml +++ b/other/pdb-minavailable/artifacthub-pkg.yml @@ -19,4 +19,4 @@ annotations: kyverno/category: "Other" kyverno/kubernetesVersion: "1.24" kyverno/subject: "PodDisruptionBudget, Deployment, StatefulSet" -digest: c1a7a9d5dfb23c4b6bcfc6bc3d0add8811e7d7967c4d5856c6ff692b16f3ef31 +digest: f6f12d2b34642666ce110807b85756d86012a840a15f236c53e2a4866347b628 diff --git a/other/pdb-minavailable/pdb-minavailable.yaml b/other/pdb-minavailable/pdb-minavailable.yaml index 8c2c09737..ef8c1d896 100644 --- a/other/pdb-minavailable/pdb-minavailable.yaml +++ b/other/pdb-minavailable/pdb-minavailable.yaml @@ -15,7 +15,7 @@ metadata: tasks and disrupt operations. This policy checks incoming Deployments and StatefulSets which have a matching PodDisruptionBudget to ensure these two values do not match. spec: - validationFailureAction: Audit + validationFailureAction: audit background: false rules: - name: pdb-minavailable diff --git a/other/policy-for-exceptions/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other/policy-for-exceptions/.chainsaw-test/chainsaw-step-01-assert-1.yaml index 97b3403b7..b86d64eb2 100755 --- a/other/policy-for-exceptions/.chainsaw-test/chainsaw-step-01-assert-1.yaml +++ b/other/policy-for-exceptions/.chainsaw-test/chainsaw-step-01-assert-1.yaml @@ -3,8 +3,4 @@ kind: ClusterPolicy metadata: name: policy-for-exceptions status: - conditions: - - reason: Succeeded - status: "True" - type: Ready - + ready: true diff --git a/other/policy-for-exceptions/.chainsaw-test/chainsaw-test.yaml b/other/policy-for-exceptions/.chainsaw-test/chainsaw-test.yaml index f45468a22..ba3f5c272 100755 
--- a/other/policy-for-exceptions/.chainsaw-test/chainsaw-test.yaml +++ b/other/policy-for-exceptions/.chainsaw-test/chainsaw-test.yaml @@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: @@ -10,16 +9,9 @@ spec: try: - apply: file: ns.yaml - - apply: - file: ../policy-for-exceptions.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: policy-for-exceptions - spec: - validationFailureAction: Enforce + - script: + content: | + sed 's/validationFailureAction: Audit/validationFailureAction: Enforce/' ../policy-for-exceptions.yaml | kubectl create -f - - assert: file: chainsaw-step-01-assert-1.yaml - name: step-02 @@ -31,3 +23,10 @@ spec: - check: ($error != null): true file: policy-bad.yaml + - name: step-99 + try: + - delete: + ref: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: policy-for-exceptions diff --git a/other/prepend-image-registry/.chainsaw-test/chainsaw-test.yaml b/other/prepend-image-registry/.chainsaw-test/chainsaw-test.yaml index a22ba5856..f40b9ba92 100755 --- a/other/prepend-image-registry/.chainsaw-test/chainsaw-test.yaml +++ b/other/prepend-image-registry/.chainsaw-test/chainsaw-test.yaml @@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: diff --git a/other/prevent-bare-pods/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other/prevent-bare-pods/.chainsaw-test/chainsaw-step-01-assert-1.yaml index 4b2a40e77..34cc2d581 100755 --- a/other/prevent-bare-pods/.chainsaw-test/chainsaw-step-01-assert-1.yaml +++ b/other/prevent-bare-pods/.chainsaw-test/chainsaw-step-01-assert-1.yaml 
@@ -3,8 +3,4 @@ kind: ClusterPolicy metadata: name: prevent-bare-pods status: - conditions: - - reason: Succeeded - status: "True" - type: Ready - + ready: true diff --git a/other/prevent-bare-pods/.chainsaw-test/chainsaw-test.yaml b/other/prevent-bare-pods/.chainsaw-test/chainsaw-test.yaml index 00047a5d0..5b109971d 100755 --- a/other/prevent-bare-pods/.chainsaw-test/chainsaw-test.yaml +++ b/other/prevent-bare-pods/.chainsaw-test/chainsaw-test.yaml @@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: @@ -10,16 +9,9 @@ spec: try: - apply: file: ns.yaml - - apply: - file: ../prevent-bare-pods.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: prevent-bare-pods - spec: - validationFailureAction: Enforce + - script: + content: | + sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../prevent-bare-pods.yaml | kubectl create -f - - assert: file: chainsaw-step-01-assert-1.yaml - name: step-02 @@ -35,12 +27,27 @@ spec: file: deployment.yaml - name: step-03 try: - - sleep: - duration: 5s + - command: + args: + - "5" + entrypoint: sleep - script: content: | if [ $(kubectl get pods -n prevent-naked-pods-ns | grep gooddeployment01 | wc -l) -gt 0 ]; then exit 0; else exit 1; fi - name: step-99 try: - - script: - content: kubectl delete all --all --force --grace-period=0 -n prevent-naked-pods-ns + - delete: + ref: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: prevent-bare-pods + - command: + args: + - delete + - all + - --all + - --force + - --grace-period=0 + - -n + - prevent-naked-pods-ns + entrypoint: kubectl diff --git a/other/prevent-bare-pods/.chainsaw-test/deployment.yaml b/other/prevent-bare-pods/.chainsaw-test/deployment.yaml index 69f5ff774..8ddcca3cc 100644 --- a/other/prevent-bare-pods/.chainsaw-test/deployment.yaml 
+++ b/other/prevent-bare-pods/.chainsaw-test/deployment.yaml @@ -18,5 +18,5 @@ spec: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 command: ["sleep", "30"] \ No newline at end of file diff --git a/other/prevent-bare-pods/.chainsaw-test/pod-bad.yaml b/other/prevent-bare-pods/.chainsaw-test/pod-bad.yaml index 94d7c7119..be458efe5 100644 --- a/other/prevent-bare-pods/.chainsaw-test/pod-bad.yaml +++ b/other/prevent-bare-pods/.chainsaw-test/pod-bad.yaml @@ -5,4 +5,4 @@ metadata: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 \ No newline at end of file + image: busybox:1.35 \ No newline at end of file diff --git a/other/prevent-bare-pods/.chainsaw-test/pod-good.yaml b/other/prevent-bare-pods/.chainsaw-test/pod-good.yaml index 95edb3b2c..649c25ce4 100644 --- a/other/prevent-bare-pods/.chainsaw-test/pod-good.yaml +++ b/other/prevent-bare-pods/.chainsaw-test/pod-good.yaml @@ -6,8 +6,8 @@ metadata: kind: Deployment name: gooddeployment01 uid: "foo-bar" - name: goodpod01 + name: godpod01 spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 \ No newline at end of file + image: busybox:1.35 \ No newline at end of file diff --git a/other/prevent-bare-pods/.kyverno-test/kyverno-test.yaml b/other/prevent-bare-pods/.kyverno-test/kyverno-test.yaml deleted file mode 100644 index 1a43a336b..000000000 --- a/other/prevent-bare-pods/.kyverno-test/kyverno-test.yaml +++ /dev/null @@ -1,23 +0,0 @@ -apiVersion: cli.kyverno.io/v1alpha1 -kind: Test -metadata: - name: prevent-bare-pods -policies: -- ../prevent-bare-pods.yaml -resources: -- ../.chainsaw-test/pod-bad.yaml -- ../.chainsaw-test/pod-good.yaml -results: -- policy: prevent-bare-pods - rule: bare-pods - kind: Pod - resources: - - badpod01 - result: fail -- policy: prevent-bare-pods - rule: bare-pods - kind: Pod - resources: - - goodpod01 - result: pass - 
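Review bot: The rename from `goodpod01` to `godpod01` in other/prevent-bare-pods/.chainsaw-test/pod-good.yaml looks accidental: the file still describes the "good" pod, pod-bad.yaml keeps `badpod01`, and the .kyverno-test/kyverno-test.yaml deleted in this same commit referenced `goodpod01`. The chainsaw step-03 check greps for `gooddeployment01` rather than the pod name, so the test does not notice the drift. Restore `name: goodpod01` unless the new name is intentional.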
diff --git a/other/prevent-bare-pods/artifacthub-pkg.yml b/other/prevent-bare-pods/artifacthub-pkg.yml index c6c3aadc4..8eb457c4c 100644 --- a/other/prevent-bare-pods/artifacthub-pkg.yml +++ b/other/prevent-bare-pods/artifacthub-pkg.yml @@ -20,4 +20,4 @@ annotations: kyverno/category: "Other, EKS Best Practices" kyverno/kubernetesVersion: "1.23" kyverno/subject: "Pod" -digest: 533a2a23fe80fcd7b5337c209848b1bc4dfb325c28e315a53ec1cd925a087c22 +digest: 3dcbd8d5c7a049035f8eb9c927348db667a6a5fd11a1ddd80e36b0588c6152ea diff --git a/other/prevent-bare-pods/prevent-bare-pods.yaml b/other/prevent-bare-pods/prevent-bare-pods.yaml index 52ff27a31..ec9c7d4a3 100644 --- a/other/prevent-bare-pods/prevent-bare-pods.yaml +++ b/other/prevent-bare-pods/prevent-bare-pods.yaml @@ -17,7 +17,7 @@ metadata: This policy prevents such "bare" Pods from being created unless they originate from a higher-level workload controller of some sort. spec: - validationFailureAction: Audit + validationFailureAction: audit background: true rules: - name: bare-pods diff --git a/other/prevent-cr8escape/.chainsaw-test/chainsaw-test.yaml b/other/prevent-cr8escape/.chainsaw-test/chainsaw-test.yaml index 5c9e73868..ef97704d1 100755 --- a/other/prevent-cr8escape/.chainsaw-test/chainsaw-test.yaml +++ b/other/prevent-cr8escape/.chainsaw-test/chainsaw-test.yaml @@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: diff --git a/other/prevent-cr8escape/.chainsaw-test/podcontroller-bad.yaml b/other/prevent-cr8escape/.chainsaw-test/podcontroller-bad.yaml index 61ca05d85..28649c6d3 100644 --- a/other/prevent-cr8escape/.chainsaw-test/podcontroller-bad.yaml +++ b/other/prevent-cr8escape/.chainsaw-test/podcontroller-bad.yaml 
@@ -23,7 +23,7 @@ spec: value: "foo=bar" containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: batch/v1 kind: CronJob @@ -43,5 +43,5 @@ spec: value: "foo" containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 restartPolicy: OnFailure \ No newline at end of file diff --git a/other/prevent-cr8escape/.chainsaw-test/podcontroller-good.yaml b/other/prevent-cr8escape/.chainsaw-test/podcontroller-good.yaml index 0286eded7..f919b1592 100644 --- a/other/prevent-cr8escape/.chainsaw-test/podcontroller-good.yaml +++ b/other/prevent-cr8escape/.chainsaw-test/podcontroller-good.yaml @@ -23,7 +23,7 @@ spec: value: "foo" containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: batch/v1 kind: CronJob @@ -43,5 +43,5 @@ spec: value: "foo" containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 restartPolicy: OnFailure \ No newline at end of file diff --git a/other/prevent-cr8escape/.chainsaw-test/pods-bad.yaml b/other/prevent-cr8escape/.chainsaw-test/pods-bad.yaml index d85d45d09..6ef434f4a 100644 --- a/other/prevent-cr8escape/.chainsaw-test/pods-bad.yaml +++ b/other/prevent-cr8escape/.chainsaw-test/pods-bad.yaml @@ -11,7 +11,7 @@ spec: value: "foo" containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod @@ -26,4 +26,4 @@ spec: value: "foo=bar" containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 \ No newline at end of file + image: busybox:1.35 \ No newline at end of file diff --git a/other/prevent-cr8escape/.chainsaw-test/pods-good.yaml b/other/prevent-cr8escape/.chainsaw-test/pods-good.yaml index 2281fcfca..c7519c65f 100644 --- a/other/prevent-cr8escape/.chainsaw-test/pods-good.yaml +++ b/other/prevent-cr8escape/.chainsaw-test/pods-good.yaml 
@@ -11,18 +11,18 @@ spec: value: "foo" containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod metadata: name: goodpod02 spec: + securityContext: + allowPrivilegeEscalation: false containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - allowPrivilegeEscalation: false + image: busybox:1.35 --- apiVersion: v1 kind: Pod @@ -31,4 +31,4 @@ metadata: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 \ No newline at end of file + image: busybox:1.35 \ No newline at end of file diff --git a/other/prevent-cr8escape/.kyverno-test/kyverno-test.yaml b/other/prevent-cr8escape/.kyverno-test/kyverno-test.yaml index b9bb93bba..e9dae26dc 100644 --- a/other/prevent-cr8escape/.kyverno-test/kyverno-test.yaml +++ b/other/prevent-cr8escape/.kyverno-test/kyverno-test.yaml @@ -1,7 +1,7 @@ apiVersion: cli.kyverno.io/v1alpha1 kind: Test metadata: - name: prevent-cr8escape + name: restrict- policies: - ../prevent-cr8escape.yaml resources: diff --git a/other/prevent-cr8escape/artifacthub-pkg.yml b/other/prevent-cr8escape/artifacthub-pkg.yml index 203aee69d..078babb4f 100644 --- a/other/prevent-cr8escape/artifacthub-pkg.yml +++ b/other/prevent-cr8escape/artifacthub-pkg.yml @@ -19,4 +19,4 @@ annotations: kyverno/category: "Other" kyverno/kubernetesVersion: "1.23" kyverno/subject: "Pod" -digest: dee90f00f10e3d43caca49f65b30c3977a0350e6fc9a4cdc103dc35d64dcc32d +digest: 67a50e864bbb6fae4b125140c3c19fd42f87a6b2b95f0ce269e6ee6128e81932 diff --git a/other/prevent-cr8escape/prevent-cr8escape.yaml b/other/prevent-cr8escape/prevent-cr8escape.yaml index c911bb9ec..2b49dd16d 100644 --- a/other/prevent-cr8escape/prevent-cr8escape.yaml +++ b/other/prevent-cr8escape/prevent-cr8escape.yaml 
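Review bot: In other/prevent-cr8escape/.chainsaw-test/pods-good.yaml `allowPrivilegeEscalation: false` is moved from the container's `securityContext` to the Pod-level `spec.securityContext`, but that field exists only on the container SecurityContext, not on PodSecurityContext. With the strict server-side field validation recent kubectl versions default to, the apply of goodpod02 is rejected for an unknown field; with legacy validation the field is pruned and goodpod02 carries no privilege-escalation setting at all, which is not the "good" case the fixture is meant to exercise. Move the two lines back under the container, after `image: busybox:1.35`: `securityContext:` / `allowPrivilegeEscalation: false`.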
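Review bot: The test name in other/prevent-cr8escape/.kyverno-test/kyverno-test.yaml changes to `restrict-`, which reads like a truncated edit rather than an intended name; the prevent-bare-pods kyverno-test deleted in this same commit followed the convention of naming the test after its policy. The Kyverno CLI prints this name in its results, so the truncated form makes a failure harder to attribute. Suggest restoring `name: prevent-cr8escape`.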
@@ -16,7 +16,7 @@ metadata: and gain root access to the host. The recommended remediation is to disallow sysctl settings with + or = in their value. spec: - validationFailureAction: Enforce + validationFailureAction: enforce background: true rules: - name: restrict-sysctls-cr8escape @@ -26,9 +26,9 @@ spec: kinds: - Pod validate: - message: "characters '+' or '=' are not allowed in sysctls values" + message: "characters '+' or '=' are not allowed in sysctls values" pattern: spec: =(securityContext): =(sysctls): - - =(value): "!*+* & !*=*" + - =(value): "!*+* & !*=*" \ No newline at end of file diff --git a/other/prevent-duplicate-hpa/.chainsaw-test/bad.yaml b/other/prevent-duplicate-hpa/.chainsaw-test/bad.yaml deleted file mode 100644 index c9c7eb1d7..000000000 --- a/other/prevent-duplicate-hpa/.chainsaw-test/bad.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: autoscaling/v1 -kind: HorizontalPodAutoscaler -metadata: - name: bad-httpd-hpa -spec: - maxReplicas: 3 - minReplicas: 1 - scaleTargetRef: - apiVersion: apps/v1 - kind: Deployment - name: httpd-deployment - targetCPUUtilizationPercentage: 50 diff --git a/other/prevent-duplicate-hpa/.chainsaw-test/chainsaw-test.yaml b/other/prevent-duplicate-hpa/.chainsaw-test/chainsaw-test.yaml deleted file mode 100755 index 77903eb72..000000000 --- a/other/prevent-duplicate-hpa/.chainsaw-test/chainsaw-test.yaml +++ /dev/null 
@@ -1,36 +0,0 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json -apiVersion: chainsaw.kyverno.io/v1alpha1 -kind: Test -metadata: - name: prevent-duplicate-hpa -spec: - steps: - - name: 01 - Create policy and Enforce - try: - - apply: - file: ../prevent-duplicate-hpa.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: prevent-duplicate-hpa - spec: - validationFailureAction: Enforce - - assert: - file: policy-ready.yaml - - name: 02 - Create some unique HPAs - try: - - apply: - file: prereq.yaml - - name: 03 - Try to create duplicate HPAs - try: - - apply: - file: bad.yaml - expect: - - check: - ($error != null): true - - name: 04 - Create new unique HPAs - try: - - apply: - file: good.yaml diff --git a/other/prevent-duplicate-hpa/.chainsaw-test/good.yaml b/other/prevent-duplicate-hpa/.chainsaw-test/good.yaml deleted file mode 100644 index 19c4309c2..000000000 --- a/other/prevent-duplicate-hpa/.chainsaw-test/good.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: autoscaling/v1 -kind: HorizontalPodAutoscaler -metadata: - name: good-hpa -spec: - maxReplicas: 3 - minReplicas: 1 - scaleTargetRef: - apiVersion: apps/v1 - kind: Deployment - name: redis-deployment - targetCPUUtilizationPercentage: 50 diff --git a/other/prevent-duplicate-hpa/.chainsaw-test/policy-ready.yaml b/other/prevent-duplicate-hpa/.chainsaw-test/policy-ready.yaml deleted file mode 100644 index a5dd0d042..000000000 --- a/other/prevent-duplicate-hpa/.chainsaw-test/policy-ready.yaml +++ /dev/null @@ -1,10 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: prevent-duplicate-hpa -status: - conditions: - - reason: Succeeded - status: "True" - type: Ready - diff --git a/other/prevent-duplicate-hpa/.chainsaw-test/prereq.yaml b/other/prevent-duplicate-hpa/.chainsaw-test/prereq.yaml deleted file mode 100644 index c399889fc..000000000 
--- a/other/prevent-duplicate-hpa/.chainsaw-test/prereq.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: autoscaling/v1 -kind: HorizontalPodAutoscaler -metadata: - name: httpd-hpa-exist -spec: - maxReplicas: 3 - minReplicas: 1 - scaleTargetRef: - apiVersion: apps/v1 - kind: Deployment - name: httpd-deployment - targetCPUUtilizationPercentage: 50 diff --git a/other/prevent-duplicate-hpa/artifacthub-pkg.yml b/other/prevent-duplicate-hpa/artifacthub-pkg.yml deleted file mode 100644 index 6431e6018..000000000 --- a/other/prevent-duplicate-hpa/artifacthub-pkg.yml +++ /dev/null 
@@ -1,32 +0,0 @@ -name: prevent-duplicate-hpa -version: 1.0.0 -displayName: Prevent Duplicate HorizontalPodAutoscalers -createdAt: "2024-07-22T12:35:30Z" -description: >- - HorizontalPodAutoscaler (HPA) is useful to automatically adjust the number of pods in a deployment - or replication controller. It requires defining a specific target resource by kind and name. - There are no built-in validation checks by the HPA controller to prevent the creation of multiple HPAs - which target the same resource. This policy has two rules, the first of which ensures that the only targetRef - kinds accepted are one of either Deployment, StatefulSet, ReplicaSet, or DaemonSet. The second - prevents the creation of duplicate HPAs by validating that any new HPA targets a unique resource. -install: |- - ```shell - kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/prevent-duplicate-hpa/prevent-duplicate-hpa.yaml - ``` -keywords: - - kyverno - - other -readme: | - HorizontalPodAutoscaler (HPA) is useful to automatically adjust the number of pods in a deployment - or replication controller. It requires defining a specific target resource by kind and name. - There are no built-in validation checks by the HPA controller to prevent the creation of multiple HPAs - which target the same resource. This policy has two rules, the first of which ensures that the only targetRef - kinds accepted are one of either Deployment, StatefulSet, ReplicaSet, or DaemonSet. The second - prevents the creation of duplicate HPAs by validating that any new HPA targets a unique resource. - - Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ -annotations: - kyverno/category: "Other" - kyverno/kubernetesVersion: "1.27" - kyverno/subject: "HorizontalPodAutoscaler" -digest: 32b4d593d3efa4b433dcc54f76aaaf140f3d654a3905261718ab89155930d880 
diff --git a/other/prevent-duplicate-hpa/prevent-duplicate-hpa.yaml b/other/prevent-duplicate-hpa/prevent-duplicate-hpa.yaml deleted file mode 100644 index ac625ce65..000000000 --- a/other/prevent-duplicate-hpa/prevent-duplicate-hpa.yaml +++ /dev/null 
@@ -1,70 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: prevent-duplicate-hpa - annotations: - policies.kyverno.io/title: Prevent Duplicate HorizontalPodAutoscalers - policies.kyverno.io/category: Other - policies.kyverno.io/severity: medium - kyverno.io/kyverno-version: 1.11.4 - kyverno.io/kubernetes-version: "1.27" - policies.kyverno.io/subject: HorizontalPodAutoscaler - policies.kyverno.io/description: >- - HorizontalPodAutoscaler (HPA) is useful to automatically adjust the number of pods in a deployment - or replication controller. It requires defining a specific target resource by kind and name. - There are no built-in validation checks by the HPA controller to prevent the creation of multiple HPAs - which target the same resource. This policy has two rules, the first of which ensures that the only targetRef - kinds accepted are one of either Deployment, StatefulSet, ReplicaSet, or DaemonSet. The second - prevents the creation of duplicate HPAs by validating that any new HPA targets a unique resource. -spec: - validationFailureAction: Audit - background: false - rules: - - name: verify-kind-name-duplicates - match: - any: - - resources: - kinds: - - HorizontalPodAutoscaler - operations: - - CREATE - validate: - message: >- - The target kind must be specified exactly as Deployment, StatefulSet, ReplicaSet, or DaemonSet. 
- pattern: - spec: - scaleTargetRef: - kind: Deployment | StatefulSet | ReplicaSet | DaemonSet - - name: check-targetref-duplicates - match: - any: - - resources: - kinds: - - HorizontalPodAutoscaler - operations: - - CREATE - preconditions: - all: - - key: - - Deployment - - StatefulSet - - ReplicaSet - - DaemonSet - operator: AnyIn - value: "{{ request.object.spec.scaleTargetRef.kind }}" - context: - - name: targets - apiCall: - urlPath: "/apis/autoscaling/v1/namespaces/{{ request.namespace }}/horizontalpodautoscalers" - jmesPath: "items[?spec.scaleTargetRef.kind=='{{ request.object.spec.scaleTargetRef.kind }}'].spec.scaleTargetRef.name" - validate: - message: >- - The target {{ request.object.spec.scaleTargetRef.kind }} named - {{ request.object.spec.scaleTargetRef.name }} already has an existing - HPA configured for it. Duplicate HPAs are not allowed. - deny: - conditions: - all: - - key: "{{ request.object.spec.scaleTargetRef.name }}" - operator: AnyIn - value: "{{ targets }}" diff --git a/other/prevent-duplicate-vpa/.chainsaw-test/bad.yaml b/other/prevent-duplicate-vpa/.chainsaw-test/bad.yaml deleted file mode 100644 index 1afb8c67f..000000000 --- a/other/prevent-duplicate-vpa/.chainsaw-test/bad.yaml +++ /dev/null @@ -1,23 +0,0 @@ -apiVersion: autoscaling.k8s.io/v1 -kind: VerticalPodAutoscaler -metadata: - name: new-bad01 -spec: - targetRef: - apiVersion: apps/v1 - kind: Deployment - name: busybox - updatePolicy: - updateMode: Auto ---- -apiVersion: autoscaling.k8s.io/v1 -kind: VerticalPodAutoscaler -metadata: - name: new-bad02 -spec: - targetRef: - apiVersion: apps/v1 - kind: StatefulSet - name: nginx - updatePolicy: - updateMode: Auto diff --git a/other/prevent-duplicate-vpa/.chainsaw-test/chainsaw-test.yaml b/other/prevent-duplicate-vpa/.chainsaw-test/chainsaw-test.yaml deleted file mode 100755 index f34e01f60..000000000 --- a/other/prevent-duplicate-vpa/.chainsaw-test/chainsaw-test.yaml +++ /dev/null 
@@ -1,38 +0,0 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json -apiVersion: chainsaw.kyverno.io/v1alpha1 -kind: Test -metadata: - name: prevent-duplicate-vpa -spec: - steps: - - name: 01 - Create policy and Enforce - try: - - apply: - file: permissions.yaml - - apply: - file: ../prevent-duplicate-vpa.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: prevent-duplicate-vpa - spec: - validationFailureAction: Enforce - - assert: - file: policy-ready.yaml - - name: 02 - Create some unique VPAs - try: - - apply: - file: prereq.yaml - - name: 03 - Try to create duplicate VPAs - try: - - apply: - file: bad.yaml - expect: - - check: - ($error != null): true - - name: 04 - Create new unique VPAs - try: - - apply: - file: good.yaml diff --git a/other/prevent-duplicate-vpa/.chainsaw-test/good.yaml b/other/prevent-duplicate-vpa/.chainsaw-test/good.yaml deleted file mode 100644 index e48fb769d..000000000 --- a/other/prevent-duplicate-vpa/.chainsaw-test/good.yaml +++ /dev/null @@ -1,35 +0,0 @@ -apiVersion: autoscaling.k8s.io/v1 -kind: VerticalPodAutoscaler -metadata: - name: new-good01 -spec: - targetRef: - apiVersion: apps/v1 - kind: Deployment - name: redis - updatePolicy: - updateMode: Auto ---- -apiVersion: autoscaling.k8s.io/v1 -kind: VerticalPodAutoscaler -metadata: - name: new-good02 -spec: - targetRef: - apiVersion: apps/v1 - kind: StatefulSet - name: circleci - updatePolicy: - updateMode: Auto ---- -apiVersion: autoscaling.k8s.io/v1 -kind: VerticalPodAutoscaler -metadata: - name: new-good03 -spec: - targetRef: - apiVersion: apps/v1 - kind: DaemonSet - name: foobar - updatePolicy: - updateMode: Auto diff --git a/other/prevent-duplicate-vpa/.chainsaw-test/permissions.yaml b/other/prevent-duplicate-vpa/.chainsaw-test/permissions.yaml deleted file mode 100644 index 6b20b3c83..000000000 
--- a/other/prevent-duplicate-vpa/.chainsaw-test/permissions.yaml +++ /dev/null @@ -1,17 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: kyverno:vpa - labels: - rbac.kyverno.io/aggregate-to-background-controller: "true" - rbac.kyverno.io/aggregate-to-reports-controller: "true" - rbac.kyverno.io/aggregate-to-admission-controller: "true" -rules: -- apiGroups: - - autoscaling.k8s.io - resources: - - verticalpodautoscalers - verbs: - - get - - list - - watch \ No newline at end of file diff --git a/other/prevent-duplicate-vpa/.chainsaw-test/policy-ready.yaml b/other/prevent-duplicate-vpa/.chainsaw-test/policy-ready.yaml deleted file mode 100644 index 3cda7d5f4..000000000 --- a/other/prevent-duplicate-vpa/.chainsaw-test/policy-ready.yaml +++ /dev/null @@ -1,9 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: prevent-duplicate-vpa -status: - conditions: - - reason: Succeeded - status: "True" - type: Ready diff --git a/other/prevent-duplicate-vpa/.chainsaw-test/prereq.yaml b/other/prevent-duplicate-vpa/.chainsaw-test/prereq.yaml deleted file mode 100644 index 58fbcd54a..000000000 --- a/other/prevent-duplicate-vpa/.chainsaw-test/prereq.yaml +++ /dev/null @@ -1,23 +0,0 @@ -apiVersion: autoscaling.k8s.io/v1 -kind: VerticalPodAutoscaler -metadata: - name: exist01 -spec: - targetRef: - apiVersion: apps/v1 - kind: Deployment - name: busybox - updatePolicy: - updateMode: Auto ---- -apiVersion: autoscaling.k8s.io/v1 -kind: VerticalPodAutoscaler -metadata: - name: exist02 -spec: - targetRef: - apiVersion: apps/v1 - kind: StatefulSet - name: nginx - updatePolicy: - updateMode: Auto diff --git a/other/prevent-duplicate-vpa/artifacthub-pkg.yml b/other/prevent-duplicate-vpa/artifacthub-pkg.yml deleted file mode 100644 index 7390e07e9..000000000 --- a/other/prevent-duplicate-vpa/artifacthub-pkg.yml +++ /dev/null 
@@ -1,34 +0,0 @@ -name: prevent-duplicate-vpa -version: 1.0.0 -displayName: Prevent Duplicate VerticalPodAutoscalers -createdAt: "2024-03-09T18:01:00.000Z" -description: >- - VerticalPodAutoscaler (VPA) is useful to automatically adjust the resources assigned to Pods. - It requires defining a specific target resource by kind and name. There are no built-in - validation checks by the VPA controller to prevent the creation of multiple VPAs which target - the same resource. This policy has two rules, the first of which ensures that the only targetRef - kinds accepted are one of either Deployment, StatefulSet, ReplicaSet, or DaemonSet. The second - prevents the creation of duplicate VPAs by validating that any - new VPA targets a unique resource. -install: |- - ```shell - kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/prevent-duplicate-vpa/prevent-duplicate-vpa.yaml - ``` -keywords: - - kyverno - - other -readme: | - VerticalPodAutoscaler (VPA) is useful to automatically adjust the resources assigned to Pods. - It requires defining a specific target resource by kind and name. There are no built-in - validation checks by the VPA controller to prevent the creation of multiple VPAs which target - the same resource. This policy has two rules, the first of which ensures that the only targetRef - kinds accepted are one of either Deployment, StatefulSet, ReplicaSet, or DaemonSet. The second - prevents the creation of duplicate VPAs by validating that any - new VPA targets a unique resource. - - Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ -annotations: - kyverno/category: "Other" - kyverno/kubernetesVersion: "1.27" - kyverno/subject: "VerticalPodAutoscaler" -digest: 3248de8dad0cc893c92c10a8c2a1a809817a17ead98a8120c8fabdec57035134 
diff --git a/other/prevent-duplicate-vpa/prevent-duplicate-vpa.yaml b/other/prevent-duplicate-vpa/prevent-duplicate-vpa.yaml deleted file mode 100644 index 3b7e2600f..000000000 --- a/other/prevent-duplicate-vpa/prevent-duplicate-vpa.yaml +++ /dev/null 
@@ -1,71 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: prevent-duplicate-vpa - annotations: - policies.kyverno.io/title: Prevent Duplicate VerticalPodAutoscalers - policies.kyverno.io/category: Other - policies.kyverno.io/severity: medium - kyverno.io/kyverno-version: 1.11.4 - kyverno.io/kubernetes-version: "1.27" - policies.kyverno.io/subject: VerticalPodAutoscaler - policies.kyverno.io/description: >- - VerticalPodAutoscaler (VPA) is useful to automatically adjust the resources assigned to Pods. - It requires defining a specific target resource by kind and name. There are no built-in - validation checks by the VPA controller to prevent the creation of multiple VPAs which target - the same resource. This policy has two rules, the first of which ensures that the only targetRef - kinds accepted are one of either Deployment, StatefulSet, ReplicaSet, or DaemonSet. The second - prevents the creation of duplicate VPAs by validating that any - new VPA targets a unique resource. -spec: - validationFailureAction: Audit - background: false - rules: - - name: verify-kind-name-duplicates - match: - any: - - resources: - kinds: - - VerticalPodAutoscaler - operations: - - CREATE - validate: - message: >- - The target kind must be specified exactly as Deployment, StatefulSet, ReplicaSet, or DaemonSet. 
- pattern: - spec: - targetRef: - kind: Deployment | StatefulSet | ReplicaSet | DaemonSet - - name: check-targetref-duplicates - match: - any: - - resources: - kinds: - - VerticalPodAutoscaler - operations: - - CREATE - preconditions: - all: - - key: - - Deployment - - StatefulSet - - ReplicaSet - - DaemonSet - operator: AnyIn - value: "{{ request.object.spec.targetRef.kind }}" - context: - - name: targets - apiCall: - urlPath: "/apis/autoscaling.k8s.io/v1/namespaces/{{ request.namespace }}/verticalpodautoscalers" - jmesPath: "items[?spec.targetRef.kind=='{{ request.object.spec.targetRef.kind }}'].spec.targetRef.name" - validate: - message: >- - The target {{ request.object.spec.targetRef.kind }} named - {{ request.object.spec.targetRef.name }} already has an existing - VPA configured for it. Duplicate VPAs are not allowed. - deny: - conditions: - all: - - key: "{{ request.object.spec.targetRef.name }}" - operator: AnyIn - value: "{{ targets }}" diff --git a/other/protect-node-taints/.chainsaw-test/chainsaw-test.yaml b/other/protect-node-taints/.chainsaw-test/chainsaw-test.yaml index 8077ae611..a58a97ebf 100755 --- a/other/protect-node-taints/.chainsaw-test/chainsaw-test.yaml +++ b/other/protect-node-taints/.chainsaw-test/chainsaw-test.yaml @@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: @@ -13,8 +12,10 @@ spec: kubectl get configmap kyverno -n kyverno -o yaml | sed 's/\[Node\/\*,\*,\*\]//g' - | sed 's/\[Node,\*,\*\]//g' - | kubectl apply -f - node=$(kubectl get nodes --no-headers | awk '{print $1}' | head -n 1) kubectl taint nodes "$node" foo=bar:NoSchedule - - sleep: - duration: 5s + - command: + args: + - "5" + entrypoint: sleep - name: step-02 try: - apply: diff --git a/other/protect-node-taints/artifacthub-pkg.yml b/other/protect-node-taints/artifacthub-pkg.yml index 94b87d72e..533658df9 100644 
--- a/other/protect-node-taints/artifacthub-pkg.yml +++ b/other/protect-node-taints/artifacthub-pkg.yml @@ -18,4 +18,4 @@ readme: | annotations: kyverno/category: "Other" kyverno/subject: "Node" -digest: cb8d6a738f2314bb4bb6816669699a6409387aff0712b91225366d014210ba57 +digest: e7d59f8d6cda75ac07409a3a3db6799c9025cab95fc3e5967d155d589a2a43a9 diff --git a/other/protect-node-taints/protect-node-taints.yaml b/other/protect-node-taints/protect-node-taints.yaml index de0ca0e12..efc995a7a 100644 --- a/other/protect-node-taints/protect-node-taints.yaml +++ b/other/protect-node-taints/protect-node-taints.yaml @@ -17,7 +17,7 @@ metadata: requires, at minimum, one of the following versions of Kubernetes: v1.18.18, v1.19.10, v1.20.6, or v1.21.0. spec: - validationFailureAction: Enforce + validationFailureAction: enforce background: false rules: - name: protect-node-taints diff --git a/other/record-creation-details/.chainsaw-test/chainsaw-test.yaml b/other/record-creation-details/.chainsaw-test/chainsaw-test.yaml index 0860e955e..d63c1d776 100755 --- a/other/record-creation-details/.chainsaw-test/chainsaw-test.yaml +++ b/other/record-creation-details/.chainsaw-test/chainsaw-test.yaml @@ -1,18 +1,9 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: + creationTimestamp: null name: record-creation-details spec: - bindings: - # A value named kubeVersion must be passed to Chainsaw using the --values flag the - # value of which is expected to be something like 'v1.26.4'. That value will then be - # processed by the bindings defined in this test and a final value will be evaluated - # by an assertion in the files defined in 'step-02'. - - name: version - value: (x_k8s_server_version($config)) - - name: minorversion - value: (to_number($version.minor)) steps: - name: step-01 try: 
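Review bot: `validationFailureAction: enforce` in protect-node-taints.yaml reverts to the lowercase spelling; current Kyverno documentation uses the capitalized values `Enforce` and `Audit` and, as far as I recall, treats the lowercase forms as a deprecated alias, so this policy risks silently losing enforcement once that alias is dropped. If the downgrade is deliberate to match an older Kyverno release, the policy's `kyverno.io/kyverno-version` annotation (outside this hunk) should be lowered to match; otherwise keep `validationFailureAction: Enforce`. The same lowercase revert appears in record-creation-details.yaml later in this commit.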
diff --git a/other/record-creation-details/.chainsaw-test/ns-patched.yaml b/other/record-creation-details/.chainsaw-test/ns-patched.yaml index dd1f38f65..7df03c152 100644 --- a/other/record-creation-details/.chainsaw-test/ns-patched.yaml +++ b/other/record-creation-details/.chainsaw-test/ns-patched.yaml @@ -2,10 +2,5 @@ apiVersion: v1 kind: Namespace metadata: annotations: - # If the minor version of the Kubernetes cluster against which this - # is tested is less than 29, the annotation is expected to have the group 'system:masters' in it. - # Otherwise, due to a change in kubeadm, the group should be 'kubeadm:cluster-admins'. - # Note the values expected here are specific to testing on a KinD cluster. Testing against - # other types of clusters may result in different values. - kyverno.io/created-by: (($minorversion < `29` && '{"groups":["system:masters","system:authenticated"],"username":"kubernetes-admin"}') || '{"groups":["kubeadm:cluster-admins","system:authenticated"],"username":"kubernetes-admin"}') + kyverno.io/created-by: '{"groups":["system:masters","system:authenticated"],"username":"kubernetes-admin"}' name: record-create-ns \ No newline at end of file diff --git a/other/record-creation-details/.chainsaw-test/pod-patch01.yaml b/other/record-creation-details/.chainsaw-test/pod-patch01.yaml index 810e1d95f..c5ffb9d57 100644 --- a/other/record-creation-details/.chainsaw-test/pod-patch01.yaml +++ b/other/record-creation-details/.chainsaw-test/pod-patch01.yaml @@ -7,4 +7,4 @@ metadata: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 \ No newline at end of file + image: busybox:1.35 \ No newline at end of file diff --git a/other/record-creation-details/.chainsaw-test/pod-patch02.yaml b/other/record-creation-details/.chainsaw-test/pod-patch02.yaml index 8b8d1d8a2..0333b019f 100644 --- a/other/record-creation-details/.chainsaw-test/pod-patch02.yaml +++ b/other/record-creation-details/.chainsaw-test/pod-patch02.yaml 
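Review bot: The hard-coded expectation `kyverno.io/created-by: '{"groups":["system:masters","system:authenticated"],"username":"kubernetes-admin"}'` in ns-patched.yaml pins the assertion to one cluster bootstrap; the comment being removed itself records that kubeadm-based clusters from v1.29 report `kubeadm:cluster-admins` rather than `system:masters`, so the test will fail on newer KinD images and on any cluster whose admin identity differs. If the `$minorversion` binding was dropped because the targeted Chainsaw version does not support `bindings`, consider asserting only the stable part of the value (the username) or at least keeping a comment such as `# expected value is specific to a kubeadm/KinD cluster < v1.29` so the next failure is understood. The same literal is expected in pod-patched.yaml below.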
@@ -7,4 +7,4 @@ metadata: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 \ No newline at end of file + image: busybox:1.35 \ No newline at end of file diff --git a/other/record-creation-details/.chainsaw-test/pod-patched.yaml b/other/record-creation-details/.chainsaw-test/pod-patched.yaml index a8c7f5b58..4682a8066 100644 --- a/other/record-creation-details/.chainsaw-test/pod-patched.yaml +++ b/other/record-creation-details/.chainsaw-test/pod-patched.yaml @@ -2,14 +2,9 @@ apiVersion: v1 kind: Pod metadata: annotations: - # If the minor version of the Kubernetes cluster against which this - # is tested is less than 29, the annotation is expected to have the group 'system:masters' in it. - # Otherwise, due to a change in kubeadm, the group should be 'kubeadm:cluster-admins'. - # Note the values expected here are specific to testing on a KinD cluster. Testing against - # other types of clusters may result in different values. - kyverno.io/created-by: (($minorversion < `29` && '{"groups":["system:masters","system:authenticated"],"username":"kubernetes-admin"}') || '{"groups":["kubeadm:cluster-admins","system:authenticated"],"username":"kubernetes-admin"}') + kyverno.io/created-by: '{"groups":["system:masters","system:authenticated"],"username":"kubernetes-admin"}' name: pod01 spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 \ No newline at end of file + image: busybox:1.35 \ No newline at end of file diff --git a/other/record-creation-details/.chainsaw-test/pod.yaml b/other/record-creation-details/.chainsaw-test/pod.yaml index 1cd38e3ec..4c2e703e9 100644 --- a/other/record-creation-details/.chainsaw-test/pod.yaml +++ b/other/record-creation-details/.chainsaw-test/pod.yaml @@ -5,4 +5,4 @@ metadata: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 \ No newline at end of file + image: busybox:1.35 \ No newline at end of file 
diff --git a/other/record-creation-details/artifacthub-pkg.yml b/other/record-creation-details/artifacthub-pkg.yml index 051a414d6..98f223764 100644 --- a/other/record-creation-details/artifacthub-pkg.yml +++ b/other/record-creation-details/artifacthub-pkg.yml @@ -19,4 +19,4 @@ annotations: kyverno/category: "Other" kyverno/kubernetesVersion: "1.23" kyverno/subject: "Annotation" -digest: c2bf90639f2306db073513d79b29d842614423d651dad2c376bd773c83b346f2 +digest: 95a8dfcaaeb98c59c2ac31afcca749c7b01ee0cb0a1d4b0294f3b3bfb3573357 diff --git a/other/record-creation-details/record-creation-details.yaml b/other/record-creation-details/record-creation-details.yaml index 38b9c7cad..2c5a551bf 100644 --- a/other/record-creation-details/record-creation-details.yaml +++ b/other/record-creation-details/record-creation-details.yaml @@ -22,7 +22,7 @@ metadata: all kinds ("*") it is highly recommend to more narrowly scope it to only the resources which should be labeled. spec: - validationFailureAction: Enforce + validationFailureAction: enforce background: false rules: - name: add-userinfo diff --git a/other/refresh-env-var-in-pod/.chainsaw-test/chainsaw-test.yaml b/other/refresh-env-var-in-pod/.chainsaw-test/chainsaw-test.yaml index 7a1c2c053..da53bb9af 100755 --- a/other/refresh-env-var-in-pod/.chainsaw-test/chainsaw-test.yaml +++ b/other/refresh-env-var-in-pod/.chainsaw-test/chainsaw-test.yaml @@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: @@ -24,15 +23,10 @@ spec: try: - apply: file: deployment.yaml - - wait: - apiVersion: v1 - kind: Pod - namespace: refresh-env-var-ns - timeout: 1m - for: - condition: - name: Ready - value: 'true' + - name: step-03 + try: + - sleep: + duration: 5s - script: content: | kubectl get pod -n refresh-env-var-ns --no-headers | awk '{print $1}' > deploy-names.txt 
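Review bot: Replacing the `wait` for the Pod `Ready` condition with `sleep: duration: 5s` in the new step-03 of refresh-env-var-in-pod makes the test timing-dependent: the script that follows lists pods in `refresh-env-var-ns` and, beyond this hunk, execs into them, which only works once the Deployment's pods are running, and 5 s is not guaranteed on a cold image pull. The removed `wait` with its 1m timeout was the correct synchronization; if the `wait` operation is unavailable in the Chainsaw version being targeted, an equivalent script step is `kubectl wait --for=condition=Ready pod --all -n refresh-env-var-ns --timeout=60s`. The step body continues outside the hunk.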
@@ -116,5 +110,13 @@ spec: echo "Failed. Value of ENV_SECRET is currently $three_env_one." exit 1; fi - - script: - content: kubectl delete all --all --force --grace-period=0 -n refresh-env-var-ns + - command: + args: + - delete + - all + - --all + - --force + - --grace-period=0 + - -n + - refresh-env-var-ns + entrypoint: kubectl diff --git a/other/refresh-volumes-in-pods/.chainsaw-test/chainsaw-test.yaml b/other/refresh-volumes-in-pods/.chainsaw-test/chainsaw-test.yaml index 50337a3de..656d9ef8d 100755 --- a/other/refresh-volumes-in-pods/.chainsaw-test/chainsaw-test.yaml +++ b/other/refresh-volumes-in-pods/.chainsaw-test/chainsaw-test.yaml @@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: @@ -38,15 +37,10 @@ spec: file: chainsaw-step-03-apply-2.yaml - name: step-04 try: - - wait: - apiVersion: v1 - kind: Pod - namespace: refresh-vols-ns - timeout: 1m - for: - condition: - name: Ready - value: 'true' + - command: + args: + - "5" + entrypoint: sleep - script: content: | annotation=$(kubectl get pod pod01 -n refresh-vols-ns -o json | kyverno jp query "metadata.annotations.\"corp.org/random\" || '' " | tail -n 1 | cut -d '"' -f 2) @@ -65,8 +59,10 @@ spec: if [ "$annotation" = "1234abcd" ]; then exit 0; else exit 1; fi - name: step-05 try: - - sleep: - duration: 3s + - command: + args: + - "3" + entrypoint: sleep - script: content: | val=$(kubectl exec pod01 -n refresh-vols-ns -- cat /mnt/foo/foo) @@ -79,5 +75,13 @@ spec: content: | val=$(kubectl exec pod04 -n refresh-vols-ns -- cat /mnt/foo/foo) if [ "$val" = "bar" ]; then exit 0; else exit 1; fi - - script: - content: kubectl delete all --all --force --grace-period=0 -n refresh-vols-ns + - command: + args: + - delete + - all + - --all + - --force + - --grace-period=0 + - -n + - refresh-vols-ns + entrypoint: kubectl 
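Review bot: In refresh-volumes-in-pods step-04 the `wait` for Pod Ready is replaced by a fixed `sleep 5`, but the script immediately after it reads the `corp.org/random` annotation of `pod01` and step-05 execs `cat /mnt/foo/foo`, both of which need the pods scheduled and running; on a slow node or cold pull this will now fail intermittently instead of deterministically. If the Chainsaw `wait` operation cannot be used, prefer a script step with `kubectl wait --for=condition=Ready pod --all -n refresh-vols-ns --timeout=60s` so the readiness contract is still enforced.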
diff --git a/other/remove-hostpath-volumes/.chainsaw-test/chainsaw-test.yaml b/other/remove-hostpath-volumes/.chainsaw-test/chainsaw-test.yaml index b492c3746..56f7d13a1 100755 --- a/other/remove-hostpath-volumes/.chainsaw-test/chainsaw-test.yaml +++ b/other/remove-hostpath-volumes/.chainsaw-test/chainsaw-test.yaml @@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: @@ -34,5 +33,13 @@ spec: file: not-pod-patched05.yaml - name: step-04 try: - - script: - content: kubectl delete all --all --force --grace-period=0 -n remove-hostpathvols-ns + - command: + args: + - delete + - all + - --all + - --force + - --grace-period=0 + - -n + - remove-hostpathvols-ns + entrypoint: kubectl diff --git a/other/remove-hostpath-volumes/.chainsaw-test/not-pod-patched04.yaml b/other/remove-hostpath-volumes/.chainsaw-test/not-pod-patched04.yaml index e18da3573..a8989f2ab 100644 --- a/other/remove-hostpath-volumes/.chainsaw-test/not-pod-patched04.yaml +++ b/other/remove-hostpath-volumes/.chainsaw-test/not-pod-patched04.yaml @@ -7,17 +7,17 @@ spec: automountServiceAccountToken: false containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 volumeMounts: - mountPath: /foo name: config-vol - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 volumeMounts: - mountPath: /foo name: foo - name: busybox03 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 volumeMounts: - mountPath: /foo name: empty diff --git a/other/remove-hostpath-volumes/.chainsaw-test/not-pod-patched05.yaml b/other/remove-hostpath-volumes/.chainsaw-test/not-pod-patched05.yaml index e182bbc32..8c9d75a51 100644 --- a/other/remove-hostpath-volumes/.chainsaw-test/not-pod-patched05.yaml +++ b/other/remove-hostpath-volumes/.chainsaw-test/not-pod-patched05.yaml 
@@ -7,14 +7,14 @@ spec: automountServiceAccountToken: false containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 volumeMounts: - mountPath: /foo name: foo - name: busybox03 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 volumes: - name: foo hostPath: diff --git a/other/remove-hostpath-volumes/.chainsaw-test/pod-patched.yaml b/other/remove-hostpath-volumes/.chainsaw-test/pod-patched.yaml index 0831ab7ee..dd850344b 100644 --- a/other/remove-hostpath-volumes/.chainsaw-test/pod-patched.yaml +++ b/other/remove-hostpath-volumes/.chainsaw-test/pod-patched.yaml @@ -7,17 +7,17 @@ spec: automountServiceAccountToken: false containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 volumeMounts: - mountPath: /foo name: empty - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 volumeMounts: - mountPath: /foo name: empty - name: busybox03 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 volumeMounts: - mountPath: /foo name: empty diff --git a/other/remove-hostpath-volumes/.chainsaw-test/pod-patched02.yaml b/other/remove-hostpath-volumes/.chainsaw-test/pod-patched02.yaml index 2d69f1266..5823e1a99 100644 --- a/other/remove-hostpath-volumes/.chainsaw-test/pod-patched02.yaml +++ b/other/remove-hostpath-volumes/.chainsaw-test/pod-patched02.yaml @@ -7,12 +7,12 @@ spec: automountServiceAccountToken: false containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 volumeMounts: - mountPath: /foo name: config-vol - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 volumeMounts: - mountPath: /foo name: empty diff --git a/other/remove-hostpath-volumes/.chainsaw-test/pod-patched03.yaml b/other/remove-hostpath-volumes/.chainsaw-test/pod-patched03.yaml index 8a48b8687..7e8c842bd 100644 
--- a/other/remove-hostpath-volumes/.chainsaw-test/pod-patched03.yaml +++ b/other/remove-hostpath-volumes/.chainsaw-test/pod-patched03.yaml @@ -7,7 +7,7 @@ spec: automountServiceAccountToken: false containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 volumes: - name: empty emptyDir: diff --git a/other/remove-hostpath-volumes/.chainsaw-test/pod-patched04.yaml b/other/remove-hostpath-volumes/.chainsaw-test/pod-patched04.yaml index b520b7761..62a4ea1c3 100644 --- a/other/remove-hostpath-volumes/.chainsaw-test/pod-patched04.yaml +++ b/other/remove-hostpath-volumes/.chainsaw-test/pod-patched04.yaml @@ -7,14 +7,14 @@ spec: automountServiceAccountToken: false containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 volumeMounts: - mountPath: /foo name: config-vol - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: busybox03 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 volumeMounts: - mountPath: /foo name: empty diff --git a/other/remove-hostpath-volumes/.chainsaw-test/pods.yaml b/other/remove-hostpath-volumes/.chainsaw-test/pods.yaml index b8a610b58..597250679 100644 --- a/other/remove-hostpath-volumes/.chainsaw-test/pods.yaml +++ b/other/remove-hostpath-volumes/.chainsaw-test/pods.yaml @@ -7,21 +7,21 @@ spec: automountServiceAccountToken: false containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 volumeMounts: - mountPath: /test-pd name: foo - mountPath: /foo name: empty - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 volumeMounts: - mountPath: /foo name: empty - mountPath: /test-pd name: bar - name: busybox03 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 volumeMounts: - mountPath: /foo name: empty 
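Review bot: Switching the fixture images in pods.yaml (and the matching pod-patched*/not-pod-patched* assertions) from `ghcr.io/kyverno/test-busybox:1.35` to the unqualified `busybox:1.35` makes the tests depend on Docker Hub: an unqualified reference resolves to `docker.io/library/busybox`, which is subject to anonymous pull rate limits in CI and is a mutable tag outside the project's control, whereas the previous image lived in a namespace the project owns. If the goal is to drop the ghcr.io dependency, keep a fully-qualified reference and ideally pin a digest (`docker.io/library/busybox:1.35@sha256:...`) so the policy under test sees a deterministic input. The same substitution is made in the other test fixtures in this commit.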
@@ -46,12 +46,12 @@ spec: automountServiceAccountToken: false containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 volumeMounts: - mountPath: /foo name: config-vol - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 volumeMounts: - mountPath: /foo name: empty @@ -79,7 +79,7 @@ spec: automountServiceAccountToken: false containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 volumes: - name: empty emptyDir: @@ -101,17 +101,17 @@ spec: automountServiceAccountToken: false containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 volumeMounts: - mountPath: /foo name: config-vol - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 volumeMounts: - mountPath: /foo name: foo - name: busybox03 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 volumeMounts: - mountPath: /foo name: empty @@ -139,14 +139,14 @@ spec: automountServiceAccountToken: false containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 volumeMounts: - mountPath: /foo name: foo - name: busybox03 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 volumes: - name: foo hostPath: diff --git a/other/remove-serviceaccount-token/.chainsaw-test/chainsaw-test.yaml b/other/remove-serviceaccount-token/.chainsaw-test/chainsaw-test.yaml index 2bf166b8e..e9bba4e2d 100755 --- a/other/remove-serviceaccount-token/.chainsaw-test/chainsaw-test.yaml +++ b/other/remove-serviceaccount-token/.chainsaw-test/chainsaw-test.yaml @@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: 
@@ -30,5 +29,13 @@ spec: file: pod-not-patched02.yaml - name: step-04 try: - - script: - content: kubectl delete all --all --force --grace-period=0 -n remove-satoken-ns + - command: + args: + - delete + - all + - --all + - --force + - --grace-period=0 + - -n + - remove-satoken-ns + entrypoint: kubectl diff --git a/other/remove-serviceaccount-token/.chainsaw-test/pod-not-patched01.yaml b/other/remove-serviceaccount-token/.chainsaw-test/pod-not-patched01.yaml index ba3fc9c5f..7fe897c39 100644 --- a/other/remove-serviceaccount-token/.chainsaw-test/pod-not-patched01.yaml +++ b/other/remove-serviceaccount-token/.chainsaw-test/pod-not-patched01.yaml @@ -6,12 +6,12 @@ metadata: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 volumeMounts: - mountPath: /var/run/secrets/kubernetes.io/serviceaccount readOnly: true - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 volumeMounts: - mountPath: /var/run/secrets/kubernetes.io/serviceaccount readOnly: true diff --git a/other/remove-serviceaccount-token/.chainsaw-test/pod-not-patched02.yaml b/other/remove-serviceaccount-token/.chainsaw-test/pod-not-patched02.yaml index b7c2e0e08..c5ff1df27 100644 --- a/other/remove-serviceaccount-token/.chainsaw-test/pod-not-patched02.yaml +++ b/other/remove-serviceaccount-token/.chainsaw-test/pod-not-patched02.yaml @@ -8,9 +8,9 @@ metadata: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 volumeMounts: - mountPath: /foo name: empty diff --git a/other/remove-serviceaccount-token/.chainsaw-test/pod-patched.yaml b/other/remove-serviceaccount-token/.chainsaw-test/pod-patched.yaml index ca17e41b1..1a9d41e47 100644 --- a/other/remove-serviceaccount-token/.chainsaw-test/pod-patched.yaml +++ b/other/remove-serviceaccount-token/.chainsaw-test/pod-patched.yaml 
@@ -6,9 +6,9 @@ metadata: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 volumeMounts: - mountPath: /foo name: empty diff --git a/other/remove-serviceaccount-token/.chainsaw-test/pod-patched02.yaml b/other/remove-serviceaccount-token/.chainsaw-test/pod-patched02.yaml index 1963fae18..c26aa7af7 100644 --- a/other/remove-serviceaccount-token/.chainsaw-test/pod-patched02.yaml +++ b/other/remove-serviceaccount-token/.chainsaw-test/pod-patched02.yaml @@ -7,7 +7,7 @@ spec: automountServiceAccountToken: false containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 volumeMounts: - mountPath: /foo name: config-vol diff --git a/other/remove-serviceaccount-token/.chainsaw-test/pods.yaml b/other/remove-serviceaccount-token/.chainsaw-test/pods.yaml index 20573908e..f79271c58 100644 --- a/other/remove-serviceaccount-token/.chainsaw-test/pods.yaml +++ b/other/remove-serviceaccount-token/.chainsaw-test/pods.yaml @@ -6,9 +6,9 @@ metadata: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod @@ -18,9 +18,9 @@ metadata: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 volumeMounts: - mountPath: /foo name: empty @@ -39,7 +39,7 @@ spec: automountServiceAccountToken: false containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 volumeMounts: - mountPath: /foo name: config-vol 
@@ -65,9 +65,9 @@ metadata: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 volumeMounts: - mountPath: /foo name: empty diff --git a/other/replace-image-registry-with-harbor/.chainsaw-test/chainsaw-test.yaml b/other/replace-image-registry-with-harbor/.chainsaw-test/chainsaw-test.yaml deleted file mode 100644 index 64fc7538a..000000000 --- a/other/replace-image-registry-with-harbor/.chainsaw-test/chainsaw-test.yaml +++ /dev/null @@ -1,20 +0,0 @@ -apiVersion: chainsaw.kyverno.io/v1alpha1 -kind: Test -metadata: - name: replace-image-registry-with-harbor -spec: - steps: - - name: step-01 - try: - - apply: - file: ../replace-image-registry-with-harbor.yaml - - assert: - file: policy-ready.yaml - - name: step-02 - try: - - apply: - file: ../.kyverno-test/resource.yaml - - assert: - file: ../.kyverno-test/patchedResource.yaml - - assert: - file: ../.kyverno-test/patchedResource2.yaml \ No newline at end of file diff --git a/other/replace-image-registry-with-harbor/.chainsaw-test/policy-ready.yaml b/other/replace-image-registry-with-harbor/.chainsaw-test/policy-ready.yaml deleted file mode 100644 index bb75ef485..000000000 --- a/other/replace-image-registry-with-harbor/.chainsaw-test/policy-ready.yaml +++ /dev/null @@ -1,9 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: replace-image-registry-with-harbor -status: - conditions: - - reason: Succeeded - status: "True" - type: Ready diff --git a/other/replace-image-registry-with-harbor/.kyverno-test/README.md b/other/replace-image-registry-with-harbor/.kyverno-test/README.md deleted file mode 100644 index 53ede54ed..000000000 --- a/other/replace-image-registry-with-harbor/.kyverno-test/README.md +++ /dev/null 
@@ -1,3 +0,0 @@ -# README - -Temporarily disabling this test until we can find a way to provide per-container context variables in a Values file. \ No newline at end of file diff --git a/other/replace-image-registry-with-harbor/.kyverno-test/disabled-test.yaml b/other/replace-image-registry-with-harbor/.kyverno-test/disabled-test.yaml deleted file mode 100644 index 8d86c4f07..000000000 --- a/other/replace-image-registry-with-harbor/.kyverno-test/disabled-test.yaml +++ /dev/null @@ -1,23 +0,0 @@ -apiVersion: cli.kyverno.io/v1alpha1 -kind: Test -metadata: - name: replace-image-registry-with-harbor -policies: - - ../replace-image-registry-with-harbor.yaml -resources: - - resource.yaml -results: - - kind: Pod - patchedResource: patchedResource.yaml - policy: replace-image-registry-with-harbor - resources: - - myapp-pod1 - result: pass - rule: redirect-docker - - kind: Pod - patchedResource: patchedResource2.yaml - policy: replace-image-registry-with-harbor - resources: - - myapp-pod2 - result: pass - rule: redirect-docker \ No newline at end of file diff --git a/other/replace-image-registry-with-harbor/.kyverno-test/patchedResource.yaml b/other/replace-image-registry-with-harbor/.kyverno-test/patchedResource.yaml deleted file mode 100644 index c92f9c67f..000000000 --- a/other/replace-image-registry-with-harbor/.kyverno-test/patchedResource.yaml +++ /dev/null @@ -1,9 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: myapp-pod1 - namespace: default -spec: - containers: - - image: harbor.example.com/k8s/library/nginx:latest - name: docker-with-registry diff --git a/other/replace-image-registry-with-harbor/.kyverno-test/patchedResource2.yaml b/other/replace-image-registry-with-harbor/.kyverno-test/patchedResource2.yaml deleted file mode 100644 index 666cf0b14..000000000 --- a/other/replace-image-registry-with-harbor/.kyverno-test/patchedResource2.yaml +++ /dev/null 
@@ -1,18 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: myapp-pod2 - namespace: default -spec: - initContainers: - - command: - - sh - - -c - - echo The app is running! && sleep 3600 - image: harbor.example.com/k8s/library/busybox:latest - name: init-without-registry - containers: - - image: harbor.example.com/k8s/library/nginx:latest - name: without-registry - - name: busybox03 - image: ghcr.io/kyverno/test-verify-image:unsigned diff --git a/other/replace-image-registry-with-harbor/.kyverno-test/resource.yaml b/other/replace-image-registry-with-harbor/.kyverno-test/resource.yaml deleted file mode 100644 index a9b9ce2a8..000000000 --- a/other/replace-image-registry-with-harbor/.kyverno-test/resource.yaml +++ /dev/null @@ -1,25 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: myapp-pod1 - namespace: default -spec: - containers: - - image: docker.io/nginx:latest - name: docker-with-registry ---- -apiVersion: v1 -kind: Pod -metadata: - name: myapp-pod2 - namespace: default -spec: - containers: - - name: without-registry - image: nginx:latest - - name: busybox03 - image: ghcr.io/kyverno/test-verify-image:unsigned - initContainers: - - name: init-without-registry - image: busybox:latest - command: ['sh', '-c', 'echo The app is running! && sleep 3600'] \ No newline at end of file diff --git a/other/replace-image-registry-with-harbor/artifacthub-pkg.yml b/other/replace-image-registry-with-harbor/artifacthub-pkg.yml deleted file mode 100755 index d38d373cd..000000000 --- a/other/replace-image-registry-with-harbor/artifacthub-pkg.yml +++ /dev/null 
@@ -1,34 +0,0 @@ -name: replace-image-registry-with-harbor -version: 1.0.0 -displayName: Replace Image Registry With Harbor -createdAt: "2024-03-02T21:27:05.000Z" -description: >- - Some registries like Harbor offer pull-through caches for images from certain registries. - Images can be re-written to be pulled from the redirected registry instead of the original and - the registry will proxy pull the image, adding it to its internal cache. - The imageData context variable in this policy provides a normalized view - of the container image, allowing the policy to make decisions based on various - "live" image details. As a result, it requires access to the source registry and the existence - of the target image to verify those details. -install: |- - ```shell - kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/replace-image-registry-with-harbor/replace-image-registry-with-harbor.yaml - ``` -keywords: - - kyverno - - Sample -readme: | - Some registries like Harbor offer pull-through caches for images from certain registries. - Images can be re-written to be pulled from the redirected registry instead of the original and - the registry will proxy pull the image, adding it to its internal cache. - The imageData context variable in this policy provides a normalized view - of the container image, allowing the policy to make decisions based on various - "live" image details. As a result, it requires access to the source registry and the existence - of the target image to verify those details. - - Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ -annotations: - kyverno/category: "Sample" - kyverno/kubernetesVersion: "1.27" - kyverno/subject: "Pod" -digest: 8f88cbddbaec89d29c062e6f6c8385b75f46b7d958954e637d686e82e893856c \ No newline at end of file 
diff --git a/other/replace-image-registry-with-harbor/replace-image-registry-with-harbor.yaml b/other/replace-image-registry-with-harbor/replace-image-registry-with-harbor.yaml deleted file mode 100755 index be06f4c42..000000000 --- a/other/replace-image-registry-with-harbor/replace-image-registry-with-harbor.yaml +++ /dev/null 
@@ -1,63 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: replace-image-registry-with-harbor - annotations: - policies.kyverno.io/title: Replace Image Registry With Harbor - pod-policies.kyverno.io/autogen-controllers: none - policies.kyverno.io/category: Sample - policies.kyverno.io/severity: medium - policies.kyverno.io/subject: Pod - kyverno.io/kyverno-version: 1.11.4 - kyverno.io/kubernetes-version: "1.27" - policies.kyverno.io/description: >- - Some registries like Harbor offer pull-through caches for images from certain registries. - Images can be re-written to be pulled from the redirected registry instead of the original and - the registry will proxy pull the image, adding it to its internal cache. - The imageData context variable in this policy provides a normalized view - of the container image, allowing the policy to make decisions based on various - "live" image details. As a result, it requires access to the source registry and the existence - of the target image to verify those details. -spec: - rules: - - name: redirect-docker - match: - any: - - resources: - kinds: - - Pod - operations: - - CREATE - - UPDATE - mutate: - foreach: - - list: request.object.spec.initContainers[] - context: - - name: imageData - imageRegistry: - reference: "{{ element.image }}" - preconditions: - any: - - key: "{{imageData.registry}}" - operator: Equals - value: index.docker.io - patchStrategicMerge: - spec: - initContainers: - - name: "{{ element.name }}" - image: harbor.example.com/k8s/{{imageData.repository}}:{{imageData.identifier}} - - list: request.object.spec.containers[] - context: - - name: imageData - imageRegistry: - reference: "{{ element.image }}" - preconditions: - any: - - key: "{{imageData.registry}}" - operator: Equals - value: index.docker.io - patchStrategicMerge: - spec: - containers: - - name: "{{ element.name }}" - image: harbor.example.com/k8s/{{imageData.repository}}:{{imageData.identifier}} 
diff --git a/other/replace-image-registry/.chainsaw-test/chainsaw-test.yaml b/other/replace-image-registry/.chainsaw-test/chainsaw-test.yaml
index 935adc745..b41e36558 100755
--- a/other/replace-image-registry/.chainsaw-test/chainsaw-test.yaml
+++ b/other/replace-image-registry/.chainsaw-test/chainsaw-test.yaml
@@ -1,4 +1,3 @@
-# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
 apiVersion: chainsaw.kyverno.io/v1alpha1
 kind: Test
 metadata:
@@ -26,5 +25,13 @@ spec:
 file: pod-patched03.yaml
 - name: step-03
 try:
- - script:
- content: kubectl delete all --all --force --grace-period=0 -n replace-registry-ns
+ - command:
+ args:
+ - delete
+ - all
+ - --all
+ - --force
+ - --grace-period=0
+ - -n
+ - replace-registry-ns
+ entrypoint: kubectl
diff --git a/other/replace-image-registry/.chainsaw-test/pods.yaml b/other/replace-image-registry/.chainsaw-test/pods.yaml
index 431e2298a..34c9f6f41 100644
--- a/other/replace-image-registry/.chainsaw-test/pods.yaml
+++ b/other/replace-image-registry/.chainsaw-test/pods.yaml
@@ -6,7 +6,7 @@ metadata:
 spec:
 containers:
 - name: busybox
- image: ghcr.io/busybox:1.35
+ image: busybox:1.35
 - name: busybox02
 image: docker.io/busybox:1.35
 ---
diff --git a/other/replace-ingress-hosts/.chainsaw-test/chainsaw-test.yaml b/other/replace-ingress-hosts/.chainsaw-test/chainsaw-test.yaml
index 144e2ff80..6e167934a 100755
--- a/other/replace-ingress-hosts/.chainsaw-test/chainsaw-test.yaml
+++ b/other/replace-ingress-hosts/.chainsaw-test/chainsaw-test.yaml
@@ -1,4 +1,3 @@
-# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
 apiVersion: chainsaw.kyverno.io/v1alpha1
 kind: Test
 metadata:
diff --git a/other/require-annotations/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other/require-annotations/.chainsaw-test/chainsaw-step-01-assert-1.yaml
index 263c5c382..fd8ed662a 100755
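Review bot: The pods.yaml fixture now depends on an unqualified reference, `busybox:1.35`, which carries no registry component at all; whether the replace-image-registry policy rewrites it hinges on the policy normalizing the reference to `docker.io/library/busybox` before matching, and neither the policy nor the expected output `pod-patched03.yaml` is part of this diff. If the policy matches on a literal `docker.io/` prefix of `spec.containers[].image`, this container will pass through untouched while `busybox02` is rewritten, so confirm the expectation file was updated in step. A one-line comment above the container, `# unqualified reference: exercises default-registry normalization`, would make the intent explicit for the next reader.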
--- a/other/require-annotations/.chainsaw-test/chainsaw-step-01-assert-1.yaml
+++ b/other/require-annotations/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -3,8 +3,4 @@ kind: ClusterPolicy
 metadata:
 name: require-annotations
 status:
- conditions:
- - reason: Succeeded
- status: "True"
- type: Ready
-
+ ready: true
diff --git a/other/require-annotations/.chainsaw-test/chainsaw-test.yaml b/other/require-annotations/.chainsaw-test/chainsaw-test.yaml
index 258688cdc..a2ff38e2f 100755
--- a/other/require-annotations/.chainsaw-test/chainsaw-test.yaml
+++ b/other/require-annotations/.chainsaw-test/chainsaw-test.yaml
@@ -1,4 +1,3 @@
-# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
 apiVersion: chainsaw.kyverno.io/v1alpha1
 kind: Test
 metadata:
@@ -8,16 +7,9 @@ spec:
 steps:
 - name: step-01
 try:
- - apply:
- file: ../require-annotations.yaml
- - patch:
- resource:
- apiVersion: kyverno.io/v1
- kind: ClusterPolicy
- metadata:
- name: require-annotations
- spec:
- validationFailureAction: Enforce
+ - script:
+ content: |
+ sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../require-annotations.yaml | kubectl create -f -
 - assert:
 file: chainsaw-step-01-assert-1.yaml
 - name: step-02
@@ -36,3 +28,10 @@ spec:
 - check:
 ($error != null): true
 file: podcontroller-bad.yaml
+ - name: step-99
+ try:
+ - delete:
+ ref:
+ apiVersion: kyverno.io/v1
+ kind: ClusterPolicy
+ name: require-annotations
diff --git a/other/require-annotations/.chainsaw-test/pod-bad.yaml b/other/require-annotations/.chainsaw-test/pod-bad.yaml
index 67847efb5..9b0858baf 100644
--- a/other/require-annotations/.chainsaw-test/pod-bad.yaml
+++ b/other/require-annotations/.chainsaw-test/pod-bad.yaml
@@ -7,7 +7,7 @@ metadata:
 spec:
 containers:
 - name: busybox
- image: ghcr.io/kyverno/test-busybox:1.35
+ image: busybox:1.35
 ---
 apiVersion: v1
 kind: Pod
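Review bot: The new `sed ... | kubectl create -f -` step in chainsaw-test.yaml reports only kubectl's exit status, so a sed that matches nothing (for instance if the policy file ever goes back to the capitalized `Audit` spelling) still creates the policy, just in Audit mode, and the `($error != null): true` expectations in step-02 then fail later with a misleading message. The cheapest guard is in the sibling assert file: extend chainsaw-step-01-assert-1.yaml with `spec:` / `  validationFailureAction: Enforce` under the existing `status: ready: true` so the step fails at the point the substitution went wrong, and make the pattern tolerant, `sed -E 's/validationFailureAction: [Aa]udit/validationFailureAction: Enforce/'`. Note also that `kubectl create` errors on a ClusterPolicy left over from an interrupted run, where the previous `apply` was idempotent; the added step-99 delete only helps when the test reaches it. A resource created from a script presumably sits outside chainsaw's automatic cleanup, which looks like the reason for step-99, and a short comment on that step saying so would save the next reader the inference.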
@@ -16,4 +16,4 @@ metadata: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 \ No newline at end of file + image: busybox:1.35 \ No newline at end of file diff --git a/other/require-annotations/.chainsaw-test/pod-good.yaml b/other/require-annotations/.chainsaw-test/pod-good.yaml index 595021867..921c8ccbc 100644 --- a/other/require-annotations/.chainsaw-test/pod-good.yaml +++ b/other/require-annotations/.chainsaw-test/pod-good.yaml @@ -7,4 +7,4 @@ metadata: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 \ No newline at end of file + image: busybox:1.35 \ No newline at end of file diff --git a/other/require-annotations/.chainsaw-test/podcontroller-bad.yaml b/other/require-annotations/.chainsaw-test/podcontroller-bad.yaml index 1c921aa36..a5b33062f 100644 --- a/other/require-annotations/.chainsaw-test/podcontroller-bad.yaml +++ b/other/require-annotations/.chainsaw-test/podcontroller-bad.yaml @@ -19,7 +19,7 @@ spec: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: batch/v1 kind: CronJob @@ -34,5 +34,5 @@ spec: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 restartPolicy: OnFailure \ No newline at end of file diff --git a/other/require-annotations/.chainsaw-test/podcontroller-good.yaml b/other/require-annotations/.chainsaw-test/podcontroller-good.yaml index be29b46ab..3141ba5a2 100644 --- a/other/require-annotations/.chainsaw-test/podcontroller-good.yaml +++ b/other/require-annotations/.chainsaw-test/podcontroller-good.yaml @@ -19,7 +19,7 @@ spec: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: batch/v1 kind: CronJob @@ -36,5 +36,5 @@ spec: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 restartPolicy: OnFailure \ No newline at end of file 
diff --git a/other/require-annotations/.kyverno-test/kyverno-test.yaml b/other/require-annotations/.kyverno-test/kyverno-test.yaml deleted file mode 100644 index 8cf9c591a..000000000 --- a/other/require-annotations/.kyverno-test/kyverno-test.yaml +++ /dev/null @@ -1,50 +0,0 @@ -apiVersion: cli.kyverno.io/v1alpha1 -kind: Test -metadata: - name: require-annotations -policies: -- ../require-annotations.yaml -resources: -- ../.chainsaw-test/pod-bad.yaml -- ../.chainsaw-test/pod-good.yaml -- ../.chainsaw-test/podcontroller-bad.yaml -- ../.chainsaw-test/podcontroller-good.yaml -results: -- kind: Pod - policy: require-annotations - resources: - - badpod01 - - badpod02 - result: fail - rule: check-for-annotation -- kind: Pod - policy: require-annotations - resources: - - goodpod01 - result: pass - rule: check-for-annotation -- kind: Deployment - policy: require-annotations - resources: - - baddeployment01 - result: fail - rule: check-for-annotation -- kind: CronJob - policy: require-annotations - resources: - - badcronjob01 - result: fail - rule: check-for-annotation -- kind: Deployment - policy: require-annotations - resources: - - gooddeployment01 - result: pass - rule: check-for-annotation -- kind: CronJob - policy: require-annotations - resources: - - goodcronjob01 - result: pass - rule: check-for-annotation - diff --git a/other/require-annotations/artifacthub-pkg.yml b/other/require-annotations/artifacthub-pkg.yml index 05bd74b20..0e0b55a67 100644 --- a/other/require-annotations/artifacthub-pkg.yml +++ b/other/require-annotations/artifacthub-pkg.yml @@ -18,4 +18,4 @@ readme: | annotations: kyverno/category: "Other" kyverno/subject: "Pod, Annotation" -digest: 8a834315ded9e0c9db8c138cc02ff5d8bf0791428f01379aafcfe2158d06d4a4 +digest: fafe53fa9a2931eba4755bff2e2a8dfeced08c3fa02593c966d9a07fdd4ae604 diff --git a/other/require-annotations/require-annotations.yaml b/other/require-annotations/require-annotations.yaml index 8a8b95c16..25cbec47e 100644 
--- a/other/require-annotations/require-annotations.yaml +++ b/other/require-annotations/require-annotations.yaml @@ -13,7 +13,7 @@ metadata: all tools can understand. The recommended annotations describe applications in a way that can be queried. This policy validates that the annotation `corp.org/department` is specified with some value. spec: - validationFailureAction: Audit + validationFailureAction: audit background: true rules: - name: check-for-annotation diff --git a/other/require-base-image/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other/require-base-image/.chainsaw-test/chainsaw-step-01-assert-1.yaml index 40047293c..9b92524c0 100755 --- a/other/require-base-image/.chainsaw-test/chainsaw-step-01-assert-1.yaml +++ b/other/require-base-image/.chainsaw-test/chainsaw-step-01-assert-1.yaml @@ -3,8 +3,4 @@ kind: ClusterPolicy metadata: name: require-base-image status: - conditions: - - reason: Succeeded - status: "True" - type: Ready - + ready: true diff --git a/other/require-base-image/.chainsaw-test/chainsaw-test.yaml b/other/require-base-image/.chainsaw-test/chainsaw-test.yaml index 2a767b3af..0e9f0a2e6 100755 --- a/other/require-base-image/.chainsaw-test/chainsaw-test.yaml +++ b/other/require-base-image/.chainsaw-test/chainsaw-test.yaml @@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: @@ -10,16 +9,9 @@ spec: try: - apply: file: ns.yaml - - apply: - file: ../require-base-image.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: require-base-image - spec: - validationFailureAction: Enforce + - script: + content: | + sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../require-base-image.yaml | kubectl create -f - - assert: file: chainsaw-step-01-assert-1.yaml - name: step-02 
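Review bot: `validationFailureAction: audit` in require-annotations.yaml departs from the capitalized `Audit`/`Enforce` form used in Kyverno's documentation; the lowercase spelling works only if the CRD enum admits both, which this diff does not show, and the exact string is now load-bearing for the test's `sed 's/validationFailureAction: audit/...'` substitution elsewhere in this commit. If a later edit restores `Audit`, the policy stays valid but the chainsaw test silently runs it in Audit mode and its negative cases stop proving anything. Either keep the canonical `Audit` and loosen the sed pattern to `[Aa]udit`, or add a comment beside the field, `# lowercase 'audit' is matched verbatim by .chainsaw-test/chainsaw-test.yaml`, so the coupling is visible to whoever touches it next.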
@@ -40,5 +32,18 @@ spec:
 file: podcontroller-bad.yaml
 - name: step-99
 try:
- - script:
- content: kubectl delete all --all --force --grace-period=0 -n require-base-image-ns
+ - delete:
+ ref:
+ apiVersion: kyverno.io/v1
+ kind: ClusterPolicy
+ name: require-base-image
+ - command:
+ args:
+ - delete
+ - all
+ - --all
+ - --force
+ - --grace-period=0
+ - -n
+ - require-base-image-ns
+ entrypoint: kubectl
diff --git a/other/require-base-image/.chainsaw-test/pod-bad.yaml b/other/require-base-image/.chainsaw-test/pod-bad.yaml
index 1cbc08a5f..7223403a6 100644
--- a/other/require-base-image/.chainsaw-test/pod-bad.yaml
+++ b/other/require-base-image/.chainsaw-test/pod-bad.yaml
@@ -8,7 +8,7 @@ spec:
 - name: cowrie
 image: docker.io/trithemius/cowrie:latest
 - name: bb
- image: ghcr.io/kyverno/test-busybox:1.35
+ image: busybox:1.35
 ---
 apiVersion: v1
 kind: Pod
@@ -18,7 +18,7 @@ metadata:
 spec:
 containers:
 - name: bb
- image: ghcr.io/kyverno/test-busybox:1.35
+ image: busybox:1.35
 - name: kyverno
 image: ghcr.io/kyverno/kyverno:latest
 ---
@@ -30,4 +30,4 @@ metadata:
 spec:
 containers:
 - name: bb
- image: ghcr.io/kyverno/test-busybox:1.35
\ No newline at end of file
+ image: busybox:1.35
\ No newline at end of file
diff --git a/other/require-base-image/.chainsaw-test/podcontroller-bad.yaml b/other/require-base-image/.chainsaw-test/podcontroller-bad.yaml
index 20a9e94fd..abedca421 100644
--- a/other/require-base-image/.chainsaw-test/podcontroller-bad.yaml
+++ b/other/require-base-image/.chainsaw-test/podcontroller-bad.yaml
@@ -20,7 +20,7 @@ spec:
 - name: cowrie
 image: docker.io/trithemius/cowrie:latest
 - name: bb
- image: ghcr.io/kyverno/test-busybox:1.35
+ image: busybox:1.35
 ---
 apiVersion: batch/v1
 kind: CronJob
@@ -36,7 +36,7 @@ spec:
 spec:
 containers:
 - name: bb
- image: ghcr.io/kyverno/test-busybox:1.35
+ image: busybox:1.35
 - name: kyverno
 image: ghcr.io/kyverno/kyverno:latest
 restartPolicy: OnFailure
\ No newline at end of file
diff --git a/other/require-base-image/artifacthub-pkg.yml b/other/require-base-image/artifacthub-pkg.yml index b9ef5f1f6..db651d988 100644 --- a/other/require-base-image/artifacthub-pkg.yml +++ b/other/require-base-image/artifacthub-pkg.yml @@ -19,4 +19,4 @@ annotations: kyverno/category: "Other, EKS Best Practices" kyverno/kubernetesVersion: "1.23" kyverno/subject: "Pod" -digest: 6142ec32c660c1699f435d90d7d8cabf3125a2bc73ab1e910d518fe05c04385d +digest: 23dcc8f9a56d36ceb6f45b8c7e76b450472e5c22a4a701bea37c25c8df68984e diff --git a/other/require-base-image/require-base-image.yaml b/other/require-base-image/require-base-image.yaml index fe944e9c2..99f77be7c 100644 --- a/other/require-base-image/require-base-image.yaml +++ b/other/require-base-image/require-base-image.yaml @@ -21,7 +21,7 @@ metadata: to specify it using metadata or build directives of some sort (ex., Dockerfile FROM statements do not automatically expose this information). spec: - validationFailureAction: Audit + validationFailureAction: audit rules: - name: require-base-image match: diff --git a/other/require-container-port-names/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other/require-container-port-names/.chainsaw-test/chainsaw-step-01-assert-1.yaml index ad3202354..f8c44c430 100755 --- a/other/require-container-port-names/.chainsaw-test/chainsaw-step-01-assert-1.yaml +++ b/other/require-container-port-names/.chainsaw-test/chainsaw-step-01-assert-1.yaml @@ -3,8 +3,4 @@ kind: ClusterPolicy metadata: name: require-container-port-names status: - conditions: - - reason: Succeeded - status: "True" - type: Ready - + ready: true diff --git a/other/require-container-port-names/.chainsaw-test/chainsaw-test.yaml b/other/require-container-port-names/.chainsaw-test/chainsaw-test.yaml index 2a9cd9c88..237e67b1a 100755 --- a/other/require-container-port-names/.chainsaw-test/chainsaw-test.yaml +++ b/other/require-container-port-names/.chainsaw-test/chainsaw-test.yaml 
@@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: @@ -8,16 +7,9 @@ spec: steps: - name: step-01 try: - - apply: - file: ../require-container-port-names.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: require-container-port-names - spec: - validationFailureAction: Enforce + - script: + content: | + sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../require-container-port-names.yaml | kubectl create -f - - assert: file: chainsaw-step-01-assert-1.yaml - name: step-02 @@ -36,3 +28,10 @@ spec: - check: ($error != null): true file: podcontroller-bad.yaml + - name: step-99 + try: + - delete: + ref: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: require-container-port-names diff --git a/other/require-container-port-names/.chainsaw-test/pod-bad.yaml b/other/require-container-port-names/.chainsaw-test/pod-bad.yaml index a9be85d99..f55f602a1 100644 --- a/other/require-container-port-names/.chainsaw-test/pod-bad.yaml +++ b/other/require-container-port-names/.chainsaw-test/pod-bad.yaml @@ -5,7 +5,7 @@ metadata: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - containerPort: 80 --- @@ -16,12 +16,12 @@ metadata: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - name: http-port containerPort: 80 - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - containerPort: 80 - containerPort: 443 @@ -34,11 +34,11 @@ metadata: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - containerPort: 80 - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - containerPort: 80 name: http-port 
diff --git a/other/require-container-port-names/.chainsaw-test/pod-good.yaml b/other/require-container-port-names/.chainsaw-test/pod-good.yaml index 1bbaa60e6..0825ba43a 100644 --- a/other/require-container-port-names/.chainsaw-test/pod-good.yaml +++ b/other/require-container-port-names/.chainsaw-test/pod-good.yaml @@ -5,7 +5,7 @@ metadata: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - name: http-port containerPort: 80 @@ -17,12 +17,12 @@ metadata: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - name: http-port containerPort: 80 - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - name: http-port containerPort: 80 diff --git a/other/require-container-port-names/.chainsaw-test/podcontroller-bad.yaml b/other/require-container-port-names/.chainsaw-test/podcontroller-bad.yaml index fd12ecd36..dd9ac3feb 100644 --- a/other/require-container-port-names/.chainsaw-test/podcontroller-bad.yaml +++ b/other/require-container-port-names/.chainsaw-test/podcontroller-bad.yaml @@ -17,12 +17,12 @@ spec: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - name: http-port containerPort: 80 - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - containerPort: 80 - containerPort: 443 @@ -41,12 +41,12 @@ spec: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - name: http-port containerPort: 80 - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - containerPort: 80 - containerPort: 443 diff --git a/other/require-container-port-names/.chainsaw-test/podcontroller-good.yaml b/other/require-container-port-names/.chainsaw-test/podcontroller-good.yaml index 9f5f94e13..f491d3aab 100644 
--- a/other/require-container-port-names/.chainsaw-test/podcontroller-good.yaml +++ b/other/require-container-port-names/.chainsaw-test/podcontroller-good.yaml @@ -17,12 +17,12 @@ spec: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - name: http-port containerPort: 80 - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - name: http-port containerPort: 80 @@ -42,12 +42,12 @@ spec: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - name: http-port containerPort: 80 - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - name: http-port containerPort: 80 diff --git a/other/require-container-port-names/.kyverno-test/kyverno-test.yaml b/other/require-container-port-names/.kyverno-test/kyverno-test.yaml deleted file mode 100644 index c1054a710..000000000 --- a/other/require-container-port-names/.kyverno-test/kyverno-test.yaml +++ /dev/null 
@@ -1,52 +0,0 @@ -apiVersion: cli.kyverno.io/v1alpha1 -kind: Test -metadata: - name: require-container-port-names -policies: -- ../require-container-port-names.yaml -resources: -- ../.chainsaw-test/pod-bad.yaml -- ../.chainsaw-test/pod-good.yaml -- ../.chainsaw-test/podcontroller-bad.yaml -- ../.chainsaw-test/podcontroller-good.yaml -results: -- kind: Pod - policy: require-container-port-names - rule: port-name - resources: - - badpod01 - - badpod02 - - badpod03 - result: fail -- kind: Pod - policy: require-container-port-names - rule: port-name - resources: - - goodpod01 - - goodpod02 - result: pass -- kind: Deployment - policy: require-container-port-names - rule: port-name - resources: - - baddeployment01 - result: fail -- kind: CronJob - policy: require-container-port-names - rule: port-name - resources: - - badcronjob01 - result: fail -- kind: Deployment - policy: require-container-port-names - rule: port-name - resources: - - gooddeployment01 - result: pass -- kind: CronJob - policy: require-container-port-names - rule: port-name - resources: - - goodcronjob01 - result: pass - diff --git a/other/require-container-port-names/artifacthub-pkg.yml b/other/require-container-port-names/artifacthub-pkg.yml index 8ecf33e21..6f6c29a31 100644 --- a/other/require-container-port-names/artifacthub-pkg.yml +++ b/other/require-container-port-names/artifacthub-pkg.yml @@ -19,4 +19,4 @@ annotations: kyverno/category: "Other" kyverno/kubernetesVersion: "1.23" kyverno/subject: "Pod" -digest: ac5fa3fa26805f370d12458b3a71aa6ae305de03ed06b474e5825d58bd70e9a1 +digest: 9be3e553fa8984998988824ca5700f9348d21fa777a1efefa78d82267cdcf140 diff --git a/other/require-container-port-names/require-container-port-names.yaml b/other/require-container-port-names/require-container-port-names.yaml index c390ac15b..2eed86e9f 100644 --- a/other/require-container-port-names/require-container-port-names.yaml +++ b/other/require-container-port-names/require-container-port-names.yaml 
@@ -16,7 +16,7 @@ metadata: the port number to change. This policy requires that for every containerPort defined there is also a name specified. spec: - validationFailureAction: Audit + validationFailureAction: audit background: true rules: - name: port-name diff --git a/other/require-cpu-limits/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other/require-cpu-limits/.chainsaw-test/chainsaw-step-01-assert-1.yaml deleted file mode 100644 index c9d3557aa..000000000 --- a/other/require-cpu-limits/.chainsaw-test/chainsaw-step-01-assert-1.yaml +++ /dev/null @@ -1,10 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: require-cpu-limits -status: - conditions: - - reason: Succeeded - status: "True" - type: Ready - diff --git a/other/require-cpu-limits/.chainsaw-test/chainsaw-test.yaml b/other/require-cpu-limits/.chainsaw-test/chainsaw-test.yaml deleted file mode 100644 index 6c3d855b7..000000000 --- a/other/require-cpu-limits/.chainsaw-test/chainsaw-test.yaml +++ /dev/null @@ -1,38 +0,0 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json -apiVersion: chainsaw.kyverno.io/v1alpha1 -kind: Test -metadata: - creationTimestamp: null - name: require-cpu-limits -spec: - steps: - - name: step-01 - try: - - apply: - file: ../require-cpu-limits.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: require-cpu-limits - spec: - validationFailureAction: Enforce - - assert: - file: chainsaw-step-01-assert-1.yaml - - name: step-02 - try: - - apply: - file: pod-good.yaml - - apply: - expect: - - check: - ($error != null): true - file: pod-bad.yaml - - apply: - file: podcontroller-good.yaml - - apply: - expect: - - check: - ($error != null): true - file: podcontroller-bad.yaml 
diff --git a/other/require-cpu-limits/.chainsaw-test/pod-bad.yaml b/other/require-cpu-limits/.chainsaw-test/pod-bad.yaml deleted file mode 100644 index 3bd362c8d..000000000 --- a/other/require-cpu-limits/.chainsaw-test/pod-bad.yaml +++ /dev/null @@ -1,67 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: badpod01 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod03 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod05 -spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod06 -spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 - resources: - limits: - cpu: "50m" - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod07 -spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - resources: - limits: - cpu: "50m" - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 diff --git a/other/require-cpu-limits/.chainsaw-test/pod-good.yaml b/other/require-cpu-limits/.chainsaw-test/pod-good.yaml deleted file mode 100644 index ef95698f5..000000000 --- a/other/require-cpu-limits/.chainsaw-test/pod-good.yaml +++ /dev/null 
@@ -1,97 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: goodpod01 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35@sha256:5b6e7aeda43f426b6423f60da863e2e6015c9983c957cf1b068120aea609261d - resources: - limits: - cpu: "50m" ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod02 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35@sha256:5b6e7aeda43f426b6423f60da863e2e6015c9983c957cf1b068120aea609261d - resources: - limits: - cpu: "50m" - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35@sha256:5b6e7aeda43f426b6423f60da863e2e6015c9983c957cf1b068120aea609261d - resources: - limits: - cpu: "50m" ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod03 -spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35@sha256:5b6e7aeda43f426b6423f60da863e2e6015c9983c957cf1b068120aea609261d - resources: - limits: - cpu: "50m" - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35@sha256:5b6e7aeda43f426b6423f60da863e2e6015c9983c957cf1b068120aea609261d - resources: - limits: - cpu: "50m" ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod04 -spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35@sha256:5b6e7aeda43f426b6423f60da863e2e6015c9983c957cf1b068120aea609261d - resources: - limits: - cpu: "50m" - - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35@sha256:5b6e7aeda43f426b6423f60da863e2e6015c9983c957cf1b068120aea609261d - resources: - limits: - cpu: "50m" - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35@sha256:5b6e7aeda43f426b6423f60da863e2e6015c9983c957cf1b068120aea609261d - resources: - limits: - cpu: "50m" ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod05 -spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35@sha256:5b6e7aeda43f426b6423f60da863e2e6015c9983c957cf1b068120aea609261d 
- resources: - limits: - cpu: "50m" - - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35@sha256:5b6e7aeda43f426b6423f60da863e2e6015c9983c957cf1b068120aea609261d - resources: - limits: - cpu: "50m" - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35@sha256:5b6e7aeda43f426b6423f60da863e2e6015c9983c957cf1b068120aea609261d - resources: - limits: - cpu: "50m" - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35@sha256:5b6e7aeda43f426b6423f60da863e2e6015c9983c957cf1b068120aea609261d - resources: - limits: - cpu: "50m" diff --git a/other/require-cpu-limits/.chainsaw-test/podcontroller-bad.yaml b/other/require-cpu-limits/.chainsaw-test/podcontroller-bad.yaml deleted file mode 100644 index fca1f7504..000000000 --- a/other/require-cpu-limits/.chainsaw-test/podcontroller-bad.yaml +++ /dev/null 
@@ -1,158 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment01 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment03 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment05 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment06 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 - resources: - limits: - cpu: "50m" - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob01 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob03 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: container02 - image: 
ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob05 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob06 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 - resources: - limits: - cpu: "50m" - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- diff --git a/other/require-cpu-limits/.chainsaw-test/podcontroller-good.yaml b/other/require-cpu-limits/.chainsaw-test/podcontroller-good.yaml deleted file mode 100644 index ba862204f..000000000 --- a/other/require-cpu-limits/.chainsaw-test/podcontroller-good.yaml +++ /dev/null 
@@ -1,271 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment01 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35@sha256:5b6e7aeda43f426b6423f60da863e2e6015c9983c957cf1b068120aea609261d - resources: - limits: - cpu: "50m" ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment02 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35@sha256:5b6e7aeda43f426b6423f60da863e2e6015c9983c957cf1b068120aea609261d - resources: - limits: - cpu: "50m" - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35@sha256:5b6e7aeda43f426b6423f60da863e2e6015c9983c957cf1b068120aea609261d - resources: - limits: - cpu: "50m" ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment03 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35@sha256:5b6e7aeda43f426b6423f60da863e2e6015c9983c957cf1b068120aea609261d - resources: - limits: - cpu: "50m" - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35@sha256:5b6e7aeda43f426b6423f60da863e2e6015c9983c957cf1b068120aea609261d - resources: - limits: - cpu: "50m" ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment04 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35@sha256:5b6e7aeda43f426b6423f60da863e2e6015c9983c957cf1b068120aea609261d - resources: - limits: - cpu: "50m" - - name: initcontainer02 - image: 
ghcr.io/kyverno/test-busybox:1.35@sha256:5b6e7aeda43f426b6423f60da863e2e6015c9983c957cf1b068120aea609261d - resources: - limits: - cpu: "50m" - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35@sha256:5b6e7aeda43f426b6423f60da863e2e6015c9983c957cf1b068120aea609261d - resources: - limits: - cpu: "50m" ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment05 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35@sha256:5b6e7aeda43f426b6423f60da863e2e6015c9983c957cf1b068120aea609261d - resources: - limits: - cpu: "50m" - - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35@sha256:5b6e7aeda43f426b6423f60da863e2e6015c9983c957cf1b068120aea609261d - resources: - limits: - cpu: "50m" - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35@sha256:5b6e7aeda43f426b6423f60da863e2e6015c9983c957cf1b068120aea609261d - resources: - limits: - cpu: "50m" - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35@sha256:5b6e7aeda43f426b6423f60da863e2e6015c9983c957cf1b068120aea609261d - resources: - limits: - cpu: "50m" - ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob01 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35@sha256:5b6e7aeda43f426b6423f60da863e2e6015c9983c957cf1b068120aea609261d - resources: - limits: - cpu: "50m" ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob02 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35@sha256:5b6e7aeda43f426b6423f60da863e2e6015c9983c957cf1b068120aea609261d - resources: - limits: - cpu: "50m" - - name: 
container02 - image: ghcr.io/kyverno/test-busybox:1.35@sha256:5b6e7aeda43f426b6423f60da863e2e6015c9983c957cf1b068120aea609261d - resources: - limits: - cpu: "50m" ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob03 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35@sha256:5b6e7aeda43f426b6423f60da863e2e6015c9983c957cf1b068120aea609261d - resources: - limits: - cpu: "50m" - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35@sha256:5b6e7aeda43f426b6423f60da863e2e6015c9983c957cf1b068120aea609261d - resources: - limits: - cpu: "50m" ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob04 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35@sha256:5b6e7aeda43f426b6423f60da863e2e6015c9983c957cf1b068120aea609261d - resources: - limits: - cpu: "50m" - - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35@sha256:5b6e7aeda43f426b6423f60da863e2e6015c9983c957cf1b068120aea609261d - resources: - limits: - cpu: "50m" - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35@sha256:5b6e7aeda43f426b6423f60da863e2e6015c9983c957cf1b068120aea609261d - resources: - limits: - cpu: "50m" ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob05 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35@sha256:5b6e7aeda43f426b6423f60da863e2e6015c9983c957cf1b068120aea609261d - resources: - limits: - cpu: "50m" - - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35@sha256:5b6e7aeda43f426b6423f60da863e2e6015c9983c957cf1b068120aea609261d - resources: - limits: - 
cpu: "50m" - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35@sha256:5b6e7aeda43f426b6423f60da863e2e6015c9983c957cf1b068120aea609261d - resources: - limits: - cpu: "50m" - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35@sha256:5b6e7aeda43f426b6423f60da863e2e6015c9983c957cf1b068120aea609261d - resources: - limits: - cpu: "50m" diff --git a/other/require-cpu-limits/.kyverno-test/kyverno-test.yaml b/other/require-cpu-limits/.kyverno-test/kyverno-test.yaml deleted file mode 100644 index 8dc751676..000000000 --- a/other/require-cpu-limits/.kyverno-test/kyverno-test.yaml +++ /dev/null @@ -1,73 +0,0 @@ -apiVersion: cli.kyverno.io/v1alpha1 -kind: Test -metadata: - name: require-cpu-limits -policies: -- ../require-cpu-limits.yaml -resources: -- resource.yaml -results: -- kind: CronJob - policy: require-cpu-limits - resources: - - badcronjob01 - - badcronjob02 - - badcronjob03 - - badcronjob04 - - badcronjob05 - - badcronjob06 - result: fail - rule: check-cpu-limits -- kind: Deployment - policy: require-cpu-limits - resources: - - baddeployment01 - - baddeployment02 - - baddeployment03 - - baddeployment04 - - baddeployment05 - - baddeployment06 - result: fail - rule: check-cpu-limits -- kind: Pod - policy: require-cpu-limits - resources: - - badpod01 - - badpod02 - - badpod03 - - badpod04 - - badpod05 - - badpod06 - - badpod07 - result: fail - rule: check-cpu-limits -- kind: CronJob - policy: require-cpu-limits - resources: - - goodcronjob01 - - goodcronjob02 - - goodcronjob03 - - goodcronjob04 - - goodcronjob05 - result: pass - rule: check-cpu-limits -- kind: Deployment - policy: require-cpu-limits - resources: - - gooddeployment01 - - gooddeployment02 - - gooddeployment03 - - gooddeployment04 - - gooddeployment05 - result: pass - rule: check-cpu-limits -- kind: Pod - policy: require-cpu-limits - resources: - - goodpod01 - - goodpod02 - - goodpod03 - - goodpod04 - - goodpod05 - result: pass - rule: check-cpu-limits 
diff --git a/other/require-cpu-limits/.kyverno-test/resource.yaml b/other/require-cpu-limits/.kyverno-test/resource.yaml deleted file mode 100644 index 441cd0c9d..000000000 --- a/other/require-cpu-limits/.kyverno-test/resource.yaml +++ /dev/null 
@@ -1,684 +0,0 @@ -###### Pods - Bad -apiVersion: v1 -kind: Pod -metadata: - name: badpod01 -spec: - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod02 -spec: - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod03 -spec: - containers: - - name: container01 - image: dummyimagename - - name: container02 - image: dummyimagename ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod04 -spec: - containers: - - name: container01 - image: dummyimagename - - name: container02 - image: dummyimagename ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod05 -spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod06 -spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - - name: initcontainer02 - image: dummyimagename - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod07 -spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - - name: initcontainer02 - image: dummyimagename - containers: - - name: container01 - image: dummyimagename - resources: - limits: - cpu: "500m" - - name: container02 - image: dummyimagename ---- -###### Pods - Good ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod01 -spec: - containers: - - name: container01 - image: dummyimagename@sha256:af21f7f62c57958b7e5f31c334e37fd5e4c4710aeb1e83b7b235a8d9a7d097b7 - resources: - limits: - cpu: "500m" ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod02 -spec: - containers: - - name: container01 - image: dummyimagename@sha256:af21f7f62c57958b7e5f31c334e37fd5e4c4710aeb1e83b7b235a8d9a7d097b7 - resources: - limits: - cpu: "500m" - - name: container02 - image: 
dummyimagename@sha256:af21f7f62c57958b7e5f31c334e37fd5e4c4710aeb1e83b7b235a8d9a7d097b7 - resources: - limits: - cpu: "500m" ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod03 -spec: - initContainers: - - name: initcontainer01 - image: dummyimagename@sha256:af21f7f62c57958b7e5f31c334e37fd5e4c4710aeb1e83b7b235a8d9a7d097b7 - resources: - limits: - cpu: "500m" - containers: - - name: container01 - image: dummyimagename@sha256:af21f7f62c57958b7e5f31c334e37fd5e4c4710aeb1e83b7b235a8d9a7d097b7 - resources: - limits: - cpu: "500m" ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod04 -spec: - initContainers: - - name: initcontainer01 - image: dummyimagename@sha256:af21f7f62c57958b7e5f31c334e37fd5e4c4710aeb1e83b7b235a8d9a7d097b7 - resources: - limits: - cpu: "500m" - - name: initcontainer02 - image: dummyimagename@sha256:af21f7f62c57958b7e5f31c334e37fd5e4c4710aeb1e83b7b235a8d9a7d097b7 - resources: - limits: - cpu: "500m" - containers: - - name: container01 - image: dummyimagename@sha256:af21f7f62c57958b7e5f31c334e37fd5e4c4710aeb1e83b7b235a8d9a7d097b7 - resources: - limits: - cpu: "500m" ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod05 -spec: - initContainers: - - name: initcontainer01 - image: dummyimagename@sha256:af21f7f62c57958b7e5f31c334e37fd5e4c4710aeb1e83b7b235a8d9a7d097b7 - resources: - limits: - cpu: "500m" - - name: initcontainer02 - image: dummyimagename@sha256:af21f7f62c57958b7e5f31c334e37fd5e4c4710aeb1e83b7b235a8d9a7d097b7 - resources: - limits: - cpu: "500m" - containers: - - name: container01 - image: dummyimagename@sha256:af21f7f62c57958b7e5f31c334e37fd5e4c4710aeb1e83b7b235a8d9a7d097b7 - resources: - limits: - cpu: "500m" - - name: container02 - image: dummyimagename@sha256:af21f7f62c57958b7e5f31c334e37fd5e4c4710aeb1e83b7b235a8d9a7d097b7 - resources: - limits: - cpu: "500m" - -###### Deployments - Bad ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment01 -spec: - replicas: 1 - selector: - matchLabels: - 
app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment02 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment03 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - - name: container02 - image: dummyimagename ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment04 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - - name: container02 - image: dummyimagename ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment05 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment06 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - - name: initcontainer02 - image: dummyimagename - containers: - - name: container01 - image: dummyimagename -###### Deployments - Good ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment01 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: 
dummyimagename@sha256:af21f7f62c57958b7e5f31c334e37fd5e4c4710aeb1e83b7b235a8d9a7d097b7 - resources: - limits: - cpu: "500m" ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment02 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename@sha256:af21f7f62c57958b7e5f31c334e37fd5e4c4710aeb1e83b7b235a8d9a7d097b7 - resources: - limits: - cpu: "500m" - - name: container02 - image: dummyimagename@sha256:af21f7f62c57958b7e5f31c334e37fd5e4c4710aeb1e83b7b235a8d9a7d097b7 - resources: - limits: - cpu: "500m" ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment03 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: dummyimagename@sha256:af21f7f62c57958b7e5f31c334e37fd5e4c4710aeb1e83b7b235a8d9a7d097b7 - resources: - limits: - cpu: "500m" - containers: - - name: container01 - image: dummyimagename@sha256:af21f7f62c57958b7e5f31c334e37fd5e4c4710aeb1e83b7b235a8d9a7d097b7 - resources: - limits: - cpu: "500m" ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment04 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: dummyimagename@sha256:af21f7f62c57958b7e5f31c334e37fd5e4c4710aeb1e83b7b235a8d9a7d097b7 - resources: - limits: - cpu: "500m" - - name: initcontainer02 - image: dummyimagename@sha256:af21f7f62c57958b7e5f31c334e37fd5e4c4710aeb1e83b7b235a8d9a7d097b7 - resources: - limits: - cpu: "500m" - containers: - - name: container01 - image: dummyimagename@sha256:af21f7f62c57958b7e5f31c334e37fd5e4c4710aeb1e83b7b235a8d9a7d097b7 - resources: - limits: - cpu: "500m" ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment05 -spec: - replicas: 1 - selector: - 
matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: dummyimagename@sha256:af21f7f62c57958b7e5f31c334e37fd5e4c4710aeb1e83b7b235a8d9a7d097b7 - resources: - limits: - cpu: "500m" - - name: initcontainer02 - image: dummyimagename@sha256:af21f7f62c57958b7e5f31c334e37fd5e4c4710aeb1e83b7b235a8d9a7d097b7 - resources: - limits: - cpu: "500m" - containers: - - name: container01 - image: dummyimagename@sha256:af21f7f62c57958b7e5f31c334e37fd5e4c4710aeb1e83b7b235a8d9a7d097b7 - resources: - limits: - cpu: "500m" - - name: container02 - image: dummyimagename@sha256:af21f7f62c57958b7e5f31c334e37fd5e4c4710aeb1e83b7b235a8d9a7d097b7 - resources: - limits: - cpu: "500m" - -###### CronJobs - Bad ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob01 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob02 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob03 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - - name: container02 - image: dummyimagename ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob04 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - - name: container02 - image: dummyimagename ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob05 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - 
- name: initcontainer01 - image: dummyimagename - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob06 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: dummyimagename - - name: initcontainer02 - image: dummyimagename - containers: - - name: container01 - image: dummyimagename -###### CronJobs - Good ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob01 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename@sha256:af21f7f62c57958b7e5f31c334e37fd5e4c4710aeb1e83b7b235a8d9a7d097b7 - resources: - limits: - cpu: "500m" ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob02 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename@sha256:af21f7f62c57958b7e5f31c334e37fd5e4c4710aeb1e83b7b235a8d9a7d097b7 - resources: - limits: - cpu: "500m" - - name: container02 - image: dummyimagename@sha256:af21f7f62c57958b7e5f31c334e37fd5e4c4710aeb1e83b7b235a8d9a7d097b7 - resources: - limits: - cpu: "500m" ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob03 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: dummyimagename@sha256:af21f7f62c57958b7e5f31c334e37fd5e4c4710aeb1e83b7b235a8d9a7d097b7 - resources: - limits: - cpu: "500m" - containers: - - name: container01 - image: dummyimagename@sha256:af21f7f62c57958b7e5f31c334e37fd5e4c4710aeb1e83b7b235a8d9a7d097b7 - resources: - limits: - cpu: "500m" ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob04 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - 
template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: dummyimagename@sha256:af21f7f62c57958b7e5f31c334e37fd5e4c4710aeb1e83b7b235a8d9a7d097b7 - resources: - limits: - cpu: "500m" - - name: initcontainer02 - image: dummyimagename@sha256:af21f7f62c57958b7e5f31c334e37fd5e4c4710aeb1e83b7b235a8d9a7d097b7 - resources: - limits: - cpu: "500m" - containers: - - name: container01 - image: dummyimagename@sha256:af21f7f62c57958b7e5f31c334e37fd5e4c4710aeb1e83b7b235a8d9a7d097b7 - resources: - limits: - cpu: "500m" ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob05 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: dummyimagename@sha256:af21f7f62c57958b7e5f31c334e37fd5e4c4710aeb1e83b7b235a8d9a7d097b7 - resources: - limits: - cpu: "500m" - - name: initcontainer02 - image: dummyimagename@sha256:af21f7f62c57958b7e5f31c334e37fd5e4c4710aeb1e83b7b235a8d9a7d097b7 - resources: - limits: - cpu: "500m" - containers: - - name: container01 - image: dummyimagename@sha256:af21f7f62c57958b7e5f31c334e37fd5e4c4710aeb1e83b7b235a8d9a7d097b7 - resources: - limits: - cpu: "500m" - - name: container02 - image: dummyimagename@sha256:af21f7f62c57958b7e5f31c334e37fd5e4c4710aeb1e83b7b235a8d9a7d097b7 - resources: - limits: - cpu: "500m" diff --git a/other/require-cpu-limits/artifacthub-pkg.yml b/other/require-cpu-limits/artifacthub-pkg.yml deleted file mode 100644 index 125a5efc9..000000000 --- a/other/require-cpu-limits/artifacthub-pkg.yml +++ /dev/null 
@@ -1,22 +0,0 @@ -name: require-cpu-limits -version: 1.0.0 -displayName: Require CPU Limits -createdAt: "2024-05-19T20:30:06.000Z" -description: >- - Setting CPU limits on pods ensures fair distribution of resources, preventing any single pod from monopolizing CPU and impacting the performance of other pods. This practice enhances stability, predictability, and cost control, while also mitigating the noisy neighbor problem and facilitating efficient scaling in Kubernetes clusters. This policy ensures that cpu limits are set on every container. -install: |- - ```shell - kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/require-cpu-limits/require-cpu-limits.yaml - ``` -keywords: -- kyverno -- Other -readme: | - Setting CPU limits on pods ensures fair distribution of resources, preventing any single pod from monopolizing CPU and impacting the performance of other pods. This practice enhances stability, predictability, and cost control, while also mitigating the noisy neighbor problem and facilitating efficient scaling in Kubernetes clusters. This policy ensures that cpu limits are set on every container. - - Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ -annotations: - kyverno/category: "Other" - kyverno/kubernetesVersion: "1.26" - kyverno/subject: "Pod" -digest: 1d9998010342080ae64f309befdf52065de557cdcc10ddf68d8476b5af93d505 diff --git a/other/require-cpu-limits/require-cpu-limits.yaml b/other/require-cpu-limits/require-cpu-limits.yaml deleted file mode 100644 index 7e7ec5a20..000000000 --- a/other/require-cpu-limits/require-cpu-limits.yaml +++ /dev/null 
@@ -1,41 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: require-cpu-limits - annotations: - policies.kyverno.io/title: Require CPU Limits - policies.kyverno.io/category: Other - policies.kyverno.io/severity: medium - policies.kyverno.io/subject: Pod - kyverno.io/kubernetes-version: "1.26" - policies.kyverno.io/description: >- - Setting CPU limits on containers ensures fair distribution of resources, preventing any single container from monopolizing CPU and impacting the performance of other containers. This practice enhances stability, predictability, and cost control, while also mitigating the noisy neighbor problem and facilitating efficient scaling in Kubernetes clusters. This policy ensures that cpu limits are set on every container. -spec: - validationFailureAction: Audit - background: true - rules: - - name: check-cpu-limits - match: - any: - - resources: - kinds: - - Pod - validate: - message: "CPU limits are required for all containers." - pattern: - spec: - containers: - - (name): "*" - resources: - limits: - cpu: "?*" - =(ephemeralContainers): - - =(name): "*" - resources: - limits: - cpu: "?*" - =(initContainers): - - =(name): "*" - resources: - limits: - cpu: "?*" diff --git a/other/require-deployments-have-multiple-replicas/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other/require-deployments-have-multiple-replicas/.chainsaw-test/chainsaw-step-01-assert-1.yaml index 64c9b55e6..b272d0794 100755 --- a/other/require-deployments-have-multiple-replicas/.chainsaw-test/chainsaw-step-01-assert-1.yaml +++ b/other/require-deployments-have-multiple-replicas/.chainsaw-test/chainsaw-step-01-assert-1.yaml @@ -3,8 +3,4 @@ kind: ClusterPolicy metadata: name: deployment-has-multiple-replicas status: - conditions: - - reason: Succeeded - status: "True" - type: Ready - + ready: true 
diff --git a/other/require-deployments-have-multiple-replicas/.chainsaw-test/chainsaw-test.yaml b/other/require-deployments-have-multiple-replicas/.chainsaw-test/chainsaw-test.yaml index 49c46bba7..db7d27f4d 100755 --- a/other/require-deployments-have-multiple-replicas/.chainsaw-test/chainsaw-test.yaml +++ b/other/require-deployments-have-multiple-replicas/.chainsaw-test/chainsaw-test.yaml @@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: @@ -8,16 +7,9 @@ spec: steps: - name: step-01 try: - - apply: - file: ../require-deployments-have-multiple-replicas.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: deployment-has-multiple-replicas - spec: - validationFailureAction: Enforce + - script: + content: | + sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../require-deployments-have-multiple-replicas.yaml | kubectl create -f - - assert: file: chainsaw-step-01-assert-1.yaml - name: step-02 @@ -29,3 +21,10 @@ spec: - check: ($error != null): true file: deploy-bad.yaml + - name: step-99 + try: + - delete: + ref: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: deployment-has-multiple-replicas diff --git a/other/require-deployments-have-multiple-replicas/.chainsaw-test/deploy-bad.yaml b/other/require-deployments-have-multiple-replicas/.chainsaw-test/deploy-bad.yaml index a6afc9c8c..4ec336991 100644 --- a/other/require-deployments-have-multiple-replicas/.chainsaw-test/deploy-bad.yaml +++ b/other/require-deployments-have-multiple-replicas/.chainsaw-test/deploy-bad.yaml @@ -17,9 +17,9 @@ spec: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: apps/v1 kind: Deployment 
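Review bot: Dropping the `# yaml-language-server: $schema=…` header in the first hunk of chainsaw-test.yaml removes the only editor-side schema validation this test file had, and nothing in the hunk replaces it. Unless the schema URL is known to be gone, keep that comment as the first line of the file. The same header is removed in the require-emptydir-requests-limits chainsaw-test.yaml hunk.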
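Review bot: The new `script` step pipes `sed 's/validationFailureAction: audit/validationFailureAction: Enforce/'` into `kubectl create -f -`, so if the pattern stops matching (any casing or spacing change in the policy file) the policy is silently created in audit mode and the later `($error != null): true` checks fail with a misleading error instead of step-01 failing on the real cause. The replaced `patch` step expressed the same intent declaratively without that string coupling. If the script stays, have chainsaw-step-01-assert-1.yaml also assert the effective mode by adding `spec:` / `  validationFailureAction: Enforce` beside its `status` check. The same pattern appears in the require-emptydir-requests-limits chainsaw-test.yaml hunk, whose sed matches the capitalised `Audit`, so the two tests are now tied to different spellings of the same field.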
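Review bot: `image: busybox:1.35` in the deploy-bad.yaml hunk is an unqualified reference, so the fixture now depends on whichever default registry the cluster's container runtime resolves short names against (typically Docker Hub) and on a mutable tag, whereas the replaced `ghcr.io/kyverno/test-busybox:1.35` was fully qualified under the project's own namespace. For fixtures that chainsaw applies to a real cluster, a fully qualified name with a `@sha256:` digest pin, as the require-cpu-limits fixtures deleted in this commit already did for their good cases, keeps results reproducible and avoids tag-drift and pull-rate failures. The same substitution is made in the remaining deploy-bad.yaml hunks and in deploy-good.yaml, bad-pod.yaml, pod-bad.yaml and pod-good.yaml.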
@@ -40,9 +40,9 @@ spec: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: apps/v1 kind: Deployment @@ -62,6 +62,6 @@ spec: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 \ No newline at end of file + image: busybox:1.35 \ No newline at end of file diff --git a/other/require-deployments-have-multiple-replicas/.chainsaw-test/deploy-good.yaml b/other/require-deployments-have-multiple-replicas/.chainsaw-test/deploy-good.yaml index 9eb0ce03a..a962c8e73 100644 --- a/other/require-deployments-have-multiple-replicas/.chainsaw-test/deploy-good.yaml +++ b/other/require-deployments-have-multiple-replicas/.chainsaw-test/deploy-good.yaml @@ -17,9 +17,9 @@ spec: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: apps/v1 kind: Deployment @@ -40,6 +40,6 @@ spec: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 \ No newline at end of file + image: busybox:1.35 \ No newline at end of file diff --git a/other/require-deployments-have-multiple-replicas/.kyverno-test/kyverno-test.yaml b/other/require-deployments-have-multiple-replicas/.kyverno-test/kyverno-test.yaml index 07bccb8b6..f4755fdc2 100644 --- a/other/require-deployments-have-multiple-replicas/.kyverno-test/kyverno-test.yaml +++ b/other/require-deployments-have-multiple-replicas/.kyverno-test/kyverno-test.yaml 
@@ -10,13 +10,6 @@ results: - kind: Deployment policy: deployment-has-multiple-replicas resources: - - mydeploygood + - mydeploy result: pass rule: deployment-has-multiple-replicas -- kind: Deployment - policy: deployment-has-multiple-replicas - resources: - - mydeploybad - result: fail - rule: deployment-has-multiple-replicas - diff --git a/other/require-deployments-have-multiple-replicas/.kyverno-test/resource.yaml b/other/require-deployments-have-multiple-replicas/.kyverno-test/resource.yaml index 6fc0aa939..85fef6f89 100644 --- a/other/require-deployments-have-multiple-replicas/.kyverno-test/resource.yaml +++ b/other/require-deployments-have-multiple-replicas/.kyverno-test/resource.yaml @@ -1,7 +1,7 @@ apiVersion: apps/v1 kind: Deployment metadata: - name: mydeploygood + name: mydeploy spec: replicas: 2 selector: @@ -19,23 +19,13 @@ spec: - containerPort: 80 --- -apiVersion: apps/v1 -kind: Deployment +apiVersion: v1 +kind: Pod metadata: - name: mydeploybad + labels: + foo: bar + name: myapp-pod spec: - replicas: 1 - selector: - matchLabels: - app: myapp - template: - metadata: - labels: - app: myapp - spec: - containers: - - name: nginx - image: nginx - ports: - - containerPort: 80 - + containers: + - image: nginx + name: nginx \ No newline at end of file diff --git a/other/require-deployments-have-multiple-replicas/artifacthub-pkg.yml b/other/require-deployments-have-multiple-replicas/artifacthub-pkg.yml index e6646d6e5..3a4843fb4 100644 --- a/other/require-deployments-have-multiple-replicas/artifacthub-pkg.yml +++ b/other/require-deployments-have-multiple-replicas/artifacthub-pkg.yml @@ -18,4 +18,4 @@ readme: | annotations: kyverno/category: "Sample" kyverno/subject: "Deployment" -digest: c3af9217dcb041aef987c0018fe2e2b405964f03d5f37481fe75c2e434abb4cc +digest: c51f69dfe47a743104560fa0dadb1c7dcf60d98ed66eb1d142e5891ac7213f1a 
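Review bot: With the `mydeploybad` result block removed, the CLI test for `deployment-has-multiple-replicas` keeps only a `pass` expectation, so a regression that makes the rule accept single-replica Deployments would no longer be caught. The resource.yaml hunks in the same commit replace the bad Deployment with a Pod named `myapp-pod` that no result entry references, so it adds no coverage. Keep a `replicas: 1` Deployment in resource.yaml and restore a `result: fail` entry for it under a second `kind: Deployment` block.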
diff --git a/other/require-deployments-have-multiple-replicas/require-deployments-have-multiple-replicas.yaml b/other/require-deployments-have-multiple-replicas/require-deployments-have-multiple-replicas.yaml index f65200876..bb1c38b39 100644 --- a/other/require-deployments-have-multiple-replicas/require-deployments-have-multiple-replicas.yaml +++ b/other/require-deployments-have-multiple-replicas/require-deployments-have-multiple-replicas.yaml @@ -13,7 +13,7 @@ metadata: may suffer downtime if that one replica goes down. This policy validates that Deployments have more than one replica. spec: - validationFailureAction: Audit + validationFailureAction: audit background: true rules: - name: deployment-has-multiple-replicas diff --git a/other/require-emptydir-requests-limits/.chainsaw-test/bad-pod.yaml b/other/require-emptydir-requests-limits/.chainsaw-test/bad-pod.yaml index 8dea0db19..da2b7cd1a 100644 --- a/other/require-emptydir-requests-limits/.chainsaw-test/bad-pod.yaml +++ b/other/require-emptydir-requests-limits/.chainsaw-test/bad-pod.yaml @@ -6,7 +6,7 @@ metadata: name: badpod01 spec: initContainers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox-init volumeMounts: - mountPath: /mnt/foo @@ -16,18 +16,18 @@ spec: ephemeral-storage: "2Gi" limits: ephemeral-storage: "2Gi" - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox02-init volumeMounts: - mountPath: /mnt/vol name: vol containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox volumeMounts: - mountPath: /mnt/foo name: foo-host - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox02 resources: requests: diff --git a/other/require-emptydir-requests-limits/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other/require-emptydir-requests-limits/.chainsaw-test/chainsaw-step-01-assert-1.yaml index 7ce8296f7..9aa39646d 100755 
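Review bot: `validationFailureAction: audit` now differs in casing from the `Audit` spelling used by the sibling policy in this commit (the require-emptydir-requests-limits test's sed matches `validationFailureAction: Audit`) and from the value the removed `patch` step set. Kyverno appears to accept both spellings, but the chainsaw script for this policy now matches this exact lowercase string, so the two files must change together or the test silently runs in audit mode. Prefer one spelling across the repository, or document the coupling on this line with `# spelling must match the sed pattern in .chainsaw-test/chainsaw-test.yaml`.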
--- a/other/require-emptydir-requests-limits/.chainsaw-test/chainsaw-step-01-assert-1.yaml +++ b/other/require-emptydir-requests-limits/.chainsaw-test/chainsaw-step-01-assert-1.yaml @@ -3,8 +3,4 @@ kind: ClusterPolicy metadata: name: require-emptydir-requests-and-limits status: - conditions: - - reason: Succeeded - status: "True" - type: Ready - + ready: true diff --git a/other/require-emptydir-requests-limits/.chainsaw-test/chainsaw-test.yaml b/other/require-emptydir-requests-limits/.chainsaw-test/chainsaw-test.yaml index 11faefce7..e8337869d 100755 --- a/other/require-emptydir-requests-limits/.chainsaw-test/chainsaw-test.yaml +++ b/other/require-emptydir-requests-limits/.chainsaw-test/chainsaw-test.yaml @@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: @@ -8,16 +7,9 @@ spec: steps: - name: step-01 try: - - apply: - file: ../require-emptydir-requests-limits.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: require-emptydir-requests-and-limits - spec: - validationFailureAction: Enforce + - script: + content: | + sed 's/validationFailureAction: Audit/validationFailureAction: Enforce/' ../require-emptydir-requests-limits.yaml | kubectl create -f - - assert: file: chainsaw-step-01-assert-1.yaml - name: step-02 @@ -36,3 +28,10 @@ spec: - check: ($error != null): true file: podcontroller-bad.yaml + - name: step-99 + try: + - delete: + ref: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: require-emptydir-requests-and-limits diff --git a/other/require-emptydir-requests-limits/.chainsaw-test/pod-bad.yaml b/other/require-emptydir-requests-limits/.chainsaw-test/pod-bad.yaml index be38730f2..b515750a6 100644 --- a/other/require-emptydir-requests-limits/.chainsaw-test/pod-bad.yaml +++ b/other/require-emptydir-requests-limits/.chainsaw-test/pod-bad.yaml 
@@ -4,12 +4,12 @@ metadata: name: badpod01 spec: containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox volumeMounts: - mountPath: /mnt/foo name: foo - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox02 resources: requests: @@ -26,7 +26,7 @@ metadata: name: badpod02 spec: containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox volumeMounts: - mountPath: /cache/data @@ -41,12 +41,12 @@ metadata: name: badpod03 spec: containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox volumeMounts: - mountPath: /mnt/vol name: vol - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox02 volumeMounts: - mountPath: /mnt/foo @@ -64,7 +64,7 @@ metadata: name: badpod04 spec: initContainers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox-init volumeMounts: - mountPath: /mnt/foo @@ -74,18 +74,18 @@ spec: ephemeral-storage: "2Gi" limits: ephemeral-storage: "2Gi" - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox02-init volumeMounts: - mountPath: /mnt/vol name: vol containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox volumeMounts: - mountPath: /mnt/vol name: vol - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox02 resources: requests: @@ -108,7 +108,7 @@ metadata: name: badpod05 spec: containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox resources: requests: @@ -126,7 +126,7 @@ metadata: name: badpod06 spec: containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox resources: requests: @@ -144,7 +144,7 @@ metadata: name: badpod07 spec: containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox resources: limits: 
diff --git a/other/require-emptydir-requests-limits/.chainsaw-test/pod-good.yaml b/other/require-emptydir-requests-limits/.chainsaw-test/pod-good.yaml index c99ae5a9b..2af525da3 100644 --- a/other/require-emptydir-requests-limits/.chainsaw-test/pod-good.yaml +++ b/other/require-emptydir-requests-limits/.chainsaw-test/pod-good.yaml @@ -4,7 +4,7 @@ metadata: name: goodpod01 spec: containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox resources: requests: @@ -24,7 +24,7 @@ metadata: name: goodpod02 spec: containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox --- apiVersion: v1 @@ -33,7 +33,7 @@ metadata: name: goodpod03 spec: containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox volumeMounts: - mountPath: /cache/data @@ -49,7 +49,7 @@ metadata: name: goodpod04 spec: initContainers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox-init volumeMounts: - mountPath: /mnt/vol @@ -59,18 +59,18 @@ spec: ephemeral-storage: "2Gi" limits: ephemeral-storage: "2Gi" - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox02-init volumeMounts: - mountPath: /mnt/foo name: foo containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox volumeMounts: - mountPath: /mnt/foo name: foo - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox02 resources: requests: 
@@ -93,20 +93,20 @@ metadata: name: goodpod05 spec: initContainers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox-init - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox02-init volumeMounts: - mountPath: /mnt/foo name: foo containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox volumeMounts: - mountPath: /mnt/foo name: foo - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox02 volumes: - name: vol @@ -121,7 +121,7 @@ metadata: name: goodpod06 spec: containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox volumeMounts: - mountPath: /mnt/foo @@ -131,7 +131,7 @@ spec: ephemeral-storage: "2Gi" limits: ephemeral-storage: "2Gi" - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox02 volumes: - name: foo @@ -143,12 +143,12 @@ metadata: name: goodpod07 spec: containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox volumeMounts: - mountPath: /mnt/foo name: foo - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox02 volumes: - name: foo @@ -162,7 +162,7 @@ metadata: spec: initContainers: - name: certificates - image: ghcr.io/kyverno/test-busybox + image: busybox volumeMounts: - name: etc-ssl-certs mountPath: /etc/ssl/certs @@ -172,7 +172,7 @@ spec: requests: ephemeral-storage: 256Mi - name: configure - image: ghcr.io/kyverno/test-busybox + image: busybox volumeMounts: - name: etc-ssl-certs mountPath: /etc/ssl/certs/ @@ -185,7 +185,7 @@ spec: ephemeral-storage: 256Mi containers: - name: my-app - image: ghcr.io/kyverno/test-busybox + image: busybox resources: limits: cpu: "2" diff --git a/other/require-emptydir-requests-limits/.chainsaw-test/podcontroller-bad.yaml b/other/require-emptydir-requests-limits/.chainsaw-test/podcontroller-bad.yaml index 7983cee46..d32c2c22d 100644 
--- a/other/require-emptydir-requests-limits/.chainsaw-test/podcontroller-bad.yaml +++ b/other/require-emptydir-requests-limits/.chainsaw-test/podcontroller-bad.yaml @@ -16,23 +16,23 @@ spec: app: busybox spec: initContainers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox-init volumeMounts: - mountPath: /mnt/foo name: foo - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox02-init volumeMounts: - mountPath: /mnt/vol name: vol containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox volumeMounts: - mountPath: /mnt/foo name: foo-host - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox02 resources: requests: @@ -63,7 +63,7 @@ spec: template: spec: initContainers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox-init volumeMounts: - mountPath: /mnt/foo @@ -73,18 +73,18 @@ spec: ephemeral-storage: "2Gi" limits: ephemeral-storage: "2Gi" - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox02-init volumeMounts: - mountPath: /mnt/vol name: vol containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox volumeMounts: - mountPath: /mnt/foo name: foo-host - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox02 resources: requests: diff --git a/other/require-emptydir-requests-limits/.chainsaw-test/podcontroller-good.yaml b/other/require-emptydir-requests-limits/.chainsaw-test/podcontroller-good.yaml index bbea194f0..70b656486 100644 --- a/other/require-emptydir-requests-limits/.chainsaw-test/podcontroller-good.yaml +++ b/other/require-emptydir-requests-limits/.chainsaw-test/podcontroller-good.yaml @@ -16,7 +16,7 @@ spec: app: busybox spec: initContainers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox-init volumeMounts: - mountPath: /mnt/vol 
@@ -26,18 +26,18 @@ spec: ephemeral-storage: "2Gi" limits: ephemeral-storage: "2Gi" - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox02-init volumeMounts: - mountPath: /mnt/foo name: foo-host containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox volumeMounts: - mountPath: /mnt/foo name: foo - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox02 resources: requests: @@ -68,7 +68,7 @@ spec: template: spec: initContainers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox-init volumeMounts: - mountPath: /mnt/vol @@ -78,18 +78,18 @@ spec: ephemeral-storage: "2Gi" limits: ephemeral-storage: "2Gi" - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox02-init volumeMounts: - mountPath: /mnt/foo name: foo containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox volumeMounts: - mountPath: /mnt/foo name: foo - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox02 resources: requests: diff --git a/other/require-image-checksum/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other/require-image-checksum/.chainsaw-test/chainsaw-step-01-assert-1.yaml index e004556f1..c0c44a2a1 100755 --- a/other/require-image-checksum/.chainsaw-test/chainsaw-step-01-assert-1.yaml +++ b/other/require-image-checksum/.chainsaw-test/chainsaw-step-01-assert-1.yaml @@ -3,8 +3,4 @@ kind: ClusterPolicy metadata: name: require-image-checksum status: - conditions: - - reason: Succeeded - status: "True" - type: Ready - + ready: true diff --git a/other/require-image-checksum/.chainsaw-test/chainsaw-test.yaml b/other/require-image-checksum/.chainsaw-test/chainsaw-test.yaml index c83534836..1aad3ddeb 100755 --- a/other/require-image-checksum/.chainsaw-test/chainsaw-test.yaml +++ b/other/require-image-checksum/.chainsaw-test/chainsaw-test.yaml 
@@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: @@ -8,16 +7,9 @@ spec: steps: - name: step-01 try: - - apply: - file: ../require-image-checksum.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: require-image-checksum - spec: - validationFailureAction: Enforce + - script: + content: | + sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../require-image-checksum.yaml | kubectl create -f - - assert: file: chainsaw-step-01-assert-1.yaml - name: step-02 @@ -36,20 +28,10 @@ spec: - check: ($error != null): true file: podcontroller-bad.yaml - - name: step-03 + - name: step-99 try: - - script: - content: | - kubectl apply -f pod-good-for-ephemeral.yaml - sleep 2 - kubectl debug goodpod-for-debug -it --image=ubuntu@sha256:0eb0f877e1c869a300c442c41120e778db7161419244ee5cbc6fa5f134e74736 --share-processes --copy-to=myapp-debug - - script: - content: | - kubectl apply -f pod-bad-for-ephemeral.yaml - sleep 2 - kubectl debug badpod-for-debug -it --image=ubuntu --share-processes --copy-to=myapp-debug - check: - ($error != null): true - - script: - content: | - kubectl delete pods --all --force + - delete: + ref: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: require-image-checksum diff --git a/other/require-image-checksum/.chainsaw-test/pod-bad-for-ephemeral.yaml b/other/require-image-checksum/.chainsaw-test/pod-bad-for-ephemeral.yaml deleted file mode 100644 index 0b6a5d300..000000000 --- a/other/require-image-checksum/.chainsaw-test/pod-bad-for-ephemeral.yaml +++ /dev/null @@ -1,10 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: badpod-for-debug -spec: - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox@sha256:c81e98c8ff8ebe2ef81b784e9fcab9d1013d75064d00d0be4941ffb6973c948d - command: ["sleep", "1d"] - 
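Review bot: Deleting step-03 removes the only end-to-end check that an ephemeral container added with `kubectl debug` and a tag-only image is rejected, and the step-99 that replaces it is just cleanup, so the ephemeral-container path of require-image-checksum is no longer exercised by any test. This matches the policy change in require-image-checksum.yaml that drops the `=(ephemeralContainers)` pattern, so if narrowing the policy is intentional the test removal is consistent and the policy description should be updated to say so; if it is not intentional, step-03 (and the two pod-*-for-ephemeral.yaml fixtures deleted here) should be kept. Either way, a one-line comment above step-99 such as `# policy created via kubectl in step-01; delete explicitly` would explain why the cleanup step exists.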
diff --git a/other/require-image-checksum/.chainsaw-test/pod-bad.yaml b/other/require-image-checksum/.chainsaw-test/pod-bad.yaml index 369a602ab..861eded64 100644 --- a/other/require-image-checksum/.chainsaw-test/pod-bad.yaml +++ b/other/require-image-checksum/.chainsaw-test/pod-bad.yaml @@ -5,9 +5,9 @@ metadata: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: busybox02 - image: ghcr.io/kyverno/test-busybox@sha256:c81e98c8ff8ebe2ef81b784e9fcab9d1013d75064d00d0be4941ffb6973c948d + image: busybox@sha256:67a8ef886e2ca4055f00e7cd13aedb9b24148c1451a6832d16fcc997a157eedc --- apiVersion: v1 kind: Pod @@ -16,25 +16,6 @@ metadata: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox + image: busybox - name: bb - image: ghcr.io/kyverno/test-busybox:latest ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod03 -spec: - initContainers: - - name: init-busybox - image: ghcr.io/kyverno/test-busybox:1.35 - command: ['sh', '-c', 'echo Init container 1 completed'] - - name: init-alpine - image: alpine:3.16 - command: ['sh', '-c', 'echo Init container 2 completed'] - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 - - name: busybox02 - image: ghcr.io/kyverno/test-busybox@sha256:c81e98c8ff8ebe2ef81b784e9fcab9d1013d75064d00d0be4941ffb6973c948d ---- + image: busybox:latest \ No newline at end of file diff --git a/other/require-image-checksum/.chainsaw-test/pod-good-for-ephemeral.yaml b/other/require-image-checksum/.chainsaw-test/pod-good-for-ephemeral.yaml deleted file mode 100644 index 461519b56..000000000 --- a/other/require-image-checksum/.chainsaw-test/pod-good-for-ephemeral.yaml +++ /dev/null @@ -1,9 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: goodpod-for-debug -spec: - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox@sha256:c81e98c8ff8ebe2ef81b784e9fcab9d1013d75064d00d0be4941ffb6973c948d - command: ["sleep", "1d"] 
diff --git a/other/require-image-checksum/.chainsaw-test/pod-good.yaml b/other/require-image-checksum/.chainsaw-test/pod-good.yaml index 5e29724b6..3b71c5b5f 100644 --- a/other/require-image-checksum/.chainsaw-test/pod-good.yaml +++ b/other/require-image-checksum/.chainsaw-test/pod-good.yaml @@ -5,9 +5,9 @@ metadata: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox@sha256:c81e98c8ff8ebe2ef81b784e9fcab9d1013d75064d00d0be4941ffb6973c948d + image: busybox@sha256:67a8ef886e2ca4055f00e7cd13aedb9b24148c1451a6832d16fcc997a157eedc - name: busybox02 - image: ghcr.io/kyverno/test-busybox@sha256:c81e98c8ff8ebe2ef81b784e9fcab9d1013d75064d00d0be4941ffb6973c948d + image: busybox@sha256:67a8ef886e2ca4055f00e7cd13aedb9b24148c1451a6832d16fcc997a157eedc --- apiVersion: v1 kind: Pod 
@@ -16,25 +16,6 @@ metadata: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox@sha256:c81e98c8ff8ebe2ef81b784e9fcab9d1013d75064d00d0be4941ffb6973c948d + image: busybox@sha256:67a8ef886e2ca4055f00e7cd13aedb9b24148c1451a6832d16fcc997a157eedc - name: nginx - image: ghcr.io/kyverno/test-nginx@sha256:eca6768a39363decf0a4606a282e222552576fec380f555b65560983f7305cf7 ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod03 -spec: - initContainers: - - name: init-busybox - image: ghcr.io/kyverno/test-busybox@sha256:c81e98c8ff8ebe2ef81b784e9fcab9d1013d75064d00d0be4941ffb6973c948d - command: ['sh', '-c', 'echo Init container 1 completed'] - - name: init-nginx - image: ghcr.io/kyverno/test-nginx@sha256:eca6768a39363decf0a4606a282e222552576fec380f555b65560983f7305cf7 - command: ['sh', '-c', 'echo Init container 2 completed'] - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox@sha256:c81e98c8ff8ebe2ef81b784e9fcab9d1013d75064d00d0be4941ffb6973c948d - - name: nginx - image: ghcr.io/kyverno/test-nginx@sha256:eca6768a39363decf0a4606a282e222552576fec380f555b65560983f7305cf7 ---- + image: nginx@sha256:1bb5c4b86cb7c1e9f0209611dc2135d8a2c1c3a6436163970c99193787d067ea \ No newline at end of file diff --git a/other/require-image-checksum/.chainsaw-test/podcontroller-bad.yaml b/other/require-image-checksum/.chainsaw-test/podcontroller-bad.yaml index 94b3efb8a..94553ecae 100644 --- a/other/require-image-checksum/.chainsaw-test/podcontroller-bad.yaml +++ b/other/require-image-checksum/.chainsaw-test/podcontroller-bad.yaml @@ -17,9 +17,9 @@ spec: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: nginx - image: ghcr.io/kyverno/test-nginx@sha256:eca6768a39363decf0a4606a282e222552576fec380f555b65560983f7305cf7 + image: nginx@sha256:1bb5c4b86cb7c1e9f0209611dc2135d8a2c1c3a6436163970c99193787d067ea --- apiVersion: batch/v1 kind: CronJob 
@@ -33,7 +33,7 @@ spec: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox@sha256:c81e98c8ff8ebe2ef81b784e9fcab9d1013d75064d00d0be4941ffb6973c948d + image: busybox@sha256:67a8ef886e2ca4055f00e7cd13aedb9b24148c1451a6832d16fcc997a157eedc - name: bb - image: ghcr.io/kyverno/test-busybox:latest + image: busybox:latest restartPolicy: OnFailure \ No newline at end of file diff --git a/other/require-image-checksum/.chainsaw-test/podcontroller-good.yaml b/other/require-image-checksum/.chainsaw-test/podcontroller-good.yaml index 2e1dcb3dd..adbbf001b 100644 --- a/other/require-image-checksum/.chainsaw-test/podcontroller-good.yaml +++ b/other/require-image-checksum/.chainsaw-test/podcontroller-good.yaml @@ -17,9 +17,9 @@ spec: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox@sha256:c81e98c8ff8ebe2ef81b784e9fcab9d1013d75064d00d0be4941ffb6973c948d + image: busybox@sha256:67a8ef886e2ca4055f00e7cd13aedb9b24148c1451a6832d16fcc997a157eedc - name: nginx - image: ghcr.io/kyverno/test-nginx@sha256:eca6768a39363decf0a4606a282e222552576fec380f555b65560983f7305cf7 + image: nginx@sha256:1bb5c4b86cb7c1e9f0209611dc2135d8a2c1c3a6436163970c99193787d067ea --- apiVersion: batch/v1 kind: CronJob @@ -33,7 +33,7 @@ spec: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox@sha256:c81e98c8ff8ebe2ef81b784e9fcab9d1013d75064d00d0be4941ffb6973c948d + image: busybox@sha256:67a8ef886e2ca4055f00e7cd13aedb9b24148c1451a6832d16fcc997a157eedc - name: nginx - image: ghcr.io/kyverno/test-nginx@sha256:eca6768a39363decf0a4606a282e222552576fec380f555b65560983f7305cf7 + image: nginx@sha256:1bb5c4b86cb7c1e9f0209611dc2135d8a2c1c3a6436163970c99193787d067ea restartPolicy: OnFailure \ No newline at end of file diff --git a/other/require-image-checksum/.kyverno-test/kyverno-test.yaml b/other/require-image-checksum/.kyverno-test/kyverno-test.yaml index 0db076f06..574028fb6 100644 --- a/other/require-image-checksum/.kyverno-test/kyverno-test.yaml 
+++ b/other/require-image-checksum/.kyverno-test/kyverno-test.yaml @@ -17,17 +17,17 @@ results: policy: require-image-checksum resources: - myapp-pod-2 - result: pass + result: fail rule: require-image-checksum - kind: Deployment policy: require-image-checksum resources: - mydeploy - result: fail + result: pass rule: require-image-checksum - kind: Pod policy: require-image-checksum resources: - myapp-pod-1 - result: fail + result: pass rule: require-image-checksum diff --git a/other/require-image-checksum/.kyverno-test/resource.yaml b/other/require-image-checksum/.kyverno-test/resource.yaml index d200ca7de..99174c394 100644 --- a/other/require-image-checksum/.kyverno-test/resource.yaml +++ b/other/require-image-checksum/.kyverno-test/resource.yaml @@ -5,10 +5,6 @@ metadata: labels: app: myapp-1 spec: - initContainers: - - name: init-myservice - image: busybox - command: ['sh', '-c', 'echo Initializing...'] containers: - name: nginx image: nginx@sha256:353c20f74d9b6aee359f30e8e4f69c3d7eaea2f610681c4a95849a2fd7c497f9 @@ -21,13 +17,9 @@ metadata: labels: app: myapp-2 spec: - initContainers: - - name: init-myservice - image: busybox@sha256:9ae97d36d26566ff84e8893c64a6dc4fe8ca6d1144bf5b87b2b85a32def253c7 - command: ['sh', '-c', 'echo Initializing...'] containers: - name: nginx - image: nginx@sha256:353c20f74d9b6aee359f30e8e4f69c3d7eaea2f610681c4a95849a2fd7c497f9 + image: nginx --- apiVersion: apps/v1 @@ -44,10 +36,6 @@ spec: labels: app: myapp spec: - initContainers: - - name: init-myservice - image: busybox - command: ['sh', '-c', 'echo Initializing...'] containers: - name: nginx image: nginx@sha256:353c20f74d9b6aee359f30e8e4f69c3d7eaea2f610681c4a95849a2fd7c497f9 @@ -65,10 +53,6 @@ spec: spec: template: spec: - initContainers: - - name: init-myservice - image: busybox - command: ['sh', '-c', 'echo Initializing...'] containers: - name: hello image: busybox @@ -77,4 +61,4 @@ spec: - /bin/sh - -c - date; echo Hello from the Kubernetes cluster - + restartPolicy: OnFailure 
diff --git a/other/require-image-checksum/artifacthub-pkg.yml b/other/require-image-checksum/artifacthub-pkg.yml
index 89eaf13ea..64e238b99 100644
--- a/other/require-image-checksum/artifacthub-pkg.yml
+++ b/other/require-image-checksum/artifacthub-pkg.yml
@@ -18,4 +18,4 @@ readme: | annotations: kyverno/category: "Sample" kyverno/subject: "Pod"
-digest: c04622929b71c3e6437ad7f1f6ee84e8601e46ff35344c1cabb512d43b314cc1
+digest: 3337bb7de436169ae83391daf6da76251ce00422f3fc5691d80cfc6f75606d80
diff --git a/other/require-image-checksum/require-image-checksum.yaml b/other/require-image-checksum/require-image-checksum.yaml
index 9fc259b01..e75024622 100644
--- a/other/require-image-checksum/require-image-checksum.yaml
+++ b/other/require-image-checksum/require-image-checksum.yaml
@@ -9,9 +9,11 @@ metadata: policies.kyverno.io/subject: Pod policies.kyverno.io/minversion: 1.6.0 policies.kyverno.io/description: >-
- Use of a SHA checksum when pulling an image is often preferable because tags are mutable and can be overwritten. This policy checks to ensure that all images use SHA checksums rather than tags.
+ Use of a SHA checksum when pulling an image is often preferable because tags
+ are mutable and can be overwritten. This policy checks to ensure that all images
+ use SHA checksums rather than tags.
 spec:
- validationFailureAction: Audit
+ validationFailureAction: audit
 background: true rules: - name: require-image-checksum
@@ -25,8 +27,4 @@ spec: pattern: spec: containers:
- - image: "*@*"
- =(ephemeralContainers):
- - image: "*@*"
- =(initContainers):
- - image: "*@*"
+ - image: "*@*"
\ No newline at end of file
diff --git a/other/require-image-source/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other/require-image-source/.chainsaw-test/chainsaw-step-01-assert-1.yaml
index f364f02c5..dac18803b 100755
--- a/other/require-image-source/.chainsaw-test/chainsaw-step-01-assert-1.yaml
+++ b/other/require-image-source/.chainsaw-test/chainsaw-step-01-assert-1.yaml
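Review bot: The second hunk of require-image-checksum.yaml narrows the validation pattern to `spec.containers` only by removing the `=(ephemeralContainers)` and `=(initContainers)` entries, so an init container or ephemeral container that pulls by mutable tag now passes a policy whose description (reflowed in the first hunk) still promises that "all images use SHA checksums rather than tags"; an init container runs with the same service account and volumes as the main containers, so it is the same supply-chain exposure. The fixtures that exercised these paths are removed in the same commit — badpod03/goodpod03 in the require-image-checksum chainsaw pod files, every `initContainers` block in .kyverno-test/resource.yaml (with the result flips in kyverno-test.yaml), and the ephemeral step-03 — so nothing will flag the regression. Unless the narrowing is deliberate, restore the two optional-key patterns as below; if it is deliberate, change the description to say the policy covers `containers` only. The file also loses its trailing newline.

```yaml
        pattern:
          spec:
            containers:
            - image: "*@*"
            =(ephemeralContainers):
            - image: "*@*"
            =(initContainers):
            - image: "*@*"
```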
@@ -3,8 +3,4 @@ kind: ClusterPolicy metadata: name: require-image-source status: - conditions: - - reason: Succeeded - status: "True" - type: Ready - + ready: true diff --git a/other/require-image-source/.chainsaw-test/chainsaw-test.yaml b/other/require-image-source/.chainsaw-test/chainsaw-test.yaml index 2d8bf186c..273a1c791 100755 --- a/other/require-image-source/.chainsaw-test/chainsaw-test.yaml +++ b/other/require-image-source/.chainsaw-test/chainsaw-test.yaml @@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: @@ -8,16 +7,9 @@ spec: steps: - name: step-01 try: - - apply: - file: ../require-image-source.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: require-image-source - spec: - validationFailureAction: Enforce + - script: + content: | + sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../require-image-source.yaml | kubectl create -f - - assert: file: chainsaw-step-01-assert-1.yaml - name: step-02 @@ -36,3 +28,10 @@ spec: - check: ($error != null): true file: podcontroller-bad.yaml + - name: step-99 + try: + - delete: + ref: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: require-image-source diff --git a/other/require-image-source/artifacthub-pkg.yml b/other/require-image-source/artifacthub-pkg.yml index 02ca86dd7..b6e7f081d 100644 --- a/other/require-image-source/artifacthub-pkg.yml +++ b/other/require-image-source/artifacthub-pkg.yml @@ -19,4 +19,4 @@ annotations: kyverno/category: "Other" kyverno/kubernetesVersion: "1.23" kyverno/subject: "Pod" -digest: f3c463c88038c56cc9f24daec7120fe2c99871d023b03908d2936e2a183c7488 +digest: 439869ce881c7a4eea43180435dad9eb03c5c9c2cfae470822de7b988b2da514 
diff --git a/other/require-image-source/require-image-source.yaml b/other/require-image-source/require-image-source.yaml index de17213e4..3f475a19b 100644 --- a/other/require-image-source/require-image-source.yaml +++ b/other/require-image-source/require-image-source.yaml @@ -18,7 +18,7 @@ metadata: either a label `org.opencontainers.image.source` or a newer annotation in the manifest of the same name. spec: - validationFailureAction: Audit + validationFailureAction: audit rules: - name: check-source match: diff --git a/other/require-imagepullsecrets/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other/require-imagepullsecrets/.chainsaw-test/chainsaw-step-01-assert-1.yaml index cd574d50d..2dea3c73c 100755 --- a/other/require-imagepullsecrets/.chainsaw-test/chainsaw-step-01-assert-1.yaml +++ b/other/require-imagepullsecrets/.chainsaw-test/chainsaw-step-01-assert-1.yaml @@ -3,8 +3,4 @@ kind: ClusterPolicy metadata: name: require-imagepullsecrets status: - conditions: - - reason: Succeeded - status: "True" - type: Ready - + ready: true diff --git a/other/require-imagepullsecrets/.chainsaw-test/chainsaw-test.yaml b/other/require-imagepullsecrets/.chainsaw-test/chainsaw-test.yaml index ff0dcf6bd..a9e6d70d5 100755 --- a/other/require-imagepullsecrets/.chainsaw-test/chainsaw-test.yaml +++ b/other/require-imagepullsecrets/.chainsaw-test/chainsaw-test.yaml @@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: 
@@ -8,16 +7,9 @@ spec: steps: - name: step-01 try: - - apply: - file: ../require-imagepullsecrets.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: require-imagepullsecrets - spec: - validationFailureAction: Enforce + - script: + content: | + sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../require-imagepullsecrets.yaml | kubectl create -f - - assert: file: chainsaw-step-01-assert-1.yaml - name: step-02 @@ -36,3 +28,10 @@ spec: - check: ($error != null): true file: podcontroller-bad.yaml + - name: step-99 + try: + - delete: + ref: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: require-imagepullsecrets diff --git a/other/require-imagepullsecrets/.chainsaw-test/pod-bad.yaml b/other/require-imagepullsecrets/.chainsaw-test/pod-bad.yaml index 90485653d..7752ff1f1 100644 --- a/other/require-imagepullsecrets/.chainsaw-test/pod-bad.yaml +++ b/other/require-imagepullsecrets/.chainsaw-test/pod-bad.yaml @@ -5,7 +5,7 @@ metadata: spec: containers: - name: busybox - image: busybox + image: busybox:1.35 --- apiVersion: v1 kind: Pod @@ -13,10 +13,10 @@ metadata: name: badpod02 spec: containers: - - name: test + - name: nginx image: ghcr.io/kyverno/test-verify-image:unsigned - name: busybox - image: docker.io/library/busybox:latest + image: busybox:1.35 --- apiVersion: v1 kind: Pod @@ -25,9 +25,9 @@ metadata: spec: containers: - name: busybox - image: docker.io/library/busybox:latest + image: busybox:1.35 - name: nginx - image: test + image: ghcr.io/kyverno/test-verify-image:unsigned --- apiVersion: v1 kind: Pod @@ -38,4 +38,4 @@ spec: - name: busybox image: quay.io/quay/busybox:1.35 - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 \ No newline at end of file + image: busybox:1.35 \ No newline at end of file diff --git a/other/require-imagepullsecrets/.chainsaw-test/pod-good.yaml b/other/require-imagepullsecrets/.chainsaw-test/pod-good.yaml index cf44ccd83..ec771040e 100644 
--- a/other/require-imagepullsecrets/.chainsaw-test/pod-good.yaml +++ b/other/require-imagepullsecrets/.chainsaw-test/pod-good.yaml @@ -5,7 +5,7 @@ metadata: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 imagePullSecrets: - name: myregistrykey --- @@ -27,7 +27,7 @@ spec: - name: nginx image: ghcr.io/kyverno/test-verify-image:unsigned - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 imagePullSecrets: - name: myregistrykey --- @@ -38,7 +38,7 @@ metadata: spec: containers: - name: nginx - image: ghcr.io/kyverno/test-nginx:1.12 + image: nginx:1.12 - name: busybox image: quay.io/quay/busybox imagePullSecrets: diff --git a/other/require-imagepullsecrets/.chainsaw-test/podcontroller-bad.yaml b/other/require-imagepullsecrets/.chainsaw-test/podcontroller-bad.yaml index 6d54ff516..b045809ce 100644 --- a/other/require-imagepullsecrets/.chainsaw-test/podcontroller-bad.yaml +++ b/other/require-imagepullsecrets/.chainsaw-test/podcontroller-bad.yaml @@ -17,7 +17,7 @@ spec: spec: containers: - name: busybox - image: docker.io/library/busybox:latest + image: busybox:1.35 - name: nginx image: ghcr.io/kyverno/test-verify-image:unsigned --- @@ -33,7 +33,7 @@ spec: spec: containers: - name: nginx - image: docker.io/library/busybox:latest + image: ghcr.io/kyverno/test-verify-image:unsigned - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 restartPolicy: OnFailure \ No newline at end of file diff --git a/other/require-imagepullsecrets/.chainsaw-test/podcontroller-good.yaml b/other/require-imagepullsecrets/.chainsaw-test/podcontroller-good.yaml index 145420ad8..42e09323a 100644 --- a/other/require-imagepullsecrets/.chainsaw-test/podcontroller-good.yaml +++ b/other/require-imagepullsecrets/.chainsaw-test/podcontroller-good.yaml 
@@ -19,7 +19,7 @@ spec: - name: nginx image: ghcr.io/kyverno/test-verify-image:unsigned - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 imagePullSecrets: - name: myregistrykey --- @@ -37,7 +37,7 @@ spec: - name: nginx image: ghcr.io/kyverno/test-verify-image:unsigned - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 imagePullSecrets: - name: myregistrykey restartPolicy: OnFailure \ No newline at end of file diff --git a/other/require-imagepullsecrets/artifacthub-pkg.yml b/other/require-imagepullsecrets/artifacthub-pkg.yml index 01f0b55fc..a4f1a2be1 100644 --- a/other/require-imagepullsecrets/artifacthub-pkg.yml +++ b/other/require-imagepullsecrets/artifacthub-pkg.yml @@ -18,4 +18,4 @@ readme: | annotations: kyverno/category: "Sample" kyverno/subject: "Pod" -digest: d8d0e0f4e0c34ddb01bcce40e04b12250f31258dd65e86cf3d6698e943bd4f39 +digest: f3c4d38ad9226792773c837a5d87c53785a7b5e81cd32c9d6904afed09f05658 diff --git a/other/require-imagepullsecrets/require-imagepullsecrets.yaml b/other/require-imagepullsecrets/require-imagepullsecrets.yaml index bbae63228..ba65bf9b9 100644 --- a/other/require-imagepullsecrets/require-imagepullsecrets.yaml +++ b/other/require-imagepullsecrets/require-imagepullsecrets.yaml @@ -12,7 +12,7 @@ metadata: from them. This policy checks those images and if they come from a registry other than ghcr.io or quay.io an `imagePullSecret` is required. spec: - validationFailureAction: Audit + validationFailureAction: audit background: true rules: - name: check-for-image-pull-secrets diff --git a/other/require-ingress-https/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other/require-ingress-https/.chainsaw-test/chainsaw-step-01-assert-1.yaml index ba4f64d57..4fa797722 100755 --- a/other/require-ingress-https/.chainsaw-test/chainsaw-step-01-assert-1.yaml +++ b/other/require-ingress-https/.chainsaw-test/chainsaw-step-01-assert-1.yaml 
@@ -3,8 +3,4 @@ kind: ClusterPolicy metadata: name: require-ingress-https status:
- conditions:
- - reason: Succeeded
- status: "True"
- type: Ready
-
+ ready: true
diff --git a/other/require-ingress-https/.chainsaw-test/chainsaw-test.yaml b/other/require-ingress-https/.chainsaw-test/chainsaw-test.yaml
index 3f4fe55e5..65d26e4b2 100755
--- a/other/require-ingress-https/.chainsaw-test/chainsaw-test.yaml
+++ b/other/require-ingress-https/.chainsaw-test/chainsaw-test.yaml
@@ -1,4 +1,3 @@
-# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
 apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata:
@@ -8,16 +7,9 @@ spec: steps: - name: step-01 try:
- - apply:
- file: ../require-ingress-https.yaml
- - patch:
- resource:
- apiVersion: kyverno.io/v1
- kind: ClusterPolicy
- metadata:
- name: require-ingress-https
- spec:
- validationFailureAction: Enforce
+ - script:
+ content: |
+ sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../require-ingress-https.yaml | kubectl create -f -
 - assert: file: chainsaw-step-01-assert-1.yaml - name: step-02
@@ -29,3 +21,10 @@ spec: - check: ($error != null): true file: ingress-bad.yaml
+ - name: step-99
+ try:
+ - delete:
+ ref:
+ apiVersion: kyverno.io/v1
+ kind: ClusterPolicy
+ name: require-ingress-https
diff --git a/other/require-ingress-https/.chainsaw-test/ingress-bad.yaml b/other/require-ingress-https/.chainsaw-test/ingress-bad.yaml
index c3d232f9b..ae1d49976 100644
--- a/other/require-ingress-https/.chainsaw-test/ingress-bad.yaml
+++ b/other/require-ingress-https/.chainsaw-test/ingress-bad.yaml
@@ -32,7 +32,7 @@ spec: ingressClassName: nginx-int rules: - host: endpoint01
- http:
+ https:
 paths: - path: /testpath pathType: Prefix
@@ -64,7 +64,7 @@ spec: ingressClassName: nginx-int rules: - host: endpoint01
- http:
+ https:
 paths: - path: /testpath pathType: Prefix
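Review bot: `https:` is not a field of `networking.k8s.io/v1` IngressRule; the rule value is `http:` whether or not TLS is configured, and TLS is expressed through the top-level `spec.tls` list. Depending on the field-validation mode of the client chainsaw uses, the unknown key is either rejected outright or silently pruned, so the step-02 `($error != null): true` checks on ingress-bad.yaml now pass (or the rules lose their paths) because the manifest is malformed, not because require-ingress-https denied it, and the identical edit in ingress-good.yaml (next hunk) breaks the positive cases the same way. Revert the `- http:`/`+ https:` pairs in both files to `http:`; if the intent was to make the fixtures TLS-backed, that belongs in `spec.tls` entries, which these hunks do not touch. The policy's `.kyverno-test` directory is deleted in this commit as well, so no CLI-level test remains to catch the mismatch.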
@@ -99,7 +99,7 @@ spec: ingressClassName: nginx-int rules: - host: endpoint01 - http: + https: paths: - path: /testpath pathType: Prefix diff --git a/other/require-ingress-https/.chainsaw-test/ingress-good.yaml b/other/require-ingress-https/.chainsaw-test/ingress-good.yaml index acd7a9317..2a168ed5f 100644 --- a/other/require-ingress-https/.chainsaw-test/ingress-good.yaml +++ b/other/require-ingress-https/.chainsaw-test/ingress-good.yaml @@ -9,7 +9,7 @@ spec: ingressClassName: someingress rules: - host: endpoint01 - http: + https: paths: - backend: service: @@ -33,7 +33,7 @@ spec: ingressClassName: nginx-int rules: - host: endpoint01 - http: + https: paths: - path: /testpath pathType: Prefix @@ -43,7 +43,7 @@ spec: port: number: 80 - host: endpoint02 - http: + https: paths: - path: /testpath pathType: Prefix diff --git a/other/require-ingress-https/.kyverno-test/kyverno-test.yaml b/other/require-ingress-https/.kyverno-test/kyverno-test.yaml deleted file mode 100644 index 530b4fe66..000000000 --- a/other/require-ingress-https/.kyverno-test/kyverno-test.yaml +++ /dev/null @@ -1,38 +0,0 @@ -apiVersion: cli.kyverno.io/v1alpha1 -kind: Test -metadata: - name: require-ingress-https -policies: -- ../require-ingress-https.yaml -resources: -- resource.yaml -results: -- kind: Ingress - policy: require-ingress-https - resources: - - goodingress01 - - goodingress02 - result: pass - rule: has-annotation -- kind: Ingress - policy: require-ingress-https - resources: - - goodingress01 - - goodingress02 - result: pass - rule: has-tls -- kind: Ingress - policy: require-ingress-https - resources: - - badingress01 - - badingress02 - - badingress03 - result: fail - rule: has-annotation -- kind: Ingress - policy: require-ingress-https - resources: - - badingress04 - result: fail - rule: has-tls - diff --git a/other/require-ingress-https/.kyverno-test/resource.yaml b/other/require-ingress-https/.kyverno-test/resource.yaml deleted file mode 100644 index e1a3fa535..000000000 
--- a/other/require-ingress-https/.kyverno-test/resource.yaml +++ /dev/null 
@@ -1,180 +0,0 @@ -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - annotations: - kyverno.io/foo: bar - kubernetes.io/ingress.allow-http: "true" - name: badingress01 -spec: - ingressClassName: someingress - rules: - - host: endpoint01 - http: - paths: - - backend: - service: - name: demo-svc - port: - number: 8080 - path: / - pathType: Prefix - tls: - - hosts: - - endpoint01 ---- -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: badingress02 - annotations: - kyverno.io/foo: bar -spec: - ingressClassName: nginx-int - rules: - - host: endpoint01 - http: - paths: - - path: /testpath - pathType: Prefix - backend: - service: - name: test - port: - number: 80 - - host: endpoint02 - http: - paths: - - path: /testpath - pathType: Prefix - backend: - service: - name: test - port: - number: 80 - tls: - - hosts: - - endpoint01 - - endpoint02 ---- -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: badingress03 -spec: - ingressClassName: nginx-int - rules: - - host: endpoint01 - http: - paths: - - path: /testpath - pathType: Prefix - backend: - service: - name: test - port: - number: 80 - - host: endpoint02 - http: - paths: - - path: /testpath - pathType: Prefix - backend: - service: - name: test - port: - number: 80 - tls: - - hosts: - - endpoint01 - - endpoint02 ---- -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - annotations: - kyverno.io/foo: bar - kubernetes.io/ingress.allow-http: "false" - name: badingress04 -spec: - ingressClassName: nginx-int - rules: - - host: endpoint01 - http: - paths: - - path: /testpath - pathType: Prefix - backend: - service: - name: test - port: - number: 80 - - host: endpoint02 - http: - paths: - - path: /testpath - pathType: Prefix - backend: - service: - name: test - port: - number: 80 ---- -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - annotations: - kyverno.io/foo: bar - kubernetes.io/ingress.allow-http: "false" - name: goodingress01 -spec: - ingressClassName: 
someingress - rules: - - host: endpoint01 - http: - paths: - - backend: - service: - name: demo-svc - port: - number: 8080 - path: / - pathType: Prefix - tls: - - hosts: - - endpoint01 ---- -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - annotations: - kubernetes.io/ingress.allow-http: "false" - kyverno.io/foo: bar - name: goodingress02 -spec: - ingressClassName: nginx-int - rules: - - host: endpoint01 - http: - paths: - - path: /testpath - pathType: Prefix - backend: - service: - name: test - port: - number: 80 - - host: endpoint02 - http: - paths: - - path: /testpath - pathType: Prefix - backend: - service: - name: test - port: - number: 80 - tls: - - hosts: - - endpoint01 - - endpoint02 - diff --git a/other/require-ingress-https/artifacthub-pkg.yml b/other/require-ingress-https/artifacthub-pkg.yml index 1c33821f8..74f1bbfd3 100644 --- a/other/require-ingress-https/artifacthub-pkg.yml +++ b/other/require-ingress-https/artifacthub-pkg.yml @@ -19,4 +19,4 @@ annotations: kyverno/category: "Other" kyverno/kubernetesVersion: "1.24" kyverno/subject: "Ingress" -digest: cdb852e2d5ddb156f5e85f1762d96019ea169f10cac73cace3b0cc5a50383e0e +digest: 982d69a4f52345017974fd7bb4d7de95223a9ab3570caae9796c5f99374d5e02 diff --git a/other/require-ingress-https/require-ingress-https.yaml b/other/require-ingress-https/require-ingress-https.yaml index 446c18638..245c2e963 100644 --- a/other/require-ingress-https/require-ingress-https.yaml +++ b/other/require-ingress-https/require-ingress-https.yaml @@ -16,7 +16,7 @@ metadata: `"false"` and specify TLS in the spec. spec: background: true - validationFailureAction: Audit + validationFailureAction: audit rules: - name: has-annotation match: diff --git a/other/require-netpol/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other/require-netpol/.chainsaw-test/chainsaw-step-01-assert-1.yaml index 8f601d225..4c125b9cf 100755 --- a/other/require-netpol/.chainsaw-test/chainsaw-step-01-assert-1.yaml 
+++ b/other/require-netpol/.chainsaw-test/chainsaw-step-01-assert-1.yaml @@ -3,8 +3,4 @@ kind: ClusterPolicy metadata: name: require-network-policy status: - conditions: - - reason: Succeeded - status: "True" - type: Ready - + ready: true diff --git a/other/require-netpol/.chainsaw-test/chainsaw-test.yaml b/other/require-netpol/.chainsaw-test/chainsaw-test.yaml index 5354181df..2b8711fde 100755 --- a/other/require-netpol/.chainsaw-test/chainsaw-test.yaml +++ b/other/require-netpol/.chainsaw-test/chainsaw-test.yaml @@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: @@ -10,16 +9,9 @@ spec: try: - apply: file: netpol.yaml - - apply: - file: ../require-netpol.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: require-network-policy - spec: - validationFailureAction: Enforce + - script: + content: | + sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../require-netpol.yaml | kubectl create -f - - assert: file: chainsaw-step-01-assert-1.yaml - name: step-02 @@ -31,3 +23,10 @@ spec: - check: ($error != null): true file: deploy-bad.yaml + - name: step-99 + try: + - delete: + ref: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: require-network-policy diff --git a/other/require-netpol/.chainsaw-test/deploy-bad.yaml b/other/require-netpol/.chainsaw-test/deploy-bad.yaml index 182791010..b519536ec 100644 --- a/other/require-netpol/.chainsaw-test/deploy-bad.yaml +++ b/other/require-netpol/.chainsaw-test/deploy-bad.yaml @@ -15,7 +15,7 @@ spec: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - containerPort: 80 --- @@ -35,7 +35,7 @@ spec: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - containerPort: 80 --- 
@@ -57,7 +57,7 @@ spec: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: apps/v1 kind: Deployment @@ -78,4 +78,4 @@ spec: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 \ No newline at end of file + image: busybox:1.35 \ No newline at end of file diff --git a/other/require-netpol/.chainsaw-test/deploy-good.yaml b/other/require-netpol/.chainsaw-test/deploy-good.yaml index 434f62123..5ae682bba 100644 --- a/other/require-netpol/.chainsaw-test/deploy-good.yaml +++ b/other/require-netpol/.chainsaw-test/deploy-good.yaml @@ -15,7 +15,7 @@ spec: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - containerPort: 80 --- @@ -38,7 +38,7 @@ spec: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: apps/v1 kind: Deployment @@ -60,4 +60,4 @@ spec: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 \ No newline at end of file + image: busybox:1.35 \ No newline at end of file diff --git a/other/require-netpol/artifacthub-pkg.yml b/other/require-netpol/artifacthub-pkg.yml index 924016008..4f08f4b1d 100644 --- a/other/require-netpol/artifacthub-pkg.yml +++ b/other/require-netpol/artifacthub-pkg.yml @@ -19,4 +19,4 @@ annotations: kyverno/category: "Sample" kyverno/kubernetesVersion: "1.23" kyverno/subject: "Deployment, NetworkPolicy" -digest: 29a64b1f99f0a4219f4f077557f0774f61ce728e6bb77b082e6e22c5c02ca9ae +digest: d686b188180446c5c25e5bcfa3964da763bffa1a81bda457563c6f965fe2b9b7 diff --git a/other/require-netpol/require-netpol.yaml b/other/require-netpol/require-netpol.yaml index f8a4d848a..87da7eb3d 100644 --- a/other/require-netpol/require-netpol.yaml +++ b/other/require-netpol/require-netpol.yaml 
@@ -15,7 +15,7 @@ metadata: traffic. This policy checks incoming Deployments to ensure they have a matching, preexisting NetworkPolicy. spec: - validationFailureAction: Audit + validationFailureAction: audit background: false rules: - name: require-network-policy diff --git a/other/require-non-root-groups/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other/require-non-root-groups/.chainsaw-test/chainsaw-step-01-assert-1.yaml index 637e72bac..b51263787 100755 --- a/other/require-non-root-groups/.chainsaw-test/chainsaw-step-01-assert-1.yaml +++ b/other/require-non-root-groups/.chainsaw-test/chainsaw-step-01-assert-1.yaml @@ -3,8 +3,4 @@ kind: ClusterPolicy metadata: name: require-non-root-groups status: - conditions: - - reason: Succeeded - status: "True" - type: Ready - + ready: true diff --git a/other/require-non-root-groups/.chainsaw-test/chainsaw-test.yaml b/other/require-non-root-groups/.chainsaw-test/chainsaw-test.yaml index 2a86bed6a..7941f129d 100755 --- a/other/require-non-root-groups/.chainsaw-test/chainsaw-test.yaml +++ b/other/require-non-root-groups/.chainsaw-test/chainsaw-test.yaml @@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: @@ -8,16 +7,9 @@ spec: steps: - name: step-01 try: - - apply: - file: ../require-non-root-groups.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: require-non-root-groups - spec: - validationFailureAction: Enforce + - script: + content: | + sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../require-non-root-groups.yaml | kubectl create -f - - assert: file: chainsaw-step-01-assert-1.yaml - name: step-02 
@@ -36,3 +28,10 @@ spec: - check: ($error != null): true file: podcontroller-bad.yaml + - name: step-99 + try: + - delete: + ref: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: require-non-root-groups diff --git a/other/require-non-root-groups/.chainsaw-test/pod-bad.yaml b/other/require-non-root-groups/.chainsaw-test/pod-bad.yaml index 64313b235..af72489a1 100644 --- a/other/require-non-root-groups/.chainsaw-test/pod-bad.yaml +++ b/other/require-non-root-groups/.chainsaw-test/pod-bad.yaml @@ -5,7 +5,7 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod @@ -14,7 +14,7 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsGroup: 0 --- @@ -25,7 +25,7 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsGroup: 0 --- @@ -36,7 +36,7 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsGroup: 0 securityContext: @@ -49,9 +49,9 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod @@ -60,9 +60,9 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsGroup: 0 --- @@ -73,9 +73,9 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsGroup: 0 --- 
@@ -86,9 +86,9 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsGroup: 0 securityContext: @@ -101,11 +101,11 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsGroup: 1 - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsGroup: 0 securityContext: @@ -118,12 +118,12 @@ metadata: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsGroup: 0 containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsGroup: 1 --- @@ -134,10 +134,10 @@ metadata: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsGroup: 1 securityContext: @@ -150,12 +150,12 @@ metadata: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsGroup: 0 containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsGroup: 1 securityContext: @@ -168,12 +168,12 @@ metadata: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsGroup: 1 --- 
@@ -184,14 +184,14 @@ metadata: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsGroup: 0 containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsGroup: 1 --- @@ -202,12 +202,12 @@ metadata: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsGroup: 0 --- @@ -218,7 +218,7 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: supplementalGroups: [0] --- @@ -229,7 +229,7 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: supplementalGroups: [14,0] --- @@ -240,7 +240,7 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: fsGroup: 0 --- diff --git a/other/require-non-root-groups/.chainsaw-test/pod-good.yaml b/other/require-non-root-groups/.chainsaw-test/pod-good.yaml index 5a1a5a4f7..712cd7520 100644 --- a/other/require-non-root-groups/.chainsaw-test/pod-good.yaml +++ b/other/require-non-root-groups/.chainsaw-test/pod-good.yaml @@ -5,7 +5,7 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsGroup: 1 --- @@ -16,7 +16,7 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsGroup: 1 --- 
@@ -27,7 +27,7 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsGroup: 1 securityContext: @@ -40,9 +40,9 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsGroup: 1 --- @@ -53,9 +53,9 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsGroup: 1 securityContext: @@ -68,10 +68,10 @@ metadata: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsGroup: 1 --- @@ -82,12 +82,12 @@ metadata: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsGroup: 1 containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsGroup: 1 --- @@ -98,12 +98,12 @@ metadata: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsGroup: 1 containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsGroup: 1 --- @@ -114,14 +114,14 @@ metadata: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsGroup: 1 - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsGroup: 1 --- 
@@ -132,16 +132,16 @@ metadata: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsGroup: 1 - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsGroup: 1 containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsGroup: 1 --- @@ -152,7 +152,7 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsGroup: 1 supplementalGroups: [32] @@ -164,7 +164,7 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsGroup: 1 supplementalGroups: [32,94] @@ -176,7 +176,7 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsGroup: 1 fsGroup: 32 \ No newline at end of file diff --git a/other/require-non-root-groups/.chainsaw-test/podcontroller-bad.yaml b/other/require-non-root-groups/.chainsaw-test/podcontroller-bad.yaml index b6ab78f8e..5f56fe9c0 100644 --- a/other/require-non-root-groups/.chainsaw-test/podcontroller-bad.yaml +++ b/other/require-non-root-groups/.chainsaw-test/podcontroller-bad.yaml @@ -14,7 +14,7 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: apps/v1 kind: Deployment @@ -32,7 +32,7 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsGroup: 0 --- @@ -52,7 +52,7 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsGroup: 0 --- 
@@ -72,7 +72,7 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsGroup: 0 securityContext: @@ -94,9 +94,9 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: apps/v1 kind: Deployment @@ -114,9 +114,9 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsGroup: 0 --- @@ -136,9 +136,9 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsGroup: 0 --- @@ -158,9 +158,9 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsGroup: 0 securityContext: @@ -182,11 +182,11 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsGroup: 1 - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsGroup: 0 securityContext: @@ -208,12 +208,12 @@ spec: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsGroup: 0 containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsGroup: 1 --- 
@@ -233,10 +233,10 @@ spec: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsGroup: 1 securityContext: @@ -258,12 +258,12 @@ spec: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsGroup: 0 containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsGroup: 1 securityContext: @@ -285,12 +285,12 @@ spec: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsGroup: 1 --- @@ -310,14 +310,14 @@ spec: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsGroup: 0 containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsGroup: 1 --- @@ -337,12 +337,12 @@ spec: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsGroup: 0 --- @@ -359,7 +359,7 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: batch/v1 kind: CronJob 
@@ -374,7 +374,7 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsGroup: 0 --- @@ -391,7 +391,7 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsGroup: 0 --- @@ -408,7 +408,7 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsGroup: 0 securityContext: @@ -427,9 +427,9 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: batch/v1 kind: CronJob @@ -444,9 +444,9 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsGroup: 0 --- @@ -463,9 +463,9 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsGroup: 0 --- @@ -482,9 +482,9 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsGroup: 0 securityContext: @@ -503,11 +503,11 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsGroup: 1 - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsGroup: 0 securityContext: 
@@ -526,12 +526,12 @@ spec: restartPolicy: OnFailure initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsGroup: 0 containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsGroup: 1 --- @@ -548,10 +548,10 @@ spec: restartPolicy: OnFailure initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsGroup: 1 securityContext: @@ -570,12 +570,12 @@ spec: restartPolicy: OnFailure initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsGroup: 0 containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsGroup: 1 securityContext: @@ -594,12 +594,12 @@ spec: restartPolicy: OnFailure initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsGroup: 1 --- @@ -616,14 +616,14 @@ spec: restartPolicy: OnFailure initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsGroup: 0 containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsGroup: 1 --- 
@@ -640,12 +640,12 @@ spec: restartPolicy: OnFailure initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsGroup: 0 --- @@ -665,7 +665,7 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: supplementalGroups: [0] --- @@ -685,7 +685,7 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: supplementalGroups: [14,0] --- @@ -702,7 +702,7 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: supplementalGroups: [0] --- @@ -719,7 +719,7 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: supplementalGroups: [14,0] --- @@ -739,7 +739,7 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: fsGroup: 0 --- @@ -756,6 +756,6 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: fsGroup: 0 \ No newline at end of file diff --git a/other/require-non-root-groups/.chainsaw-test/podcontroller-good.yaml b/other/require-non-root-groups/.chainsaw-test/podcontroller-good.yaml index c8edb5d19..221eae1a4 100644 --- a/other/require-non-root-groups/.chainsaw-test/podcontroller-good.yaml +++ b/other/require-non-root-groups/.chainsaw-test/podcontroller-good.yaml @@ -14,7 +14,7 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsGroup: 1 --- 
@@ -34,7 +34,7 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsGroup: 1 --- @@ -54,7 +54,7 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsGroup: 1 securityContext: @@ -76,9 +76,9 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsGroup: 1 --- @@ -98,9 +98,9 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsGroup: 1 securityContext: @@ -122,10 +122,10 @@ spec: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsGroup: 1 --- @@ -145,12 +145,12 @@ spec: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsGroup: 1 containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsGroup: 1 --- @@ -170,12 +170,12 @@ spec: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsGroup: 1 containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsGroup: 1 --- 
@@ -195,14 +195,14 @@ spec: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsGroup: 1 - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsGroup: 1 ---
@@ -222,16 +222,16 @@ spec: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsGroup: 1 - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsGroup: 1 containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsGroup: 1 ---
@@ -249,7 +249,7 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsGroup: 1 ---
@@ -266,7 +266,7 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsGroup: 1 ---
@@ -283,7 +283,7 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsGroup: 1 securityContext:
@@ -302,9 +302,9 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsGroup: 1 ---
@@ -321,9 +321,9 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsGroup: 1 securityContext:
@@ -342,10 +342,10 @@ spec: restartPolicy: OnFailure initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsGroup: 1 ---
@@ -362,12 +362,12 @@ spec: restartPolicy: OnFailure initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsGroup: 1 containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsGroup: 1 ---
@@ -384,12 +384,12 @@ spec: restartPolicy: OnFailure initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsGroup: 1 containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsGroup: 1 ---
@@ -406,14 +406,14 @@ spec: restartPolicy: OnFailure initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsGroup: 1 - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsGroup: 1 ---
@@ -430,16 +430,16 @@ spec: restartPolicy: OnFailure initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsGroup: 1 - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsGroup: 1 containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsGroup: 1 ---
@@ -459,7 +459,7 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsGroup: 1 supplementalGroups: [32]
@@ -480,7 +480,7 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsGroup: 1 supplementalGroups: [32,94]
@@ -498,7 +498,7 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsGroup: 1 supplementalGroups: [32]
@@ -516,7 +516,7 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsGroup: 1 supplementalGroups: [32,94]
@@ -537,7 +537,7 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsGroup: 1 fsGroup: 32
@@ -555,7 +555,7 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsGroup: 1 fsGroup: 32
diff --git a/other/require-non-root-groups/artifacthub-pkg.yml b/other/require-non-root-groups/artifacthub-pkg.yml
index 0d4fc388b..dd9b5a84c 100644
--- a/other/require-non-root-groups/artifacthub-pkg.yml
+++ b/other/require-non-root-groups/artifacthub-pkg.yml
@@ -20,4 +20,4 @@ annotations: kyverno/category: "Sample, EKS Best Practices" kyverno/kubernetesVersion: "1.22-1.23" kyverno/subject: "Pod"
-digest: 541ab5a775533b779bf097c3690b94eccee05dfd9938714950ae21ccebdac1cd
+digest: bacd5ec5a02c3be4fb7be44e3ecc9f4adef25539e3c363fd295494e9702843c4
diff --git a/other/require-non-root-groups/require-non-root-groups.yaml b/other/require-non-root-groups/require-non-root-groups.yaml
index 1e855ca33..450ec1c64 100644
--- a/other/require-non-root-groups/require-non-root-groups.yaml
+++ b/other/require-non-root-groups/require-non-root-groups.yaml
@@ -16,7 +16,7 @@ metadata: greater than zero (i.e., non root). A known issue prevents a policy such as this using `anyPattern` from being persisted properly in Kubernetes 1.23.0-1.23.2. spec: - validationFailureAction: Audit + validationFailureAction: audit background: true rules: - name: check-runasgroup
diff --git a/other/require-pdb/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other/require-pdb/.chainsaw-test/chainsaw-step-01-assert-1.yaml
index 8c2b4707b..e82f379c7 100755
--- a/other/require-pdb/.chainsaw-test/chainsaw-step-01-assert-1.yaml
+++ b/other/require-pdb/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -3,8 +3,4 @@ kind: ClusterPolicy metadata: name: require-pdb status: - conditions: - - reason: Succeeded - status: "True" - type: Ready - + ready: true
diff --git a/other/require-pdb/.chainsaw-test/chainsaw-test.yaml b/other/require-pdb/.chainsaw-test/chainsaw-test.yaml
index 518aff3a6..077a26ee8 100755
--- a/other/require-pdb/.chainsaw-test/chainsaw-test.yaml
+++ b/other/require-pdb/.chainsaw-test/chainsaw-test.yaml
@@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata:
@@ -10,16 +9,9 @@ spec: try: - apply: file: pdb.yaml - - apply: - file: ../require-pdb.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: require-pdb - spec: - validationFailureAction: Enforce + - script: + content: | + sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../require-pdb.yaml | kubectl create -f - - assert: file: chainsaw-step-01-assert-1.yaml - name: step-02
@@ -38,3 +30,10 @@ spec: - check: ($error != null): true file: ss-bad.yaml + - name: step-99 + try: + - delete: + ref: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: require-pdb
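Review bot: The new step `sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../require-pdb.yaml | kubectl create -f -` in chainsaw-test.yaml has no guard against the substitution not matching: sed exits 0 when nothing matches, the policy file's casing is changed from `Audit` to `audit` in this very commit, and Kyverno accepts both spellings, so a later edit that restores the capital letter would install the policy in audit mode, still satisfy `ready: true` in chainsaw-step-01-assert-1.yaml, and presumably surface only as puzzling `($error != null)` failures in the later steps. Making the match case-insensitive and failing fast when it does not take keeps the intent explicit, e.g. `grep -q 'validationFailureAction: [Aa]udit' ../require-pdb.yaml && sed -E 's/validationFailureAction: [Aa]udit/validationFailureAction: Enforce/' ../require-pdb.yaml | kubectl create -f -`. The replacement value also keeps the capitalised `Enforce` that the rest of this commit is removing; `enforce` would match the lowercase form used in require-pod-priorityclassname.yaml. The identical script appears in the require-qos-burstable and require-qos-guaranteed chainsaw-test.yaml hunks.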
diff --git a/other/require-pdb/.chainsaw-test/deploy-bad.yaml b/other/require-pdb/.chainsaw-test/deploy-bad.yaml
index 7886dee79..b86c8bfbb 100644
--- a/other/require-pdb/.chainsaw-test/deploy-bad.yaml
+++ b/other/require-pdb/.chainsaw-test/deploy-bad.yaml
@@ -17,7 +17,7 @@ spec: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: apps/v1 kind: Deployment
@@ -39,4 +39,4 @@ spec: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35
\ No newline at end of file
+ image: busybox:1.35
\ No newline at end of file
diff --git a/other/require-pdb/.chainsaw-test/deploy-good.yaml b/other/require-pdb/.chainsaw-test/deploy-good.yaml
index 6a4f7f2e1..2512d20a3 100644
--- a/other/require-pdb/.chainsaw-test/deploy-good.yaml
+++ b/other/require-pdb/.chainsaw-test/deploy-good.yaml
@@ -18,7 +18,7 @@ spec: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: apps/v1 kind: Deployment
@@ -39,4 +39,4 @@ spec: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35
\ No newline at end of file
+ image: busybox:1.35
\ No newline at end of file
diff --git a/other/require-pdb/.chainsaw-test/ss-bad.yaml b/other/require-pdb/.chainsaw-test/ss-bad.yaml
index 02d9a3b2a..d27b52eb1 100644
--- a/other/require-pdb/.chainsaw-test/ss-bad.yaml
+++ b/other/require-pdb/.chainsaw-test/ss-bad.yaml
@@ -15,7 +15,7 @@ spec: terminationGracePeriodSeconds: 10 containers: - name: busbyox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: apps/v1 kind: StatefulSet
@@ -35,4 +35,4 @@ spec: terminationGracePeriodSeconds: 10 containers: - name: busbyox - image: ghcr.io/kyverno/test-busybox:1.35
\ No newline at end of file
+ image: busybox:1.35
\ No newline at end of file
diff --git a/other/require-pdb/.chainsaw-test/ss-good.yaml b/other/require-pdb/.chainsaw-test/ss-good.yaml
index b61262bd5..2b962e004 100644
--- a/other/require-pdb/.chainsaw-test/ss-good.yaml
+++ b/other/require-pdb/.chainsaw-test/ss-good.yaml
@@ -17,7 +17,7 @@ spec: terminationGracePeriodSeconds: 10 containers: - name: busbyox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: apps/v1 kind: StatefulSet
@@ -36,4 +36,4 @@ spec: terminationGracePeriodSeconds: 10 containers: - name: busbyox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35
diff --git a/other/require-pdb/artifacthub-pkg.yml b/other/require-pdb/artifacthub-pkg.yml
index 6890900b2..35bfe5bd0 100644
--- a/other/require-pdb/artifacthub-pkg.yml
+++ b/other/require-pdb/artifacthub-pkg.yml
@@ -20,4 +20,4 @@ annotations: kyverno/category: "Sample, EKS Best Practices" kyverno/kubernetesVersion: "1.23" kyverno/subject: "Deployment, PodDisruptionBudget"
-digest: 13a247c0635beb4f7b605795a996fe6842bd742539b4df06d05ca7dc99a73354
+digest: fd512d593d6284ba1b90523d4c93368e193499dc30cf5a406b53d8d6ca75dc30
diff --git a/other/require-pdb/require-pdb.yaml b/other/require-pdb/require-pdb.yaml
index 8033df82f..64d8a2acf 100644
--- a/other/require-pdb/require-pdb.yaml
+++ b/other/require-pdb/require-pdb.yaml
@@ -15,7 +15,7 @@ metadata: to ensure they have a matching, preexisting PodDisruptionBudget. Note: This policy must be run in `enforce` mode to ensure accuracy. spec: - validationFailureAction: Audit + validationFailureAction: audit background: false rules: - name: require-pdb
diff --git a/other/require-pod-priorityclassname/.chainsaw-test/chainsaw-test.yaml b/other/require-pod-priorityclassname/.chainsaw-test/chainsaw-test.yaml
index f1b48f78c..6440e2ff1 100755
--- a/other/require-pod-priorityclassname/.chainsaw-test/chainsaw-test.yaml
+++ b/other/require-pod-priorityclassname/.chainsaw-test/chainsaw-test.yaml
@@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata:
diff --git a/other/require-pod-priorityclassname/.chainsaw-test/pod-bad.yaml b/other/require-pod-priorityclassname/.chainsaw-test/pod-bad.yaml
index 25c58c50b..8ca6bd275 100644
--- a/other/require-pod-priorityclassname/.chainsaw-test/pod-bad.yaml
+++ b/other/require-pod-priorityclassname/.chainsaw-test/pod-bad.yaml
@@ -5,7 +5,7 @@ metadata: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 priorityClassName: "" --- apiVersion: v1
@@ -15,4 +15,4 @@ metadata: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35
\ No newline at end of file
+ image: busybox:1.35
\ No newline at end of file
diff --git a/other/require-pod-priorityclassname/.chainsaw-test/pod-good.yaml b/other/require-pod-priorityclassname/.chainsaw-test/pod-good.yaml
index 469a0f33a..77c66a524 100644
--- a/other/require-pod-priorityclassname/.chainsaw-test/pod-good.yaml
+++ b/other/require-pod-priorityclassname/.chainsaw-test/pod-good.yaml
@@ -5,5 +5,5 @@ metadata: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 priorityClassName: high
\ No newline at end of file
diff --git a/other/require-pod-priorityclassname/.chainsaw-test/podcontroller-bad.yaml b/other/require-pod-priorityclassname/.chainsaw-test/podcontroller-bad.yaml
index c761d14a1..cbb574a94 100644
--- a/other/require-pod-priorityclassname/.chainsaw-test/podcontroller-bad.yaml
+++ b/other/require-pod-priorityclassname/.chainsaw-test/podcontroller-bad.yaml
@@ -14,7 +14,7 @@ spec: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: batch/v1 kind: CronJob
@@ -29,4 +29,4 @@ spec: restartPolicy: OnFailure containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35
\ No newline at end of file
+ image: busybox:1.35
\ No newline at end of file
diff --git a/other/require-pod-priorityclassname/.chainsaw-test/podcontroller-good.yaml b/other/require-pod-priorityclassname/.chainsaw-test/podcontroller-good.yaml
index 5396df2b8..c90891887 100644
--- a/other/require-pod-priorityclassname/.chainsaw-test/podcontroller-good.yaml
+++ b/other/require-pod-priorityclassname/.chainsaw-test/podcontroller-good.yaml
@@ -14,7 +14,7 @@ spec: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 priorityClassName: high --- apiVersion: batch/v1
@@ -30,5 +30,5 @@ spec: restartPolicy: OnFailure containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 priorityClassName: high
\ No newline at end of file
diff --git a/other/require-pod-priorityclassname/artifacthub-pkg.yml b/other/require-pod-priorityclassname/artifacthub-pkg.yml
index 85d2fe331..ad7219941 100644
--- a/other/require-pod-priorityclassname/artifacthub-pkg.yml
+++ b/other/require-pod-priorityclassname/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ readme: | annotations: kyverno/category: "Multi-Tenancy, EKS Best Practices" kyverno/subject: "Pod"
-digest: 80346b515ceeb68cc07c7e605423063389772475dc8d14fbf316f6be329991ab
+digest: cd90184711eef81fd5a640c90d12517c05360ba1f22eed6fb00a3d6585451549
diff --git a/other/require-pod-priorityclassname/require-pod-priorityclassname.yaml b/other/require-pod-priorityclassname/require-pod-priorityclassname.yaml
index 23d11fe71..746652bba 100644
--- a/other/require-pod-priorityclassname/require-pod-priorityclassname.yaml
+++ b/other/require-pod-priorityclassname/require-pod-priorityclassname.yaml
@@ -15,7 +15,7 @@ metadata: scheduling guarantees. This policy requires that a Pod defines the priorityClassName field with some value. spec: - validationFailureAction: Enforce + validationFailureAction: enforce background: true rules: - name: check-priorityclassname
diff --git a/other/require-qos-burstable/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other/require-qos-burstable/.chainsaw-test/chainsaw-step-01-assert-1.yaml
index 1f02c7af6..a8e1ef52a 100755
--- a/other/require-qos-burstable/.chainsaw-test/chainsaw-step-01-assert-1.yaml
+++ b/other/require-qos-burstable/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -3,8 +3,4 @@ kind: ClusterPolicy metadata: name: require-qos-burstable status: - conditions: - - reason: Succeeded - status: "True" - type: Ready - + ready: true
diff --git a/other/require-qos-burstable/.chainsaw-test/chainsaw-test.yaml b/other/require-qos-burstable/.chainsaw-test/chainsaw-test.yaml
index af409c7f9..07e44e2b5 100755
--- a/other/require-qos-burstable/.chainsaw-test/chainsaw-test.yaml
+++ b/other/require-qos-burstable/.chainsaw-test/chainsaw-test.yaml
@@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata:
@@ -8,16 +7,9 @@ spec: steps: - name: step-01 try: - - apply: - file: ../require-qos-burstable.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: require-qos-burstable - spec: - validationFailureAction: Enforce + - script: + content: | + sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../require-qos-burstable.yaml | kubectl create -f - - assert: file: chainsaw-step-01-assert-1.yaml - name: step-02
@@ -36,3 +28,10 @@ spec: - check: ($error != null): true file: podcontroller-bad.yaml + - name: step-99 + try: + - delete: + ref: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: require-qos-burstable
diff --git a/other/require-qos-burstable/.chainsaw-test/pod-bad.yaml b/other/require-qos-burstable/.chainsaw-test/pod-bad.yaml
index b16ba3020..94c229340 100644
--- a/other/require-qos-burstable/.chainsaw-test/pod-bad.yaml
+++ b/other/require-qos-burstable/.chainsaw-test/pod-bad.yaml
@@ -7,7 +7,7 @@ metadata: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod
@@ -18,6 +18,6 @@ metadata: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: busybox-again - image: ghcr.io/kyverno/test-busybox:1.35
\ No newline at end of file
+ image: busybox:1.35
\ No newline at end of file
diff --git a/other/require-qos-burstable/.chainsaw-test/pod-good.yaml b/other/require-qos-burstable/.chainsaw-test/pod-good.yaml
index 2ec7cf140..9fd1bcce1 100644
--- a/other/require-qos-burstable/.chainsaw-test/pod-good.yaml
+++ b/other/require-qos-burstable/.chainsaw-test/pod-good.yaml
@@ -7,7 +7,7 @@ metadata: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 resources: requests: memory: "50Mi"
@@ -24,9 +24,9 @@ metadata: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: busybox-again - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 resources: limits: memory: "100Mi"
@@ -40,12 +40,12 @@ metadata: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 resources: requests: memory: "100Mi" - name: busybox-again - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod
@@ -56,9 +56,9 @@ metadata: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: busybox-again - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 resources: requests: cpu: "1"
@@ -72,9 +72,9 @@ metadata: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 resources: limits: cpu: "1" - name: busybox-again - image: ghcr.io/kyverno/test-busybox:1.35
\ No newline at end of file
+ image: busybox:1.35
\ No newline at end of file
diff --git a/other/require-qos-burstable/.chainsaw-test/podcontroller-bad.yaml b/other/require-qos-burstable/.chainsaw-test/podcontroller-bad.yaml
index e91d8ed23..88f2c188b 100644
--- a/other/require-qos-burstable/.chainsaw-test/podcontroller-bad.yaml
+++ b/other/require-qos-burstable/.chainsaw-test/podcontroller-bad.yaml
@@ -14,9 +14,9 @@ spec: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: busybox-again - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: batch/v1 kind: CronJob
@@ -31,6 +31,6 @@ spec: restartPolicy: OnFailure containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: busybox-again - image: ghcr.io/kyverno/test-busybox:1.35
\ No newline at end of file
+ image: busybox:1.35
\ No newline at end of file
diff --git a/other/require-qos-burstable/.chainsaw-test/podcontroller-good.yaml b/other/require-qos-burstable/.chainsaw-test/podcontroller-good.yaml
index dd1b477ff..a57f80ec2 100644
--- a/other/require-qos-burstable/.chainsaw-test/podcontroller-good.yaml
+++ b/other/require-qos-burstable/.chainsaw-test/podcontroller-good.yaml
@@ -14,9 +14,9 @@ spec: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: busybox-again - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 resources: limits: memory: "100Mi"
@@ -34,9 +34,9 @@ spec: restartPolicy: OnFailure containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 resources: requests: cpu: "1" - name: busybox-again - image: ghcr.io/kyverno/test-busybox:1.35
\ No newline at end of file
+ image: busybox:1.35
\ No newline at end of file
diff --git a/other/require-qos-burstable/artifacthub-pkg.yml b/other/require-qos-burstable/artifacthub-pkg.yml
index dd93ce0fc..99ef9e693 100644
--- a/other/require-qos-burstable/artifacthub-pkg.yml
+++ b/other/require-qos-burstable/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ readme: | annotations: kyverno/category: "Other, Multi-Tenancy" kyverno/subject: "Pod"
-digest: 0373fe0fb9acfb4ce9d2c70de1ed87e94fb223e8fdca74785ec1130a66f7859a
+digest: 306ca9dddcba820b33b51b41e32884d7f21cdbfd3d244bfb481688ba44d34b5c
diff --git a/other/require-qos-burstable/require-qos-burstable.yaml b/other/require-qos-burstable/require-qos-burstable.yaml
index 5f1ec55b8..bbb5810e5 100644
--- a/other/require-qos-burstable/require-qos-burstable.yaml
+++ b/other/require-qos-burstable/require-qos-burstable.yaml
@@ -16,7 +16,7 @@ metadata: This policy is provided with the intention that users will need to control its scope by using exclusions, preconditions, and other policy language mechanisms. spec: - validationFailureAction: Audit + validationFailureAction: audit background: true rules: - name: burstable
diff --git a/other/require-qos-guaranteed/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other/require-qos-guaranteed/.chainsaw-test/chainsaw-step-01-assert-1.yaml
index 08c5d44e0..7d014a1b1 100755
--- a/other/require-qos-guaranteed/.chainsaw-test/chainsaw-step-01-assert-1.yaml
+++ b/other/require-qos-guaranteed/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -3,8 +3,4 @@ kind: ClusterPolicy metadata: name: require-qos-guaranteed status: - conditions: - - reason: Succeeded - status: "True" - type: Ready - + ready: true
diff --git a/other/require-qos-guaranteed/.chainsaw-test/chainsaw-test.yaml b/other/require-qos-guaranteed/.chainsaw-test/chainsaw-test.yaml
index 92941d4d3..2c10f3974 100755
--- a/other/require-qos-guaranteed/.chainsaw-test/chainsaw-test.yaml
+++ b/other/require-qos-guaranteed/.chainsaw-test/chainsaw-test.yaml
@@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata:
@@ -8,16 +7,9 @@ spec: steps: - name: step-01 try: - - apply: - file: ../require-qos-guaranteed.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: require-qos-guaranteed - spec: - validationFailureAction: Enforce + - script: + content: | + sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../require-qos-guaranteed.yaml | kubectl create -f - - assert: file: chainsaw-step-01-assert-1.yaml - name: step-02
@@ -36,3 +28,10 @@ spec: - check: ($error != null): true file: podcontroller-bad.yaml + - name: step-99 + try: + - delete: + ref: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: require-qos-guaranteed
diff --git a/other/require-qos-guaranteed/.chainsaw-test/pod-bad.yaml b/other/require-qos-guaranteed/.chainsaw-test/pod-bad.yaml
index 73a785cf5..9cd0cbc6a 100644
--- a/other/require-qos-guaranteed/.chainsaw-test/pod-bad.yaml
+++ b/other/require-qos-guaranteed/.chainsaw-test/pod-bad.yaml
@@ -7,7 +7,7 @@ metadata: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 resources: requests: memory: "100Mi"
@@ -24,13 +24,13 @@ metadata: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 resources: requests: memory: "50Mi" cpu: "2" - name: busybox-again - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 resources: limits: memory: "100Mi"
@@ -45,12 +45,12 @@ metadata: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 resources: requests: memory: "50Mi" - name: busybox-again - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod
@@ -61,6 +61,6 @@ metadata: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: busybox-again - image: ghcr.io/kyverno/test-busybox:1.35
\ No newline at end of file
+ image: busybox:1.35
\ No newline at end of file
diff --git a/other/require-qos-guaranteed/.chainsaw-test/pod-good.yaml b/other/require-qos-guaranteed/.chainsaw-test/pod-good.yaml
index 0b9826f4d..f9ae97536 100644
--- a/other/require-qos-guaranteed/.chainsaw-test/pod-good.yaml
+++ b/other/require-qos-guaranteed/.chainsaw-test/pod-good.yaml
@@ -7,7 +7,7 @@ metadata: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 resources: requests: memory: "100Mi"
@@ -25,7 +25,7 @@ metadata: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 resources: requests: memory: "50Mi"
@@ -34,7 +34,7 @@ spec: memory: "50Mi" cpu: "2" - name: busybox-again - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 resources: requests: memory: "100Mi"
diff --git a/other/require-qos-guaranteed/.chainsaw-test/podcontroller-bad.yaml b/other/require-qos-guaranteed/.chainsaw-test/podcontroller-bad.yaml
index 37882316a..7a363df17 100644
--- a/other/require-qos-guaranteed/.chainsaw-test/podcontroller-bad.yaml
+++ b/other/require-qos-guaranteed/.chainsaw-test/podcontroller-bad.yaml
@@ -14,14 +14,14 @@ spec: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 resources: requests: memory: "100Mi" limits: cpu: "1" - name: busybox-again - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: batch/v1 kind: CronJob
@@ -36,9 +36,9 @@ spec: restartPolicy: OnFailure containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: busybox-again - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 resources: requests: memory: "50Mi"
diff --git a/other/require-qos-guaranteed/.chainsaw-test/podcontroller-good.yaml b/other/require-qos-guaranteed/.chainsaw-test/podcontroller-good.yaml
index 514a21f0e..b9d919b36 100644
--- a/other/require-qos-guaranteed/.chainsaw-test/podcontroller-good.yaml
+++ b/other/require-qos-guaranteed/.chainsaw-test/podcontroller-good.yaml
@@ -14,7 +14,7 @@ spec: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 resources: requests: memory: "200Mi"
@@ -23,7 +23,7 @@ spec: memory: "200Mi" cpu: "2" - name: busybox-again - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 resources: requests: memory: "100Mi"
@@ -45,7 +45,7 @@ spec: restartPolicy: OnFailure containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 resources: requests: memory: "100Mi"
@@ -54,7 +54,7 @@ spec: memory: "100Mi" cpu: "1" - name: busybox-again - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 resources: requests: memory: "50Mi"
diff --git a/other/require-qos-guaranteed/artifacthub-pkg.yml b/other/require-qos-guaranteed/artifacthub-pkg.yml
index b98b980ef..5a67ea056 100644
--- a/other/require-qos-guaranteed/artifacthub-pkg.yml
+++ b/other/require-qos-guaranteed/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ readme: | annotations: kyverno/category: "Other, Multi-Tenancy" kyverno/subject: "Pod"
-digest: 9e79f00aeb00fc07f1b30cb8db0aa6e43b578a4668bce76c14e1094e06e59c6d
+digest: 3ecceebb826c81f7b5519068a0148af2d3d45055ceff3ad31fd9b21551c1a904
diff --git a/other/require-qos-guaranteed/require-qos-guaranteed.yaml b/other/require-qos-guaranteed/require-qos-guaranteed.yaml
index 1e30cf89f..8f1f0f3ac 100644
--- a/other/require-qos-guaranteed/require-qos-guaranteed.yaml
+++ b/other/require-qos-guaranteed/require-qos-guaranteed.yaml
@@ -17,7 +17,7 @@ metadata: intention that users will need to control its scope by using exclusions, preconditions, and other policy language mechanisms. spec: - validationFailureAction: Audit + validationFailureAction: audit background: true rules: - name: guaranteed
diff --git a/other/require-reasonable-pdbs/.chainsaw-test/chainsaw-test.yaml b/other/require-reasonable-pdbs/.chainsaw-test/chainsaw-test.yaml
deleted file mode 100755
index a746a077c..000000000
--- a/other/require-reasonable-pdbs/.chainsaw-test/chainsaw-test.yaml
+++ /dev/null
@@ -1,36 +0,0 @@ -apiVersion: chainsaw.kyverno.io/v1alpha1 -kind: Test -metadata: - name: require-reasonable-pdbs -spec: - steps: - - name: 01 - Create policy and set to Enforce - try: - - apply: - file: ../require-reasonable-pdbs.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: require-reasonable-pdbs - spec: - validationFailureAction: Enforce - - assert: - file: policy-ready.yaml - - name: 02 - Create PDBs - try: - - apply: - file: ../.kyverno-test/pdb-maxUnavailable-good.yaml - - apply: - file: ../.kyverno-test/pdb-minAvailable-good.yaml - - apply: - expect: - - check: - ($error != null): true - file: ../.kyverno-test/pdb-maxUnavailable-bad.yaml - - apply: - expect: - - check: - ($error != null): true - file: ../.kyverno-test/pdb-minAvailable-bad.yaml
diff --git a/other/require-reasonable-pdbs/.chainsaw-test/policy-ready.yaml b/other/require-reasonable-pdbs/.chainsaw-test/policy-ready.yaml
deleted file mode 100755
index 3b8e14c81..000000000
--- a/other/require-reasonable-pdbs/.chainsaw-test/policy-ready.yaml
+++ /dev/null
@@ -1,10 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: require-reasonable-pdbs -status: - conditions: - - reason: Succeeded - status: "True" - type: Ready -
diff --git a/other/require-reasonable-pdbs/.kyverno-test/kyverno-test.yaml b/other/require-reasonable-pdbs/.kyverno-test/kyverno-test.yaml
deleted file mode 100644
index 71f0d78d0..000000000
--- a/other/require-reasonable-pdbs/.kyverno-test/kyverno-test.yaml
+++ /dev/null
@@ -1,47 +0,0 @@ -apiVersion: cli.kyverno.io/v1alpha1 -kind: Test -metadata: - name: require-reasonable-pdbs -policies: -- ../require-reasonable-pdbs.yaml -resources: -- pdb-maxUnavailable-bad.yaml -- pdb-maxUnavailable-good.yaml -- pdb-minAvailable-bad.yaml -- pdb-minAvailable-good.yaml -results: -- kind: PodDisruptionBudget - policy: require-reasonable-pdbs - rule: require-reasonable-pdb-percentage - resources: - - good-maxUnavailable-pdb01 - - good-maxUnavailable-pdb02 - - good-maxUnavailable-pdb03 - - good-maxUnavailable-pdb04 - - good-maxUnavailable-pdb05 - - good-maxUnavailable-pdb06 - - good-maxUnavailable-pdb06 - - good-minAvailable-pdb01 - - good-minAvailable-pdb02 - - good-minAvailable-pdb03 - - good-minAvailable-pdb04 - - good-minAvailable-pdb05 - - good-minAvailable-pdb06 - result: pass -- kind: PodDisruptionBudget - policy: require-reasonable-pdbs - rule: require-reasonable-pdb-percentage - resources: - - bad-maxUnavailable-pdb01 - - bad-maxUnavailable-pdb02 - - bad-maxUnavailable-pdb03 - - bad-maxUnavailable-pdb04 - - bad-maxUnavailable-pdb05 - - bad-maxUnavailable-pdb06 - - bad-minAvailable-pdb01 - - bad-minAvailable-pdb02 - - bad-minAvailable-pdb03 - - bad-minAvailable-pdb04 - - bad-minAvailable-pdb05 - - bad-minAvailable-pdb06 - result: fail
diff --git a/other/require-reasonable-pdbs/.kyverno-test/pdb-maxUnavailable-bad.yaml b/other/require-reasonable-pdbs/.kyverno-test/pdb-maxUnavailable-bad.yaml
deleted file mode 100644
index ea8b8e7e3..000000000
--- a/other/require-reasonable-pdbs/.kyverno-test/pdb-maxUnavailable-bad.yaml
+++ /dev/null
@@ -1,60 +0,0 @@ -apiVersion: policy/v1 -kind: PodDisruptionBudget -metadata: - name: bad-maxUnavailable-pdb01 -spec: - maxUnavailable: 49% - selector: - matchLabels: - foo: bar ---- -apiVersion: policy/v1 -kind: PodDisruptionBudget -metadata: - name: bad-maxUnavailable-pdb02 -spec: - maxUnavailable: 40% - selector: - matchLabels: - foo: bar ---- -apiVersion: policy/v1 -kind: PodDisruptionBudget -metadata: - name: bad-maxUnavailable-pdb03 -spec: - maxUnavailable: 30% - selector: - matchLabels: - foo: bar ---- -apiVersion: policy/v1 -kind: PodDisruptionBudget -metadata: - name: bad-maxUnavailable-pdb04 -spec: - maxUnavailable: 20% - selector: - matchLabels: - foo: bar ---- -apiVersion: policy/v1 -kind: PodDisruptionBudget -metadata: - name: bad-maxUnavailable-pdb05 -spec: - maxUnavailable: 10% - selector: - matchLabels: - foo: bar ---- -apiVersion: policy/v1 -kind: PodDisruptionBudget -metadata: - name: bad-maxUnavailable-pdb06 -spec: - maxUnavailable: 0% - selector: - matchLabels: - foo: bar ---- diff --git a/other/require-reasonable-pdbs/.kyverno-test/pdb-maxUnavailable-good.yaml b/other/require-reasonable-pdbs/.kyverno-test/pdb-maxUnavailable-good.yaml deleted file mode 100644 index c00d70820..000000000 --- a/other/require-reasonable-pdbs/.kyverno-test/pdb-maxUnavailable-good.yaml +++ /dev/null 
@@ -1,70 +0,0 @@ -apiVersion: policy/v1 -kind: PodDisruptionBudget -metadata: - name: good-maxUnavailable-pdb01 -spec: - maxUnavailable: 50% - selector: - matchLabels: - foo: bar ---- -apiVersion: policy/v1 -kind: PodDisruptionBudget -metadata: - name: good-maxUnavailable-pdb02 -spec: - maxUnavailable: 51% - selector: - matchLabels: - foo: bar ---- -apiVersion: policy/v1 -kind: PodDisruptionBudget -metadata: - name: good-maxUnavailable-pdb03 -spec: - maxUnavailable: 60% - selector: - matchLabels: - foo: bar ---- -apiVersion: policy/v1 -kind: PodDisruptionBudget -metadata: - name: good-maxUnavailable-pdb04 -spec: - maxUnavailable: 70% - selector: - matchLabels: - foo: bar ---- -apiVersion: policy/v1 -kind: PodDisruptionBudget -metadata: - name: good-maxUnavailable-pdb05 -spec: - maxUnavailable: 80% - selector: - matchLabels: - foo: bar ---- -apiVersion: policy/v1 -kind: PodDisruptionBudget -metadata: - name: good-maxUnavailable-pdb06 -spec: - maxUnavailable: 90% - selector: - matchLabels: - foo: bar ---- -apiVersion: policy/v1 -kind: PodDisruptionBudget -metadata: - name: good-maxUnavailable-pdb07 -spec: - maxUnavailable: 100% - selector: - matchLabels: - foo: bar ---- diff --git a/other/require-reasonable-pdbs/.kyverno-test/pdb-minAvailable-bad.yaml b/other/require-reasonable-pdbs/.kyverno-test/pdb-minAvailable-bad.yaml deleted file mode 100644 index 44db92626..000000000 --- a/other/require-reasonable-pdbs/.kyverno-test/pdb-minAvailable-bad.yaml +++ /dev/null 
@@ -1,60 +0,0 @@ -apiVersion: policy/v1 -kind: PodDisruptionBudget -metadata: - name: bad-minAvailable-pdb01 -spec: - minAvailable: 51% - selector: - matchLabels: - foo: bar ---- -apiVersion: policy/v1 -kind: PodDisruptionBudget -metadata: - name: bad-minAvailable-pdb02 -spec: - minAvailable: 60% - selector: - matchLabels: - foo: bar ---- -apiVersion: policy/v1 -kind: PodDisruptionBudget -metadata: - name: bad-minAvailable-pdb03 -spec: - minAvailable: 70% - selector: - matchLabels: - foo: bar ---- -apiVersion: policy/v1 -kind: PodDisruptionBudget -metadata: - name: bad-minAvailable-pdb04 -spec: - minAvailable: 80% - selector: - matchLabels: - foo: bar ---- -apiVersion: policy/v1 -kind: PodDisruptionBudget -metadata: - name: bad-minAvailable-pdb05 -spec: - minAvailable: 90% - selector: - matchLabels: - foo: bar ---- -apiVersion: policy/v1 -kind: PodDisruptionBudget -metadata: - name: bad-minAvailable-pdb06 -spec: - minAvailable: 99% - selector: - matchLabels: - foo: bar ---- diff --git a/other/require-reasonable-pdbs/.kyverno-test/pdb-minAvailable-good.yaml b/other/require-reasonable-pdbs/.kyverno-test/pdb-minAvailable-good.yaml deleted file mode 100644 index bdec4a3e5..000000000 --- a/other/require-reasonable-pdbs/.kyverno-test/pdb-minAvailable-good.yaml +++ /dev/null 
@@ -1,60 +0,0 @@ -apiVersion: policy/v1 -kind: PodDisruptionBudget -metadata: - name: good-minAvailable-pdb01 -spec: - minAvailable: 50% - selector: - matchLabels: - foo: bar ---- -apiVersion: policy/v1 -kind: PodDisruptionBudget -metadata: - name: good-minAvailable-pdb02 -spec: - minAvailable: 40% - selector: - matchLabels: - foo: bar ---- -apiVersion: policy/v1 -kind: PodDisruptionBudget -metadata: - name: good-minAvailable-pdb03 -spec: - minAvailable: 30% - selector: - matchLabels: - foo: bar ---- -apiVersion: policy/v1 -kind: PodDisruptionBudget -metadata: - name: good-minAvailable-pdb04 -spec: - minAvailable: 20% - selector: - matchLabels: - foo: bar ---- -apiVersion: policy/v1 -kind: PodDisruptionBudget -metadata: - name: good-minAvailable-pdb05 -spec: - minAvailable: 10% - selector: - matchLabels: - foo: bar ---- -apiVersion: policy/v1 -kind: PodDisruptionBudget -metadata: - name: good-minAvailable-pdb06 -spec: - minAvailable: 1% - selector: - matchLabels: - foo: bar ---- diff --git a/other/require-reasonable-pdbs/.kyverno-test/values.yaml b/other/require-reasonable-pdbs/.kyverno-test/values.yaml deleted file mode 100644 index 3a84da8ec..000000000 --- a/other/require-reasonable-pdbs/.kyverno-test/values.yaml +++ /dev/null @@ -1,8 +0,0 @@ -apiVersion: cli.kyverno.io/v1alpha1 -kind: Values -policies: -- name: require-pdb - rules: - - name: require-pdb - values: - pdb_count: "1" diff --git a/other/require-reasonable-pdbs/artifact-hub.yml b/other/require-reasonable-pdbs/artifact-hub.yml deleted file mode 100644 index 0555d65a4..000000000 --- a/other/require-reasonable-pdbs/artifact-hub.yml +++ /dev/null 
@@ -1,27 +0,0 @@ -name: require-reasonable-pdbs -version: 1.0.0 -displayName: Require Reasonable PodDisruptionBudgets -createdAt: "2024-03-03T13:00:00.000Z" -description: >- - PodDisruptionBudget resources are useful to ensuring minimum availability is maintained at all times. - Achieving a balance between availability and maintainability is important. This policy validates that a - PodDisruptionBudget, specified as percentages, allows 50% of the replicas to be out of service in that - minAvailable should be no higher than 50% and maxUnavailable should be no lower than 50%. -install: |- - ```shell - kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/require-reasonable-pdbs/require-reasonable-pdbs.yaml - ``` -keywords: - - kyverno - - Other -readme: | - PodDisruptionBudget resources are useful to ensuring minimum availability is maintained at all times. - Achieving a balance between availability and maintainability is important. This policy validates that a - PodDisruptionBudget, specified as percentages, allows 50% of the replicas to be out of service in that - minAvailable should be no higher than 50% and maxUnavailable should be no lower than 50%. - - Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ -annotations: - kyverno/category: "Other" - kyverno/subject: "PodDisruptionBudget" -digest: 592330915ebce167296a78ab35e7a6d2207b224e755c6f6213ea991e941086f4 diff --git a/other/require-reasonable-pdbs/require-reasonable-pdbs.yaml b/other/require-reasonable-pdbs/require-reasonable-pdbs.yaml deleted file mode 100644 index be4d1c1ea..000000000 --- a/other/require-reasonable-pdbs/require-reasonable-pdbs.yaml +++ /dev/null 
@@ -1,50 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: require-reasonable-pdbs - annotations: - policies.kyverno.io/title: Require Reasonable PodDisruptionBudgets - policies.kyverno.io/category: Other - policies.kyverno.io/subject: PodDisruptionBudget - kyverno.io/kyverno-version: 1.11.4 - kyverno.io/kubernetes-version: "1.27" - policies.kyverno.io/description: >- - PodDisruptionBudget resources are useful to ensuring minimum availability is maintained at all times. - Achieving a balance between availability and maintainability is important. This policy validates that a - PodDisruptionBudget, specified as percentages, allows 50% of the replicas to be out of service in that - minAvailable should be no higher than 50% and maxUnavailable should be no lower than 50%. -spec: - validationFailureAction: Audit - background: true - rules: - # Checks if PDB fields minAvailable or maxUnavailable use percentages and, if they do, - # ensures that the percentage allows 50% of the replicas to be out of service. - - name: require-reasonable-pdb-percentage - match: - any: - - resources: - kinds: - - PodDisruptionBudget - # check if either minAvailable or maxUnavailable is a percentage - preconditions: - any: - - key: '{{ regex_match(''^[0-9]+%$'', ''{{ request.object.spec.minAvailable || ''''}}'') }}' - operator: Equals - value: true - - key: '{{ regex_match(''^[0-9]+%$'', ''{{ request.object.spec.maxUnavailable || ''''}}'') }}' - operator: Equals - value: true - validate: - message: >- - PodDisruptionBudget percentages should allow 50% out of service. minAvailable should be no higher than 50% - and maxUnavailable should be no lower than 50%. 
- # deny if minAvailable is greater than 50% or maxUnavailable is less than 50% - deny: - conditions: - any: - - key: '{{ regex_match(''^([1-9]|[1-4][0-9]|5[0])%$'', ''{{ request.object.spec.minAvailable || ''50%''}}'') }}' - operator: Equals - value: false - - key: '{{ regex_match(''^([5-9][0-9]|100)%$'', ''{{ request.object.spec.maxUnavailable || ''50%''}}'') }}' - operator: Equals - value: false diff --git a/other/require-replicas-allow-disruption/.chainsaw-test/bad-deploy.yaml b/other/require-replicas-allow-disruption/.chainsaw-test/bad-deploy.yaml deleted file mode 100644 index 5362da4b2..000000000 --- a/other/require-replicas-allow-disruption/.chainsaw-test/bad-deploy.yaml +++ /dev/null @@ -1,20 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: bravo-busybox - labels: - app: busybox -spec: - replicas: 2 - selector: - matchLabels: - app: busybox - template: - metadata: - labels: - app: busybox - spec: - containers: - - image: ghcr.io/kyverno/test-busybox:1.36 - name: busybox - command: ["sleep", "infinity"] diff --git a/other/require-replicas-allow-disruption/.chainsaw-test/chainsaw-test.yaml b/other/require-replicas-allow-disruption/.chainsaw-test/chainsaw-test.yaml deleted file mode 100644 index 35bfc1cbc..000000000 --- a/other/require-replicas-allow-disruption/.chainsaw-test/chainsaw-test.yaml +++ /dev/null 
@@ -1,35 +0,0 @@ -apiVersion: chainsaw.kyverno.io/v1alpha1 -kind: Test -metadata: - name: require-replicas-allow-disruption -spec: - steps: - - name: 01 - Create policy and set to Enforce - try: - - apply: - file: ../require-replicas-allow-disruption.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: require-replicas-allow-disruption - spec: - validationFailureAction: Enforce - - assert: - file: policy-ready.yaml - - name: 02 - Create existing PDBs in cluster - try: - - apply: - file: existing-pdbs.yaml - - name: 03 - Create good Deployment - try: - - apply: - file: good-deploy.yaml - - name: 04 - Create bad Deployment - try: - - apply: - file: bad-deploy.yaml - expect: - - check: - ($error != null): true diff --git a/other/require-replicas-allow-disruption/.chainsaw-test/existing-pdbs.yaml b/other/require-replicas-allow-disruption/.chainsaw-test/existing-pdbs.yaml deleted file mode 100644 index 609407285..000000000 --- a/other/require-replicas-allow-disruption/.chainsaw-test/existing-pdbs.yaml +++ /dev/null @@ -1,19 +0,0 @@ -apiVersion: policy/v1 -kind: PodDisruptionBudget -metadata: - name: pdb01 -spec: - minAvailable: 1 - selector: - matchLabels: - app: busybox ---- -apiVersion: policy/v1 -kind: PodDisruptionBudget -metadata: - name: pdb02 -spec: - minAvailable: 2 - selector: - matchLabels: - app: busybox diff --git a/other/require-replicas-allow-disruption/.chainsaw-test/good-deploy.yaml b/other/require-replicas-allow-disruption/.chainsaw-test/good-deploy.yaml deleted file mode 100644 index 49a14ed3f..000000000 --- a/other/require-replicas-allow-disruption/.chainsaw-test/good-deploy.yaml +++ /dev/null 
@@ -1,20 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: alpha-busybox - labels: - app: busybox -spec: - replicas: 3 - selector: - matchLabels: - app: busybox - template: - metadata: - labels: - app: busybox - spec: - containers: - - image: ghcr.io/kyverno/test-busybox:1.36 - name: busybox - command: ["sleep", "infinity"] diff --git a/other/require-replicas-allow-disruption/.chainsaw-test/policy-ready.yaml b/other/require-replicas-allow-disruption/.chainsaw-test/policy-ready.yaml deleted file mode 100644 index d690d761f..000000000 --- a/other/require-replicas-allow-disruption/.chainsaw-test/policy-ready.yaml +++ /dev/null @@ -1,10 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: require-replicas-allow-disruption -status: - conditions: - - reason: Succeeded - status: "True" - type: Ready - diff --git a/other/require-replicas-allow-disruption/artifact-hub.yaml b/other/require-replicas-allow-disruption/artifact-hub.yaml deleted file mode 100644 index 05992824d..000000000 --- a/other/require-replicas-allow-disruption/artifact-hub.yaml +++ /dev/null 
@@ -1,30 +0,0 @@ -name: require-replicas-allow-disruption -version: 1.0.0 -displayName: PodDisruptionBudget maxUnavailable Non-Zero with Deployments/StatefulSets -createdAt: "2024-03-03T16:54:00.000Z" -description: >- - Existing PodDisruptionBudgets can apply to all future matching Pod controllers. - If the minAvailable field is defined for such matching PDBs and the replica count of a new - Deployment or StatefulSet is lower than that, then availability could be negatively impacted. - This policy specifies that Deployment/StatefulSet replicas exceed the minAvailable value of all - matching PodDisruptionBudgets which specify minAvailable as a number and not percentage. -install: |- - ```shell - kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/require-replicas-allow-disruption/require-replicas-allow-disruption.yaml - ``` -keywords: - - kyverno - - Sample -readme: | - Existing PodDisruptionBudgets can apply to all future matching Pod controllers. - If the minAvailable field is defined for such matching PDBs and the replica count of a new - Deployment or StatefulSet is lower than that, then availability could be negatively impacted. - This policy specifies that Deployment/StatefulSet replicas exceed the minAvailable value of all - matching PodDisruptionBudgets which specify minAvailable as a number and not percentage. - - Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ -annotations: - kyverno/category: "Other" - kyverno/kubernetesVersion: "1.27" - kyverno/subject: "PodDisruptionBudget,Deployment,StatefulSet" -digest: a8e14a59673114b75a06181d3f342b129c4760b4f012a3f4882b467f3387ccdb diff --git a/other/require-replicas-allow-disruption/require-replicas-allow-disruption.yaml b/other/require-replicas-allow-disruption/require-replicas-allow-disruption.yaml deleted file mode 100644 index 74a047941..000000000 
--- a/other/require-replicas-allow-disruption/require-replicas-allow-disruption.yaml
+++ /dev/null
@@ -1,61 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: require-replicas-allow-disruption - annotations: - policies.kyverno.io/title: Require Replicas Allow Disruption - policies.kyverno.io/category: Other - kyverno.io/kyverno-version: 1.11.4 - kyverno.io/kubernetes-version: "1.27" - policies.kyverno.io/subject: PodDisruptionBudget, Deployment, StatefulSet - policies.kyverno.io/description: >- - Existing PodDisruptionBudgets can apply to all future matching Pod controllers. - If the minAvailable field is defined for such matching PDBs and the replica count of a new - Deployment or StatefulSet is lower than that, then availability could be negatively impacted. - This policy specifies that Deployment/StatefulSet replicas exceed the minAvailable value of all - matching PodDisruptionBudgets which specify minAvailable as a number and not percentage. -spec: - validationFailureAction: Audit - background: false - rules: - - name: replicas-check - match: - any: - - resources: - kinds: - - Deployment - - StatefulSet - operations: - - CREATE - - UPDATE - context: - - name: matchingpdbs - apiCall: - jmesPath: items[?label_match(spec.selector.matchLabels, `{{request.object.spec.template.metadata.labels}}`)] - urlPath: /apis/policy/v1/namespaces/{{request.namespace}}/poddisruptionbudgets - preconditions: - all: - - key: "{{ request.object.spec.replicas }}" - operator: GreaterThan - value: 0 - - key: "{{ length(matchingpdbs) }}" - operator: GreaterThan - value: 0 - validate: - message: >- - Replica count ({{ request.object.spec.replicas }}) cannot be less than or equal to the minAvailable of any - matching PodDisruptionBudget. There are {{ length(matchingpdbs) }} PodDisruptionBudgets which match this labelSelector, - not all of which may define a minAvailable value as a number. 
- foreach: - - list: matchingpdbs - preconditions: - all: - - key: '{{ regex_match(''^[0-9]+$'', ''{{ element.spec.minAvailable || '''' }}'') }}' - operator: Equals - value: true - deny: - conditions: - all: - - key: "{{ request.object.spec.replicas }}" - operator: LessThanOrEquals - value: "{{ element.spec.minAvailable }}" diff --git a/other/require-storageclass/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other/require-storageclass/.chainsaw-test/chainsaw-step-01-assert-1.yaml index 741ae585b..4b3bb52d1 100755 --- a/other/require-storageclass/.chainsaw-test/chainsaw-step-01-assert-1.yaml +++ b/other/require-storageclass/.chainsaw-test/chainsaw-step-01-assert-1.yaml @@ -3,8 +3,4 @@ kind: ClusterPolicy metadata: name: require-storageclass status: - conditions: - - reason: Succeeded - status: "True" - type: Ready - + ready: true diff --git a/other/require-storageclass/.chainsaw-test/chainsaw-test.yaml b/other/require-storageclass/.chainsaw-test/chainsaw-test.yaml index 52d166e39..9d42ca9c0 100755 --- a/other/require-storageclass/.chainsaw-test/chainsaw-test.yaml +++ b/other/require-storageclass/.chainsaw-test/chainsaw-test.yaml @@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: @@ -8,16 +7,9 @@ spec: steps: - name: step-01 try: - - apply: - file: ../require-storageclass.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: require-storageclass - spec: - validationFailureAction: Enforce + - script: + content: | + sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../require-storageclass.yaml | kubectl create -f - - assert: file: chainsaw-step-01-assert-1.yaml - name: step-02 
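Review bot: The new assertion keys on `status.ready`, which in the Kyverno ClusterPolicy API is, as far as I can tell, marked deprecated in favour of `status.conditions`; the removed `conditions` check was the forward-compatible form. If the switch is deliberate (for example to support an older Kyverno), a one-line comment in the assert file such as `# status.ready is asserted instead of status.conditions for compatibility with <Kyverno version — fill in>` would stop the next contributor from switching it back. The same replacement is made in the chainsaw-step-01-assert-1.yaml files of require-unique-external-dns, require-unique-service-selector and require-unique-uid-per-workload.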
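Review bot: The `sed` substitution in the new `script` step silently does nothing when the pattern does not match, so a policy file spelled `Audit` (the spelling this commit changes away from elsewhere) would be created in audit mode and the `($error != null): true` expectations in step-02 would fail with a misleading error rather than a clear one. A guard ahead of the pipe makes the dependency explicit, e.g. `set -euo pipefail` followed by `grep -q 'validationFailureAction: audit' ../require-storageclass.yaml`, so the step fails at the source of the problem. `kubectl create` also fails if the ClusterPolicy still exists from an aborted earlier run, whereas the removed `apply`/`patch` pair was idempotent, which makes reliable teardown (the step-99 hunk below) part of the correctness of this step. The same script pattern is introduced in the chainsaw-test.yaml files of require-unique-external-dns, require-unique-service-selector and require-unique-uid-per-workload.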
@@ -36,3 +28,10 @@ spec: - check: ($error != null): true file: pvc-bad.yaml + - name: step-99 + try: + - delete: + ref: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: require-storageclass diff --git a/other/require-storageclass/.chainsaw-test/ss-bad.yaml b/other/require-storageclass/.chainsaw-test/ss-bad.yaml index a930f7a6c..024c50372 100644 --- a/other/require-storageclass/.chainsaw-test/ss-bad.yaml +++ b/other/require-storageclass/.chainsaw-test/ss-bad.yaml @@ -16,7 +16,7 @@ spec: terminationGracePeriodSeconds: 10 containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - containerPort: 80 name: web diff --git a/other/require-storageclass/.chainsaw-test/ss-good.yaml b/other/require-storageclass/.chainsaw-test/ss-good.yaml index 4962ec721..6078a1b32 100644 --- a/other/require-storageclass/.chainsaw-test/ss-good.yaml +++ b/other/require-storageclass/.chainsaw-test/ss-good.yaml @@ -15,7 +15,7 @@ spec: terminationGracePeriodSeconds: 10 containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 volumeClaimTemplates: - metadata: name: www @@ -43,4 +43,4 @@ spec: terminationGracePeriodSeconds: 10 containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 \ No newline at end of file + image: busybox:1.35 \ No newline at end of file diff --git a/other/require-storageclass/artifacthub-pkg.yml b/other/require-storageclass/artifacthub-pkg.yml index 7328fe938..6df82ceba 100644 --- a/other/require-storageclass/artifacthub-pkg.yml +++ b/other/require-storageclass/artifacthub-pkg.yml @@ -19,4 +19,4 @@ readme: | annotations: kyverno/category: "Other, Multi-Tenancy" kyverno/subject: "PersistentVolumeClaim, StatefulSet" -digest: 4406764cb5789780214b436f63b473b52ad60a71d7ff04f7a535810b83b882e7 +digest: e99e3f27171a721aa76970de2f591c33104b08886120a17baaa0679e7e09c76a 
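Review bot: The `delete` in the new step-99 only runs when every earlier step passes, so a failure in step-02 leaves the ClusterPolicy behind and, because step-01 now creates it with `kubectl create` rather than `apply`, the next run of this test fails at creation instead of at the real problem. Resources created from a `script` are presumably not tracked by chainsaw's automatic cleanup, which is why the explicit delete is needed at all. As far as I know chainsaw runs a step's `cleanup` (or `finally`) section regardless of the outcome of `try`, so moving this `delete` into a `cleanup:` block on step-01 would make the teardown reliable and step-99 could be dropped. The same step-99 pattern is added in require-unique-external-dns, require-unique-service-selector and require-unique-uid-per-workload.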
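Review bot: Replacing `ghcr.io/kyverno/test-busybox:1.35` with the unqualified `busybox:1.35` makes the test depend on the container runtime's default registry (Docker Hub), whose anonymous pull rate limits and mutable tags are outside the project's control, whereas the previous reference pointed at a project-owned mirror. If the move away from GHCR is intended, writing the reference fully qualified, `image: docker.io/library/busybox:1.35`, at least removes the ambiguity about which registry is contacted, and pinning by digest would remove the mutable-tag dependency where the test is not itself exercising tag resolution. The same replacement appears in ss-good.yaml here, in pod-bad.yaml, pod-good.yaml and pods.yaml of require-unique-uid-per-workload, and in podcontroller.yaml of resolve-image-to-digest.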
diff --git a/other/require-storageclass/require-storageclass.yaml b/other/require-storageclass/require-storageclass.yaml index 235a7d4cc..9946e705b 100644 --- a/other/require-storageclass/require-storageclass.yaml +++ b/other/require-storageclass/require-storageclass.yaml @@ -14,7 +14,7 @@ metadata: StorageClasses. This policy requires that PVCs and StatefulSets containing volumeClaimTemplates define the storageClassName field with some value. spec: - validationFailureAction: Audit + validationFailureAction: audit background: true rules: - name: pvc-storageclass diff --git a/other/require-unique-external-dns/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other/require-unique-external-dns/.chainsaw-test/chainsaw-step-01-assert-1.yaml index aca3243c3..d7d9c6219 100755 --- a/other/require-unique-external-dns/.chainsaw-test/chainsaw-step-01-assert-1.yaml +++ b/other/require-unique-external-dns/.chainsaw-test/chainsaw-step-01-assert-1.yaml @@ -3,8 +3,4 @@ kind: ClusterPolicy metadata: name: unique-external-dns status: - conditions: - - reason: Succeeded - status: "True" - type: Ready - + ready: true diff --git a/other/require-unique-external-dns/.chainsaw-test/chainsaw-test.yaml b/other/require-unique-external-dns/.chainsaw-test/chainsaw-test.yaml index 8ed6169db..1cf22381b 100755 --- a/other/require-unique-external-dns/.chainsaw-test/chainsaw-test.yaml +++ b/other/require-unique-external-dns/.chainsaw-test/chainsaw-test.yaml @@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: 
@@ -10,16 +9,9 @@ spec: try: - apply: file: svc.yaml - - apply: - file: ../require-unique-external-dns.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: unique-external-dns - spec: - validationFailureAction: Enforce + - script: + content: | + sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../require-unique-external-dns.yaml | kubectl create -f - - assert: file: chainsaw-step-01-assert-1.yaml - name: step-02 @@ -31,3 +23,10 @@ spec: - check: ($error != null): true file: svc-bad.yaml + - name: step-99 + try: + - delete: + ref: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: unique-external-dns diff --git a/other/require-unique-external-dns/artifacthub-pkg.yml b/other/require-unique-external-dns/artifacthub-pkg.yml index 6905f4a3f..257a9d887 100644 --- a/other/require-unique-external-dns/artifacthub-pkg.yml +++ b/other/require-unique-external-dns/artifacthub-pkg.yml @@ -1,5 +1,5 @@ name: require-unique-external-dns -version: 1.0.1 +version: 1.0.0 displayName: Require Unique External DNS Services createdAt: "2023-04-10T20:30:05.000Z" description: >- @@ -19,4 +19,4 @@ annotations: kyverno/category: "Other" kyverno/kubernetesVersion: "1.21" kyverno/subject: "Service" -digest: b3ce771e03d3b5519be378a040633219fea076f0987e7b9e6324e4dd6ff748bc +digest: e3953f6fa18f210e5f5f2903c59bd606bd9c518fe94948326dcb739cc1146ba1 diff --git a/other/require-unique-external-dns/require-unique-external-dns.yaml b/other/require-unique-external-dns/require-unique-external-dns.yaml index c5279428e..dff28b85f 100644 --- a/other/require-unique-external-dns/require-unique-external-dns.yaml +++ b/other/require-unique-external-dns/require-unique-external-dns.yaml 
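Review bot: `version` goes from 1.0.1 back to 1.0.0 while `digest` changes in the same file, so the content published under 1.0.0 no longer matches what was previously released under that version; Artifact Hub keys a release by package name and version, so as far as I know the changed content may be ignored or flagged rather than picked up. If this is a revert of the 1.0.1 change, the version should still move forward, `version: 1.0.2`, with the digest regenerated; if 1.0.1 was never published, a sentence in the commit description saying so would settle the question. The jmesPath hunk in require-unique-external-dns.yaml is what the digest change reflects.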
@@ -16,7 +16,7 @@ metadata: internal DNS, duplicates must be avoided. This policy requires every such Service have a cluster-unique hostname present in the value of the annotation. spec: - validationFailureAction: Audit + validationFailureAction: audit background: false rules: - name: ensure-valid-externaldns-annotation @@ -32,7 +32,7 @@ spec: - name: alldns apiCall: urlPath: "/api/v1/services" - jmesPath: "items[?[metadata.namespace, metadata.name] != ['{{request.object.metadata.namespace}}', '{{request.object.metadata.name}}']].metadata.annotations.\"external-dns.alpha.kubernetes.io/hostname\"" + jmesPath: "items[].metadata.annotations.\"external-dns.alpha.kubernetes.io/hostname\"" preconditions: all: - key: "{{ request.operation || 'BACKGROUND' }}" diff --git a/other/require-unique-service-selector/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other/require-unique-service-selector/.chainsaw-test/chainsaw-step-01-assert-1.yaml index 03c5e82b1..9ef98f47d 100755 --- a/other/require-unique-service-selector/.chainsaw-test/chainsaw-step-01-assert-1.yaml +++ b/other/require-unique-service-selector/.chainsaw-test/chainsaw-step-01-assert-1.yaml @@ -3,8 +3,4 @@ kind: ClusterPolicy metadata: name: require-unique-service-selector status: - conditions: - - reason: Succeeded - status: "True" - type: Ready - + ready: true diff --git a/other/require-unique-service-selector/.chainsaw-test/chainsaw-test.yaml b/other/require-unique-service-selector/.chainsaw-test/chainsaw-test.yaml index 1a677f1ce..e9468dcf3 100755 --- a/other/require-unique-service-selector/.chainsaw-test/chainsaw-test.yaml +++ b/other/require-unique-service-selector/.chainsaw-test/chainsaw-test.yaml @@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: 
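Review bot: The new `jmesPath` no longer excludes the Service being admitted, so when an existing Service is updated its own current hostname annotation is part of `alldns` and a uniqueness check against that list would reject the Service for colliding with itself; the removed filter on `[metadata.namespace, metadata.name]` existed to prevent exactly that. Whether this is reachable depends on the `request.operation` precondition that begins on the last line of the hunk and continues outside it: if UPDATE is admitted there, the self-match is a regression. If the intent is only to simplify the expression, keeping the removed `items[?[metadata.namespace, metadata.name] != [...]]` filter preserves behaviour; otherwise a comment on the context entry, `# the request object is not excluded here; the rule relies on the operation precondition to avoid self-matches`, would document the assumption.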
@@ -10,16 +9,9 @@ spec: try: - apply: file: svc.yaml - - apply: - file: ../require-unique-service-selector.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: require-unique-service-selector - spec: - validationFailureAction: Enforce + - script: + content: | + sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../require-unique-service-selector.yaml | kubectl create -f - - assert: file: chainsaw-step-01-assert-1.yaml - name: step-02 @@ -31,3 +23,10 @@ spec: - check: ($error != null): true file: svc-bad.yaml + - name: step-99 + try: + - delete: + ref: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: require-unique-service-selector diff --git a/other/require-unique-service-selector/artifacthub-pkg.yml b/other/require-unique-service-selector/artifacthub-pkg.yml index 2e6bc7bd1..9749c0d5d 100644 --- a/other/require-unique-service-selector/artifacthub-pkg.yml +++ b/other/require-unique-service-selector/artifacthub-pkg.yml @@ -19,4 +19,4 @@ annotations: kyverno/category: "Other" kyverno/kubernetesVersion: "1.24" kyverno/subject: "Service" -digest: 5eab14f82192be84034e365e64a6af4b6be246f0037fe3cd4e774ee8cb5503f2 +digest: 5e6dd5321e79e2317b3d48f72404ec38fe5ab197e588b41af0e12697b4d02e82 diff --git a/other/require-unique-service-selector/require-unique-service-selector.yaml b/other/require-unique-service-selector/require-unique-service-selector.yaml index 5d64b9a88..a5572c18f 100644 --- a/other/require-unique-service-selector/require-unique-service-selector.yaml +++ b/other/require-unique-service-selector/require-unique-service-selector.yaml @@ -14,7 +14,7 @@ metadata: consequences. This policy ensures that within the same Namespace a Service has a unique set of labels as a selector. spec: - validationFailureAction: Audit + validationFailureAction: audit background: false rules: - name: check-service-selector 
diff --git a/other/require-unique-uid-per-workload/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other/require-unique-uid-per-workload/.chainsaw-test/chainsaw-step-01-assert-1.yaml index 2ad06cf41..440fe2a4c 100755 --- a/other/require-unique-uid-per-workload/.chainsaw-test/chainsaw-step-01-assert-1.yaml +++ b/other/require-unique-uid-per-workload/.chainsaw-test/chainsaw-step-01-assert-1.yaml @@ -3,8 +3,4 @@ kind: ClusterPolicy metadata: name: require-unique-uid-per-workload status: - conditions: - - reason: Succeeded - status: "True" - type: Ready - + ready: true diff --git a/other/require-unique-uid-per-workload/.chainsaw-test/chainsaw-test.yaml b/other/require-unique-uid-per-workload/.chainsaw-test/chainsaw-test.yaml index 6bc8533f4..95962fac4 100755 --- a/other/require-unique-uid-per-workload/.chainsaw-test/chainsaw-test.yaml +++ b/other/require-unique-uid-per-workload/.chainsaw-test/chainsaw-test.yaml @@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: @@ -10,16 +9,9 @@ spec: try: - apply: file: pods.yaml - - apply: - file: ../require-unique-uid-per-workload.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: require-unique-uid-per-workload - spec: - validationFailureAction: Enforce + - script: + content: | + sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../require-unique-uid-per-workload.yaml | kubectl create -f - - assert: file: chainsaw-step-01-assert-1.yaml - name: step-02 @@ -31,3 +23,10 @@ spec: - check: ($error != null): true file: pod-bad.yaml + - name: step-99 + try: + - delete: + ref: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: require-unique-uid-per-workload 
diff --git a/other/require-unique-uid-per-workload/.chainsaw-test/pod-bad.yaml b/other/require-unique-uid-per-workload/.chainsaw-test/pod-bad.yaml index d0dd4d169..bad20ef1a 100644 --- a/other/require-unique-uid-per-workload/.chainsaw-test/pod-bad.yaml +++ b/other/require-unique-uid-per-workload/.chainsaw-test/pod-bad.yaml @@ -5,7 +5,7 @@ metadata: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsUser: 144 --- @@ -16,11 +16,11 @@ metadata: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsUser: 1234 - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsUser: 122 --- @@ -31,10 +31,10 @@ metadata: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsUser: 122 - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsUser: 144 \ No newline at end of file diff --git a/other/require-unique-uid-per-workload/.chainsaw-test/pod-good.yaml b/other/require-unique-uid-per-workload/.chainsaw-test/pod-good.yaml index 8ec3174c7..86867dfbe 100644 --- a/other/require-unique-uid-per-workload/.chainsaw-test/pod-good.yaml +++ b/other/require-unique-uid-per-workload/.chainsaw-test/pod-good.yaml @@ -5,7 +5,7 @@ metadata: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsUser: 2234 --- @@ -16,8 +16,8 @@ metadata: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsUser: 3232 - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 \ No newline at end of file + image: busybox:1.35 \ No newline at end of file 
diff --git a/other/require-unique-uid-per-workload/.chainsaw-test/pods.yaml b/other/require-unique-uid-per-workload/.chainsaw-test/pods.yaml index e5361c89e..2932c9b42 100644 --- a/other/require-unique-uid-per-workload/.chainsaw-test/pods.yaml +++ b/other/require-unique-uid-per-workload/.chainsaw-test/pods.yaml @@ -5,7 +5,7 @@ metadata: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsUser: 1234 --- @@ -16,10 +16,10 @@ metadata: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsUser: 144 - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsUser: 111 \ No newline at end of file diff --git a/other/require-unique-uid-per-workload/artifacthub-pkg.yml b/other/require-unique-uid-per-workload/artifacthub-pkg.yml index e2528dd38..e07b2f984 100644 --- a/other/require-unique-uid-per-workload/artifacthub-pkg.yml +++ b/other/require-unique-uid-per-workload/artifacthub-pkg.yml @@ -19,4 +19,4 @@ annotations: kyverno/category: "Other" kyverno/kubernetesVersion: "1.20" kyverno/subject: "Pod" -digest: 9ab36010faaa527346b15d2a923949d0aa8578179a59af9dfdd4e13c782e4149 +digest: 5673faa10e2ca3fe1f6bc9d45f69e7deb22342fe9b4a4981a02b139f52773ef6 diff --git a/other/require-unique-uid-per-workload/require-unique-uid-per-workload.yaml b/other/require-unique-uid-per-workload/require-unique-uid-per-workload.yaml index 713ee8434..653b8edcb 100644 --- a/other/require-unique-uid-per-workload/require-unique-uid-per-workload.yaml +++ b/other/require-unique-uid-per-workload/require-unique-uid-per-workload.yaml @@ -18,7 +18,7 @@ metadata: kyverno.io/kubernetes-version: "1.20" spec: background: false - validationFailureAction: Audit + validationFailureAction: audit rules: - name: require-unique-uid match: 
diff --git a/other/require-vulnerability-scan/artifacthub-pkg.yml b/other/require-vulnerability-scan/artifacthub-pkg.yml index 45d6b28ae..efa9ce1a0 100644 --- a/other/require-vulnerability-scan/artifacthub-pkg.yml +++ b/other/require-vulnerability-scan/artifacthub-pkg.yml @@ -19,4 +19,4 @@ annotations: kyverno/category: "Software Supply Chain Security" kyverno/kubernetesVersion: "1.24" kyverno/subject: "Pod" -digest: b17dd860ebad820becd3996eb69887e58f508cfc1167fa1d33137d1844915013 +digest: e0ee103ddd3d4dde09b63bc2295791747231ba0f3fef843c0f543cf7ac456e82 diff --git a/other/require-vulnerability-scan/require-vulnerability-scan.yaml b/other/require-vulnerability-scan/require-vulnerability-scan.yaml index c6f71e297..7d2fdebcb 100644 --- a/other/require-vulnerability-scan/require-vulnerability-scan.yaml +++ b/other/require-vulnerability-scan/require-vulnerability-scan.yaml @@ -19,7 +19,7 @@ metadata: policy is expected to be customized based upon your signing strategy and applicable to the images you designate. spec: - validationFailureAction: Audit + validationFailureAction: audit webhookTimeoutSeconds: 10 failurePolicy: Fail rules: diff --git a/other/resolve-image-to-digest/.chainsaw-test/chainsaw-test.yaml b/other/resolve-image-to-digest/.chainsaw-test/chainsaw-test.yaml index 4955a1271..bd4937951 100755 --- a/other/resolve-image-to-digest/.chainsaw-test/chainsaw-test.yaml +++ b/other/resolve-image-to-digest/.chainsaw-test/chainsaw-test.yaml @@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: diff --git a/other/resolve-image-to-digest/.chainsaw-test/podcontroller-patched.yaml b/other/resolve-image-to-digest/.chainsaw-test/podcontroller-patched.yaml index beb41ff21..30cd5da24 100644 --- a/other/resolve-image-to-digest/.chainsaw-test/podcontroller-patched.yaml 
+++ b/other/resolve-image-to-digest/.chainsaw-test/podcontroller-patched.yaml @@ -17,9 +17,9 @@ spec: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox@sha256:859d41e4316c182cb559f9ae3c5ffcac8602ee1179794a1707c06cd092a008d3 + image: index.docker.io/library/busybox@sha256:141c253bc4c3fd0a201d32dc1f493bcf3fff003b6df416dea4f41046e0f37d47 - name: busybox02 - image: ghcr.io/kyverno/test-busybox@sha256:859d41e4316c182cb559f9ae3c5ffcac8602ee1179794a1707c06cd092a008d3 + image: index.docker.io/library/busybox@sha256:141c253bc4c3fd0a201d32dc1f493bcf3fff003b6df416dea4f41046e0f37d47 --- apiVersion: batch/v1 kind: CronJob @@ -33,7 +33,7 @@ spec: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox@sha256:859d41e4316c182cb559f9ae3c5ffcac8602ee1179794a1707c06cd092a008d3 + image: index.docker.io/library/busybox@sha256:141c253bc4c3fd0a201d32dc1f493bcf3fff003b6df416dea4f41046e0f37d47 - name: busybox02 - image: ghcr.io/kyverno/test-busybox@sha256:859d41e4316c182cb559f9ae3c5ffcac8602ee1179794a1707c06cd092a008d3 + image: index.docker.io/library/busybox@sha256:141c253bc4c3fd0a201d32dc1f493bcf3fff003b6df416dea4f41046e0f37d47 restartPolicy: OnFailure \ No newline at end of file diff --git a/other/resolve-image-to-digest/.chainsaw-test/podcontroller.yaml b/other/resolve-image-to-digest/.chainsaw-test/podcontroller.yaml index 535f4e9ee..73738614d 100644 --- a/other/resolve-image-to-digest/.chainsaw-test/podcontroller.yaml +++ b/other/resolve-image-to-digest/.chainsaw-test/podcontroller.yaml @@ -17,9 +17,9 @@ spec: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.28 + image: busybox:1.28 - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.28 + image: busybox:1.28 --- apiVersion: batch/v1 kind: CronJob 
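Review bot: The expected `index.docker.io/library/busybox@sha256:141c…` values in the podcontroller-patched.yaml hunks pin the digest that the mutable tag `busybox:1.28` happens to resolve to today, so the assertion will fail the moment Docker Hub re-pushes that tag even though policy behavior is unchanged. What the policy guarantees is that a tag is replaced by a digest, so consider asserting the shape rather than the value — for example a chainsaw expression check along the lines of `(starts_with(image, 'index.docker.io/library/busybox@sha256:')): true` per container, if the chainsaw version in use supports expression assertions — and keep the exact-digest form only if the fixture records where the digest came from. It is also not visible here whether Kyverno writes the image-index digest or a platform manifest digest; a one-line comment naming which one `141c…` is would make the next refresh unambiguous.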
@@ -33,7 +33,7 @@ spec: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.28 + image: busybox:1.28 - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.28 + image: busybox:1.28 restartPolicy: OnFailure \ No newline at end of file diff --git a/other/resolve-image-to-digest/.chainsaw-test/pods-patched.yaml b/other/resolve-image-to-digest/.chainsaw-test/pods-patched.yaml index e9ddd787f..1d4567cdf 100644 --- a/other/resolve-image-to-digest/.chainsaw-test/pods-patched.yaml +++ b/other/resolve-image-to-digest/.chainsaw-test/pods-patched.yaml @@ -5,7 +5,7 @@ metadata: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox@sha256:859d41e4316c182cb559f9ae3c5ffcac8602ee1179794a1707c06cd092a008d3 + image: index.docker.io/library/busybox@sha256:141c253bc4c3fd0a201d32dc1f493bcf3fff003b6df416dea4f41046e0f37d47 --- apiVersion: v1 kind: Pod @@ -14,6 +14,6 @@ metadata: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox@sha256:859d41e4316c182cb559f9ae3c5ffcac8602ee1179794a1707c06cd092a008d3 + image: index.docker.io/library/busybox@sha256:141c253bc4c3fd0a201d32dc1f493bcf3fff003b6df416dea4f41046e0f37d47 - name: busybox02 - image: ghcr.io/kyverno/test-busybox@sha256:859d41e4316c182cb559f9ae3c5ffcac8602ee1179794a1707c06cd092a008d3 + image: index.docker.io/library/busybox@sha256:141c253bc4c3fd0a201d32dc1f493bcf3fff003b6df416dea4f41046e0f37d47 diff --git a/other/resolve-image-to-digest/.chainsaw-test/pods.yaml b/other/resolve-image-to-digest/.chainsaw-test/pods.yaml index de8c9dae3..7e4cd58e4 100644 --- a/other/resolve-image-to-digest/.chainsaw-test/pods.yaml +++ b/other/resolve-image-to-digest/.chainsaw-test/pods.yaml @@ -5,7 +5,7 @@ metadata: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.28 + image: busybox:1.28 --- apiVersion: v1 kind: Pod 
@@ -14,6 +14,6 @@ metadata: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.28 + image: busybox:1.28 - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.28 \ No newline at end of file + image: busybox:1.28 \ No newline at end of file diff --git a/other/resource-creation-updating-denied/.chainsaw-test/chainsaw-test.yaml b/other/resource-creation-updating-denied/.chainsaw-test/chainsaw-test.yaml deleted file mode 100644 index 8065afcb3..000000000 --- a/other/resource-creation-updating-denied/.chainsaw-test/chainsaw-test.yaml +++ /dev/null @@ -1,33 +0,0 @@ -apiVersion: chainsaw.kyverno.io/v1alpha1 -kind: Test -metadata: - name: resource-creation-updating-denied -spec: - steps: - - name: test-resource-creation-updating-denied - try: - - apply: - file: ../resource-creation-updating-denied.yaml - - assert: - file: policy-assert.yaml - - script: - content: | - current_time=$(date -u +%H) - current_time_1hour=$(date -u -d "+1 hour" +%H) - sed -e "s/value: .*/value: ${current_time}-${current_time_1hour}/" -e 's/validationFailureAction: Audit/validationFailureAction: Enforce/' ../resource-creation-updating-denied.yaml | kubectl apply -f - - - assert: - file: enforce-policy-assert.yaml - - apply: - expect: - - check: - ($error != null): true - file: resource.yaml - - script: - content: | - current_time_2hours=$(date -u -d "+2 hour" +%H) - current_time_3hours=$(date -u -d "+3 hour" +%H) - sed -e "s/value: .*/value: ${current_time_2hours}-${current_time_3hours}/" -e 's/validationFailureAction: Audit/validationFailureAction: Enforce/' ../resource-creation-updating-denied.yaml | kubectl apply -f - - - assert: - file: enforce-policy-assert.yaml - - apply: - file: resource2.yaml diff --git a/other/resource-creation-updating-denied/.chainsaw-test/enforce-policy-assert.yaml b/other/resource-creation-updating-denied/.chainsaw-test/enforce-policy-assert.yaml deleted file mode 100644 index 20bd3177d..000000000 
--- a/other/resource-creation-updating-denied/.chainsaw-test/enforce-policy-assert.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: resource-creation-updating-denied -spec: - validationFailureAction: Enforce -status: - conditions: - - reason: Succeeded - status: "True" - type: Ready diff --git a/other/resource-creation-updating-denied/.chainsaw-test/policy-assert.yaml b/other/resource-creation-updating-denied/.chainsaw-test/policy-assert.yaml deleted file mode 100644 index ea7ea4981..000000000 --- a/other/resource-creation-updating-denied/.chainsaw-test/policy-assert.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: resource-creation-updating-denied -spec: - validationFailureAction: Audit -status: - conditions: - - reason: Succeeded - status: "True" - type: Ready diff --git a/other/resource-creation-updating-denied/.chainsaw-test/resource.yaml b/other/resource-creation-updating-denied/.chainsaw-test/resource.yaml deleted file mode 100644 index eea28f548..000000000 --- a/other/resource-creation-updating-denied/.chainsaw-test/resource.yaml +++ /dev/null @@ -1,21 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app: httpd - name: httpd -spec: - replicas: 1 - selector: - matchLabels: - app: httpd - strategy: {} - template: - metadata: - labels: - app: httpd - spec: - terminationGracePeriodSeconds: 5 - containers: - - image: httpd - name: httpd diff --git a/other/resource-creation-updating-denied/.chainsaw-test/resource2.yaml b/other/resource-creation-updating-denied/.chainsaw-test/resource2.yaml deleted file mode 100644 index 79f4c58cb..000000000 --- a/other/resource-creation-updating-denied/.chainsaw-test/resource2.yaml +++ /dev/null 
@@ -1,21 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app: httpd2 - name: httpd2 -spec: - replicas: 1 - selector: - matchLabels: - app: httpd2 - strategy: {} - template: - metadata: - labels: - app: httpd2 - spec: - terminationGracePeriodSeconds: 5 - containers: - - image: httpd - name: httpd diff --git a/other/resource-creation-updating-denied/artifacthub-pkg.yml b/other/resource-creation-updating-denied/artifacthub-pkg.yml deleted file mode 100644 index 19ba46282..000000000 --- a/other/resource-creation-updating-denied/artifacthub-pkg.yml +++ /dev/null @@ -1,22 +0,0 @@ -name: resource-creation-updating-denied -version: 1.0.0 -displayName: Deny Creation and Updating of Resources -createdAt: "2024-05-24T12:40:49.000Z" -description: >- - This policy denies the creation and updating of resources specifically for Deployment and Pod kinds during a specified time window. The policy is designed to enhance control over resource modifications during critical periods, ensuring stability and consistency within the Kubernetes environment. -install: |- - ```shell - kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/resource-creation-updating-denied/resource-creation-updating-denied.yaml - ``` -keywords: - - kyverno - - Other -readme: | - This policy denies the creation and updating of resources specifically for Deployment and Pod kinds during a specified time window. The policy is designed to enhance control over resource modifications during critical periods, ensuring stability and consistency within the Kubernetes environment. - - Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ -annotations: - kyverno/category: "Other" - kyverno/kubernetesVersion: "1.27" - kyverno/subject: "Pod" -digest: 966057f998a12d484b855b15d8574b46f5fd0d94be8dbf0e72bfabefd907d2aa 
diff --git a/other/resource-creation-updating-denied/resource-creation-updating-denied.yaml b/other/resource-creation-updating-denied/resource-creation-updating-denied.yaml deleted file mode 100644 index 8a92d3957..000000000 --- a/other/resource-creation-updating-denied/resource-creation-updating-denied.yaml +++ /dev/null @@ -1,42 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: resource-creation-updating-denied - annotations: - policies.kyverno.io/title: Deny Creation and Updating of Resources - policies.kyverno.io/category: Other - policies.kyverno.io/severity: medium - kyverno.io/kyverno-version: 1.11.1 - policies.kyverno.io/minversion: 1.9.0 - kyverno.io/kubernetes-version: "1.27" - policies.kyverno.io/subject: Pod - policies.kyverno.io/description: >- - This policy denies the creation and updating of resources specifically for Deployment - and Pod kinds during a specified time window. The policy is designed to enhance control - over resource modifications during critical periods, ensuring stability and consistency - within the Kubernetes environment. -spec: - validationFailureAction: Audit - background: false - rules: - - name: deny-creation-updating-of-resources - match: - any: - - resources: - kinds: - - Deployment - preconditions: - all: - - key: '{{ time_now_utc().time_to_cron(@).split(@,'' '') | [1].to_number(@) }}' - operator: AnyIn - value: 8-10 - validate: - message: Creating and updating resources is not allowed at this time. - deny: - conditions: - all: - - key: '{{request.operation}}' - operator: AnyIn - value: - - CREATE - - UPDATE diff --git a/other/restart-deployment-on-secret-change/.chainsaw-test/chainsaw-test.yaml b/other/restart-deployment-on-secret-change/.chainsaw-test/chainsaw-test.yaml index 4521561ea..6d0794aa5 100755 --- a/other/restart-deployment-on-secret-change/.chainsaw-test/chainsaw-test.yaml +++ b/other/restart-deployment-on-secret-change/.chainsaw-test/chainsaw-test.yaml 
@@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: @@ -29,8 +28,10 @@ spec: file: chainsaw-step-03-apply-1.yaml - name: step-04 try: - - sleep: - duration: 5s + - command: + args: + - "5" + entrypoint: sleep - script: content: | annotation=$(kubectl get deployment -n default busybox -o json | kyverno jp query "spec.template.metadata.annotations.\"ops.corp.com\/triggerrestart\" || 'annotation-404' " | tail -n 1 | cut -d '"' -f 2) diff --git a/other/restart-deployment-on-secret-change/.chainsaw-test/deploy.yaml b/other/restart-deployment-on-secret-change/.chainsaw-test/deploy.yaml index cb101349a..5ac15d5ee 100644 --- a/other/restart-deployment-on-secret-change/.chainsaw-test/deploy.yaml +++ b/other/restart-deployment-on-secret-change/.chainsaw-test/deploy.yaml @@ -14,5 +14,5 @@ spec: app: busybox spec: containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: bb-pod \ No newline at end of file diff --git a/other/restrict-annotations/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other/restrict-annotations/.chainsaw-test/chainsaw-step-01-assert-1.yaml index feec6ff3b..d064f3fca 100755 --- a/other/restrict-annotations/.chainsaw-test/chainsaw-step-01-assert-1.yaml +++ b/other/restrict-annotations/.chainsaw-test/chainsaw-step-01-assert-1.yaml @@ -3,8 +3,4 @@ kind: ClusterPolicy metadata: name: restrict-annotations status: - conditions: - - reason: Succeeded - status: "True" - type: Ready - + ready: true diff --git a/other/restrict-annotations/.chainsaw-test/chainsaw-test.yaml b/other/restrict-annotations/.chainsaw-test/chainsaw-test.yaml index f693735a4..435c6636a 100755 --- a/other/restrict-annotations/.chainsaw-test/chainsaw-test.yaml +++ b/other/restrict-annotations/.chainsaw-test/chainsaw-test.yaml 
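Review bot: The `command: sleep 5` in step-04 of the restart-deployment-on-secret-change test is a fixed wait before the script reads the `ops.corp.com/triggerrestart` annotation exactly once, so the step is timing-dependent: on a slow admission or controller path it fails spuriously, and on a fast one it wastes five seconds. The chainsaw `sleep` action it replaces had the same weakness; the robust form is to drop the wait and let the script poll with a bounded `until … ; do sleep 1; done` loop, or to express the expectation as a chainsaw `assert` on the Deployment's template annotations, which retries until its timeout. The script body continues outside the hunk.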
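Review bot: The rewritten chainsaw-step-01-assert-1.yaml for restrict-annotations checks only `status.ready: true`, so nothing in the test verifies that the policy was actually installed in Enforce mode; if the `sed` rewrite that step-01 depends on fails to match, the policy is admitted in audit mode, this assert still passes, and the negative cases become the only thing that could notice. Add the mode to the assert so the precondition is checked directly: `spec:` / `  validationFailureAction: Enforce` alongside the existing `status` block. Whether `status.ready` is still populated by the Kyverno version targeted here is not visible in this change — newer releases report readiness via `status.conditions`, which is what the removed lines asserted on — so confirm the field against the version used in CI.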
@@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: @@ -8,16 +7,9 @@ spec: steps: - name: step-01 try: - - apply: - file: ../restrict-annotations.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: restrict-annotations - spec: - validationFailureAction: Enforce + - script: + content: | + sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../restrict-annotations.yaml | kubectl create -f - - assert: file: chainsaw-step-01-assert-1.yaml - name: step-02 @@ -36,3 +28,10 @@ spec: - check: ($error != null): true file: podcontroller-bad.yaml + - name: step-99 + try: + - delete: + ref: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: restrict-annotations diff --git a/other/restrict-annotations/.chainsaw-test/pod-bad.yaml b/other/restrict-annotations/.chainsaw-test/pod-bad.yaml index ff2b86396..442100ab4 100644 --- a/other/restrict-annotations/.chainsaw-test/pod-bad.yaml +++ b/other/restrict-annotations/.chainsaw-test/pod-bad.yaml @@ -3,11 +3,11 @@ kind: Pod metadata: annotations: fluxcd.io/foo: bar - name: badpod01 + name: goodpod01 spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod @@ -16,21 +16,21 @@ metadata: bar: foo fluxcd.io/foo: bar foo: bar - name: badpod02 + name: goodpod02 spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod metadata: annotations: bar: foo - fluxcd.io/hello: bar + fluxcd.io/: bar foo: bar - name: badpod03 + name: goodpod02 spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 \ No newline at end of file + image: busybox:1.35 \ No newline at end of file 
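Review bot: In step-01 of the restrict-annotations test, `sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../restrict-annotations.yaml | kubectl create -f -` silently degrades to installing the policy in audit mode whenever the pattern does not match (a capitalisation change in the policy file is enough), and a `sed` failure is masked because the pipeline's exit status is kubectl's. The declarative `apply` + `patch` it replaces did not have that failure mode. If the script form is kept, make a non-match fatal, e.g. `grep -q 'validationFailureAction: audit' ../restrict-annotations.yaml || exit 1` before the `sed`, and start the script with `set -euo pipefail` so a failing `sed` is not hidden by the pipe.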
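Review bot: The third Pod in the pod-bad.yaml hunk now carries the annotation key `fluxcd.io/: bar`, whose name segment is empty; that is presumably rejected by the API server's own metadata validation before any validating webhook runs, so the `($error != null): true` expectation for this file is satisfied whether or not the restrict-annotations policy is installed and the case no longer exercises the policy. Restore a syntactically valid flux v1 key such as `fluxcd.io/hello: bar` (what the removed line had) so a rejection can only come from Kyverno. In the same hunk the second and third Pods are both named `goodpod02`, and all three "bad" fixtures are now named `goodpodNN`, which is misleading in test output and would collide on create if the policy ever let them through; keep `badpod01`/`badpod02`/`badpod03`.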
diff --git a/other/restrict-annotations/.chainsaw-test/pod-good.yaml b/other/restrict-annotations/.chainsaw-test/pod-good.yaml index 315490046..3d976de3a 100644 --- a/other/restrict-annotations/.chainsaw-test/pod-good.yaml +++ b/other/restrict-annotations/.chainsaw-test/pod-good.yaml @@ -5,7 +5,7 @@ metadata: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod @@ -18,4 +18,4 @@ metadata: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 \ No newline at end of file + image: busybox:1.35 \ No newline at end of file diff --git a/other/restrict-annotations/.chainsaw-test/podcontroller-bad.yaml b/other/restrict-annotations/.chainsaw-test/podcontroller-bad.yaml index cc35545ab..ec75284c5 100644 --- a/other/restrict-annotations/.chainsaw-test/podcontroller-bad.yaml +++ b/other/restrict-annotations/.chainsaw-test/podcontroller-bad.yaml @@ -19,7 +19,7 @@ spec: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: batch/v1 kind: CronJob @@ -37,5 +37,5 @@ spec: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 restartPolicy: OnFailure \ No newline at end of file diff --git a/other/restrict-annotations/.chainsaw-test/podcontroller-good.yaml b/other/restrict-annotations/.chainsaw-test/podcontroller-good.yaml index e867704be..c4e5270ad 100644 --- a/other/restrict-annotations/.chainsaw-test/podcontroller-good.yaml +++ b/other/restrict-annotations/.chainsaw-test/podcontroller-good.yaml @@ -19,7 +19,7 @@ spec: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: batch/v1 kind: CronJob @@ -35,5 +35,5 @@ spec: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 restartPolicy: OnFailure \ No newline at end of file 
diff --git a/other/restrict-annotations/artifacthub-pkg.yml b/other/restrict-annotations/artifacthub-pkg.yml index 49170ccf2..2b85c2e0c 100644 --- a/other/restrict-annotations/artifacthub-pkg.yml +++ b/other/restrict-annotations/artifacthub-pkg.yml @@ -18,4 +18,4 @@ readme: | annotations: kyverno/category: "Sample" kyverno/subject: "Pod, Annotation" -digest: a5f5b1e2ad8917290af81b3213e67067b0f94a16c4dcb61b80c0da9fc513d896 +digest: a685e92213d17c1848c0374cc959633ce189df2efdfd3d775427d4769ce09efc diff --git a/other/restrict-annotations/restrict-annotations.yaml b/other/restrict-annotations/restrict-annotations.yaml index b300c9997..abd3b374d 100644 --- a/other/restrict-annotations/restrict-annotations.yaml +++ b/other/restrict-annotations/restrict-annotations.yaml @@ -14,7 +14,7 @@ metadata: don't set reserved annotations or to force them to use a newer version of an annotation. pod-policies.kyverno.io/autogen-controllers: none spec: - validationFailureAction: Audit + validationFailureAction: audit background: true rules: - name: block-flux-v1 diff --git a/other/restrict-automount-sa-token/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other/restrict-automount-sa-token/.chainsaw-test/chainsaw-step-01-assert-1.yaml index 25aa46f5b..6a59fdfc0 100755 --- a/other/restrict-automount-sa-token/.chainsaw-test/chainsaw-step-01-assert-1.yaml +++ b/other/restrict-automount-sa-token/.chainsaw-test/chainsaw-step-01-assert-1.yaml @@ -3,8 +3,4 @@ kind: ClusterPolicy metadata: name: restrict-automount-sa-token status: - conditions: - - reason: Succeeded - status: "True" - type: Ready - + ready: true diff --git a/other/restrict-automount-sa-token/.chainsaw-test/chainsaw-test.yaml b/other/restrict-automount-sa-token/.chainsaw-test/chainsaw-test.yaml index dcfdb651e..287e57f77 100755 --- a/other/restrict-automount-sa-token/.chainsaw-test/chainsaw-test.yaml +++ b/other/restrict-automount-sa-token/.chainsaw-test/chainsaw-test.yaml 
@@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: @@ -8,16 +7,9 @@ spec: steps: - name: step-01 try: - - apply: - file: ../restrict-automount-sa-token.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: restrict-automount-sa-token - spec: - validationFailureAction: Enforce + - script: + content: | + sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../restrict-automount-sa-token.yaml | kubectl create -f - - assert: file: chainsaw-step-01-assert-1.yaml - name: step-02 @@ -36,3 +28,10 @@ spec: - check: ($error != null): true file: podcontroller-bad.yaml + - name: step-99 + try: + - delete: + ref: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: restrict-automount-sa-token diff --git a/other/restrict-automount-sa-token/.chainsaw-test/pod-bad.yaml b/other/restrict-automount-sa-token/.chainsaw-test/pod-bad.yaml index a874b157c..3c8653366 100644 --- a/other/restrict-automount-sa-token/.chainsaw-test/pod-bad.yaml +++ b/other/restrict-automount-sa-token/.chainsaw-test/pod-bad.yaml @@ -6,7 +6,7 @@ spec: automountServiceAccountToken: true containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod @@ -17,7 +17,7 @@ metadata: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod @@ -26,4 +26,4 @@ metadata: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 \ No newline at end of file + image: busybox:1.35 \ No newline at end of file diff --git a/other/restrict-automount-sa-token/.chainsaw-test/pod-good.yaml b/other/restrict-automount-sa-token/.chainsaw-test/pod-good.yaml index 3a0f5678d..205b71c38 100644 --- a/other/restrict-automount-sa-token/.chainsaw-test/pod-good.yaml 
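Review bot: Because step-01 of the restrict-automount-sa-token test now creates the ClusterPolicy through `kubectl create` inside a `script`, the resource is outside chainsaw's automatic cleanup, which is why the new step-99 delete is needed; but step-99 is presumably not reached when an earlier step fails, and the next run's `kubectl create` then fails with AlreadyExists before any policy behaviour is tested. Move the delete into a step-level `finally:` (or chainsaw's step cleanup, if the version in use supports it) so it runs on failure too, or use `kubectl apply -f -` so a leaked policy from a previous run is overwritten rather than fatal. The `sed` rewrite on the same line also has no guard against a non-matching pattern, in which case the policy is installed in audit mode and the negative cases below run against nothing.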
+++ b/other/restrict-automount-sa-token/.chainsaw-test/pod-good.yaml @@ -6,7 +6,7 @@ spec: automountServiceAccountToken: false containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod @@ -16,7 +16,7 @@ spec: automountServiceAccountToken: false containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod @@ -27,4 +27,4 @@ metadata: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 \ No newline at end of file + image: busybox:1.35 \ No newline at end of file diff --git a/other/restrict-automount-sa-token/.chainsaw-test/podcontroller-bad.yaml b/other/restrict-automount-sa-token/.chainsaw-test/podcontroller-bad.yaml index 2df7835ea..f734c0042 100644 --- a/other/restrict-automount-sa-token/.chainsaw-test/podcontroller-bad.yaml +++ b/other/restrict-automount-sa-token/.chainsaw-test/podcontroller-bad.yaml @@ -18,7 +18,7 @@ spec: automountServiceAccountToken: true containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: batch/v1 kind: CronJob @@ -34,5 +34,5 @@ spec: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 restartPolicy: OnFailure \ No newline at end of file diff --git a/other/restrict-automount-sa-token/.chainsaw-test/podcontroller-good.yaml b/other/restrict-automount-sa-token/.chainsaw-test/podcontroller-good.yaml index 442ba319d..871b09919 100644 --- a/other/restrict-automount-sa-token/.chainsaw-test/podcontroller-good.yaml +++ b/other/restrict-automount-sa-token/.chainsaw-test/podcontroller-good.yaml @@ -18,7 +18,7 @@ spec: automountServiceAccountToken: false containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: batch/v1 kind: CronJob 
@@ -34,5 +34,5 @@ spec: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 restartPolicy: OnFailure \ No newline at end of file diff --git a/other/restrict-automount-sa-token/artifacthub-pkg.yml b/other/restrict-automount-sa-token/artifacthub-pkg.yml index c5e3f864a..55b4ff029 100644 --- a/other/restrict-automount-sa-token/artifacthub-pkg.yml +++ b/other/restrict-automount-sa-token/artifacthub-pkg.yml @@ -19,4 +19,4 @@ readme: | annotations: kyverno/category: "Sample, EKS Best Practices" kyverno/subject: "Pod,ServiceAccount" -digest: 0ffc85f3f6118bbf7d6f4e8d9aa592c7872f0c496f1ba745767f4baf539bb927 +digest: b87206e937c2e059e0d47e27d1d5ac1857be4f7ec5310a0fc6cc714ee3cfa396 diff --git a/other/restrict-automount-sa-token/restrict-automount-sa-token.yaml b/other/restrict-automount-sa-token/restrict-automount-sa-token.yaml index 299c61084..f1c735bea 100644 --- a/other/restrict-automount-sa-token/restrict-automount-sa-token.yaml +++ b/other/restrict-automount-sa-token/restrict-automount-sa-token.yaml @@ -15,7 +15,7 @@ metadata: be followed if Pods do not need to speak to the API server to function. This policy ensures that mounting of these ServiceAccount tokens is blocked. spec: - validationFailureAction: Audit + validationFailureAction: audit background: true rules: - name: validate-automountServiceAccountToken diff --git a/other/restrict-binding-clusteradmin/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other/restrict-binding-clusteradmin/.chainsaw-test/chainsaw-step-01-assert-1.yaml index 77ed2b43c..708cbe548 100755 --- a/other/restrict-binding-clusteradmin/.chainsaw-test/chainsaw-step-01-assert-1.yaml +++ b/other/restrict-binding-clusteradmin/.chainsaw-test/chainsaw-step-01-assert-1.yaml @@ -3,8 +3,4 @@ kind: ClusterPolicy metadata: name: restrict-binding-clusteradmin status: - conditions: - - reason: Succeeded - status: "True" - type: Ready - + ready: true 
diff --git a/other/restrict-binding-clusteradmin/.chainsaw-test/chainsaw-test.yaml b/other/restrict-binding-clusteradmin/.chainsaw-test/chainsaw-test.yaml index 2d3c69b01..1e96cc6f1 100755 --- a/other/restrict-binding-clusteradmin/.chainsaw-test/chainsaw-test.yaml +++ b/other/restrict-binding-clusteradmin/.chainsaw-test/chainsaw-test.yaml @@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: @@ -8,16 +7,9 @@ spec: steps: - name: step-01 try: - - apply: - file: ../restrict-binding-clusteradmin.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: restrict-binding-clusteradmin - spec: - validationFailureAction: Enforce + - script: + content: | + sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../restrict-binding-clusteradmin.yaml | kubectl create -f - - assert: file: chainsaw-step-01-assert-1.yaml - name: step-02 @@ -36,3 +28,10 @@ spec: - check: ($error != null): true file: crb-bad.yaml + - name: step-99 + try: + - delete: + ref: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: restrict-binding-clusteradmin diff --git a/other/restrict-binding-clusteradmin/.kyverno-test/kyverno-test.yaml b/other/restrict-binding-clusteradmin/.kyverno-test/kyverno-test.yaml deleted file mode 100644 index 8b2670ad9..000000000 --- a/other/restrict-binding-clusteradmin/.kyverno-test/kyverno-test.yaml +++ /dev/null 
@@ -1,41 +0,0 @@ -apiVersion: cli.kyverno.io/v1alpha1 -kind: Test -metadata: - name: restrict-binding-clusteradmin -policies: -- ../restrict-binding-clusteradmin.yaml -resources: -- ../.chainsaw-test/crb-bad.yaml -- ../.chainsaw-test/crb-good.yaml -- ../.chainsaw-test/rb-bad.yaml -- ../.chainsaw-test/rb-good.yaml -results: -- policy: restrict-binding-clusteradmin - rule: clusteradmin-bindings - kind: ClusterRoleBinding - resources: - - badcrb01 - - badcrb02 - result: fail -- policy: restrict-binding-clusteradmin - rule: clusteradmin-bindings - kind: ClusterRoleBinding - resources: - - goodcrb01 - - goodcrb02 - result: pass -- policy: restrict-binding-clusteradmin - rule: clusteradmin-bindings - kind: RoleBinding - resources: - - badrb01 - - badrb02 - result: fail -- policy: restrict-binding-clusteradmin - rule: clusteradmin-bindings - kind: RoleBinding - resources: - - goodrb01 - - goodrb02 - result: pass - diff --git a/other/restrict-binding-clusteradmin/artifacthub-pkg.yml b/other/restrict-binding-clusteradmin/artifacthub-pkg.yml index 69db52032..a17b5c86a 100644 --- a/other/restrict-binding-clusteradmin/artifacthub-pkg.yml +++ b/other/restrict-binding-clusteradmin/artifacthub-pkg.yml @@ -19,4 +19,4 @@ annotations: kyverno/category: "Security" kyverno/kubernetesVersion: "1.23" kyverno/subject: "RoleBinding, ClusterRoleBinding, RBAC" -digest: 8c59127d811aa4da08a14410048d982903c89ca60675357b94bd5ff80bc404d0 +digest: ae00ae65ccb6684e3899708865190608815348e30b7d5fd76814b87fd1eb1901 diff --git a/other/restrict-binding-clusteradmin/restrict-binding-clusteradmin.yaml b/other/restrict-binding-clusteradmin/restrict-binding-clusteradmin.yaml index 35c1efeb6..52dbf1d5c 100644 --- a/other/restrict-binding-clusteradmin/restrict-binding-clusteradmin.yaml +++ b/other/restrict-binding-clusteradmin/restrict-binding-clusteradmin.yaml 
@@ -16,7 +16,7 @@ metadata: policy prevents binding to the cluster-admin ClusterRole in RoleBinding or ClusterRoleBinding resources. spec: - validationFailureAction: Audit + validationFailureAction: audit background: true rules: - name: clusteradmin-bindings diff --git a/other/restrict-binding-system-groups/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other/restrict-binding-system-groups/.chainsaw-test/chainsaw-step-01-assert-1.yaml index 3fe7b760e..a49f3c16e 100755 --- a/other/restrict-binding-system-groups/.chainsaw-test/chainsaw-step-01-assert-1.yaml +++ b/other/restrict-binding-system-groups/.chainsaw-test/chainsaw-step-01-assert-1.yaml @@ -3,8 +3,4 @@ kind: ClusterPolicy metadata: name: restrict-binding-system-groups status: - conditions: - - reason: Succeeded - status: "True" - type: Ready - + ready: true diff --git a/other/restrict-binding-system-groups/.chainsaw-test/chainsaw-test.yaml b/other/restrict-binding-system-groups/.chainsaw-test/chainsaw-test.yaml index 280e3525d..ae5a19b6b 100755 --- a/other/restrict-binding-system-groups/.chainsaw-test/chainsaw-test.yaml +++ b/other/restrict-binding-system-groups/.chainsaw-test/chainsaw-test.yaml @@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: @@ -8,16 +7,9 @@ spec: steps: - name: step-01 try: - - apply: - file: ../restrict-binding-system-groups.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: restrict-binding-system-groups - spec: - validationFailureAction: Enforce + - script: + content: | + sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../restrict-binding-system-groups.yaml | kubectl create -f - - assert: file: chainsaw-step-01-assert-1.yaml - name: step-02 
@@ -36,3 +28,10 @@ spec: - check: ($error != null): true file: crb-bad.yaml + - name: step-99 + try: + - delete: + ref: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: restrict-binding-system-groups diff --git a/other/restrict-binding-system-groups/.chainsaw-test/crb-bad.yaml b/other/restrict-binding-system-groups/.chainsaw-test/crb-bad.yaml index 2186c4010..64f050807 100644 --- a/other/restrict-binding-system-groups/.chainsaw-test/crb-bad.yaml +++ b/other/restrict-binding-system-groups/.chainsaw-test/crb-bad.yaml @@ -16,7 +16,7 @@ kind: ClusterRoleBinding metadata: name: badcrb02 subjects: -- kind: Group +- kind: ServiceAccount namespace: foo name: "system:unauthenticated" apiGroup: rbac.authorization.k8s.io diff --git a/other/restrict-binding-system-groups/.kyverno-test/kyverno-test.yaml b/other/restrict-binding-system-groups/.kyverno-test/kyverno-test.yaml deleted file mode 100644 index df411658c..000000000 --- a/other/restrict-binding-system-groups/.kyverno-test/kyverno-test.yaml +++ /dev/null 
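Review bot: Changing `badcrb02` in crb-bad.yaml from `kind: Group` to `kind: ServiceAccount` means the fixture no longer models the binding the policy exists to block: `system:unauthenticated` is a built-in group, and a ServiceAccount subject with that name is a different object — and, because of the colon, not even a validly named one. With `kind: ServiceAccount` the retained `apiGroup: rbac.authorization.k8s.io` is also wrong (ServiceAccount subjects use the empty apiGroup), so as far as I recall the API server rejects this ClusterRoleBinding on RBAC validation alone and the test's expected error is produced without the `restrict-unauthenticated` rule ever being evaluated. Revert to `- kind: Group` so a rejection can only come from Kyverno; if a ServiceAccount case is wanted, add it as a separate fixture with a valid name. The policy's rule logic is not visible in this hunk, so whether it matches on `subjects[].name` alone or also on `kind` should be checked when deciding.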
@@ -1,96 +0,0 @@ -apiVersion: cli.kyverno.io/v1alpha1 -kind: Test -metadata: - name: restrict-binding-system-groups -policies: -- ../restrict-binding-system-groups.yaml -resources: -- ../.chainsaw-test/crb-bad.yaml -- ../.chainsaw-test/crb-good.yaml -- ../.chainsaw-test/rb-bad.yaml -- ../.chainsaw-test/rb-good.yaml -results: -- policy: restrict-binding-system-groups - rule: restrict-anonymous - kind: ClusterRoleBinding - resources: - - badcrb01 - result: fail -- policy: restrict-binding-system-groups - rule: restrict-unauthenticated - kind: ClusterRoleBinding - resources: - - badcrb02 - result: fail -- policy: restrict-binding-system-groups - rule: restrict-masters - kind: ClusterRoleBinding - resources: - - badcrb03 - result: fail -- policy: restrict-binding-system-groups - rule: restrict-anonymous - kind: RoleBinding - resources: - - badrb01 - result: fail -- policy: restrict-binding-system-groups - rule: restrict-unauthenticated - kind: RoleBinding - resources: - - badrb02 - result: fail -- policy: restrict-binding-system-groups - rule: restrict-masters - kind: RoleBinding - resources: - - badrb03 - result: fail -- policy: restrict-binding-system-groups - rule: restrict-anonymous - kind: ClusterRoleBinding - resources: - - goodcrb01 - - goodcrb02 - - goodcrb03 - result: pass -- policy: restrict-binding-system-groups - rule: restrict-unauthenticated - kind: ClusterRoleBinding - resources: - - goodcrb01 - - goodcrb02 - - goodcrb03 - result: pass -- policy: restrict-binding-system-groups - rule: restrict-masters - kind: ClusterRoleBinding - resources: - - goodcrb01 - - goodcrb02 - - goodcrb03 - result: pass -- policy: restrict-binding-system-groups - rule: restrict-anonymous - kind: RoleBinding - resources: - - goodrb01 - - goodrb02 - - goodrb03 - result: pass -- policy: restrict-binding-system-groups - rule: restrict-unauthenticated - kind: RoleBinding - resources: - - goodrb01 - - goodrb02 - - goodrb03 - result: pass -- policy: restrict-binding-system-groups - 
rule: restrict-masters - kind: RoleBinding - resources: - - goodrb01 - - goodrb02 - - goodrb03 - result: pass diff --git a/other/restrict-binding-system-groups/artifacthub-pkg.yml b/other/restrict-binding-system-groups/artifacthub-pkg.yml index 31213c762..1e7e5eacb 100644 --- a/other/restrict-binding-system-groups/artifacthub-pkg.yml +++ b/other/restrict-binding-system-groups/artifacthub-pkg.yml @@ -20,4 +20,4 @@ annotations: kyverno/category: "Security, EKS Best Practices" kyverno/kubernetesVersion: "1.23" kyverno/subject: "RoleBinding, ClusterRoleBinding, RBAC" -digest: 68386af8e018f4f0bd0fe986378651e3ea4c142b426b39c010e038df85fb7ef2 +digest: d0336a6276727ee78903d87ca14097913d5983b35566d3f47efbf72aa59f2f4d diff --git a/other/restrict-binding-system-groups/restrict-binding-system-groups.yaml b/other/restrict-binding-system-groups/restrict-binding-system-groups.yaml index c4de8e94f..6c81a334b 100644 --- a/other/restrict-binding-system-groups/restrict-binding-system-groups.yaml +++ b/other/restrict-binding-system-groups/restrict-binding-system-groups.yaml @@ -16,7 +16,7 @@ metadata: for other users. This policy prevents creating bindings to some of these groups including system:anonymous, system:unauthenticated, and system:masters. spec: - validationFailureAction: Audit + validationFailureAction: audit background: true rules: - name: restrict-anonymous diff --git a/other/restrict-clusterrole-csr/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other/restrict-clusterrole-csr/.chainsaw-test/chainsaw-step-01-assert-1.yaml deleted file mode 100644 index a65f0b176..000000000 --- a/other/restrict-clusterrole-csr/.chainsaw-test/chainsaw-step-01-assert-1.yaml +++ /dev/null @@ -1,10 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: restrict-clusterrole-csr -status: - conditions: - - reason: Succeeded - status: "True" - type: Ready - 
diff --git a/other/restrict-clusterrole-csr/.chainsaw-test/chainsaw-test.yaml b/other/restrict-clusterrole-csr/.chainsaw-test/chainsaw-test.yaml deleted file mode 100644 index 794763357..000000000 --- a/other/restrict-clusterrole-csr/.chainsaw-test/chainsaw-test.yaml +++ /dev/null @@ -1,29 +0,0 @@ -apiVersion: chainsaw.kyverno.io/v1alpha1 -kind: Test -metadata: - name: restrict-clusterrole-csr -spec: - steps: - - name: step-01 - try: - - apply: - file: ../restrict-clusterrole-csr.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: restrict-clusterrole-csr - spec: - validationFailureAction: Enforce - - assert: - file: chainsaw-step-01-assert-1.yaml - - name: step-02 - try: - - apply: - file: non-violating-clusterrole.yaml - - apply: - expect: - - check: - ($error != null): true - file: violating-clusterrole.yaml diff --git a/other/restrict-clusterrole-csr/.chainsaw-test/non-violating-clusterrole.yaml b/other/restrict-clusterrole-csr/.chainsaw-test/non-violating-clusterrole.yaml deleted file mode 100644 index 65d495b73..000000000 --- a/other/restrict-clusterrole-csr/.chainsaw-test/non-violating-clusterrole.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: non-violating-clusterrole -rules: -- apiGroups: [""] - resources: ["certificatesigningrequests/approval"] - verbs: ["get", "list"] -- apiGroups: [""] - resources: ["signers"] - verbs: ["get", "list"] diff --git a/other/restrict-clusterrole-csr/.chainsaw-test/violating-clusterrole.yaml b/other/restrict-clusterrole-csr/.chainsaw-test/violating-clusterrole.yaml deleted file mode 100644 index 21ab8b7e9..000000000 --- a/other/restrict-clusterrole-csr/.chainsaw-test/violating-clusterrole.yaml +++ /dev/null 
@@ -1,11 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: violating-clusterrole -rules: -- apiGroups: [""] - resources: ["certificatesigningrequests/approval"] - verbs: ["update", "approve"] -- apiGroups: [""] - resources: ["signers"] - verbs: ["approve"] diff --git a/other/restrict-clusterrole-csr/.kyverno-test/kyverno-test.yaml b/other/restrict-clusterrole-csr/.kyverno-test/kyverno-test.yaml deleted file mode 100644 index 80f06220e..000000000 --- a/other/restrict-clusterrole-csr/.kyverno-test/kyverno-test.yaml +++ /dev/null @@ -1,33 +0,0 @@ -apiVersion: cli.kyverno.io/v1alpha1 -kind: Test -metadata: - name: restrict-clusterrole-csr -policies: -- ../restrict-clusterrole-csr.yaml -resources: -- resource.yaml -results: -- kind: ClusterRole - policy: restrict-clusterrole-csr - resources: - - violating-clusterrole - result: fail - rule: certificatesigningrequests-update-prevention -- kind: ClusterRole - policy: restrict-clusterrole-csr - resources: - - violating-clusterrole - result: fail - rule: signers-approve-prevention -- kind: ClusterRole - policy: restrict-clusterrole-csr - resources: - - non-violating-clusterrole - result: pass - rule: certificatesigningrequests-update-prevention -- kind: ClusterRole - policy: restrict-clusterrole-csr - resources: - - non-violating-clusterrole - result: pass - rule: signers-approve-prevention diff --git a/other/restrict-clusterrole-csr/.kyverno-test/resource.yaml b/other/restrict-clusterrole-csr/.kyverno-test/resource.yaml deleted file mode 100644 index d7f755d18..000000000 --- a/other/restrict-clusterrole-csr/.kyverno-test/resource.yaml +++ /dev/null 
@@ -1,24 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: violating-clusterrole -rules: -- apiGroups: [""] - resources: ["certificatesigningrequests/approval"] - verbs: ["update", "approve"] -- apiGroups: [""] - resources: ["signers"] - verbs: ["approve"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: non-violating-clusterrole -rules: -- apiGroups: [""] - resources: ["certificatesigningrequests/approval"] - verbs: ["get", "list"] -- apiGroups: [""] - resources: ["signers"] - verbs: ["get", "list"] - diff --git a/other/restrict-clusterrole-csr/artifacthub-pkg.yaml b/other/restrict-clusterrole-csr/artifacthub-pkg.yaml deleted file mode 100644 index 1dfb22271..000000000 --- a/other/restrict-clusterrole-csr/artifacthub-pkg.yaml +++ /dev/null 
@@ -1,21 +0,0 @@ -name: restrict-clusterrole-csr -version: 1.0.0 -displayName: Restrict Clusterrole for Certificate Signing Requests (CSR's) -createdAt: "2024-07-17T20:30:05.000Z" -description: >- - ClusterRoles that grant permissions to approve CertificateSigningRequests should be minimized to reduce powerful identities in the cluster. Approving CertificateSigningRequests allows one to issue new credentials for any user or group. As such, ClusterRoles that grant permissions to approve CertificateSigningRequests are granting cluster admin privileges. Minimize such ClusterRoles to limit the number of powerful credentials that if compromised could take over the entire cluster. For more information, refer to https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-clusterroles-that-grant-permissions-to-approve-certificatesigningrequests-are-minimized. -install: |- - ```shell - kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/restrict-clusterrole-csr/restrict-clusterrole-csr.yaml - ``` -keywords: -- kyverno -- Other -readme: | - ClusterRoles that grant permissions to approve CertificateSigningRequests should be minimized to reduce powerful identities in the cluster. Approving CertificateSigningRequests allows one to issue new credentials for any user or group. As such, ClusterRoles that grant permissions to approve CertificateSigningRequests are granting cluster admin privileges. Minimize such ClusterRoles to limit the number of powerful credentials that if compromised could take over the entire cluster. For more information, refer to https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-clusterroles-that-grant-permissions-to-approve-certificatesigningrequests-are-minimized. 
- - Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ -annotations: - kyverno/category: "Other" - kyverno/subject: "ClusterRole" -digest: c36b162b694005bbdf84f61f70c86b7ddbaf2dd9d428023c132570df7fd18854 diff --git a/other/restrict-clusterrole-csr/restrict-clusterrole-csr.yaml b/other/restrict-clusterrole-csr/restrict-clusterrole-csr.yaml deleted file mode 100644 index d0686c63b..000000000 --- a/other/restrict-clusterrole-csr/restrict-clusterrole-csr.yaml +++ /dev/null 
@@ -1,55 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: restrict-clusterrole-csr - annotations: - policies.kyverno.io/title: Restrict Cluster Role CSR - policies.kyverno.io/category: Other - policies.kyverno.io/severity: medium - policies.kyverno.io/subject: ClusterRole - kyverno.io/kyverno-version: 1.11.5 - kyverno.io/kubernetes-version: "1.27" - policies.kyverno.io/description: >- - ClusterRoles that grant permissions to approve CertificateSigningRequests should be minimized to reduce powerful identities in the cluster. Approving CertificateSigningRequests allows one to issue new credentials for any user or group. As such, ClusterRoles that grant permissions to approve CertificateSigningRequests are granting cluster admin privileges. Minimize such ClusterRoles to limit the number of powerful credentials that if compromised could take over the entire cluster. For more information, refer to https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-clusterroles-that-grant-permissions-to-approve-certificatesigningrequests-are-minimized. -spec: - validationFailureAction: Audit - background: true - rules: - - name: certificatesigningrequests-update-prevention - match: - any: - - resources: - kinds: - - ClusterRole - validate: - message: "Use of verbs `update` and `patch` are forbidden for certificatesigningrequests/approval." - foreach: - - list: "request.object.rules[?resources.contains(@,'certificatesigningrequests/approval')]" - deny: - conditions: - any: - - key: ["update", "patch"] - operator: AnyIn - value: "{{ element.verbs[] }}" - - key: "{{ contains(element.verbs[], '*') }}" - operator: Equals - value: true - - name: signers-approve-prevention - match: - any: - - resources: - kinds: - - ClusterRole - validate: - message: "Use of verbs `approve` are forbidden for signers." 
- foreach: - - list: "request.object.rules[?resources.contains(@,'signers')]" - deny: - conditions: - any: - - key: ["approve"] - operator: AnyIn - value: "{{ element.verbs[] }}" - - key: "{{ contains(element.verbs[], '*') }}" - operator: Equals - value: true diff --git a/other/restrict-clusterrole-mutating-validating-admission-webhooks/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other/restrict-clusterrole-mutating-validating-admission-webhooks/.chainsaw-test/chainsaw-step-01-assert-1.yaml deleted file mode 100644 index a156276bd..000000000 --- a/other/restrict-clusterrole-mutating-validating-admission-webhooks/.chainsaw-test/chainsaw-step-01-assert-1.yaml +++ /dev/null @@ -1,10 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: restrict-clusterrole-mutating-validating-admission-webhooks -status: - conditions: - - reason: Succeeded - status: "True" - type: Ready - diff --git a/other/restrict-clusterrole-mutating-validating-admission-webhooks/.chainsaw-test/chainsaw-test.yaml b/other/restrict-clusterrole-mutating-validating-admission-webhooks/.chainsaw-test/chainsaw-test.yaml deleted file mode 100644 index c834989ea..000000000 --- a/other/restrict-clusterrole-mutating-validating-admission-webhooks/.chainsaw-test/chainsaw-test.yaml +++ /dev/null 
@@ -1,31 +0,0 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json -apiVersion: chainsaw.kyverno.io/v1alpha1 -kind: Test -metadata: - creationTimestamp: null - name: restrict-clusterrole-mutating-validating-admission-webhooks -spec: - steps: - - name: step-01 - try: - - apply: - file: ../restrict-clusterrole-mutating-validating-admission-webhooks.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: restrict-clusterrole-mutating-validating-admission-webhooks - spec: - validationFailureAction: Enforce - - assert: - file: chainsaw-step-01-assert-1.yaml - - name: step-02 - try: - - apply: - file: non-violating-clusterrole.yaml - - apply: - expect: - - check: - ($error != null): true - file: violating-clusterrole.yaml diff --git a/other/restrict-clusterrole-mutating-validating-admission-webhooks/.chainsaw-test/non-violating-clusterrole.yaml b/other/restrict-clusterrole-mutating-validating-admission-webhooks/.chainsaw-test/non-violating-clusterrole.yaml deleted file mode 100644 index 442ff536e..000000000 --- a/other/restrict-clusterrole-mutating-validating-admission-webhooks/.chainsaw-test/non-violating-clusterrole.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: non-violating-clusterrole -rules: -- apiGroups: [""] - resources: ["pods"] - verbs: ["get", "list", "watch"] -- apiGroups: ["admissionregistration.k8s.io"] - resources: ["mutatingwebhookconfigurations", "validatingwebhookconfigurations"] - verbs: ["get", "list", "watch"] diff --git a/other/restrict-clusterrole-mutating-validating-admission-webhooks/.chainsaw-test/violating-clusterrole.yaml b/other/restrict-clusterrole-mutating-validating-admission-webhooks/.chainsaw-test/violating-clusterrole.yaml deleted file mode 100644 index 42991b97a..000000000 
--- a/other/restrict-clusterrole-mutating-validating-admission-webhooks/.chainsaw-test/violating-clusterrole.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: violating-clusterrole -rules: -- apiGroups: [""] - resources: ["pods"] - verbs: ["get", "list", "watch"] -- apiGroups: ["admissionregistration.k8s.io"] - resources: ["mutatingwebhookconfigurations", "validatingwebhookconfigurations"] - verbs: ["create", "update", "patch"] diff --git a/other/restrict-clusterrole-mutating-validating-admission-webhooks/.kyverno-test/kyverno-test.yaml b/other/restrict-clusterrole-mutating-validating-admission-webhooks/.kyverno-test/kyverno-test.yaml deleted file mode 100644 index 9049cfb16..000000000 --- a/other/restrict-clusterrole-mutating-validating-admission-webhooks/.kyverno-test/kyverno-test.yaml +++ /dev/null @@ -1,21 +0,0 @@ -apiVersion: cli.kyverno.io/v1alpha1 -kind: Test -metadata: - name: restrict-clusterrole-mutating-validating-admission-webhooks -policies: -- ../restrict-clusterrole-mutating-validating-admission-webhooks.yaml -resources: -- resource.yaml -results: -- kind: ClusterRole - policy: restrict-clusterrole-mutating-validating-admission-webhooks - resources: - - non-violating-clusterrole - result: pass - rule: restrict-clusterrole -- kind: ClusterRole - policy: restrict-clusterrole-mutating-validating-admission-webhooks - resources: - - violating-clusterrole - result: fail - rule: restrict-clusterrole diff --git a/other/restrict-clusterrole-mutating-validating-admission-webhooks/.kyverno-test/resource.yaml b/other/restrict-clusterrole-mutating-validating-admission-webhooks/.kyverno-test/resource.yaml deleted file mode 100644 index 07fc9bfd9..000000000 --- a/other/restrict-clusterrole-mutating-validating-admission-webhooks/.kyverno-test/resource.yaml +++ /dev/null 
@@ -1,25 +0,0 @@ ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: non-violating-clusterrole -rules: -- apiGroups: [""] - resources: ["pods"] - verbs: ["get", "list", "watch"] -- apiGroups: ["admissionregistration.k8s.io"] - resources: ["mutatingwebhookconfigurations", "validatingwebhookconfigurations"] - verbs: ["get", "list", "watch"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: violating-clusterrole -rules: -- apiGroups: [""] - resources: ["pods"] - verbs: ["get", "list", "watch"] -- apiGroups: ["admissionregistration.k8s.io"] - resources: ["mutatingwebhookconfigurations", "validatingwebhookconfigurations"] - verbs: ["create", "update", "patch"] - diff --git a/other/restrict-clusterrole-mutating-validating-admission-webhooks/artifacthub-pkg.yml b/other/restrict-clusterrole-mutating-validating-admission-webhooks/artifacthub-pkg.yml deleted file mode 100644 index 0f21b043c..000000000 --- a/other/restrict-clusterrole-mutating-validating-admission-webhooks/artifacthub-pkg.yml +++ /dev/null 
@@ -1,21 +0,0 @@ -name: restrict-clusterrole-mutating-validating-admission-webhooks -version: 1.0.0 -displayName: Restrict Clusterrole for Mutating and Validating Admission Webhooks -createdAt: "2024-05-19T20:30:05.000Z" -description: >- - ClusterRoles that grant write permissions over admission webhook should be minimized to reduce powerful identities in the cluster. This policy checks to ensure write permissions are not provided to admission webhooks. -install: |- - ```shell - kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/restrict-clusterrole-mutating-validating-admission-webhooks/restrict-clusterrole-mutating-validating-admission-webhooks.yaml - ``` -keywords: -- kyverno -- Other -readme: | - ClusterRoles that grant write permissions over admission webhook should be minimized to reduce powerful identities in the cluster. This policy checks to ensure write permissions are not provided to admission webhooks. - - Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ -annotations: - kyverno/category: "Other" - kyverno/subject: "ClusterRole" -digest: 3ebafd2ea6b0db34271461525d00cb97805c3ba8a97e928db056bb6e65dbf01b diff --git a/other/restrict-clusterrole-mutating-validating-admission-webhooks/restrict-clusterrole-mutating-validating-admission-webhooks.yaml b/other/restrict-clusterrole-mutating-validating-admission-webhooks/restrict-clusterrole-mutating-validating-admission-webhooks.yaml deleted file mode 100644 index f30b96e79..000000000 --- a/other/restrict-clusterrole-mutating-validating-admission-webhooks/restrict-clusterrole-mutating-validating-admission-webhooks.yaml +++ /dev/null 
@@ -1,50 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: restrict-clusterrole-mutating-validating-admission-webhooks - annotations: - policies.kyverno.io/title: Restrict Clusterrole for Mutating and Validating Admission Webhooks - policies.kyverno.io/category: Other - policies.kyverno.io/severity: medium - kyverno.io/kyverno-version: 1.10.7 - kyverno.io/kubernetes-version: "1.27" - policies.kyverno.io/subject: ClusterRole - policies.kyverno.io/description: >- - ClusterRoles that grant write permissions over admission webhook should be minimized to reduce powerful identities in the cluster. This policy checks to ensure write permissions are not provided to admission webhooks. -spec: - validationFailureAction: Audit - background: true - rules: - - name: restrict-clusterrole - match: - any: - - resources: - kinds: - - ClusterRole - validate: - message: "Use of verbs `create`, `update`, and `patch` are forbidden for mutating and validating admission webhooks" - foreach: - - list: "request.object.rules[]" - deny: - conditions: - all: - - key: "{{ element.apiGroups || '' }}" - operator: AnyIn - value: - - admissionregistration.k8s.io - - key: "{{ element.resources || '' }}" - operator: AnyIn - value: - - mutatingwebhookconfigurations - - validatingwebhookconfigurations - any: - - key: "{{ element.verbs }}" - operator: AnyIn - value: - - create - - update - - patch - - key: "{{ contains(element.verbs[], '*') }}" - operator: Equals - value: true - diff --git a/other/restrict-clusterrole-nodesproxy/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other/restrict-clusterrole-nodesproxy/.chainsaw-test/chainsaw-step-01-assert-1.yaml index fc7cb1b91..fc59b9caa 100755 --- a/other/restrict-clusterrole-nodesproxy/.chainsaw-test/chainsaw-step-01-assert-1.yaml +++ b/other/restrict-clusterrole-nodesproxy/.chainsaw-test/chainsaw-step-01-assert-1.yaml 
@@ -3,8 +3,4 @@ kind: ClusterPolicy
 metadata:
 name: restrict-clusterrole-nodesproxy
 status:
- conditions:
- - reason: Succeeded
- status: "True"
- type: Ready
-
+ ready: true
diff --git a/other/restrict-clusterrole-nodesproxy/.chainsaw-test/chainsaw-test.yaml b/other/restrict-clusterrole-nodesproxy/.chainsaw-test/chainsaw-test.yaml
index f82669e96..410de124c 100755
--- a/other/restrict-clusterrole-nodesproxy/.chainsaw-test/chainsaw-test.yaml
+++ b/other/restrict-clusterrole-nodesproxy/.chainsaw-test/chainsaw-test.yaml
@@ -1,4 +1,3 @@
-# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
 apiVersion: chainsaw.kyverno.io/v1alpha1
 kind: Test
 metadata:
@@ -8,16 +7,9 @@ spec:
 steps:
 - name: step-01
 try:
- - apply:
- file: ../restrict-clusterrole-nodesproxy.yaml
- - patch:
- resource:
- apiVersion: kyverno.io/v1
- kind: ClusterPolicy
- metadata:
- name: restrict-clusterrole-nodesproxy
- spec:
- validationFailureAction: Enforce
+ - script:
+ content: |
+ sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../restrict-clusterrole-nodesproxy.yaml | kubectl create -f -
 - assert:
 file: chainsaw-step-01-assert-1.yaml
 - name: step-02
@@ -29,3 +21,10 @@ spec:
 - check:
 ($error != null): true
 file: cr-bad.yaml
+ - name: step-99
+ try:
+ - delete:
+ ref:
+ apiVersion: kyverno.io/v1
+ kind: ClusterPolicy
+ name: restrict-clusterrole-nodesproxy
diff --git a/other/restrict-clusterrole-nodesproxy/.kyverno-test/kyverno-test.yaml b/other/restrict-clusterrole-nodesproxy/.kyverno-test/kyverno-test.yaml
deleted file mode 100644
index 9a119fe0d..000000000
--- a/other/restrict-clusterrole-nodesproxy/.kyverno-test/kyverno-test.yaml
+++ /dev/null
@@ -1,25 +0,0 @@ -apiVersion: cli.kyverno.io/v1alpha1 -kind: Test -metadata: - name: restrict-clusterrole-nodesproxy -policies: -- ../restrict-clusterrole-nodesproxy.yaml -resources: -- ../.chainsaw-test/cr-bad.yaml -- ../.chainsaw-test/cr-good.yaml -results: -- policy: restrict-clusterrole-nodesproxy - rule: clusterrole-nodesproxy - kind: ClusterRole - resources: - - badcr01 - - badcr02 - result: fail -- policy: restrict-clusterrole-nodesproxy - rule: clusterrole-nodesproxy - kind: ClusterRole - resources: - - goodcr01 - - goodcr02 - result: pass - diff --git a/other/restrict-clusterrole-nodesproxy/artifacthub-pkg.yml b/other/restrict-clusterrole-nodesproxy/artifacthub-pkg.yml index aae076899..7e37af013 100644 --- a/other/restrict-clusterrole-nodesproxy/artifacthub-pkg.yml +++ b/other/restrict-clusterrole-nodesproxy/artifacthub-pkg.yml @@ -17,6 +17,6 @@ readme: | Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ annotations: kyverno/category: "Sample" - kyverno/kubernetesVersion: "1.27" + kyverno/kubernetesVersion: "1.23" kyverno/subject: "ClusterRole, RBAC" -digest: 18ba0b2ea2556ca0042bcb0c2f32061d95e81792e07ae86e81dd39bd810a920e +digest: e1c5ea5cb9a1834459d8c5de5b52ea487e3a4b716c110f3a64f00d9c72a65c68 diff --git a/other/restrict-clusterrole-nodesproxy/restrict-clusterrole-nodesproxy.yaml b/other/restrict-clusterrole-nodesproxy/restrict-clusterrole-nodesproxy.yaml index 2a2e5dd85..b56ee1160 100644 --- a/other/restrict-clusterrole-nodesproxy/restrict-clusterrole-nodesproxy.yaml +++ b/other/restrict-clusterrole-nodesproxy/restrict-clusterrole-nodesproxy.yaml 
@@ -7,9 +7,9 @@ metadata: policies.kyverno.io/category: Sample policies.kyverno.io/severity: medium policies.kyverno.io/subject: ClusterRole, RBAC - kyverno.io/kyverno-version: 1.11.4 + kyverno.io/kyverno-version: 1.7.0 policies.kyverno.io/minversion: 1.6.0 - kyverno.io/kubernetes-version: "1.27" + kyverno.io/kubernetes-version: "1.23" policies.kyverno.io/description: >- A ClusterRole with nodes/proxy resource access allows a user to perform anything the kubelet API allows. It also allows users to bypass @@ -18,7 +18,7 @@ metadata: for more info. This policy prevents the creation of a ClusterRole if it contains the nodes/proxy resource. spec: - validationFailureAction: Audit + validationFailureAction: audit background: true rules: - name: clusterrole-nodesproxy @@ -31,10 +31,7 @@ spec: message: "A ClusterRole containing the nodes/proxy resource is not allowed." deny: conditions: - all: + any: - key: nodes/proxy operator: AnyIn - value: "{{ request.object.rules[].resources[] }}" - - key: "" - operator: AnyIn - value: "{{ request.object.rules[].apiGroups[] }}" \ No newline at end of file + value: "{{ request.object.rules[].resources[] }}" \ No newline at end of file diff --git a/other/restrict-controlplane-scheduling/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other/restrict-controlplane-scheduling/.chainsaw-test/chainsaw-step-01-assert-1.yaml index 01387a8b1..422e25cb6 100755 --- a/other/restrict-controlplane-scheduling/.chainsaw-test/chainsaw-step-01-assert-1.yaml +++ b/other/restrict-controlplane-scheduling/.chainsaw-test/chainsaw-step-01-assert-1.yaml @@ -3,8 +3,4 @@ kind: ClusterPolicy metadata: name: restrict-controlplane-scheduling status: - conditions: - - reason: Succeeded - status: "True" - type: Ready - + ready: true diff --git a/other/restrict-controlplane-scheduling/.chainsaw-test/chainsaw-test.yaml b/other/restrict-controlplane-scheduling/.chainsaw-test/chainsaw-test.yaml index 89ead27ee..970ae148c 100755 
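Review bot: With the apiGroups condition dropped, the `any:` list under `deny.conditions` holds a single entry and so behaves exactly like `all:`, and the rule still only catches the literal string `nodes/proxy`: a ClusterRole granting `resources: ["*"]` appears to confer the same kubelet-proxy access without triggering this policy, which deserves either a second condition or a sentence in the description saying wildcards are out of scope. A second entry under the same `any:` would close the obvious case, `- key: "*"` / `operator: AnyIn` / `value: "{{ request.object.rules[].resources[] }}"`. The kyverno-version and kubernetes-version annotations are also moved backwards in the same hunk while the rule body changes; if this is intended as a revert the commit description should say so.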
--- a/other/restrict-controlplane-scheduling/.chainsaw-test/chainsaw-test.yaml
+++ b/other/restrict-controlplane-scheduling/.chainsaw-test/chainsaw-test.yaml
@@ -1,4 +1,3 @@
-# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
 apiVersion: chainsaw.kyverno.io/v1alpha1
 kind: Test
 metadata:
@@ -8,16 +7,9 @@ spec:
 steps:
 - name: step-01
 try:
- - apply:
- file: ../restrict-controlplane-scheduling.yaml
- - patch:
- resource:
- apiVersion: kyverno.io/v1
- kind: ClusterPolicy
- metadata:
- name: restrict-controlplane-scheduling
- spec:
- validationFailureAction: Enforce
+ - script:
+ content: |
+ sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../restrict-controlplane-scheduling.yaml | kubectl create -f -
 - assert:
 file: chainsaw-step-01-assert-1.yaml
 - name: step-02
@@ -36,3 +28,10 @@ spec:
 - check:
 ($error != null): true
 file: podcontroller-bad.yaml
+ - name: step-99
+ try:
+ - delete:
+ ref:
+ apiVersion: kyverno.io/v1
+ kind: ClusterPolicy
+ name: restrict-controlplane-scheduling
diff --git a/other/restrict-controlplane-scheduling/.chainsaw-test/pod-bad.yaml b/other/restrict-controlplane-scheduling/.chainsaw-test/pod-bad.yaml
index fe996274c..40f952470 100644
--- a/other/restrict-controlplane-scheduling/.chainsaw-test/pod-bad.yaml
+++ b/other/restrict-controlplane-scheduling/.chainsaw-test/pod-bad.yaml
@@ -14,7 +14,7 @@ spec:
 effect: "NoSchedule"
 containers:
 - name: busybox
- image: ghcr.io/kyverno/test-busybox:1.35
+ image: busybox:1.35
 ---
 apiVersion: v1
 kind: Pod
@@ -33,4 +33,4 @@ spec:
 effect: "NoExecute"
 containers:
 - name: busybox
- image: ghcr.io/kyverno/test-busybox:1.35
\ No newline at end of file
+ image: busybox:1.35
\ No newline at end of file
diff --git a/other/restrict-controlplane-scheduling/.chainsaw-test/pod-good.yaml b/other/restrict-controlplane-scheduling/.chainsaw-test/pod-good.yaml
index 977e70b40..7b29cfe71 100644
--- a/other/restrict-controlplane-scheduling/.chainsaw-test/pod-good.yaml
+++ b/other/restrict-controlplane-scheduling/.chainsaw-test/pod-good.yaml
@@ -11,7 +11,7 @@ spec:
 effect: "NoSchedule"
 containers:
 - name: busybox
- image: ghcr.io/kyverno/test-busybox:1.35
+ image: busybox:1.35
 ---
 apiVersion: v1
 kind: Pod
@@ -30,4 +30,4 @@ spec:
 effect: "NoExecute"
 containers:
 - name: busybox
- image: ghcr.io/kyverno/test-busybox:1.35
\ No newline at end of file
+ image: busybox:1.35
\ No newline at end of file
diff --git a/other/restrict-controlplane-scheduling/.chainsaw-test/podcontroller-bad.yaml b/other/restrict-controlplane-scheduling/.chainsaw-test/podcontroller-bad.yaml
index e574038a2..1409e1aa5 100644
--- a/other/restrict-controlplane-scheduling/.chainsaw-test/podcontroller-bad.yaml
+++ b/other/restrict-controlplane-scheduling/.chainsaw-test/podcontroller-bad.yaml
@@ -21,7 +21,7 @@ spec:
 effect: "NoSchedule"
 containers:
 - name: busybox
- image: ghcr.io/kyverno/test-busybox:1.35
+ image: busybox:1.35
 ---
 apiVersion: batch/v1
 kind: CronJob
@@ -43,4 +43,4 @@ spec:
 restartPolicy: OnFailure
 containers:
 - name: busybox
- image: ghcr.io/kyverno/test-busybox:1.35
\ No newline at end of file
+ image: busybox:1.35
\ No newline at end of file
diff --git a/other/restrict-controlplane-scheduling/.chainsaw-test/podcontroller-good.yaml b/other/restrict-controlplane-scheduling/.chainsaw-test/podcontroller-good.yaml
index 070b38777..e0baf251c 100644
--- a/other/restrict-controlplane-scheduling/.chainsaw-test/podcontroller-good.yaml
+++ b/other/restrict-controlplane-scheduling/.chainsaw-test/podcontroller-good.yaml
@@ -22,7 +22,7 @@ spec:
 effect: "NoExecute"
 containers:
 - name: busybox
- image: ghcr.io/kyverno/test-busybox:1.35
+ image: busybox:1.35
 ---
 apiVersion: batch/v1
 kind: CronJob
@@ -45,4 +45,4 @@ spec:
 restartPolicy: OnFailure
 containers:
 - name: busybox
- image: ghcr.io/kyverno/test-busybox:1.35
\ No newline at end of file
+ image: busybox:1.35
\ No newline at end of file
diff --git a/other/restrict-controlplane-scheduling/artifacthub-pkg.yml b/other/restrict-controlplane-scheduling/artifacthub-pkg.yml index 9dc6dfb4e..187e8817b 100644 --- a/other/restrict-controlplane-scheduling/artifacthub-pkg.yml +++ b/other/restrict-controlplane-scheduling/artifacthub-pkg.yml @@ -18,4 +18,4 @@ readme: | annotations: kyverno/category: "Sample" kyverno/subject: "Pod" -digest: b3561eaa50e32c43a6609d87e43d4a04e44184461a4b6868783cfa8d08191893 +digest: 85670ece069aa1b3296a294a7137ca87d1cc0636f9f78611c79a2b84d8c4aaeb diff --git a/other/restrict-controlplane-scheduling/restrict-controlplane-scheduling.yaml b/other/restrict-controlplane-scheduling/restrict-controlplane-scheduling.yaml index 438d48709..210710e9b 100644 --- a/other/restrict-controlplane-scheduling/restrict-controlplane-scheduling.yaml +++ b/other/restrict-controlplane-scheduling/restrict-controlplane-scheduling.yaml @@ -14,7 +14,7 @@ metadata: in a Pod spec which allows running on control plane nodes with the taint key `node-role.kubernetes.io/master`. spec: - validationFailureAction: Audit + validationFailureAction: audit background: true rules: - name: restrict-controlplane-scheduling-master diff --git a/other/restrict-deprecated-registry/.chainsaw-test/chainsaw-test.yaml b/other/restrict-deprecated-registry/.chainsaw-test/chainsaw-test.yaml index 139e59735..f7738d63b 100755 --- a/other/restrict-deprecated-registry/.chainsaw-test/chainsaw-test.yaml +++ b/other/restrict-deprecated-registry/.chainsaw-test/chainsaw-test.yaml @@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: diff --git a/other/restrict-deprecated-registry/.chainsaw-test/pod-bad.yaml b/other/restrict-deprecated-registry/.chainsaw-test/pod-bad.yaml index 1a09f7d33..7b53955c7 100644 --- a/other/restrict-deprecated-registry/.chainsaw-test/pod-bad.yaml 
+++ b/other/restrict-deprecated-registry/.chainsaw-test/pod-bad.yaml @@ -19,7 +19,7 @@ spec: image: foo.gcr.io/busybox:1.35 containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: busybox02 image: docker.io/busybox:1.35 --- @@ -30,7 +30,7 @@ metadata: spec: initContainers: - name: busybox-init - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: busybox-init-again image: foo.gcr.io/busybox:1.35 containers: @@ -48,7 +48,7 @@ spec: - name: busybox-init image: docker.io/busybox:1.35 - name: busybox-init-again - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 containers: - name: busybox image: registry.k8s.io/busybox:1.35 diff --git a/other/restrict-deprecated-registry/.chainsaw-test/pod-good.yaml b/other/restrict-deprecated-registry/.chainsaw-test/pod-good.yaml index 228080b72..947410f82 100644 --- a/other/restrict-deprecated-registry/.chainsaw-test/pod-good.yaml +++ b/other/restrict-deprecated-registry/.chainsaw-test/pod-good.yaml @@ -6,7 +6,7 @@ metadata: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod @@ -21,6 +21,6 @@ spec: image: registry.k8s.io/busybox:1.35 containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: busybox02 image: docker.io/busybox:1.35 \ No newline at end of file diff --git a/other/restrict-deprecated-registry/.chainsaw-test/podcontroller-bad.yaml b/other/restrict-deprecated-registry/.chainsaw-test/podcontroller-bad.yaml index 7eb4f05fa..0df6e26f9 100644 --- a/other/restrict-deprecated-registry/.chainsaw-test/podcontroller-bad.yaml +++ b/other/restrict-deprecated-registry/.chainsaw-test/podcontroller-bad.yaml @@ -43,6 +43,6 @@ spec: image: registry.k8s.io/busybox:1.35 containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: busybox02 image: docker.io/busybox:1.35 \ No newline at end of file 
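Review bot: `busybox:1.35` in the pod-good fixture carries no registry component, so the registry the image is pulled from is decided by the node's container runtime rather than stated in the manifest, and what the restrict-deprecated-registry rule actually compares against depends on whether Kyverno normalizes the reference to `docker.io/library/...` first (not confirmable from this hunk). For a fixture whose purpose is to prove a registry pattern is not matched, an explicit reference such as `image: docker.io/library/busybox:1.35` keeps the good/bad distinction independent of runtime defaults. The same applies to the other busybox references changed in this file.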
diff --git a/other/restrict-deprecated-registry/.chainsaw-test/podcontroller-good.yaml b/other/restrict-deprecated-registry/.chainsaw-test/podcontroller-good.yaml index 9a5842267..c837017b9 100644 --- a/other/restrict-deprecated-registry/.chainsaw-test/podcontroller-good.yaml +++ b/other/restrict-deprecated-registry/.chainsaw-test/podcontroller-good.yaml @@ -20,7 +20,7 @@ spec: image: registry.k8s.io/busybox:1.35 containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: busybox02 image: docker.io/busybox:1.35 --- @@ -43,6 +43,6 @@ spec: image: registry.k8s.io/busybox:1.35 containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: busybox02 image: docker.io/busybox:1.35 \ No newline at end of file diff --git a/other/restrict-deprecated-registry/.chainsaw-test/policy-ready.yaml b/other/restrict-deprecated-registry/.chainsaw-test/policy-ready.yaml index 5293df1eb..9481b23f2 100644 --- a/other/restrict-deprecated-registry/.chainsaw-test/policy-ready.yaml +++ b/other/restrict-deprecated-registry/.chainsaw-test/policy-ready.yaml @@ -3,7 +3,4 @@ kind: ClusterPolicy metadata: name: restrict-deprecated-registry status: - conditions: - - reason: Succeeded - status: "True" - type: Ready + ready: true \ No newline at end of file diff --git a/other/restrict-edit-for-endpoints/artifacthub-pkg.yml b/other/restrict-edit-for-endpoints/artifacthub-pkg.yml index 653f40cad..f8d8ad381 100644 --- a/other/restrict-edit-for-endpoints/artifacthub-pkg.yml +++ b/other/restrict-edit-for-endpoints/artifacthub-pkg.yml @@ -19,4 +19,4 @@ annotations: kyverno/category: "Security" kyverno/kubernetesVersion: "1.24" kyverno/subject: "ClusterRole" -digest: 577d69ec993881fbd86f972fa53db4b0e6c2e67e63d844468305a840f6aaf3c2 +digest: dbcccf542d23629de3cd4b51ebf14220caa3150a30371c8fba2b7f18bc64b83e 
diff --git a/other/restrict-edit-for-endpoints/restrict-edit-for-endpoints.yaml b/other/restrict-edit-for-endpoints/restrict-edit-for-endpoints.yaml index 20c171212..16ccbacb1 100644 --- a/other/restrict-edit-for-endpoints/restrict-edit-for-endpoints.yaml +++ b/other/restrict-edit-for-endpoints/restrict-edit-for-endpoints.yaml @@ -18,7 +18,7 @@ metadata: to CVE-2021-25740 by ensuring the system:aggregate-to-edit ClusterRole does not have the edit permission of Endpoints. spec: - validationFailureAction: Audit + validationFailureAction: audit background: true rules: - name: system-aggregate-to-edit-check diff --git a/other/restrict-escalation-verbs-roles/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other/restrict-escalation-verbs-roles/.chainsaw-test/chainsaw-step-01-assert-1.yaml index 0d89a1527..a79fd3397 100755 --- a/other/restrict-escalation-verbs-roles/.chainsaw-test/chainsaw-step-01-assert-1.yaml +++ b/other/restrict-escalation-verbs-roles/.chainsaw-test/chainsaw-step-01-assert-1.yaml @@ -3,8 +3,4 @@ kind: ClusterPolicy metadata: name: restrict-escalation-verbs-roles status: - conditions: - - reason: Succeeded - status: "True" - type: Ready - + ready: true diff --git a/other/restrict-escalation-verbs-roles/.chainsaw-test/chainsaw-test.yaml b/other/restrict-escalation-verbs-roles/.chainsaw-test/chainsaw-test.yaml index 040cb3e8d..fab59eb1e 100755 --- a/other/restrict-escalation-verbs-roles/.chainsaw-test/chainsaw-test.yaml +++ b/other/restrict-escalation-verbs-roles/.chainsaw-test/chainsaw-test.yaml @@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: 
@@ -8,16 +7,9 @@ spec: steps: - name: step-01 try: - - apply: - file: ../restrict-escalation-verbs-roles.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: restrict-escalation-verbs-roles - spec: - validationFailureAction: Enforce + - script: + content: | + sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../restrict-escalation-verbs-roles.yaml | kubectl create -f - - assert: file: chainsaw-step-01-assert-1.yaml - name: step-02 @@ -36,3 +28,10 @@ spec: - check: ($error != null): true file: role-bad.yaml + - name: step-99 + try: + - delete: + ref: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: restrict-escalation-verbs-roles diff --git a/other/restrict-escalation-verbs-roles/.chainsaw-test/cr-bad.yaml b/other/restrict-escalation-verbs-roles/.chainsaw-test/cr-bad.yaml index 5832aee34..be57eb271 100644 --- a/other/restrict-escalation-verbs-roles/.chainsaw-test/cr-bad.yaml +++ b/other/restrict-escalation-verbs-roles/.chainsaw-test/cr-bad.yaml @@ -41,14 +41,4 @@ rules: verbs: ["get", "watch", "list"] - apiGroups: ["batches", "rbac.authorization.k8s.io"] resources: ["clusterroles"] - verbs: ["get", "watch", "list"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: badcr04 -rules: -- apiGroups: ["*"] - resources: ["*"] - verbs: ["*"] - + verbs: ["get", "watch", "list"] \ No newline at end of file diff --git a/other/restrict-escalation-verbs-roles/artifacthub-pkg.yml b/other/restrict-escalation-verbs-roles/artifacthub-pkg.yml index 2df0119be..9c3ce8480 100644 --- a/other/restrict-escalation-verbs-roles/artifacthub-pkg.yml +++ b/other/restrict-escalation-verbs-roles/artifacthub-pkg.yml 
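Review bot: The step-01 assert still only checks readiness, so nothing verifies that the `sed` substitution actually flipped the policy to Enforce; if the literal `validationFailureAction: audit` ever stops matching (a capitalized `Audit`, a reflowed line), the policy is created in audit mode and the failure only surfaces later in step-02 as an unexplained admission of role-bad.yaml. Adding `spec:` / `  validationFailureAction: Enforce` to chainsaw-step-01-assert-1.yaml pins the setup where it happens. The script also runs without `set -o pipefail`, so a sed failure would be reported as a kubectl error about empty input rather than about the substitution.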
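Review bot: Dropping `badcr04` removes the only fixture with `verbs: ["*"]`, and a wildcard verb is exactly how a Role obtains `escalate`, `bind` or `impersonate` without naming them. If the rule in ../restrict-escalation-verbs-roles.yaml (outside this hunk) matches only the literal verb names, that is a bypass this test would no longer detect; if the policy does cover `*`, the deletion silently drops coverage for it. Keep the ClusterRole in cr-bad.yaml, or if `*` is deliberately out of scope, move it to a good fixture with a comment stating so.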
@@ -19,4 +19,4 @@ annotations: kyverno/category: "Security" kyverno/kubernetesVersion: "1.23" kyverno/subject: "Role, ClusterRole, RBAC" -digest: bdcf97fcc1ed01e6c49548591ed6b9035da04d20ec8decf4735fdca01f47b04a +digest: b4e370bcf146a9d1052f80bd63f03f87147216ffd601cfeaf17106db883a9095 diff --git a/other/restrict-escalation-verbs-roles/restrict-escalation-verbs-roles.yaml b/other/restrict-escalation-verbs-roles/restrict-escalation-verbs-roles.yaml index cf8c12364..61870d1e7 100644 --- a/other/restrict-escalation-verbs-roles/restrict-escalation-verbs-roles.yaml +++ b/other/restrict-escalation-verbs-roles/restrict-escalation-verbs-roles.yaml @@ -15,7 +15,7 @@ metadata: privilege escalation and should be tightly controlled. This policy prevents use of these verbs in Role or ClusterRole resources. spec: - validationFailureAction: Audit + validationFailureAction: audit background: true rules: - name: escalate diff --git a/other/restrict-ingress-classes/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other/restrict-ingress-classes/.chainsaw-test/chainsaw-step-01-assert-1.yaml index 6a1a8d9b8..b15ee6b98 100755 --- a/other/restrict-ingress-classes/.chainsaw-test/chainsaw-step-01-assert-1.yaml +++ b/other/restrict-ingress-classes/.chainsaw-test/chainsaw-step-01-assert-1.yaml @@ -3,8 +3,4 @@ kind: ClusterPolicy metadata: name: restrict-ingress-classes status: - conditions: - - reason: Succeeded - status: "True" - type: Ready - + ready: true diff --git a/other/restrict-ingress-classes/.chainsaw-test/chainsaw-test.yaml b/other/restrict-ingress-classes/.chainsaw-test/chainsaw-test.yaml index d46b50e30..131ff04ff 100755 --- a/other/restrict-ingress-classes/.chainsaw-test/chainsaw-test.yaml +++ b/other/restrict-ingress-classes/.chainsaw-test/chainsaw-test.yaml @@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: 
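Review bot: `validationFailureAction: audit` is the lowercase spelling, which in the Kyverno ClusterPolicy CRD versions I know is accepted only as a deprecated alias; the canonical values are `Audit` and `Enforce`. The chainsaw test for this policy now rewrites the file with `sed 's/validationFailureAction: audit/.../'`, so the test is coupled to this exact byte sequence and a later normalization back to `Audit` would leave the policy in audit mode during the test. If the lowercase form is intentional, a comment above the field such as `# keep lowercase: .chainsaw-test substitutes this literal` would protect it; otherwise use `Audit` and match that in the sed pattern.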
@@ -8,16 +7,9 @@ spec: steps: - name: step-01 try: - - apply: - file: ../restrict-ingress-classes.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: restrict-ingress-classes - spec: - validationFailureAction: Enforce + - script: + content: | + sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../restrict-ingress-classes.yaml | kubectl create -f - - assert: file: chainsaw-step-01-assert-1.yaml - name: step-02 @@ -29,3 +21,10 @@ spec: - check: ($error != null): true file: ingress-bad.yaml + - name: step-99 + try: + - delete: + ref: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: restrict-ingress-classes diff --git a/other/restrict-ingress-classes/.chainsaw-test/ingress-bad.yaml b/other/restrict-ingress-classes/.chainsaw-test/ingress-bad.yaml index 2a1cfd92e..35c7dd6d1 100644 --- a/other/restrict-ingress-classes/.chainsaw-test/ingress-bad.yaml +++ b/other/restrict-ingress-classes/.chainsaw-test/ingress-bad.yaml @@ -7,7 +7,7 @@ metadata: spec: rules: - host: endpoint01 - http: + https: paths: - backend: service: @@ -27,7 +27,7 @@ metadata: spec: rules: - host: endpoint01 - http: + https: paths: - path: /testpath pathType: Prefix @@ -35,4 +35,4 @@ spec: service: name: test port: - number: 80 + number: 80 \ No newline at end of file diff --git a/other/restrict-ingress-classes/.chainsaw-test/ingress-good.yaml b/other/restrict-ingress-classes/.chainsaw-test/ingress-good.yaml index b12449d19..243a785be 100644 --- a/other/restrict-ingress-classes/.chainsaw-test/ingress-good.yaml +++ b/other/restrict-ingress-classes/.chainsaw-test/ingress-good.yaml @@ -8,7 +8,7 @@ metadata: spec: rules: - host: endpoint01 - http: + https: paths: - backend: service: @@ -28,7 +28,7 @@ metadata: spec: rules: - host: endpoint01 - http: + https: paths: - path: /testpath pathType: Prefix 
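Review bot: The policy is now created by a `script` step, which (unless Chainsaw tracks resources created from scripts, which I don't believe it does) puts it outside automatic cleanup, so its removal depends entirely on step-99 running; if step-02 fails, Chainsaw stops and an Enforce-mode ClusterPolicy `restrict-ingress-classes` is left in the shared cluster where it can fail unrelated tests. Moving the `delete` into a `finally:` list on step-01 instead of a trailing step makes teardown unconditional. The same pattern recurs in the other chainsaw-test.yaml files in this change.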
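Review bot: `https:` is not a field of `networking.k8s.io/v1` IngressRule — the rule value is `http:` and TLS lives under `spec.tls` — so with the API server's default field validation the key and the `paths`/`backend` block beneath it are dropped, and under strict validation the whole object is rejected. Either way these fixtures stop describing an Ingress with a backend, and in the strict case step-02's `($error != null)` would pass because of a schema error rather than the policy. Both rules should read `http:` as before; the same applies to ingress-good.yaml here and the other Ingress fixtures edited the same way in this change.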
diff --git a/other/restrict-ingress-classes/artifacthub-pkg.yml b/other/restrict-ingress-classes/artifacthub-pkg.yml index b57417fed..0e03a09f9 100644 --- a/other/restrict-ingress-classes/artifacthub-pkg.yml +++ b/other/restrict-ingress-classes/artifacthub-pkg.yml @@ -18,4 +18,4 @@ readme: | annotations: kyverno/category: "Sample" kyverno/subject: "Ingress" -digest: d999fe6b4a48cd622280388cda32bdf3ec60ca4badc4ae1d2e858446d5cecf58 +digest: e6c966c4fd384ec46ee4f9c51101839d2b2d889a17ad232409e6c13bc9321bf4 diff --git a/other/restrict-ingress-classes/restrict-ingress-classes.yaml b/other/restrict-ingress-classes/restrict-ingress-classes.yaml index a152f1f35..994eb64ee 100644 --- a/other/restrict-ingress-classes/restrict-ingress-classes.yaml +++ b/other/restrict-ingress-classes/restrict-ingress-classes.yaml @@ -16,7 +16,7 @@ metadata: annotation. This annotation has largely been replaced as of Kubernetes 1.18 with the IngressClass resource. spec: - validationFailureAction: Audit + validationFailureAction: audit background: true rules: - name: validate-ingress diff --git a/other/restrict-ingress-defaultbackend/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other/restrict-ingress-defaultbackend/.chainsaw-test/chainsaw-step-01-assert-1.yaml index 649bb41f9..85c3af1c1 100755 --- a/other/restrict-ingress-defaultbackend/.chainsaw-test/chainsaw-step-01-assert-1.yaml +++ b/other/restrict-ingress-defaultbackend/.chainsaw-test/chainsaw-step-01-assert-1.yaml @@ -3,8 +3,4 @@ kind: ClusterPolicy metadata: name: restrict-ingress-defaultbackend status: - conditions: - - reason: Succeeded - status: "True" - type: Ready - + ready: true diff --git a/other/restrict-ingress-defaultbackend/.chainsaw-test/chainsaw-test.yaml b/other/restrict-ingress-defaultbackend/.chainsaw-test/chainsaw-test.yaml index b94978172..00af8da11 100755 --- a/other/restrict-ingress-defaultbackend/.chainsaw-test/chainsaw-test.yaml +++ b/other/restrict-ingress-defaultbackend/.chainsaw-test/chainsaw-test.yaml 
@@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: @@ -8,16 +7,9 @@ spec: steps: - name: step-01 try: - - apply: - file: ../restrict-ingress-defaultbackend.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: restrict-ingress-defaultbackend - spec: - validationFailureAction: Enforce + - script: + content: | + sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../restrict-ingress-defaultbackend.yaml | kubectl create -f - - assert: file: chainsaw-step-01-assert-1.yaml - name: step-02 @@ -29,3 +21,10 @@ spec: - check: ($error != null): true file: ingress-bad.yaml + - name: step-99 + try: + - delete: + ref: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: restrict-ingress-defaultbackend diff --git a/other/restrict-ingress-defaultbackend/.chainsaw-test/ingress-good.yaml b/other/restrict-ingress-defaultbackend/.chainsaw-test/ingress-good.yaml index bf3c9b599..09e9a251f 100644 --- a/other/restrict-ingress-defaultbackend/.chainsaw-test/ingress-good.yaml +++ b/other/restrict-ingress-defaultbackend/.chainsaw-test/ingress-good.yaml @@ -5,7 +5,7 @@ metadata: spec: rules: - host: endpoint01 - http: + https: paths: - backend: service: @@ -22,7 +22,7 @@ metadata: spec: rules: - host: endpoint01 - http: + https: paths: - path: /testpath pathType: Prefix diff --git a/other/restrict-ingress-defaultbackend/artifacthub-pkg.yml b/other/restrict-ingress-defaultbackend/artifacthub-pkg.yml index abbe59806..eda2c16c7 100644 --- a/other/restrict-ingress-defaultbackend/artifacthub-pkg.yml +++ b/other/restrict-ingress-defaultbackend/artifacthub-pkg.yml 
@@ -19,4 +19,4 @@ annotations: kyverno/category: "Best Practices" kyverno/kubernetesVersion: "1.23" kyverno/subject: "Ingress" -digest: c73c675aaf385c335de92d0002abbc06be0249ebd22fe855b19c8c03e5457402 +digest: 9e88f8cef640608f92540545a086285ac1a2944e6cf41f84f2d8ffb6f2e5c315 diff --git a/other/restrict-ingress-defaultbackend/restrict-ingress-defaultbackend.yaml b/other/restrict-ingress-defaultbackend/restrict-ingress-defaultbackend.yaml index 2ef0136b8..f40091701 100644 --- a/other/restrict-ingress-defaultbackend/restrict-ingress-defaultbackend.yaml +++ b/other/restrict-ingress-defaultbackend/restrict-ingress-defaultbackend.yaml @@ -18,7 +18,7 @@ metadata: want users to use explicit hosts, they should not be able to overwrite the global default backend service. This policy prohibits the use of the defaultBackend field. spec: - validationFailureAction: Audit + validationFailureAction: audit background: true rules: - name: restrict-ingress-defaultbackend diff --git a/other/restrict-ingress-host/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other/restrict-ingress-host/.chainsaw-test/chainsaw-step-01-assert-1.yaml index 0daa114c0..2b9230dd4 100755 --- a/other/restrict-ingress-host/.chainsaw-test/chainsaw-step-01-assert-1.yaml +++ b/other/restrict-ingress-host/.chainsaw-test/chainsaw-step-01-assert-1.yaml @@ -3,8 +3,4 @@ kind: ClusterPolicy metadata: name: unique-ingress-host status: - conditions: - - reason: Succeeded - status: "True" - type: Ready - + ready: true diff --git a/other/restrict-ingress-host/.chainsaw-test/chainsaw-test.yaml b/other/restrict-ingress-host/.chainsaw-test/chainsaw-test.yaml index cf59321c8..9b84fae1f 100755 --- a/other/restrict-ingress-host/.chainsaw-test/chainsaw-test.yaml +++ b/other/restrict-ingress-host/.chainsaw-test/chainsaw-test.yaml 
@@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: @@ -10,16 +9,9 @@ spec: try: - apply: file: ingress.yaml - - apply: - file: ../restrict-ingress-host.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: unique-ingress-host - spec: - validationFailureAction: Enforce + - script: + content: | + sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../restrict-ingress-host.yaml | kubectl create -f - - assert: file: chainsaw-step-01-assert-1.yaml - name: step-02 @@ -38,3 +30,10 @@ spec: file: ingress-updates-bad.yaml - apply: file: ingress-updates-good.yaml + - name: step-99 + try: + - delete: + ref: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: unique-ingress-host diff --git a/other/restrict-ingress-host/.chainsaw-test/ingress-bad.yaml b/other/restrict-ingress-host/.chainsaw-test/ingress-bad.yaml index 88422f2fe..d0c74aa1d 100644 --- a/other/restrict-ingress-host/.chainsaw-test/ingress-bad.yaml +++ b/other/restrict-ingress-host/.chainsaw-test/ingress-bad.yaml @@ -5,7 +5,7 @@ metadata: spec: rules: - host: foo - http: + https: paths: - backend: service: @@ -22,7 +22,7 @@ metadata: spec: rules: - host: foo-bar - http: + https: paths: - path: /testpath pathType: Prefix @@ -32,7 +32,7 @@ spec: port: number: 80 - host: bar-bar - http: + https: paths: - path: /testpath pathType: Prefix diff --git a/other/restrict-ingress-host/.chainsaw-test/ingress-good.yaml b/other/restrict-ingress-host/.chainsaw-test/ingress-good.yaml index d9927cb4c..25c458053 100644 --- a/other/restrict-ingress-host/.chainsaw-test/ingress-good.yaml +++ b/other/restrict-ingress-host/.chainsaw-test/ingress-good.yaml @@ -5,7 +5,7 @@ metadata: spec: rules: - host: endpoint01 - http: + https: paths: - backend: service: 
@@ -22,7 +22,7 @@ metadata: spec: rules: - host: endpoint02 - http: + https: paths: - path: /testpath pathType: Prefix diff --git a/other/restrict-ingress-host/.chainsaw-test/ingress-updates-bad.yaml b/other/restrict-ingress-host/.chainsaw-test/ingress-updates-bad.yaml index 84d7d6232..b723a2f7e 100644 --- a/other/restrict-ingress-host/.chainsaw-test/ingress-updates-bad.yaml +++ b/other/restrict-ingress-host/.chainsaw-test/ingress-updates-bad.yaml @@ -5,7 +5,7 @@ metadata: spec: rules: - host: endpoint02 - http: + https: paths: - backend: service: @@ -22,7 +22,7 @@ metadata: spec: rules: - host: endpoint01 - http: + https: paths: - backend: service: @@ -32,7 +32,7 @@ spec: path: / pathType: Prefix - host: endpoint02 - http: + https: paths: - path: /testpath pathType: Prefix diff --git a/other/restrict-ingress-host/.chainsaw-test/ingress-updates-good.yaml b/other/restrict-ingress-host/.chainsaw-test/ingress-updates-good.yaml index 5394f16ed..08a001059 100644 --- a/other/restrict-ingress-host/.chainsaw-test/ingress-updates-good.yaml +++ b/other/restrict-ingress-host/.chainsaw-test/ingress-updates-good.yaml @@ -5,7 +5,7 @@ metadata: spec: rules: - host: endpoint01 - http: + https: paths: - backend: service: @@ -22,7 +22,7 @@ metadata: spec: rules: - host: endpoint03 - http: + https: paths: - path: /testpath pathType: Prefix diff --git a/other/restrict-ingress-host/.chainsaw-test/ingress.yaml b/other/restrict-ingress-host/.chainsaw-test/ingress.yaml index cea1f16d4..d9fe68573 100644 --- a/other/restrict-ingress-host/.chainsaw-test/ingress.yaml +++ b/other/restrict-ingress-host/.chainsaw-test/ingress.yaml @@ -5,7 +5,7 @@ metadata: spec: rules: - host: foo - http: + https: paths: - backend: service: @@ -22,7 +22,7 @@ metadata: spec: rules: - host: bar - http: + https: paths: - backend: service: diff --git a/other/restrict-ingress-host/artifacthub-pkg.yml b/other/restrict-ingress-host/artifacthub-pkg.yml index cfc0adaa2..137283b00 100644 
--- a/other/restrict-ingress-host/artifacthub-pkg.yml +++ b/other/restrict-ingress-host/artifacthub-pkg.yml @@ -18,4 +18,4 @@ readme: | annotations: kyverno/category: "Sample" kyverno/subject: "Ingress" -digest: ad7c3575de345ee12631b16d79ec0db8798b2260a81a01180322f99201940dc7 +digest: 626994bf34517beb56b95c46ae5055dabd3173ab94b391c2806a76015b1f46fd diff --git a/other/restrict-ingress-host/restrict-ingress-host.yaml b/other/restrict-ingress-host/restrict-ingress-host.yaml index f931887aa..48836b6f6 100644 --- a/other/restrict-ingress-host/restrict-ingress-host.yaml +++ b/other/restrict-ingress-host/restrict-ingress-host.yaml @@ -14,7 +14,7 @@ metadata: This policy checks an incoming Ingress resource to ensure its hosts are unique to the cluster. It also ensures that only a single host may be specified in a given manifest. spec: - validationFailureAction: Audit + validationFailureAction: audit background: false rules: - name: check-single-host-create diff --git a/other/restrict-ingress-wildcard/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other/restrict-ingress-wildcard/.chainsaw-test/chainsaw-step-01-assert-1.yaml index c831fd9a5..f85e022ab 100755 --- a/other/restrict-ingress-wildcard/.chainsaw-test/chainsaw-step-01-assert-1.yaml +++ b/other/restrict-ingress-wildcard/.chainsaw-test/chainsaw-step-01-assert-1.yaml @@ -3,8 +3,4 @@ kind: ClusterPolicy metadata: name: restrict-ingress-wildcard status: - conditions: - - reason: Succeeded - status: "True" - type: Ready - + ready: true diff --git a/other/restrict-ingress-wildcard/.chainsaw-test/chainsaw-test.yaml b/other/restrict-ingress-wildcard/.chainsaw-test/chainsaw-test.yaml index 9f9a5c7fe..131312b4d 100755 --- a/other/restrict-ingress-wildcard/.chainsaw-test/chainsaw-test.yaml +++ b/other/restrict-ingress-wildcard/.chainsaw-test/chainsaw-test.yaml 
@@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: @@ -8,16 +7,9 @@ spec: steps: - name: step-01 try: - - apply: - file: ../restrict-ingress-wildcard.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: restrict-ingress-wildcard - spec: - validationFailureAction: Enforce + - script: + content: | + sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../restrict-ingress-wildcard.yaml | kubectl create -f - - assert: file: chainsaw-step-01-assert-1.yaml - name: step-02 @@ -29,3 +21,10 @@ spec: - check: ($error != null): true file: ingress-bad.yaml + - name: step-99 + try: + - delete: + ref: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: restrict-ingress-wildcard diff --git a/other/restrict-ingress-wildcard/.chainsaw-test/ingress-bad.yaml b/other/restrict-ingress-wildcard/.chainsaw-test/ingress-bad.yaml index 6fcfc2e11..bfa869489 100644 --- a/other/restrict-ingress-wildcard/.chainsaw-test/ingress-bad.yaml +++ b/other/restrict-ingress-wildcard/.chainsaw-test/ingress-bad.yaml @@ -5,7 +5,7 @@ metadata: spec: rules: - host: "*.foo.bar" - http: + https: paths: - backend: service: @@ -22,7 +22,7 @@ metadata: spec: rules: - host: foo-bar - http: + https: paths: - path: /testpath pathType: Prefix @@ -31,8 +31,8 @@ spec: name: test port: number: 80 - - host: "*.example.com" - http: + - host: "foo.*.com" + https: paths: - path: /testpath pathType: Prefix @@ -49,7 +49,7 @@ metadata: spec: rules: - host: "*.bar" - http: + https: paths: - path: /testpath pathType: Prefix @@ -59,7 +59,7 @@ spec: port: number: 80 - host: foo-bar - http: + https: paths: - path: /testpath pathType: Prefix 
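Review bot: The replacement host `foo.*.com` is, as far as I recall, rejected by the API server's own Ingress validation (a wildcard is permitted only as the leftmost label, as in `*.example.com`), and built-in validation runs before validating admission webhooks, so Kyverno never sees this object. The `($error != null)` check in step-02 would then pass for the second bad Ingress regardless of whether the policy blocks wildcards. Restoring `host: "*.example.com"` keeps the fixture as something only the policy can reject; `*.foo.bar` and `*.bar` in the same file are fine.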
diff --git a/other/restrict-ingress-wildcard/.chainsaw-test/ingress-good.yaml b/other/restrict-ingress-wildcard/.chainsaw-test/ingress-good.yaml index ed761a800..f67cf1494 100644 --- a/other/restrict-ingress-wildcard/.chainsaw-test/ingress-good.yaml +++ b/other/restrict-ingress-wildcard/.chainsaw-test/ingress-good.yaml @@ -5,7 +5,7 @@ metadata: spec: rules: - host: endpoint01 - http: + https: paths: - backend: service: @@ -22,7 +22,7 @@ metadata: spec: rules: - host: endpoint02 - http: + https: paths: - path: /testpath pathType: Prefix @@ -32,7 +32,7 @@ spec: port: number: 80 - host: endpoint01 - http: + https: paths: - path: /testpath pathType: Prefix diff --git a/other/restrict-ingress-wildcard/artifacthub-pkg.yml b/other/restrict-ingress-wildcard/artifacthub-pkg.yml index f569184b0..9998c48fb 100644 --- a/other/restrict-ingress-wildcard/artifacthub-pkg.yml +++ b/other/restrict-ingress-wildcard/artifacthub-pkg.yml @@ -19,4 +19,4 @@ annotations: kyverno/category: "Other" kyverno/kubernetesVersion: "1.23" kyverno/subject: "Ingress" -digest: 25278c05b7c2e54ab33d137d83540d5d4dac23b1a85083d88609c3b1c3197992 +digest: d47ca7c1ce633eef4936ded9deb782cae7b9d7646e3435122826061976aee4ee diff --git a/other/restrict-ingress-wildcard/restrict-ingress-wildcard.yaml b/other/restrict-ingress-wildcard/restrict-ingress-wildcard.yaml index bcc76c67a..d046029bc 100644 --- a/other/restrict-ingress-wildcard/restrict-ingress-wildcard.yaml +++ b/other/restrict-ingress-wildcard/restrict-ingress-wildcard.yaml @@ -17,7 +17,7 @@ metadata: policy enforces that any Ingress host does not contain a wildcard character. spec: - validationFailureAction: Audit + validationFailureAction: audit background: true rules: - name: block-ingress-wildcard diff --git a/other/restrict-jobs/.chainsaw-test/chainsaw-test.yaml b/other/restrict-jobs/.chainsaw-test/chainsaw-test.yaml index 0537560b5..1e402428f 100755 --- a/other/restrict-jobs/.chainsaw-test/chainsaw-test.yaml 
+++ b/other/restrict-jobs/.chainsaw-test/chainsaw-test.yaml @@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: diff --git a/other/restrict-jobs/.chainsaw-test/cronjob.yaml b/other/restrict-jobs/.chainsaw-test/cronjob.yaml new file mode 100644 index 000000000..52ae70aa5 --- /dev/null +++ b/other/restrict-jobs/.chainsaw-test/cronjob.yaml @@ -0,0 +1,18 @@ +apiVersion: batch/v1 +kind: CronJob +metadata: + name: hello +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + containers: + - name: hello + image: busybox + args: + - /bin/sh + - -c + - date; echo Hello from the Kubernetes cluster + restartPolicy: OnFailure \ No newline at end of file diff --git a/other/restrict-jobs/.chainsaw-test/cronjobs-good.yaml b/other/restrict-jobs/.chainsaw-test/cronjobs-good.yaml index 8118a2876..cc0f70f29 100644 --- a/other/restrict-jobs/.chainsaw-test/cronjobs-good.yaml +++ b/other/restrict-jobs/.chainsaw-test/cronjobs-good.yaml @@ -10,6 +10,6 @@ spec: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 command: ["sleep", "3600"] restartPolicy: OnFailure \ No newline at end of file diff --git a/other/restrict-jobs/.chainsaw-test/job.yaml b/other/restrict-jobs/.chainsaw-test/job.yaml new file mode 100644 index 000000000..4edf767e2 --- /dev/null +++ b/other/restrict-jobs/.chainsaw-test/job.yaml @@ -0,0 +1,13 @@ +apiVersion: batch/v1 +kind: Job +metadata: + name: pi +spec: + template: + spec: + containers: + - name: pi + image: perl + command: ["perl", "-Mbignum=bpi", "-wle", "print bpi(2000)"] + restartPolicy: Never + backoffLimit: 4 \ No newline at end of file diff --git a/other/restrict-jobs/.chainsaw-test/jobs-bad.yaml b/other/restrict-jobs/.chainsaw-test/jobs-bad.yaml index ef62a007b..700346ed5 100644 --- a/other/restrict-jobs/.chainsaw-test/jobs-bad.yaml 
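Review bot: `image: busybox` has no tag, so it resolves to the mutable `latest` tag and whatever the default registry serves on the day the test runs, while every other busybox fixture in this change is pinned to `1.35`. The `*/1 * * * *` schedule also has this CronJob spawn a Job every minute for as long as the fixture exists, which is harmless for restrict-jobs only if the file is reliably deleted at the end (the chainsaw-test.yaml steps that use it are outside this hunk). Use `image: busybox:1.35` for consistency.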
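Review bot: `image: perl` is untagged (mutable `latest`) and pulls a full Perl image just to have a Job fixture, while the policy under test only inspects ownership, not the container. Reusing the pinned `busybox:1.35` with a short `sleep` command, as jobs-bad.yaml does, keeps the pull small and the fixture reproducible.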
+++ b/other/restrict-jobs/.chainsaw-test/jobs-bad.yaml @@ -7,6 +7,6 @@ spec: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 command: ["sleep", "3600"] restartPolicy: Never \ No newline at end of file diff --git a/other/restrict-jobs/.kyverno-test/kyverno-test.yaml b/other/restrict-jobs/.kyverno-test/kyverno-test.yaml deleted file mode 100644 index c2e9af736..000000000 --- a/other/restrict-jobs/.kyverno-test/kyverno-test.yaml +++ /dev/null @@ -1,21 +0,0 @@ -apiVersion: cli.kyverno.io/v1alpha1 -kind: Test -metadata: - name: restrict-jobs -policies: -- ../restrict-jobs.yaml -resources: -- resource.yaml -results: -- policy: restrict-jobs - rule: restrict-job-from-cronjob - kind: Job - resources: - - badjob - result: fail -- policy: restrict-jobs - rule: restrict-job-from-cronjob - kind: Job - resources: - - goodjob - result: skip diff --git a/other/restrict-jobs/.kyverno-test/resource.yaml b/other/restrict-jobs/.kyverno-test/resource.yaml deleted file mode 100644 index 6e48e4443..000000000 --- a/other/restrict-jobs/.kyverno-test/resource.yaml +++ /dev/null @@ -1,32 +0,0 @@ -apiVersion: batch/v1 -kind: Job -metadata: - name: badjob -spec: - template: - spec: - containers: - - name: busybox - image: busybox:1.35 - command: ["sleep", "3600"] - restartPolicy: Never ---- -apiVersion: batch/v1 -kind: Job -metadata: - name: goodjob - ownerReferences: - - apiVersion: batch/v1 - blockOwnerDeletion: true - controller: true - kind: CronJob - name: goodcronjob01 - uid: a554d6b8-8b0a-44da-a9d9-d76a1f85b320 -spec: - template: - spec: - containers: - - name: busybox - image: busybox:1.35 - command: ["sleep", "3600"] - restartPolicy: Never \ No newline at end of file diff --git a/other/restrict-loadbalancer/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other/restrict-loadbalancer/.chainsaw-test/chainsaw-step-01-assert-1.yaml index e88dc49d3..a487741b5 100755 
--- a/other/restrict-loadbalancer/.chainsaw-test/chainsaw-step-01-assert-1.yaml +++ b/other/restrict-loadbalancer/.chainsaw-test/chainsaw-step-01-assert-1.yaml @@ -3,8 +3,4 @@ kind: ClusterPolicy metadata: name: no-loadbalancer-service status: - conditions: - - reason: Succeeded - status: "True" - type: Ready - + ready: true diff --git a/other/restrict-loadbalancer/.chainsaw-test/chainsaw-test.yaml b/other/restrict-loadbalancer/.chainsaw-test/chainsaw-test.yaml index 0c49d059a..c01896a19 100755 --- a/other/restrict-loadbalancer/.chainsaw-test/chainsaw-test.yaml +++ b/other/restrict-loadbalancer/.chainsaw-test/chainsaw-test.yaml @@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: @@ -8,16 +7,9 @@ spec: steps: - name: step-01 try: - - apply: - file: ../restrict-loadbalancer.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: no-loadbalancer-service - spec: - validationFailureAction: Enforce + - script: + content: | + sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../restrict-loadbalancer.yaml | kubectl create -f - - assert: file: chainsaw-step-01-assert-1.yaml - name: step-02 @@ -29,3 +21,10 @@ spec: - check: ($error != null): true file: svc-bad.yaml + - name: step-99 + try: + - delete: + ref: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: no-loadbalancer-service diff --git a/other/restrict-loadbalancer/artifacthub-pkg.yml b/other/restrict-loadbalancer/artifacthub-pkg.yml index 5bc4ad5db..e2559fce9 100644 --- a/other/restrict-loadbalancer/artifacthub-pkg.yml +++ b/other/restrict-loadbalancer/artifacthub-pkg.yml 
@@ -18,4 +18,4 @@ readme: | annotations: kyverno/category: "Sample" kyverno/subject: "Service" -digest: 68ddfd3d14a9764d7cc6b8aedfed75b1911b1cfe922ba45e3bbd4cd1efcf37b6 +digest: dfa26ce07b5ab3a4f5d0106b450a92c866f572478a91491b8c6f18cd523184e0 diff --git a/other/restrict-loadbalancer/restrict-loadbalancer.yaml b/other/restrict-loadbalancer/restrict-loadbalancer.yaml index 08786542c..313c774c6 100644 --- a/other/restrict-loadbalancer/restrict-loadbalancer.yaml +++ b/other/restrict-loadbalancer/restrict-loadbalancer.yaml @@ -15,7 +15,7 @@ metadata: overrun established budgets and security practices set by the organization. This policy restricts use of the Service type LoadBalancer. spec: - validationFailureAction: Audit + validationFailureAction: audit background: true rules: - name: no-LoadBalancer diff --git a/other/restrict-networkpolicy-empty-podselector/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other/restrict-networkpolicy-empty-podselector/.chainsaw-test/chainsaw-step-01-assert-1.yaml index e11e07dd3..08739c249 100755 --- a/other/restrict-networkpolicy-empty-podselector/.chainsaw-test/chainsaw-step-01-assert-1.yaml +++ b/other/restrict-networkpolicy-empty-podselector/.chainsaw-test/chainsaw-step-01-assert-1.yaml @@ -3,8 +3,4 @@ kind: ClusterPolicy metadata: name: restrict-networkpolicy-empty-podselector status: - conditions: - - reason: Succeeded - status: "True" - type: Ready - + ready: true diff --git a/other/restrict-networkpolicy-empty-podselector/.chainsaw-test/chainsaw-test.yaml b/other/restrict-networkpolicy-empty-podselector/.chainsaw-test/chainsaw-test.yaml index e2173e309..f68e17db1 100755 --- a/other/restrict-networkpolicy-empty-podselector/.chainsaw-test/chainsaw-test.yaml +++ b/other/restrict-networkpolicy-empty-podselector/.chainsaw-test/chainsaw-test.yaml 
@@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: @@ -8,16 +7,9 @@ spec: steps: - name: step-01 try: - - apply: - file: ../restrict-networkpolicy-empty-podselector.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: restrict-networkpolicy-empty-podselector - spec: - validationFailureAction: Enforce + - script: + content: | + sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../restrict-networkpolicy-empty-podselector.yaml | kubectl create -f - - assert: file: chainsaw-step-01-assert-1.yaml - name: step-02 @@ -29,3 +21,10 @@ spec: - check: ($error != null): true file: netpol-bad.yaml + - name: step-99 + try: + - delete: + ref: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: restrict-networkpolicy-empty-podselector diff --git a/other/restrict-networkpolicy-empty-podselector/artifacthub-pkg.yml b/other/restrict-networkpolicy-empty-podselector/artifacthub-pkg.yml index 6bbd9179b..c473a8d9d 100644 --- a/other/restrict-networkpolicy-empty-podselector/artifacthub-pkg.yml +++ b/other/restrict-networkpolicy-empty-podselector/artifacthub-pkg.yml @@ -19,4 +19,4 @@ readme: | annotations: kyverno/category: "Other, Multi-Tenancy" kyverno/subject: "NetworkPolicy" -digest: 38fcf833843a204155ecd0cba6cf7118a44a168d0269fe24e3faff349fbe8a11 +digest: d0ba9667eb86aaf3c808d6db56254a4556aaa19e2eb3824886a97a216a5e53b8 diff --git a/other/restrict-networkpolicy-empty-podselector/restrict-networkpolicy-empty-podselector.yaml b/other/restrict-networkpolicy-empty-podselector/restrict-networkpolicy-empty-podselector.yaml index e3b7e3d5d..5b02ab52b 100644 --- a/other/restrict-networkpolicy-empty-podselector/restrict-networkpolicy-empty-podselector.yaml +++ b/other/restrict-networkpolicy-empty-podselector/restrict-networkpolicy-empty-podselector.yaml 
@@ -13,7 +13,7 @@ metadata: more closely control the necessary traffic flows. This policy requires that all NetworkPolicies other than that of `default-deny` not use an empty podSelector. spec: - validationFailureAction: Audit + validationFailureAction: audit background: true rules: - name: empty-podselector diff --git a/other/restrict-node-affinity/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other/restrict-node-affinity/.chainsaw-test/chainsaw-step-01-assert-1.yaml index 0108affce..8aac3db00 100755 --- a/other/restrict-node-affinity/.chainsaw-test/chainsaw-step-01-assert-1.yaml +++ b/other/restrict-node-affinity/.chainsaw-test/chainsaw-step-01-assert-1.yaml @@ -3,8 +3,4 @@ kind: ClusterPolicy metadata: name: restrict-node-affinity status: - conditions: - - reason: Succeeded - status: "True" - type: Ready - + ready: true diff --git a/other/restrict-node-affinity/.chainsaw-test/chainsaw-test.yaml b/other/restrict-node-affinity/.chainsaw-test/chainsaw-test.yaml index e83f4a764..4b294dc6c 100755 --- a/other/restrict-node-affinity/.chainsaw-test/chainsaw-test.yaml +++ b/other/restrict-node-affinity/.chainsaw-test/chainsaw-test.yaml @@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: @@ -8,16 +7,9 @@ spec: steps: - name: step-01 try: - - apply: - file: ../restrict-node-affinity.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: restrict-node-affinity - spec: - validationFailureAction: Enforce + - script: + content: | + sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../restrict-node-affinity.yaml | kubectl create -f - - assert: file: chainsaw-step-01-assert-1.yaml - name: step-02 
@@ -36,3 +28,10 @@ spec: - check: ($error != null): true file: podcontroller-bad.yaml + - name: step-99 + try: + - delete: + ref: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: restrict-node-affinity diff --git a/other/restrict-node-affinity/.chainsaw-test/pod-bad.yaml b/other/restrict-node-affinity/.chainsaw-test/pod-bad.yaml index aa7d1512d..d2622ecd3 100644 --- a/other/restrict-node-affinity/.chainsaw-test/pod-bad.yaml +++ b/other/restrict-node-affinity/.chainsaw-test/pod-bad.yaml @@ -15,7 +15,7 @@ spec: - bar containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod @@ -43,4 +43,4 @@ spec: topologyKey: topology.kubernetes.io/zone containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 \ No newline at end of file + image: busybox:1.35 \ No newline at end of file diff --git a/other/restrict-node-affinity/.chainsaw-test/pod-good.yaml b/other/restrict-node-affinity/.chainsaw-test/pod-good.yaml index 1d308f3ec..3df39edbf 100644 --- a/other/restrict-node-affinity/.chainsaw-test/pod-good.yaml +++ b/other/restrict-node-affinity/.chainsaw-test/pod-good.yaml @@ -5,7 +5,7 @@ metadata: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod @@ -14,16 +14,14 @@ metadata: spec: affinity: podAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - weight: 100 - podAffinityTerm: - labelSelector: - matchExpressions: - - key: bar - operator: In - values: - - bar - topologyKey: topology.kubernetes.io/zone + prefferedDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: bar + operator: In + values: + - bar + topologyKey: topology.kubernetes.io/zone podAntiAffinity: preferredDuringSchedulingIgnoredDuringExecution: - weight: 100 
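Review bot: The new pod-good.yaml affinity block misspells the field as `prefferedDuringSchedulingIgnoredDuringExecution` and drops the `weight`/`podAffinityTerm` wrapper that preferred pod-affinity terms require, so the second "good" Pod is no longer a valid PodSpec. Depending on the field-validation mode in effect, the API server either rejects it (the good-path step fails) or prunes the unknown field, in which case the Pod is admitted with no podAffinity at all and the test stops proving that restrict-node-affinity allows podAffinity while denying nodeAffinity. podcontroller-good.yaml in this same commit carries the identical change. Restore the spelling and structure as below.
```yaml
  affinity:
    podAffinity:
      preferredDuringSchedulingIgnoredDuringExecution:
        - weight: 100
          podAffinityTerm:
            labelSelector:
              matchExpressions:
                - key: bar
                  operator: In
                  values:
                    - bar
            topologyKey: topology.kubernetes.io/zone
    # … unchanged: podAntiAffinity …
```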
@@ -37,4 +35,4 @@ spec: topologyKey: topology.kubernetes.io/zone containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 \ No newline at end of file + image: busybox:1.35 \ No newline at end of file diff --git a/other/restrict-node-affinity/.chainsaw-test/podcontroller-bad.yaml b/other/restrict-node-affinity/.chainsaw-test/podcontroller-bad.yaml index 6740a7267..101b7dce3 100644 --- a/other/restrict-node-affinity/.chainsaw-test/podcontroller-bad.yaml +++ b/other/restrict-node-affinity/.chainsaw-test/podcontroller-bad.yaml @@ -27,7 +27,7 @@ spec: - bar containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: batch/v1 kind: CronJob @@ -51,5 +51,5 @@ spec: - bar containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 restartPolicy: OnFailure \ No newline at end of file diff --git a/other/restrict-node-affinity/.chainsaw-test/podcontroller-good.yaml b/other/restrict-node-affinity/.chainsaw-test/podcontroller-good.yaml index bd3d0113a..91a6a6330 100644 --- a/other/restrict-node-affinity/.chainsaw-test/podcontroller-good.yaml +++ b/other/restrict-node-affinity/.chainsaw-test/podcontroller-good.yaml @@ -17,19 +17,17 @@ spec: spec: affinity: podAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - weight: 100 - podAffinityTerm: - labelSelector: - matchExpressions: - - key: bar - operator: In - values: - - bar - topologyKey: topology.kubernetes.io/zone + prefferedDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: bar + operator: In + values: + - bar + topologyKey: topology.kubernetes.io/zone containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: batch/v1 kind: CronJob @@ -43,5 +41,5 @@ spec: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 restartPolicy: OnFailure \ No newline at end of file 
diff --git a/other/restrict-node-affinity/artifacthub-pkg.yml b/other/restrict-node-affinity/artifacthub-pkg.yml index c52eb901b..f5e03f2f6 100644 --- a/other/restrict-node-affinity/artifacthub-pkg.yml +++ b/other/restrict-node-affinity/artifacthub-pkg.yml @@ -19,4 +19,4 @@ annotations: kyverno/category: "Other" kyverno/kubernetesVersion: "1.24" kyverno/subject: "Pod" -digest: f501d3f3b0391ae2dc698b28eacd8e46dbdf5af9278a688127bfb18678f0532c +digest: 1bc527f2c286a2ec07141d43e26857ccb4ce6996b291b3bb1903469b113fcfde diff --git a/other/restrict-node-affinity/restrict-node-affinity.yaml b/other/restrict-node-affinity/restrict-node-affinity.yaml index 18c2e0f03..b6b7a0fa7 100644 --- a/other/restrict-node-affinity/restrict-node-affinity.yaml +++ b/other/restrict-node-affinity/restrict-node-affinity.yaml @@ -17,7 +17,7 @@ metadata: is not used in a Pod spec. spec: background: true - validationFailureAction: Audit + validationFailureAction: audit rules: - name: check-nodeaffinity match: diff --git a/other/restrict-node-label-changes/.chainsaw-test/chainsaw-test.yaml b/other/restrict-node-label-changes/.chainsaw-test/chainsaw-test.yaml index b0c9f434e..2cd13f227 100755 --- a/other/restrict-node-label-changes/.chainsaw-test/chainsaw-test.yaml +++ b/other/restrict-node-label-changes/.chainsaw-test/chainsaw-test.yaml @@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: @@ -17,16 +16,16 @@ spec: - script: content: | kubectl get configmap kyverno -n kyverno -o yaml | sed 's/\[Node\/\*,\*,\*\]//g' - | sed 's/\[Node,\*,\*\]//g' - | kubectl apply -f - - - sleep: - duration: 5s + - command: + args: + - "5" + entrypoint: sleep - name: step-02 try: - apply: file: ../restrict-node-label-changes.yaml - assert: file: policy-ready.yaml - - sleep: - duration: 5s - name: step-03 try: - script: 
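Review bot: The wait that followed the policy-ready assert in step-02 is removed, while the 5 s wait after rewriting Kyverno's resourceFilters ConfigMap is kept; a Ready ClusterPolicy does not by itself show that the webhook rule for Nodes has been (re)registered, so step-03's first Node update (outside this hunk) may reach the API server before Kyverno is asked about it. For a policy whose whole purpose is to deny that update, a missed webhook call looks like a failure in one run and a pass in the next. If the timing wait is meant to go, replace it with an assert on the validating webhook configuration that the Node rule is present; otherwise keep a wait after the assert, e.g. the same `- command:` / `entrypoint: sleep` / `args: ["5"]` form used earlier in this step.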
diff --git a/other/restrict-node-label-changes/artifacthub-pkg.yml b/other/restrict-node-label-changes/artifacthub-pkg.yml index 76b6cdb5d..56618f392 100644 --- a/other/restrict-node-label-changes/artifacthub-pkg.yml +++ b/other/restrict-node-label-changes/artifacthub-pkg.yml @@ -18,4 +18,4 @@ readme: | annotations: kyverno/category: "Sample" kyverno/subject: "Node, Label" -digest: 50b9b20c822339142265cda589f17f9f6383f451b58f26e833eaacad76476c26 +digest: 5f85ca279377a987568daa4353191e8e843ed6e708ffc9a4163e0fd95ec27894 diff --git a/other/restrict-node-label-changes/restrict-node-label-changes.yaml b/other/restrict-node-label-changes/restrict-node-label-changes.yaml index c395ddef8..f0f2b2655 100644 --- a/other/restrict-node-label-changes/restrict-node-label-changes.yaml +++ b/other/restrict-node-label-changes/restrict-node-label-changes.yaml @@ -16,7 +16,7 @@ metadata: requires, at minimum, one of the following versions of Kubernetes: v1.18.18, v1.19.10, v1.20.6, or v1.21.0. spec: - validationFailureAction: Enforce + validationFailureAction: enforce background: false rules: - name: prevent-label-value-changes @@ -26,7 +26,6 @@ spec: kinds: - Node validate: - allowExistingViolations: false message: "Modifying the `foo` label on a Node is not allowed." deny: conditions: @@ -52,9 +51,8 @@ spec: operator: Equals value: "?*" validate: - allowExistingViolations: false message: "Removing the `foo` label on a Node is not allowed." pattern: metadata: labels: - foo: "*" + foo: "*" \ No newline at end of file diff --git a/other/restrict-node-label-creation/.chainsaw-test/chainsaw-test.yaml b/other/restrict-node-label-creation/.chainsaw-test/chainsaw-test.yaml index 7174c36d8..20ce638c2 100755 --- a/other/restrict-node-label-creation/.chainsaw-test/chainsaw-test.yaml +++ b/other/restrict-node-label-creation/.chainsaw-test/chainsaw-test.yaml 
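Review bot: Both rules lose their explicit `allowExistingViolations: false` with no replacement, so whether an UPDATE to a Node that already fails the rule is blocked now depends on Kyverno's default for that field (true in the releases that introduced it, per the Kyverno docs; the target version is not visible here). For a policy whose only job is to deny changes to the `foo` label on Nodes, that is precisely the case a caller who has already altered the label would exercise next, and the `deny` conditions that decide it sit outside this hunk. Keep `allowExistingViolations: false` under each `validate:` so enforcement does not vary with the controller version. Separately, `validationFailureAction: enforce` is the deprecated lowercase spelling; `Enforce` is the canonical value.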
@@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: @@ -11,8 +10,10 @@ spec: - script: content: | kubectl get configmap kyverno -n kyverno -o yaml | sed 's/\[Node\/\*,\*,\*\]//g' - | sed 's/\[Node,\*,\*\]//g' - | kubectl apply -f - - - sleep: - duration: 5s + - command: + args: + - "5" + entrypoint: sleep - name: step-02 try: - apply: diff --git a/other/restrict-node-label-creation/artifacthub-pkg.yml b/other/restrict-node-label-creation/artifacthub-pkg.yml index 1e328653a..ed5cc29b6 100644 --- a/other/restrict-node-label-creation/artifacthub-pkg.yml +++ b/other/restrict-node-label-creation/artifacthub-pkg.yml @@ -18,4 +18,4 @@ readme: | annotations: kyverno/category: "Sample" kyverno/subject: "Node, Label" -digest: 18bb96511f438e7d5267490f448768be97012a7b4943d51b190e538692cac76b +digest: ce639e3a55535dabae7b3db6afcdbab9937bdded689547396ea64a52157b026c diff --git a/other/restrict-node-label-creation/restrict-node-label-creation.yaml b/other/restrict-node-label-creation/restrict-node-label-creation.yaml index c1490f602..e89c7dda8 100644 --- a/other/restrict-node-label-creation/restrict-node-label-creation.yaml +++ b/other/restrict-node-label-creation/restrict-node-label-creation.yaml @@ -17,7 +17,7 @@ metadata: requires, at minimum, one of the following versions of Kubernetes: v1.18.18, v1.19.10, v1.20.6, or v1.21.0. spec: - validationFailureAction: Enforce + validationFailureAction: enforce background: false rules: - name: prevent-label-set diff --git a/other/restrict-node-selection/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other/restrict-node-selection/.chainsaw-test/chainsaw-step-01-assert-1.yaml index fdf0703cc..b8c04eaa7 100755 --- a/other/restrict-node-selection/.chainsaw-test/chainsaw-step-01-assert-1.yaml +++ b/other/restrict-node-selection/.chainsaw-test/chainsaw-step-01-assert-1.yaml 
@@ -3,8 +3,4 @@ kind: ClusterPolicy metadata: name: restrict-node-selection status: - conditions: - - reason: Succeeded - status: "True" - type: Ready - + ready: true diff --git a/other/restrict-node-selection/.chainsaw-test/chainsaw-test.yaml b/other/restrict-node-selection/.chainsaw-test/chainsaw-test.yaml index c65dd6a38..b45a17fac 100755 --- a/other/restrict-node-selection/.chainsaw-test/chainsaw-test.yaml +++ b/other/restrict-node-selection/.chainsaw-test/chainsaw-test.yaml @@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: @@ -8,16 +7,9 @@ spec: steps: - name: step-01 try: - - apply: - file: ../restrict-node-selection.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: restrict-node-selection - spec: - validationFailureAction: Enforce + - script: + content: | + sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../restrict-node-selection.yaml | kubectl create -f - - assert: file: chainsaw-step-01-assert-1.yaml - name: step-02 @@ -36,3 +28,10 @@ spec: - check: ($error != null): true file: podcontroller-bad.yaml + - name: step-99 + try: + - delete: + ref: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: restrict-node-selection diff --git a/other/restrict-node-selection/.chainsaw-test/pod-bad.yaml b/other/restrict-node-selection/.chainsaw-test/pod-bad.yaml index a06a33408..29c1bb319 100644 --- a/other/restrict-node-selection/.chainsaw-test/pod-bad.yaml +++ b/other/restrict-node-selection/.chainsaw-test/pod-bad.yaml @@ -4,10 +4,11 @@ metadata: name: badpod01 spec: nodeSelector: - foo: bar + matchLabels: + foo: bar containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod 
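Review bot: The new pod-bad.yaml nests `matchLabels:` under `nodeSelector`, but `PodSpec.nodeSelector` is a flat `map[string]string`, so this Pod is rejected by the API server while decoding the request, before any admission webhook runs. Step-02's `($error != null): true` therefore passes whether or not restrict-node-selection is installed or enforcing, and the Deployment in podcontroller-bad.yaml receives the same change. Keep the flat form, `nodeSelector:` / `  foo: bar`, so the error the test observes is the policy's denial rather than a schema error. The `nodeName: kind-control-plane` cases are unaffected.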
@@ -17,4 +18,4 @@ spec: nodeName: kind-control-plane containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 \ No newline at end of file diff --git a/other/restrict-node-selection/.chainsaw-test/pod-good.yaml b/other/restrict-node-selection/.chainsaw-test/pod-good.yaml index 1db6a8b46..88a6148a7 100644 --- a/other/restrict-node-selection/.chainsaw-test/pod-good.yaml +++ b/other/restrict-node-selection/.chainsaw-test/pod-good.yaml @@ -5,4 +5,4 @@ metadata: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 \ No newline at end of file + image: busybox:1.35 \ No newline at end of file diff --git a/other/restrict-node-selection/.chainsaw-test/podcontroller-bad.yaml b/other/restrict-node-selection/.chainsaw-test/podcontroller-bad.yaml index 273229789..67ef8da4b 100644 --- a/other/restrict-node-selection/.chainsaw-test/podcontroller-bad.yaml +++ b/other/restrict-node-selection/.chainsaw-test/podcontroller-bad.yaml @@ -16,10 +16,11 @@ spec: app: busybox spec: nodeSelector: - foo: bar + matchLabels: + foo: bar containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: batch/v1 kind: CronJob @@ -34,5 +35,5 @@ spec: nodeName: kind-control-plane containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 - restartPolicy: OnFailure + image: busybox:1.35 + restartPolicy: OnFailure \ No newline at end of file diff --git a/other/restrict-node-selection/.chainsaw-test/podcontroller-good.yaml b/other/restrict-node-selection/.chainsaw-test/podcontroller-good.yaml index ba28ba4d3..f5d682100 100644 --- a/other/restrict-node-selection/.chainsaw-test/podcontroller-good.yaml +++ b/other/restrict-node-selection/.chainsaw-test/podcontroller-good.yaml @@ -17,7 +17,7 @@ spec: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: batch/v1 kind: CronJob 
@@ -31,5 +31,5 @@ spec: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 restartPolicy: OnFailure \ No newline at end of file diff --git a/other/restrict-node-selection/artifacthub-pkg.yml b/other/restrict-node-selection/artifacthub-pkg.yml index 1fe39ffa0..0e9f3f1c4 100644 --- a/other/restrict-node-selection/artifacthub-pkg.yml +++ b/other/restrict-node-selection/artifacthub-pkg.yml @@ -18,4 +18,4 @@ readme: | annotations: kyverno/category: "Sample" kyverno/subject: "Pod" -digest: 87d5b2c54ff483fca02c5605bcb9be7416ca45762035324b9bfc62d20c7bcbb1 +digest: 5de29662e13080d414e0381c82da17f65dc8818a835d66aa353c51b604b7c478 diff --git a/other/restrict-node-selection/restrict-node-selection.yaml b/other/restrict-node-selection/restrict-node-selection.yaml index 543e26579..95ad1c945 100644 --- a/other/restrict-node-selection/restrict-node-selection.yaml +++ b/other/restrict-node-selection/restrict-node-selection.yaml @@ -16,7 +16,7 @@ metadata: this policy is only designed to work on initial creation and not in background mode. spec: - validationFailureAction: Audit + validationFailureAction: audit background: false rules: - name: restrict-nodeselector diff --git a/other/restrict-pod-controller-serviceaccount-updates/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other/restrict-pod-controller-serviceaccount-updates/.chainsaw-test/chainsaw-step-01-assert-1.yaml index 9f02c6ee0..92b7018c8 100755 --- a/other/restrict-pod-controller-serviceaccount-updates/.chainsaw-test/chainsaw-step-01-assert-1.yaml +++ b/other/restrict-pod-controller-serviceaccount-updates/.chainsaw-test/chainsaw-step-01-assert-1.yaml @@ -3,8 +3,4 @@ kind: ClusterPolicy metadata: name: restrict-pod-controller-serviceaccount-updates status: - conditions: - - reason: Succeeded - status: "True" - type: Ready - + ready: true 
diff --git a/other/restrict-pod-controller-serviceaccount-updates/.chainsaw-test/chainsaw-step-02-apply-4.yaml b/other/restrict-pod-controller-serviceaccount-updates/.chainsaw-test/chainsaw-step-02-apply-4.yaml index 18bd07022..b8f88a8ad 100755 --- a/other/restrict-pod-controller-serviceaccount-updates/.chainsaw-test/chainsaw-step-02-apply-4.yaml +++ b/other/restrict-pod-controller-serviceaccount-updates/.chainsaw-test/chainsaw-step-02-apply-4.yaml @@ -16,6 +16,6 @@ spec: app: busybox spec: containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox serviceAccountName: serviceaccount01 diff --git a/other/restrict-pod-controller-serviceaccount-updates/.chainsaw-test/chainsaw-step-02-apply-5.yaml b/other/restrict-pod-controller-serviceaccount-updates/.chainsaw-test/chainsaw-step-02-apply-5.yaml index 2a3a3a751..5e04c53ee 100755 --- a/other/restrict-pod-controller-serviceaccount-updates/.chainsaw-test/chainsaw-step-02-apply-5.yaml +++ b/other/restrict-pod-controller-serviceaccount-updates/.chainsaw-test/chainsaw-step-02-apply-5.yaml @@ -8,7 +8,7 @@ spec: template: spec: containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox restartPolicy: OnFailure serviceAccountName: serviceaccount01 diff --git a/other/restrict-pod-controller-serviceaccount-updates/.chainsaw-test/chainsaw-test.yaml b/other/restrict-pod-controller-serviceaccount-updates/.chainsaw-test/chainsaw-test.yaml index cf7b4bea0..e0cb85dd6 100755 --- a/other/restrict-pod-controller-serviceaccount-updates/.chainsaw-test/chainsaw-test.yaml +++ b/other/restrict-pod-controller-serviceaccount-updates/.chainsaw-test/chainsaw-test.yaml @@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: 
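Review bot: The fixture images move from `ghcr.io/kyverno/test-busybox:1.35` to the unqualified `busybox:1.35`, which the container runtime resolves to `docker.io/library/busybox` — a mutable tag on a registry with anonymous pull limits, and a different image from the one the rest of the suite had standardised on. These Pods only need to be admitted or denied, so the image content rarely matters, but a throttled or changed upstream makes the "good" applies fail for reasons unrelated to the policy; why the project had moved to the ghcr.io mirror is not visible here. If the change is intentional, write the fully qualified reference `docker.io/library/busybox:1.35` and consider pinning by digest so the fixture cannot drift.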
@@ -8,16 +7,9 @@ spec: steps: - name: step-01 try: - - apply: - file: ../restrict-pod-controller-serviceaccount-updates.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: restrict-pod-controller-serviceaccount-updates - spec: - validationFailureAction: Enforce + - script: + content: | + sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../restrict-pod-controller-serviceaccount-updates.yaml | kubectl create -f - - assert: file: chainsaw-step-01-assert-1.yaml - name: step-02 @@ -48,3 +40,10 @@ spec: file: cronjob-good-update.yaml - apply: file: deploy-good-update.yaml + - name: step-99 + try: + - delete: + ref: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: restrict-pod-controller-serviceaccount-updates diff --git a/other/restrict-pod-controller-serviceaccount-updates/.chainsaw-test/cronjob-bad-update.yaml b/other/restrict-pod-controller-serviceaccount-updates/.chainsaw-test/cronjob-bad-update.yaml index 80a45123c..035cb6a3c 100644 --- a/other/restrict-pod-controller-serviceaccount-updates/.chainsaw-test/cronjob-bad-update.yaml +++ b/other/restrict-pod-controller-serviceaccount-updates/.chainsaw-test/cronjob-bad-update.yaml @@ -11,5 +11,5 @@ spec: serviceAccountName: serviceaccount02 containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 restartPolicy: OnFailure \ No newline at end of file diff --git a/other/restrict-pod-controller-serviceaccount-updates/.chainsaw-test/deploy-bad-update.yaml b/other/restrict-pod-controller-serviceaccount-updates/.chainsaw-test/deploy-bad-update.yaml index 14a0fe7a6..8788cebd3 100644 --- a/other/restrict-pod-controller-serviceaccount-updates/.chainsaw-test/deploy-bad-update.yaml +++ b/other/restrict-pod-controller-serviceaccount-updates/.chainsaw-test/deploy-bad-update.yaml 
@@ -18,4 +18,4 @@ spec: serviceAccountName: serviceaccount02 containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 \ No newline at end of file + image: busybox:1.35 \ No newline at end of file diff --git a/other/restrict-pod-controller-serviceaccount-updates/artifacthub-pkg.yml b/other/restrict-pod-controller-serviceaccount-updates/artifacthub-pkg.yml index 0ff3f5cf7..5dd332082 100644 --- a/other/restrict-pod-controller-serviceaccount-updates/artifacthub-pkg.yml +++ b/other/restrict-pod-controller-serviceaccount-updates/artifacthub-pkg.yml @@ -19,4 +19,4 @@ annotations: kyverno/category: "Other" kyverno/kubernetesVersion: "1.24" kyverno/subject: "Pod" -digest: 7339d1663d9447d7e8ece53460ab38514dc6828ca60844279ce84fed61c53540 +digest: e1653e8ecec5c0cb8c9ef44b431fdf0b1231605d8d8406a11a165561a763dfca diff --git a/other/restrict-pod-controller-serviceaccount-updates/restrict-pod-controller-serviceaccount-updates.yaml b/other/restrict-pod-controller-serviceaccount-updates/restrict-pod-controller-serviceaccount-updates.yaml index b9f82dce6..dd588c2f3 100644 --- a/other/restrict-pod-controller-serviceaccount-updates/restrict-pod-controller-serviceaccount-updates.yaml +++ b/other/restrict-pod-controller-serviceaccount-updates/restrict-pod-controller-serviceaccount-updates.yaml @@ -16,7 +16,7 @@ metadata: to Pod controllers if those updates modify the serviceAccountName field. Updates to Pods directly for this field are not possible as it is immutable once set. spec: - validationFailureAction: Audit + validationFailureAction: audit background: true rules: - name: block-serviceaccount-updates diff --git a/other/restrict-pod-count-per-node/artifacthub-pkg.yml b/other/restrict-pod-count-per-node/artifacthub-pkg.yml index 6b526329e..cb6f7ed78 100644 --- a/other/restrict-pod-count-per-node/artifacthub-pkg.yml +++ b/other/restrict-pod-count-per-node/artifacthub-pkg.yml 
@@ -18,4 +18,4 @@ readme: | annotations: kyverno/category: "Sample" kyverno/subject: "Pod" -digest: f2da36f1444861ff2de4385a814d6720a13ee89e794d1c12aa2af7aba3aa5129 +digest: 6213a01793e7c3de54e755c786b08ea7d1335a6c826137885be32182173f6c44 diff --git a/other/restrict-pod-count-per-node/restrict-pod-count-per-node.yaml b/other/restrict-pod-count-per-node/restrict-pod-count-per-node.yaml index 25142d6c0..d88f60997 100644 --- a/other/restrict-pod-count-per-node/restrict-pod-count-per-node.yaml +++ b/other/restrict-pod-count-per-node/restrict-pod-count-per-node.yaml @@ -14,7 +14,7 @@ metadata: development cases. This policy restricts Pod count on a Node named `minikube` to be no more than 10. # pod-policies.kyverno.io/autogen-controllers: none spec: - validationFailureAction: Audit + validationFailureAction: audit background: false rules: - name: restrict-pod-count diff --git a/other/restrict-sa-automount-sa-token/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other/restrict-sa-automount-sa-token/.chainsaw-test/chainsaw-step-01-assert-1.yaml index 5008f0284..f6f90dfa1 100644 --- a/other/restrict-sa-automount-sa-token/.chainsaw-test/chainsaw-step-01-assert-1.yaml +++ b/other/restrict-sa-automount-sa-token/.chainsaw-test/chainsaw-step-01-assert-1.yaml @@ -3,8 +3,4 @@ kind: ClusterPolicy metadata: name: restrict-sa-automount-sa-token status: - conditions: - - reason: Succeeded - status: "True" - type: Ready - + ready: true diff --git a/other/restrict-sa-automount-sa-token/.chainsaw-test/chainsaw-test.yaml b/other/restrict-sa-automount-sa-token/.chainsaw-test/chainsaw-test.yaml index 86999c9c5..711231930 100644 --- a/other/restrict-sa-automount-sa-token/.chainsaw-test/chainsaw-test.yaml +++ b/other/restrict-sa-automount-sa-token/.chainsaw-test/chainsaw-test.yaml @@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: 
@@ -8,16 +7,9 @@ spec: steps: - name: step-01 try: - - apply: - file: ../restrict-sa-automount-sa-token.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: restrict-sa-automount-sa-token - spec: - validationFailureAction: Enforce + - script: + content: | + sed 's/validationFailureAction: Audit/validationFailureAction: Enforce/' ../restrict-sa-automount-sa-token.yaml | kubectl create -f - - assert: file: chainsaw-step-01-assert-1.yaml - name: step-02 @@ -29,3 +21,10 @@ spec: - check: ($error != null): true file: bad-sa.yaml + - name: step-99 + try: + - delete: + ref: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: restrict-sa-automount-sa-token diff --git a/other/restrict-scale/artifacthub-pkg.yml b/other/restrict-scale/artifacthub-pkg.yml index 7b2c98bb5..6a6db795e 100644 --- a/other/restrict-scale/artifacthub-pkg.yml +++ b/other/restrict-scale/artifacthub-pkg.yml @@ -19,4 +19,4 @@ annotations: kyverno/category: "Other" kyverno/kubernetesVersion: "1.24" kyverno/subject: "Deployment" -digest: c2617db73bd8805c8e4ac8eb6a0a86ca203a97092d4e9f2d61229405e63a3a82 +digest: 80c2bc5cbe9081ae7ca6598f8ef435467bb487818df49a6b4c95e35f442be0e2 diff --git a/other/restrict-scale/restrict-scale.yaml b/other/restrict-scale/restrict-scale.yaml index 93f791819..e3ebfaeeb 100644 --- a/other/restrict-scale/restrict-scale.yaml +++ b/other/restrict-scale/restrict-scale.yaml @@ -18,7 +18,7 @@ metadata: of rules which can be used to limit the replica count both upon creation of a Deployment and when a scale operation is performed. spec: - validationFailureAction: Audit + validationFailureAction: audit background: false rules: # This rule can be used to limit scale operations based upon Deployment labels assuming the given label diff --git a/other/restrict-secret-role-verbs/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other/restrict-secret-role-verbs/.chainsaw-test/chainsaw-step-01-assert-1.yaml index acb40c325..f09ecb57a 100755 
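Review bot: This is the only test in the commit whose substitution looks for `validationFailureAction: Audit` (capital A); every sibling test patched here looks for `audit`, and the restrict-sa-automount-sa-token policy file is not part of this diff, so I cannot confirm which spelling it carries. If it does not match, `sed` still exits 0, the policy is created in audit mode, and step-02's expectation of an error on bad-sa.yaml fails with no hint why. Make the pattern tolerant of either spelling, `sed -E 's/validationFailureAction: [Aa]udit/validationFailureAction: Enforce/'`, and assert `spec.validationFailureAction: Enforce` in chainsaw-step-01-assert-1.yaml.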
--- a/other/restrict-secret-role-verbs/.chainsaw-test/chainsaw-step-01-assert-1.yaml +++ b/other/restrict-secret-role-verbs/.chainsaw-test/chainsaw-step-01-assert-1.yaml @@ -3,8 +3,4 @@ kind: ClusterPolicy metadata: name: restrict-secret-role-verbs status: - conditions: - - reason: Succeeded - status: "True" - type: Ready - + ready: true diff --git a/other/restrict-secret-role-verbs/.chainsaw-test/chainsaw-test.yaml b/other/restrict-secret-role-verbs/.chainsaw-test/chainsaw-test.yaml index c3cb1663e..41dcf4425 100755 --- a/other/restrict-secret-role-verbs/.chainsaw-test/chainsaw-test.yaml +++ b/other/restrict-secret-role-verbs/.chainsaw-test/chainsaw-test.yaml @@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: @@ -8,16 +7,9 @@ spec: steps: - name: step-01 try: - - apply: - file: ../restrict-secret-role-verbs.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: restrict-secret-role-verbs - spec: - validationFailureAction: Enforce + - script: + content: | + sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../restrict-secret-role-verbs.yaml | kubectl create -f - - assert: file: chainsaw-step-01-assert-1.yaml - name: step-02 @@ -36,3 +28,10 @@ spec: - check: ($error != null): true file: role-bad.yaml + - name: step-99 + try: + - delete: + ref: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: restrict-secret-role-verbs diff --git a/other/restrict-secret-role-verbs/.kyverno-test/kyverno-test.yaml b/other/restrict-secret-role-verbs/.kyverno-test/kyverno-test.yaml deleted file mode 100644 index e4106c939..000000000 --- a/other/restrict-secret-role-verbs/.kyverno-test/kyverno-test.yaml +++ /dev/null 
@@ -1,45 +0,0 @@ -apiVersion: cli.kyverno.io/v1alpha1 -kind: Test -metadata: - name: restrict-secret-role-verbs -policies: -- ../restrict-secret-role-verbs.yaml -resources: -- ../.chainsaw-test/cr-bad.yaml -- ../.chainsaw-test/cr-good.yaml -- ../.chainsaw-test/role-bad.yaml -- ../.chainsaw-test/role-good.yaml -results: -- kind: ClusterRole - policy: restrict-secret-role-verbs - resources: - - badcr01 - - badcr02 - - badcr03 - result: fail - rule: secret-verbs -- kind: ClusterRole - policy: restrict-secret-role-verbs - resources: - - goodcr01 - - goodcr02 - - goodcr03 - result: pass - rule: secret-verbs -- kind: Role - policy: restrict-secret-role-verbs - resources: - - badcr01 - - badcr02 - - badcr03 - result: fail - rule: secret-verbs -- kind: Role - policy: restrict-secret-role-verbs - resources: - - goodcr01 - - goodcr02 - - goodcr03 - result: pass - rule: secret-verbs - diff --git a/other/restrict-secret-role-verbs/artifacthub-pkg.yml b/other/restrict-secret-role-verbs/artifacthub-pkg.yml index 71616b822..57cd87034 100644 --- a/other/restrict-secret-role-verbs/artifacthub-pkg.yml +++ b/other/restrict-secret-role-verbs/artifacthub-pkg.yml @@ -19,4 +19,4 @@ annotations: kyverno/category: "Security" kyverno/kubernetesVersion: "1.23" kyverno/subject: "Role, ClusterRole, RBAC" -digest: 521df259b97560b55cc1b96a55aa5aadeae44496644e770e48ccf732a67454b8 +digest: 3c71693c6eb0ac3af7bf871d7c6b0e66518709a16c98d56a8f4a6b30f25c2106 diff --git a/other/restrict-secret-role-verbs/restrict-secret-role-verbs.yaml b/other/restrict-secret-role-verbs/restrict-secret-role-verbs.yaml index 847631de6..78c48a111 100644 --- a/other/restrict-secret-role-verbs/restrict-secret-role-verbs.yaml +++ b/other/restrict-secret-role-verbs/restrict-secret-role-verbs.yaml 
@@ -18,7 +18,7 @@ metadata: also prevents use of the wildcard ('*') in the verbs list either when explicitly naming Secrets or when also using a wildcard in the base API group. spec: - validationFailureAction: Audit + validationFailureAction: audit background: true rules: - name: secret-verbs diff --git a/other/restrict-secrets-by-label/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other/restrict-secrets-by-label/.chainsaw-test/chainsaw-step-01-assert-1.yaml index 885f95c16..8afc2f280 100755 --- a/other/restrict-secrets-by-label/.chainsaw-test/chainsaw-step-01-assert-1.yaml +++ b/other/restrict-secrets-by-label/.chainsaw-test/chainsaw-step-01-assert-1.yaml @@ -3,8 +3,4 @@ kind: ClusterPolicy metadata: name: restrict-secrets-by-label status: - conditions: - - reason: Succeeded - status: "True" - type: Ready - + ready: true diff --git a/other/restrict-secrets-by-label/.chainsaw-test/chainsaw-test.yaml b/other/restrict-secrets-by-label/.chainsaw-test/chainsaw-test.yaml index f0709b46a..47915852a 100755 --- a/other/restrict-secrets-by-label/.chainsaw-test/chainsaw-test.yaml +++ b/other/restrict-secrets-by-label/.chainsaw-test/chainsaw-test.yaml @@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: @@ -8,20 +7,11 @@ spec: steps: - name: step-01 try: - - apply: - file: permissions.yaml - apply: file: secret.yaml - - apply: - file: ../restrict-secrets-by-label.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: restrict-secrets-by-label - spec: - validationFailureAction: Enforce + - script: + content: | + sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../restrict-secrets-by-label.yaml | kubectl create -f - - assert: file: chainsaw-step-01-assert-1.yaml - name: step-02 
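Review bot: Dropping `- apply: file: permissions.yaml` from step-01 in `@@ -8,20 +7,11 @@` of restrict-secrets-by-label's chainsaw-test.yaml (together with the deletion of permissions.yaml in the next file section) removes the ClusterRole that granted Kyverno's admission, background and reports controllers `get`/`list`/`watch` on Secrets for the duration of the test. The policy under test has a rule named `secrets-lookup-from-env`, which suggests it reads Secrets through an API call; if the CI Kyverno install does not grant Secret read by other means, that lookup will fail and the validation outcome will differ from what the test expects. If the permission is now provided by the install, a comment on the step saying so would stop the next reader from re-adding the ClusterRole, e.g. `# Secret read RBAC for the Kyverno controllers is provided by the CI install, not by this test`.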
@@ -40,3 +30,10 @@ spec: - check: ($error != null): true file: podcontroller-bad.yaml + - name: step-99 + try: + - delete: + ref: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: restrict-secrets-by-label diff --git a/other/restrict-secrets-by-label/.chainsaw-test/permissions.yaml b/other/restrict-secrets-by-label/.chainsaw-test/permissions.yaml deleted file mode 100644 index 1150569d8..000000000 --- a/other/restrict-secrets-by-label/.chainsaw-test/permissions.yaml +++ /dev/null @@ -1,17 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: kyverno:secrets:view - labels: - rbac.kyverno.io/aggregate-to-background-controller: "true" - rbac.kyverno.io/aggregate-to-admission-controller: "true" - rbac.kyverno.io/aggregate-to-reports-controller: "true" -rules: -- apiGroups: - - "" - resources: - - secrets - verbs: - - get - - list - - watch diff --git a/other/restrict-secrets-by-label/.chainsaw-test/pod-bad.yaml b/other/restrict-secrets-by-label/.chainsaw-test/pod-bad.yaml index 4c57dbdab..ac106eaed 100644 --- a/other/restrict-secrets-by-label/.chainsaw-test/pod-bad.yaml +++ b/other/restrict-secrets-by-label/.chainsaw-test/pod-bad.yaml @@ -5,9 +5,9 @@ metadata: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 env: - name: ENV_SECRET valueFrom: @@ -22,9 +22,9 @@ metadata: spec: initContainers: - name: busybox-init - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: busybox02-init - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 env: - name: ENV_FOO value: "bar" @@ -35,9 +35,9 @@ spec: key: foo containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 env: - name: ENV_SECRET valueFrom: 
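Review bot: `image: ghcr.io/kyverno/test-busybox:1.35` becomes the unqualified `image: busybox:1.35` throughout `@@ -5,9 +5,9 @@`, `@@ -22,9 +22,9 @@` and `@@ -35,9 +35,9 @@` of pod-bad.yaml; an unqualified reference resolves to Docker Hub at pull time, so the fixtures now depend on an external, rate-limited registry and a mutable tag instead of the project-controlled mirror. Whether that matters depends on whether these Pods are actually scheduled during the test or only evaluated at admission, which is not visible here. If the intent is to stop using the mirror, a fully qualified reference such as `docker.io/library/busybox:1.35` keeps the registry explicit and reviewable. The same substitution is made in pod-good.yaml, podcontroller-bad.yaml and podcontroller-good.yaml under restrict-secrets-by-label, restrict-secrets-by-name and restrict-usergroup-fsgroup-id.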
@@ -52,20 +52,20 @@ metadata: spec: initContainers: - name: busybox-init - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 envFrom: - secretRef: name: bottom-secret - name: busybox02-init - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 envFrom: - secretRef: name: top-secret - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 env: - name: ENV_SECRET valueFrom: @@ -80,20 +80,20 @@ metadata: spec: initContainers: - name: busybox-init - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 envFrom: - secretRef: name: not-secret - name: busybox02-init - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 envFrom: - secretRef: name: top-secret - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 env: - name: ENV_SECRET valueFrom: @@ -108,9 +108,9 @@ metadata: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 volumes: - name: not-secret-volume secret: diff --git a/other/restrict-secrets-by-label/.chainsaw-test/pod-good.yaml b/other/restrict-secrets-by-label/.chainsaw-test/pod-good.yaml index 07f7e709b..4aaa0d338 100644 --- a/other/restrict-secrets-by-label/.chainsaw-test/pod-good.yaml +++ b/other/restrict-secrets-by-label/.chainsaw-test/pod-good.yaml @@ -5,9 +5,9 @@ metadata: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 env: - name: ENV_SECRET valueFrom: 
@@ -22,9 +22,9 @@ metadata: spec: initContainers: - name: busybox-init - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: busybox02-init - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 env: - name: ENV_FOO value: "bar" @@ -35,9 +35,9 @@ spec: key: foo containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 env: - name: ENV_SECRET valueFrom: @@ -52,20 +52,20 @@ metadata: spec: initContainers: - name: busybox-init - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 envFrom: - secretRef: name: bottom-secret - name: busybox02-init - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 envFrom: - secretRef: name: bottom-secret - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 env: - name: ENV_SECRET valueFrom: @@ -80,9 +80,9 @@ metadata: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 volumes: - name: secret-volume secret: @@ -95,20 +95,20 @@ metadata: spec: initContainers: - name: busybox-init - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 envFrom: - secretRef: name: not-secret - name: busybox02-init - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 envFrom: - secretRef: name: not-so-secret - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 env: - name: ENV_SECRET valueFrom: diff --git a/other/restrict-secrets-by-label/.chainsaw-test/podcontroller-bad.yaml b/other/restrict-secrets-by-label/.chainsaw-test/podcontroller-bad.yaml index 2d7eaa2d4..6578bbd3d 100644 
--- a/other/restrict-secrets-by-label/.chainsaw-test/podcontroller-bad.yaml +++ b/other/restrict-secrets-by-label/.chainsaw-test/podcontroller-bad.yaml @@ -17,17 +17,17 @@ spec: spec: initContainers: - name: busybox-init - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 envFrom: - secretRef: name: bottom-secret - name: busybox02-init - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 env: - name: ENV_FOO value: "bar" @@ -56,9 +56,9 @@ spec: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 volumes: - name: secret-volume secret: @@ -76,17 +76,17 @@ spec: spec: initContainers: - name: busybox-init - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 envFrom: - secretRef: name: top-secret - name: busybox02-init - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 env: - name: ENV_FOO value: "bar" @@ -109,9 +109,9 @@ spec: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 volumes: - name: empty-volume emptyDir: {} diff --git a/other/restrict-secrets-by-label/.chainsaw-test/podcontroller-good.yaml b/other/restrict-secrets-by-label/.chainsaw-test/podcontroller-good.yaml index fec1aa792..3a8701e60 100644 --- a/other/restrict-secrets-by-label/.chainsaw-test/podcontroller-good.yaml +++ b/other/restrict-secrets-by-label/.chainsaw-test/podcontroller-good.yaml 
@@ -17,20 +17,20 @@ spec: spec: initContainers: - name: busybox-init - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 envFrom: - secretRef: name: not-secret - name: busybox02-init - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 envFrom: - secretRef: name: not-so-secret - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 env: - name: ENV_SECRET valueFrom: @@ -57,9 +57,9 @@ spec: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 volumes: - name: secret-volume secret: @@ -77,20 +77,20 @@ spec: spec: initContainers: - name: busybox-init - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 envFrom: - secretRef: name: not-secret - name: busybox02-init - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 envFrom: - secretRef: name: not-so-secret - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 env: - name: ENV_SECRET valueFrom: @@ -111,9 +111,9 @@ spec: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 volumes: - name: empty-volume emptyDir: {} diff --git a/other/restrict-secrets-by-label/artifacthub-pkg.yml b/other/restrict-secrets-by-label/artifacthub-pkg.yml index e9892292d..c9d9d0fe9 100644 --- a/other/restrict-secrets-by-label/artifacthub-pkg.yml +++ b/other/restrict-secrets-by-label/artifacthub-pkg.yml 
@@ -19,4 +19,4 @@ annotations: kyverno/category: "Other" kyverno/kubernetesVersion: "1.23" kyverno/subject: "Pod, Secret" -digest: cac5d5e5de6d58442abd4e904d5d0f8e5b3f6173db4b0e5a2403a2cc85e84371 +digest: ed7a9afd18b3a9679c24da6d8715c0a678cf89010d5f78d266b57db38313dd55 diff --git a/other/restrict-secrets-by-label/restrict-secrets-by-label.yaml b/other/restrict-secrets-by-label/restrict-secrets-by-label.yaml index 6990dcc72..6a9cc2838 100644 --- a/other/restrict-secrets-by-label/restrict-secrets-by-label.yaml +++ b/other/restrict-secrets-by-label/restrict-secrets-by-label.yaml @@ -17,7 +17,7 @@ metadata: that only Secrets not labeled with `status=protected` can be consumed by Pods. spec: background: false - validationFailureAction: Audit + validationFailureAction: audit rules: - name: secrets-lookup-from-env match: diff --git a/other/restrict-secrets-by-name/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other/restrict-secrets-by-name/.chainsaw-test/chainsaw-step-01-assert-1.yaml index 3e186f629..1dfdeb90d 100755 --- a/other/restrict-secrets-by-name/.chainsaw-test/chainsaw-step-01-assert-1.yaml +++ b/other/restrict-secrets-by-name/.chainsaw-test/chainsaw-step-01-assert-1.yaml @@ -3,8 +3,4 @@ kind: ClusterPolicy metadata: name: restrict-secrets-by-name status: - conditions: - - reason: Succeeded - status: "True" - type: Ready - + ready: true diff --git a/other/restrict-secrets-by-name/.chainsaw-test/chainsaw-test.yaml b/other/restrict-secrets-by-name/.chainsaw-test/chainsaw-test.yaml index e99a03411..c13e4e42b 100755 --- a/other/restrict-secrets-by-name/.chainsaw-test/chainsaw-test.yaml +++ b/other/restrict-secrets-by-name/.chainsaw-test/chainsaw-test.yaml @@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: 
@@ -8,16 +7,9 @@ spec: steps: - name: step-01 try: - - apply: - file: ../restrict-secrets-by-name.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: restrict-secrets-by-name - spec: - validationFailureAction: Enforce + - script: + content: | + sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../restrict-secrets-by-name.yaml | kubectl create -f - - assert: file: chainsaw-step-01-assert-1.yaml - name: step-02 @@ -36,3 +28,10 @@ spec: - check: ($error != null): true file: podcontroller-bad.yaml + - name: step-99 + try: + - delete: + ref: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: restrict-secrets-by-name diff --git a/other/restrict-secrets-by-name/.chainsaw-test/pod-bad.yaml b/other/restrict-secrets-by-name/.chainsaw-test/pod-bad.yaml index ccee7d259..e1dd9b7ef 100644 --- a/other/restrict-secrets-by-name/.chainsaw-test/pod-bad.yaml +++ b/other/restrict-secrets-by-name/.chainsaw-test/pod-bad.yaml @@ -5,9 +5,9 @@ metadata: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 env: - name: ENV_SECRET valueFrom: @@ -22,9 +22,9 @@ metadata: spec: initContainers: - name: busybox-init - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: busybox02-init - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 env: - name: ENV_FOO value: "bar" @@ -35,9 +35,9 @@ spec: key: foo containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 env: - name: ENV_SECRET valueFrom: 
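Review bot: The `sed` in `@@ -8,16 +7,9 @@` rewrites `validationFailureAction: audit`, but this same commit changes restrict-secrets-by-name.yaml to `validationFailureAction: enforce` (see its hunk further down), so the substitution never matches and the step only works because the source policy already runs in enforce mode. That coupling is invisible to the reader; the step would be clearer as a plain `kubectl create -f ../restrict-secrets-by-name.yaml`, or the pattern should cover the audit spelling deliberately with a comment, so that a future switch of the policy to audit does not silently produce an Audit-mode test policy.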
@@ -52,20 +52,20 @@ metadata: spec: initContainers: - name: busybox-init - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 envFrom: - secretRef: name: safe-secret - name: busybox02-init - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 envFrom: - secretRef: name: top-secret - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 env: - name: ENV_SECRET valueFrom: @@ -80,9 +80,9 @@ metadata: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 volumes: - name: not-secret-volume secret: diff --git a/other/restrict-secrets-by-name/.chainsaw-test/pod-good.yaml b/other/restrict-secrets-by-name/.chainsaw-test/pod-good.yaml index bff4c6b38..a184066bd 100644 --- a/other/restrict-secrets-by-name/.chainsaw-test/pod-good.yaml +++ b/other/restrict-secrets-by-name/.chainsaw-test/pod-good.yaml @@ -5,9 +5,9 @@ metadata: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 env: - name: ENV_SECRET valueFrom: @@ -22,9 +22,9 @@ metadata: spec: initContainers: - name: busybox-init - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: busybox02-init - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 env: - name: ENV_FOO value: "bar" @@ -35,9 +35,9 @@ spec: key: foo containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 env: - name: ENV_SECRET valueFrom: 
@@ -52,20 +52,20 @@ metadata: spec: initContainers: - name: busybox-init - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 envFrom: - secretRef: name: safe-secret - name: busybox02-init - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 envFrom: - secretRef: name: safe-secret - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 env: - name: ENV_SECRET valueFrom: @@ -80,9 +80,9 @@ metadata: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 volumes: - name: empty-volume emptyDir: {} diff --git a/other/restrict-secrets-by-name/.chainsaw-test/podcontroller-bad.yaml b/other/restrict-secrets-by-name/.chainsaw-test/podcontroller-bad.yaml index eb30243ac..03aa8e484 100644 --- a/other/restrict-secrets-by-name/.chainsaw-test/podcontroller-bad.yaml +++ b/other/restrict-secrets-by-name/.chainsaw-test/podcontroller-bad.yaml @@ -17,17 +17,17 @@ spec: spec: initContainers: - name: busybox-init - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 envFrom: - secretRef: name: safe-secret - name: busybox02-init - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 env: - name: ENV_FOO value: "bar" @@ -56,9 +56,9 @@ spec: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 volumes: - name: secret-volume secret: 
@@ -76,17 +76,17 @@ spec: spec: initContainers: - name: busybox-init - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 envFrom: - secretRef: name: top-secret - name: busybox02-init - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 env: - name: ENV_FOO value: "bar" @@ -109,9 +109,9 @@ spec: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 volumes: - name: empty-volume emptyDir: {} diff --git a/other/restrict-secrets-by-name/.chainsaw-test/podcontroller-good.yaml b/other/restrict-secrets-by-name/.chainsaw-test/podcontroller-good.yaml index cfbd62478..18dabc169 100644 --- a/other/restrict-secrets-by-name/.chainsaw-test/podcontroller-good.yaml +++ b/other/restrict-secrets-by-name/.chainsaw-test/podcontroller-good.yaml @@ -17,17 +17,17 @@ spec: spec: initContainers: - name: busybox-init - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 envFrom: - secretRef: name: safe-secret - name: busybox02-init - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 env: - name: ENV_FOO value: "bar" @@ -56,9 +56,9 @@ spec: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 volumes: - name: secret-volume secret: 
@@ -76,17 +76,17 @@ spec: spec: initContainers: - name: busybox-init - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 envFrom: - secretRef: name: safe-secret - name: busybox02-init - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 env: - name: ENV_FOO value: "bar" @@ -109,9 +109,9 @@ spec: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 volumes: - name: empty-volume emptyDir: {} diff --git a/other/restrict-secrets-by-name/artifacthub-pkg.yml b/other/restrict-secrets-by-name/artifacthub-pkg.yml index e9d1cfcde..ef4305ff1 100644 --- a/other/restrict-secrets-by-name/artifacthub-pkg.yml +++ b/other/restrict-secrets-by-name/artifacthub-pkg.yml @@ -19,4 +19,4 @@ annotations: kyverno/category: "Other" kyverno/kubernetesVersion: "1.21" kyverno/subject: "Pod, Secret" -digest: f7f69fc8b018d902fdc489a7de1edf2d38d19f35be677ef607a49666e9f04149 +digest: b7e99348eb0fad19369fadce638e4494f39819c020ca5acaa1ca8ad3fa72d35f diff --git a/other/restrict-secrets-by-name/restrict-secrets-by-name.yaml b/other/restrict-secrets-by-name/restrict-secrets-by-name.yaml index a0f324da4..d7989a36e 100644 --- a/other/restrict-secrets-by-name/restrict-secrets-by-name.yaml +++ b/other/restrict-secrets-by-name/restrict-secrets-by-name.yaml @@ -18,7 +18,7 @@ metadata: result in a Secret being mounted. spec: background: false - validationFailureAction: Enforce + validationFailureAction: enforce rules: - name: safe-secrets-from-env match: diff --git a/other/restrict-service-account/artifacthub-pkg.yml b/other/restrict-service-account/artifacthub-pkg.yml index 138cbf43a..e07cd6af0 100644 --- a/other/restrict-service-account/artifacthub-pkg.yml 
+++ b/other/restrict-service-account/artifacthub-pkg.yml @@ -19,4 +19,4 @@ annotations: kyverno/category: "Sample" kyverno/kubernetesVersion: "1.23" kyverno/subject: "Pod,ServiceAccount" -digest: 119b2007c7a6ca4706240ad186bff0f3583c2b6b9b9d9b244c8a21d082cbf0e7 +digest: 2e6f8d9217bc2296083d793d71409c60b9c20cfed55592d31c7a2d460c3b6ae9 diff --git a/other/restrict-service-account/restrict-service-account.yaml b/other/restrict-service-account/restrict-service-account.yaml index 0a53836e2..63788548e 100644 --- a/other/restrict-service-account/restrict-service-account.yaml +++ b/other/restrict-service-account/restrict-service-account.yaml @@ -18,7 +18,7 @@ metadata: specified is matched based on the image and name of the container. For example: 'sa-name: ["registry/image-name"]' spec: - validationFailureAction: Audit + validationFailureAction: audit background: true rules: - name: validate-service-account diff --git a/other/restrict-service-port-range/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other/restrict-service-port-range/.chainsaw-test/chainsaw-step-01-assert-1.yaml index 07257ae91..8f2584462 100755 --- a/other/restrict-service-port-range/.chainsaw-test/chainsaw-step-01-assert-1.yaml +++ b/other/restrict-service-port-range/.chainsaw-test/chainsaw-step-01-assert-1.yaml @@ -3,8 +3,4 @@ kind: ClusterPolicy metadata: name: restrict-service-port-range status: - conditions: - - reason: Succeeded - status: "True" - type: Ready - + ready: true diff --git a/other/restrict-service-port-range/.chainsaw-test/chainsaw-test.yaml b/other/restrict-service-port-range/.chainsaw-test/chainsaw-test.yaml index c3d3a3e24..1ff827c9b 100755 --- a/other/restrict-service-port-range/.chainsaw-test/chainsaw-test.yaml +++ b/other/restrict-service-port-range/.chainsaw-test/chainsaw-test.yaml 
@@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: @@ -8,16 +7,9 @@ spec: steps: - name: step-01 try: - - apply: - file: ../restrict-service-port-range.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: restrict-service-port-range - spec: - validationFailureAction: Enforce + - script: + content: | + sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../restrict-service-port-range.yaml | kubectl create -f - - assert: file: chainsaw-step-01-assert-1.yaml - name: step-02 @@ -29,3 +21,10 @@ spec: - check: ($error != null): true file: svc-bad.yaml + - name: step-99 + try: + - delete: + ref: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: restrict-service-port-range diff --git a/other/restrict-service-port-range/artifacthub-pkg.yml b/other/restrict-service-port-range/artifacthub-pkg.yml index 820c3e958..9a5add890 100644 --- a/other/restrict-service-port-range/artifacthub-pkg.yml +++ b/other/restrict-service-port-range/artifacthub-pkg.yml @@ -19,4 +19,4 @@ annotations: kyverno/category: "Other" kyverno/kubernetesVersion: "1.23" kyverno/subject: "Service" -digest: d6e7a0b8d467dc8f00d06e509209cd3dd90e97b42ffab8ef560b5ef7fbe1f531 +digest: fdd0c49e20e23a9aa4fb79712a0850b474421a33358c110ac586d1c169f66afd diff --git a/other/restrict-service-port-range/restrict-service-port-range.yaml b/other/restrict-service-port-range/restrict-service-port-range.yaml index 5113f7db0..feaacd485 100644 --- a/other/restrict-service-port-range/restrict-service-port-range.yaml +++ b/other/restrict-service-port-range/restrict-service-port-range.yaml 
@@ -17,7 +17,7 @@ metadata: This policy enforces that only the port range 32000 to 33000 may be used for Service resources. spec: - validationFailureAction: Audit + validationFailureAction: audit rules: - name: restrict-port-range match: diff --git a/other/restrict-storageclass/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other/restrict-storageclass/.chainsaw-test/chainsaw-step-01-assert-1.yaml index 8dd985a78..671726afd 100755 --- a/other/restrict-storageclass/.chainsaw-test/chainsaw-step-01-assert-1.yaml +++ b/other/restrict-storageclass/.chainsaw-test/chainsaw-step-01-assert-1.yaml @@ -3,8 +3,4 @@ kind: ClusterPolicy metadata: name: restrict-storageclass status: - conditions: - - reason: Succeeded - status: "True" - type: Ready - + ready: true diff --git a/other/restrict-storageclass/.chainsaw-test/chainsaw-test.yaml b/other/restrict-storageclass/.chainsaw-test/chainsaw-test.yaml index 5b3838106..2a78a606c 100755 --- a/other/restrict-storageclass/.chainsaw-test/chainsaw-test.yaml +++ b/other/restrict-storageclass/.chainsaw-test/chainsaw-test.yaml @@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: @@ -8,16 +7,9 @@ spec: steps: - name: step-01 try: - - apply: - file: ../restrict-storageclass.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: restrict-storageclass - spec: - validationFailureAction: Enforce + - script: + content: | + sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../restrict-storageclass.yaml | kubectl create -f - - assert: file: chainsaw-step-01-assert-1.yaml - name: step-02 @@ -29,3 +21,10 @@ spec: - check: ($error != null): true file: sc-bad.yaml + - name: step-99 + try: + - delete: + ref: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: restrict-storageclass 
diff --git a/other/restrict-storageclass/artifacthub-pkg.yml b/other/restrict-storageclass/artifacthub-pkg.yml index bbd67b17c..b291ad7ba 100644 --- a/other/restrict-storageclass/artifacthub-pkg.yml +++ b/other/restrict-storageclass/artifacthub-pkg.yml @@ -19,4 +19,4 @@ readme: | annotations: kyverno/category: "Other, Multi-Tenancy" kyverno/subject: "StorageClass" -digest: 757dc74948bb948eb799a7cd02506980c6c4c79e2574c1ef5e3f79dbcf4cd2e7 +digest: 45f76a11eb13298cb775e980d8327414de5b7496e2f8c9c5b5f93c9c960a409d diff --git a/other/restrict-storageclass/restrict-storageclass.yaml b/other/restrict-storageclass/restrict-storageclass.yaml index e3fb73413..77a222a9e 100644 --- a/other/restrict-storageclass/restrict-storageclass.yaml +++ b/other/restrict-storageclass/restrict-storageclass.yaml @@ -15,7 +15,7 @@ metadata: a PersistentVolume cannot be reused across Namespaces. This policy requires StorageClasses set a reclaimPolicy of `Delete`. spec: - validationFailureAction: Audit + validationFailureAction: audit background: true rules: - name: storageclass-delete diff --git a/other/restrict-usergroup-fsgroup-id/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other/restrict-usergroup-fsgroup-id/.chainsaw-test/chainsaw-step-01-assert-1.yaml index f0db745d7..ec8e34add 100755 --- a/other/restrict-usergroup-fsgroup-id/.chainsaw-test/chainsaw-step-01-assert-1.yaml +++ b/other/restrict-usergroup-fsgroup-id/.chainsaw-test/chainsaw-step-01-assert-1.yaml @@ -3,8 +3,4 @@ kind: ClusterPolicy metadata: name: validate-userid-groupid-fsgroup status: - conditions: - - reason: Succeeded - status: "True" - type: Ready - + ready: true diff --git a/other/restrict-usergroup-fsgroup-id/.chainsaw-test/chainsaw-test.yaml b/other/restrict-usergroup-fsgroup-id/.chainsaw-test/chainsaw-test.yaml index 9329d0e34..7c273b6eb 100755 --- a/other/restrict-usergroup-fsgroup-id/.chainsaw-test/chainsaw-test.yaml +++ b/other/restrict-usergroup-fsgroup-id/.chainsaw-test/chainsaw-test.yaml 
@@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: @@ -8,16 +7,9 @@ spec: steps: - name: step-01 try: - - apply: - file: ../restrict-usergroup-fsgroup-id.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: validate-userid-groupid-fsgroup - spec: - validationFailureAction: Enforce + - script: + content: | + sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../restrict-usergroup-fsgroup-id.yaml | kubectl create -f - - assert: file: chainsaw-step-01-assert-1.yaml - name: step-02 @@ -36,3 +28,10 @@ spec: - check: ($error != null): true file: podcontroller-bad.yaml + - name: step-99 + try: + - delete: + ref: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: validate-userid-groupid-fsgroup diff --git a/other/restrict-usergroup-fsgroup-id/.chainsaw-test/pod-bad.yaml b/other/restrict-usergroup-fsgroup-id/.chainsaw-test/pod-bad.yaml index 6f5e811f9..39f787f33 100644 --- a/other/restrict-usergroup-fsgroup-id/.chainsaw-test/pod-bad.yaml +++ b/other/restrict-usergroup-fsgroup-id/.chainsaw-test/pod-bad.yaml @@ -9,9 +9,9 @@ spec: fsGroup: 3000 containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod @@ -22,9 +22,9 @@ spec: fsGroup: 2000 containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod @@ -35,9 +35,9 @@ spec: runAsUser: 1000 containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod 
@@ -48,6 +48,6 @@ spec: runAsGroup: 4000 containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 \ No newline at end of file + image: busybox:1.35 \ No newline at end of file diff --git a/other/restrict-usergroup-fsgroup-id/.chainsaw-test/pod-good.yaml b/other/restrict-usergroup-fsgroup-id/.chainsaw-test/pod-good.yaml index 8f55ad883..2c478309e 100644 --- a/other/restrict-usergroup-fsgroup-id/.chainsaw-test/pod-good.yaml +++ b/other/restrict-usergroup-fsgroup-id/.chainsaw-test/pod-good.yaml @@ -9,6 +9,6 @@ spec: fsGroup: 2000 containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 \ No newline at end of file + image: busybox:1.35 \ No newline at end of file diff --git a/other/restrict-usergroup-fsgroup-id/.chainsaw-test/podcontroller-bad.yaml b/other/restrict-usergroup-fsgroup-id/.chainsaw-test/podcontroller-bad.yaml index 4c55cd19d..4647f8bc8 100644 --- a/other/restrict-usergroup-fsgroup-id/.chainsaw-test/podcontroller-bad.yaml +++ b/other/restrict-usergroup-fsgroup-id/.chainsaw-test/podcontroller-bad.yaml @@ -21,9 +21,9 @@ spec: fsGroup: 3000 containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: batch/v1 kind: CronJob @@ -41,7 +41,7 @@ spec: fsGroup: 3000 containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 restartPolicy: OnFailure \ No newline at end of file diff --git a/other/restrict-usergroup-fsgroup-id/.chainsaw-test/podcontroller-good.yaml b/other/restrict-usergroup-fsgroup-id/.chainsaw-test/podcontroller-good.yaml index 83bd236e3..b636710ad 100644 
--- a/other/restrict-usergroup-fsgroup-id/.chainsaw-test/podcontroller-good.yaml +++ b/other/restrict-usergroup-fsgroup-id/.chainsaw-test/podcontroller-good.yaml @@ -21,9 +21,9 @@ spec: fsGroup: 2000 containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: batch/v1 kind: CronJob @@ -41,7 +41,7 @@ spec: fsGroup: 2000 containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 restartPolicy: OnFailure \ No newline at end of file diff --git a/other/restrict-usergroup-fsgroup-id/.kyverno-test/kyverno-test.yaml b/other/restrict-usergroup-fsgroup-id/.kyverno-test/kyverno-test.yaml index dbd6dbcdb..20704827f 100644 --- a/other/restrict-usergroup-fsgroup-id/.kyverno-test/kyverno-test.yaml +++ b/other/restrict-usergroup-fsgroup-id/.kyverno-test/kyverno-test.yaml @@ -10,37 +10,18 @@ results: - kind: Pod policy: validate-userid-groupid-fsgroup resources: - - goodpod + - default/myapp-pod result: pass - rule: validate-userid + rule: validate-fsgroup - kind: Pod policy: validate-userid-groupid-fsgroup resources: - - goodpod + - default/myapp-pod result: pass rule: validate-groupid - kind: Pod policy: validate-userid-groupid-fsgroup resources: - - goodpod + - default/myapp-pod result: pass - rule: validate-fsgroup -- kind: Pod - policy: validate-userid-groupid-fsgroup - resources: - - badpod - result: fail rule: validate-userid -- kind: Pod - policy: validate-userid-groupid-fsgroup - resources: - - badpod - result: fail - rule: validate-groupid -- kind: Pod - policy: validate-userid-groupid-fsgroup - resources: - - badpod - result: fail - rule: validate-fsgroup - 
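Review bot: The kyverno-test.yaml for restrict-usergroup-fsgroup-id now holds only `pass` results for `default/myapp-pod`; the three `result: fail` entries for `badpod` are removed, and resource.yaml in the next hunk drops the `badpod` document itself, so the CLI test no longer proves that any of the three rules rejects a non-compliant securityContext. A validate-policy test with only passing resources cannot tell a working rule from one whose pattern matches nothing. Keep one non-compliant Pod (the removed `badpod` with `runAsUser: 3000`, `runAsGroup: 1000`, `fsGroup: 3000`) together with its three `result: fail` entries. The same commit deletes the whole kyverno-test for restrict-wildcard-resources and restrict-wildcard-verbs, which removes their negative cases as well.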
diff --git a/other/restrict-usergroup-fsgroup-id/.kyverno-test/resource.yaml b/other/restrict-usergroup-fsgroup-id/.kyverno-test/resource.yaml index 7e1ce1d5e..c9a02ddfd 100644 --- a/other/restrict-usergroup-fsgroup-id/.kyverno-test/resource.yaml +++ b/other/restrict-usergroup-fsgroup-id/.kyverno-test/resource.yaml @@ -1,7 +1,7 @@ apiVersion: v1 kind: Pod metadata: - name: goodpod + name: myapp-pod labels: app: myapp spec: @@ -11,20 +11,4 @@ spec: fsGroup: 2000 containers: - name: busy - image: busybox ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod - labels: - app: myapp -spec: - securityContext: - runAsUser: 3000 - runAsGroup: 1000 - fsGroup: 3000 - containers: - - name: busy - image: busybox - + image: busybox \ No newline at end of file diff --git a/other/restrict-usergroup-fsgroup-id/artifacthub-pkg.yml b/other/restrict-usergroup-fsgroup-id/artifacthub-pkg.yml index 4e3971dd4..f9cc87dc4 100644 --- a/other/restrict-usergroup-fsgroup-id/artifacthub-pkg.yml +++ b/other/restrict-usergroup-fsgroup-id/artifacthub-pkg.yml @@ -18,4 +18,4 @@ readme: | annotations: kyverno/category: "Sample" kyverno/subject: "Pod" -digest: 5d0262e16c46c10cb3eb0e211b33f363d12a8222780951b32a7b91e8b718b480 +digest: 6d9326c04e9bb93aac3b2a7d44c922d02032fc35cf9e06cb8174babd16916189 diff --git a/other/restrict-usergroup-fsgroup-id/restrict-usergroup-fsgroup-id.yaml b/other/restrict-usergroup-fsgroup-id/restrict-usergroup-fsgroup-id.yaml index 776dc75c3..37f8b2878 100644 --- a/other/restrict-usergroup-fsgroup-id/restrict-usergroup-fsgroup-id.yaml +++ b/other/restrict-usergroup-fsgroup-id/restrict-usergroup-fsgroup-id.yaml @@ -14,7 +14,7 @@ metadata: to make sure any file created in the volume will have the specified groupID. This policy validates that these fields are set to the defined values. spec: - validationFailureAction: Audit + validationFailureAction: audit background: true rules: - name: validate-userid 
diff --git a/other/restrict-wildcard-resources/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other/restrict-wildcard-resources/.chainsaw-test/chainsaw-step-01-assert-1.yaml index f00b31b9c..f8b1749c0 100755 --- a/other/restrict-wildcard-resources/.chainsaw-test/chainsaw-step-01-assert-1.yaml +++ b/other/restrict-wildcard-resources/.chainsaw-test/chainsaw-step-01-assert-1.yaml @@ -3,8 +3,4 @@ kind: ClusterPolicy metadata: name: restrict-wildcard-resources status: - conditions: - - reason: Succeeded - status: "True" - type: Ready - + ready: true diff --git a/other/restrict-wildcard-resources/.chainsaw-test/chainsaw-test.yaml b/other/restrict-wildcard-resources/.chainsaw-test/chainsaw-test.yaml index bceb928d8..e8f6e5a40 100755 --- a/other/restrict-wildcard-resources/.chainsaw-test/chainsaw-test.yaml +++ b/other/restrict-wildcard-resources/.chainsaw-test/chainsaw-test.yaml @@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: @@ -8,16 +7,9 @@ spec: steps: - name: step-01 try: - - apply: - file: ../restrict-wildcard-resources.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: restrict-wildcard-resources - spec: - validationFailureAction: Enforce + - script: + content: | + sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../restrict-wildcard-resources.yaml | kubectl create -f - - assert: file: chainsaw-step-01-assert-1.yaml - name: step-02 @@ -36,3 +28,10 @@ spec: - check: ($error != null): true file: role-bad.yaml + - name: step-99 + try: + - delete: + ref: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: restrict-wildcard-resources diff --git a/other/restrict-wildcard-resources/.kyverno-test/kyverno-test.yaml b/other/restrict-wildcard-resources/.kyverno-test/kyverno-test.yaml deleted file mode 100644 index 497b788f3..000000000 
--- a/other/restrict-wildcard-resources/.kyverno-test/kyverno-test.yaml +++ /dev/null @@ -1,48 +0,0 @@ -apiVersion: cli.kyverno.io/v1alpha1 -kind: Test -metadata: - name: restrict-wildcard-resources -policies: -- ../restrict-wildcard-resources.yaml -resources: -- ../.chainsaw-test/cr-bad.yaml -- ../.chainsaw-test/cr-good.yaml -- ../.chainsaw-test/role-bad.yaml -- ../.chainsaw-test/role-good.yaml -results: -- policy: restrict-wildcard-resources - rule: wildcard-resources - kind: ClusterRole - resources: - - badcr01 - - badcr02 - - badcr03 - result: fail -- policy: restrict-wildcard-resources - rule: wildcard-resources - kind: ClusterRole - resources: - - goodcr01 - - goodcr02 - - goodcr03 - - goodcr04 - - goodcr05 - result: pass -- policy: restrict-wildcard-resources - rule: wildcard-resources - kind: Role - resources: - - badcr01 - - badcr02 - - badcr03 - result: fail -- policy: restrict-wildcard-resources - rule: wildcard-resources - kind: Role - resources: - - goodcr01 - - goodcr02 - - goodcr03 - - goodcr04 - - goodcr05 - result: pass diff --git a/other/restrict-wildcard-resources/artifacthub-pkg.yml b/other/restrict-wildcard-resources/artifacthub-pkg.yml index e615875f1..83e9d11bb 100644 --- a/other/restrict-wildcard-resources/artifacthub-pkg.yml +++ b/other/restrict-wildcard-resources/artifacthub-pkg.yml @@ -20,4 +20,4 @@ annotations: kyverno/category: "Security, EKS Best Practices" kyverno/kubernetesVersion: "1.23" kyverno/subject: "ClusterRole, Role, RBAC" -digest: 311d2cd912524e95dd356dba1366967200954540388500e00a3772ff89f9e7ee +digest: 7a7dbb2922a03060c6eddd2b0a1f55aca4bc2651b271e036acac8aec45251f99 diff --git a/other/restrict-wildcard-resources/restrict-wildcard-resources.yaml b/other/restrict-wildcard-resources/restrict-wildcard-resources.yaml index 316f552c7..003404417 100644 --- a/other/restrict-wildcard-resources/restrict-wildcard-resources.yaml +++ b/other/restrict-wildcard-resources/restrict-wildcard-resources.yaml 
@@ -17,7 +17,7 @@ metadata: This policy blocks any Role or ClusterRole that contains a wildcard entry in the resources list found in any rule. spec: - validationFailureAction: Audit + validationFailureAction: audit background: true rules: - name: wildcard-resources diff --git a/other/restrict-wildcard-verbs/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other/restrict-wildcard-verbs/.chainsaw-test/chainsaw-step-01-assert-1.yaml index 68363af9d..fe34e2e7e 100755 --- a/other/restrict-wildcard-verbs/.chainsaw-test/chainsaw-step-01-assert-1.yaml +++ b/other/restrict-wildcard-verbs/.chainsaw-test/chainsaw-step-01-assert-1.yaml @@ -3,8 +3,4 @@ kind: ClusterPolicy metadata: name: restrict-wildcard-verbs status: - conditions: - - reason: Succeeded - status: "True" - type: Ready - + ready: true diff --git a/other/restrict-wildcard-verbs/.chainsaw-test/chainsaw-test.yaml b/other/restrict-wildcard-verbs/.chainsaw-test/chainsaw-test.yaml index 22bee3507..cd16a81ab 100755 --- a/other/restrict-wildcard-verbs/.chainsaw-test/chainsaw-test.yaml +++ b/other/restrict-wildcard-verbs/.chainsaw-test/chainsaw-test.yaml @@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: @@ -8,16 +7,9 @@ spec: steps: - name: step-01 try: - - apply: - file: ../restrict-wildcard-verbs.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: restrict-wildcard-verbs - spec: - validationFailureAction: Enforce + - script: + content: | + sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../restrict-wildcard-verbs.yaml | kubectl create -f - - assert: file: chainsaw-step-01-assert-1.yaml - name: step-02 
@@ -36,3 +28,10 @@ spec: - check: ($error != null): true file: role-bad.yaml + - name: step-99 + try: + - delete: + ref: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: restrict-wildcard-verbs diff --git a/other/restrict-wildcard-verbs/.kyverno-test/kyverno-test.yaml b/other/restrict-wildcard-verbs/.kyverno-test/kyverno-test.yaml deleted file mode 100644 index c3b046c4c..000000000 --- a/other/restrict-wildcard-verbs/.kyverno-test/kyverno-test.yaml +++ /dev/null @@ -1,49 +0,0 @@ -apiVersion: cli.kyverno.io/v1alpha1 -kind: Test -metadata: - name: restrict-verbs -policies: - - ../restrict-wildcard-verbs.yaml -resources: - - resource.yaml -results: - - policy: restrict-wildcard-verbs - rule: wildcard-verbs - resource: empty-rules - kind: ClusterRole - result: pass - - policy: restrict-wildcard-verbs - rule: wildcard-verbs - resource: empty-rules - kind: Role - result: pass - - policy: restrict-wildcard-verbs - rule: wildcard-verbs - resource: omitted-rules - kind: ClusterRole - result: pass - - policy: restrict-wildcard-verbs - rule: wildcard-verbs - resource: omitted-rules - kind: Role - result: pass - - policy: restrict-wildcard-verbs - rule: wildcard-verbs - resource: wildcard-once - kind: ClusterRole - result: fail - - policy: restrict-wildcard-verbs - rule: wildcard-verbs - resource: wildcard-once - kind: Role - result: fail - - policy: restrict-wildcard-verbs - rule: wildcard-verbs - resource: wildcard-with-another-verb - kind: ClusterRole - result: fail - - policy: restrict-wildcard-verbs - rule: wildcard-verbs - resource: wildcard-with-another-verb - kind: Role - result: fail diff --git a/other/restrict-wildcard-verbs/.kyverno-test/resource.yaml b/other/restrict-wildcard-verbs/.kyverno-test/resource.yaml deleted file mode 100644 index a27a73479..000000000 --- a/other/restrict-wildcard-verbs/.kyverno-test/resource.yaml +++ /dev/null 
@@ -1,61 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: empty-rules -rules: ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: empty-rules - namespace: test -rules: ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: omitted-rules ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: omitted-rules - namespace: test ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: wildcard-once -rules: -- apiGroups: [""] - resources: ["secrets"] - verbs: ["*"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: wildcard-once - namespace: test -rules: -- apiGroups: [""] - resources: ["secrets"] - verbs: ["*"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: wildcard-with-another-verb -rules: -- apiGroups: ["my-arbitrary-group"] - resources: ["my-resource"] - verbs: ["GET", "*"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: wildcard-with-another-verb - namespace: test -rules: -- apiGroups: ["my-arbitrary-group"] - resources: ["my-resource"] - verbs: ["GET", "*"] diff --git a/other/restrict-wildcard-verbs/artifacthub-pkg.yml b/other/restrict-wildcard-verbs/artifacthub-pkg.yml index 4fd401fa9..096591d1e 100644 --- a/other/restrict-wildcard-verbs/artifacthub-pkg.yml +++ b/other/restrict-wildcard-verbs/artifacthub-pkg.yml @@ -20,4 +20,4 @@ annotations: kyverno/category: "Security, EKS Best Practices" kyverno/kubernetesVersion: "1.23" kyverno/subject: "Role, ClusterRole, RBAC" -digest: fc70320b1c882684a48f67314bf2631e11b8ac040aa2c1a45b4d5c88e2e81e76 +digest: 3107969ac2e467ebca02514dd6c099b05b9294bc863e8e45b0d58e0ec5c1cbb6 diff --git a/other/restrict-wildcard-verbs/restrict-wildcard-verbs.yaml b/other/restrict-wildcard-verbs/restrict-wildcard-verbs.yaml index ac0943c58..3bad86f7e 100644 
--- a/other/restrict-wildcard-verbs/restrict-wildcard-verbs.yaml +++ b/other/restrict-wildcard-verbs/restrict-wildcard-verbs.yaml @@ -17,7 +17,7 @@ metadata: This policy blocks any Role or ClusterRole that contains a wildcard entry in the verbs list found in any rule. spec: - validationFailureAction: Audit + validationFailureAction: audit background: true rules: - name: wildcard-verbs @@ -32,6 +32,6 @@ spec: deny: conditions: any: - - key: "{{ contains(to_array(request.object.rules[].verbs[]), '*') }}" + - key: "{{ contains(request.object.rules[].verbs[], '*') }}" operator: Equals - value: true + value: true \ No newline at end of file diff --git a/other/scale-deployment-zero/.chainsaw-test/chainsaw-test.yaml b/other/scale-deployment-zero/.chainsaw-test/chainsaw-test.yaml index 8b0249a92..b1f5a20b5 100755 --- a/other/scale-deployment-zero/.chainsaw-test/chainsaw-test.yaml +++ b/other/scale-deployment-zero/.chainsaw-test/chainsaw-test.yaml @@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: @@ -14,9 +13,11 @@ spec: try: - script: content: | - kubectl get configmap -n kyverno kyverno -o yaml | sed 's/system\:nodes/system\:thisisjunk/g' | kubectl apply -f - - - sleep: - duration: 5s + kubectl get configmap -n kyverno kyverno -o yaml | sed 's/system\:nodes/system\:thisisjunk/g' - | kubectl apply -f - + - command: + args: + - "5" + entrypoint: sleep - name: step-02 try: - apply: @@ -39,6 +40,8 @@ spec: try: - script: content: | - kubectl get configmap -n kyverno kyverno -o yaml | sed 's/system\:thisisjunk/system\:nodes/g' | kubectl apply -f - - - sleep: - duration: 5s + kubectl get configmap -n kyverno kyverno -o yaml | sed 's/system\:thisisjunk/system\:nodes/g' - | kubectl apply -f - + - command: + args: + - "5" + entrypoint: sleep 
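Review bot: Dropping `to_array()` from the deny condition changes behaviour for Roles and ClusterRoles whose `rules` list is empty or omitted: `request.object.rules[].verbs[]` then yields null rather than an array, and on a strict JMESPath implementation `contains()` on null is an invalid-type error rather than `false`, so objects that previously passed may now make the rule error. The deleted .kyverno-test/resource.yaml covered exactly these cases (`empty-rules` and `omitted-rules`, both expected `pass`), and this commit removes those tests at the same time, so the regression would go unnoticed. Either keep `- key: "{{ contains(to_array(request.object.rules[].verbs[]), '*') }}"` or add a comment explaining why the guard is no longer needed, and restore the empty/omitted-rules cases. The file also loses its trailing newline in this hunk.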
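Review bot: The rewritten step-01 script passes a bare `-` operand to sed (`sed 's/system\:nodes/system\:thisisjunk/g' - | kubectl apply -f -`), which relies on the implementation treating `-` as standard input; GNU and BusyBox sed do, POSIX does not specify it, and the operand adds nothing over the original pipeline, so `sed 's/system\:nodes/system\:thisisjunk/g' | kubectl apply -f -` is the safer form. The declarative `sleep: duration: 5s` is replaced with a shell `sleep 5`; both are fixed delays waiting for the ConfigMap change to take effect, and an `assert` on the expected ConfigMap content would be more robust than either. Since the step rewrites Kyverno's own ConfigMap in the live cluster, the restore script at the end of the file is load-bearing; whether it runs when step-02 fails depends on chainsaw's failure handling and is worth confirming. The same `-` operand appears in that restore script.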
diff --git a/other/scale-deployment-zero/.chainsaw-test/policy-ready.yaml b/other/scale-deployment-zero/.chainsaw-test/policy-ready.yaml index a5890b2af..07da4412e 100644 --- a/other/scale-deployment-zero/.chainsaw-test/policy-ready.yaml +++ b/other/scale-deployment-zero/.chainsaw-test/policy-ready.yaml @@ -3,7 +3,4 @@ kind: ClusterPolicy metadata: name: scale-deployment-zero status: - conditions: - - reason: Succeeded - status: "True" - type: Ready + ready: true \ No newline at end of file diff --git a/other/scale-deployment-zero/artifacthub-pkg.yml b/other/scale-deployment-zero/artifacthub-pkg.yml index 2e6845010..7d9ae1a7d 100644 --- a/other/scale-deployment-zero/artifacthub-pkg.yml +++ b/other/scale-deployment-zero/artifacthub-pkg.yml 
@@ -3,9 +3,7 @@ version: 1.0.0 displayName: Scale Deployment to Zero createdAt: "2023-04-10T20:30:07.000Z" description: >- - If a Deployment's Pods are seen crashing multiple times it usually indicates there is an issue that must be manually resolved. Removing the failing Pods and marking the Deployment is often a useful troubleshooting step. This policy watches existing Pods and if any are observed to have restarted more than once, indicating a potential crashloop, Kyverno scales its parent deployment to zero and writes an annotation signaling to an SRE team that troubleshooting is needed. It may be necessary to grant additional privileges to the Kyverno ServiceAccount, via one of the existing ClusterRoleBindings or a new one, so it can modify Deployments.This policy scales down deployments with frequently restarting pods by monitoring `Pod.status` for `restartCount` - updates, which are performed by the kubelet. No `resourceFilter` modifications are needed if matching on `Pod`and `Pod.status`. - Note: For this policy to work, you must modify Kyverno's ConfigMap to remove or change the line `excludeGroups: system:nodes` since version 1.10. + If a Deployment's Pods are seen crashing multiple times it usually indicates there is an issue that must be manually resolved. Removing the failing Pods and marking the Deployment is often a useful troubleshooting step. This policy watches existing Pods and if any are observed to have restarted more than once, indicating a potential crashloop, Kyverno scales its parent deployment to zero and writes an annotation signaling to an SRE team that troubleshooting is needed. It may be necessary to grant additional privileges to the Kyverno ServiceAccount, via one of the existing ClusterRoleBindings or a new one, so it can modify Deployments. install: |- ```shell kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/scale-deployment-zero/scale-deployment-zero.yaml 
@@ -14,13 +12,11 @@ keywords: - kyverno - other readme: | - If a Deployment's Pods are seen crashing multiple times it usually indicates there is an issue that must be manually resolved. Removing the failing Pods and marking the Deployment is often a useful troubleshooting step. This policy watches existing Pods and if any are observed to have restarted more than once, indicating a potential crashloop, Kyverno scales its parent deployment to zero and writes an annotation signaling to an SRE team that troubleshooting is needed. It may be necessary to grant additional privileges to the Kyverno ServiceAccount, via one of the existing ClusterRoleBindings or a new one, so it can modify Deployments. This policy scales down deployments with frequently restarting pods by monitoring `Pod.status` for `restartCount` - updates, which are performed by the kubelet. No `resourceFilter` modifications are needed if matching on `Pod` and `Pod.status`. - Note: For this policy to work, you must modify Kyverno's ConfigMap to remove or change the line `excludeGroups: system:nodes` since version 1.10. + If a Deployment's Pods are seen crashing multiple times it usually indicates there is an issue that must be manually resolved. Removing the failing Pods and marking the Deployment is often a useful troubleshooting step. This policy watches existing Pods and if any are observed to have restarted more than once, indicating a potential crashloop, Kyverno scales its parent deployment to zero and writes an annotation signaling to an SRE team that troubleshooting is needed. It may be necessary to grant additional privileges to the Kyverno ServiceAccount, via one of the existing ClusterRoleBindings or a new one, so it can modify Deployments. 
Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ annotations: kyverno/category: "Other" kyverno/kubernetesVersion: "1.23" kyverno/subject: "Deployment" -digest: 4f6fff86d18795edfb1ba656ea055a05a31bc711787aec1e87c84c11f27503e2 +digest: 29025a98c509c07e1cc2d00b311d828382c14ce218383ba8b3da7269a7253343 diff --git a/other/scale-deployment-zero/scale-deployment-zero.yaml b/other/scale-deployment-zero/scale-deployment-zero.yaml index dd72902b9..03aa883a4 100644 --- a/other/scale-deployment-zero/scale-deployment-zero.yaml +++ b/other/scale-deployment-zero/scale-deployment-zero.yaml @@ -19,11 +19,6 @@ metadata: and writes an annotation signaling to an SRE team that troubleshooting is needed. It may be necessary to grant additional privileges to the Kyverno ServiceAccount, via one of the existing ClusterRoleBindings or a new one, so it can modify Deployments. - This policy scales down deployments with frequently restarting pods by monitoring `Pod.status` - for `restartCount`updates, which are performed by the kubelet. No `resourceFilter` modifications - are needed if matching on `Pod`and `Pod.status`. - Note: For this policy to work, you must modify Kyverno's ConfigMap to remove or change the line - `excludeGroups: system:nodes` since version 1.10. spec: rules: - name: annotate-deployment-rule diff --git a/other/spread-pods-across-topology/.chainsaw-test/chainsaw-test.yaml b/other/spread-pods-across-topology/.chainsaw-test/chainsaw-test.yaml index cfd60a81a..7dcf1a2fe 100755 --- a/other/spread-pods-across-topology/.chainsaw-test/chainsaw-test.yaml +++ b/other/spread-pods-across-topology/.chainsaw-test/chainsaw-test.yaml @@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: 
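Review bot: The removed description lines were the only place the policy told operators that Kyverno's ConfigMap must have the `excludeGroups: system:nodes` entry removed or changed for the kubelet's `restartCount` updates to reach the policy; the chainsaw test in this same commit still performs that ConfigMap rewrite, so the prerequisite has not gone away, only its documentation. Without it, a user installing the policy on a default Kyverno install would presumably see it never fire and have no hint why. Suggest restoring a short form in the description, e.g. `Note: since Kyverno 1.10 the ConfigMap entry excludeGroups: system:nodes must be removed or changed for this policy to observe Pod status updates.`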
diff --git a/other/spread-pods-across-topology/.chainsaw-test/deploy.yaml b/other/spread-pods-across-topology/.chainsaw-test/deploy.yaml index 4483c6711..bf7b29028 100644 --- a/other/spread-pods-across-topology/.chainsaw-test/deploy.yaml +++ b/other/spread-pods-across-topology/.chainsaw-test/deploy.yaml @@ -16,7 +16,7 @@ spec: app: busybox spec: containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox --- apiVersion: apps/v1 @@ -36,7 +36,7 @@ spec: app: busybox spec: containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox --- apiVersion: apps/v1 @@ -57,7 +57,7 @@ spec: app: busybox spec: containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox topologySpreadConstraints: - maxSkew: 2 diff --git a/other/spread-pods-across-topology/.chainsaw-test/deploy01-patched.yaml b/other/spread-pods-across-topology/.chainsaw-test/deploy01-patched.yaml index 35d1d441c..363c819bf 100644 --- a/other/spread-pods-across-topology/.chainsaw-test/deploy01-patched.yaml +++ b/other/spread-pods-across-topology/.chainsaw-test/deploy01-patched.yaml @@ -16,7 +16,7 @@ spec: app: busybox spec: containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox topologySpreadConstraints: - maxSkew: 1 diff --git a/other/spread-pods-across-topology/.chainsaw-test/deploy02-not-patched.yaml b/other/spread-pods-across-topology/.chainsaw-test/deploy02-not-patched.yaml index ccc57744e..ecc414a6d 100644 --- a/other/spread-pods-across-topology/.chainsaw-test/deploy02-not-patched.yaml +++ b/other/spread-pods-across-topology/.chainsaw-test/deploy02-not-patched.yaml @@ -15,7 +15,7 @@ spec: app: busybox spec: containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox topologySpreadConstraints: - maxSkew: 1 
diff --git a/other/spread-pods-across-topology/.chainsaw-test/deploy03-not-patched.yaml b/other/spread-pods-across-topology/.chainsaw-test/deploy03-not-patched.yaml index 7526987d0..e459cc5da 100644 --- a/other/spread-pods-across-topology/.chainsaw-test/deploy03-not-patched.yaml +++ b/other/spread-pods-across-topology/.chainsaw-test/deploy03-not-patched.yaml @@ -16,7 +16,7 @@ spec: app: busybox spec: containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox topologySpreadConstraints: - maxSkew: 1 diff --git a/other/spread-pods-across-topology/.chainsaw-test/policy-ready.yaml b/other/spread-pods-across-topology/.chainsaw-test/policy-ready.yaml index e2ac9e7c7..351e8f691 100644 --- a/other/spread-pods-across-topology/.chainsaw-test/policy-ready.yaml +++ b/other/spread-pods-across-topology/.chainsaw-test/policy-ready.yaml @@ -3,7 +3,4 @@ kind: ClusterPolicy metadata: name: spread-pods status: - conditions: - - reason: Succeeded - status: "True" - type: Ready + ready: true \ No newline at end of file diff --git a/other/sync-secrets/.chainsaw-test/chainsaw-test.yaml b/other/sync-secrets/.chainsaw-test/chainsaw-test.yaml index abd1f5899..04b0944ac 100755 --- a/other/sync-secrets/.chainsaw-test/chainsaw-test.yaml +++ b/other/sync-secrets/.chainsaw-test/chainsaw-test.yaml @@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: @@ -8,8 +7,6 @@ spec: steps: - name: step-01 try: - - apply: - file: permissions.yaml - apply: file: ../sync-secrets.yaml - assert: diff --git a/other/sync-secrets/.chainsaw-test/permissions.yaml b/other/sync-secrets/.chainsaw-test/permissions.yaml deleted file mode 100644 index 20337067e..000000000 --- a/other/sync-secrets/.chainsaw-test/permissions.yaml +++ /dev/null 
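Review bot: Step-01 of the sync-secrets test no longer applies permissions.yaml, and that file (deleted in the next hunk) was the only thing in this test granting Kyverno get/list/watch and create/update/delete on Secrets through the `rbac.kyverno.io/aggregate-to-*` labels; the generate policy still needs those verbs, so the test now depends on the cluster's Kyverno installation already carrying them. If the test passes, that installation grants Secret write access more broadly than the deleted least-privilege aggregated ClusterRoles did, which is worth making visible in the test, e.g. `# relies on the Kyverno install's RBAC already letting the background controller manage Secrets`. If it does not, the failure surfaces at generate time rather than at policy creation, which the `policy-ready.yaml` assert will not catch.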
@@ -1,33 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: kyverno:secrets:view - labels: - rbac.kyverno.io/aggregate-to-background-controller: "true" - rbac.kyverno.io/aggregate-to-reports-controller: "true" - rbac.kyverno.io/aggregate-to-admission-controller: "true" -rules: -- apiGroups: - - '' - resources: - - secrets - verbs: - - get - - list - - watch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: kyverno:secrets:manage - labels: - rbac.kyverno.io/aggregate-to-background-controller: "true" -rules: -- apiGroups: - - '' - resources: - - secrets - verbs: - - create - - update - - delete \ No newline at end of file diff --git a/other/sync-secrets/.chainsaw-test/policy-ready.yaml b/other/sync-secrets/.chainsaw-test/policy-ready.yaml index d284cd3e0..ba880653c 100644 --- a/other/sync-secrets/.chainsaw-test/policy-ready.yaml +++ b/other/sync-secrets/.chainsaw-test/policy-ready.yaml @@ -3,7 +3,4 @@ kind: ClusterPolicy metadata: name: sync-secrets status: - conditions: - - reason: Succeeded - status: "True" - type: Ready + ready: true \ No newline at end of file diff --git a/other/topologyspreadconstraints-policy/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other/topologyspreadconstraints-policy/.chainsaw-test/chainsaw-step-01-assert-1.yaml index 42ae17e55..080e44efe 100755 --- a/other/topologyspreadconstraints-policy/.chainsaw-test/chainsaw-step-01-assert-1.yaml +++ b/other/topologyspreadconstraints-policy/.chainsaw-test/chainsaw-step-01-assert-1.yaml @@ -3,8 +3,4 @@ kind: ClusterPolicy metadata: name: topologyspreadconstraints-policy status: - conditions: - - reason: Succeeded - status: "True" - type: Ready - + ready: true diff --git a/other/topologyspreadconstraints-policy/.chainsaw-test/chainsaw-test.yaml b/other/topologyspreadconstraints-policy/.chainsaw-test/chainsaw-test.yaml index 5b0e9299c..3363ebe7e 100755 
--- a/other/topologyspreadconstraints-policy/.chainsaw-test/chainsaw-test.yaml +++ b/other/topologyspreadconstraints-policy/.chainsaw-test/chainsaw-test.yaml @@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: @@ -8,16 +7,9 @@ spec: steps: - name: step-01 try: - - apply: - file: ../topologyspreadconstraints-policy.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: topologyspreadconstraints-policy - spec: - validationFailureAction: Enforce + - script: + content: | + sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../topologyspreadconstraints-policy.yaml | kubectl create -f - - assert: file: chainsaw-step-01-assert-1.yaml - name: step-02 @@ -29,3 +21,10 @@ spec: - check: ($error != null): true file: podcontrollers-bad.yaml + - name: step-99 + try: + - delete: + ref: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: topologyspreadconstraints-policy diff --git a/other/topologyspreadconstraints-policy/.chainsaw-test/podcontrollers-bad.yaml b/other/topologyspreadconstraints-policy/.chainsaw-test/podcontrollers-bad.yaml index 040170cce..c704109f2 100644 --- a/other/topologyspreadconstraints-policy/.chainsaw-test/podcontrollers-bad.yaml +++ b/other/topologyspreadconstraints-policy/.chainsaw-test/podcontrollers-bad.yaml @@ -16,7 +16,7 @@ spec: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 topologySpreadConstraints: - maxSkew: 1 topologyKey: foo.bar/test @@ -49,7 +49,7 @@ spec: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 topologySpreadConstraints: - maxSkew: 1 topologyKey: foo.bar/test 
@@ -82,4 +82,4 @@ spec: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 \ No newline at end of file + image: busybox:1.35 \ No newline at end of file diff --git a/other/topologyspreadconstraints-policy/.chainsaw-test/podcontrollers-good.yaml b/other/topologyspreadconstraints-policy/.chainsaw-test/podcontrollers-good.yaml index 712dc9937..9f9c9ad53 100644 --- a/other/topologyspreadconstraints-policy/.chainsaw-test/podcontrollers-good.yaml +++ b/other/topologyspreadconstraints-policy/.chainsaw-test/podcontrollers-good.yaml @@ -16,7 +16,7 @@ spec: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 topologySpreadConstraints: - maxSkew: 1 topologyKey: foo.bar/test @@ -55,7 +55,7 @@ spec: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 topologySpreadConstraints: - maxSkew: 1 topologyKey: foo.bar/test @@ -88,4 +88,4 @@ spec: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 \ No newline at end of file + image: busybox:1.35 \ No newline at end of file diff --git a/other/topologyspreadconstraints-policy/.kyverno-test/kyverno-test.yaml b/other/topologyspreadconstraints-policy/.kyverno-test/kyverno-test.yaml index d1e1c210e..e5d9efa7e 100644 --- a/other/topologyspreadconstraints-policy/.kyverno-test/kyverno-test.yaml +++ b/other/topologyspreadconstraints-policy/.kyverno-test/kyverno-test.yaml 
@@ -14,20 +14,20 @@ results: - kind: StatefulSet policy: topologyspreadconstraints-policy resources: - - monitoring/badss01 - - monitoring/badss02 - - monitoring/badss03 + - monitoring/fail1 + - monitoring/fail2 + - monitoring/fail3 result: fail rule: spread-pods - kind: StatefulSet policy: topologyspreadconstraints-policy resources: - - monitoring/goodss01 + - monitoring/pass result: pass rule: spread-pods - kind: StatefulSet policy: topologyspreadconstraints-policy resources: - - monitoring/skipss01 + - monitoring/skip result: skip rule: spread-pods diff --git a/other/topologyspreadconstraints-policy/.kyverno-test/resource-fail1.yaml b/other/topologyspreadconstraints-policy/.kyverno-test/resource-fail1.yaml index 065a47ff5..143b295f1 100644 --- a/other/topologyspreadconstraints-policy/.kyverno-test/resource-fail1.yaml +++ b/other/topologyspreadconstraints-policy/.kyverno-test/resource-fail1.yaml @@ -2,7 +2,7 @@ apiVersion: apps/v1 kind: StatefulSet metadata: - name: badss01 + name: fail1 namespace: monitoring labels: app: thanos-memcached diff --git a/other/topologyspreadconstraints-policy/.kyverno-test/resource-fail2.yaml b/other/topologyspreadconstraints-policy/.kyverno-test/resource-fail2.yaml index 0031995fc..f61c1fab8 100644 --- a/other/topologyspreadconstraints-policy/.kyverno-test/resource-fail2.yaml +++ b/other/topologyspreadconstraints-policy/.kyverno-test/resource-fail2.yaml @@ -2,7 +2,7 @@ apiVersion: apps/v1 kind: StatefulSet metadata: - name: badss02 + name: fail2 namespace: monitoring labels: app: thanos-memcached diff --git a/other/topologyspreadconstraints-policy/.kyverno-test/resource-fail3.yaml b/other/topologyspreadconstraints-policy/.kyverno-test/resource-fail3.yaml index d88b17bf3..fc763ab04 100644 --- a/other/topologyspreadconstraints-policy/.kyverno-test/resource-fail3.yaml +++ b/other/topologyspreadconstraints-policy/.kyverno-test/resource-fail3.yaml 
@@ -2,7 +2,7 @@ apiVersion: apps/v1 kind: StatefulSet metadata: - name: badss03 + name: fail3 namespace: monitoring labels: app: thanos-memcached diff --git a/other/topologyspreadconstraints-policy/.kyverno-test/resource-pass.yaml b/other/topologyspreadconstraints-policy/.kyverno-test/resource-pass.yaml index 0310e6b00..4e5f55339 100644 --- a/other/topologyspreadconstraints-policy/.kyverno-test/resource-pass.yaml +++ b/other/topologyspreadconstraints-policy/.kyverno-test/resource-pass.yaml @@ -2,7 +2,7 @@ apiVersion: apps/v1 kind: StatefulSet metadata: - name: goodss01 + name: pass namespace: monitoring labels: app: thanos-memcached diff --git a/other/topologyspreadconstraints-policy/.kyverno-test/resource-skip.yaml b/other/topologyspreadconstraints-policy/.kyverno-test/resource-skip.yaml index 6761e7076..746608c08 100644 --- a/other/topologyspreadconstraints-policy/.kyverno-test/resource-skip.yaml +++ b/other/topologyspreadconstraints-policy/.kyverno-test/resource-skip.yaml @@ -2,7 +2,7 @@ apiVersion: apps/v1 kind: StatefulSet metadata: - name: skipss01 + name: skip namespace: monitoring labels: app: thanos-memcached diff --git a/other/topologyspreadconstraints-policy/artifacthub-pkg.yml b/other/topologyspreadconstraints-policy/artifacthub-pkg.yml index ecd64026c..aea39aa02 100644 --- a/other/topologyspreadconstraints-policy/artifacthub-pkg.yml +++ b/other/topologyspreadconstraints-policy/artifacthub-pkg.yml @@ -19,4 +19,4 @@ annotations: kyverno/category: "Sample" kyverno/kubernetesVersion: "1.22-1.23" kyverno/subject: "Deployment, StatefulSet" -digest: 1c1b582664e27ee557fb109b537101f2f262fb73d1d2fe882c0eb5a3dc3dd4ba +digest: 041afd3ce5efff6a08d60eed81a6922a1877a229a64c94a801cfa5fbc082c32c diff --git a/other/topologyspreadconstraints-policy/topologyspreadconstraints-policy.yaml b/other/topologyspreadconstraints-policy/topologyspreadconstraints-policy.yaml index 5d5f5ffc7..657d791eb 100644 
--- a/other/topologyspreadconstraints-policy/topologyspreadconstraints-policy.yaml +++ b/other/topologyspreadconstraints-policy/topologyspreadconstraints-policy.yaml @@ -20,7 +20,7 @@ metadata: spec: background: true failurePolicy: Ignore - validationFailureAction: Audit + validationFailureAction: audit rules: - name: spread-pods match: diff --git a/other/unique-ingress-host-and-path/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other/unique-ingress-host-and-path/.chainsaw-test/chainsaw-step-01-assert-1.yaml index dbf46af8a..a42b5ae27 100755 --- a/other/unique-ingress-host-and-path/.chainsaw-test/chainsaw-step-01-assert-1.yaml +++ b/other/unique-ingress-host-and-path/.chainsaw-test/chainsaw-step-01-assert-1.yaml @@ -3,8 +3,4 @@ kind: ClusterPolicy metadata: name: unique-ingress-host-and-path status: - conditions: - - reason: Succeeded - status: "True" - type: Ready - + ready: true diff --git a/other/unique-ingress-host-and-path/.chainsaw-test/chainsaw-test.yaml b/other/unique-ingress-host-and-path/.chainsaw-test/chainsaw-test.yaml index 5b7683409..679ddb020 100755 --- a/other/unique-ingress-host-and-path/.chainsaw-test/chainsaw-test.yaml +++ b/other/unique-ingress-host-and-path/.chainsaw-test/chainsaw-test.yaml @@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: @@ -10,16 +9,9 @@ spec: try: - apply: file: ingress.yaml - - apply: - file: ../unique-ingress-host-and-path.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: unique-ingress-host-and-path - spec: - validationFailureAction: Enforce + - script: + content: | + sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../unique-ingress-host-and-path.yaml | kubectl create -f - - assert: file: chainsaw-step-01-assert-1.yaml - name: step-02 
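Review bot: The step-01 script for unique-ingress-host-and-path relies on `sed` matching `validationFailureAction: audit` exactly; a non-match is silent, `kubectl create -f -` succeeds, and the policy runs in Audit mode, turning the `($error != null)` expectation in step-02 into a false failure that points at the wrong cause. The assert file changed in the same diff now only checks `status: ready: true`, so nothing confirms the mode. Add `spec:` / `  validationFailureAction: Enforce` to chainsaw-step-01-assert-1.yaml, which pins the intended behaviour regardless of how the policy file spells the field. The `steps:` list continues past this hunk.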
@@ -31,3 +23,10 @@ spec: - check: ($error != null): true file: ingress-bad.yaml + - name: step-99 + try: + - delete: + ref: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: unique-ingress-host-and-path diff --git a/other/unique-ingress-host-and-path/artifacthub-pkg.yml b/other/unique-ingress-host-and-path/artifacthub-pkg.yml index 9a6d32d92..5bf072d02 100644 --- a/other/unique-ingress-host-and-path/artifacthub-pkg.yml +++ b/other/unique-ingress-host-and-path/artifacthub-pkg.yml @@ -19,4 +19,4 @@ annotations: kyverno/category: "Sample" kyverno/kubernetesVersion: "1.23" kyverno/subject: "Ingress" -digest: 830c9b4883a2a64f2da0ea693fd30c3a352d592e9971b7627e166c66e17d5c40 +digest: 14c42f5e4f27f6ab33c50d7efc900f289b326ef96137464f4431d1a6ffdd7a4f diff --git a/other/unique-ingress-host-and-path/unique-ingress-host-and-path.yaml b/other/unique-ingress-host-and-path/unique-ingress-host-and-path.yaml index 63b800890..c95021467 100644 --- a/other/unique-ingress-host-and-path/unique-ingress-host-and-path.yaml +++ b/other/unique-ingress-host-and-path/unique-ingress-host-and-path.yaml @@ -16,7 +16,7 @@ metadata: This policy ensures that no Ingress can be created or updated unless it is globally unique with respect to host plus path combination. spec: - validationFailureAction: Audit + validationFailureAction: audit background: false rules: - name: check-host-path-combo diff --git a/other/unique-ingress-paths/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other/unique-ingress-paths/.chainsaw-test/chainsaw-step-01-assert-1.yaml index faa8b2142..c2b93df17 100755 --- a/other/unique-ingress-paths/.chainsaw-test/chainsaw-step-01-assert-1.yaml +++ b/other/unique-ingress-paths/.chainsaw-test/chainsaw-step-01-assert-1.yaml @@ -3,8 +3,4 @@ kind: ClusterPolicy metadata: name: unique-ingress-path status: - conditions: - - reason: Succeeded - status: "True" - type: Ready - + ready: true 
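Review bot: The new step-99 `delete` for `unique-ingress-host-and-path` is skipped whenever step-02 fails, because chainsaw stops a test at its first failing step as far as I can tell, so a broken negative test leaves a cluster-scoped Enforce policy behind that can block Ingress creation in later tests. Since step-01 now creates the policy through a `script` (not tracked for automatic removal), the delete should live in a step-01 `cleanup:` block, which runs independently of later outcomes; step-01 itself is outside this hunk.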
diff --git a/other/unique-ingress-paths/.chainsaw-test/chainsaw-test.yaml b/other/unique-ingress-paths/.chainsaw-test/chainsaw-test.yaml index aa3c2ec5e..659e7a019 100755 --- a/other/unique-ingress-paths/.chainsaw-test/chainsaw-test.yaml +++ b/other/unique-ingress-paths/.chainsaw-test/chainsaw-test.yaml @@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: @@ -10,16 +9,9 @@ spec: try: - apply: file: ingress.yaml - - apply: - file: ../unique-ingress-paths.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: unique-ingress-path - spec: - validationFailureAction: Enforce + - script: + content: | + sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../unique-ingress-paths.yaml | kubectl create -f - - assert: file: chainsaw-step-01-assert-1.yaml - name: step-02 @@ -31,3 +23,10 @@ spec: - check: ($error != null): true file: ingress-bad.yaml + - name: step-99 + try: + - delete: + ref: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: unique-ingress-path diff --git a/other/unique-ingress-paths/artifacthub-pkg.yml b/other/unique-ingress-paths/artifacthub-pkg.yml index 674e1ed86..8b2515b0e 100644 --- a/other/unique-ingress-paths/artifacthub-pkg.yml +++ b/other/unique-ingress-paths/artifacthub-pkg.yml @@ -18,4 +18,4 @@ readme: | annotations: kyverno/category: "Sample" kyverno/subject: "Ingress" -digest: a785d7bf1c1f02d9db27ca15873b81a3f93ca68ac2ad311415ecdc00b8d75810 +digest: b7d6475c0f1a2e885ffeec1b6840bfca32b8d690dbefe6646d3dca6b78fdc7b2 diff --git a/other/unique-ingress-paths/unique-ingress-paths.yaml b/other/unique-ingress-paths/unique-ingress-paths.yaml index c710ba6d6..8493df3ab 100644 --- a/other/unique-ingress-paths/unique-ingress-paths.yaml +++ b/other/unique-ingress-paths/unique-ingress-paths.yaml 
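Review bot: The `sed 's/validationFailureAction: audit/validationFailureAction: Enforce/'` rewrite in step-01 has no failure mode when the pattern is absent; the policy is then created in Audit mode and the test only notices indirectly in step-02 with a misleading `($error != null)` failure. This couples the test to the exact lowercase spelling introduced elsewhere in this commit. Assert the mode explicitly by adding `spec:` / `  validationFailureAction: Enforce` to chainsaw-step-01-assert-1.yaml (which, per this diff, now checks only `status: ready: true`). The `steps:` list continues past this hunk.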
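Review bot: The trailing step-99 that deletes ClusterPolicy `unique-ingress-path` does not execute if step-02 fails, so a failing run can leave an Enforce-mode, cluster-wide Ingress policy installed for every subsequent test in the cluster. The policy was previously created with `apply`, which chainsaw cleans up automatically; the switch to `script` loses that. Move the `delete` into a `cleanup:` block on step-01, which as I understand chainsaw runs regardless of later step results; step-01 is outside this hunk.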
@@ -16,7 +16,7 @@ metadata: existing Ingress rule (ex., when blocking /foo/bar /foo must exist by itself and not part of /foo/baz). spec: - validationFailureAction: Audit + validationFailureAction: audit background: false rules: - name: check-path diff --git a/other/update-image-tag/.chainsaw-test/chainsaw-step-01-apply-1.yaml b/other/update-image-tag/.chainsaw-test/chainsaw-step-01-apply-1.yaml index dcfb7646c..160b7ebbd 100755 --- a/other/update-image-tag/.chainsaw-test/chainsaw-step-01-apply-1.yaml +++ b/other/update-image-tag/.chainsaw-test/chainsaw-step-01-apply-1.yaml @@ -19,7 +19,7 @@ spec: app: busybox spec: containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox - image: vault:1.2.3 name: vault-agent diff --git a/other/update-image-tag/.chainsaw-test/chainsaw-test.yaml b/other/update-image-tag/.chainsaw-test/chainsaw-test.yaml index be7b2eb81..3b5d93509 100755 --- a/other/update-image-tag/.chainsaw-test/chainsaw-test.yaml +++ b/other/update-image-tag/.chainsaw-test/chainsaw-test.yaml @@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: diff --git a/other/update-image-tag/.chainsaw-test/deploy.yaml b/other/update-image-tag/.chainsaw-test/deploy.yaml index f952b61a5..f24157785 100644 --- a/other/update-image-tag/.chainsaw-test/deploy.yaml +++ b/other/update-image-tag/.chainsaw-test/deploy.yaml @@ -19,7 +19,7 @@ spec: app: busybox spec: containers: - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox - name: vault-agent image: vault:1.2.3 @@ -46,8 +46,8 @@ spec: spec: containers: - name: vault-agent - image: ghcr.io/kyverno/test-busybox:1.3.5 - - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.3.5 + - image: busybox:1.35 name: busybox --- apiVersion: apps/v1 
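Review bot: The new image reference `busybox:1.35` in chainsaw-step-01-apply-1.yaml drops the registry, so the pull resolves through the runtime's default (docker.io) and names a mutable tag on a public, anonymously rate-limited registry; the previous `ghcr.io/kyverno/test-busybox:1.35` was at least project-controlled. Because this fixture is what the update-image-tag policy mutates, also confirm the policy's image matching (outside this hunk) still selects the unqualified name. If Docker Hub is intended, write it fully qualified, `- image: docker.io/library/busybox:1.35`, or pin a digest so CI results do not drift if the tag is re-pushed.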
@@ -71,7 +71,7 @@ spec: spec: containers: - name: vault-agent - image: ghcr.io/kyverno/test-busybox:1.3.5 + image: busybox:1.3.5 --- apiVersion: apps/v1 kind: Deployment @@ -92,4 +92,4 @@ spec: spec: containers: - name: vault-agent - image: ghcr.io/kyverno/test-busybox:1.3.5 \ No newline at end of file + image: busybox:1.3.5 \ No newline at end of file diff --git a/other/update-image-tag/.chainsaw-test/deploy00-patched-again.yaml b/other/update-image-tag/.chainsaw-test/deploy00-patched-again.yaml index 43e94aab8..e526fa97e 100644 --- a/other/update-image-tag/.chainsaw-test/deploy00-patched-again.yaml +++ b/other/update-image-tag/.chainsaw-test/deploy00-patched-again.yaml @@ -21,5 +21,5 @@ spec: containers: - name: vault-agent image: vault:1.6.0 - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox \ No newline at end of file diff --git a/other/update-image-tag/.chainsaw-test/deploy00-patched.yaml b/other/update-image-tag/.chainsaw-test/deploy00-patched.yaml index 124682ee4..1beaf0827 100644 --- a/other/update-image-tag/.chainsaw-test/deploy00-patched.yaml +++ b/other/update-image-tag/.chainsaw-test/deploy00-patched.yaml @@ -21,5 +21,5 @@ spec: containers: - name: vault-agent image: vault:1.5.4 - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox \ No newline at end of file diff --git a/other/update-image-tag/.chainsaw-test/deploy01-patched-again.yaml b/other/update-image-tag/.chainsaw-test/deploy01-patched-again.yaml index f1ba65bd5..9bc1b1754 100644 --- a/other/update-image-tag/.chainsaw-test/deploy01-patched-again.yaml +++ b/other/update-image-tag/.chainsaw-test/deploy01-patched-again.yaml @@ -21,5 +21,5 @@ spec: containers: - name: vault-agent image: vault:1.6.0 - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox \ No newline at end of file 
diff --git a/other/update-image-tag/.chainsaw-test/deploy01-patched.yaml b/other/update-image-tag/.chainsaw-test/deploy01-patched.yaml index cfa7142f9..075665308 100644 --- a/other/update-image-tag/.chainsaw-test/deploy01-patched.yaml +++ b/other/update-image-tag/.chainsaw-test/deploy01-patched.yaml @@ -21,5 +21,5 @@ spec: containers: - name: vault-agent image: vault:1.5.4 - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox \ No newline at end of file diff --git a/other/update-image-tag/.chainsaw-test/deploy02-patched-again.yaml b/other/update-image-tag/.chainsaw-test/deploy02-patched-again.yaml index 627ff5fe4..b4554a24f 100644 --- a/other/update-image-tag/.chainsaw-test/deploy02-patched-again.yaml +++ b/other/update-image-tag/.chainsaw-test/deploy02-patched-again.yaml @@ -21,5 +21,5 @@ spec: containers: - name: vault-agent image: vault:1.6.0 - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox \ No newline at end of file diff --git a/other/update-image-tag/.chainsaw-test/deploy02-patched.yaml b/other/update-image-tag/.chainsaw-test/deploy02-patched.yaml index 51a01f15d..4c3d98b38 100644 --- a/other/update-image-tag/.chainsaw-test/deploy02-patched.yaml +++ b/other/update-image-tag/.chainsaw-test/deploy02-patched.yaml @@ -21,5 +21,5 @@ spec: containers: - name: vault-agent image: vault:1.5.4 - - image: ghcr.io/kyverno/test-busybox:1.35 + - image: busybox:1.35 name: busybox \ No newline at end of file diff --git a/other/update-image-tag/.chainsaw-test/policy-ready.yaml b/other/update-image-tag/.chainsaw-test/policy-ready.yaml index 9f7da58fa..c1e1c3f8d 100644 --- a/other/update-image-tag/.chainsaw-test/policy-ready.yaml +++ b/other/update-image-tag/.chainsaw-test/policy-ready.yaml @@ -3,7 +3,4 @@ kind: ClusterPolicy metadata: name: update-image-tag status: - conditions: - - reason: Succeeded - status: "True" - type: Ready + ready: true \ No newline at end of file 
diff --git a/other/verify-image-cve-2022-42889/artifacthub-pkg.yml b/other/verify-image-cve-2022-42889/artifacthub-pkg.yml index f7b2f1955..1cbeaf83b 100644 --- a/other/verify-image-cve-2022-42889/artifacthub-pkg.yml +++ b/other/verify-image-cve-2022-42889/artifacthub-pkg.yml @@ -19,4 +19,4 @@ annotations: kyverno/category: "Software Supply Chain Security" kyverno/kubernetesVersion: "1.24" kyverno/subject: "Pod" -digest: 2760f77b5695c74d2a6a02f0a5be1ad32dcf89bb76007ef7ef22e3fce350a669 +digest: 2c0122c8dcdabb0170d567011389e734e1c26295e09a032f55682440b8fd0620 diff --git a/other/verify-image-cve-2022-42889/verify-image-cve-2022-42889.yaml b/other/verify-image-cve-2022-42889/verify-image-cve-2022-42889.yaml index 01a357bf7..a5322b573 100644 --- a/other/verify-image-cve-2022-42889/verify-image-cve-2022-42889.yaml +++ b/other/verify-image-cve-2022-42889/verify-image-cve-2022-42889.yaml @@ -19,7 +19,7 @@ metadata: package. Using this for your own purposes will require customizing the `imageReferences`, `subject`, and `issuer` fields based on your image signatures and attestations. spec: - validationFailureAction: Audit + validationFailureAction: audit webhookTimeoutSeconds: 10 rules: - name: cve-2022-42889 diff --git a/other/verify-image-gcpkms/artifacthub-pkg.yml b/other/verify-image-gcpkms/artifacthub-pkg.yml index 8230589d8..2457c1b3e 100644 --- a/other/verify-image-gcpkms/artifacthub-pkg.yml +++ b/other/verify-image-gcpkms/artifacthub-pkg.yml @@ -18,4 +18,4 @@ readme: | annotations: kyverno/category: "Software Supply Chain Security" kyverno/subject: "Pod" -digest: c57410fff68cc13d077c230c5e275472c71879173577d7dfe129a4a61e37caa6 +digest: fa0df7562cf397dc3115deeabb85bb80d2d5aeb6dead376122628d4c97dc739c diff --git a/other/verify-image-gcpkms/verify-image-gcpkms.yaml b/other/verify-image-gcpkms/verify-image-gcpkms.yaml index 7ee8e2701..8ffab7532 100644 --- a/other/verify-image-gcpkms/verify-image-gcpkms.yaml +++ b/other/verify-image-gcpkms/verify-image-gcpkms.yaml 
@@ -16,7 +16,7 @@ metadata: its signature against the provided public key. This policy serves as an illustration for how to configure a similar rule and will require replacing with your image(s) and keys. spec: - validationFailureAction: Audit + validationFailureAction: audit background: false rules: - name: verify-image diff --git a/other/verify-image-slsa/artifacthub-pkg.yml b/other/verify-image-slsa/artifacthub-pkg.yml index e7dd5fa00..f59d4fa08 100644 --- a/other/verify-image-slsa/artifacthub-pkg.yml +++ b/other/verify-image-slsa/artifacthub-pkg.yml @@ -19,4 +19,4 @@ annotations: kyverno/category: "Software Supply Chain Security" kyverno/kubernetesVersion: "1.24" kyverno/subject: "Pod" -digest: 71468d92deb1f7a812ea584f2ce92002279fb67237d414a55911860497317349 +digest: 74a49f461828bb48c6557309059077c5b7cfb801b85af44280ad0f489c27ac3e diff --git a/other/verify-image-slsa/verify-image-slsa.yaml b/other/verify-image-slsa/verify-image-slsa.yaml index 1b25025bf..8a45095e3 100644 --- a/other/verify-image-slsa/verify-image-slsa.yaml +++ b/other/verify-image-slsa/verify-image-slsa.yaml @@ -18,7 +18,7 @@ metadata: when produced through GitHub Actions. It requires configuration based upon your own values. spec: - validationFailureAction: Audit + validationFailureAction: audit webhookTimeoutSeconds: 30 rules: - name: check-slsa-keyless diff --git a/other/verify-image-with-multi-keys/artifacthub-pkg.yml b/other/verify-image-with-multi-keys/artifacthub-pkg.yml index f75f759ff..886ef0e86 100644 --- a/other/verify-image-with-multi-keys/artifacthub-pkg.yml +++ b/other/verify-image-with-multi-keys/artifacthub-pkg.yml 
@@ -12,11 +12,11 @@ keywords: - kyverno - Software Supply Chain Security readme: | - There may be multiple keys used to sign images based on the parties involved in the creation process. This image verification policy requires the named image be signed by two separate keys. It will search for a global "production" key in a ConfigMap called `keys` in the `default` Namespace and also a Namespace key in the same ConfigMap. + There may be multiple keys used to sign images based on the parties involved in the creation process. This image verification policy requires the named image be signed by two separate keys. It will search for a global "production" key in a ConfigMap called `key` in the `default` Namespace and also a Namespace key in the same ConfigMap. Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ annotations: kyverno/category: "Software Supply Chain Security" kyverno/kubernetesVersion: "1.23" kyverno/subject: "Pod" -digest: bdc70bf5d50bcf20a110d0d0af6992f5d0f2d426e8edab84a8436c7d1ec97af8 +digest: 14cc8946fcc7d3141270826f036b28226c88c5d8e93ba475b1523e90512a281b diff --git a/other/verify-image-with-multi-keys/verify-image-with-multi-keys.yaml b/other/verify-image-with-multi-keys/verify-image-with-multi-keys.yaml index 1d4f2bd1c..2c1592bde 100644 --- a/other/verify-image-with-multi-keys/verify-image-with-multi-keys.yaml +++ b/other/verify-image-with-multi-keys/verify-image-with-multi-keys.yaml 
@@ -15,10 +15,10 @@ metadata: the parties involved in the creation process. This image verification policy requires the named image be signed by two separate keys. It will search for a global "production" - key in a ConfigMap called `keys` in the `default` Namespace + key in a ConfigMap called `key` in the `default` Namespace and also a Namespace key in the same ConfigMap. spec: - validationFailureAction: Enforce + validationFailureAction: enforce background: false rules: - name: check-image-with-two-keys @@ -42,4 +42,4 @@ spec: - keys: publicKeys: "{{ keys.data.production }}" - keys: - publicKeys: "{{ keys.data.{{request.namespace}} }}" + publicKeys: "{{ keys.data.{{request.namespace}} }}" \ No newline at end of file diff --git a/other/verify-image/artifacthub-pkg.yml b/other/verify-image/artifacthub-pkg.yml index 6d7751d2e..f1b8a5397 100644 --- a/other/verify-image/artifacthub-pkg.yml +++ b/other/verify-image/artifacthub-pkg.yml @@ -19,4 +19,4 @@ readme: | annotations: kyverno/category: "Software Supply Chain Security, EKS Best Practices" kyverno/subject: "Pod" -digest: 40063592a49e22a2f9b96a09c8e5202feb31818d0b6c1787d80ce3416d3e6898 +digest: a8736ddddb89acaa42ad54420b84992be6d27d39ea0f404f93cbd82a916d6043 diff --git a/other/verify-image/verify-image.yaml b/other/verify-image/verify-image.yaml index 02f0db0e7..08357fe20 100644 --- a/other/verify-image/verify-image.yaml +++ b/other/verify-image/verify-image.yaml @@ -16,7 +16,7 @@ metadata: its signature against the provided public key. This policy serves as an illustration for how to configure a similar rule and will require replacing with your image(s) and keys. spec: - validationFailureAction: Enforce + validationFailureAction: enforce background: false rules: - name: verify-image diff --git a/other/verify-manifest-integrity/artifacthub-pkg.yml b/other/verify-manifest-integrity/artifacthub-pkg.yml index e56837352..765697fc0 100644 --- a/other/verify-manifest-integrity/artifacthub-pkg.yml 
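Review bot: The description now says the keys live in a ConfigMap called `key`, but both `publicKeys` expressions visible in this file read `{{ keys.data.production }}` and `{{ keys.data.{{request.namespace}} }}`; whether `keys` is the ConfigMap name or only the context variable is decided by the `context:` entry outside this hunk, so the rename should be checked against its `configMap.name`. An operator following the description would otherwise create a ConfigMap the rule never reads, and the image verification would fail for a configuration reason rather than a signature one. If the ConfigMap really is `keys`, revert this line to "a ConfigMap called `keys` in the `default` Namespace".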
+++ b/other/verify-manifest-integrity/artifacthub-pkg.yml @@ -19,4 +19,4 @@ annotations: kyverno/category: "Other" kyverno/kubernetesVersion: "1.24" kyverno/subject: "Deployment" -digest: 0a6c2164a5d6aefdbd14b48d0698ab886a687fe456c73e1bac7f72a7e975c24e +digest: 69902d8be3696a25da697f19dce03c9d5e7b8505e1b9ffacab282c5a09004cec diff --git a/other/verify-manifest-integrity/verify-manifest-integrity.yaml b/other/verify-manifest-integrity/verify-manifest-integrity.yaml index 31eb490c7..33fbfb05d 100644 --- a/other/verify-manifest-integrity/verify-manifest-integrity.yaml +++ b/other/verify-manifest-integrity/verify-manifest-integrity.yaml @@ -19,7 +19,7 @@ metadata: the expected key but ignores the `spec.replicas` field allowing other teams to change just this value. spec: - validationFailureAction: Audit + validationFailureAction: audit background: true rules: - name: verify-deployment-allow-replicas diff --git a/other/verify-sbom-cyclonedx/artifacthub-pkg.yml b/other/verify-sbom-cyclonedx/artifacthub-pkg.yml index 0e70c328b..5b23662b1 100644 --- a/other/verify-sbom-cyclonedx/artifacthub-pkg.yml +++ b/other/verify-sbom-cyclonedx/artifacthub-pkg.yml @@ -19,4 +19,4 @@ annotations: kyverno/category: "Software Supply Chain Security" kyverno/kubernetesVersion: "1.24" kyverno/subject: "Pod" -digest: 330ef8f4b5e7dda5105cd384d12da2e091c62c8c1b553897f2d66edebea17b55 +digest: c96b68cc7e56de0f391ef9fd673bb0f9c372370f4a9f07b7ca3aedba2b2f6628 diff --git a/other/verify-sbom-cyclonedx/verify-sbom-cyclonedx.yaml b/other/verify-sbom-cyclonedx/verify-sbom-cyclonedx.yaml index 0242e4ad3..934d11b52 100644 --- a/other/verify-sbom-cyclonedx/verify-sbom-cyclonedx.yaml +++ b/other/verify-sbom-cyclonedx/verify-sbom-cyclonedx.yaml 
@@ -18,7 +18,7 @@ metadata: and was signed by the expected subject and issuer when produced through GitHub Actions and using Cosign's keyless signing. It requires configuration based upon your own values. spec: - validationFailureAction: Audit + validationFailureAction: audit webhookTimeoutSeconds: 30 rules: - name: check-sbom diff --git a/other/verify-vpa-target/.chainsaw-test/bad.yaml b/other/verify-vpa-target/.chainsaw-test/bad.yaml deleted file mode 100644 index a94537abe..000000000 --- a/other/verify-vpa-target/.chainsaw-test/bad.yaml +++ /dev/null @@ -1,60 +0,0 @@ -apiVersion: autoscaling.k8s.io/v1 -kind: VerticalPodAutoscaler -metadata: - name: bad01 -spec: - targetRef: - apiVersion: apps/v1 - kind: Foo - name: foobar - updatePolicy: - updateMode: Auto ---- -apiVersion: autoscaling.k8s.io/v1 -kind: VerticalPodAutoscaler -metadata: - name: bad02 -spec: - targetRef: - apiVersion: apps/v1 - kind: deployment - name: foobar - updatePolicy: - updateMode: Auto ---- -apiVersion: autoscaling.k8s.io/v1 -kind: VerticalPodAutoscaler -metadata: - name: bad03 -spec: - targetRef: - apiVersion: apps/v1 - kind: Deployment - name: nothere - updatePolicy: - updateMode: Auto ---- -apiVersion: autoscaling.k8s.io/v1 -kind: VerticalPodAutoscaler -metadata: - name: bad04 -spec: - targetRef: - apiVersion: apps/v1 - kind: DaemonSet - name: busybox - updatePolicy: - updateMode: Auto ---- -apiVersion: autoscaling.k8s.io/v1 -kind: VerticalPodAutoscaler -metadata: - name: bad05 -spec: - targetRef: - apiVersion: apps/v1 - kind: StatefulSet - name: busybox - updatePolicy: - updateMode: Auto ---- diff --git a/other/verify-vpa-target/.chainsaw-test/chainsaw-test.yaml b/other/verify-vpa-target/.chainsaw-test/chainsaw-test.yaml deleted file mode 100755 index 533f09667..000000000 --- a/other/verify-vpa-target/.chainsaw-test/chainsaw-test.yaml +++ /dev/null 
@@ -1,36 +0,0 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json -apiVersion: chainsaw.kyverno.io/v1alpha1 -kind: Test -metadata: - name: verify-vpa-target -spec: - steps: - - name: 01 - Create policy and Enforce - try: - - apply: - file: ../verify-vpa-target.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: verify-vpa-target - spec: - validationFailureAction: Enforce - - assert: - file: policy-ready.yaml - - name: 02 - Create the prerequisite Pod controllers - try: - - apply: - file: prereq.yaml - - name: 03 - Try to create bad VPAs - try: - - apply: - file: bad.yaml - expect: - - check: - ($error != null): true - - name: 04 - Create good VPAs - try: - - apply: - file: good.yaml diff --git a/other/verify-vpa-target/.chainsaw-test/good.yaml b/other/verify-vpa-target/.chainsaw-test/good.yaml deleted file mode 100644 index ad0b919b6..000000000 --- a/other/verify-vpa-target/.chainsaw-test/good.yaml +++ /dev/null @@ -1,36 +0,0 @@ -apiVersion: autoscaling.k8s.io/v1 -kind: VerticalPodAutoscaler -metadata: - name: good01 -spec: - targetRef: - apiVersion: apps/v1 - kind: Deployment - name: busybox - updatePolicy: - updateMode: Auto ---- -apiVersion: autoscaling.k8s.io/v1 -kind: VerticalPodAutoscaler -metadata: - name: good02 -spec: - targetRef: - apiVersion: apps/v1 - kind: DaemonSet - name: ds-busybox - updatePolicy: - updateMode: Auto ---- -apiVersion: autoscaling.k8s.io/v1 -kind: VerticalPodAutoscaler -metadata: - name: good03 -spec: - targetRef: - apiVersion: apps/v1 - kind: StatefulSet - name: ss-busybox - updatePolicy: - updateMode: Auto ---- diff --git a/other/verify-vpa-target/.chainsaw-test/policy-ready.yaml b/other/verify-vpa-target/.chainsaw-test/policy-ready.yaml deleted file mode 100644 index dff10bd82..000000000 --- a/other/verify-vpa-target/.chainsaw-test/policy-ready.yaml +++ /dev/null 
@@ -1,9 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: verify-vpa-target -status: - conditions: - - reason: Succeeded - status: "True" - type: Ready diff --git a/other/verify-vpa-target/.chainsaw-test/prereq.yaml b/other/verify-vpa-target/.chainsaw-test/prereq.yaml deleted file mode 100644 index b265f78da..000000000 --- a/other/verify-vpa-target/.chainsaw-test/prereq.yaml +++ /dev/null @@ -1,65 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app: busybox - name: busybox -spec: - replicas: 1 - selector: - matchLabels: - app: busybox - template: - metadata: - labels: - app: busybox - spec: - containers: - - image: ghcr.io/kyverno/test-busybox:latest - name: busybox - command: - - "sleep" - - "3000" ---- -apiVersion: apps/v1 -kind: DaemonSet -metadata: - name: ds-busybox -spec: - selector: - matchLabels: - name: good-daemonset - template: - metadata: - labels: - name: good-daemonset - spec: - containers: - - image: ghcr.io/kyverno/test-busybox:latest - name: busybox - command: - - "sleep" - - "3000" ---- -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: ss-busybox -spec: - selector: - matchLabels: - app: busybox - serviceName: busyservice - replicas: 1 - minReadySeconds: 10 - template: - metadata: - labels: - app: busybox - spec: - containers: - - image: ghcr.io/kyverno/test-busybox:latest - name: busybox - command: - - "sleep" - - "3000" \ No newline at end of file diff --git a/other/verify-vpa-target/artifacthub-pkg.yml b/other/verify-vpa-target/artifacthub-pkg.yml deleted file mode 100644 index 3796c3c3c..000000000 --- a/other/verify-vpa-target/artifacthub-pkg.yml +++ /dev/null 
@@ -1,32 +0,0 @@ -name: verify-vpa-target -version: 1.0.0 -displayName: Verify VerticalPodAutoscaler Target -createdAt: "2024-03-09T13:10:00.000Z" -description: >- - VerticalPodAutoscaler (VPA) is useful to automatically adjust the resources assigned to Pods. - It requires defining a specific target resource by kind and name. There are no built-in - validation checks by the VPA controller to ensure that the target resource exists or that the target - kind is specified correctly. This policy contains two rules, the first of which verifies that the - kind is specified exactly as Deployment, StatefulSet, ReplicaSet, or DaemonSet, which helps avoid typos. - The second rule verifies that the target resource exists before allowing the VPA to be created. -install: |- - ```shell - kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/verify-vpa-target/verify-vpa-target.yaml - ``` -keywords: - - kyverno - - other -readme: | - VerticalPodAutoscaler (VPA) is useful to automatically adjust the resources assigned to Pods. - It requires defining a specific target resource by kind and name. There are no built-in - validation checks by the VPA controller to ensure that the target resource exists or that the target - kind is specified correctly. This policy contains two rules, the first of which verifies that the - kind is specified exactly as Deployment, StatefulSet, ReplicaSet, or DaemonSet, which helps avoid typos. - The second rule verifies that the target resource exists before allowing the VPA to be created. - - Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ -annotations: - kyverno/category: "Other" - kyverno/kubernetesVersion: "1.27" - kyverno/subject: "VerticalPodAutoscaler" -digest: e29db2906051073623b252af190282c4523f657214b149cb9366b764f201a489 
diff --git a/other/verify-vpa-target/verify-vpa-target.yaml b/other/verify-vpa-target/verify-vpa-target.yaml deleted file mode 100644 index 285afbb9c..000000000 --- a/other/verify-vpa-target/verify-vpa-target.yaml +++ /dev/null 
@@ -1,81 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: verify-vpa-target - annotations: - policies.kyverno.io/title: Verify VerticalPodAutoscaler Target - policies.kyverno.io/category: Other - policies.kyverno.io/severity: medium - kyverno.io/kyverno-version: 1.11.4 - kyverno.io/kubernetes-version: "1.27" - policies.kyverno.io/subject: VerticalPodAutoscaler - policies.kyverno.io/description: >- - VerticalPodAutoscaler (VPA) is useful to automatically adjust the resources assigned to Pods. - It requires defining a specific target resource by kind and name. There are no built-in - validation checks by the VPA controller to ensure that the target resource exists or that the target - kind is specified correctly. This policy contains two rules, the first of which verifies that the - kind is specified exactly as Deployment, StatefulSet, ReplicaSet, or DaemonSet, which helps avoid typos. - The second rule verifies that the target resource exists before allowing the VPA to be created. -spec: - validationFailureAction: Audit - background: false - rules: - - name: verify-kind-name - match: - any: - - resources: - kinds: - - VerticalPodAutoscaler - operations: - - CREATE - validate: - message: >- - The target kind must be specified exactly as Deployment, StatefulSet, ReplicaSet, or DaemonSet. - pattern: - spec: - targetRef: - kind: Deployment | StatefulSet | ReplicaSet | DaemonSet - - name: check-targetref - match: - any: - - resources: - kinds: - - VerticalPodAutoscaler - operations: - - CREATE - preconditions: - all: - - key: - - Deployment - - StatefulSet - - ReplicaSet - - DaemonSet - operator: AnyIn - value: "{{ request.object.spec.targetRef.kind }}" - context: - # Builds a mapping of the target kind to the plural form of the resource to be used in the API call. 
- - name: map - variable: - value: - Deployment: deployments - StatefulSet: statefulsets - ReplicaSet: replicasets - DaemonSet: daemonsets - - name: targetkind - variable: - jmesPath: request.object.spec.targetRef.kind - - name: targets - apiCall: - urlPath: "/apis/apps/v1/namespaces/{{ request.namespace }}/{{ map.{{targetkind}} }}" - jmesPath: "items[].metadata.name" - validate: - message: >- - The target {{ request.object.spec.targetRef.kind }} named - {{ request.object.spec.targetRef.name }} does not exist in the - {{ request.namespace }} namespace. - deny: - conditions: - all: - - key: "{{ request.object.spec.targetRef.name }}" - operator: AnyNotIn - value: "{{ targets }}" diff --git a/pod-security-cel/baseline/disallow-capabilities/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/pod-security-cel/baseline/disallow-capabilities/.chainsaw-test/chainsaw-step-01-assert-1.yaml new file mode 100755 index 000000000..5c1ca4056 --- /dev/null +++ b/pod-security-cel/baseline/disallow-capabilities/.chainsaw-test/chainsaw-step-01-assert-1.yaml @@ -0,0 +1,6 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: disallow-capabilities +status: + ready: true diff --git a/pod-security-cel/baseline/disallow-capabilities/.chainsaw-test/chainsaw-test.yaml b/pod-security-cel/baseline/disallow-capabilities/.chainsaw-test/chainsaw-test.yaml index 9b73b5a5b..a718cb05c 100755 --- a/pod-security-cel/baseline/disallow-capabilities/.chainsaw-test/chainsaw-test.yaml +++ b/pod-security-cel/baseline/disallow-capabilities/.chainsaw-test/chainsaw-test.yaml 
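Review bot: The new assert file chainsaw-step-01-assert-1.yaml checks `status.ready: true`, whereas the deleted policy-ready.yaml further down in this diff asserted the `Ready` condition with `status: "True"` under `status.conditions`. If I recall the Kyverno ClusterPolicy CRD correctly, the boolean `status.ready` is marked deprecated in favour of conditions, so keeping the conditions form would be the more future-proof readiness gate. A one-line comment in the assert, `# ClusterPolicy must be ready before step-02 sends admission requests against it`, would also document why the step waits on it.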
@@ -1,40 +1,37 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: creationTimestamp: null name: disallow-capabilities spec: - # disable templating because it can cause issues with CEL expressions - template: false steps: - name: step-01 try: - - apply: - file: ../disallow-capabilities.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: disallow-capabilities - spec: - validationFailureAction: Enforce + - script: + content: | + sed 's/validationFailureAction: Audit/validationFailureAction: Enforce/' ../disallow-capabilities.yaml | kubectl create -f - - assert: - file: policy-ready.yaml + file: chainsaw-step-01-assert-1.yaml - name: step-02 try: - apply: - file: pod-good.yaml + file: ../../../../pod-security/baseline/disallow-capabilities/.chainsaw-test/pod-good.yaml - apply: expect: - check: ($error != null): true - file: pod-bad.yaml + file: ../../../../pod-security/baseline/disallow-capabilities/.chainsaw-test/pod-bad.yaml - apply: - file: podcontroller-good.yaml + file: ../../../../pod-security/baseline/disallow-capabilities/.chainsaw-test/podcontroller-good.yaml - apply: expect: - check: ($error != null): true - file: podcontroller-bad.yaml + file: ../../../../pod-security/baseline/disallow-capabilities/.chainsaw-test/podcontroller-bad.yaml + - name: step-99 + try: + - delete: + ref: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: disallow-capabilities diff --git a/pod-security-cel/baseline/disallow-capabilities/.chainsaw-test/pod-bad.yaml b/pod-security-cel/baseline/disallow-capabilities/.chainsaw-test/pod-bad.yaml deleted file mode 100644 index bbaf3bdc0..000000000 --- a/pod-security-cel/baseline/disallow-capabilities/.chainsaw-test/pod-bad.yaml +++ /dev/null 
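Review bot: The `script` step at the top of the hunk replaces `apply` + `patch` with `sed ... | kubectl create -f -`, which is not idempotent: a ClusterPolicy left behind by an interrupted run makes `kubectl create` fail with AlreadyExists, and the `sed` substitution silently does nothing if `validationFailureAction: Audit` is ever reworded in ../disallow-capabilities.yaml, so the test would then run against an Audit-mode policy and fail only later as a confusing `expect` mismatch in step-02. Consider `kubectl apply -f -` for the create, plus a comment above the step such as `# Rewrite Audit -> Enforce so the bad resources in step-02 are rejected; a resource created via script is not tracked by chainsaw, hence the explicit delete in step-99.` The explicit `delete` in step-99 runs only if the earlier steps succeed (I believe chainsaw stops at the first failing step), so moving it into a step-level `cleanup:` on step-01 would be more robust against leftover Enforce-mode policies in a shared test cluster. The removed `# disable templating because it can cause issues with CEL expressions` comment carried useful context; if templating is now disabled elsewhere, a short pointer to where would help the next reader.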
@@ -1,187 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: badpod01-new -spec: - initContainers: - - name: init - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - add: - - AUDIT_WRITE - - CAP_NET_RAW - - MKNOD - containers: - - name: add-capabilities - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - add: ["SYS_CHROOT", "SETUID", "KILL", "SETGID"] - - name: add-capabilities-again - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - add: ["NET_BIND_SERVICE", "SETPCAP", "SETFCAP", "FOWNER"] - drop: - - "ALL" ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod02-new -spec: - initContainers: - - name: init - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - add: - - AUDIT_WRITE - - CHOWN - - MKNOD - - name: init-again - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - add: ["SYS_CHROOT", "SETUID", "KILL", "SETGID"] - drop: - - "ALL" - containers: - - name: add-capabilities - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - add: ["NET_BIND_SERVICE", "SETPCAP", "CAP_NET_RAW", "FOWNER"] ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod03-new -spec: - containers: - - name: add-capabilities - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - add: ["NET_BIND_SERVICE", "CAP_SETPCAP", "SETFCAP", "FOWNER"] ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod04-new -spec: - containers: - - name: add-capabilities - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - add: ["CAP_NET_RAW", "CAP_SYS_ADMIN", "NET_ADMIN"] ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod01 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - add: - - NET_RAW ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod02 -spec: - containers: - - name: container01 - image: 
ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - add: - - NET_RAW - - SETGID ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod03 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - add: - - NET_RAW - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - add: - - SETGID ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod04 -spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - add: - - NET_RAW - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - add: - - SETGID ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod05 -spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - add: - - NET_RAW - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - add: - - SETGID ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod06 -spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - add: - - NET_RAW - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - add: - - SYS_ADMIN \ No newline at end of file diff --git a/pod-security-cel/baseline/disallow-capabilities/.chainsaw-test/pod-good.yaml b/pod-security-cel/baseline/disallow-capabilities/.chainsaw-test/pod-good.yaml deleted file mode 100644 index d7dec96bc..000000000 --- a/pod-security-cel/baseline/disallow-capabilities/.chainsaw-test/pod-good.yaml +++ /dev/null 
@@ -1,167 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: goodpod01-new -spec: - initContainers: - - name: init - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - add: - - AUDIT_WRITE - - CHOWN - - MKNOD - containers: - - name: add-capabilities - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - add: ["SYS_CHROOT", "SETUID", "KILL", "SETGID"] - - name: add-capabilities-again - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - add: ["NET_BIND_SERVICE", "SETPCAP", "SETFCAP", "FOWNER"] - drop: - - "ALL" ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod02-new -spec: - initContainers: - - name: init - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - add: - - AUDIT_WRITE - - CHOWN - - MKNOD - - name: init-again - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - add: ["SYS_CHROOT", "SETUID", "KILL", "SETGID"] - drop: - - "ALL" - containers: - - name: add-capabilities - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - add: ["NET_BIND_SERVICE", "SETPCAP", "SETFCAP", "FOWNER"] ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod03-new -spec: - containers: - - name: add-capabilities - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - add: ["NET_BIND_SERVICE", "SETPCAP", "SETFCAP", "FOWNER"] ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod04-new -spec: - containers: - - name: add-capabilities - image: ghcr.io/kyverno/test-busybox:1.35 - - name: add-capabilities-again - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod01 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod02 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - add: - - SETGID 
---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod03 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - add: - - DAC_OVERRIDE - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - add: - - SETGID ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod04 -spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod05 -spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - add: - - DAC_OVERRIDE - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod06 -spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - add: - - DAC_OVERRIDE - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - add: - - SETGID \ No newline at end of file diff --git a/pod-security-cel/baseline/disallow-capabilities/.chainsaw-test/podcontroller-bad.yaml b/pod-security-cel/baseline/disallow-capabilities/.chainsaw-test/podcontroller-bad.yaml deleted file mode 100644 index 9307c1c14..000000000 --- a/pod-security-cel/baseline/disallow-capabilities/.chainsaw-test/podcontroller-bad.yaml +++ /dev/null 
@@ -1,377 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment01-new -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: init - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - add: - - AUDIT_WRITE - - NET_ADMIN - - MKNOD - containers: - - name: add-capabilities - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - add: ["SYS_CHROOT", "SETUID", "KILL", "SETGID"] - - name: add-capabilities-again - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - add: ["NET_BIND_SERVICE", "CAP_NET_RAW", "SETFCAP", "FOWNER"] - drop: - - "ALL" ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob01-new -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: Never - initContainers: - - name: init - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - add: - - AUDIT_WRITE - - CHOWN - - MKNOD - containers: - - name: add-capabilities - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - add: ["SYS_CHROOT", "CAP_SYS_ADMIN", "KILL", "SETGID"] - - name: add-capabilities-again - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - add: ["NET_BIND_SERVICE", "SETPCAP", "SETFCAP", "FOWNER"] - drop: - - "ALL" ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment01 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - add: - - NET_RAW ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment02 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: 
ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - add: - - NET_RAW - - SETGID ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment03 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - add: - - NET_RAW - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - add: - - SETGID ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment04 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - add: - - NET_RAW - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - add: - - SETGID ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment05 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - add: - - NET_RAW - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - add: - - SETGID ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment06 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - add: - - NET_RAW - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - add: - - 
SYS_ADMIN ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob01 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - add: - - NET_RAW ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob02 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - add: - - NET_RAW - - SETGID ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob03 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - add: - - NET_RAW - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - add: - - SETGID ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob04 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - add: - - NET_RAW - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - add: - - SETGID ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob05 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - add: - - NET_RAW - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - 
securityContext: - capabilities: - add: - - SETGID ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob06 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - add: - - NET_RAW - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - add: - - SYS_ADMIN ---- \ No newline at end of file diff --git a/pod-security-cel/baseline/disallow-capabilities/.chainsaw-test/podcontroller-good.yaml b/pod-security-cel/baseline/disallow-capabilities/.chainsaw-test/podcontroller-good.yaml deleted file mode 100644 index eb8386d5d..000000000 --- a/pod-security-cel/baseline/disallow-capabilities/.chainsaw-test/podcontroller-good.yaml +++ /dev/null 
@@ -1,338 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment01-new -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: init - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - add: - - AUDIT_WRITE - - CHOWN - - MKNOD - containers: - - name: add-capabilities - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - add: ["SYS_CHROOT", "SETUID", "KILL", "SETGID"] - - name: add-capabilities-again - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - add: ["NET_BIND_SERVICE", "SETPCAP", "SETFCAP", "FOWNER"] - drop: - - "ALL" ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob01-new -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: Never - initContainers: - - name: init - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - add: - - AUDIT_WRITE - - CHOWN - - MKNOD - containers: - - name: add-capabilities - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - add: ["SYS_CHROOT", "SETUID", "KILL", "SETGID"] - - name: add-capabilities-again - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - add: ["NET_BIND_SERVICE", "SETPCAP", "SETFCAP", "FOWNER"] - drop: - - "ALL" ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment01 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment02 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - add: - - 
SETGID ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment03 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - add: - - DAC_OVERRIDE - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - add: - - SETGID ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment04 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment05 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - add: - - DAC_OVERRIDE - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment06 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - add: - - DAC_OVERRIDE - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - add: - - SETGID ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob01 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: batch/v1 -kind: CronJob 
-metadata: - name: goodcronjob02 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - add: - - SETGID ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob03 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - add: - - DAC_OVERRIDE - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - add: - - SETGID ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob04 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob05 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - add: - - DAC_OVERRIDE - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob06 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - add: - - DAC_OVERRIDE - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - add: - - SETGID 
diff --git a/pod-security-cel/baseline/disallow-capabilities/.chainsaw-test/policy-ready.yaml b/pod-security-cel/baseline/disallow-capabilities/.chainsaw-test/policy-ready.yaml deleted file mode 100755 index ab17d56d2..000000000 --- a/pod-security-cel/baseline/disallow-capabilities/.chainsaw-test/policy-ready.yaml +++ /dev/null @@ -1,10 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: disallow-capabilities -status: - conditions: - - reason: Succeeded - status: "True" - type: Ready - diff --git a/pod-security-cel/baseline/disallow-capabilities/.kyverno-test/kyverno-test.yaml b/pod-security-cel/baseline/disallow-capabilities/.kyverno-test/kyverno-test.yaml index 9f5a9450b..8baf87795 100644 --- a/pod-security-cel/baseline/disallow-capabilities/.kyverno-test/kyverno-test.yaml +++ b/pod-security-cel/baseline/disallow-capabilities/.kyverno-test/kyverno-test.yaml @@ -5,7 +5,7 @@ metadata: policies: - ../disallow-capabilities.yaml resources: -- resource.yaml +- ../../../../pod-security/baseline/disallow-capabilities/.kyverno-test/resource.yaml results: - kind: CronJob policy: disallow-capabilities diff --git a/pod-security-cel/baseline/disallow-capabilities/.kyverno-test/resource.yaml b/pod-security-cel/baseline/disallow-capabilities/.kyverno-test/resource.yaml deleted file mode 100644 index 304573c44..000000000 --- a/pod-security-cel/baseline/disallow-capabilities/.kyverno-test/resource.yaml +++ /dev/null 
@@ -1,777 +0,0 @@ -###### Pods - Bad ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod01 -spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - capabilities: - add: - - NET_RAW ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod02 -spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - capabilities: - add: - - NET_RAW - - SETGID ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod03 -spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - capabilities: - add: - - NET_RAW - - name: container02 - image: dummyimagename - securityContext: - capabilities: - add: - - SETGID ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod04 -spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - capabilities: - add: - - NET_RAW - containers: - - name: container01 - image: dummyimagename - securityContext: - capabilities: - add: - - SETGID ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod05 -spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - - name: initcontainer02 - image: dummyimagename - securityContext: - capabilities: - add: - - NET_RAW - containers: - - name: container01 - image: dummyimagename - securityContext: - capabilities: - add: - - SETGID ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod06 -spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - capabilities: - add: - - NET_RAW - containers: - - name: container01 - image: dummyimagename - securityContext: - capabilities: - add: - - SYS_ADMIN ---- -###### Pods - Good -apiVersion: v1 -kind: Pod -metadata: - name: goodpod01 -spec: - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod02 -spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - capabilities: - add: - - SETGID ---- -apiVersion: v1 
-kind: Pod -metadata: - name: goodpod03 -spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - capabilities: - add: - - DAC_OVERRIDE - - name: container02 - image: dummyimagename - securityContext: - capabilities: - add: - - SETGID ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod04 -spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod05 -spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - capabilities: - add: - - DAC_OVERRIDE - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod06 -spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - capabilities: - add: - - DAC_OVERRIDE - containers: - - name: container01 - image: dummyimagename - securityContext: - capabilities: - add: - - SETGID ---- -###### Deployments - Bad -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment01 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - capabilities: - add: - - NET_RAW ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment02 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - capabilities: - add: - - NET_RAW - - SETGID ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment03 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - capabilities: - add: - - NET_RAW - - name: container02 - 
image: dummyimagename - securityContext: - capabilities: - add: - - SETGID ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment04 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - capabilities: - add: - - NET_RAW - containers: - - name: container01 - image: dummyimagename - securityContext: - capabilities: - add: - - SETGID ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment05 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - - name: initcontainer02 - image: dummyimagename - securityContext: - capabilities: - add: - - NET_RAW - containers: - - name: container01 - image: dummyimagename - securityContext: - capabilities: - add: - - SETGID ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment06 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - capabilities: - add: - - NET_RAW - containers: - - name: container01 - image: dummyimagename - securityContext: - capabilities: - add: - - SYS_ADMIN ---- -###### Deployments - Good -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment01 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment02 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - capabilities: - add: - - SETGID ---- 
-apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment03 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - capabilities: - add: - - DAC_OVERRIDE - - name: container02 - image: dummyimagename - securityContext: - capabilities: - add: - - SETGID ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment04 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment05 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - capabilities: - add: - - DAC_OVERRIDE - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment06 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - capabilities: - add: - - DAC_OVERRIDE - containers: - - name: container01 - image: dummyimagename - securityContext: - capabilities: - add: - - SETGID ---- -###### CronJobs - Bad -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob01 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - securityContext: - capabilities: - add: - - NET_RAW ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob02 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: 
- restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - securityContext: - capabilities: - add: - - NET_RAW - - SETGID ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob03 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - securityContext: - capabilities: - add: - - NET_RAW - - name: container02 - image: dummyimagename - securityContext: - capabilities: - add: - - SETGID ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob04 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - capabilities: - add: - - NET_RAW - containers: - - name: container01 - image: dummyimagename - securityContext: - capabilities: - add: - - SETGID ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob05 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: dummyimagename - - name: initcontainer02 - image: dummyimagename - securityContext: - capabilities: - add: - - NET_RAW - containers: - - name: container01 - image: dummyimagename - securityContext: - capabilities: - add: - - SETGID ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob06 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - capabilities: - add: - - NET_RAW - containers: - - name: container01 - image: dummyimagename - securityContext: - capabilities: - add: - - SYS_ADMIN ---- -###### CronJobs - Good -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob01 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - 
spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob02 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - securityContext: - capabilities: - add: - - SETGID ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob03 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - securityContext: - capabilities: - add: - - DAC_OVERRIDE - - name: container02 - image: dummyimagename - securityContext: - capabilities: - add: - - SETGID ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob04 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: dummyimagename - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob05 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - capabilities: - add: - - DAC_OVERRIDE - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob06 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - capabilities: - add: - - DAC_OVERRIDE - containers: - - name: container01 - image: dummyimagename - securityContext: - capabilities: - add: - - SETGID 
diff --git a/pod-security-cel/baseline/disallow-capabilities/artifacthub-pkg.yml b/pod-security-cel/baseline/disallow-capabilities/artifacthub-pkg.yml index e1b03f650..0dcf744a6 100644 --- a/pod-security-cel/baseline/disallow-capabilities/artifacthub-pkg.yml +++ b/pod-security-cel/baseline/disallow-capabilities/artifacthub-pkg.yml @@ -17,7 +17,7 @@ readme: | Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ annotations: kyverno/category: "Pod Security Standards (Baseline) in CEL" - kyverno/kubernetesVersion: "1.26-1.27" + kyverno/kubernetesVersion: "1.22-1.23" kyverno/subject: "Pod" -digest: 581bbe2061d08871889e18bc5a6f58102da467d4fa164084970d96ab2ef3c202 -createdAt: "2024-08-21T00:22:33Z" +digest: 6a0ace9b1f5b3f25b34117db4936ba32c4fcbbdfe3d0dba9e61b6152dede3a53 +createdAt: "2023-12-03T00:22:33Z" diff --git a/pod-security-cel/baseline/disallow-capabilities/disallow-capabilities.yaml b/pod-security-cel/baseline/disallow-capabilities/disallow-capabilities.yaml index b423f426b..fc2a7e7e9 100644 --- a/pod-security-cel/baseline/disallow-capabilities/disallow-capabilities.yaml +++ b/pod-security-cel/baseline/disallow-capabilities/disallow-capabilities.yaml 
@@ -21,21 +21,40 @@ spec: - resources: kinds: - Pod - operations: - - CREATE - - UPDATE validate: cel: - variables: - - name: allowedCapabilities - expression: "['AUDIT_WRITE','CHOWN','DAC_OVERRIDE','FOWNER','FSETID','KILL','MKNOD','NET_BIND_SERVICE','SETFCAP','SETGID','SETPCAP','SETUID','SYS_CHROOT']" - - name: allContainers - expression: "(object.spec.containers + (has(object.spec.initContainers) ? object.spec.initContainers : []) + (has(object.spec.ephemeralContainers) ? object.spec.ephemeralContainers : []))" expressions: - expression: >- - variables.allContainers.all(container, - container.?securityContext.?capabilities.?add.orValue([]).all(capability, capability == '' || - capability in variables.allowedCapabilities)) + object.spec.containers.all(container, + !has(container.securityContext) || + !has(container.securityContext.capabilities) || + !has(container.securityContext.capabilities.add) || + container.securityContext.capabilities.add.all(capability, + ['AUDIT_WRITE','CHOWN','DAC_OVERRIDE','FOWNER','FSETID','KILL','MKNOD','NET_BIND_SERVICE','SETFCAP','SETGID','SETPCAP','SETUID','SYS_CHROOT'].exists(secureCapability, secureCapability == capability))) + message: >- + Any capabilities added beyond the allowed list (AUDIT_WRITE, CHOWN, DAC_OVERRIDE, FOWNER, + FSETID, KILL, MKNOD, NET_BIND_SERVICE, SETFCAP, SETGID, SETPCAP, SETUID, SYS_CHROOT) + are disallowed. 
+ + - expression: >- + !has(object.spec.initContainers) || + object.spec.initContainers.all(container, !has(container.securityContext) || + !has(container.securityContext.capabilities) || + !has(container.securityContext.capabilities.add) || + container.securityContext.capabilities.add.all(capability, + ['AUDIT_WRITE','CHOWN','DAC_OVERRIDE','FOWNER','FSETID','KILL','MKNOD','NET_BIND_SERVICE','SETFCAP','SETGID','SETPCAP','SETUID','SYS_CHROOT'].exists(secureCapability, secureCapability == capability))) + message: >- + Any capabilities added beyond the allowed list (AUDIT_WRITE, CHOWN, DAC_OVERRIDE, FOWNER, + FSETID, KILL, MKNOD, NET_BIND_SERVICE, SETFCAP, SETGID, SETPCAP, SETUID, SYS_CHROOT) + are disallowed. + + - expression: >- + !has(object.spec.ephemeralContainers) || + object.spec.ephemeralContainers.all(container, !has(container.securityContext) || + !has(container.securityContext.capabilities) || + !has(container.securityContext.capabilities.add) || + container.securityContext.capabilities.add.all(capability, + ['AUDIT_WRITE','CHOWN','DAC_OVERRIDE','FOWNER','FSETID','KILL','MKNOD','NET_BIND_SERVICE','SETFCAP','SETGID','SETPCAP','SETUID','SYS_CHROOT'].exists(secureCapability, secureCapability == capability))) message: >- Any capabilities added beyond the allowed list (AUDIT_WRITE, CHOWN, DAC_OVERRIDE, FOWNER, FSETID, KILL, MKNOD, NET_BIND_SERVICE, SETFCAP, SETGID, SETPCAP, SETUID, SYS_CHROOT) diff --git a/pod-security-cel/baseline/disallow-host-namespaces/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/pod-security-cel/baseline/disallow-host-namespaces/.chainsaw-test/chainsaw-step-01-assert-1.yaml new file mode 100755 index 000000000..728930b26 --- /dev/null +++ b/pod-security-cel/baseline/disallow-host-namespaces/.chainsaw-test/chainsaw-step-01-assert-1.yaml @@ -0,0 +1,6 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: disallow-host-namespaces +status: + ready: true 
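Review bot: The allowed-capability list is now written out three times, once per container list, so a future edit that touches one copy and not the others would leave containers and initContainers or ephemeralContainers enforcing different allowlists with no error from Kyverno; the removed `variables` block kept it in one place, and if the target Kyverno version cannot use `variables` a comment above the first expression, `# allowlist is repeated verbatim in the initContainers and ephemeralContainers expressions below; change all three together`, should say so. Each `.exists(secureCapability, secureCapability == capability)` can be written as `capability in [...]`, which reads as the membership test it is. The removed expression also accepted `capability == ''`; the new expressions reject an empty-string entry, which is stricter and presumably fine, but it is a behaviour change worth a sentence in the policy description. Dropping `operations: CREATE/UPDATE` widens the match; if the cluster's Kyverno evaluates this rule on other operations, `object.spec.containers` may not be present there — confirm the default for the version this now targets.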
diff --git a/pod-security-cel/baseline/disallow-host-namespaces/.chainsaw-test/chainsaw-test.yaml b/pod-security-cel/baseline/disallow-host-namespaces/.chainsaw-test/chainsaw-test.yaml index efad5c669..b0a048c35 100755 --- a/pod-security-cel/baseline/disallow-host-namespaces/.chainsaw-test/chainsaw-test.yaml +++ b/pod-security-cel/baseline/disallow-host-namespaces/.chainsaw-test/chainsaw-test.yaml 
@@ -1,40 +1,37 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: creationTimestamp: null name: disallow-host-namespaces spec: - # disable templating because it can cause issues with CEL expressions - template: false steps: - name: step-01 try: - - apply: - file: ../disallow-host-namespaces.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: disallow-host-namespaces - spec: - validationFailureAction: Enforce + - script: + content: | + sed 's/validationFailureAction: Audit/validationFailureAction: Enforce/' ../disallow-host-namespaces.yaml | kubectl create -f - - assert: - file: policy-ready.yaml + file: chainsaw-step-01-assert-1.yaml - name: step-02 try: - apply: - file: pod-good.yaml + file: ../../../../pod-security/baseline/disallow-host-namespaces/.chainsaw-test/pod-good.yaml - apply: expect: - check: ($error != null): true - file: pod-bad.yaml + file: ../../../../pod-security/baseline/disallow-host-namespaces/.chainsaw-test/pod-bad.yaml - apply: - file: podcontroller-good.yaml + file: ../../../../pod-security/baseline/disallow-host-namespaces/.chainsaw-test/podcontroller-good.yaml - apply: expect: - check: ($error != null): true - file: podcontroller-bad.yaml + file: ../../../../pod-security/baseline/disallow-host-namespaces/.chainsaw-test/podcontroller-bad.yaml + - name: step-99 + try: + - delete: + ref: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: disallow-host-namespaces diff --git a/pod-security-cel/baseline/disallow-host-namespaces/.chainsaw-test/pod-bad.yaml b/pod-security-cel/baseline/disallow-host-namespaces/.chainsaw-test/pod-bad.yaml deleted file mode 100644 index 76850d7f6..000000000 --- a/pod-security-cel/baseline/disallow-host-namespaces/.chainsaw-test/pod-bad.yaml +++ /dev/null 
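Review bot: The ClusterPolicy created by the step-01 script is only removed by step-99, and as far as I can tell chainsaw does not reach later steps once step-02 fails, so a failing run leaves a cluster-scoped policy in Enforce mode behind for every other test on that cluster, and the next run's `kubectl create` then fails on the already-existing object rather than on the policy under test. Moving the delete under step-01's `cleanup:` (or `finally:`) ties its lifetime to the step that created it. The `sed` rewrite is also brittle: if the policy file's field is spelled any other way or is already Enforce, the substitution is a silent no-op and the `($error != null): true` expectations in step-02 fail for a reason unrelated to the policy logic, so a comment stating the assumed source value, `# assumes ../disallow-host-namespaces.yaml sets validationFailureAction: Audit`, would save the next reader a debugging round.
```yaml
  - name: step-01
    # … unchanged: try (script + assert) …
    cleanup:
      - delete:
          ref:
            apiVersion: kyverno.io/v1
            kind: ClusterPolicy
            name: disallow-host-namespaces
  # … unchanged: step-02; step-99 dropped …
```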
@@ -1,92 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: badpod01-new -spec: - hostPID: true - hostIPC: false - hostNetwork: false - containers: - - name: busybox01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod02-new -spec: - hostIPC: true - containers: - - name: busybox01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod03-new -spec: - hostNetwork: true - containers: - - name: busybox01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod04-new -spec: - hostPID: false - hostIPC: true - hostNetwork: true - containers: - - name: busybox01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod01 -spec: - hostPID: true - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod02 -spec: - hostIPC: true - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod03 -spec: - hostNetwork: true - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod04 -spec: - hostPID: true - hostIPC: true - hostNetwork: true - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- \ No newline at end of file diff --git a/pod-security-cel/baseline/disallow-host-namespaces/.chainsaw-test/pod-good.yaml b/pod-security-cel/baseline/disallow-host-namespaces/.chainsaw-test/pod-good.yaml deleted file mode 100644 index c6471fc77..000000000 --- a/pod-security-cel/baseline/disallow-host-namespaces/.chainsaw-test/pod-good.yaml +++ /dev/null 
@@ -1,110 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: goodpod01-new -spec: - containers: - - name: busybox01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod02-new -spec: - hostPID: false - containers: - - name: busybox01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod03-new -spec: - hostIPC: false - containers: - - name: busybox01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod04-new -spec: - hostNetwork: false - containers: - - name: busybox01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod05-new -spec: - hostPID: false - hostIPC: false - hostNetwork: false - containers: - - name: busybox01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod01 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod02 -spec: - hostPID: false - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod03 -spec: - hostIPC: false - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod04 -spec: - hostNetwork: false - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod05 -spec: - hostPID: false - hostIPC: false - hostNetwork: false - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- \ No newline at end of file 
diff --git a/pod-security-cel/baseline/disallow-host-namespaces/.chainsaw-test/podcontroller-bad.yaml b/pod-security-cel/baseline/disallow-host-namespaces/.chainsaw-test/podcontroller-bad.yaml deleted file mode 100644 index 61fd6af18..000000000 --- a/pod-security-cel/baseline/disallow-host-namespaces/.chainsaw-test/podcontroller-bad.yaml +++ /dev/null 
@@ -1,186 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment01-new -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - hostPID: false - hostIPC: true - hostNetwork: false - containers: - - name: busybox01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob01-new -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: Never - hostPID: true - hostIPC: false - containers: - - name: busybox01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment01 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - hostPID: true - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment02 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - hostIPC: true - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment03 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - hostNetwork: true - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment04 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - hostPID: true - hostIPC: true - hostNetwork: true - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: 
badcronjob01 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - hostPID: true - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob02 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - hostIPC: true - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob03 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - hostNetwork: true - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob04 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - hostPID: true - hostIPC: true - hostNetwork: true - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- \ No newline at end of file diff --git a/pod-security-cel/baseline/disallow-host-namespaces/.chainsaw-test/podcontroller-good.yaml b/pod-security-cel/baseline/disallow-host-namespaces/.chainsaw-test/podcontroller-good.yaml deleted file mode 100644 index 07581653c..000000000 --- a/pod-security-cel/baseline/disallow-host-namespaces/.chainsaw-test/podcontroller-good.yaml +++ /dev/null 
@@ -1,218 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment01-new -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - hostPID: false - hostIPC: false - hostNetwork: false - containers: - - name: busybox01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob01-new -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: Never - hostPID: false - hostIPC: false - containers: - - name: busybox01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment01 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment02 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - hostPID: false - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment03 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - hostIPC: false - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment04 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - hostNetwork: false - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment05 -spec: - replicas: 1 - 
selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - hostPID: false - hostIPC: false - hostNetwork: false - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob01 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob02 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - hostPID: false - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob03 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - hostIPC: false - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob04 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - hostNetwork: false - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob05 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - hostPID: false - hostIPC: false - hostNetwork: false - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 diff --git a/pod-security-cel/baseline/disallow-host-namespaces/.chainsaw-test/policy-ready.yaml b/pod-security-cel/baseline/disallow-host-namespaces/.chainsaw-test/policy-ready.yaml deleted file mode 100755 index 8e1525f8e..000000000 --- a/pod-security-cel/baseline/disallow-host-namespaces/.chainsaw-test/policy-ready.yaml +++ /dev/null 
@@ -1,10 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: disallow-host-namespaces -status: - conditions: - - reason: Succeeded - status: "True" - type: Ready - diff --git a/pod-security-cel/baseline/disallow-host-namespaces/.kyverno-test/kyverno-test.yaml b/pod-security-cel/baseline/disallow-host-namespaces/.kyverno-test/kyverno-test.yaml index 4e6facf71..a8c7c4b39 100644 --- a/pod-security-cel/baseline/disallow-host-namespaces/.kyverno-test/kyverno-test.yaml +++ b/pod-security-cel/baseline/disallow-host-namespaces/.kyverno-test/kyverno-test.yaml @@ -5,7 +5,7 @@ metadata: policies: - ../disallow-host-namespaces.yaml resources: -- resource.yaml +- ../../../../pod-security/baseline/disallow-host-namespaces/.kyverno-test/resource.yaml results: - kind: CronJob policy: disallow-host-namespaces diff --git a/pod-security-cel/baseline/disallow-host-namespaces/.kyverno-test/resource.yaml b/pod-security-cel/baseline/disallow-host-namespaces/.kyverno-test/resource.yaml deleted file mode 100644 index 039ab8b27..000000000 --- a/pod-security-cel/baseline/disallow-host-namespaces/.kyverno-test/resource.yaml +++ /dev/null 
@@ -1,420 +0,0 @@ -###### Pods - Bad ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod01 -spec: - hostPID: true - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod02 -spec: - hostIPC: true - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod03 -spec: - hostNetwork: true - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod04 -spec: - hostPID: true - hostIPC: true - hostNetwork: true - containers: - - name: container01 - image: dummyimagename ---- -###### Pods - Good -apiVersion: v1 -kind: Pod -metadata: - name: goodpod01 -spec: - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod02 -spec: - hostPID: false - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod03 -spec: - hostIPC: false - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod04 -spec: - hostNetwork: false - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod05 -spec: - hostPID: false - hostIPC: false - hostNetwork: false - containers: - - name: container01 - image: dummyimagename ---- -###### Deployments - Bad -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment01 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - hostPID: true - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment02 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - hostIPC: true - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: 
apps/v1 -kind: Deployment -metadata: - name: baddeployment03 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - hostNetwork: true - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment04 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - hostPID: true - hostIPC: true - hostNetwork: true - containers: - - name: container01 - image: dummyimagename ---- -###### Deployments - Good -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment01 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment02 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - hostPID: false - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment03 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - hostIPC: false - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment04 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - hostNetwork: false - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment05 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - hostPID: false - hostIPC: false - hostNetwork: false - containers: - - name: container01 - image: dummyimagename ---- -###### CronJobs - Bad -apiVersion: 
batch/v1 -kind: CronJob -metadata: - name: badcronjob01 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - hostPID: true - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob02 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - hostIPC: true - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob03 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - hostNetwork: true - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob04 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - hostPID: true - hostIPC: true - hostNetwork: true - containers: - - name: container01 - image: dummyimagename ---- -###### CronJobs - Good -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob01 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob02 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - hostPID: false - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob03 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - hostIPC: false - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob04 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - hostNetwork: 
false - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob05 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - hostPID: false - hostIPC: false - hostNetwork: false - containers: - - name: container01 - image: dummyimagename diff --git a/pod-security-cel/baseline/disallow-host-namespaces/artifacthub-pkg.yml b/pod-security-cel/baseline/disallow-host-namespaces/artifacthub-pkg.yml index ede51bb0e..f529ee080 100644 --- a/pod-security-cel/baseline/disallow-host-namespaces/artifacthub-pkg.yml +++ b/pod-security-cel/baseline/disallow-host-namespaces/artifacthub-pkg.yml @@ -17,7 +17,7 @@ readme: | Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ annotations: kyverno/category: "Pod Security Standards (Baseline) in CEL" - kyverno/kubernetesVersion: "1.26-1.27" + kyverno/kubernetesVersion: "1.22-1.23" kyverno/subject: "Pod" -digest: 52a739e283afddd9c023a5d0b0d8822008a2923f7c0b5544a43cb76540c2c1f9 -createdAt: "2024-08-21T00:22:34Z" +digest: 82a3924f4d25ed9bfc8e49395c7b0e8922f5ad0573830747dd3cf96dfb93ad7a +createdAt: "2023-12-03T00:22:34Z" diff --git a/pod-security-cel/baseline/disallow-host-namespaces/disallow-host-namespaces.yaml b/pod-security-cel/baseline/disallow-host-namespaces/disallow-host-namespaces.yaml index 2fafe9e33..99f7f13d4 100644 --- a/pod-security-cel/baseline/disallow-host-namespaces/disallow-host-namespaces.yaml +++ b/pod-security-cel/baseline/disallow-host-namespaces/disallow-host-namespaces.yaml 
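Review bot: `kyverno/kubernetesVersion` is rewound from "1.26-1.27" to "1.22-1.23" and `createdAt` from 2024-08-21 back to 2023-12-03 while the digest changes, which reads as a revert of an earlier metadata update rather than a fresh compatibility statement. The policy this package describes uses a `validate.cel` subrule, so the supported-version window should be whatever that CEL rule was actually exercised against; if the 1.22-1.23 range was copied from the non-CEL counterpart, it likely overstates support. Moving `createdAt` backwards may also change how the package registry orders versions, so confirm that is intended. The artifacthub-pkg.yml hunk for disallow-host-path further down has the same two changes.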
@@ -24,16 +24,13 @@ spec:
 - resources:
 kinds:
 - Pod
- operations:
- - CREATE
- - UPDATE
 validate:
 cel:
 expressions:
 - expression: >-
- ( object.spec.?hostNetwork.orValue(false) == false) &&
- ( object.spec.?hostIPC.orValue(false) == false) &&
- ( object.spec.?hostPID.orValue(false) == false)
+ (!has(object.spec.hostNetwork) || object.spec.hostNetwork == false) &&
+ (!has(object.spec.hostIPC) || object.spec.hostIPC == false) &&
+ (!has(object.spec.hostPID) || object.spec.hostPID == false)
 message: >-
 Sharing the host namespaces is disallowed. The fields spec.hostNetwork, spec.hostIPC, and spec.hostPID must be unset or set to `false`.
diff --git a/pod-security-cel/baseline/disallow-host-path/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/pod-security-cel/baseline/disallow-host-path/.chainsaw-test/chainsaw-step-01-assert-1.yaml
new file mode 100755
index 000000000..5bc41e9b1
--- /dev/null
+++ b/pod-security-cel/baseline/disallow-host-path/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -0,0 +1,6 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: disallow-host-path
+status:
+ ready: true
diff --git a/pod-security-cel/baseline/disallow-host-path/.chainsaw-test/chainsaw-test.yaml b/pod-security-cel/baseline/disallow-host-path/.chainsaw-test/chainsaw-test.yaml
index f23c82367..9ec93936f 100755
--- a/pod-security-cel/baseline/disallow-host-path/.chainsaw-test/chainsaw-test.yaml
+++ b/pod-security-cel/baseline/disallow-host-path/.chainsaw-test/chainsaw-test.yaml
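Review bot: Dropping the explicit `operations:` list from the match block changes which admission operations this rule is evaluated for, and that part of the change is not obviously equivalent to what it replaces. Kyverno's behaviour when `operations` is omitted is a defaulting rule rather than something visible in this file, so either keep `operations:` / `- CREATE` / `- UPDATE` under `resources:` or add a comment stating the intended default, e.g. `# operations omitted on purpose: rule relies on Kyverno's default admission operations`. The three rewritten expressions (`!has(object.spec.hostNetwork) || object.spec.hostNetwork == false` and its siblings) accept the same inputs as the optional-field form they replace, since an unset boolean and an explicit `false` both pass; that part looks fine. The disallow-host-path policy hunk later in this diff removes the same `operations` list.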
@@ -1,40 +1,37 @@
-# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
 apiVersion: chainsaw.kyverno.io/v1alpha1
 kind: Test
 metadata:
 creationTimestamp: null
 name: disallow-host-path
 spec:
- # disable templating because it can cause issues with CEL expressions
- template: false
 steps:
 - name: step-01
 try:
- - apply:
- file: ../disallow-host-path.yaml
- - patch:
- resource:
- apiVersion: kyverno.io/v1
- kind: ClusterPolicy
- metadata:
- name: disallow-host-path
- spec:
- validationFailureAction: Enforce
+ - script:
+ content: |
+ sed 's/validationFailureAction: Audit/validationFailureAction: Enforce/' ../disallow-host-path.yaml | kubectl create -f -
 - assert:
- file: policy-ready.yaml
+ file: chainsaw-step-01-assert-1.yaml
 - name: step-02
 try:
 - apply:
- file: pod-good.yaml
+ file: ../../../../pod-security/baseline/disallow-host-path/.chainsaw-test/pod-good.yaml
 - apply:
 expect:
 - check:
 ($error != null): true
- file: pod-bad.yaml
+ file: ../../../../pod-security/baseline/disallow-host-path/.chainsaw-test/pod-bad.yaml
 - apply:
- file: podcontroller-good.yaml
+ file: ../../../../pod-security/baseline/disallow-host-path/.chainsaw-test/podcontroller-good.yaml
 - apply:
 expect:
 - check:
 ($error != null): true
- file: podcontroller-bad.yaml
+ file: ../../../../pod-security/baseline/disallow-host-path/.chainsaw-test/podcontroller-bad.yaml
+ - name: step-99
+ try:
+ - delete:
+ ref:
+ apiVersion: kyverno.io/v1
+ kind: ClusterPolicy
+ name: disallow-host-path
diff --git a/pod-security-cel/baseline/disallow-host-path/.chainsaw-test/pod-bad.yaml b/pod-security-cel/baseline/disallow-host-path/.chainsaw-test/pod-bad.yaml
deleted file mode 100644
index ada442cc5..000000000
--- a/pod-security-cel/baseline/disallow-host-path/.chainsaw-test/pod-bad.yaml
+++ /dev/null
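Review bot: The new step-01 switches the policy to Enforce by text substitution (`sed 's/validationFailureAction: Audit/validationFailureAction: Enforce/'`), but chainsaw-step-01-assert-1.yaml only checks `status.ready: true`, so a policy file that does not contain that exact string is created in Audit mode and the test only fails in step-02, when a bad-resource apply unexpectedly succeeds, far from the cause. Adding `spec:` / `  validationFailureAction: Enforce` to the step-01 assert file pins the mode where it is set. Replacing the typed `apply` + `patch` with a shell pipeline also gives up the declarative resource chainsaw could compare, and the pipeline has no `set -o pipefail`, so a sed failure is reported only indirectly through kubectl's empty-input error. The step-02 fixtures now come from the non-CEL policy's .chainsaw-test directory, while the deleted local pod-bad.yaml and pod-good.yaml carried `-new` cases (mixed emptyDir/hostPath volumes, configMap volumes) that the shared files may not contain, so confirm that coverage is preserved. The disallow-host-ports-range chainsaw-test hunk below has the same structure and the same points apply there.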
@@ -1,83 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: badpod01-new -spec: - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 - volumes: - - name: empty - emptyDir: - medium: memory - sizeLimit: 20Mi - - name: bar - hostPath: - path: /etc/junk ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod02-new -spec: - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 - volumes: - - name: foo - hostPath: - path: /home/junk - - name: empty - emptyDir: - medium: memory - sizeLimit: 20Mi ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod03-new -spec: - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 - volumes: - - name: foo - hostPath: - path: /home/junk ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod01 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - volumeMounts: - - name: udev - mountPath: /data - volumes: - - name: udev - hostPath: - path: /etc/udev ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod02 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - volumeMounts: - - name: udev - mountPath: /data - - name: temp - mountPath: /scratch - volumes: - - name: temp - emptyDir: {} - - name: udev - hostPath: - path: /etc/udev ---- \ No newline at end of file diff --git a/pod-security-cel/baseline/disallow-host-path/.chainsaw-test/pod-good.yaml b/pod-security-cel/baseline/disallow-host-path/.chainsaw-test/pod-good.yaml deleted file mode 100644 index 76c5baa0c..000000000 --- a/pod-security-cel/baseline/disallow-host-path/.chainsaw-test/pod-good.yaml +++ /dev/null 
@@ -1,69 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: goodpod01-new -spec: - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 - volumes: - - name: empty - emptyDir: - sizeLimit: 100Mi - - name: empty-again - emptyDir: - sizeLimit: 20Mi ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod02-new -spec: - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 - volumes: - - name: empty - emptyDir: - medium: memory - sizeLimit: 20Mi - - name: config-vol - configMap: - name: foo - items: - - key: foo - path: bar ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod03-new -spec: - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod01 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod02 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - volumeMounts: - - name: temp - mountPath: /scratch - volumes: - - name: temp - emptyDir: {} ---- \ No newline at end of file diff --git a/pod-security-cel/baseline/disallow-host-path/.chainsaw-test/podcontroller-bad.yaml b/pod-security-cel/baseline/disallow-host-path/.chainsaw-test/podcontroller-bad.yaml deleted file mode 100644 index ab34a002a..000000000 --- a/pod-security-cel/baseline/disallow-host-path/.chainsaw-test/podcontroller-bad.yaml +++ /dev/null 
@@ -1,154 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app: busybox - name: baddeployment01-new -spec: - replicas: 1 - selector: - matchLabels: - app: busybox - strategy: {} - template: - metadata: - labels: - app: busybox - spec: - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 - volumes: - - name: empty - emptyDir: - medium: memory - sizeLimit: 20Mi - - name: bar - hostPath: - path: /etc/junk ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob01-new -spec: - schedule: "* * * * *" - jobTemplate: - spec: - template: - spec: - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 - volumes: - - name: bar - hostPath: - path: /etc/junk - - name: empty - emptyDir: - medium: memory - sizeLimit: 20Mi - restartPolicy: OnFailure ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment01 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - volumeMounts: - - name: udev - mountPath: /data - volumes: - - name: udev - hostPath: - path: /etc/udev ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment02 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - volumeMounts: - - name: udev - mountPath: /data - - name: temp - mountPath: /scratch - volumes: - - name: temp - emptyDir: {} - - name: udev - hostPath: - path: /etc/udev ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob01 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - volumeMounts: - - name: udev - mountPath: /data - volumes: - - name: udev - hostPath: - path: 
/etc/udev ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob02 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - volumeMounts: - - name: udev - mountPath: /data - - name: temp - mountPath: /scratch - volumes: - - name: temp - emptyDir: {} - - name: udev - hostPath: - path: /etc/udev ---- diff --git a/pod-security-cel/baseline/disallow-host-path/.chainsaw-test/podcontroller-good.yaml b/pod-security-cel/baseline/disallow-host-path/.chainsaw-test/podcontroller-good.yaml deleted file mode 100644 index e57aa7df5..000000000 --- a/pod-security-cel/baseline/disallow-host-path/.chainsaw-test/podcontroller-good.yaml +++ /dev/null 
@@ -1,135 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app: busybox - name: gooddeployment01-new -spec: - replicas: 1 - selector: - matchLabels: - app: busybox - strategy: {} - template: - metadata: - labels: - app: busybox - spec: - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 - volumes: - - name: empty - emptyDir: - medium: memory - sizeLimit: 20Mi - - name: config-vol - configMap: - name: foo - items: - - key: foo - path: bar ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob01-new -spec: - schedule: "* * * * *" - jobTemplate: - spec: - template: - spec: - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 - volumes: - - name: empty - emptyDir: - medium: memory - sizeLimit: 20Mi - - name: config-vol - configMap: - name: foo - items: - - key: foo - path: bar - restartPolicy: OnFailure ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment01 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment02 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - volumeMounts: - - name: temp - mountPath: /scratch - volumes: - - name: temp - emptyDir: {} ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob01 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob02 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: 
container01
- image: ghcr.io/kyverno/test-busybox:1.35
- volumeMounts:
- - name: temp
- mountPath: /scratch
- volumes:
- - name: temp
- emptyDir: {}
diff --git a/pod-security-cel/baseline/disallow-host-path/.chainsaw-test/policy-ready.yaml b/pod-security-cel/baseline/disallow-host-path/.chainsaw-test/policy-ready.yaml
deleted file mode 100755
index 2093a5bc4..000000000
--- a/pod-security-cel/baseline/disallow-host-path/.chainsaw-test/policy-ready.yaml
+++ /dev/null
@@ -1,10 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
- name: disallow-host-path
-status:
- conditions:
- - reason: Succeeded
- status: "True"
- type: Ready
-
diff --git a/pod-security-cel/baseline/disallow-host-path/.kyverno-test/kyverno-test.yaml b/pod-security-cel/baseline/disallow-host-path/.kyverno-test/kyverno-test.yaml
index b91fdc650..b0d463ba2 100644
--- a/pod-security-cel/baseline/disallow-host-path/.kyverno-test/kyverno-test.yaml
+++ b/pod-security-cel/baseline/disallow-host-path/.kyverno-test/kyverno-test.yaml
@@ -5,7 +5,7 @@ metadata:
 policies:
 - ../disallow-host-path.yaml
 resources:
-- resource.yaml
+- ../../../../pod-security/baseline/disallow-host-path/.kyverno-test/resource.yaml
 results:
 - kind: CronJob
 policy: disallow-host-path
diff --git a/pod-security-cel/baseline/disallow-host-path/.kyverno-test/resource.yaml b/pod-security-cel/baseline/disallow-host-path/.kyverno-test/resource.yaml
deleted file mode 100644
index b7d0f4208..000000000
--- a/pod-security-cel/baseline/disallow-host-path/.kyverno-test/resource.yaml
+++ /dev/null
@@ -1,246 +0,0 @@ -###### Pods - Bad ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod01 -spec: - containers: - - name: container01 - image: dummyimagename - volumeMounts: - - name: udev - mountPath: /data - volumes: - - name: udev - hostPath: - path: /etc/udev ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod02 -spec: - containers: - - name: container01 - image: dummyimagename - volumeMounts: - - name: udev - mountPath: /data - - name: temp - mountPath: /scratch - volumes: - - name: temp - emptyDir: {} - - name: udev - hostPath: - path: /etc/udev ---- -###### Pods - Good -apiVersion: v1 -kind: Pod -metadata: - name: goodpod01 -spec: - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod02 -spec: - containers: - - name: container01 - image: dummyimagename - volumeMounts: - - name: temp - mountPath: /scratch - volumes: - - name: temp - emptyDir: {} ---- -###### Deployments - Bad -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment01 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - volumeMounts: - - name: udev - mountPath: /data - volumes: - - name: udev - hostPath: - path: /etc/udev ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment02 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - volumeMounts: - - name: udev - mountPath: /data - - name: temp - mountPath: /scratch - volumes: - - name: temp - emptyDir: {} - - name: udev - hostPath: - path: /etc/udev ---- -###### Deployments - Good -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment01 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: 
container01 - image: dummyimagename ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment02 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - volumeMounts: - - name: temp - mountPath: /scratch - volumes: - - name: temp - emptyDir: {} ---- -###### CronJobs - Bad -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob01 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - volumeMounts: - - name: udev - mountPath: /data - volumes: - - name: udev - hostPath: - path: /etc/udev ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob02 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - volumeMounts: - - name: udev - mountPath: /data - - name: temp - mountPath: /scratch - volumes: - - name: temp - emptyDir: {} - - name: udev - hostPath: - path: /etc/udev ---- -###### CronJobs - Good -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob01 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob02 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - volumeMounts: - - name: temp - mountPath: /scratch - volumes: - - name: temp - emptyDir: {} diff --git a/pod-security-cel/baseline/disallow-host-path/artifacthub-pkg.yml b/pod-security-cel/baseline/disallow-host-path/artifacthub-pkg.yml index 88c0ff710..d03566289 100644 
--- a/pod-security-cel/baseline/disallow-host-path/artifacthub-pkg.yml
+++ b/pod-security-cel/baseline/disallow-host-path/artifacthub-pkg.yml
@@ -17,7 +17,7 @@ readme: |
 Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/
 annotations:
 kyverno/category: "Pod Security Standards (Baseline)"
- kyverno/kubernetesVersion: "1.26-1.27"
+ kyverno/kubernetesVersion: "1.22-1.23"
 kyverno/subject: "Pod,Volume"
-digest: e03e92172513193882011b17c9bf4d66af1637a280c0cd6d696db580eea06558
-createdAt: "2024-08-21T00:22:34Z"
+digest: 8f309db940eca3692840c78e2662ff0c25fa718cf0f468b58cdfd4c3d1011274
+createdAt: "2023-12-03T00:22:34Z"
diff --git a/pod-security-cel/baseline/disallow-host-path/disallow-host-path.yaml b/pod-security-cel/baseline/disallow-host-path/disallow-host-path.yaml
index faa358038..c9a2796c5 100644
--- a/pod-security-cel/baseline/disallow-host-path/disallow-host-path.yaml
+++ b/pod-security-cel/baseline/disallow-host-path/disallow-host-path.yaml
@@ -23,11 +23,8 @@ spec:
 - resources:
 kinds:
 - Pod
- operations:
- - CREATE
- - UPDATE
 validate:
 cel:
 expressions:
- - expression: "object.spec.?volumes.orValue([]).all(volume, size(volume) == 0 || !has(volume.hostPath))"
+ - expression: "!has(object.spec.volumes) || object.spec.volumes.all(volume, !has(volume.hostPath))"
 message: "HostPath volumes are forbidden. The field spec.volumes[*].hostPath must be unset"
diff --git a/pod-security-cel/baseline/disallow-host-ports-range/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/pod-security-cel/baseline/disallow-host-ports-range/.chainsaw-test/chainsaw-step-01-assert-1.yaml
new file mode 100755
index 000000000..f4e6012b3
--- /dev/null
+++ b/pod-security-cel/baseline/disallow-host-ports-range/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -0,0 +1,6 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: disallow-host-ports-range
+status:
+ ready: true
diff --git a/pod-security-cel/baseline/disallow-host-ports-range/.chainsaw-test/chainsaw-test.yaml b/pod-security-cel/baseline/disallow-host-ports-range/.chainsaw-test/chainsaw-test.yaml
index 172a4e811..f07516b9d 100755
--- a/pod-security-cel/baseline/disallow-host-ports-range/.chainsaw-test/chainsaw-test.yaml
+++ b/pod-security-cel/baseline/disallow-host-ports-range/.chainsaw-test/chainsaw-test.yaml
@@ -1,40 +1,37 @@
-# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
 apiVersion: chainsaw.kyverno.io/v1alpha1
 kind: Test
 metadata:
 creationTimestamp: null
 name: disallow-host-ports-range
 spec:
- # disable templating because it can cause issues with CEL expressions
- template: false
 steps:
 - name: step-01
 try:
- - apply:
- file: ../disallow-host-ports-range.yaml
- - patch:
- resource:
- apiVersion: kyverno.io/v1
- kind: ClusterPolicy
- metadata:
- name: disallow-host-ports-range
- spec:
- validationFailureAction: Enforce
+ - script:
+ content: |
+ sed 's/validationFailureAction: Audit/validationFailureAction: Enforce/' ../disallow-host-ports-range.yaml | kubectl create -f -
 - assert:
- file: policy-ready.yaml
+ file: chainsaw-step-01-assert-1.yaml
 - name: step-02
 try:
 - apply:
- file: pod-good.yaml
+ file: ../../../../pod-security/baseline/disallow-host-ports-range/.chainsaw-test/pod-good.yaml
 - apply:
 expect:
 - check:
 ($error != null): true
- file: pod-bad.yaml
+ file: ../../../../pod-security/baseline/disallow-host-ports-range/.chainsaw-test/pod-bad.yaml
 - apply:
- file: podcontroller-good.yaml
+ file: ../../../../pod-security/baseline/disallow-host-ports-range/.chainsaw-test/podcontroller-good.yaml
 - apply:
 expect:
 - check:
 ($error != null): true
- file: podcontroller-bad.yaml
+ file: ../../../../pod-security/baseline/disallow-host-ports-range/.chainsaw-test/podcontroller-bad.yaml
+ - name: step-99
+ try:
+ - delete:
+ ref:
+ apiVersion: kyverno.io/v1
+ kind: ClusterPolicy
+ name: disallow-host-ports-range
diff --git a/pod-security-cel/baseline/disallow-host-ports-range/.chainsaw-test/pod-bad.yaml b/pod-security-cel/baseline/disallow-host-ports-range/.chainsaw-test/pod-bad.yaml
deleted file mode 100644
index ab8ca032b..000000000
--- a/pod-security-cel/baseline/disallow-host-ports-range/.chainsaw-test/pod-bad.yaml
+++ /dev/null
@@ -1,244 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: badpod01-new -spec: - initContainers: - - name: init - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - containerPort: 1234 - hostPort: 8090 - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 - - name: busybox-again - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - containerPort: 8099 - - hostPort: 8090 - containerPort: 8080 ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod02-new -spec: - initContainers: - - name: init - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - containerPort: 8090 - - name: init-again - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - containerPort: 8090 - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - containerPort: 8090 - hostPort: 8090 - - containerPort: 8099 ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod03-new -spec: - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - containerPort: 8090 - hostPort: 8090 ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod01 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - name: dns - containerPort: 5553 - hostPort: 53 ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod02 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - name: admin - containerPort: 8000 - protocol: TCP - - name: dns - containerPort: 5553 - hostPort: 53 - protocol: UDP ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod03 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - name: admin - containerPort: 8000 - protocol: TCP - - name: dns - containerPort: 5553 - hostPort: 53 - protocol: UDP ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod04 -spec: - containers: - - name: container01 - image: 
ghcr.io/kyverno/test-busybox:1.35 - ports: - - name: admin - containerPort: 8000 - protocol: TCP - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - name: dns - containerPort: 5553 - hostPort: 53 - protocol: UDP ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod05 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - name: web-secure - containerPort: 4443 - hostPort: 443 - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - name: dns - containerPort: 5553 - hostPort: 53 - protocol: UDP ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod06 -spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - name: dns - containerPort: 5553 - hostPort: 53 ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod07 -spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - name: admin - containerPort: 8000 - protocol: TCP - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - name: dns - containerPort: 5553 - hostPort: 53 ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod08 -spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - name: admin - containerPort: 8000 - protocol: TCP - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - name: dns - containerPort: 5553 - hostPort: 53 ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod09 -spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - name: web - containerPort: 4443 - hostPort: 443 - - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - name: admin - containerPort: 8000 - 
protocol: TCP - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - name: dns - containerPort: 5553 - hostPort: 53 ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod10 -spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - name: dns - containerPort: 5553 - hostPort: 53 - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- \ No newline at end of file diff --git a/pod-security-cel/baseline/disallow-host-ports-range/.chainsaw-test/pod-good.yaml b/pod-security-cel/baseline/disallow-host-ports-range/.chainsaw-test/pod-good.yaml deleted file mode 100644 index 00ce9cfd7..000000000 --- a/pod-security-cel/baseline/disallow-host-ports-range/.chainsaw-test/pod-good.yaml +++ /dev/null 
@@ -1,228 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: goodpod01-new -spec: - initContainers: - - name: init - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - containerPort: 8090 - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 - - name: busybox-again - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - containerPort: 8080 ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod02-new -spec: - initContainers: - - name: init - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - containerPort: 8090 - - name: init-again - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - containerPort: 8088 - hostPort: 5431 - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - containerPort: 8090 - - containerPort: 8088 - hostPort: 6000 ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod03-new -spec: - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod04-new -spec: - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - containerPort: 8088 - hostPort: 5000 ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod01 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod02 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - name: admin - containerPort: 8000 - hostPort: 5555 - protocol: TCP ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod03 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - name: admin - containerPort: 8000 - hostPort: 5555 - protocol: TCP - - name: web-insecure - containerPort: 8080 ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod04 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: container02 - image: 
ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod05 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - name: admin - containerPort: 8000 - hostPort: 5555 - protocol: TCP ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod06 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - name: web-insecure - containerPort: 8080 - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - name: admin - containerPort: 8000 - hostPort: 5555 - protocol: TCP ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod07 -spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod08 -spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - name: web-insecure - containerPort: 8080 - hostPort: 5555 - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod09 -spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - name: web-insecure - containerPort: 8080 - hostPort: 5555 - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - name: web-insecure - containerPort: 8080 ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod10 -spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - name: web-insecure - containerPort: 8080 - hostPort: 5555 - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - name: web-insecure - containerPort: 8080 
---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod11 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - name: admin - containerPort: 8000 - hostPort: 0 - protocol: TCP \ No newline at end of file diff --git a/pod-security-cel/baseline/disallow-host-ports-range/.chainsaw-test/podcontroller-bad.yaml b/pod-security-cel/baseline/disallow-host-ports-range/.chainsaw-test/podcontroller-bad.yaml deleted file mode 100644 index 762a7bffc..000000000 --- a/pod-security-cel/baseline/disallow-host-ports-range/.chainsaw-test/podcontroller-bad.yaml +++ /dev/null 
@@ -1,581 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment01-new -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: init - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - containerPort: 8080 - hostPort: 8090 - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 - - name: busybox-again - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - containerPort: 8080 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob01-new -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: Never - initContainers: - - name: init - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - containerPort: 8090 - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 - - name: busybox-again - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - containerPort: 8088 - hostPort: 8080 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment01 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - name: dns - containerPort: 5553 - hostPort: 53 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment02 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - name: admin - containerPort: 8000 - protocol: TCP - - name: dns - containerPort: 5553 - hostPort: 53 - protocol: UDP ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment03 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: 
container02 - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - name: admin - containerPort: 8000 - protocol: TCP - - name: dns - containerPort: 5553 - hostPort: 53 - protocol: UDP ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment04 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - name: admin - containerPort: 8000 - protocol: TCP - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - name: dns - containerPort: 5553 - hostPort: 53 - protocol: UDP ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment05 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - name: web-secure - containerPort: 4443 - hostPort: 443 - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - name: dns - containerPort: 5553 - hostPort: 53 - protocol: UDP ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment06 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - name: dns - containerPort: 5553 - hostPort: 53 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment07 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - name: admin - containerPort: 8000 - protocol: TCP - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - name: dns - 
containerPort: 5553 - hostPort: 53 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment08 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - name: admin - containerPort: 8000 - protocol: TCP - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - name: dns - containerPort: 5553 - hostPort: 53 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment09 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - name: web - containerPort: 4443 - hostPort: 443 - - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - name: admin - containerPort: 8000 - protocol: TCP - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - name: dns - containerPort: 5553 - hostPort: 53 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment10 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - name: web - containerPort: 4443 - hostPort: 443 - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob01 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - name: dns - containerPort: 5553 - hostPort: 53 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: 
badcronjob02 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - name: admin - containerPort: 8000 - protocol: TCP - - name: dns - containerPort: 5553 - hostPort: 53 - protocol: UDP ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob03 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - name: admin - containerPort: 8000 - protocol: TCP - - name: dns - containerPort: 5553 - hostPort: 53 - protocol: UDP ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob04 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - name: admin - containerPort: 8000 - protocol: TCP - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - name: dns - containerPort: 5553 - hostPort: 53 - protocol: UDP ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob05 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - name: web-secure - containerPort: 4443 - hostPort: 443 - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - name: dns - containerPort: 5553 - hostPort: 53 - protocol: UDP ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob06 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - containers: - - name: 
container01 - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - name: dns - containerPort: 5553 - hostPort: 53 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob07 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - name: admin - containerPort: 8000 - protocol: TCP - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - name: dns - containerPort: 5553 - hostPort: 53 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob08 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - name: admin - containerPort: 8000 - protocol: TCP - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - name: dns - containerPort: 5553 - hostPort: 53 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob09 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - name: web - containerPort: 4443 - hostPort: 443 - - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - name: admin - containerPort: 8000 - protocol: TCP - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - name: dns - containerPort: 5553 - hostPort: 53 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob10 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - name: dns 
- containerPort: 5553 - hostPort: 53 - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- \ No newline at end of file diff --git a/pod-security-cel/baseline/disallow-host-ports-range/.chainsaw-test/podcontroller-good.yaml b/pod-security-cel/baseline/disallow-host-ports-range/.chainsaw-test/podcontroller-good.yaml deleted file mode 100644 index 78e52435e..000000000 --- a/pod-security-cel/baseline/disallow-host-ports-range/.chainsaw-test/podcontroller-good.yaml +++ /dev/null 
@@ -1,531 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment01-new -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: init - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - containerPort: 8090 - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 - - name: busybox-again - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - containerPort: 8088 - hostPort: 5432 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob01-new -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: Never - initContainers: - - name: init - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - containerPort: 9808 - hostPort: 6000 - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 - - name: busybox-again - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - containerPort: 8080 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment01 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment02 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - name: admin - containerPort: 8000 - hostPort: 5555 - protocol: TCP ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment03 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - name: admin - containerPort: 8000 - hostPort: 5555 - protocol: TCP - - name: web-insecure - 
containerPort: 8080 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment04 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment05 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - name: admin - containerPort: 8000 - hostPort: 5555 - protocol: TCP ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment06 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - name: web-insecure - containerPort: 8080 - hostPort: 5555 - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - name: admin - containerPort: 8000 - protocol: TCP ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment07 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment08 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - name: web-insecure - containerPort: 8080 - hostPort: 5555 - containers: - - name: container01 - image: 
ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment09 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - name: web-insecure - containerPort: 8080 - hostPort: 5555 - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - name: web-insecure - containerPort: 8080 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment10 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - name: web-insecure - containerPort: 8080 - hostPort: 5555 - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - name: web-insecure - containerPort: 8080 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment11 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - name: admin - containerPort: 8000 - hostPort: 0 - protocol: TCP ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob01 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob02 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - name: admin - containerPort: 8000 - hostPort: 5555 - 
protocol: TCP ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob03 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - name: admin - containerPort: 8000 - hostPort: 5555 - protocol: TCP - - name: web-insecure - containerPort: 8080 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob04 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob05 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - name: admin - containerPort: 8000 - hostPort: 5555 - protocol: TCP ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob06 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - name: web-insecure - containerPort: 8080 - hostPort: 5555 - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - name: admin - containerPort: 8000 - protocol: TCP ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob07 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob08 
-spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - name: web-insecure - containerPort: 8080 - hostPort: 5555 - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob09 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - name: web-insecure - containerPort: 8080 - hostPort: 5555 - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - name: web-insecure - containerPort: 8080 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob10 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - name: web-insecure - containerPort: 8080 - hostPort: 5555 - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - name: web-insecure - containerPort: 8080 diff --git a/pod-security-cel/baseline/disallow-host-ports-range/.chainsaw-test/policy-ready.yaml b/pod-security-cel/baseline/disallow-host-ports-range/.chainsaw-test/policy-ready.yaml deleted file mode 100755 index 68c1e2e62..000000000 --- a/pod-security-cel/baseline/disallow-host-ports-range/.chainsaw-test/policy-ready.yaml +++ /dev/null @@ -1,10 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: disallow-host-ports-range -status: - conditions: - - reason: Succeeded - status: "True" - type: Ready - 
diff --git a/pod-security-cel/baseline/disallow-host-ports-range/.kyverno-test/kyverno-test.yaml b/pod-security-cel/baseline/disallow-host-ports-range/.kyverno-test/kyverno-test.yaml
index c1534ce87..44bd3ad37 100644
--- a/pod-security-cel/baseline/disallow-host-ports-range/.kyverno-test/kyverno-test.yaml
+++ b/pod-security-cel/baseline/disallow-host-ports-range/.kyverno-test/kyverno-test.yaml
@@ -5,7 +5,7 @@ metadata:
 policies:
 - ../disallow-host-ports-range.yaml
 resources:
-- resource.yaml
+- ../../../../pod-security/baseline/disallow-host-ports-range/.kyverno-test/resource.yaml
 results:
 - kind: CronJob
 policy: disallow-host-ports-range
diff --git a/pod-security-cel/baseline/disallow-host-ports-range/.kyverno-test/resource.yaml b/pod-security-cel/baseline/disallow-host-ports-range/.kyverno-test/resource.yaml
deleted file mode 100644
index 86cf5e8ff..000000000
--- a/pod-security-cel/baseline/disallow-host-ports-range/.kyverno-test/resource.yaml
+++ /dev/null
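Review bot: The CEL policy's unit test now reads its fixture from `../../../../pod-security/baseline/disallow-host-ports-range/.kyverno-test/resource.yaml`, a file owned by the non-CEL policy directory, so any edit to that fixture (renamed or added resources) silently changes this test's inputs and the `results` entries can drift out of sync with nothing in this directory changing. I would add a comment above the `resources` entry, `# Shared fixture with the non-CEL disallow-host-ports-range policy; keep the results list below in sync with it`. The deleted local resource.yaml carried `goodpod11`/`gooddeployment11` with `hostPort: 0`, the value Kubernetes treats as "no host port" and which this policy must keep permitting; the diff does not show whether the shared fixture includes that case, so confirm it before merging or the CEL expression could regress on `hostPort: 0` with no failing test. The `results` list continues outside the hunk.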
@@ -1,1390 +0,0 @@ -###### Pods - Bad ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod01 -spec: - containers: - - name: container01 - image: dummyimagename - ports: - - name: dns - containerPort: 5553 - hostPort: 53 ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod02 -spec: - containers: - - name: container01 - image: dummyimagename - ports: - - name: admin - containerPort: 8000 - protocol: TCP - - name: dns - containerPort: 5553 - hostPort: 53 - protocol: UDP ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod03 -spec: - containers: - - name: container01 - image: dummyimagename - - name: container02 - image: dummyimagename - ports: - - name: admin - containerPort: 8000 - protocol: TCP - - name: dns - containerPort: 5553 - hostPort: 53 - protocol: UDP ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod04 -spec: - containers: - - name: container01 - image: dummyimagename - ports: - - name: admin - containerPort: 8000 - protocol: TCP - - name: container02 - image: dummyimagename - ports: - - name: dns - containerPort: 5553 - hostPort: 53 - protocol: UDP ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod05 -spec: - containers: - - name: container01 - image: dummyimagename - ports: - - name: web-secure - containerPort: 4443 - hostPort: 443 - - name: container02 - image: dummyimagename - ports: - - name: dns - containerPort: 5553 - hostPort: 53 - protocol: UDP ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod06 -spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - containers: - - name: container01 - image: dummyimagename - ports: - - name: dns - containerPort: 5553 - hostPort: 53 ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod07 -spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - ports: - - name: admin - containerPort: 8000 - protocol: TCP - containers: - - name: container01 - image: dummyimagename - ports: - - name: dns - containerPort: 5553 - hostPort: 53 ---- 
-apiVersion: v1 -kind: Pod -metadata: - name: badpod08 -spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - - name: initcontainer02 - image: dummyimagename - ports: - - name: admin - containerPort: 8000 - protocol: TCP - containers: - - name: container01 - image: dummyimagename - ports: - - name: dns - containerPort: 5553 - hostPort: 53 ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod09 -spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - ports: - - name: web - containerPort: 4443 - hostPort: 443 - - name: initcontainer02 - image: dummyimagename - ports: - - name: admin - containerPort: 8000 - protocol: TCP - containers: - - name: container01 - image: dummyimagename - ports: - - name: dns - containerPort: 5553 - hostPort: 53 ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod10 -spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - ports: - - name: dns - containerPort: 5553 - hostPort: 53 - containers: - - name: container01 - image: dummyimagename ---- -###### Pods - Good -apiVersion: v1 -kind: Pod -metadata: - name: goodpod01 -spec: - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod02 -spec: - containers: - - name: container01 - image: dummyimagename - ports: - - name: admin - containerPort: 8000 - hostPort: 5555 - protocol: TCP ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod03 -spec: - containers: - - name: container01 - image: dummyimagename - ports: - - name: admin - containerPort: 8000 - hostPort: 5555 - protocol: TCP - - name: web-insecure - containerPort: 8080 ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod04 -spec: - containers: - - name: container01 - image: dummyimagename - - name: container02 - image: dummyimagename ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod05 -spec: - containers: - - name: container01 - image: dummyimagename - - name: container02 - image: 
dummyimagename - ports: - - name: admin - containerPort: 8000 - hostPort: 5555 - protocol: TCP ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod06 -spec: - containers: - - name: container01 - image: dummyimagename - ports: - - name: web-insecure - containerPort: 8080 - - name: container02 - image: dummyimagename - ports: - - name: admin - containerPort: 8000 - hostPort: 5555 - protocol: TCP ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod07 -spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod08 -spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - ports: - - name: web-insecure - containerPort: 8080 - hostPort: 5555 - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod09 -spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - ports: - - name: web-insecure - containerPort: 8080 - hostPort: 5555 - containers: - - name: container01 - image: dummyimagename - ports: - - name: web-insecure - containerPort: 8080 ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod10 -spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - - name: initcontainer02 - image: dummyimagename - ports: - - name: web-insecure - containerPort: 8080 - hostPort: 5555 - containers: - - name: container01 - image: dummyimagename - ports: - - name: web-insecure - containerPort: 8080 ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod11 -spec: - containers: - - name: container01 - image: dummyimagename - ports: - - name: admin - containerPort: 8000 - hostPort: 0 - protocol: TCP ---- -###### Deployments - Bad -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment01 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - 
name: container01 - image: dummyimagename - ports: - - name: dns - containerPort: 5553 - hostPort: 53 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment02 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - ports: - - name: admin - containerPort: 8000 - protocol: TCP - - name: dns - containerPort: 5553 - hostPort: 53 - protocol: UDP ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment03 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - - name: container02 - image: dummyimagename - ports: - - name: admin - containerPort: 8000 - protocol: TCP - - name: dns - containerPort: 5553 - hostPort: 53 - protocol: UDP ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment04 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - ports: - - name: admin - containerPort: 8000 - protocol: TCP - - name: container02 - image: dummyimagename - ports: - - name: dns - containerPort: 5553 - hostPort: 53 - protocol: UDP ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment05 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - ports: - - name: web-secure - containerPort: 4443 - hostPort: 443 - - name: container02 - image: dummyimagename - ports: - - name: dns - containerPort: 5553 - hostPort: 53 - protocol: UDP ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment06 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - 
name: initcontainer01 - image: dummyimagename - containers: - - name: container01 - image: dummyimagename - ports: - - name: dns - containerPort: 5553 - hostPort: 53 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment07 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - ports: - - name: admin - containerPort: 8000 - protocol: TCP - containers: - - name: container01 - image: dummyimagename - ports: - - name: dns - containerPort: 5553 - hostPort: 53 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment08 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - - name: initcontainer02 - image: dummyimagename - ports: - - name: admin - containerPort: 8000 - protocol: TCP - containers: - - name: container01 - image: dummyimagename - ports: - - name: dns - containerPort: 5553 - hostPort: 53 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment09 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - ports: - - name: web - containerPort: 4443 - hostPort: 443 - - name: initcontainer02 - image: dummyimagename - ports: - - name: admin - containerPort: 8000 - protocol: TCP - containers: - - name: container01 - image: dummyimagename - ports: - - name: dns - containerPort: 5553 - hostPort: 53 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment10 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - ports: - - name: web - containerPort: 4443 - hostPort: 443 - containers: - - name: 
container01 - image: dummyimagename ---- -###### Deployments - Good -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment01 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment02 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - ports: - - name: admin - containerPort: 8000 - hostPort: 5555 - protocol: TCP ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment03 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - ports: - - name: admin - containerPort: 8000 - hostPort: 5555 - protocol: TCP - - name: web-insecure - containerPort: 8080 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment04 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - - name: container02 - image: dummyimagename ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment05 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - - name: container02 - image: dummyimagename - ports: - - name: admin - containerPort: 8000 - hostPort: 5555 - protocol: TCP ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment06 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - ports: - - name: web-insecure - 
containerPort: 8080 - hostPort: 5555 - - name: container02 - image: dummyimagename - ports: - - name: admin - containerPort: 8000 - protocol: TCP ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment07 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment08 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - ports: - - name: web-insecure - containerPort: 8080 - hostPort: 5555 - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment09 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - ports: - - name: web-insecure - containerPort: 8080 - hostPort: 5555 - containers: - - name: container01 - image: dummyimagename - ports: - - name: web-insecure - containerPort: 8080 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment10 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - - name: initcontainer02 - image: dummyimagename - ports: - - name: web-insecure - containerPort: 8080 - hostPort: 5555 - containers: - - name: container01 - image: dummyimagename - ports: - - name: web-insecure - containerPort: 8080 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment11 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - 
containers: - - name: container01 - image: dummyimagename - ports: - - name: admin - containerPort: 8000 - hostPort: 0 - protocol: TCP ---- -###### CronJobs - Bad -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob01 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - ports: - - name: dns - containerPort: 5553 - hostPort: 53 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob02 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - ports: - - name: admin - containerPort: 8000 - protocol: TCP - - name: dns - containerPort: 5553 - hostPort: 53 - protocol: UDP ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob03 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - - name: container02 - image: dummyimagename - ports: - - name: admin - containerPort: 8000 - protocol: TCP - - name: dns - containerPort: 5553 - hostPort: 53 - protocol: UDP ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob04 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - ports: - - name: admin - containerPort: 8000 - protocol: TCP - - name: container02 - image: dummyimagename - ports: - - name: dns - containerPort: 5553 - hostPort: 53 - protocol: UDP ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob05 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - ports: - - name: web-secure - containerPort: 4443 - hostPort: 443 - - name: container02 - image: 
dummyimagename - ports: - - name: dns - containerPort: 5553 - hostPort: 53 - protocol: UDP ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob06 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: dummyimagename - containers: - - name: container01 - image: dummyimagename - ports: - - name: dns - containerPort: 5553 - hostPort: 53 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob07 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: dummyimagename - ports: - - name: admin - containerPort: 8000 - protocol: TCP - containers: - - name: container01 - image: dummyimagename - ports: - - name: dns - containerPort: 5553 - hostPort: 53 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob08 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: dummyimagename - - name: initcontainer02 - image: dummyimagename - ports: - - name: admin - containerPort: 8000 - protocol: TCP - containers: - - name: container01 - image: dummyimagename - ports: - - name: dns - containerPort: 5553 - hostPort: 53 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob09 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: dummyimagename - ports: - - name: web - containerPort: 4443 - hostPort: 443 - - name: initcontainer02 - image: dummyimagename - ports: - - name: admin - containerPort: 8000 - protocol: TCP - containers: - - name: container01 - image: dummyimagename - ports: - - name: dns - containerPort: 5553 - hostPort: 53 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob10 -spec: - schedule: "*/1 
* * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: dummyimagename - ports: - - name: dns - containerPort: 5553 - hostPort: 53 - containers: - - name: container01 - image: dummyimagename ---- -###### CronJobs - Good -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob01 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob02 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - ports: - - name: admin - containerPort: 8000 - hostPort: 5555 - protocol: TCP ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob03 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - ports: - - name: admin - containerPort: 8000 - hostPort: 5555 - protocol: TCP - - name: web-insecure - containerPort: 8080 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob04 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - - name: container02 - image: dummyimagename ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob05 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - - name: container02 - image: dummyimagename - ports: - - name: admin - containerPort: 8000 - hostPort: 5555 - protocol: TCP ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob06 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - 
template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - ports: - - name: web-insecure - containerPort: 8080 - hostPort: 5555 - - name: container02 - image: dummyimagename - ports: - - name: admin - containerPort: 8000 - protocol: TCP ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob07 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: dummyimagename - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob08 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: dummyimagename - ports: - - name: web-insecure - containerPort: 8080 - hostPort: 5555 - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob09 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: dummyimagename - ports: - - name: web-insecure - containerPort: 8080 - hostPort: 5555 - containers: - - name: container01 - image: dummyimagename - ports: - - name: web-insecure - containerPort: 8080 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob10 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: dummyimagename - - name: initcontainer02 - image: dummyimagename - ports: - - name: web-insecure - containerPort: 8080 - hostPort: 5555 - containers: - - name: container01 - image: dummyimagename - ports: - - name: web-insecure - containerPort: 8080 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob11 -spec: - schedule: "*/1 * * * *" - 
jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - ports: - - name: admin - containerPort: 8000 - hostPort: 0 - protocol: TCP ---- \ No newline at end of file diff --git a/pod-security-cel/baseline/disallow-host-ports-range/artifacthub-pkg.yml b/pod-security-cel/baseline/disallow-host-ports-range/artifacthub-pkg.yml index e37b39072..63bfb047b 100644 --- a/pod-security-cel/baseline/disallow-host-ports-range/artifacthub-pkg.yml +++ b/pod-security-cel/baseline/disallow-host-ports-range/artifacthub-pkg.yml @@ -17,7 +17,7 @@ readme: | Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ annotations: kyverno/category: "Pod Security Standards (Baseline) in CEL" - kyverno/kubernetesVersion: "1.26-1.27" + kyverno/kubernetesVersion: "1.22-1.23" kyverno/subject: "Pod" -digest: 98649f33f27275eee56ff1e6366816e81f7adc044f36ffa72a371d2ab8d488ad -createdAt: "2024-08-21T00:22:34Z" +digest: 9ea35edfd0be8b253db73ce38ff124d191df9e34f90b01c70125add602a05ff3 +createdAt: "2023-12-03T00:22:34Z" diff --git a/pod-security-cel/baseline/disallow-host-ports-range/disallow-host-ports-range.yaml b/pod-security-cel/baseline/disallow-host-ports-range/disallow-host-ports-range.yaml index 211fc502a..02910d760 100644 --- a/pod-security-cel/baseline/disallow-host-ports-range/disallow-host-ports-range.yaml +++ b/pod-security-cel/baseline/disallow-host-ports-range/disallow-host-ports-range.yaml 
@@ -24,22 +24,25 @@ spec: - resources: kinds: - Pod - operations: - - CREATE - - UPDATE validate: cel: - variables: - - name: allContainers - expression: >- - object.spec.containers + - object.spec.?initContainers.orValue([]) + - object.spec.?ephemeralContainers.orValue([]) expressions: - expression: >- - variables.allContainers.all(container, - container.?ports.orValue([]).all(port, - size(port) == 0 || - !has(port.hostPort) || (port.hostPort >= 5000 && port.hostPort <= 6000) )) + object.spec.containers.all(container, !has(container.ports) || + container.ports.all(port, !has(port.hostPort) || (port.hostPort >= 5000 && port.hostPort <= 6000))) + message: >- + The only permitted hostPorts are in the range 5000-6000. + + - expression: >- + !has(object.spec.initContainers) || + object.spec.initContainers.all(container, !has(container.ports) || + container.ports.all(port, !has(port.hostPort) || (port.hostPort >= 5000 && port.hostPort <= 6000))) + message: >- + The only permitted hostPorts are in the range 5000-6000. + + - expression: >- + !has(object.spec.ephemeralContainers) || + object.spec.ephemeralContainers.all(container, !has(container.ports) || + container.ports.all(port, !has(port.hostPort) || (port.hostPort >= 5000 && port.hostPort <= 6000))) message: >- The only permitted hostPorts are in the range 5000-6000. diff --git a/pod-security-cel/baseline/disallow-host-ports/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/pod-security-cel/baseline/disallow-host-ports/.chainsaw-test/chainsaw-step-01-assert-1.yaml new file mode 100755 index 000000000..7630931c6 --- /dev/null +++ b/pod-security-cel/baseline/disallow-host-ports/.chainsaw-test/chainsaw-step-01-assert-1.yaml @@ -0,0 +1,6 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: disallow-host-ports +status: + ready: true 
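Review bot: The new side of the match block drops `operations: [CREATE, UPDATE]` with nothing in its place, so which admission operations this rule evaluates now rests on Kyverno's default for validate rules rather than being stated in the policy; I would keep the explicit list under `kinds:`, i.e. `operations:` / `- CREATE` / `- UPDATE`. The three new expressions also repeat the 5000–6000 bounds and the identical message three times, so a future change to the permitted range must be made in three places and the lists can drift apart silently. Separately, the per-port test `!has(port.hostPort) || (port.hostPort >= 5000 && port.hostPort <= 6000)` rejects an explicit `hostPort: 0`, which the Pod Security Standards baseline treats as "unset" and which the sibling host-ports fixtures deleted in this same change (`gooddeployment11`, `goodcronjob11`, `goodpod04-new`) classify as good; if rejecting 0 is intended for the range variant, a comment above the expressions saying so would help, otherwise add `port.hostPort == 0 ||` before the range check in each of the three expressions.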
diff --git a/pod-security-cel/baseline/disallow-host-ports/.chainsaw-test/chainsaw-test.yaml b/pod-security-cel/baseline/disallow-host-ports/.chainsaw-test/chainsaw-test.yaml index 31558d00d..f9d365042 100755 --- a/pod-security-cel/baseline/disallow-host-ports/.chainsaw-test/chainsaw-test.yaml +++ b/pod-security-cel/baseline/disallow-host-ports/.chainsaw-test/chainsaw-test.yaml @@ -1,40 +1,37 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: creationTimestamp: null name: disallow-host-ports spec: - # disable templating because it can cause issues with CEL expressions - template: false steps: - name: step-01 try: - - apply: - file: ../disallow-host-ports.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: disallow-host-ports - spec: - validationFailureAction: Enforce + - script: + content: | + sed 's/validationFailureAction: Audit/validationFailureAction: Enforce/' ../disallow-host-ports.yaml | kubectl create -f - - assert: - file: policy-ready.yaml + file: chainsaw-step-01-assert-1.yaml - name: step-02 try: - apply: - file: pod-good.yaml + file: ../../../../pod-security/baseline/disallow-host-ports/.chainsaw-test/pod-good.yaml - apply: expect: - check: ($error != null): true - file: pod-bad.yaml + file: ../../../../pod-security/baseline/disallow-host-ports/.chainsaw-test/pod-bad.yaml - apply: - file: podcontroller-good.yaml + file: ../../../../pod-security/baseline/disallow-host-ports/.chainsaw-test/podcontroller-good.yaml - apply: expect: - check: ($error != null): true - file: podcontroller-bad.yaml + file: ../../../../pod-security/baseline/disallow-host-ports/.chainsaw-test/podcontroller-bad.yaml + - name: step-99 + try: + - delete: + ref: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: disallow-host-ports 
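Review bot: The new step-01 switches the policy to Enforce with `sed 's/validationFailureAction: Audit/validationFailureAction: Enforce/' ../disallow-host-ports.yaml | kubectl create -f -`, which silently installs the policy in its original mode whenever the file does not contain that exact literal (different casing, the field absent, or a rule-level `failureAction` instead), and the bad-resource `expect` checks in step-02 would then fail for a reason unrelated to the policy. The removed structured `patch` of `spec.validationFailureAction: Enforce` had no such text dependency; if the script is kept, guard the substitution first, e.g. `grep -q 'validationFailureAction: Audit' ../disallow-host-ports.yaml || exit 1`. Step-02 now reads its fixtures from `../../../../pod-security/baseline/disallow-host-ports/.chainsaw-test/`, sharing the non-CEL policy's test data, while the CEL-specific `pod-good.yaml`/`pod-bad.yaml` deleted in this change carried `-new` cases (explicit `hostPort: 0`, init-container port lists without `hostPort`) that I cannot confirm exist in the shared files, so please verify they are covered there or keep them locally. The per-test `template: false` and its comment ("templating can cause issues with CEL expressions") are dropped; that is only safe if the repository-level chainsaw configuration sets the same option for every test.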
diff --git a/pod-security-cel/baseline/disallow-host-ports/.chainsaw-test/pod-bad.yaml b/pod-security-cel/baseline/disallow-host-ports/.chainsaw-test/pod-bad.yaml deleted file mode 100644 index d954d8705..000000000 --- a/pod-security-cel/baseline/disallow-host-ports/.chainsaw-test/pod-bad.yaml +++ /dev/null 
@@ -1,244 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: badpod01-new -spec: - initContainers: - - name: init - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - hostPort: 8090 - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 - - name: busybox-again - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - containerPort: 8099 - - hostPort: 8090 - containerPort: 8080 ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod02-new -spec: - initContainers: - - name: init - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - containerPort: 8090 - - name: init-again - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - containerPort: 8090 - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - containerPort: 8090 - hostPort: 8090 - - containerPort: 8099 - hostPort: 0 ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod03-new -spec: - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - containerPort: 8090 - hostPort: 8090 ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod01 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - name: dns - containerPort: 5553 - hostPort: 53 ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod02 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - name: admin - containerPort: 8000 - protocol: TCP - - name: dns - containerPort: 5553 - hostPort: 53 - protocol: UDP ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod03 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - name: admin - containerPort: 8000 - protocol: TCP - - name: dns - containerPort: 5553 - hostPort: 53 - protocol: UDP ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod04 -spec: - containers: - - name: container01 - image: 
ghcr.io/kyverno/test-busybox:1.35 - ports: - - name: admin - containerPort: 8000 - protocol: TCP - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - name: dns - containerPort: 5553 - hostPort: 53 - protocol: UDP ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod05 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - name: web-secure - containerPort: 4443 - hostPort: 443 - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - name: dns - containerPort: 5553 - hostPort: 53 - protocol: UDP ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod06 -spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - name: dns - containerPort: 5553 - hostPort: 53 ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod07 -spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - name: admin - containerPort: 8000 - protocol: TCP - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - name: dns - containerPort: 5553 - hostPort: 53 ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod08 -spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - name: admin - containerPort: 8000 - protocol: TCP - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - name: dns - containerPort: 5553 - hostPort: 53 ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod09 -spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - name: web - containerPort: 4443 - hostPort: 443 - - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - name: admin - containerPort: 8000 - 
protocol: TCP - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - name: dns - containerPort: 5553 - hostPort: 53 ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod10 -spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - name: dns - containerPort: 5553 - hostPort: 53 - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- \ No newline at end of file diff --git a/pod-security-cel/baseline/disallow-host-ports/.chainsaw-test/pod-good.yaml b/pod-security-cel/baseline/disallow-host-ports/.chainsaw-test/pod-good.yaml deleted file mode 100644 index bd28f17d9..000000000 --- a/pod-security-cel/baseline/disallow-host-ports/.chainsaw-test/pod-good.yaml +++ /dev/null 
@@ -1,208 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: goodpod01-new -spec: - initContainers: - - name: init - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - containerPort: 8090 - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 - - name: busybox-again - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - containerPort: 8080 ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod02-new -spec: - initContainers: - - name: init - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - containerPort: 8090 - - name: init-again - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - containerPort: 8088 - hostPort: 0 - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - containerPort: 8090 - - containerPort: 8088 - hostPort: 0 ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod03-new -spec: - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod04-new -spec: - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - containerPort: 8088 - hostPort: 0 ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod01 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod02 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - name: admin - containerPort: 8000 - protocol: TCP ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod03 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - name: admin - containerPort: 8000 - protocol: TCP - - name: web-insecure - containerPort: 8080 ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod04 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: v1 -kind: 
Pod -metadata: - name: goodpod05 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - name: admin - containerPort: 8000 - protocol: TCP ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod06 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - name: web-insecure - containerPort: 8080 - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - name: admin - containerPort: 8000 - protocol: TCP ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod07 -spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod08 -spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - name: web-insecure - containerPort: 8080 - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod09 -spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - name: web-insecure - containerPort: 8080 - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - name: web-insecure - containerPort: 8080 ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod10 -spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - name: web-insecure - containerPort: 8080 - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - name: web-insecure - containerPort: 8080 ---- \ No newline at end of file 
diff --git a/pod-security-cel/baseline/disallow-host-ports/.chainsaw-test/podcontroller-bad.yaml b/pod-security-cel/baseline/disallow-host-ports/.chainsaw-test/podcontroller-bad.yaml deleted file mode 100644 index eca7e8b75..000000000 --- a/pod-security-cel/baseline/disallow-host-ports/.chainsaw-test/podcontroller-bad.yaml +++ /dev/null 
@@ -1,581 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment01-new -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: init - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - containerPort: 8080 - hostPort: 8090 - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 - - name: busybox-again - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - containerPort: 8080 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob01-new -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: Never - initContainers: - - name: init - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - containerPort: 8090 - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 - - name: busybox-again - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - containerPort: 8088 - hostPort: 8080 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment01 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - name: dns - containerPort: 5553 - hostPort: 53 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment02 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - name: admin - containerPort: 8000 - protocol: TCP - - name: dns - containerPort: 5553 - hostPort: 53 - protocol: UDP ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment03 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: 
container02 - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - name: admin - containerPort: 8000 - protocol: TCP - - name: dns - containerPort: 5553 - hostPort: 53 - protocol: UDP ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment04 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - name: admin - containerPort: 8000 - protocol: TCP - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - name: dns - containerPort: 5553 - hostPort: 53 - protocol: UDP ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment05 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - name: web-secure - containerPort: 4443 - hostPort: 443 - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - name: dns - containerPort: 5553 - hostPort: 53 - protocol: UDP ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment06 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - name: dns - containerPort: 5553 - hostPort: 53 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment07 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - name: admin - containerPort: 8000 - protocol: TCP - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - name: dns - 
containerPort: 5553 - hostPort: 53 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment08 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - name: admin - containerPort: 8000 - protocol: TCP - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - name: dns - containerPort: 5553 - hostPort: 53 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment09 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - name: web - containerPort: 4443 - hostPort: 443 - - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - name: admin - containerPort: 8000 - protocol: TCP - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - name: dns - containerPort: 5553 - hostPort: 53 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment10 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - name: web - containerPort: 4443 - hostPort: 443 - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob01 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - name: dns - containerPort: 5553 - hostPort: 53 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: 
badcronjob02 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - name: admin - containerPort: 8000 - protocol: TCP - - name: dns - containerPort: 5553 - hostPort: 53 - protocol: UDP ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob03 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - name: admin - containerPort: 8000 - protocol: TCP - - name: dns - containerPort: 5553 - hostPort: 53 - protocol: UDP ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob04 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - name: admin - containerPort: 8000 - protocol: TCP - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - name: dns - containerPort: 5553 - hostPort: 53 - protocol: UDP ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob05 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - name: web-secure - containerPort: 4443 - hostPort: 443 - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - name: dns - containerPort: 5553 - hostPort: 53 - protocol: UDP ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob06 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - containers: - - name: 
container01 - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - name: dns - containerPort: 5553 - hostPort: 53 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob07 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - name: admin - containerPort: 8000 - protocol: TCP - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - name: dns - containerPort: 5553 - hostPort: 53 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob08 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - name: admin - containerPort: 8000 - protocol: TCP - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - name: dns - containerPort: 5553 - hostPort: 53 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob09 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - name: web - containerPort: 4443 - hostPort: 443 - - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - name: admin - containerPort: 8000 - protocol: TCP - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - name: dns - containerPort: 5553 - hostPort: 53 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob10 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - name: dns 
- containerPort: 5553
- hostPort: 53
- containers:
- - name: container01
- image: ghcr.io/kyverno/test-busybox:1.35
----
\ No newline at end of file
diff --git a/pod-security-cel/baseline/disallow-host-ports/.chainsaw-test/podcontroller-good.yaml b/pod-security-cel/baseline/disallow-host-ports/.chainsaw-test/podcontroller-good.yaml
deleted file mode 100644
index 97c5643aa..000000000
--- a/pod-security-cel/baseline/disallow-host-ports/.chainsaw-test/podcontroller-good.yaml
+++ /dev/null
@@ -1,494 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment01-new -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: init - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - containerPort: 8090 - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 - - name: busybox-again - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - containerPort: 8088 - hostPort: 0 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob01-new -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: Never - initContainers: - - name: init - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - containerPort: 9808 - hostPort: 0 - containers: - - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 - - name: busybox-again - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - containerPort: 8080 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment01 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment02 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - name: admin - containerPort: 8000 - protocol: TCP ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment03 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - name: admin - containerPort: 8000 - protocol: TCP - - name: web-insecure - containerPort: 8080 ---- -apiVersion: apps/v1 -kind: 
Deployment -metadata: - name: gooddeployment04 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment05 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - name: admin - containerPort: 8000 - protocol: TCP ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment06 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - name: web-insecure - containerPort: 8080 - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - name: admin - containerPort: 8000 - protocol: TCP ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment07 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment08 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - name: web-insecure - containerPort: 8080 - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: 
gooddeployment09 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - name: web-insecure - containerPort: 8080 - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - name: web-insecure - containerPort: 8080 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment10 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - name: web-insecure - containerPort: 8080 - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - name: web-insecure - containerPort: 8080 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob01 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob02 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - name: admin - containerPort: 8000 - protocol: TCP ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob03 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - name: admin - containerPort: 8000 - protocol: TCP - - name: web-insecure - containerPort: 8080 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob04 -spec: - schedule: "*/1 * * * *" - 
jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob05 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - name: admin - containerPort: 8000 - protocol: TCP ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob06 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - name: web-insecure - containerPort: 8080 - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - name: admin - containerPort: 8000 - protocol: TCP ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob07 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob08 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - ports: - - name: web-insecure - containerPort: 8080 - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob09 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 
- image: ghcr.io/kyverno/test-busybox:1.35
- ports:
- - name: web-insecure
- containerPort: 8080
- containers:
- - name: container01
- image: ghcr.io/kyverno/test-busybox:1.35
- ports:
- - name: web-insecure
- containerPort: 8080
----
-apiVersion: batch/v1
-kind: CronJob
-metadata:
- name: goodcronjob10
-spec:
- schedule: "*/1 * * * *"
- jobTemplate:
- spec:
- template:
- spec:
- restartPolicy: OnFailure
- initContainers:
- - name: initcontainer01
- image: ghcr.io/kyverno/test-busybox:1.35
- - name: initcontainer02
- image: ghcr.io/kyverno/test-busybox:1.35
- ports:
- - name: web-insecure
- containerPort: 8080
- containers:
- - name: container01
- image: ghcr.io/kyverno/test-busybox:1.35
- ports:
- - name: web-insecure
- containerPort: 8080
diff --git a/pod-security-cel/baseline/disallow-host-ports/.chainsaw-test/policy-ready.yaml b/pod-security-cel/baseline/disallow-host-ports/.chainsaw-test/policy-ready.yaml
deleted file mode 100755
index 46cf00260..000000000
--- a/pod-security-cel/baseline/disallow-host-ports/.chainsaw-test/policy-ready.yaml
+++ /dev/null
@@ -1,10 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
- name: disallow-host-ports
-status:
- conditions:
- - reason: Succeeded
- status: "True"
- type: Ready
-
diff --git a/pod-security-cel/baseline/disallow-host-ports/.kyverno-test/kyverno-test.yaml b/pod-security-cel/baseline/disallow-host-ports/.kyverno-test/kyverno-test.yaml
index 25ea8232a..ec292ca5c 100644
--- a/pod-security-cel/baseline/disallow-host-ports/.kyverno-test/kyverno-test.yaml
+++ b/pod-security-cel/baseline/disallow-host-ports/.kyverno-test/kyverno-test.yaml
@@ -5,7 +5,7 @@ metadata:
 policies:
 - ../disallow-host-ports.yaml
 resources:
-- resource.yaml
+- ../../../../pod-security/baseline/disallow-host-ports/.kyverno-test/resource.yaml
 results:
 - kind: CronJob
 policy: disallow-host-ports
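Review bot: The new `resources:` entry reaches four directories up into the non-CEL policy's `.kyverno-test/resource.yaml`, so this CEL test's fixture is now owned by a different policy: any edit there (a renamed `badpodNN`, a dropped case) silently changes what is exercised here, while the `results:` list, which continues below the hunk, must still enumerate the same kind/name pairs. Please confirm the shared fixture carries an allowed `hostPort: 0` case, because the deleted `.chainsaw-test` fixtures (`gooddeployment01-new`, `goodcronjob01-new`) were the only place in this diff where `hostPort: 0` was treated as good, and the visible part of the deleted local `resource.yaml` has no such case, so a CEL expression that flags any present `hostPort` would now go unnoticed. A short comment above the path would make the coupling explicit: `# Shared with pod-security/baseline/disallow-host-ports; keep the results below in sync with that fixture.`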
diff --git a/pod-security-cel/baseline/disallow-host-ports/.kyverno-test/resource.yaml b/pod-security-cel/baseline/disallow-host-ports/.kyverno-test/resource.yaml
deleted file mode 100644
index e4f10d802..000000000
--- a/pod-security-cel/baseline/disallow-host-ports/.kyverno-test/resource.yaml
+++ /dev/null
@@ -1,1311 +0,0 @@ -###### Pods - Bad ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod01 -spec: - containers: - - name: container01 - image: dummyimagename - ports: - - name: dns - containerPort: 5553 - hostPort: 53 ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod02 -spec: - containers: - - name: container01 - image: dummyimagename - ports: - - name: admin - containerPort: 8000 - protocol: TCP - - name: dns - containerPort: 5553 - hostPort: 53 - protocol: UDP ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod03 -spec: - containers: - - name: container01 - image: dummyimagename - - name: container02 - image: dummyimagename - ports: - - name: admin - containerPort: 8000 - protocol: TCP - - name: dns - containerPort: 5553 - hostPort: 53 - protocol: UDP ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod04 -spec: - containers: - - name: container01 - image: dummyimagename - ports: - - name: admin - containerPort: 8000 - protocol: TCP - - name: container02 - image: dummyimagename - ports: - - name: dns - containerPort: 5553 - hostPort: 53 - protocol: UDP ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod05 -spec: - containers: - - name: container01 - image: dummyimagename - ports: - - name: web-secure - containerPort: 4443 - hostPort: 443 - - name: container02 - image: dummyimagename - ports: - - name: dns - containerPort: 5553 - hostPort: 53 - protocol: UDP ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod06 -spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - containers: - - name: container01 - image: dummyimagename - ports: - - name: dns - containerPort: 5553 - hostPort: 53 ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod07 -spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - ports: - - name: admin - containerPort: 8000 - protocol: TCP - containers: - - name: container01 - image: dummyimagename - ports: - - name: dns - containerPort: 5553 - hostPort: 53 ---- 
-apiVersion: v1 -kind: Pod -metadata: - name: badpod08 -spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - - name: initcontainer02 - image: dummyimagename - ports: - - name: admin - containerPort: 8000 - protocol: TCP - containers: - - name: container01 - image: dummyimagename - ports: - - name: dns - containerPort: 5553 - hostPort: 53 ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod09 -spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - ports: - - name: web - containerPort: 4443 - hostPort: 443 - - name: initcontainer02 - image: dummyimagename - ports: - - name: admin - containerPort: 8000 - protocol: TCP - containers: - - name: container01 - image: dummyimagename - ports: - - name: dns - containerPort: 5553 - hostPort: 53 ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod10 -spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - ports: - - name: dns - containerPort: 5553 - hostPort: 53 - containers: - - name: container01 - image: dummyimagename ---- -###### Pods - Good -apiVersion: v1 -kind: Pod -metadata: - name: goodpod01 -spec: - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod02 -spec: - containers: - - name: container01 - image: dummyimagename - ports: - - name: admin - containerPort: 8000 - protocol: TCP ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod03 -spec: - containers: - - name: container01 - image: dummyimagename - ports: - - name: admin - containerPort: 8000 - protocol: TCP - - name: web-insecure - containerPort: 8080 ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod04 -spec: - containers: - - name: container01 - image: dummyimagename - - name: container02 - image: dummyimagename ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod05 -spec: - containers: - - name: container01 - image: dummyimagename - - name: container02 - image: dummyimagename - ports: - - name: admin - 
containerPort: 8000 - protocol: TCP ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod06 -spec: - containers: - - name: container01 - image: dummyimagename - ports: - - name: web-insecure - containerPort: 8080 - - name: container02 - image: dummyimagename - ports: - - name: admin - containerPort: 8000 - protocol: TCP ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod07 -spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod08 -spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - ports: - - name: web-insecure - containerPort: 8080 - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod09 -spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - ports: - - name: web-insecure - containerPort: 8080 - containers: - - name: container01 - image: dummyimagename - ports: - - name: web-insecure - containerPort: 8080 ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod10 -spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - - name: initcontainer02 - image: dummyimagename - ports: - - name: web-insecure - containerPort: 8080 - containers: - - name: container01 - image: dummyimagename - ports: - - name: web-insecure - containerPort: 8080 ---- -###### Deployments - Bad -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment01 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - ports: - - name: dns - containerPort: 5553 - hostPort: 53 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment02 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - 
image: dummyimagename - ports: - - name: admin - containerPort: 8000 - protocol: TCP - - name: dns - containerPort: 5553 - hostPort: 53 - protocol: UDP ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment03 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - - name: container02 - image: dummyimagename - ports: - - name: admin - containerPort: 8000 - protocol: TCP - - name: dns - containerPort: 5553 - hostPort: 53 - protocol: UDP ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment04 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - ports: - - name: admin - containerPort: 8000 - protocol: TCP - - name: container02 - image: dummyimagename - ports: - - name: dns - containerPort: 5553 - hostPort: 53 - protocol: UDP ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment05 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - ports: - - name: web-secure - containerPort: 4443 - hostPort: 443 - - name: container02 - image: dummyimagename - ports: - - name: dns - containerPort: 5553 - hostPort: 53 - protocol: UDP ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment06 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - containers: - - name: container01 - image: dummyimagename - ports: - - name: dns - containerPort: 5553 - hostPort: 53 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment07 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - 
labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - ports: - - name: admin - containerPort: 8000 - protocol: TCP - containers: - - name: container01 - image: dummyimagename - ports: - - name: dns - containerPort: 5553 - hostPort: 53 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment08 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - - name: initcontainer02 - image: dummyimagename - ports: - - name: admin - containerPort: 8000 - protocol: TCP - containers: - - name: container01 - image: dummyimagename - ports: - - name: dns - containerPort: 5553 - hostPort: 53 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment09 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - ports: - - name: web - containerPort: 4443 - hostPort: 443 - - name: initcontainer02 - image: dummyimagename - ports: - - name: admin - containerPort: 8000 - protocol: TCP - containers: - - name: container01 - image: dummyimagename - ports: - - name: dns - containerPort: 5553 - hostPort: 53 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment10 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - ports: - - name: web - containerPort: 4443 - hostPort: 443 - containers: - - name: container01 - image: dummyimagename ---- -###### Deployments - Good -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment01 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: 
apps/v1 -kind: Deployment -metadata: - name: gooddeployment02 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - ports: - - name: admin - containerPort: 8000 - protocol: TCP ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment03 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - ports: - - name: admin - containerPort: 8000 - protocol: TCP - - name: web-insecure - containerPort: 8080 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment04 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - - name: container02 - image: dummyimagename ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment05 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - - name: container02 - image: dummyimagename - ports: - - name: admin - containerPort: 8000 - protocol: TCP ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment06 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - ports: - - name: web-insecure - containerPort: 8080 - - name: container02 - image: dummyimagename - ports: - - name: admin - containerPort: 8000 - protocol: TCP ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment07 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - 
containers: - - name: container01 - image: dummyimagename ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment08 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - ports: - - name: web-insecure - containerPort: 8080 - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment09 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - ports: - - name: web-insecure - containerPort: 8080 - containers: - - name: container01 - image: dummyimagename - ports: - - name: web-insecure - containerPort: 8080 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment10 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - - name: initcontainer02 - image: dummyimagename - ports: - - name: web-insecure - containerPort: 8080 - containers: - - name: container01 - image: dummyimagename - ports: - - name: web-insecure - containerPort: 8080 ---- -###### CronJobs - Bad -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob01 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - ports: - - name: dns - containerPort: 5553 - hostPort: 53 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob02 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - ports: - - name: admin - containerPort: 8000 - protocol: TCP - - name: dns - containerPort: 5553 - 
hostPort: 53 - protocol: UDP ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob03 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - - name: container02 - image: dummyimagename - ports: - - name: admin - containerPort: 8000 - protocol: TCP - - name: dns - containerPort: 5553 - hostPort: 53 - protocol: UDP ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob04 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - ports: - - name: admin - containerPort: 8000 - protocol: TCP - - name: container02 - image: dummyimagename - ports: - - name: dns - containerPort: 5553 - hostPort: 53 - protocol: UDP ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob05 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - ports: - - name: web-secure - containerPort: 4443 - hostPort: 443 - - name: container02 - image: dummyimagename - ports: - - name: dns - containerPort: 5553 - hostPort: 53 - protocol: UDP ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob06 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: dummyimagename - containers: - - name: container01 - image: dummyimagename - ports: - - name: dns - containerPort: 5553 - hostPort: 53 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob07 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: dummyimagename - ports: - - name: admin - containerPort: 8000 - protocol: TCP - containers: - - name: container01 
- image: dummyimagename - ports: - - name: dns - containerPort: 5553 - hostPort: 53 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob08 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: dummyimagename - - name: initcontainer02 - image: dummyimagename - ports: - - name: admin - containerPort: 8000 - protocol: TCP - containers: - - name: container01 - image: dummyimagename - ports: - - name: dns - containerPort: 5553 - hostPort: 53 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob09 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: dummyimagename - ports: - - name: web - containerPort: 4443 - hostPort: 443 - - name: initcontainer02 - image: dummyimagename - ports: - - name: admin - containerPort: 8000 - protocol: TCP - containers: - - name: container01 - image: dummyimagename - ports: - - name: dns - containerPort: 5553 - hostPort: 53 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob10 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: dummyimagename - ports: - - name: dns - containerPort: 5553 - hostPort: 53 - containers: - - name: container01 - image: dummyimagename ---- -###### CronJobs - Good -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob01 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob02 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - ports: - - name: admin - 
containerPort: 8000 - protocol: TCP ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob03 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - ports: - - name: admin - containerPort: 8000 - protocol: TCP - - name: web-insecure - containerPort: 8080 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob04 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - - name: container02 - image: dummyimagename ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob05 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - - name: container02 - image: dummyimagename - ports: - - name: admin - containerPort: 8000 - protocol: TCP ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob06 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - ports: - - name: web-insecure - containerPort: 8080 - - name: container02 - image: dummyimagename - ports: - - name: admin - containerPort: 8000 - protocol: TCP ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob07 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: dummyimagename - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob08 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: dummyimagename - ports: - - name: web-insecure - 
containerPort: 8080 - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob09 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: dummyimagename - ports: - - name: web-insecure - containerPort: 8080 - containers: - - name: container01 - image: dummyimagename - ports: - - name: web-insecure - containerPort: 8080 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob10 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: dummyimagename - - name: initcontainer02 - image: dummyimagename - ports: - - name: web-insecure - containerPort: 8080 - containers: - - name: container01 - image: dummyimagename - ports: - - name: web-insecure - containerPort: 8080 diff --git a/pod-security-cel/baseline/disallow-host-ports/artifacthub-pkg.yml b/pod-security-cel/baseline/disallow-host-ports/artifacthub-pkg.yml index 619a073ff..4542c8425 100644 --- a/pod-security-cel/baseline/disallow-host-ports/artifacthub-pkg.yml +++ b/pod-security-cel/baseline/disallow-host-ports/artifacthub-pkg.yml @@ -17,7 +17,7 @@ readme: | Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ annotations: kyverno/category: "Pod Security Standards (Baseline) in CEL" - kyverno/kubernetesVersion: "1.26-1.27" + kyverno/kubernetesVersion: "1.22-1.23" kyverno/subject: "Pod" -digest: b95cfe16e11be0b9507736687bd99b5ea78c455f8fc35194220326ea5ff3913c +digest: e5c3baa87ccb5cbbaeb6594e12e4781c8fca0d72a5a513b2a6f8efc80e00b200 createdAt: "2023-12-03T00:22:34Z" diff --git a/pod-security-cel/baseline/disallow-host-ports/disallow-host-ports.yaml b/pod-security-cel/baseline/disallow-host-ports/disallow-host-ports.yaml index b7603ecfb..cd4e0fd47 100644 
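Review bot: The `kyverno/kubernetesVersion` annotation in artifacthub-pkg.yml moves backwards from "1.26-1.27" to "1.22-1.23" while nothing else in this file changes except the regenerated `digest`, and the commit gives no visible reason for the downgrade. Since the digest is recomputed from the file content, it will not catch an annotation that no longer matches what the policy was actually tested against, so it is worth confirming these releases were exercised with the CEL variant before merging. If the intent is simply to align with the non-CEL sibling policy's metadata, a short line in the commit description would make that clear.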
--- a/pod-security-cel/baseline/disallow-host-ports/disallow-host-ports.yaml +++ b/pod-security-cel/baseline/disallow-host-ports/disallow-host-ports.yaml @@ -23,9 +23,6 @@ spec: - resources: kinds: - Pod - operations: - - CREATE - - UPDATE validate: cel: expressions: diff --git a/pod-security-cel/baseline/disallow-host-process/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/pod-security-cel/baseline/disallow-host-process/.chainsaw-test/chainsaw-step-01-assert-1.yaml new file mode 100755 index 000000000..ddce453da --- /dev/null +++ b/pod-security-cel/baseline/disallow-host-process/.chainsaw-test/chainsaw-step-01-assert-1.yaml @@ -0,0 +1,6 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: disallow-host-process +status: + ready: true diff --git a/pod-security-cel/baseline/disallow-host-process/.chainsaw-test/chainsaw-test.yaml b/pod-security-cel/baseline/disallow-host-process/.chainsaw-test/chainsaw-test.yaml index e5c9e4bac..7efb9328b 100755 --- a/pod-security-cel/baseline/disallow-host-process/.chainsaw-test/chainsaw-test.yaml +++ b/pod-security-cel/baseline/disallow-host-process/.chainsaw-test/chainsaw-test.yaml 
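Review bot: Dropping `operations:` / `- CREATE` / `- UPDATE` from the `match` block in disallow-host-ports.yaml widens the rule's trigger set to whatever Kyverno uses when the field is unset, and the hunk gives no comment explaining why the explicit scoping was removed. Depending on the Kyverno version in use, that default may include operations beyond CREATE and UPDATE, so the CEL expressions under `validate.cel` could be evaluated for requests the rule was not written for. If the removal is deliberate (for example because the CEL backend in the targeted version does not accept `operations` here), a one-line comment at the match block such as `# operations intentionally unset: rule relies on Kyverno's default operation set` would preserve that reasoning for the next reader; otherwise the three lines should be restored. The enclosing rule continues outside the hunk.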
@@ -1,40 +1,37 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: creationTimestamp: null name: disallow-host-process spec: - # disable templating because it can cause issues with CEL expressions - template: false steps: - name: step-01 try: - - apply: - file: ../disallow-host-process.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: disallow-host-process - spec: - validationFailureAction: Enforce + - script: + content: | + sed 's/validationFailureAction: Audit/validationFailureAction: Enforce/' ../disallow-host-process.yaml | kubectl create -f - - assert: - file: policy-ready.yaml + file: chainsaw-step-01-assert-1.yaml - name: step-02 try: - apply: - file: pod-good.yaml + file: ../../../../pod-security/baseline/disallow-host-process/.chainsaw-test/pod-good.yaml - apply: expect: - check: ($error != null): true - file: pod-bad.yaml + file: ../../../../pod-security/baseline/disallow-host-process/.chainsaw-test/pod-bad.yaml - apply: - file: podcontroller-good.yaml + file: ../../../../pod-security/baseline/disallow-host-process/.chainsaw-test/podcontroller-good.yaml - apply: expect: - check: ($error != null): true - file: podcontroller-bad.yaml + file: ../../../../pod-security/baseline/disallow-host-process/.chainsaw-test/podcontroller-bad.yaml + - name: step-99 + try: + - delete: + ref: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: disallow-host-process diff --git a/pod-security-cel/baseline/disallow-host-process/.chainsaw-test/pod-bad.yaml b/pod-security-cel/baseline/disallow-host-process/.chainsaw-test/pod-bad.yaml deleted file mode 100644 index e5ebd1526..000000000 --- a/pod-security-cel/baseline/disallow-host-process/.chainsaw-test/pod-bad.yaml +++ /dev/null 
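Review bot: The new `script` step in chainsaw-test.yaml depends on the literal text `validationFailureAction: Audit` being present in ../disallow-host-process.yaml; if that line ever changes (already Enforce, different casing, moved under a different key), the `sed` substitution is a silent no-op and the policy is created in Audit mode, with the breakage only surfacing indirectly as failing `expect` checks in step-02. The replaced `patch` step expressed the same intent declaratively and would fail loudly on a missing field, so either keep it or add a comment above the script such as `# policy ships in Audit mode; rewritten to Enforce so the bad fixtures below are rejected`. The four `../../../../pod-security/baseline/disallow-host-process/.chainsaw-test/*.yaml` paths also tie this test to another policy directory's fixtures, so edits to those files will change this test's behaviour without any diff here; the same coupling is introduced in the kyverno-test.yaml hunk further down (the `resource.yaml` path). A comment on the first such `file:` line naming the shared fixtures as the source of truth would make that dependency explicit.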
@@ -1,144 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: badpod01-new -spec: - initContainers: - - name: busybox01-init - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - windowsOptions: - hostProcess: true - containers: - - name: busybox01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - windowsOptions: - hostProcess: false - - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod02-new -spec: - containers: - - name: busybox01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - windowsOptions: - hostProcess: true ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod03-new -spec: - containers: - - name: busybox01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - windowsOptions: - hostProcess: true - - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod01 -spec: - hostNetwork: true - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - windowsOptions: - hostProcess: true ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod02 -spec: - hostNetwork: true - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - windowsOptions: - hostProcess: true - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - windowsOptions: - hostProcess: true ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod03 -spec: - hostNetwork: true - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - windowsOptions: - hostProcess: true - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - windowsOptions: - hostProcess: true ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod04 -spec: - hostNetwork: true - initContainers: - - name: initcontainer01 - image: 
ghcr.io/kyverno/test-busybox:1.35 - securityContext: - windowsOptions: - hostProcess: true - - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - windowsOptions: - hostProcess: true - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - windowsOptions: - hostProcess: true ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod05 -spec: - hostNetwork: true - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - windowsOptions: - hostProcess: true - - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - windowsOptions: - hostProcess: true - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - windowsOptions: - hostProcess: true ---- \ No newline at end of file diff --git a/pod-security-cel/baseline/disallow-host-process/.chainsaw-test/pod-good.yaml b/pod-security-cel/baseline/disallow-host-process/.chainsaw-test/pod-good.yaml deleted file mode 100644 index 9a14517e9..000000000 --- a/pod-security-cel/baseline/disallow-host-process/.chainsaw-test/pod-good.yaml +++ /dev/null 
@@ -1,143 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: goodpod01-new -spec: - initContainers: - - name: busybox01-init - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - windowsOptions: - hostProcess: false - containers: - - name: busybox01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - windowsOptions: - hostProcess: false - - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod02-new -spec: - containers: - - name: busybox01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - windowsOptions: - hostProcess: false ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod03-new -spec: - containers: - - name: busybox01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - windowsOptions: - hostProcess: false - - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod04-new -spec: - containers: - - name: busybox01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod01 -spec: - hostNetwork: true - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod02 -spec: - hostNetwork: true - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - windowsOptions: - hostProcess: false ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod03 -spec: - hostNetwork: true - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - windowsOptions: - hostProcess: false ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod04 -spec: - hostNetwork: true - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- 
-apiVersion: v1 -kind: Pod -metadata: - name: goodpod05 -spec: - hostNetwork: true - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - windowsOptions: - hostProcess: false - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod06 -spec: - hostNetwork: true - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - windowsOptions: - hostProcess: false - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - windowsOptions: - hostProcess: false ---- \ No newline at end of file diff --git a/pod-security-cel/baseline/disallow-host-process/.chainsaw-test/podcontroller-bad.yaml b/pod-security-cel/baseline/disallow-host-process/.chainsaw-test/podcontroller-bad.yaml deleted file mode 100644 index 2b9838389..000000000 --- a/pod-security-cel/baseline/disallow-host-process/.chainsaw-test/podcontroller-bad.yaml +++ /dev/null 
@@ -1,326 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment01-new -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: busybox01-init - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - windowsOptions: - hostProcess: true - containers: - - name: busybox01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - windowsOptions: - hostProcess: false - - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob01-new -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: Never - initContainers: - - name: busybox01-init - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - windowsOptions: - hostProcess: false - containers: - - name: busybox01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - windowsOptions: - hostProcess: true ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment01 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - hostNetwork: true - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - windowsOptions: - hostProcess: true ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment02 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - hostNetwork: true - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - windowsOptions: - hostProcess: true - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - windowsOptions: - hostProcess: true ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment03 -spec: - replicas: 1 - selector: - 
matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - hostNetwork: true - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - windowsOptions: - hostProcess: true - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - windowsOptions: - hostProcess: true ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment04 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - hostNetwork: true - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - windowsOptions: - hostProcess: true - - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - windowsOptions: - hostProcess: true - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - windowsOptions: - hostProcess: true ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment05 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - hostNetwork: true - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - windowsOptions: - hostProcess: true - - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - windowsOptions: - hostProcess: true - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - windowsOptions: - hostProcess: true ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob01 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - hostNetwork: true - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - windowsOptions: - hostProcess: true ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - 
name: badcronjob02 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - hostNetwork: true - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - windowsOptions: - hostProcess: true - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - windowsOptions: - hostProcess: true ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob03 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - hostNetwork: true - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - windowsOptions: - hostProcess: true - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - windowsOptions: - hostProcess: true ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob04 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - hostNetwork: true - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - windowsOptions: - hostProcess: true - - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - windowsOptions: - hostProcess: true - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - windowsOptions: - hostProcess: true ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob05 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - hostNetwork: true - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - windowsOptions: - hostProcess: true - - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - windowsOptions: - hostProcess: true - containers: - - name: container01 - image: 
ghcr.io/kyverno/test-busybox:1.35 - securityContext: - windowsOptions: - hostProcess: true ---- \ No newline at end of file diff --git a/pod-security-cel/baseline/disallow-host-process/.chainsaw-test/podcontroller-good.yaml b/pod-security-cel/baseline/disallow-host-process/.chainsaw-test/podcontroller-good.yaml deleted file mode 100644 index 24add416f..000000000 --- a/pod-security-cel/baseline/disallow-host-process/.chainsaw-test/podcontroller-good.yaml +++ /dev/null 
@@ -1,320 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment01-new -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: busybox01-init - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - windowsOptions: - hostProcess: false - containers: - - name: busybox01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - windowsOptions: - hostProcess: false - - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob01-new -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: Never - initContainers: - - name: busybox01-init - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - windowsOptions: - hostProcess: false - containers: - - name: busybox01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - windowsOptions: - hostProcess: false ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment01 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - hostNetwork: true - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment02 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - hostNetwork: true - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - windowsOptions: - hostProcess: false ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment03 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - hostNetwork: true - containers: - - name: container01 - image: 
ghcr.io/kyverno/test-busybox:1.35 - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - windowsOptions: - hostProcess: false ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment04 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - hostNetwork: true - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment05 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - hostNetwork: true - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - windowsOptions: - hostProcess: false - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment06 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - hostNetwork: true - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - windowsOptions: - hostProcess: false - - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - windowsOptions: - hostProcess: false ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob01 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - hostNetwork: true - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob02 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - 
hostNetwork: true - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - windowsOptions: - hostProcess: false ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob03 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - hostNetwork: true - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - windowsOptions: - hostProcess: false ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob04 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - hostNetwork: true - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob05 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - hostNetwork: true - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - windowsOptions: - hostProcess: false - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob06 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - hostNetwork: true - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - windowsOptions: - hostProcess: false - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - windowsOptions: - hostProcess: false 
diff --git a/pod-security-cel/baseline/disallow-host-process/.chainsaw-test/policy-ready.yaml b/pod-security-cel/baseline/disallow-host-process/.chainsaw-test/policy-ready.yaml deleted file mode 100755 index 24ff7dd20..000000000 --- a/pod-security-cel/baseline/disallow-host-process/.chainsaw-test/policy-ready.yaml +++ /dev/null @@ -1,10 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: disallow-host-process -status: - conditions: - - reason: Succeeded - status: "True" - type: Ready - diff --git a/pod-security-cel/baseline/disallow-host-process/.kyverno-test/kyverno-test.yaml b/pod-security-cel/baseline/disallow-host-process/.kyverno-test/kyverno-test.yaml index 47164b2ab..b52cf2243 100644 --- a/pod-security-cel/baseline/disallow-host-process/.kyverno-test/kyverno-test.yaml +++ b/pod-security-cel/baseline/disallow-host-process/.kyverno-test/kyverno-test.yaml @@ -5,7 +5,7 @@ metadata: policies: - ../disallow-host-process.yaml resources: -- resource.yaml +- ../../../../pod-security/baseline/disallow-host-process/.kyverno-test/resource.yaml results: - kind: CronJob policy: disallow-host-process diff --git a/pod-security-cel/baseline/disallow-host-process/.kyverno-test/resource.yaml b/pod-security-cel/baseline/disallow-host-process/.kyverno-test/resource.yaml deleted file mode 100644 index 8b8ab18fe..000000000 --- a/pod-security-cel/baseline/disallow-host-process/.kyverno-test/resource.yaml +++ /dev/null 
@@ -1,729 +0,0 @@ -###### Pods - Bad ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod01 -spec: - hostNetwork: true - containers: - - name: container01 - image: dummyimagename - securityContext: - windowsOptions: - hostProcess: true ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod02 -spec: - hostNetwork: true - containers: - - name: container01 - image: dummyimagename - securityContext: - windowsOptions: - hostProcess: true - - name: container02 - image: dummyimagename - securityContext: - windowsOptions: - hostProcess: true ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod03 -spec: - hostNetwork: true - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - windowsOptions: - hostProcess: true - containers: - - name: container01 - image: dummyimagename - securityContext: - windowsOptions: - hostProcess: true ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod04 -spec: - hostNetwork: true - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - windowsOptions: - hostProcess: true - - name: initcontainer02 - image: dummyimagename - securityContext: - windowsOptions: - hostProcess: true - containers: - - name: container01 - image: dummyimagename - securityContext: - windowsOptions: - hostProcess: true ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod05 -spec: - hostNetwork: true - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - windowsOptions: - hostProcess: true - - name: initcontainer02 - image: dummyimagename - securityContext: - windowsOptions: - hostProcess: true - containers: - - name: container01 - image: dummyimagename - securityContext: - windowsOptions: - hostProcess: true ---- -###### Pods - Good -apiVersion: v1 -kind: Pod -metadata: - name: goodpod01 -spec: - hostNetwork: true - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod02 -spec: - hostNetwork: 
true - containers: - - name: container01 - image: dummyimagename - securityContext: - windowsOptions: - hostProcess: false ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod03 -spec: - hostNetwork: true - containers: - - name: container01 - image: dummyimagename - - name: container02 - image: dummyimagename - securityContext: - windowsOptions: - hostProcess: false ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod04 -spec: - hostNetwork: true - initContainers: - - name: initcontainer01 - image: dummyimagename - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod05 -spec: - hostNetwork: true - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - windowsOptions: - hostProcess: false - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod06 -spec: - hostNetwork: true - initContainers: - - name: initcontainer01 - image: dummyimagename - - name: initcontainer02 - image: dummyimagename - securityContext: - windowsOptions: - hostProcess: false - containers: - - name: container01 - image: dummyimagename - securityContext: - windowsOptions: - hostProcess: false ---- -###### Deployments - Bad -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment01 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - hostNetwork: true - containers: - - name: container01 - image: dummyimagename - securityContext: - windowsOptions: - hostProcess: true ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment02 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - hostNetwork: true - containers: - - name: container01 - image: dummyimagename - securityContext: - windowsOptions: - hostProcess: true - - name: container02 - image: dummyimagename - securityContext: - 
windowsOptions: - hostProcess: true ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment03 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - hostNetwork: true - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - windowsOptions: - hostProcess: true - containers: - - name: container01 - image: dummyimagename - securityContext: - windowsOptions: - hostProcess: true ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment04 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - hostNetwork: true - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - windowsOptions: - hostProcess: true - - name: initcontainer02 - image: dummyimagename - securityContext: - windowsOptions: - hostProcess: true - containers: - - name: container01 - image: dummyimagename - securityContext: - windowsOptions: - hostProcess: true ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment05 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - hostNetwork: true - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - windowsOptions: - hostProcess: true - - name: initcontainer02 - image: dummyimagename - securityContext: - windowsOptions: - hostProcess: true - containers: - - name: container01 - image: dummyimagename - securityContext: - windowsOptions: - hostProcess: true ---- -###### Deployments - Good -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment01 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - hostNetwork: true - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment02 -spec: - 
replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - hostNetwork: true - containers: - - name: container01 - image: dummyimagename - securityContext: - windowsOptions: - hostProcess: false ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment03 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - hostNetwork: true - containers: - - name: container01 - image: dummyimagename - - name: container02 - image: dummyimagename - securityContext: - windowsOptions: - hostProcess: false ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment04 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - hostNetwork: true - initContainers: - - name: initcontainer01 - image: dummyimagename - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment05 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - hostNetwork: true - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - windowsOptions: - hostProcess: false - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment06 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - hostNetwork: true - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - windowsOptions: - hostProcess: false - - name: initcontainer02 - image: dummyimagename - containers: - - name: container01 - image: dummyimagename - securityContext: - windowsOptions: - hostProcess: false ---- -###### CronJobs - Bad -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob01 -spec: - schedule: "*/1 * * * *" - 
jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - hostNetwork: true - containers: - - name: container01 - image: dummyimagename - securityContext: - windowsOptions: - hostProcess: true ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob02 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - hostNetwork: true - containers: - - name: container01 - image: dummyimagename - securityContext: - windowsOptions: - hostProcess: true - - name: container02 - image: dummyimagename - securityContext: - windowsOptions: - hostProcess: true ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob03 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - hostNetwork: true - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - windowsOptions: - hostProcess: true - containers: - - name: container01 - image: dummyimagename - securityContext: - windowsOptions: - hostProcess: true ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob04 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - hostNetwork: true - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - windowsOptions: - hostProcess: true - - name: initcontainer02 - image: dummyimagename - securityContext: - windowsOptions: - hostProcess: true - containers: - - name: container01 - image: dummyimagename - securityContext: - windowsOptions: - hostProcess: true ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob05 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - hostNetwork: true - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - windowsOptions: - hostProcess: true - - name: initcontainer02 - image: dummyimagename - securityContext: - 
windowsOptions: - hostProcess: true - containers: - - name: container01 - image: dummyimagename - securityContext: - windowsOptions: - hostProcess: true ---- -###### CronJobs - Good -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob01 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - hostNetwork: true - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob02 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - hostNetwork: true - containers: - - name: container01 - image: dummyimagename - securityContext: - windowsOptions: - hostProcess: false ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob03 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - hostNetwork: true - containers: - - name: container01 - image: dummyimagename - - name: container02 - image: dummyimagename - securityContext: - windowsOptions: - hostProcess: false ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob04 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - hostNetwork: true - initContainers: - - name: initcontainer01 - image: dummyimagename - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob05 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - hostNetwork: true - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - windowsOptions: - hostProcess: false - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob06 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: 
OnFailure - hostNetwork: true - initContainers: - - name: initcontainer01 - image: dummyimagename - - name: initcontainer02 - image: dummyimagename - securityContext: - windowsOptions: - hostProcess: false - containers: - - name: container01 - image: dummyimagename - securityContext: - windowsOptions: - hostProcess: false diff --git a/pod-security-cel/baseline/disallow-host-process/artifacthub-pkg.yml b/pod-security-cel/baseline/disallow-host-process/artifacthub-pkg.yml index e8d224546..29696dcf3 100644 --- a/pod-security-cel/baseline/disallow-host-process/artifacthub-pkg.yml +++ b/pod-security-cel/baseline/disallow-host-process/artifacthub-pkg.yml @@ -17,7 +17,7 @@ readme: | Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ annotations: kyverno/category: "Pod Security Standards (Baseline) in CEL" - kyverno/kubernetesVersion: "1.26-1.27" + kyverno/kubernetesVersion: "1.22-1.23" kyverno/subject: "Pod" -digest: 37386d4c35fe393c0957f0e52ddf818b38d31cb5440e3bcc155161b1f79e47c4 -createdAt: "2024-08-27T00:22:34Z" +digest: 33a4b3765e2a54711df4379c41babb8b92f748d784bc79df049fb4fd225633a1 +createdAt: "2023-12-03T00:22:34Z" diff --git a/pod-security-cel/baseline/disallow-host-process/disallow-host-process.yaml b/pod-security-cel/baseline/disallow-host-process/disallow-host-process.yaml index da74ffd67..03b389530 100644 --- a/pod-security-cel/baseline/disallow-host-process/disallow-host-process.yaml +++ b/pod-security-cel/baseline/disallow-host-process/disallow-host-process.yaml 
@@ -24,20 +24,34 @@ spec: - resources: kinds: - Pod - operations: - - CREATE - - UPDATE validate: cel: - variables: - - name: allContainers - expression: "(object.spec.containers + (has(object.spec.initContainers) ? object.spec.initContainers : []) + (has(object.spec.ephemeralContainers) ? object.spec.ephemeralContainers : []))" expressions: - - expression: >- - variables.allContainers.all(container, - container.?securityContext.?windowsOptions.?hostProcess.orValue(false) == false) + - expression: >- + object.spec.containers.all(container, !has(container.securityContext) || + !has(container.securityContext.windowsOptions) || + !has(container.securityContext.windowsOptions.hostProcess) || + container.securityContext.windowsOptions.hostProcess == false) message: >- - HostProcess containers are disallowed. The field spec.containers[*].securityContext.windowsOptions.hostProcess, - spec.initContainers[*].securityContext.windowsOptions.hostProcess, and - spec.ephemeralContainers[*].securityContext.windowsOptions.hostProcess - must either be undefined or set to `false`. + HostProcess containers are disallowed. The field spec.containers[*].securityContext.windowsOptions.hostProcess + must either be undefined or set to `false`. + + - expression: >- + !has(object.spec.initContainers) || + object.spec.initContainers.all(container, !has(container.securityContext) || + !has(container.securityContext.windowsOptions) || + !has(container.securityContext.windowsOptions.hostProcess) || + container.securityContext.windowsOptions.hostProcess == false) + message: >- + HostProcess containers are disallowed. The field spec.initContainers[*].securityContext.windowsOptions.hostProcess + must either be undefined or set to `false`. 
+ + - expression: >- + !has(object.spec.ephemeralContainers) || + object.spec.ephemeralContainers.all(container, !has(container.securityContext) || + !has(container.securityContext.windowsOptions) || + !has(container.securityContext.windowsOptions.hostProcess) || + container.securityContext.windowsOptions.hostProcess == false) + message: >- + HostProcess containers are disallowed. The field spec.ephemeralContainers[*].securityContext.windowsOptions.hostProcess + must either be undefined or set to `false`. diff --git a/pod-security-cel/baseline/disallow-privileged-containers/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/pod-security-cel/baseline/disallow-privileged-containers/.chainsaw-test/chainsaw-step-01-assert-1.yaml new file mode 100755 index 000000000..cc13a32d2 --- /dev/null +++ b/pod-security-cel/baseline/disallow-privileged-containers/.chainsaw-test/chainsaw-step-01-assert-1.yaml @@ -0,0 +1,6 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: disallow-privileged-containers +status: + ready: true diff --git a/pod-security-cel/baseline/disallow-privileged-containers/.chainsaw-test/chainsaw-test.yaml b/pod-security-cel/baseline/disallow-privileged-containers/.chainsaw-test/chainsaw-test.yaml index c3e53ad5d..bc555d7bf 100755 --- a/pod-security-cel/baseline/disallow-privileged-containers/.chainsaw-test/chainsaw-test.yaml +++ b/pod-security-cel/baseline/disallow-privileged-containers/.chainsaw-test/chainsaw-test.yaml 
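Review bot: Removing `operations: [CREATE, UPDATE]` from the match block leaves this rule's admission scope to Kyverno's default for validate rules; if that default on the targeted release also covers DELETE, `object.spec.containers.all(...)` would be evaluated with no `object` on deletion and fail to evaluate rather than validate, so the default should be confirmed for the Kubernetes/Kyverno range this change targets. If the intended scope is unchanged, keeping the two `operations` lines makes it explicit; otherwise a comment on the match block stating the intended operations would help the next reader. The three `has()`-guarded expressions are otherwise equivalent to the removed `allContainers` variable with optional chaining, presumably to suit the older Kubernetes range declared in artifacthub-pkg.yml in this same commit. The enclosing rule (its `name` and `match` keys) starts outside the hunk.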
@@ -1,40 +1,37 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: creationTimestamp: null name: disallow-privileged-containers spec: - # disable templating because it can cause issues with CEL expressions - template: false steps: - name: step-01 try: - - apply: - file: ../disallow-privileged-containers.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: disallow-privileged-containers - spec: - validationFailureAction: Enforce + - script: + content: | + sed 's/validationFailureAction: Audit/validationFailureAction: Enforce/' ../disallow-privileged-containers.yaml | kubectl create -f - - assert: - file: policy-ready.yaml + file: chainsaw-step-01-assert-1.yaml - name: step-02 try: - apply: - file: pod-good.yaml + file: ../../../../pod-security/baseline/disallow-privileged-containers/.chainsaw-test/pod-good.yaml - apply: expect: - check: ($error != null): true - file: pod-bad.yaml + file: ../../../../pod-security/baseline/disallow-privileged-containers/.chainsaw-test/pod-bad.yaml - apply: - file: podcontroller-good.yaml + file: ../../../../pod-security/baseline/disallow-privileged-containers/.chainsaw-test/podcontroller-good.yaml - apply: expect: - check: ($error != null): true - file: podcontroller-bad.yaml + file: ../../../../pod-security/baseline/disallow-privileged-containers/.chainsaw-test/podcontroller-bad.yaml + - name: step-99 + try: + - delete: + ref: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: disallow-privileged-containers diff --git a/pod-security-cel/baseline/disallow-privileged-containers/.chainsaw-test/pod-bad.yaml b/pod-security-cel/baseline/disallow-privileged-containers/.chainsaw-test/pod-bad.yaml deleted file mode 100644 index 91bb7660f..000000000 
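Review bot: The `sed` pipeline in step-01 has no failure signal: if the policy file no longer contains the literal `validationFailureAction: Audit`, `sed` passes it through unchanged and `kubectl create` still succeeds, so the policy is installed in Audit mode and the `($error != null): true` expectations in step-02 fail for an indirect reason. A guard before the pipe makes the precondition explicit, e.g. `grep -q 'validationFailureAction: Audit' ../disallow-privileged-containers.yaml || exit 1`, and since the pipeline's exit status is `kubectl`'s, `set -o pipefail` is worth adding if the shell chainsaw invokes supports it. The removed `patch` step was the structured way to set Enforce; if the text-substitution form is kept, a one-line comment above `content` explaining why it replaced the patch would help.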
--- a/pod-security-cel/baseline/disallow-privileged-containers/.chainsaw-test/pod-bad.yaml +++ /dev/null 
@@ -1,131 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: badpod01-new -spec: - initContainers: - - name: busybox01-init - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - privileged: true - containers: - - name: busybox01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - privileged: false - - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod02-new -spec: - containers: - - name: busybox01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - privileged: true ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod03-new -spec: - containers: - - name: busybox01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - privileged: true - - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - privileged: false ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod04-new -spec: - containers: - - name: busybox01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - privileged: false - - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - privileged: true ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod01 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - privileged: true ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod02 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - privileged: true ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod03 -spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - privileged: true - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod04 -spec: - initContainers: - - name: initcontainer01 - image: 
ghcr.io/kyverno/test-busybox:1.35 - - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - privileged: true - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod05 -spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - privileged: true - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - privileged: true ---- \ No newline at end of file diff --git a/pod-security-cel/baseline/disallow-privileged-containers/.chainsaw-test/pod-good.yaml b/pod-security-cel/baseline/disallow-privileged-containers/.chainsaw-test/pod-good.yaml deleted file mode 100644 index 85d1e5a64..000000000 --- a/pod-security-cel/baseline/disallow-privileged-containers/.chainsaw-test/pod-good.yaml +++ /dev/null 
@@ -1,130 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: goodpod01-new -spec: - initContainers: - - name: busybox01-init - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - privileged: false - containers: - - name: busybox01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - privileged: false - - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod02-new -spec: - containers: - - name: busybox01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - privileged: false ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod03-new -spec: - containers: - - name: busybox01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - privileged: false - - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - privileged: false ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod04-new -spec: - containers: - - name: busybox01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod01 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod02 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - privileged: false ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod03 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - privileged: false ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod04 -spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod05 -spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - 
securityContext: - privileged: false - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod06 -spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - privileged: false - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - privileged: false ---- \ No newline at end of file diff --git a/pod-security-cel/baseline/disallow-privileged-containers/.chainsaw-test/podcontroller-bad.yaml b/pod-security-cel/baseline/disallow-privileged-containers/.chainsaw-test/podcontroller-bad.yaml deleted file mode 100644 index c53985938..000000000 --- a/pod-security-cel/baseline/disallow-privileged-containers/.chainsaw-test/podcontroller-bad.yaml +++ /dev/null 
@@ -1,270 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment01-new -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: busybox01-init - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - privileged: false - containers: - - name: busybox01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - privileged: true - - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob01-new -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: Never - initContainers: - - name: busybox01-init - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - privileged: true - containers: - - name: busybox01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - privileged: false ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment01 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - privileged: true ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment02 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - privileged: true ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment03 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - privileged: true - 
containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment04 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - privileged: true - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment05 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - privileged: true - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - privileged: true ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob01 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - privileged: true ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob02 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - privileged: true ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob03 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - privileged: true - 
containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob04 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - privileged: true - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob05 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - privileged: true - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - privileged: true ---- \ No newline at end of file diff --git a/pod-security-cel/baseline/disallow-privileged-containers/.chainsaw-test/podcontroller-good.yaml b/pod-security-cel/baseline/disallow-privileged-containers/.chainsaw-test/podcontroller-good.yaml deleted file mode 100644 index eb3103ad1..000000000 --- a/pod-security-cel/baseline/disallow-privileged-containers/.chainsaw-test/podcontroller-good.yaml +++ /dev/null 
@@ -1,294 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment01-new -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: busybox01-init - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - privileged: false - containers: - - name: busybox01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - privileged: false - - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob01-new -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: Never - initContainers: - - name: busybox01-init - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - privileged: false - containers: - - name: busybox01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - privileged: false ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment01 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment02 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - privileged: false ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment03 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - privileged: false ---- -apiVersion: apps/v1 -kind: Deployment 
-metadata: - name: gooddeployment04 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment05 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - privileged: false - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment06 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - privileged: false - - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - privileged: false ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob01 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob02 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - privileged: false ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob03 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: 
ghcr.io/kyverno/test-busybox:1.35 - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - privileged: false ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob04 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob05 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - privileged: false - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob06 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - privileged: false - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - privileged: false diff --git a/pod-security-cel/baseline/disallow-privileged-containers/.chainsaw-test/policy-ready.yaml b/pod-security-cel/baseline/disallow-privileged-containers/.chainsaw-test/policy-ready.yaml deleted file mode 100755 index deead22e1..000000000 --- a/pod-security-cel/baseline/disallow-privileged-containers/.chainsaw-test/policy-ready.yaml +++ /dev/null @@ -1,10 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: disallow-privileged-containers -status: - conditions: - - reason: Succeeded - status: "True" - type: Ready - 
diff --git a/pod-security-cel/baseline/disallow-privileged-containers/.kyverno-test/kyverno-test.yaml b/pod-security-cel/baseline/disallow-privileged-containers/.kyverno-test/kyverno-test.yaml index 6ba1b9283..3203b14b1 100644 --- a/pod-security-cel/baseline/disallow-privileged-containers/.kyverno-test/kyverno-test.yaml +++ b/pod-security-cel/baseline/disallow-privileged-containers/.kyverno-test/kyverno-test.yaml @@ -5,7 +5,7 @@ metadata: policies: - ../disallow-privileged-containers.yaml resources: -- resource.yaml +- ../../../../pod-security/baseline/disallow-privileged-containers/.kyverno-test/resource.yaml results: - kind: CronJob policy: disallow-privileged-containers diff --git a/pod-security-cel/baseline/disallow-privileged-containers/.kyverno-test/resource.yaml b/pod-security-cel/baseline/disallow-privileged-containers/.kyverno-test/resource.yaml deleted file mode 100644 index 36f452ddd..000000000 --- a/pod-security-cel/baseline/disallow-privileged-containers/.kyverno-test/resource.yaml +++ /dev/null 
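Review bot: Pointing `resources:` at `../../../../pod-security/baseline/disallow-privileged-containers/.kyverno-test/resource.yaml` makes the CEL policy's test depend on a fixture owned by the non-CEL policy, so an edit to that file (renaming a `badpod0N`, adding a case) silently changes what this policy is tested against while the `results:` block below, which names those resources and is only partly visible in the hunk, stays unchanged. If sharing the fixture is intended, say so where the path is declared, e.g. `# fixture shared with pod-security/baseline/disallow-privileged-containers — keep results in sync`, so a later edit to the other tree is recognised as a change to this test too. The relative path resolves to the repository root from `.kyverno-test/`, so the reference itself looks correct.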
@@ -1,618 +0,0 @@ -###### Pods - Bad ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod01 -spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - privileged: true ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod02 -spec: - containers: - - name: container01 - image: dummyimagename - - name: container02 - image: dummyimagename - securityContext: - privileged: true ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod03 -spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - privileged: true - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod04 -spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - - name: initcontainer02 - image: dummyimagename - securityContext: - privileged: true - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod05 -spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - - name: initcontainer02 - image: dummyimagename - securityContext: - privileged: true - containers: - - name: container01 - image: dummyimagename - securityContext: - privileged: true ---- -###### Pods - Good -apiVersion: v1 -kind: Pod -metadata: - name: goodpod01 -spec: - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod02 -spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - privileged: false ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod03 -spec: - containers: - - name: container01 - image: dummyimagename - - name: container02 - image: dummyimagename - securityContext: - privileged: false ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod04 -spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: v1 
-kind: Pod -metadata: - name: goodpod05 -spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - privileged: false - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod06 -spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - - name: initcontainer02 - image: dummyimagename - securityContext: - privileged: false - containers: - - name: container01 - image: dummyimagename - securityContext: - privileged: false ---- -###### Deployments - Bad -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment01 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - privileged: true ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment02 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - - name: container02 - image: dummyimagename - securityContext: - privileged: true ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment03 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - privileged: true - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment04 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - - name: initcontainer02 - image: dummyimagename - securityContext: - privileged: true - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: apps/v1 -kind: Deployment 
-metadata: - name: baddeployment05 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - - name: initcontainer02 - image: dummyimagename - securityContext: - privileged: true - containers: - - name: container01 - image: dummyimagename - securityContext: - privileged: true ---- -###### Deployments - Good -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment01 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment02 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - privileged: false ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment03 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - - name: container02 - image: dummyimagename - securityContext: - privileged: false ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment04 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment05 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - privileged: false - containers: - - name: container01 - image: dummyimagename ---- 
-apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment06 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - privileged: false - - name: initcontainer02 - image: dummyimagename - containers: - - name: container01 - image: dummyimagename - securityContext: - privileged: false ---- -###### CronJobs - Bad -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob01 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - securityContext: - privileged: true ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob02 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - - name: container02 - image: dummyimagename - securityContext: - privileged: true ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob03 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - privileged: true - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob04 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: dummyimagename - - name: initcontainer02 - image: dummyimagename - securityContext: - privileged: true - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob05 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - 
name: initcontainer01 - image: dummyimagename - - name: initcontainer02 - image: dummyimagename - securityContext: - privileged: true - containers: - - name: container01 - image: dummyimagename - securityContext: - privileged: true ---- -###### CronJobs - Good -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob01 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob02 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - securityContext: - privileged: false ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob03 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - - name: container02 - image: dummyimagename - securityContext: - privileged: false ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob04 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: dummyimagename - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob05 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - privileged: false - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob06 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: dummyimagename - - 
name: initcontainer02 - image: dummyimagename - securityContext: - privileged: false - containers: - - name: container01 - image: dummyimagename - securityContext: - privileged: false diff --git a/pod-security-cel/baseline/disallow-privileged-containers/artifacthub-pkg.yml b/pod-security-cel/baseline/disallow-privileged-containers/artifacthub-pkg.yml index 346873cc6..dba8a989f 100644 --- a/pod-security-cel/baseline/disallow-privileged-containers/artifacthub-pkg.yml +++ b/pod-security-cel/baseline/disallow-privileged-containers/artifacthub-pkg.yml @@ -19,5 +19,5 @@ annotations: kyverno/category: "Pod Security Standards (Baseline) in CEL" kyverno/kubernetesVersion: "1.26-1.27" kyverno/subject: "Pod" -digest: 87d401d722951d3382e4848ee597448ad3a3504749000a57ba89f7a3acd17ba7 -createdAt: "2024-08-21T00:22:34Z" +digest: 92aefb85dcf369f46733d0f04d289deddee34eb5d0b46860b41de9f9eeed2805 +createdAt: "2023-12-03T00:22:34Z" diff --git a/pod-security-cel/baseline/disallow-privileged-containers/disallow-privileged-containers.yaml b/pod-security-cel/baseline/disallow-privileged-containers/disallow-privileged-containers.yaml index 5046692e4..e83abf748 100644 --- a/pod-security-cel/baseline/disallow-privileged-containers/disallow-privileged-containers.yaml +++ b/pod-security-cel/baseline/disallow-privileged-containers/disallow-privileged-containers.yaml 
@@ -23,14 +23,31 @@ spec: - resources: kinds: - Pod - operations: - - CREATE - - UPDATE validate: cel: - variables: - - name: allContainers - expression: "(object.spec.containers + (has(object.spec.initContainers) ? object.spec.initContainers : []) + (has(object.spec.ephemeralContainers) ? object.spec.ephemeralContainers : []))" expressions: - - expression: "variables.allContainers.all(container, container.?securityContext.?privileged.orValue(false) == false)" - message: "Privileged mode is disallowed. All containers must set the securityContext.privileged field to `false` or unset the field." + - expression: >- + object.spec.containers.all(container, !has(container.securityContext) || + !has(container.securityContext.privileged) || + container.securityContext.privileged == false) + message: >- + Privileged mode is disallowed. The fields spec.containers[*].securityContext.privileged + must be unset or set to `false`. + + - expression: >- + !has(object.spec.initContainers) || + object.spec.initContainers.all(container, !has(container.securityContext) || + !has(container.securityContext.privileged) || + container.securityContext.privileged == false) + message: >- + Privileged mode is disallowed. The fields spec.initContainers[*].securityContext.privileged + must be unset or set to `false`. + + - expression: >- + !has(object.spec.ephemeralContainers) || + object.spec.ephemeralContainers.all(container, !has(container.securityContext) || + !has(container.securityContext.privileged) || + container.securityContext.privileged == false) + message: >- + Privileged mode is disallowed. The fields spec.ephemeralContainers[*].securityContext.privileged + must be unset or set to `false`. diff --git a/pod-security-cel/baseline/disallow-proc-mount/.chainsaw-test/chainsaw-test.yaml b/pod-security-cel/baseline/disallow-proc-mount/.chainsaw-test/chainsaw-test.yaml deleted file mode 100755 index 04baf8fe0..000000000 
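Review bot: Dropping `operations:` / `- CREATE` / `- UPDATE` from the `resources:` match widens the rule to Kyverno's default operation set, and if that default includes DELETE for the deployed version the three new expressions dereference `object.spec` on a request that carries no `object`; keeping the explicit `operations:` list under `resources:` preserves the trigger surface the removed version had and costs nothing. The three `has()`-guarded expressions are equivalent to the removed `allContainers` variable for `containers`, `initContainers` and `ephemeralContainers`, presumably to avoid the optional-field syntax (`?.`/`orValue`) that may not be available on the Kubernetes 1.26-1.27 range the package annotation targets — that reason belongs in a comment above `expressions:`, e.g. `# one expression per container list, without CEL optional syntax, so the policy loads on the 1.26-1.27 CEL environment`. The per-list messages are an improvement over the single message since they name the offending field path.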
--- a/pod-security-cel/baseline/disallow-proc-mount/.chainsaw-test/chainsaw-test.yaml +++ /dev/null @@ -1,40 +0,0 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json -apiVersion: chainsaw.kyverno.io/v1alpha1 -kind: Test -metadata: - creationTimestamp: null - name: disallow-proc-mount -spec: - # disable templating because it can cause issues with CEL expressions - template: false - steps: - - name: step-01 - try: - - apply: - file: ../disallow-proc-mount.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: disallow-proc-mount - spec: - validationFailureAction: Enforce - - assert: - file: policy-ready.yaml - - name: step-02 - try: - - apply: - file: pod-good.yaml - - apply: - expect: - - check: - ($error != null): true - file: pod-bad.yaml - - apply: - file: podcontroller-good.yaml - - apply: - expect: - - check: - ($error != null): true - file: podcontroller-bad.yaml diff --git a/pod-security-cel/baseline/disallow-proc-mount/.chainsaw-test/pod-bad.yaml b/pod-security-cel/baseline/disallow-proc-mount/.chainsaw-test/pod-bad.yaml deleted file mode 100644 index 623c582d3..000000000 --- a/pod-security-cel/baseline/disallow-proc-mount/.chainsaw-test/pod-bad.yaml +++ /dev/null 
@@ -1,73 +0,0 @@ ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod01 -spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - procMount: Unmasked ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod02 -spec: - containers: - - name: container01 - image: dummyimagename - - name: container02 - image: dummyimagename - securityContext: - procMount: Unmasked ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod03 -spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - procMount: Unmasked - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod04 -spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - - name: initcontainer02 - image: dummyimagename - securityContext: - procMount: Unmasked - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod05 -spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - - name: initcontainer02 - image: dummyimagename - securityContext: - procMount: Unmasked - containers: - - name: container01 - image: dummyimagename - securityContext: - procMount: Unmasked ---- \ No newline at end of file diff --git a/pod-security-cel/baseline/disallow-proc-mount/.chainsaw-test/pod-good.yaml b/pod-security-cel/baseline/disallow-proc-mount/.chainsaw-test/pod-good.yaml deleted file mode 100644 index 747d648e2..000000000 --- a/pod-security-cel/baseline/disallow-proc-mount/.chainsaw-test/pod-good.yaml +++ /dev/null 
@@ -1,78 +0,0 @@ ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod01 -spec: - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod02 -spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - procMount: Default ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod03 -spec: - containers: - - name: container01 - image: dummyimagename - - name: container02 - image: dummyimagename - securityContext: - procMount: Default ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod04 -spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod05 -spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - procMount: Default - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod06 -spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - - name: initcontainer02 - image: dummyimagename - securityContext: - procMount: Default - containers: - - name: container01 - image: dummyimagename - securityContext: - procMount: Default ---- \ No newline at end of file diff --git a/pod-security-cel/baseline/disallow-proc-mount/.chainsaw-test/podcontroller-bad.yaml b/pod-security-cel/baseline/disallow-proc-mount/.chainsaw-test/podcontroller-bad.yaml deleted file mode 100644 index b719c34b3..000000000 --- a/pod-security-cel/baseline/disallow-proc-mount/.chainsaw-test/podcontroller-bad.yaml +++ /dev/null 
@@ -1,220 +0,0 @@ ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment01 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - procMount: Unmasked ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment02 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - - name: container02 - image: dummyimagename - securityContext: - procMount: Unmasked ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment03 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - procMount: Unmasked - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment04 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - - name: initcontainer02 - image: dummyimagename - securityContext: - procMount: Unmasked - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment05 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - - name: initcontainer02 - image: dummyimagename - securityContext: - procMount: Unmasked - containers: - - name: container01 - image: dummyimagename - securityContext: - procMount: Unmasked ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob01 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: 
- template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - securityContext: - procMount: Unmasked ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob02 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - - name: container02 - image: dummyimagename - securityContext: - procMount: Unmasked ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob03 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - procMount: Unmasked - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob04 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: dummyimagename - - name: initcontainer02 - image: dummyimagename - securityContext: - procMount: Unmasked - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob05 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: dummyimagename - - name: initcontainer02 - image: dummyimagename - securityContext: - procMount: Unmasked - containers: - - name: container01 - image: dummyimagename - securityContext: - procMount: Unmasked ---- \ No newline at end of file diff --git a/pod-security-cel/baseline/disallow-proc-mount/.chainsaw-test/podcontroller-good.yaml b/pod-security-cel/baseline/disallow-proc-mount/.chainsaw-test/podcontroller-good.yaml deleted file mode 100644 index 83e0d5aac..000000000 
--- a/pod-security-cel/baseline/disallow-proc-mount/.chainsaw-test/podcontroller-good.yaml +++ /dev/null 
@@ -1,245 +0,0 @@ ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment01 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment02 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - procMount: Default ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment03 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - - name: container02 - image: dummyimagename - securityContext: - procMount: Default ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment04 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment05 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - procMount: Default - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment06 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - procMount: Default - - name: initcontainer02 - image: dummyimagename - containers: - - name: container01 - image: dummyimagename - 
securityContext: - procMount: Default ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob01 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob02 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - securityContext: - procMount: Default ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob03 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - - name: container02 - image: dummyimagename - securityContext: - procMount: Default ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob04 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: dummyimagename - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob05 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - procMount: Default - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob06 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: dummyimagename - - name: initcontainer02 - image: dummyimagename - securityContext: - procMount: Default - containers: - - name: container01 - image: dummyimagename - securityContext: - procMount: Default ---- \ No newline at end of file 
diff --git a/pod-security-cel/baseline/disallow-proc-mount/.chainsaw-test/policy-ready.yaml b/pod-security-cel/baseline/disallow-proc-mount/.chainsaw-test/policy-ready.yaml deleted file mode 100755 index 9fafc59be..000000000 --- a/pod-security-cel/baseline/disallow-proc-mount/.chainsaw-test/policy-ready.yaml +++ /dev/null @@ -1,10 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: disallow-proc-mount -status: - conditions: - - reason: Succeeded - status: "True" - type: Ready - diff --git a/pod-security-cel/baseline/disallow-proc-mount/.kyverno-test/kyverno-test.yaml b/pod-security-cel/baseline/disallow-proc-mount/.kyverno-test/kyverno-test.yaml index 409c27405..09f8c605c 100644 --- a/pod-security-cel/baseline/disallow-proc-mount/.kyverno-test/kyverno-test.yaml +++ b/pod-security-cel/baseline/disallow-proc-mount/.kyverno-test/kyverno-test.yaml @@ -5,7 +5,7 @@ metadata: policies: - ../disallow-proc-mount.yaml resources: -- resource.yaml +- ../../../../pod-security/baseline/disallow-proc-mount/.kyverno-test/resource.yaml results: - kind: CronJob policy: disallow-proc-mount diff --git a/pod-security-cel/baseline/disallow-proc-mount/.kyverno-test/resource.yaml b/pod-security-cel/baseline/disallow-proc-mount/.kyverno-test/resource.yaml deleted file mode 100644 index 6768b592b..000000000 --- a/pod-security-cel/baseline/disallow-proc-mount/.kyverno-test/resource.yaml +++ /dev/null 
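Review bot: The `resources:` entry now points at `../../../../pod-security/baseline/disallow-proc-mount/.kyverno-test/resource.yaml`, so this CEL policy's test is coupled to a fixture maintained for the non-CEL `disallow-proc-mount` policy, and a rename or added case there changes this test without touching this directory; the `results:` block that names those resources is only partly visible in the hunk. A comment at the reference, e.g. `# fixture shared with pod-security/baseline/disallow-proc-mount — keep results in sync`, makes the cross-tree dependency visible to whoever edits either file. The relative path resolves to the repository root from `.kyverno-test/`, so the reference itself appears correct.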
@@ -1,618 +0,0 @@ -###### Pods - Bad ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod01 -spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - procMount: Unmasked ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod02 -spec: - containers: - - name: container01 - image: dummyimagename - - name: container02 - image: dummyimagename - securityContext: - procMount: Unmasked ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod03 -spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - procMount: Unmasked - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod04 -spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - - name: initcontainer02 - image: dummyimagename - securityContext: - procMount: Unmasked - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod05 -spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - - name: initcontainer02 - image: dummyimagename - securityContext: - procMount: Unmasked - containers: - - name: container01 - image: dummyimagename - securityContext: - procMount: Unmasked ---- -###### Pods - Good -apiVersion: v1 -kind: Pod -metadata: - name: goodpod01 -spec: - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod02 -spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - procMount: Default ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod03 -spec: - containers: - - name: container01 - image: dummyimagename - - name: container02 - image: dummyimagename - securityContext: - procMount: Default ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod04 -spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - containers: - - name: container01 - image: dummyimagename ---- 
-apiVersion: v1 -kind: Pod -metadata: - name: goodpod05 -spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - procMount: Default - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod06 -spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - - name: initcontainer02 - image: dummyimagename - securityContext: - procMount: Default - containers: - - name: container01 - image: dummyimagename - securityContext: - procMount: Default ---- -###### Deployments - Bad -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment01 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - procMount: Unmasked ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment02 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - - name: container02 - image: dummyimagename - securityContext: - procMount: Unmasked ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment03 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - procMount: Unmasked - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment04 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - - name: initcontainer02 - image: dummyimagename - securityContext: - procMount: Unmasked - containers: - - name: container01 - image: dummyimagename ---- 
-apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment05 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - - name: initcontainer02 - image: dummyimagename - securityContext: - procMount: Unmasked - containers: - - name: container01 - image: dummyimagename - securityContext: - procMount: Unmasked ---- -###### Deployments - Good -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment01 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment02 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - procMount: Default ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment03 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - - name: container02 - image: dummyimagename - securityContext: - procMount: Default ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment04 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment05 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - procMount: Default - containers: - - name: 
container01 - image: dummyimagename ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment06 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - procMount: Default - - name: initcontainer02 - image: dummyimagename - containers: - - name: container01 - image: dummyimagename - securityContext: - procMount: Default ---- -###### CronJobs - Bad -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob01 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - securityContext: - procMount: Unmasked ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob02 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - - name: container02 - image: dummyimagename - securityContext: - procMount: Unmasked ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob03 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - procMount: Unmasked - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob04 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: dummyimagename - - name: initcontainer02 - image: dummyimagename - securityContext: - procMount: Unmasked - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob05 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - 
spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: dummyimagename - - name: initcontainer02 - image: dummyimagename - securityContext: - procMount: Unmasked - containers: - - name: container01 - image: dummyimagename - securityContext: - procMount: Unmasked ---- -###### CronJobs - Good -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob01 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob02 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - securityContext: - procMount: Default ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob03 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - - name: container02 - image: dummyimagename - securityContext: - procMount: Default ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob04 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: dummyimagename - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob05 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - procMount: Default - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob06 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - 
initContainers: - - name: initcontainer01 - image: dummyimagename - - name: initcontainer02 - image: dummyimagename - securityContext: - procMount: Default - containers: - - name: container01 - image: dummyimagename - securityContext: - procMount: Default diff --git a/pod-security-cel/baseline/disallow-proc-mount/artifacthub-pkg.yml b/pod-security-cel/baseline/disallow-proc-mount/artifacthub-pkg.yml index 92e3f88d3..a7d794ade 100644 --- a/pod-security-cel/baseline/disallow-proc-mount/artifacthub-pkg.yml +++ b/pod-security-cel/baseline/disallow-proc-mount/artifacthub-pkg.yml @@ -19,5 +19,5 @@ annotations: kyverno/category: "Pod Security Standards (Baseline) in CEL" kyverno/kubernetesVersion: "1.26-1.27" kyverno/subject: "Pod" -digest: e75db214f9179242625089686a02094d9dbf9ded059b1e71ff909aa0b582b1a5 -createdAt: "2024-08-21T00:22:33Z" +digest: 32dc701fa3d0c360f9e383d7dd149c2406a5a61d3f1f43c65dc61be6623aa904 +createdAt: "2023-12-03T00:22:33Z" diff --git a/pod-security-cel/baseline/disallow-proc-mount/disallow-proc-mount.yaml b/pod-security-cel/baseline/disallow-proc-mount/disallow-proc-mount.yaml index 6b12ea58d..8c28c4a33 100644 --- a/pod-security-cel/baseline/disallow-proc-mount/disallow-proc-mount.yaml +++ b/pod-security-cel/baseline/disallow-proc-mount/disallow-proc-mount.yaml 
@@ -25,14 +25,31 @@ spec: - resources: kinds: - Pod - operations: - - CREATE - - UPDATE validate: cel: - variables: - - name: allContainers - expression: "(object.spec.containers + (has(object.spec.initContainers) ? object.spec.initContainers : []) + (has(object.spec.ephemeralContainers) ? object.spec.ephemeralContainers : []))" expressions: - - expression: "variables.allContainers.all(container, container.?securityContext.?procMount.orValue('Default') == 'Default')" - message: "Changing the proc mount from the default is not allowed." + - expression: >- + object.spec.containers.all(container, !has(container.securityContext) || + !has(container.securityContext.procMount) || + container.securityContext.procMount == 'Default') + message: >- + Changing the proc mount from the default is not allowed. The field + spec.containers[*].securityContext.procMount must be unset or set to `Default`. + + - expression: >- + !has(object.spec.initContainers) || + object.spec.initContainers.all(container, !has(container.securityContext) || + !has(container.securityContext.procMount) || + container.securityContext.procMount == 'Default') + message: >- + Changing the proc mount from the default is not allowed. The field + spec.initContainers[*].securityContext.procMount must be unset or set to `Default`. + + - expression: >- + !has(object.spec.ephemeralContainers) || + object.spec.ephemeralContainers.all(container, !has(container.securityContext) || + !has(container.securityContext.procMount) || + container.securityContext.procMount == 'Default') + message: >- + Changing the proc mount from the default is not allowed. The field + spec.ephemeralContainers[*].securityContext.procMount must be unset or set to `Default`. diff --git a/pod-security-cel/baseline/disallow-selinux/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/pod-security-cel/baseline/disallow-selinux/.chainsaw-test/chainsaw-step-01-assert-1.yaml new file mode 100755 index 000000000..1971822e2 --- /dev/null 
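Review bot: The new `match` block drops `operations: [CREATE, UPDATE]`, so the rule's operation scope now depends on what this Kyverno version does when the field is absent; if that default includes DELETE or CONNECT, the three expressions are evaluated on requests whose `object` is not the pod being admitted, which can produce spurious denials or audit noise. I would keep the explicit scope under `kinds:` — `operations:` / `- CREATE` / `- UPDATE` — independently of the CEL rewrite. The `has()` form of the expressions is the right choice for the `kyverno/kubernetesVersion: "1.26-1.27"` range (the optional-type `.?`/`orValue` syntax being removed needs a newer CEL environment), so it is worth a one-line comment on the first expression saying so, otherwise the next maintainer will collapse the three expressions back into the `allContainers` variable. One security caveat for the third expression: ephemeral containers are added to an existing pod via the `ephemeralcontainers` subresource after creation, so that check only has teeth if UPDATE (and that subresource) is actually within the rule's match; confirm against the Kyverno version in use.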
+++ b/pod-security-cel/baseline/disallow-selinux/.chainsaw-test/chainsaw-step-01-assert-1.yaml @@ -0,0 +1,6 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: disallow-selinux +status: + ready: true diff --git a/pod-security-cel/baseline/disallow-selinux/.chainsaw-test/chainsaw-test.yaml b/pod-security-cel/baseline/disallow-selinux/.chainsaw-test/chainsaw-test.yaml index 111502ae4..7b4aebb67 100755 --- a/pod-security-cel/baseline/disallow-selinux/.chainsaw-test/chainsaw-test.yaml +++ b/pod-security-cel/baseline/disallow-selinux/.chainsaw-test/chainsaw-test.yaml 
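Review bot: `chainsaw-step-01-assert-1.yaml` asserts only `status.ready: true`, but the step that installs the policy (next hunk) rewrites `validationFailureAction` with `sed` before `kubectl create`, and a substitution that matches nothing still yields a Ready policy in Audit mode. Add `spec:` / `  validationFailureAction: Enforce` to this assert so a silent no-op rewrite fails in step-01 with a clear message, instead of surfacing in step-02 as bad pods being admitted. As far as I can tell from the visible lines, readiness alone does not prove the enforcement mode the later `($error != null): true` checks rely on.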
@@ -1,40 +1,37 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: creationTimestamp: null name: disallow-selinux spec: - # disable templating because it can cause issues with CEL expressions - template: false steps: - name: step-01 try: - - apply: - file: ../disallow-selinux.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: disallow-selinux - spec: - validationFailureAction: Enforce + - script: + content: | + sed 's/validationFailureAction: Audit/validationFailureAction: Enforce/' ../disallow-selinux.yaml | kubectl create -f - - assert: - file: policy-ready.yaml + file: chainsaw-step-01-assert-1.yaml - name: step-02 try: - apply: - file: pod-good.yaml + file: ../../../../pod-security/baseline/disallow-selinux/.chainsaw-test/pod-good.yaml - apply: expect: - check: ($error != null): true - file: pod-bad.yaml + file: ../../../../pod-security/baseline/disallow-selinux/.chainsaw-test/pod-bad.yaml - apply: - file: podcontroller-good.yaml + file: ../../../../pod-security/baseline/disallow-selinux/.chainsaw-test/podcontroller-good.yaml - apply: expect: - check: ($error != null): true - file: podcontroller-bad.yaml + file: ../../../../pod-security/baseline/disallow-selinux/.chainsaw-test/podcontroller-bad.yaml + - name: step-99 + try: + - delete: + ref: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: disallow-selinux diff --git a/pod-security-cel/baseline/disallow-selinux/.chainsaw-test/pod-bad.yaml b/pod-security-cel/baseline/disallow-selinux/.chainsaw-test/pod-bad.yaml deleted file mode 100644 index fd37b5981..000000000 --- a/pod-security-cel/baseline/disallow-selinux/.chainsaw-test/pod-bad.yaml +++ /dev/null 
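Review bot: The new step-01 replaces a declarative `apply` + `patch` with `sed 's/validationFailureAction: Audit/validationFailureAction: Enforce/' ../disallow-selinux.yaml | kubectl create -f -`, which is brittle in two ways: the substitution silently does nothing if the policy file spells the field differently (e.g. quoted value, different indentation, or already `Enforce`), and `kubectl create` fails on re-run when a previous aborted run left the ClusterPolicy behind, since the `step-99` delete only runs if the test reaches it. If the script form is kept, I would at least use `kubectl apply -f -` and fail loudly when the rewrite did not take, e.g. `sed ... | tee /dev/stderr | grep -q 'validationFailureAction: Enforce'` before piping to kubectl, or keep the `patch:` step which expresses the intent without string matching. The hunk also removes the per-test `template: false` and its explanatory comment about CEL expressions; that is only safe if templating is disabled at the repository level, which I cannot confirm from this hunk — if it is, a short comment saying so would stop someone re-adding it.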
@@ -1,470 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: badpod01-new -spec: - initContainers: - - name: busybox01-init - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - type: container_engine_t - containers: - - name: busybox01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - type: container_kvm_t - - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - type: container_init_t ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod02-new -spec: - securityContext: - seLinuxOptions: - user: "1000" - role: "foo" - containers: - - name: busybox01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - type: container_kvm_t - - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - type: container_init_t ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod03-new -spec: - securityContext: - seLinuxOptions: - type: container_engine_t - containers: - - name: busybox01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod04-new -spec: - containers: - - name: busybox01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - type: container_init_t - - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - type: container_engine_t ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod05-new -spec: - initContainers: - - name: busybox-init - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - user: "1000" - role: "foo" - containers: - - name: busybox01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - type: container_t ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod06-new -spec: - containers: - - name: busybox01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - type: 
container_init_t - - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - user: "1000" - role: "foo" - type: container_kvm_t ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod01 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - type: spc_t ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod02 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - type: spc_t ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod03 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - type: spc_t ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod04 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - type: container_kvm_t - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - type: spc_t ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod05 -spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - type: spc_t - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod06 -spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - type: spc_t - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod07 -spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - type: 
container_kvm_t - - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - type: spc_t - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: v1 -kind: Pod -metadata: - name: selur-badpod01 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - user: sysadm_u ---- -apiVersion: v1 -kind: Pod -metadata: - name: selur-badpod02 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - role: sysadm_r ---- -apiVersion: v1 -kind: Pod -metadata: - name: selur-badpod03 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - user: sysadm_u - role: sysadm_r ---- -apiVersion: v1 -kind: Pod -metadata: - name: selur-badpod04 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - user: sysadm_u ---- -apiVersion: v1 -kind: Pod -metadata: - name: selur-badpod05 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - role: sysadm_r ---- -apiVersion: v1 -kind: Pod -metadata: - name: selur-badpod06 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - user: sysadm_u - role: sysadm_r ---- -apiVersion: v1 -kind: Pod -metadata: - name: selur-badpod07 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - user: sysadm_u ---- -apiVersion: v1 -kind: Pod -metadata: - name: selur-badpod08 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - 
seLinuxOptions: - role: sysadm_r ---- -apiVersion: v1 -kind: Pod -metadata: - name: selur-badpod09 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - user: sysadm_u - role: sysadm_r ---- -apiVersion: v1 -kind: Pod -metadata: - name: selur-badpod10 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - type: unconfined_t - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - user: sysadm_u ---- -apiVersion: v1 -kind: Pod -metadata: - name: selur-badpod11 -spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - user: sysadm_u - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: v1 -kind: Pod -metadata: - name: selur-badpod12 -spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - role: sysadm_r - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: v1 -kind: Pod -metadata: - name: selur-badpod13 -spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - user: sysadm_u - role: sysadm_r - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: v1 -kind: Pod -metadata: - name: selur-badpod14 -spec: - initContainers: - - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - user: sysadm_u - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: v1 -kind: Pod -metadata: - name: selur-badpod15 -spec: - initContainers: 
- - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - role: sysadm_r - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: v1 -kind: Pod -metadata: - name: selur-badpod16 -spec: - initContainers: - - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - user: sysadm_u - role: sysadm_r - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: v1 -kind: Pod -metadata: - name: selur-badpod17 -spec: - initContainers: - - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - type: container_init_t - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - user: sysadm_u - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- diff --git a/pod-security-cel/baseline/disallow-selinux/.chainsaw-test/pod-good.yaml b/pod-security-cel/baseline/disallow-selinux/.chainsaw-test/pod-good.yaml deleted file mode 100644 index 286d078b7..000000000 --- a/pod-security-cel/baseline/disallow-selinux/.chainsaw-test/pod-good.yaml +++ /dev/null 
@@ -1,412 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: goodpod01-new -spec: - initContainers: - - name: busybox01-init - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - type: container_t - containers: - - name: busybox01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - type: container_kvm_t - - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - type: container_init_t ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod02-new -spec: - containers: - - name: busybox01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - type: container_kvm_t - - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - type: container_init_t ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod03-new -spec: - securityContext: - seLinuxOptions: - type: container_init_t - containers: - - name: busybox01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod04-new -spec: - containers: - - name: busybox01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod01 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod02 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - type: container_t ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod03 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - type: container_init_t ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod04 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - type: container_kvm_t ---- -apiVersion: v1 -kind: Pod -metadata: - 
name: goodpod05 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - type: container_t ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod06 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - type: container_init_t ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod07 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - type: container_kvm_t ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod08 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - type: container_kvm_t ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod09 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - type: container_t - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - type: container_kvm_t ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod10 -spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - type: container_t - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod11 -spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - type: container_init_t - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod12 -spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - type: container_kvm_t - containers: - - 
name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod13 -spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - type: container_t - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod14 -spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - type: container_init_t - - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - type: container_t - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: v1 -kind: Pod -metadata: - name: selur-goodpod01 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: v1 -kind: Pod -metadata: - name: selur-goodpod02 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - level: "s0:c123,c456" ---- -apiVersion: v1 -kind: Pod -metadata: - name: selur-goodpod03 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - level: "s0:c123,c456" ---- -apiVersion: v1 -kind: Pod -metadata: - name: selur-goodpod04 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - type: container_t - level: "s0:c123,c456" ---- -apiVersion: v1 -kind: Pod -metadata: - name: selur-goodpod05 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - level: "s0:c123,c456" ---- -apiVersion: v1 -kind: Pod -metadata: - name: 
selur-goodpod06 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - type: container_t - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - level: "s0:c123,c456" ---- -apiVersion: v1 -kind: Pod -metadata: - name: selur-goodpod07 -spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: v1 -kind: Pod -metadata: - name: selur-goodpod08 -spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - level: "s0:c123,c456" - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: v1 -kind: Pod -metadata: - name: selur-goodpod09 -spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - level: "s0:c123,c456" - type: container_t - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: v1 -kind: Pod -metadata: - name: selur-goodpod10 -spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - level: "s0:c123,c456" - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: v1 -kind: Pod -metadata: - name: selur-goodpod11 -spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - type: container_t - - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - level: "s0:c123,c456" - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- 
diff --git a/pod-security-cel/baseline/disallow-selinux/.chainsaw-test/podcontroller-bad.yaml b/pod-security-cel/baseline/disallow-selinux/.chainsaw-test/podcontroller-bad.yaml deleted file mode 100644 index 37ef091a3..000000000 --- a/pod-security-cel/baseline/disallow-selinux/.chainsaw-test/podcontroller-bad.yaml +++ /dev/null 
@@ -1,1204 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment01-new -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: busybox01-init - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - type: container_t - containers: - - name: busybox01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - type: container_engine_t - - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - type: container_init_t ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment02-new -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: busybox01-init - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - type: container_t - containers: - - name: busybox01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - user: "1000" - role: "foo" - type: container_kvm_t - - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - type: container_init_t ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob01-new -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: Never - initContainers: - - name: busybox01-init - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - type: container_engine_t - containers: - - name: busybox01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - type: container_kvm_t - - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - type: container_init_t ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob02-new -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - 
restartPolicy: Never - initContainers: - - name: busybox01-init - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - type: container_engine_t - containers: - - name: busybox01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - type: container_kvm_t - - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - user: "1000" - role: "foo" - type: container_init_t ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment01 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - type: spc_t ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment02 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - type: spc_t ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment03 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - type: spc_t ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment04 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - type: container_kvm_t - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - type: spc_t ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - 
name: baddeployment05 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - type: spc_t - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment06 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - type: spc_t - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment07 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - type: container_kvm_t - - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - type: spc_t - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob01 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - type: spc_t ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob02 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - type: spc_t ---- -apiVersion: 
batch/v1 -kind: CronJob -metadata: - name: badcronjob03 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - type: spc_t ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob04 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - type: container_kvm_t - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - type: spc_t ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob05 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - type: spc_t - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob06 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - type: spc_t - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob07 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - type: container_kvm_t - - name: initcontainer02 - 
image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - type: spc_t - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: selur-baddeployment01 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - user: sysadm_u ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: selur-baddeployment02 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - role: sysadm_r ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: selur-baddeployment03 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - user: sysadm_u - role: sysadm_r ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: selur-baddeployment04 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - user: sysadm_u ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: selur-baddeployment05 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - role: sysadm_r ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: selur-baddeployment06 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - 
metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - user: sysadm_u - role: sysadm_r ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: selur-baddeployment07 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - user: sysadm_u ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: selur-baddeployment08 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - role: sysadm_r ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: selur-baddeployment09 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - user: sysadm_u - role: sysadm_r ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: selur-baddeployment10 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - type: unconfined_t - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - user: sysadm_u ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: selur-baddeployment11 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: 
- metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - user: sysadm_u - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: selur-baddeployment12 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - role: sysadm_r - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: selur-baddeployment13 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - user: sysadm_u - role: sysadm_r - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: selur-baddeployment14 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - user: sysadm_u - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: selur-baddeployment15 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - role: 
sysadm_r - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: selur-baddeployment16 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - user: sysadm_u - role: sysadm_r - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: selur-baddeployment17 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - type: container_init_t - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - user: sysadm_u - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: selur-badcronjob01 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - user: sysadm_u ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: selur-badcronjob02 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - role: sysadm_r ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: selur-badcronjob03 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: 
ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - user: sysadm_u - role: sysadm_r ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: selur-badcronjob04 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - user: sysadm_u ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: selur-badcronjob05 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - role: sysadm_r ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: selur-badcronjob06 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - user: sysadm_u - role: sysadm_r ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: selur-badcronjob07 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - user: sysadm_u ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: selur-badcronjob08 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - role: sysadm_r ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: selur-badcronjob09 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - 
restartPolicy: OnFailure - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - user: sysadm_u - role: sysadm_r ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: selur-badcronjob10 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - type: unconfined_t - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - user: sysadm_u ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: selur-badcronjob11 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - user: sysadm_u - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: selur-badcronjob12 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - role: sysadm_r - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: selur-badcronjob13 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - user: sysadm_u - role: sysadm_r - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: selur-badcronjob14 -spec: - 
schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - user: sysadm_u - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: selur-badcronjob15 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - role: sysadm_r - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: selur-badcronjob16 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - user: sysadm_u - role: sysadm_r - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: selur-badcronjob17 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - type: container_init_t - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - user: sysadm_u - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- \ No newline at end of file 
diff --git a/pod-security-cel/baseline/disallow-selinux/.chainsaw-test/podcontroller-good.yaml b/pod-security-cel/baseline/disallow-selinux/.chainsaw-test/podcontroller-good.yaml deleted file mode 100644 index b3b964adb..000000000 --- a/pod-security-cel/baseline/disallow-selinux/.chainsaw-test/podcontroller-good.yaml +++ /dev/null 
@@ -1,1138 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment01-new -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: busybox01-init - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - type: container_t - containers: - - name: busybox01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - type: container_kvm_t - - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - type: container_init_t ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob01-new -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: Never - initContainers: - - name: busybox01-init - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - type: container_t - containers: - - name: busybox01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - type: container_kvm_t - - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - type: container_init_t ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment01 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment02 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - type: container_t ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment03 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - 
containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - type: container_init_t ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment04 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - type: container_kvm_t ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment05 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - type: container_t ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment06 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - type: container_init_t ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment07 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - type: container_kvm_t ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment08 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - type: container_kvm_t ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment09 -spec: - replicas: 1 - selector: - matchLabels: - app: app 
- template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - type: container_t - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - type: container_kvm_t ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment10 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - type: container_t - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment11 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - type: container_init_t - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment12 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - type: container_kvm_t - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment13 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - type: container_t - containers: - - name: 
container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment14 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - type: container_init_t - - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - type: container_t - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: selur-gooddeployment01 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: selur-gooddeployment02 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - level: "s0:c123,c456" ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: selur-gooddeployment03 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - level: "s0:c123,c456" ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: selur-gooddeployment04 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - type: container_t - level: "s0:c123,c456" ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: selur-gooddeployment05 
-spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - level: "s0:c123,c456" ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: selur-gooddeployment06 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - type: container_t - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - level: "s0:c123,c456" ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: selur-gooddeployment07 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: selur-gooddeployment08 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - level: "s0:c123,c456" - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: selur-gooddeployment09 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - level: "s0:c123,c456" - type: container_t - containers: - - name: container01 - image: 
ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: selur-gooddeployment10 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - level: "s0:c123,c456" - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: selur-gooddeployment11 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - type: container_t - - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - level: "s0:c123,c456" - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: selur-goodcronjob01 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: selur-goodcronjob02 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - level: "s0:c123,c456" ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: selur-goodcronjob03 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - level: "s0:c123,c456" ---- 
-apiVersion: batch/v1 -kind: CronJob -metadata: - name: selur-goodcronjob04 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - type: container_t - level: "s0:c123,c456" ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: selur-goodcronjob05 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - level: "s0:c123,c456" ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: selur-goodcronjob06 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - type: container_t - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - level: "s0:c123,c456" ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: selur-goodcronjob07 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: selur-goodcronjob08 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - level: "s0:c123,c456" - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: 
selur-goodcronjob09 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - level: "s0:c123,c456" - type: container_t - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: selur-goodcronjob10 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - level: "s0:c123,c456" - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: selur-goodcronjob11 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - type: container_t - - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - level: "s0:c123,c456" - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob01 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob02 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - type: container_t ---- -apiVersion: batch/v1 -kind: CronJob 
-metadata: - name: goodcronjob03 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - type: container_init_t ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob04 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - type: container_kvm_t ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob05 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - type: container_t ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob06 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - type: container_init_t ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob07 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - type: container_kvm_t ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob08 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - type: container_kvm_t ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: 
goodcronjob09 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - type: container_t - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - type: container_kvm_t ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob10 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - type: container_t - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob11 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - type: container_init_t - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob12 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - type: container_kvm_t - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob13 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - type: container_t - containers: - - 
name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob14 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - type: container_init_t - - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seLinuxOptions: - type: container_t - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- \ No newline at end of file diff --git a/pod-security-cel/baseline/disallow-selinux/.chainsaw-test/policy-ready.yaml b/pod-security-cel/baseline/disallow-selinux/.chainsaw-test/policy-ready.yaml deleted file mode 100755 index a4b562256..000000000 --- a/pod-security-cel/baseline/disallow-selinux/.chainsaw-test/policy-ready.yaml +++ /dev/null @@ -1,10 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: disallow-selinux -status: - conditions: - - reason: Succeeded - status: "True" - type: Ready - diff --git a/pod-security-cel/baseline/disallow-selinux/.kyverno-test/kyverno-test.yaml b/pod-security-cel/baseline/disallow-selinux/.kyverno-test/kyverno-test.yaml index 0150dcb7f..6ed737cbb 100644 --- a/pod-security-cel/baseline/disallow-selinux/.kyverno-test/kyverno-test.yaml +++ b/pod-security-cel/baseline/disallow-selinux/.kyverno-test/kyverno-test.yaml @@ -5,7 +5,7 @@ metadata: policies: - ../disallow-selinux.yaml resources: -- resource.yaml +- ../../../../pod-security/baseline/disallow-selinux/.kyverno-test/resource.yaml results: - kind: CronJob policy: disallow-selinux diff --git a/pod-security-cel/baseline/disallow-selinux/.kyverno-test/resource.yaml b/pod-security-cel/baseline/disallow-selinux/.kyverno-test/resource.yaml deleted file mode 100644 index 58fa6fd77..000000000 
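Review bot: The replaced `resources:` entry in the kyverno-test.yaml hunk now points four directories up into the non-CEL policy's fixture, so this CEL policy's unit test silently depends on resource names defined in `pod-security/baseline/disallow-selinux/.kyverno-test/resource.yaml`, while the `results:` entries that follow (only `kind: CronJob` / `policy: disallow-selinux` is visible in the hunk) still reference names such as `badpod01` and `selur-badpod01` that the deleted local fixture defined. If the shared fixture is later edited for the other policy, expected results here can drift without any change in this directory, and a checkout or CI job that only contains `pod-security-cel/` will fail to resolve the path. Since the `.chainsaw-test` files for this policy are deleted in the same diff, this test appears to be the only remaining check that the CEL rule still rejects `spc_t` and `sysadm_u`/`sysadm_r`, which makes the coupling worth documenting. I would add a comment above the path: `# Shared fixture with pod-security/baseline/disallow-selinux; keep the result names below in sync when it changes.` The `results:` list continues outside the hunk.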
--- a/pod-security-cel/baseline/disallow-selinux/.kyverno-test/resource.yaml +++ /dev/null 
@@ -1,2884 +0,0 @@ -######################## -## Rule: selinux-type ## -######################## -###### Pods - Bad ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod01 -spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - seLinuxOptions: - type: spc_t ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod02 -spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - seLinuxOptions: - type: spc_t ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod03 -spec: - containers: - - name: container01 - image: dummyimagename - - name: container02 - image: dummyimagename - securityContext: - seLinuxOptions: - type: spc_t ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod04 -spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - seLinuxOptions: - type: container_kvm_t - - name: container02 - image: dummyimagename - securityContext: - seLinuxOptions: - type: spc_t ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod05 -spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - seLinuxOptions: - type: spc_t - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod06 -spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - - name: initcontainer02 - image: dummyimagename - securityContext: - seLinuxOptions: - type: spc_t - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod07 -spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - seLinuxOptions: - type: container_kvm_t - - name: initcontainer02 - image: dummyimagename - securityContext: - seLinuxOptions: - type: spc_t - containers: - - name: container01 - image: dummyimagename ---- -###### Pods - Good -apiVersion: v1 -kind: Pod -metadata: - name: goodpod01 -spec: - containers: - - name: 
container01 - image: dummyimagename ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod02 -spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - seLinuxOptions: - type: container_t ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod03 -spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - seLinuxOptions: - type: container_init_t ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod04 -spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - seLinuxOptions: - type: container_kvm_t ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod05 -spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - seLinuxOptions: - type: container_t ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod06 -spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - seLinuxOptions: - type: container_init_t ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod07 -spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - seLinuxOptions: - type: container_kvm_t ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod08 -spec: - containers: - - name: container01 - image: dummyimagename - - name: container02 - image: dummyimagename - securityContext: - seLinuxOptions: - type: container_kvm_t ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod09 -spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - seLinuxOptions: - type: container_t - - name: container02 - image: dummyimagename - securityContext: - seLinuxOptions: - type: container_kvm_t ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod10 -spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - seLinuxOptions: - type: container_t - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: v1 -kind: Pod -metadata: - name: 
goodpod11 -spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - seLinuxOptions: - type: container_init_t - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod12 -spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - seLinuxOptions: - type: container_kvm_t - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod13 -spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - - name: initcontainer02 - image: dummyimagename - securityContext: - seLinuxOptions: - type: container_t - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod14 -spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - seLinuxOptions: - type: container_init_t - - name: initcontainer02 - image: dummyimagename - securityContext: - seLinuxOptions: - type: container_t - containers: - - name: container01 - image: dummyimagename ---- -###### Deployments - Bad -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment01 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - seLinuxOptions: - type: spc_t ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment02 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - seLinuxOptions: - type: spc_t ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment03 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: 
dummyimagename - - name: container02 - image: dummyimagename - securityContext: - seLinuxOptions: - type: spc_t ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment04 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - seLinuxOptions: - type: container_kvm_t - - name: container02 - image: dummyimagename - securityContext: - seLinuxOptions: - type: spc_t ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment05 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - seLinuxOptions: - type: spc_t - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment06 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - - name: initcontainer02 - image: dummyimagename - securityContext: - seLinuxOptions: - type: spc_t - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment07 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - seLinuxOptions: - type: container_kvm_t - - name: initcontainer02 - image: dummyimagename - securityContext: - seLinuxOptions: - type: spc_t - containers: - - name: container01 - image: dummyimagename ---- -###### Deployments - Good -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment01 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: 
app - spec: - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment02 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - seLinuxOptions: - type: container_t ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment03 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - seLinuxOptions: - type: container_init_t ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment04 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - seLinuxOptions: - type: container_kvm_t ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment05 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - seLinuxOptions: - type: container_t ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment06 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - seLinuxOptions: - type: container_init_t ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment07 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - seLinuxOptions: - type: container_kvm_t ---- -apiVersion: apps/v1 -kind: Deployment -metadata: 
- name: gooddeployment08 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - - name: container02 - image: dummyimagename - securityContext: - seLinuxOptions: - type: container_kvm_t ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment09 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - seLinuxOptions: - type: container_t - - name: container02 - image: dummyimagename - securityContext: - seLinuxOptions: - type: container_kvm_t ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment10 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - seLinuxOptions: - type: container_t - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment11 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - seLinuxOptions: - type: container_init_t - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment12 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - seLinuxOptions: - type: container_kvm_t - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment13 -spec: - replicas: 1 - selector: - matchLabels: - app: app 
- template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - - name: initcontainer02 - image: dummyimagename - securityContext: - seLinuxOptions: - type: container_t - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment14 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - seLinuxOptions: - type: container_init_t - - name: initcontainer02 - image: dummyimagename - securityContext: - seLinuxOptions: - type: container_t - containers: - - name: container01 - image: dummyimagename ---- -###### CronJobs - Bad -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob01 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - securityContext: - seLinuxOptions: - type: spc_t ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob02 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - securityContext: - seLinuxOptions: - type: spc_t ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob03 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - - name: container02 - image: dummyimagename - securityContext: - seLinuxOptions: - type: spc_t ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob04 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - securityContext: - seLinuxOptions: - type: 
container_kvm_t - - name: container02 - image: dummyimagename - securityContext: - seLinuxOptions: - type: spc_t ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob05 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - seLinuxOptions: - type: spc_t - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob06 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: dummyimagename - - name: initcontainer02 - image: dummyimagename - securityContext: - seLinuxOptions: - type: spc_t - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob07 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - seLinuxOptions: - type: container_kvm_t - - name: initcontainer02 - image: dummyimagename - securityContext: - seLinuxOptions: - type: spc_t - containers: - - name: container01 - image: dummyimagename ---- -###### CronJobs - Good -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob01 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob02 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - securityContext: - seLinuxOptions: - type: container_t ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob03 -spec: - schedule: "*/1 * 
* * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - securityContext: - seLinuxOptions: - type: container_init_t ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob04 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - securityContext: - seLinuxOptions: - type: container_kvm_t ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob05 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - securityContext: - seLinuxOptions: - type: container_t ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob06 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - securityContext: - seLinuxOptions: - type: container_init_t ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob07 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - securityContext: - seLinuxOptions: - type: container_kvm_t ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob08 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - - name: container02 - image: dummyimagename - securityContext: - seLinuxOptions: - type: container_kvm_t ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob09 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - securityContext: - 
seLinuxOptions: - type: container_t - - name: container02 - image: dummyimagename - securityContext: - seLinuxOptions: - type: container_kvm_t ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob10 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - seLinuxOptions: - type: container_t - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob11 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - seLinuxOptions: - type: container_init_t - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob12 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - seLinuxOptions: - type: container_kvm_t - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob13 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: dummyimagename - - name: initcontainer02 - image: dummyimagename - securityContext: - seLinuxOptions: - type: container_t - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob14 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - seLinuxOptions: - type: container_init_t - - name: initcontainer02 - image: 
dummyimagename - securityContext: - seLinuxOptions: - type: container_t - containers: - - name: container01 - image: dummyimagename ---- -############################# -## Rule: selinux-user-role ## -############################# -###### Pods - Bad ---- -apiVersion: v1 -kind: Pod -metadata: - name: selur-badpod01 -spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - seLinuxOptions: - user: sysadm_u ---- -apiVersion: v1 -kind: Pod -metadata: - name: selur-badpod02 -spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - seLinuxOptions: - role: sysadm_r ---- -apiVersion: v1 -kind: Pod -metadata: - name: selur-badpod03 -spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - seLinuxOptions: - user: sysadm_u - role: sysadm_r ---- -apiVersion: v1 -kind: Pod -metadata: - name: selur-badpod04 -spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - seLinuxOptions: - user: sysadm_u ---- -apiVersion: v1 -kind: Pod -metadata: - name: selur-badpod05 -spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - seLinuxOptions: - role: sysadm_r ---- -apiVersion: v1 -kind: Pod -metadata: - name: selur-badpod06 -spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - seLinuxOptions: - user: sysadm_u - role: sysadm_r ---- -apiVersion: v1 -kind: Pod -metadata: - name: selur-badpod07 -spec: - containers: - - name: container01 - image: dummyimagename - - name: container02 - image: dummyimagename - securityContext: - seLinuxOptions: - user: sysadm_u ---- -apiVersion: v1 -kind: Pod -metadata: - name: selur-badpod08 -spec: - containers: - - name: container01 - image: dummyimagename - - name: container02 - image: dummyimagename - securityContext: - seLinuxOptions: - role: sysadm_r ---- -apiVersion: v1 -kind: Pod -metadata: - name: selur-badpod09 -spec: - containers: - - name: container01 - image: 
dummyimagename - - name: container02 - image: dummyimagename - securityContext: - seLinuxOptions: - user: sysadm_u - role: sysadm_r ---- -apiVersion: v1 -kind: Pod -metadata: - name: selur-badpod10 -spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - seLinuxOptions: - type: unconfined_t - - name: container02 - image: dummyimagename - securityContext: - seLinuxOptions: - user: sysadm_u ---- -apiVersion: v1 -kind: Pod -metadata: - name: selur-badpod11 -spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - seLinuxOptions: - user: sysadm_u - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: v1 -kind: Pod -metadata: - name: selur-badpod12 -spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - seLinuxOptions: - role: sysadm_r - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: v1 -kind: Pod -metadata: - name: selur-badpod13 -spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - seLinuxOptions: - user: sysadm_u - role: sysadm_r - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: v1 -kind: Pod -metadata: - name: selur-badpod14 -spec: - initContainers: - - name: initcontainer02 - image: dummyimagename - - name: initcontainer01 - image: dummyimagename - securityContext: - seLinuxOptions: - user: sysadm_u - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: v1 -kind: Pod -metadata: - name: selur-badpod15 -spec: - initContainers: - - name: initcontainer02 - image: dummyimagename - - name: initcontainer01 - image: dummyimagename - securityContext: - seLinuxOptions: - role: sysadm_r - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: v1 -kind: Pod -metadata: - name: selur-badpod16 -spec: - initContainers: - - name: initcontainer02 - image: dummyimagename - - name: initcontainer01 - image: 
dummyimagename - securityContext: - seLinuxOptions: - user: sysadm_u - role: sysadm_r - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: v1 -kind: Pod -metadata: - name: selur-badpod17 -spec: - initContainers: - - name: initcontainer02 - image: dummyimagename - securityContext: - seLinuxOptions: - type: container_init_t - - name: initcontainer01 - image: dummyimagename - securityContext: - seLinuxOptions: - user: sysadm_u - containers: - - name: container01 - image: dummyimagename ---- -###### Pods - Good -apiVersion: v1 -kind: Pod -metadata: - name: selur-goodpod01 -spec: - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: v1 -kind: Pod -metadata: - name: selur-goodpod02 -spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - seLinuxOptions: - level: "s0:c123,c456" ---- -apiVersion: v1 -kind: Pod -metadata: - name: selur-goodpod03 -spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - seLinuxOptions: - level: "s0:c123,c456" ---- -apiVersion: v1 -kind: Pod -metadata: - name: selur-goodpod04 -spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - seLinuxOptions: - type: container_t - level: "s0:c123,c456" ---- -apiVersion: v1 -kind: Pod -metadata: - name: selur-goodpod05 -spec: - containers: - - name: container01 - image: dummyimagename - - name: container02 - image: dummyimagename - securityContext: - seLinuxOptions: - level: "s0:c123,c456" ---- -apiVersion: v1 -kind: Pod -metadata: - name: selur-goodpod06 -spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - seLinuxOptions: - type: container_t - - name: container02 - image: dummyimagename - securityContext: - seLinuxOptions: - level: "s0:c123,c456" ---- -apiVersion: v1 -kind: Pod -metadata: - name: selur-goodpod07 -spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - containers: - - name: container01 - image: 
dummyimagename ---- -apiVersion: v1 -kind: Pod -metadata: - name: selur-goodpod08 -spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - seLinuxOptions: - level: "s0:c123,c456" - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: v1 -kind: Pod -metadata: - name: selur-goodpod09 -spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - seLinuxOptions: - level: "s0:c123,c456" - type: container_t - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: v1 -kind: Pod -metadata: - name: selur-goodpod10 -spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - - name: initcontainer02 - image: dummyimagename - securityContext: - seLinuxOptions: - level: "s0:c123,c456" - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: v1 -kind: Pod -metadata: - name: selur-goodpod11 -spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - seLinuxOptions: - type: container_t - - name: initcontainer02 - image: dummyimagename - securityContext: - seLinuxOptions: - level: "s0:c123,c456" - containers: - - name: container01 - image: dummyimagename ---- -###### Deployments - Bad -apiVersion: apps/v1 -kind: Deployment -metadata: - name: selur-baddeployment01 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - seLinuxOptions: - user: sysadm_u ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: selur-baddeployment02 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - seLinuxOptions: - role: sysadm_r ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: selur-baddeployment03 -spec: - replicas: 1 - 
selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - seLinuxOptions: - user: sysadm_u - role: sysadm_r ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: selur-baddeployment04 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - seLinuxOptions: - user: sysadm_u ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: selur-baddeployment05 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - seLinuxOptions: - role: sysadm_r ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: selur-baddeployment06 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - seLinuxOptions: - user: sysadm_u - role: sysadm_r ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: selur-baddeployment07 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - - name: container02 - image: dummyimagename - securityContext: - seLinuxOptions: - user: sysadm_u ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: selur-baddeployment08 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - - name: container02 - image: dummyimagename - securityContext: - seLinuxOptions: - role: sysadm_r ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: selur-baddeployment09 -spec: - replicas: 1 - 
selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - - name: container02 - image: dummyimagename - securityContext: - seLinuxOptions: - user: sysadm_u - role: sysadm_r ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: selur-baddeployment10 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - seLinuxOptions: - type: unconfined_t - - name: container02 - image: dummyimagename - securityContext: - seLinuxOptions: - user: sysadm_u ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: selur-baddeployment11 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - seLinuxOptions: - user: sysadm_u - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: selur-baddeployment12 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - seLinuxOptions: - role: sysadm_r - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: selur-baddeployment13 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - seLinuxOptions: - user: sysadm_u - role: sysadm_r - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: selur-baddeployment14 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - 
metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer02 - image: dummyimagename - - name: initcontainer01 - image: dummyimagename - securityContext: - seLinuxOptions: - user: sysadm_u - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: selur-baddeployment15 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer02 - image: dummyimagename - - name: initcontainer01 - image: dummyimagename - securityContext: - seLinuxOptions: - role: sysadm_r - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: selur-baddeployment16 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer02 - image: dummyimagename - - name: initcontainer01 - image: dummyimagename - securityContext: - seLinuxOptions: - user: sysadm_u - role: sysadm_r - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: selur-baddeployment17 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer02 - image: dummyimagename - securityContext: - seLinuxOptions: - type: container_init_t - - name: initcontainer01 - image: dummyimagename - securityContext: - seLinuxOptions: - user: sysadm_u - containers: - - name: container01 - image: dummyimagename ---- -###### Deployments - Good -apiVersion: apps/v1 -kind: Deployment -metadata: - name: selur-gooddeployment01 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: 
selur-gooddeployment02 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - seLinuxOptions: - level: "s0:c123,c456" ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: selur-gooddeployment03 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - seLinuxOptions: - level: "s0:c123,c456" ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: selur-gooddeployment04 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - seLinuxOptions: - type: container_t - level: "s0:c123,c456" ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: selur-gooddeployment05 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - - name: container02 - image: dummyimagename - securityContext: - seLinuxOptions: - level: "s0:c123,c456" ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: selur-gooddeployment06 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - seLinuxOptions: - type: container_t - - name: container02 - image: dummyimagename - securityContext: - seLinuxOptions: - level: "s0:c123,c456" ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: selur-gooddeployment07 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - containers: - - name: 
container01 - image: dummyimagename ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: selur-gooddeployment08 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - seLinuxOptions: - level: "s0:c123,c456" - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: selur-gooddeployment09 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - seLinuxOptions: - level: "s0:c123,c456" - type: container_t - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: selur-gooddeployment10 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - - name: initcontainer02 - image: dummyimagename - securityContext: - seLinuxOptions: - level: "s0:c123,c456" - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: selur-gooddeployment11 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - seLinuxOptions: - type: container_t - - name: initcontainer02 - image: dummyimagename - securityContext: - seLinuxOptions: - level: "s0:c123,c456" - containers: - - name: container01 - image: dummyimagename ---- -###### CronJobs - Bad -apiVersion: batch/v1 -kind: CronJob -metadata: - name: selur-badcronjob01 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: 
container01 - image: dummyimagename - securityContext: - seLinuxOptions: - user: sysadm_u ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: selur-badcronjob02 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - securityContext: - seLinuxOptions: - role: sysadm_r ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: selur-badcronjob03 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - securityContext: - seLinuxOptions: - user: sysadm_u - role: sysadm_r ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: selur-badcronjob04 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - securityContext: - seLinuxOptions: - user: sysadm_u ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: selur-badcronjob05 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - securityContext: - seLinuxOptions: - role: sysadm_r ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: selur-badcronjob06 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - securityContext: - seLinuxOptions: - user: sysadm_u - role: sysadm_r ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: selur-badcronjob07 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - - name: container02 - image: dummyimagename - securityContext: - seLinuxOptions: - user: sysadm_u ---- -apiVersion: batch/v1 -kind: CronJob 
-metadata: - name: selur-badcronjob08 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - - name: container02 - image: dummyimagename - securityContext: - seLinuxOptions: - role: sysadm_r ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: selur-badcronjob09 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - - name: container02 - image: dummyimagename - securityContext: - seLinuxOptions: - user: sysadm_u - role: sysadm_r ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: selur-badcronjob10 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - securityContext: - seLinuxOptions: - type: unconfined_t - - name: container02 - image: dummyimagename - securityContext: - seLinuxOptions: - user: sysadm_u ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: selur-badcronjob11 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - seLinuxOptions: - user: sysadm_u - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: selur-badcronjob12 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - seLinuxOptions: - role: sysadm_r - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: selur-badcronjob13 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - 
name: initcontainer01 - image: dummyimagename - securityContext: - seLinuxOptions: - user: sysadm_u - role: sysadm_r - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: selur-badcronjob14 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer02 - image: dummyimagename - - name: initcontainer01 - image: dummyimagename - securityContext: - seLinuxOptions: - user: sysadm_u - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: selur-badcronjob15 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer02 - image: dummyimagename - - name: initcontainer01 - image: dummyimagename - securityContext: - seLinuxOptions: - role: sysadm_r - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: selur-badcronjob16 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer02 - image: dummyimagename - - name: initcontainer01 - image: dummyimagename - securityContext: - seLinuxOptions: - user: sysadm_u - role: sysadm_r - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: selur-badcronjob17 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer02 - image: dummyimagename - securityContext: - seLinuxOptions: - type: container_init_t - - name: initcontainer01 - image: dummyimagename - securityContext: - seLinuxOptions: - user: sysadm_u - containers: - - name: container01 - image: dummyimagename ---- -###### CronJobs - Good -apiVersion: batch/v1 -kind: CronJob -metadata: - 
name: selur-goodcronjob01 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: selur-goodcronjob02 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - securityContext: - seLinuxOptions: - level: "s0:c123,c456" ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: selur-goodcronjob03 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - securityContext: - seLinuxOptions: - level: "s0:c123,c456" ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: selur-goodcronjob04 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - securityContext: - seLinuxOptions: - type: container_t - level: "s0:c123,c456" ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: selur-goodcronjob05 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - - name: container02 - image: dummyimagename - securityContext: - seLinuxOptions: - level: "s0:c123,c456" ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: selur-goodcronjob06 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - securityContext: - seLinuxOptions: - type: container_t - - name: container02 - image: dummyimagename - securityContext: - seLinuxOptions: - level: "s0:c123,c456" ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: selur-goodcronjob07 -spec: - schedule: "*/1 * * * *" - 
jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: dummyimagename - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: selur-goodcronjob08 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - seLinuxOptions: - level: "s0:c123,c456" - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: selur-goodcronjob09 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - seLinuxOptions: - level: "s0:c123,c456" - type: container_t - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: selur-goodcronjob10 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: dummyimagename - - name: initcontainer02 - image: dummyimagename - securityContext: - seLinuxOptions: - level: "s0:c123,c456" - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: selur-goodcronjob11 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - seLinuxOptions: - type: container_t - - name: initcontainer02 - image: dummyimagename - securityContext: - seLinuxOptions: - level: "s0:c123,c456" - containers: - - name: container01 - image: dummyimagename 
diff --git a/pod-security-cel/baseline/disallow-selinux/artifacthub-pkg.yml b/pod-security-cel/baseline/disallow-selinux/artifacthub-pkg.yml index 2588b4ebe..5f23ce09f 100644 --- a/pod-security-cel/baseline/disallow-selinux/artifacthub-pkg.yml +++ b/pod-security-cel/baseline/disallow-selinux/artifacthub-pkg.yml @@ -19,5 +19,5 @@ annotations: kyverno/category: "Pod Security Standards (Baseline) in CEL" kyverno/kubernetesVersion: "1.26-1.27" kyverno/subject: "Pod" -digest: 03aa7b1e6017f42e75639c61a6593e1ac241ba1f158b72eaa8751c60b6c9d0f5 +digest: fc7d48f00d32dc6b04d5ffc453c2749319154ec90ba6309ce030141c6536eb87 createdAt: "2023-12-03T00:22:33Z" diff --git a/pod-security-cel/baseline/disallow-selinux/disallow-selinux.yaml b/pod-security-cel/baseline/disallow-selinux/disallow-selinux.yaml index b78bbd4ce..901d1f86d 100644 --- a/pod-security-cel/baseline/disallow-selinux/disallow-selinux.yaml +++ b/pod-security-cel/baseline/disallow-selinux/disallow-selinux.yaml 
@@ -23,52 +23,93 @@ spec: - resources: kinds: - Pod - operations: - - CREATE - - UPDATE validate: cel: - variables: - - name: allContainerTypes - expression: "(object.spec.containers + (has(object.spec.initContainers) ? object.spec.initContainers : []) + (has(object.spec.ephemeralContainers) ? object.spec.ephemeralContainers : []))" - - name: seLinuxTypes - expression: "['container_t', 'container_init_t', 'container_kvm_t']" expressions: - - expression: >- - (!has(object.spec.securityContext) || + - expression: >- + !has(object.spec.securityContext) || !has(object.spec.securityContext.seLinuxOptions) || !has(object.spec.securityContext.seLinuxOptions.type) || - variables.seLinuxTypes.exists(type, type == object.spec.securityContext.seLinuxOptions.type)) && - variables.allContainerTypes.all(container, - !has(container.securityContext) || + object.spec.securityContext.seLinuxOptions.type == 'container_t' || + object.spec.securityContext.seLinuxOptions.type == 'container_init_t' || + object.spec.securityContext.seLinuxOptions.type == 'container_kvm_t' + message: >- + Setting the SELinux type is restricted. The field spec.securityContext.seLinuxOptions.type + must either be unset or set to one of the allowed values (container_t, container_init_t, or container_kvm_t). + + - expression: >- + object.spec.containers.all(container, !has(container.securityContext) || + !has(container.securityContext.seLinuxOptions) || + !has(container.securityContext.seLinuxOptions.type) || + container.securityContext.seLinuxOptions.type == 'container_t' || + container.securityContext.seLinuxOptions.type == 'container_init_t' || + container.securityContext.seLinuxOptions.type == 'container_kvm_t') + message: >- + Setting the SELinux type is restricted. The field spec.containers[*].securityContext.seLinuxOptions.type + must either be unset or set to one of the allowed values (container_t, container_init_t, or container_kvm_t). 
+ + - expression: >- + !has(object.spec.initContainers) || + object.spec.initContainers.all(container, !has(container.securityContext) || + !has(container.securityContext.seLinuxOptions) || + !has(container.securityContext.seLinuxOptions.type) || + container.securityContext.seLinuxOptions.type == 'container_t' || + container.securityContext.seLinuxOptions.type == 'container_init_t' || + container.securityContext.seLinuxOptions.type == 'container_kvm_t') + message: >- + Setting the SELinux type is restricted. The field spec.initContainers[*].securityContext.seLinuxOptions.type + must either be unset or set to one of the allowed values (container_t, container_init_t, or container_kvm_t). + + - expression: >- + !has(object.spec.ephemeralContainers) || + object.spec.ephemeralContainers.all(container, !has(container.securityContext) || !has(container.securityContext.seLinuxOptions) || !has(container.securityContext.seLinuxOptions.type) || - variables.seLinuxTypes.exists(type, type == container.securityContext.seLinuxOptions.type)) + container.securityContext.seLinuxOptions.type == 'container_t' || + container.securityContext.seLinuxOptions.type == 'container_init_t' || + container.securityContext.seLinuxOptions.type == 'container_kvm_t') message: >- - Setting the SELinux type is restricted. The field securityContext.seLinuxOptions.type must either be unset or set to one of the allowed values (container_t, container_init_t, or container_kvm_t). + Setting the SELinux type is restricted. The field spec.ephemeralContainers[*].securityContext.seLinuxOptions.type + must either be unset or set to one of the allowed values (container_t, container_init_t, or container_kvm_t). - name: selinux-user-role match: any: - resources: kinds: - Pod - operations: - - CREATE - - UPDATE validate: cel: - variables: - - name: allContainerTypes - expression: "(object.spec.containers + (has(object.spec.initContainers) ? object.spec.initContainers : []) + (has(object.spec.ephemeralContainers) ? 
object.spec.ephemeralContainers : []))" expressions: - - expression: >- - (!has(object.spec.securityContext) || + - expression: >- + !has(object.spec.securityContext) || !has(object.spec.securityContext.seLinuxOptions) || - (!has(object.spec.securityContext.seLinuxOptions.user) && !has(object.spec.securityContext.seLinuxOptions.role))) && - variables.allContainerTypes.all(container, - !has(container.securityContext) || + (!has(object.spec.securityContext.seLinuxOptions.user) && !has(object.spec.securityContext.seLinuxOptions.role)) + message: >- + Setting the SELinux user or role is forbidden. The fields + spec.securityContext.seLinuxOptions.user and spec.securityContext.seLinuxOptions.role must be unset. + + - expression: >- + object.spec.containers.all(container, !has(container.securityContext) || + !has(container.securityContext.seLinuxOptions) || + (!has(container.securityContext.seLinuxOptions.user) && !has(container.securityContext.seLinuxOptions.role))) + message: >- + Setting the SELinux user or role is forbidden. The fields + spec.containers[*].securityContext.seLinuxOptions.user and spec.containers[*].securityContext.seLinuxOptions.role must be unset. + + - expression: >- + !has(object.spec.initContainers) || + object.spec.initContainers.all(container, !has(container.securityContext) || + !has(container.securityContext.seLinuxOptions) || + (!has(container.securityContext.seLinuxOptions.user) && !has(container.securityContext.seLinuxOptions.role))) + message: >- + Setting the SELinux user or role is forbidden. The fields + spec.initContainers[*].securityContext.seLinuxOptions.user and spec.initContainers[*].securityContext.seLinuxOptions.role must be unset. 
+ + - expression: >- + !has(object.spec.ephemeralContainers) || + object.spec.ephemeralContainers.all(container, !has(container.securityContext) || !has(container.securityContext.seLinuxOptions) || (!has(container.securityContext.seLinuxOptions.user) && !has(container.securityContext.seLinuxOptions.role))) message: >- - Setting the SELinux user or role is forbidden. The fields seLinuxOptions.user and seLinuxOptions.role must be unset. - \ No newline at end of file + Setting the SELinux user or role is forbidden. The fields + spec.ephemeralContainers[*].securityContext.seLinuxOptions.user and spec.ephemeralContainers[*].securityContext.seLinuxOptions.role must be unset. diff --git a/pod-security-cel/baseline/restrict-seccomp/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/pod-security-cel/baseline/restrict-seccomp/.chainsaw-test/chainsaw-step-01-assert-1.yaml new file mode 100755 index 000000000..92459aedf --- /dev/null +++ b/pod-security-cel/baseline/restrict-seccomp/.chainsaw-test/chainsaw-step-01-assert-1.yaml @@ -0,0 +1,6 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: restrict-seccomp +status: + ready: true diff --git a/pod-security-cel/baseline/restrict-seccomp/.chainsaw-test/chainsaw-test.yaml b/pod-security-cel/baseline/restrict-seccomp/.chainsaw-test/chainsaw-test.yaml index 1d3da5b2a..cf4c39a3d 100755 --- a/pod-security-cel/baseline/restrict-seccomp/.chainsaw-test/chainsaw-test.yaml +++ b/pod-security-cel/baseline/restrict-seccomp/.chainsaw-test/chainsaw-test.yaml 
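Review bot: The allowlist `container_t`/`container_init_t`/`container_kvm_t` is now repeated as three `==` comparisons in each of the four selinux-type expressions, so a future change to the permitted types has to be made in eight places; CEL list membership keeps each expression to one line without needing the `variables` block this commit removes, e.g. `container.securityContext.seLinuxOptions.type in ['container_t', 'container_init_t', 'container_kvm_t']`. The `match` block also drops `operations: [CREATE, UPDATE]`, so the rule now depends on Kyverno's default operation set; if that default includes DELETE for the pinned Kyverno version, `object` may be absent while every expression dereferences `object.spec` unguarded, which is worth confirming. The new messages hardcode `spec.containers[*]...` style paths; if these Pod rules are also auto-generated for pod controllers (the fixtures removed in this diff include Deployment and CronJob cases), the path reported for a rejected Deployment would actually be `spec.template.spec...`, so a path-neutral wording such as the previous `securityContext.seLinuxOptions.type` may be less misleading. The enclosing `spec.rules` list starts before this hunk.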
@@ -1,40 +1,37 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: creationTimestamp: null name: restrict-seccomp spec: - # disable templating because it can cause issues with CEL expressions - template: false steps: - name: step-01 try: - - apply: - file: ../restrict-seccomp.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: restrict-seccomp - spec: - validationFailureAction: Enforce + - script: + content: | + sed 's/validationFailureAction: Audit/validationFailureAction: Enforce/' ../restrict-seccomp.yaml | kubectl create -f - - assert: - file: policy-ready.yaml + file: chainsaw-step-01-assert-1.yaml - name: step-02 try: - apply: - file: pod-good.yaml + file: ../../../../pod-security/baseline/restrict-seccomp/.chainsaw-test/pod-good.yaml - apply: expect: - check: ($error != null): true - file: pod-bad.yaml + file: ../../../../pod-security/baseline/restrict-seccomp/.chainsaw-test/pod-bad.yaml - apply: - file: podcontroller-good.yaml + file: ../../../../pod-security/baseline/restrict-seccomp/.chainsaw-test/podcontroller-good.yaml - apply: expect: - check: ($error != null): true - file: podcontroller-bad.yaml + file: ../../../../pod-security/baseline/restrict-seccomp/.chainsaw-test/podcontroller-bad.yaml + - name: step-99 + try: + - delete: + ref: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: restrict-seccomp diff --git a/pod-security-cel/baseline/restrict-seccomp/.chainsaw-test/pod-bad.yaml b/pod-security-cel/baseline/restrict-seccomp/.chainsaw-test/pod-bad.yaml deleted file mode 100644 index 14d48792f..000000000 --- a/pod-security-cel/baseline/restrict-seccomp/.chainsaw-test/pod-bad.yaml +++ /dev/null 
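Review bot: The sed-based rewrite in the new step-01 `script` is a silent no-op if `validationFailureAction: Audit` is not found verbatim in ../restrict-seccomp.yaml, so the policy would be created in Audit mode and the `($error != null): true` checks in step-02 would fail (the bad resources being admitted) without pointing at the real cause. Guarding the substitution keeps the failure at its source: `set -e` and `grep -q 'validationFailureAction: Audit' ../restrict-seccomp.yaml` ahead of the existing `sed ... | kubectl create -f -` line. `kubectl create` will also fail when a ClusterPolicy named restrict-seccomp already exists, for example after an interrupted run that never reached the new step-99 cleanup; `kubectl apply -f -` would make the step re-runnable, assuming chainsaw runs the script content through a POSIX shell. The step-02 fixtures now resolve to ../../../../pod-security/baseline/restrict-seccomp/.chainsaw-test/, so what this CEL test asserts depends on files owned by the non-CEL policy; a one-line comment above step-02 naming that shared dependency would help the next maintainer who edits those fixtures.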
@@ -1,160 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: badpod01-new -spec: - initContainers: - - name: busybox01-init - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seccompProfile: - type: Unconfined - containers: - - name: busybox01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seccompProfile: - type: Localhost - localhostProfile: profiles/audit.json - - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seccompProfile: - type: RuntimeDefault ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod02-new -spec: - containers: - - name: busybox01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seccompProfile: - type: RuntimeDefault - - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seccompProfile: - type: Unconfined ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod03-new -spec: - securityContext: - seccompProfile: - type: Unconfined - containers: - - name: busybox01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod01 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seccompProfile: - type: Unconfined ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod02 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seccompProfile: - type: Unconfined ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod03 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seccompProfile: - type: Unconfined ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod04 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seccompProfile: - type: RuntimeDefault - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 - 
securityContext: - seccompProfile: - type: Unconfined ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod05 -spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seccompProfile: - type: Unconfined - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod06 -spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seccompProfile: - type: Unconfined - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod07 -spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seccompProfile: - type: RuntimeDefault - - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seccompProfile: - type: Unconfined - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- \ No newline at end of file diff --git a/pod-security-cel/baseline/restrict-seccomp/.chainsaw-test/pod-good.yaml b/pod-security-cel/baseline/restrict-seccomp/.chainsaw-test/pod-good.yaml deleted file mode 100644 index e97ff3768..000000000 --- a/pod-security-cel/baseline/restrict-seccomp/.chainsaw-test/pod-good.yaml +++ /dev/null 
@@ -1,224 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: goodpod01-new -spec: - initContainers: - - name: busybox01-init - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seccompProfile: - type: RuntimeDefault - containers: - - name: busybox01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seccompProfile: - type: Localhost - localhostProfile: profiles/audit.json - - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seccompProfile: - type: RuntimeDefault ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod02-new -spec: - containers: - - name: busybox01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seccompProfile: - type: RuntimeDefault - - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seccompProfile: - type: Localhost - localhostProfile: profiles/audit.json ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod03-new -spec: - securityContext: - seccompProfile: - type: Localhost - localhostProfile: profiles/audit.json - containers: - - name: busybox01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod04-new -spec: - containers: - - name: busybox01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod01 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod02 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seccompProfile: - type: RuntimeDefault ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod03 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seccompProfile: - type: Localhost - localhostProfile: operator/default/profile1.json ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod04 -spec: - containers: - - name: container01 - 
image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seccompProfile: - type: RuntimeDefault ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod05 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seccompProfile: - type: Localhost - localhostProfile: operator/default/profile1.json ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod06 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seccompProfile: - type: RuntimeDefault ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod07 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seccompProfile: - type: RuntimeDefault - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seccompProfile: - type: Localhost - localhostProfile: operator/default/profile1.json ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod08 -spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seccompProfile: - type: RuntimeDefault - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod09 -spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seccompProfile: - type: Localhost - localhostProfile: operator/default/profile1.json - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod10 -spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seccompProfile: - type: RuntimeDefault - containers: - - name: container01 - image: 
ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod11 -spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seccompProfile: - type: Localhost - localhostProfile: operator/default/profile1.json - - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seccompProfile: - type: RuntimeDefault - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- \ No newline at end of file diff --git a/pod-security-cel/baseline/restrict-seccomp/.chainsaw-test/podcontroller-bad.yaml b/pod-security-cel/baseline/restrict-seccomp/.chainsaw-test/podcontroller-bad.yaml deleted file mode 100644 index 92d9b91db..000000000 --- a/pod-security-cel/baseline/restrict-seccomp/.chainsaw-test/podcontroller-bad.yaml +++ /dev/null 
@@ -1,382 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment01-new -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: busybox01-init - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seccompProfile: - type: Unconfined - containers: - - name: busybox01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seccompProfile: - type: Localhost - localhostProfile: profiles/audit.json - - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seccompProfile: - type: RuntimeDefault ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob01-new -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: Never - initContainers: - - name: busybox01-init - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seccompProfile: - type: RuntimeDefault - containers: - - name: busybox01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seccompProfile: - type: Localhost - localhostProfile: profiles/audit.json - - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seccompProfile: - type: Unconfined ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment01 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seccompProfile: - type: Unconfined ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment02 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seccompProfile: - type: Unconfined ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment03 -spec: - 
replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seccompProfile: - type: Unconfined ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment04 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seccompProfile: - type: RuntimeDefault - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seccompProfile: - type: Unconfined ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment05 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seccompProfile: - type: Unconfined - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment06 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seccompProfile: - type: Unconfined - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment07 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seccompProfile: - type: RuntimeDefault - - name: 
initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seccompProfile: - type: Unconfined - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob01 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seccompProfile: - type: Unconfined ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob02 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seccompProfile: - type: Unconfined ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob03 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seccompProfile: - type: Unconfined ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob04 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seccompProfile: - type: RuntimeDefault - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seccompProfile: - type: Unconfined ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob05 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seccompProfile: - type: Unconfined - containers: - - name: container01 - image: 
ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob06 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seccompProfile: - type: Unconfined - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob07 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seccompProfile: - type: RuntimeDefault - - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seccompProfile: - type: Unconfined - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- \ No newline at end of file diff --git a/pod-security-cel/baseline/restrict-seccomp/.chainsaw-test/podcontroller-good.yaml b/pod-security-cel/baseline/restrict-seccomp/.chainsaw-test/podcontroller-good.yaml deleted file mode 100644 index 72cafb0a1..000000000 --- a/pod-security-cel/baseline/restrict-seccomp/.chainsaw-test/podcontroller-good.yaml +++ /dev/null 
@@ -1,548 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment01-new -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: busybox01-init - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seccompProfile: - type: RuntimeDefault - containers: - - name: busybox01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seccompProfile: - type: Localhost - localhostProfile: profiles/audit.json - - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seccompProfile: - type: RuntimeDefault ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob01-new -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: Never - initContainers: - - name: busybox01-init - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seccompProfile: - type: RuntimeDefault - containers: - - name: busybox01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seccompProfile: - type: Localhost - localhostProfile: profiles/audit.json - - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seccompProfile: - type: RuntimeDefault ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment01 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment02 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seccompProfile: - type: RuntimeDefault ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment03 -spec: - replicas: 1 - selector: - matchLabels: 
- app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seccompProfile: - type: Localhost - localhostProfile: operator/default/profile1.json ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment04 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seccompProfile: - type: RuntimeDefault ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment05 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seccompProfile: - type: Localhost - localhostProfile: operator/default/profile1.json ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment06 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seccompProfile: - type: RuntimeDefault ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment07 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seccompProfile: - type: Localhost - localhostProfile: operator/default/profile1.json - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seccompProfile: - type: RuntimeDefault ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment08 -spec: - replicas: 1 - selector: - matchLabels: - app: app - 
template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seccompProfile: - type: RuntimeDefault - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment09 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seccompProfile: - type: Localhost - localhostProfile: operator/default/profile1.json - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment10 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seccompProfile: - type: RuntimeDefault - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment11 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seccompProfile: - type: Localhost - localhostProfile: operator/default/profile1.json - - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seccompProfile: - type: RuntimeDefault - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob01 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure 
- containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob02 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seccompProfile: - type: RuntimeDefault ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob03 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seccompProfile: - type: Localhost - localhostProfile: operator/default/profile1.json ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob04 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seccompProfile: - type: RuntimeDefault ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob05 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seccompProfile: - type: Localhost - localhostProfile: operator/default/profile1.json ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob06 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seccompProfile: - type: RuntimeDefault ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob07 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure 
- containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seccompProfile: - type: Localhost - localhostProfile: operator/default/profile1.json - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seccompProfile: - type: RuntimeDefault ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob08 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seccompProfile: - type: RuntimeDefault - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob09 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seccompProfile: - type: Localhost - localhostProfile: operator/default/profile1.json - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob10 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seccompProfile: - type: RuntimeDefault - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob11 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seccompProfile: - type: Localhost - localhostProfile: 
operator/default/profile1.json - - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seccompProfile: - type: RuntimeDefault - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- diff --git a/pod-security-cel/baseline/restrict-seccomp/.chainsaw-test/policy-ready.yaml b/pod-security-cel/baseline/restrict-seccomp/.chainsaw-test/policy-ready.yaml deleted file mode 100755 index 03da26034..000000000 --- a/pod-security-cel/baseline/restrict-seccomp/.chainsaw-test/policy-ready.yaml +++ /dev/null @@ -1,10 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: restrict-seccomp -status: - conditions: - - reason: Succeeded - status: "True" - type: Ready - diff --git a/pod-security-cel/baseline/restrict-seccomp/.kyverno-test/kyverno-test.yaml b/pod-security-cel/baseline/restrict-seccomp/.kyverno-test/kyverno-test.yaml index 06ecb16c6..7717a0c8d 100644 --- a/pod-security-cel/baseline/restrict-seccomp/.kyverno-test/kyverno-test.yaml +++ b/pod-security-cel/baseline/restrict-seccomp/.kyverno-test/kyverno-test.yaml @@ -5,7 +5,7 @@ metadata: policies: - ../restrict-seccomp.yaml resources: -- resource.yaml +- ../../../../pod-security/baseline/restrict-seccomp/.kyverno-test/resource.yaml results: - kind: CronJob policy: restrict-seccomp diff --git a/pod-security-cel/baseline/restrict-seccomp/.kyverno-test/resource.yaml b/pod-security-cel/baseline/restrict-seccomp/.kyverno-test/resource.yaml deleted file mode 100644 index 977189198..000000000 --- a/pod-security-cel/baseline/restrict-seccomp/.kyverno-test/resource.yaml +++ /dev/null 
@@ -1,1078 +0,0 @@ -###### Pods - Bad ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod01 -spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - seccompProfile: - type: Unconfined ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod02 -spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - seccompProfile: - type: Unconfined ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod03 -spec: - containers: - - name: container01 - image: dummyimagename - - name: container02 - image: dummyimagename - securityContext: - seccompProfile: - type: Unconfined ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod04 -spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - seccompProfile: - type: RuntimeDefault - - name: container02 - image: dummyimagename - securityContext: - seccompProfile: - type: Unconfined ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod05 -spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - seccompProfile: - type: Unconfined - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod06 -spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - - name: initcontainer02 - image: dummyimagename - securityContext: - seccompProfile: - type: Unconfined - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod07 -spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - seccompProfile: - type: RuntimeDefault - - name: initcontainer02 - image: dummyimagename - securityContext: - seccompProfile: - type: Unconfined - containers: - - name: container01 - image: dummyimagename ---- -###### Pods - Good -apiVersion: v1 -kind: Pod -metadata: - name: goodpod01 -spec: - containers: - - name: container01 - image: dummyimagename ---- 
-apiVersion: v1 -kind: Pod -metadata: - name: goodpod02 -spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - seccompProfile: - type: RuntimeDefault ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod03 -spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - seccompProfile: - type: Localhost - localhostProfile: operator/default/profile1.json ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod04 -spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - seccompProfile: - type: RuntimeDefault ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod05 -spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - seccompProfile: - type: Localhost - localhostProfile: operator/default/profile1.json ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod06 -spec: - containers: - - name: container01 - image: dummyimagename - - name: container02 - image: dummyimagename - securityContext: - seccompProfile: - type: RuntimeDefault ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod07 -spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - seccompProfile: - type: RuntimeDefault - - name: container02 - image: dummyimagename - securityContext: - seccompProfile: - type: Localhost - localhostProfile: operator/default/profile1.json ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod08 -spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - seccompProfile: - type: RuntimeDefault - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod09 -spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - seccompProfile: - type: Localhost - localhostProfile: operator/default/profile1.json - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: v1 -kind: 
Pod -metadata: - name: goodpod10 -spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - - name: initcontainer02 - image: dummyimagename - securityContext: - seccompProfile: - type: RuntimeDefault - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod11 -spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - seccompProfile: - type: Localhost - localhostProfile: operator/default/profile1.json - - name: initcontainer02 - image: dummyimagename - securityContext: - seccompProfile: - type: RuntimeDefault - containers: - - name: container01 - image: dummyimagename ---- -###### Deployments - Bad -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment01 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - seccompProfile: - type: Unconfined ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment02 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - seccompProfile: - type: Unconfined ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment03 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - - name: container02 - image: dummyimagename - securityContext: - seccompProfile: - type: Unconfined ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment04 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - seccompProfile: - type: RuntimeDefault - - 
name: container02 - image: dummyimagename - securityContext: - seccompProfile: - type: Unconfined ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment05 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - seccompProfile: - type: Unconfined - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment06 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - - name: initcontainer02 - image: dummyimagename - securityContext: - seccompProfile: - type: Unconfined - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment07 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - seccompProfile: - type: RuntimeDefault - - name: initcontainer02 - image: dummyimagename - securityContext: - seccompProfile: - type: Unconfined - containers: - - name: container01 - image: dummyimagename ---- -###### Deployments - Good -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment01 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment02 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - seccompProfile: - type: RuntimeDefault ---- -apiVersion: apps/v1 
-kind: Deployment -metadata: - name: gooddeployment03 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - seccompProfile: - type: Localhost - localhostProfile: operator/default/profile1.json ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment04 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - seccompProfile: - type: RuntimeDefault ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment05 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - seccompProfile: - type: Localhost - localhostProfile: operator/default/profile1.json ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment06 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - - name: container02 - image: dummyimagename - securityContext: - seccompProfile: - type: RuntimeDefault ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment07 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - seccompProfile: - type: Localhost - localhostProfile: operator/default/profile1.json - - name: container02 - image: dummyimagename - securityContext: - seccompProfile: - type: RuntimeDefault ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment08 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - 
app: app - spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - seccompProfile: - type: RuntimeDefault - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment09 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - seccompProfile: - type: Localhost - localhostProfile: operator/default/profile1.json - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment10 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - - name: initcontainer02 - image: dummyimagename - securityContext: - seccompProfile: - type: RuntimeDefault - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment11 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - seccompProfile: - type: Localhost - localhostProfile: operator/default/profile1.json - - name: initcontainer02 - image: dummyimagename - securityContext: - seccompProfile: - type: RuntimeDefault - containers: - - name: container01 - image: dummyimagename ---- -###### CronJobs - Bad -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob01 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - securityContext: - seccompProfile: - type: Unconfined ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob02 -spec: - 
schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - securityContext: - seccompProfile: - type: Unconfined ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob03 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - - name: container02 - image: dummyimagename - securityContext: - seccompProfile: - type: Unconfined ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob04 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - securityContext: - seccompProfile: - type: RuntimeDefault - - name: container02 - image: dummyimagename - securityContext: - seccompProfile: - type: Unconfined ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob05 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - seccompProfile: - type: Unconfined - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob06 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: dummyimagename - - name: initcontainer02 - image: dummyimagename - securityContext: - seccompProfile: - type: Unconfined - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob07 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - 
seccompProfile: - type: RuntimeDefault - - name: initcontainer02 - image: dummyimagename - securityContext: - seccompProfile: - type: Unconfined - containers: - - name: container01 - image: dummyimagename ---- -###### CronJobs - Good -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob01 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob02 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - securityContext: - seccompProfile: - type: RuntimeDefault ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob03 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - securityContext: - seccompProfile: - type: Localhost - localhostProfile: operator/default/profile1.json ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob04 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - securityContext: - seccompProfile: - type: RuntimeDefault ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob05 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - securityContext: - seccompProfile: - type: Localhost - localhostProfile: operator/default/profile1.json ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob06 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - - name: 
container02 - image: dummyimagename - securityContext: - seccompProfile: - type: RuntimeDefault ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob07 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - securityContext: - seccompProfile: - type: Localhost - localhostProfile: operator/default/profile1.json - - name: container02 - image: dummyimagename - securityContext: - seccompProfile: - type: RuntimeDefault ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob08 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - seccompProfile: - type: RuntimeDefault - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob09 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - seccompProfile: - type: Localhost - localhostProfile: operator/default/profile1.json - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob10 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: dummyimagename - - name: initcontainer02 - image: dummyimagename - securityContext: - seccompProfile: - type: RuntimeDefault - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob11 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: dummyimagename - 
securityContext: - seccompProfile: - type: Localhost - localhostProfile: operator/default/profile1.json - - name: initcontainer02 - image: dummyimagename - securityContext: - seccompProfile: - type: RuntimeDefault - containers: - - name: container01 - image: dummyimagename ---- diff --git a/pod-security-cel/baseline/restrict-seccomp/artifacthub-pkg.yml b/pod-security-cel/baseline/restrict-seccomp/artifacthub-pkg.yml index 33895bece..e90895082 100644 --- a/pod-security-cel/baseline/restrict-seccomp/artifacthub-pkg.yml +++ b/pod-security-cel/baseline/restrict-seccomp/artifacthub-pkg.yml @@ -19,5 +19,5 @@ annotations: kyverno/category: "Pod Security Standards (Baseline) in CEL" kyverno/kubernetesVersion: "1.26-1.27" kyverno/subject: "Pod" -digest: c239371f4dd418e2410b05bbf0893d81255e0ac06fa62e169e71506123d88cf5 -createdAt: "2024-08-21T00:22:34Z" +digest: d21b5941cd9dabf326d60c8b6f8ca2fbfbd0ab3358d47e87f6a0d16419cf4213 +createdAt: "2023-12-03T00:22:34Z" diff --git a/pod-security-cel/baseline/restrict-seccomp/restrict-seccomp.yaml b/pod-security-cel/baseline/restrict-seccomp/restrict-seccomp.yaml index 4e74a34f6..2cbde252b 100644 --- a/pod-security-cel/baseline/restrict-seccomp/restrict-seccomp.yaml +++ b/pod-security-cel/baseline/restrict-seccomp/restrict-seccomp.yaml 
@@ -24,23 +24,47 @@ spec: - resources: kinds: - Pod - operations: - - CREATE - - UPDATE validate: cel: - variables: - - name: allContainers - expression: "(object.spec.containers + (has(object.spec.initContainers) ? object.spec.initContainers : []) + (has(object.spec.ephemeralContainers) ? object.spec.ephemeralContainers : []))" - - name: allowedProfileTypes - expression: "['RuntimeDefault', 'Localhost']" expressions: - expression: >- - (object.spec.?securityContext.?seccompProfile.?type.orValue('Localhost') - in variables.allowedProfileTypes) && - (variables.allContainers.all(container, - container.?securityContext.?seccompProfile.?type.orValue('Localhost') - in variables.allowedProfileTypes)) + !has(object.spec.securityContext) || + !has(object.spec.securityContext.seccompProfile) || + !has(object.spec.securityContext.seccompProfile.type) || + object.spec.securityContext.seccompProfile.type == 'RuntimeDefault' || + object.spec.securityContext.seccompProfile.type == 'Localhost' + message: >- + Use of custom Seccomp profiles is disallowed. The field + spec.securityContext.seccompProfile.type must be unset or set to `RuntimeDefault` or `Localhost`. + + - expression: >- + object.spec.containers.all(container, !has(container.securityContext) || + !has(container.securityContext.seccompProfile) || + !has(container.securityContext.seccompProfile.type) || + container.securityContext.seccompProfile.type == 'RuntimeDefault' || + container.securityContext.seccompProfile.type == 'Localhost') message: >- Use of custom Seccomp profiles is disallowed. The field spec.containers[*].securityContext.seccompProfile.type must be unset or set to `RuntimeDefault` or `Localhost`. 
+ + - expression: >- + !has(object.spec.initContainers) || + object.spec.initContainers.all(container, !has(container.securityContext) || + !has(container.securityContext.seccompProfile) || + !has(container.securityContext.seccompProfile.type) || + container.securityContext.seccompProfile.type == 'RuntimeDefault' || + container.securityContext.seccompProfile.type == 'Localhost') + message: >- + Use of custom Seccomp profiles is disallowed. The field + spec.initContainers[*].securityContext.seccompProfile.type must be unset or set to `RuntimeDefault` or `Localhost`. + + - expression: >- + !has(object.spec.ephemeralContainers) || + object.spec.ephemeralContainers.all(container, !has(container.securityContext) || + !has(container.securityContext.seccompProfile) || + !has(container.securityContext.seccompProfile.type) || + container.securityContext.seccompProfile.type == 'RuntimeDefault' || + container.securityContext.seccompProfile.type == 'Localhost') + message: >- + Use of custom Seccomp profiles is disallowed. The field + spec.ephemeralContainers[*].securityContext.seccompProfile.type must be unset or set to `RuntimeDefault` or `Localhost`. diff --git a/pod-security-cel/baseline/restrict-sysctls/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/pod-security-cel/baseline/restrict-sysctls/.chainsaw-test/chainsaw-step-01-assert-1.yaml new file mode 100755 index 000000000..a7afea7ef --- /dev/null +++ b/pod-security-cel/baseline/restrict-sysctls/.chainsaw-test/chainsaw-step-01-assert-1.yaml @@ -0,0 +1,6 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: restrict-sysctls +status: + ready: true diff --git a/pod-security-cel/baseline/restrict-sysctls/.chainsaw-test/chainsaw-test.yaml b/pod-security-cel/baseline/restrict-sysctls/.chainsaw-test/chainsaw-test.yaml index b71ac1a59..43c5a44da 100755 --- a/pod-security-cel/baseline/restrict-sysctls/.chainsaw-test/chainsaw-test.yaml 
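Review bot: The new side drops `operations: - CREATE - UPDATE` from the rule's match block, so the four CEL expressions are evaluated for whichever operations Kyverno matches when none are listed; if that default includes DELETE, `object` is null on those requests and `object.spec.containers.all(...)` fails with an evaluation error rather than a clean allow, which under Enforce could block pod deletions. I would keep the rule scoped by restoring `operations:` / `- CREATE` / `- UPDATE` under `resources:` next to `kinds: - Pod`. Separately, the same five-clause predicate is now written out four times (pod-level, containers, initContainers, ephemeralContainers); a `variables:` entry holding `['RuntimeDefault', 'Localhost']` referenced from each expression would keep the four lists from drifting if the baseline allowed set ever changes. The enclosing rule's `name` and `match:` header start before this hunk.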
+++ b/pod-security-cel/baseline/restrict-sysctls/.chainsaw-test/chainsaw-test.yaml @@ -1,40 +1,37 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: creationTimestamp: null name: restrict-sysctls spec: - # disable templating because it can cause issues with CEL expressions - template: false steps: - name: step-01 try: - - apply: - file: ../restrict-sysctls.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: restrict-sysctls - spec: - validationFailureAction: Enforce + - script: + content: | + sed 's/validationFailureAction: Audit/validationFailureAction: Enforce/' ../restrict-sysctls.yaml | kubectl create -f - - assert: - file: policy-ready.yaml + file: chainsaw-step-01-assert-1.yaml - name: step-02 try: - apply: - file: pod-good.yaml + file: ../../../../pod-security/baseline/restrict-sysctls/.chainsaw-test/pod-good.yaml - apply: expect: - check: ($error != null): true - file: pod-bad.yaml + file: ../../../../pod-security/baseline/restrict-sysctls/.chainsaw-test/pod-bad.yaml - apply: - file: podcontroller-good.yaml + file: ../../../../pod-security/baseline/restrict-sysctls/.chainsaw-test/podcontroller-good.yaml - apply: expect: - check: ($error != null): true - file: podcontroller-bad.yaml + file: ../../../../pod-security/baseline/restrict-sysctls/.chainsaw-test/podcontroller-bad.yaml + - name: step-99 + try: + - delete: + ref: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: restrict-sysctls diff --git a/pod-security-cel/baseline/restrict-sysctls/.chainsaw-test/pod-bad.yaml b/pod-security-cel/baseline/restrict-sysctls/.chainsaw-test/pod-bad.yaml deleted file mode 100644 index e850d943b..000000000 --- a/pod-security-cel/baseline/restrict-sysctls/.chainsaw-test/pod-bad.yaml +++ /dev/null 
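Review bot: The ClusterPolicy is now created by `sed ... | kubectl create -f -` in a `script` step instead of a chainsaw `apply`, so chainsaw does not track it and the only teardown is the new `step-99` delete, which as far as I can tell runs only when step-02 succeeds; a failed expectation in step-02 therefore leaves an Enforce-mode `restrict-sysctls` policy installed for every later test in the run. The `sed` substitution also does nothing if the policy file does not contain exactly `validationFailureAction: Audit`, in which case the policy lands in Audit mode and the `($error != null)` checks in step-02 fail for a non-obvious reason. I would guard the substitution and move the delete into a step-01 `cleanup` block, which per my reading of the chainsaw docs is deferred to test teardown rather than run at the end of the step like `finally`, as below.

```yaml
steps:
- name: step-01
  try:
  - script:
      content: |
        if ! grep -q 'validationFailureAction: Audit' ../restrict-sysctls.yaml; then
          echo 'expected "validationFailureAction: Audit" in ../restrict-sysctls.yaml' >&2
          exit 1
        fi
        sed 's/validationFailureAction: Audit/validationFailureAction: Enforce/' ../restrict-sysctls.yaml | kubectl create -f -
  - assert:
      file: chainsaw-step-01-assert-1.yaml
  cleanup:
  - delete:
      ref:
        apiVersion: kyverno.io/v1
        kind: ClusterPolicy
        name: restrict-sysctls
# … unchanged: step-02 (pod-good / pod-bad / podcontroller-good / podcontroller-bad applies) …
# … step-99 dropped: its delete now runs from step-01's cleanup …
```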
@@ -1,87 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: badpod01 -spec: - securityContext: - sysctls: - - name: kernel.shm_rmid_forced - value: "0" - - name: net.ipv4.foo_bar - value: "5000-6000" - - name: net.ipv4.ip_unprivileged_port_start - value: "60000" - containers: - - name: busybox01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod02 -spec: - securityContext: - sysctls: - - name: net.core.somaxconn - value: "1000-2000" - containers: - - name: busybox01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod03 -spec: - securityContext: - sysctls: - - name: net.ipv4.foo_bar - value: "5000-6000" - - name: kernel.shm_rmid_forced - value: "0" - containers: - - name: busybox01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod04 -spec: - securityContext: - sysctls: - - name: kernel.shm_rmid_forced - value: "0" - - name: net.ipv4.foo_bar - value: "5000-6000" - containers: - - name: busybox01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod01-new -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - sysctls: - - name: kernel.shm_next_id - value: "4" ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod02-new -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - sysctls: - - name: kernel.shm_rmid_forced - value: "2" - - name: kernel.shm_next_id - value: "4" \ No newline at end of file diff --git a/pod-security-cel/baseline/restrict-sysctls/.chainsaw-test/pod-good.yaml b/pod-security-cel/baseline/restrict-sysctls/.chainsaw-test/pod-good.yaml deleted file mode 100644 index 389f1f79a..000000000 --- a/pod-security-cel/baseline/restrict-sysctls/.chainsaw-test/pod-good.yaml +++ /dev/null 
@@ -1,128 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: goodpod01-new -spec: - securityContext: - sysctls: - - name: kernel.shm_rmid_forced - value: "0" - - name: net.ipv4.ip_local_port_range - value: "5000-6000" - - name: net.ipv4.ip_unprivileged_port_start - value: "60000" - containers: - - name: busybox01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod02-new -spec: - containers: - - name: busybox01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod03-new -spec: - securityContext: - sysctls: - - name: net.ipv4.ping_group_range - value: "1000-2000" - containers: - - name: busybox01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod01 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod02 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - sysctls: - - name: kernel.shm_rmid_forced - value: "2" ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod03 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - sysctls: - - name: net.ipv4.ip_local_port_range - value: "31000 60999" ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod04 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - sysctls: - - name: net.ipv4.ip_unprivileged_port_start - value: "2048" ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod05 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - sysctls: - - name: net.ipv4.tcp_syncookies - value: "0" ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod06 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - sysctls: - - 
name: net.ipv4.ping_group_range - value: "1 0" ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod07 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - sysctls: - - name: net.ipv4.ip_unprivileged_port_start - value: "2048" - - name: net.ipv4.ping_group_range - value: "1 0" ---- \ No newline at end of file diff --git a/pod-security-cel/baseline/restrict-sysctls/.chainsaw-test/podcontroller-bad.yaml b/pod-security-cel/baseline/restrict-sysctls/.chainsaw-test/podcontroller-bad.yaml deleted file mode 100644 index 587c2affb..000000000 --- a/pod-security-cel/baseline/restrict-sysctls/.chainsaw-test/podcontroller-bad.yaml +++ /dev/null 
@@ -1,135 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment01-new -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - securityContext: - sysctls: - - name: kernel.shm_rmid_forced - value: "0" - - name: net.ipv4.foo_bar - value: "5000-6000" - - name: net.ipv4.ip_unprivileged_port_start - value: "60000" - containers: - - name: busybox01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob01-new -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: Never - securityContext: - sysctls: - - name: kernel.shm_rmid_forced - value: "0" - - name: net.ipv4.ip_unprivileged_port_start - value: "60000" - - name: net.ipv4.foo_bar - value: "5000-6000" - containers: - - name: busybox01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment01 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - sysctls: - - name: kernel.shm_next_id - value: "4" ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment02 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - sysctls: - - name: kernel.shm_rmid_forced - value: "2" - - name: kernel.shm_next_id - value: "4" ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob01 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - sysctls: - - name: kernel.shm_next_id - value: "4" ---- -apiVersion: batch/v1 
-kind: CronJob -metadata: - name: badcronjob02 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - sysctls: - - name: kernel.shm_rmid_forced - value: "2" - - name: kernel.shm_next_id - value: "4" ---- \ No newline at end of file diff --git a/pod-security-cel/baseline/restrict-sysctls/.chainsaw-test/podcontroller-good.yaml b/pod-security-cel/baseline/restrict-sysctls/.chainsaw-test/podcontroller-good.yaml deleted file mode 100644 index 5280d7259..000000000 --- a/pod-security-cel/baseline/restrict-sysctls/.chainsaw-test/podcontroller-good.yaml +++ /dev/null 
@@ -1,331 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment01-new -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - securityContext: - sysctls: - - name: kernel.shm_rmid_forced - value: "0" - - name: net.ipv4.ip_local_port_range - value: "5000-6000" - - name: net.ipv4.ip_unprivileged_port_start - value: "60000" - containers: - - name: busybox01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob01-new -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: Never - securityContext: - sysctls: - - name: kernel.shm_rmid_forced - value: "0" - - name: net.ipv4.ip_local_port_range - value: "5000-6000" - - name: net.ipv4.ip_unprivileged_port_start - value: "60000" - containers: - - name: busybox01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment01 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment02 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - sysctls: - - name: kernel.shm_rmid_forced - value: "2" ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment03 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - sysctls: - - name: net.ipv4.ip_local_port_range - value: "31000 60999" ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment04 
-spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - sysctls: - - name: net.ipv4.ip_unprivileged_port_start - value: "2048" ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment05 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - sysctls: - - name: net.ipv4.tcp_syncookies - value: "0" ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment06 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - sysctls: - - name: net.ipv4.ping_group_range - value: "1 0" ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment07 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - sysctls: - - name: net.ipv4.ip_unprivileged_port_start - value: "2048" - - name: net.ipv4.ping_group_range - value: "1 0" ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob01 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob02 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - sysctls: - - name: kernel.shm_rmid_forced - value: "2" ---- 
-apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob03 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - sysctls: - - name: net.ipv4.ip_local_port_range - value: "31000 60999" ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob04 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - sysctls: - - name: net.ipv4.ip_unprivileged_port_start - value: "2048" ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob05 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - sysctls: - - name: net.ipv4.tcp_syncookies - value: "0" ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob06 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - sysctls: - - name: net.ipv4.ping_group_range - value: "1 0" ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob07 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - sysctls: - - name: net.ipv4.ip_unprivileged_port_start - value: "2048" - - name: net.ipv4.ping_group_range - value: "1 0" diff --git a/pod-security-cel/baseline/restrict-sysctls/.chainsaw-test/policy-ready.yaml b/pod-security-cel/baseline/restrict-sysctls/.chainsaw-test/policy-ready.yaml deleted file mode 100755 index cc9ad507f..000000000 
--- a/pod-security-cel/baseline/restrict-sysctls/.chainsaw-test/policy-ready.yaml
+++ /dev/null
@@ -1,10 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
- name: restrict-sysctls
-status:
- conditions:
- - reason: Succeeded
- status: "True"
- type: Ready
-
diff --git a/pod-security-cel/baseline/restrict-sysctls/.kyverno-test/kyverno-test.yaml b/pod-security-cel/baseline/restrict-sysctls/.kyverno-test/kyverno-test.yaml
index 4dbe06fe4..b1b0b1128 100644
--- a/pod-security-cel/baseline/restrict-sysctls/.kyverno-test/kyverno-test.yaml
+++ b/pod-security-cel/baseline/restrict-sysctls/.kyverno-test/kyverno-test.yaml
@@ -5,7 +5,7 @@ metadata:
 policies:
 - ../restrict-sysctls.yaml
 resources:
-- resource.yaml
+- ../../../../pod-security/baseline/restrict-sysctls/.kyverno-test/resource.yaml
 results:
 - kind: CronJob
 policy: restrict-sysctls
diff --git a/pod-security-cel/baseline/restrict-sysctls/.kyverno-test/resource.yaml b/pod-security-cel/baseline/restrict-sysctls/.kyverno-test/resource.yaml
deleted file mode 100644
index ba9f2894d..000000000
--- a/pod-security-cel/baseline/restrict-sysctls/.kyverno-test/resource.yaml
+++ /dev/null
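Review bot: The expected `results` for this suite (they continue past the hunk) now depend on resource names kept in another policy's directory, because `resources:` points four levels up into the non-CEL fixtures with nothing noting the coupling; a rename there will break this test with no local hint why. A one-line comment next to the path would make that visible, e.g. `# fixtures shared with pod-security/baseline/restrict-sysctls; keep the names in results below in sync`. If the CEL and non-CEL suites are expected to diverge again, a local copy of the fixture is the safer choice.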
@@ -1,492 +0,0 @@ -###### Pods - Bad ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod01 -spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - sysctls: - - name: kernel.shm_next_id - value: "4" ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod02 -spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - sysctls: - - name: kernel.shm_rmid_forced - value: "2" - - name: kernel.shm_next_id - value: "4" -###### Pods - Good ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod01 -spec: - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod02 -spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - sysctls: - - name: kernel.shm_rmid_forced - value: "2" ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod03 -spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - sysctls: - - name: net.ipv4.ip_local_port_range - value: "31000 60999" ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod04 -spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - sysctls: - - name: net.ipv4.ip_unprivileged_port_start - value: "2048" ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod05 -spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - sysctls: - - name: net.ipv4.tcp_syncookies - value: "0" ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod06 -spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - sysctls: - - name: net.ipv4.ping_group_range - value: "1 0" ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod07 -spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - sysctls: - - name: net.ipv4.ip_unprivileged_port_start - value: "2048" - - name: net.ipv4.ping_group_range - value: "1 0" ---- -###### Deployments - Bad 
-apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment01 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - sysctls: - - name: kernel.shm_next_id - value: "4" ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment02 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - sysctls: - - name: kernel.shm_rmid_forced - value: "2" - - name: kernel.shm_next_id - value: "4" ---- -###### Deployments - Good -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment01 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment02 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - sysctls: - - name: kernel.shm_rmid_forced - value: "2" ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment03 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - sysctls: - - name: net.ipv4.ip_local_port_range - value: "31000 60999" ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment04 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - sysctls: - - name: net.ipv4.ip_unprivileged_port_start - value: "2048" ---- -apiVersion: 
apps/v1 -kind: Deployment -metadata: - name: gooddeployment05 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - sysctls: - - name: net.ipv4.tcp_syncookies - value: "0" ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment06 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - sysctls: - - name: net.ipv4.ping_group_range - value: "1 0" ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment07 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - sysctls: - - name: net.ipv4.ip_unprivileged_port_start - value: "2048" - - name: net.ipv4.ping_group_range - value: "1 0" ---- -###### CronJobs - Bad -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob01 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - securityContext: - sysctls: - - name: kernel.shm_next_id - value: "4" ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob02 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - securityContext: - sysctls: - - name: kernel.shm_rmid_forced - value: "2" - - name: kernel.shm_next_id - value: "4" ---- -###### CronJobs - Good -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob01 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename ---- 
-apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob02 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - securityContext: - sysctls: - - name: kernel.shm_rmid_forced - value: "2" ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob03 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - securityContext: - sysctls: - - name: net.ipv4.ip_local_port_range - value: "31000 60999" ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob04 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - securityContext: - sysctls: - - name: net.ipv4.ip_unprivileged_port_start - value: "2048" ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob05 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - securityContext: - sysctls: - - name: net.ipv4.tcp_syncookies - value: "0" ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob06 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - securityContext: - sysctls: - - name: net.ipv4.ping_group_range - value: "1 0" ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob07 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - securityContext: - sysctls: - - name: net.ipv4.ip_unprivileged_port_start - value: "2048" - - name: net.ipv4.ping_group_range - value: "1 0" 
diff --git a/pod-security-cel/baseline/restrict-sysctls/artifacthub-pkg.yml b/pod-security-cel/baseline/restrict-sysctls/artifacthub-pkg.yml
index 98cfe547e..40023883c 100644
--- a/pod-security-cel/baseline/restrict-sysctls/artifacthub-pkg.yml
+++ b/pod-security-cel/baseline/restrict-sysctls/artifacthub-pkg.yml
@@ -19,5 +19,5 @@ annotations:
 kyverno/category: "Pod Security Standards (Baseline) in CEL"
 kyverno/kubernetesVersion: "1.26-1.27"
 kyverno/subject: "Pod"
-digest: 451731aeba70f3c37f7a58cc1ba47b7fed8ffc8971e4a664c81406004f93b61c
-createdAt: "2024-08-21T00:22:33Z"
+digest: d2559783b696ce27a5b0684fd65a37cb9cef2e62c6ee39138de27283c5adbeb6
+createdAt: "2023-12-03T00:22:33Z"
diff --git a/pod-security-cel/baseline/restrict-sysctls/restrict-sysctls.yaml b/pod-security-cel/baseline/restrict-sysctls/restrict-sysctls.yaml
index 294685d36..91cacc773 100644
--- a/pod-security-cel/baseline/restrict-sysctls/restrict-sysctls.yaml
+++ b/pod-security-cel/baseline/restrict-sysctls/restrict-sysctls.yaml
@@ -27,18 +27,18 @@ spec:
 - resources:
 kinds:
 - Pod
- operations:
- - CREATE
- - UPDATE
 validate:
 cel:
- variables:
- - name: allowedSysctls
- expression: "['kernel.shm_rmid_forced','net.ipv4.ip_local_port_range','net.ipv4.ip_unprivileged_port_start','net.ipv4.tcp_syncookies','net.ipv4.ping_group_range']"
 expressions:
 - expression: >-
- object.spec.?securityContext.?sysctls.orValue([]).all(sysctl, sysctl == '' ||
- has(sysctl.name) && sysctl.name in variables.allowedSysctls)
+ !has(object.spec.securityContext) ||
+ !has(object.spec.securityContext.sysctls) ||
+ object.spec.securityContext.sysctls.all(sysctl, !has(sysctl.name) ||
+ sysctl.name == 'kernel.shm_rmid_forced' ||
+ sysctl.name == 'net.ipv4.ip_local_port_range' ||
+ sysctl.name == 'net.ipv4.ip_unprivileged_port_start' ||
+ sysctl.name == 'net.ipv4.tcp_syncookies' ||
+ sysctl.name == 'net.ipv4.ping_group_range')
 message: >-
 Setting additional sysctls above the allowed type is disallowed.
 The field spec.securityContext.sysctls must be unset or not use any other names
diff --git a/pod-security-cel/restricted/disallow-capabilities-strict/.chainsaw-test/chainsaw-test.yaml b/pod-security-cel/restricted/disallow-capabilities-strict/.chainsaw-test/chainsaw-test.yaml
index 369c57496..dd8858258 100755
--- a/pod-security-cel/restricted/disallow-capabilities-strict/.chainsaw-test/chainsaw-test.yaml
+++ b/pod-security-cel/restricted/disallow-capabilities-strict/.chainsaw-test/chainsaw-test.yaml
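Review bot: The allow-list is hard-coded as five `sysctl.name == ...` comparisons inside the folded expression with nothing saying which standard it mirrors, so the next person who bumps `kyverno/kubernetesVersion` has no pointer for keeping it current; the `message:` below says "allowed type" without naming the list either. A comment above `- expression: >-` such as `# Allowed names mirror the Pod Security Standards baseline "Sysctls" control; review when the supported Kubernetes range changes` would tie the values to their source. As far as I recall the baseline permits `net.ipv4.ip_local_reserved_ports` from Kubernetes 1.27, so with the package annotated as 1.26-1.27 this list may be stricter than the standard on 1.27 — worth confirming against the upstream PSS table before merging. Dropping the `operations:` filter also leaves the rule matching every admission operation, and since `object` is normally empty on DELETE requests, whether Kyverno still skips validate rules for DELETE when no filter is set should be confirmed. The enclosing rule and its `match.any` begin before this hunk.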
@@ -1,40 +1,37 @@
-# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
 apiVersion: chainsaw.kyverno.io/v1alpha1
 kind: Test
 metadata:
 creationTimestamp: null
 name: disallow-capabilities-strict
 spec:
- # disable templating because it can cause issues with CEL expressions
- template: false
 steps:
 - name: step-01
 try:
- - apply:
- file: ../disallow-capabilities-strict.yaml
- - patch:
- resource:
- apiVersion: kyverno.io/v1
- kind: ClusterPolicy
- metadata:
- name: disallow-capabilities-strict
- spec:
- validationFailureAction: Enforce
+ - script:
+ content: |
+ sed 's/validationFailureAction: Audit/validationFailureAction: Enforce/' ../disallow-capabilities-strict.yaml | kubectl create -f -
 - assert:
- file: policy-ready.yaml
+ file: ../../../../pod-security/restricted/disallow-capabilities-strict/.chainsaw-test/chainsaw-step-01-assert-1.yaml
 - name: step-02
 try:
 - apply:
- file: pod-good.yaml
+ file: ../../../../pod-security/restricted/disallow-capabilities-strict/.chainsaw-test/pod-good.yaml
 - apply:
 expect:
 - check:
 ($error != null): true
- file: pod-bad.yaml
+ file: ../../../../pod-security/restricted/disallow-capabilities-strict/.chainsaw-test/pod-bad.yaml
 - apply:
- file: podcontroller-good.yaml
+ file: ../../../../pod-security/restricted/disallow-capabilities-strict/.chainsaw-test/podcontroller-good.yaml
 - apply:
 expect:
 - check:
 ($error != null): true
- file: podcontroller-bad.yaml
+ file: ../../../../pod-security/restricted/disallow-capabilities-strict/.chainsaw-test/podcontroller-bad.yaml
+ - name: step-99
+ try:
+ - delete:
+ ref:
+ apiVersion: kyverno.io/v1
+ kind: ClusterPolicy
+ name: disallow-capabilities-strict
diff --git a/pod-security-cel/restricted/disallow-capabilities-strict/.chainsaw-test/pod-bad.yaml b/pod-security-cel/restricted/disallow-capabilities-strict/.chainsaw-test/pod-bad.yaml
deleted file mode 100644
index a52dfab66..000000000
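Review bot: The `sed` substitution in the new `script:` step has no failure mode: if the policy file spells the field differently or a newer schema moves the action elsewhere, the substitution silently matches nothing, the ClusterPolicy is created in Audit mode, and the test only fails later at the `($error != null)` expectations with a misleading message. The step-01 assert should pin the mode the rest of the test relies on, e.g. add `spec:` / `  validationFailureAction: Enforce` to the assert file so a no-op substitution is caught before step-02 runs. The step-99 `delete` only runs when every earlier step passes, and a policy created through `kubectl create` in a script is presumably not tracked by chainsaw's own cleanup, so a failed step-02 leaves an Enforce-mode ClusterPolicy in the cluster for subsequent tests; a `finally:` block on step-01 (if the chainsaw version in use supports it) would be the robust place for that delete. The removed `patch:` step expressed the same intent structurally and with a hard failure on a missing field, which is worth weighing against the shell form.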
--- a/pod-security-cel/restricted/disallow-capabilities-strict/.chainsaw-test/pod-bad.yaml
+++ /dev/null
@@ -1,402 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: badpod01 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod02 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - drop: - - NET_RAW ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod03 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod04 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - drop: - - NET_RAW ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod05 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - drop: - - NET_RAW - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - drop: - - ALL ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod06 -spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - drop: - - ALL ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod07 -spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - drop: - - NET_RAW - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - drop: - - ALL ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod08 -spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 
- containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - drop: - - ALL ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod09 -spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - drop: - - NET_RAW - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - drop: - - ALL ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod10 -spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - drop: - - NET_RAW - - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - drop: - - ALL - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - drop: - - ALL ---- -apiVersion: v1 -kind: Pod -metadata: - name: addcap-badpod01 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - drop: - - ALL - add: - - CHOWN ---- -apiVersion: v1 -kind: Pod -metadata: - name: addcap-badpod02 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - drop: - - ALL - add: - - CHOWN - - NET_BIND_SERVICE ---- -apiVersion: v1 -kind: Pod -metadata: - name: addcap-badpod03 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - drop: - - ALL - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - drop: - - ALL - add: - - CHOWN ---- -apiVersion: v1 -kind: Pod -metadata: - name: addcap-badpod04 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - drop: - - 
ALL - add: - - NET_BIND_SERVICE - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - drop: - - ALL - add: - - CHOWN ---- -apiVersion: v1 -kind: Pod -metadata: - name: addcap-badpod05 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - drop: - - ALL - add: - - NET_BIND_SERVICE - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - drop: - - ALL - add: - - CHOWN - - NET_BIND_SERVICE ---- -apiVersion: v1 -kind: Pod -metadata: - name: addcap-badpod06 -spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - drop: - - ALL - add: - - CHOWN - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - drop: - - ALL ---- -apiVersion: v1 -kind: Pod -metadata: - name: addcap-badpod07 -spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - drop: - - ALL - add: - - CHOWN - - NET_BIND_SERVICE - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - drop: - - ALL ---- -apiVersion: v1 -kind: Pod -metadata: - name: addcap-badpod08 -spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - drop: - - ALL - - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - drop: - - ALL - add: - - CHOWN - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - drop: - - ALL ---- -apiVersion: v1 -kind: Pod -metadata: - name: addcap-badpod09 -spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - drop: - - ALL - add: - - 
NET_BIND_SERVICE - - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - drop: - - ALL - add: - - CHOWN - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - drop: - - ALL ---- -apiVersion: v1 -kind: Pod -metadata: - name: addcap-badpod10 -spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - drop: - - ALL - add: - - NET_BIND_SERVICE - - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - drop: - - ALL - add: - - CHOWN - - NET_BIND_SERVICE - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - drop: - - ALL ---- \ No newline at end of file diff --git a/pod-security-cel/restricted/disallow-capabilities-strict/.chainsaw-test/pod-good.yaml b/pod-security-cel/restricted/disallow-capabilities-strict/.chainsaw-test/pod-good.yaml deleted file mode 100644 index 70eb6daf5..000000000 --- a/pod-security-cel/restricted/disallow-capabilities-strict/.chainsaw-test/pod-good.yaml +++ /dev/null 
@@ -1,298 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: goodpod01 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - drop: - - ALL ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod02 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - drop: - - NET_RAW - - ALL ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod03 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - drop: - - ALL - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - drop: - - ALL ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod04 -spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - drop: - - ALL - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - drop: - - ALL ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod05 -spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - drop: - - NET_RAW - - ALL - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - drop: - - ALL ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod06 -spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - drop: - - ALL - - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - drop: - - ALL - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - drop: - - ALL ---- -apiVersion: v1 -kind: Pod -metadata: - name: addcap-goodpod02 -spec: - containers: - - name: container01 - image: 
ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - drop: - - ALL - add: - - NET_BIND_SERVICE ---- -apiVersion: v1 -kind: Pod -metadata: - name: addcap-goodpod04 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - drop: - - ALL - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - drop: - - ALL - add: - - NET_BIND_SERVICE ---- -apiVersion: v1 -kind: Pod -metadata: - name: addcap-goodpod05 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - drop: - - ALL - add: - - NET_BIND_SERVICE - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - drop: - - ALL - add: - - NET_BIND_SERVICE ---- -apiVersion: v1 -kind: Pod -metadata: - name: addcap-goodpod06 -spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - drop: - - ALL - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - drop: - - ALL ---- -apiVersion: v1 -kind: Pod -metadata: - name: addcap-goodpod07 -spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - drop: - - ALL - add: - - NET_BIND_SERVICE - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - drop: - - ALL ---- -apiVersion: v1 -kind: Pod -metadata: - name: addcap-goodpod08 -spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - drop: - - ALL - - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - drop: - - ALL - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: 
- drop: - - ALL ---- -apiVersion: v1 -kind: Pod -metadata: - name: addcap-goodpod09 -spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - drop: - - ALL - - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - drop: - - ALL - add: - - NET_BIND_SERVICE - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - drop: - - ALL ---- -apiVersion: v1 -kind: Pod -metadata: - name: addcap-goodpod10 -spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - drop: - - ALL - add: - - NET_BIND_SERVICE - - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - drop: - - ALL - add: - - NET_BIND_SERVICE - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - drop: - - ALL ---- \ No newline at end of file diff --git a/pod-security-cel/restricted/disallow-capabilities-strict/.chainsaw-test/podcontroller-bad.yaml b/pod-security-cel/restricted/disallow-capabilities-strict/.chainsaw-test/podcontroller-bad.yaml deleted file mode 100644 index f3d52b08b..000000000 --- a/pod-security-cel/restricted/disallow-capabilities-strict/.chainsaw-test/podcontroller-bad.yaml +++ /dev/null 
@@ -1,1104 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment01 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment02 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - drop: - - NET_RAW ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment03 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment04 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - drop: - - NET_RAW ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment05 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - drop: - - NET_RAW - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - drop: - - ALL ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment06 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: 
initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - drop: - - ALL ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment07 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - drop: - - NET_RAW - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - drop: - - ALL ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment08 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - drop: - - ALL ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment09 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - drop: - - NET_RAW - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - drop: - - ALL ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment10 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - drop: - - NET_RAW - - 
name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - drop: - - ALL - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - drop: - - ALL ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob01 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob02 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - drop: - - NET_RAW ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob03 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob04 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - drop: - - NET_RAW ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob05 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - drop: - - NET_RAW - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - drop: - - ALL ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: 
badcronjob06 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - drop: - - ALL ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob07 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - drop: - - NET_RAW - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - drop: - - ALL ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob08 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - drop: - - ALL ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob09 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - drop: - - NET_RAW - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - drop: - - ALL ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob10 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: 
ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - drop: - - NET_RAW - - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - drop: - - ALL - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - drop: - - ALL ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: addcap-baddeployment01 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - drop: - - ALL - add: - - CHOWN ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: addcap-baddeployment02 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - drop: - - ALL - add: - - CHOWN - - NET_BIND_SERVICE ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: addcap-baddeployment03 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - drop: - - ALL - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - drop: - - ALL - add: - - CHOWN ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: addcap-baddeployment04 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - drop: - - ALL - add: - - NET_BIND_SERVICE - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - drop: - - ALL - add: - - CHOWN 
---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: addcap-baddeployment05 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - drop: - - ALL - add: - - NET_BIND_SERVICE - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - drop: - - ALL - add: - - CHOWN - - NET_BIND_SERVICE ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: addcap-baddeployment06 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - drop: - - ALL - add: - - CHOWN - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - drop: - - ALL ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: addcap-baddeployment07 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - drop: - - ALL - add: - - CHOWN - - NET_BIND_SERVICE - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - drop: - - ALL ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: addcap-baddeployment08 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - drop: - - ALL - - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - drop: - - ALL - add: - - CHOWN - containers: - - name: 
container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - drop: - - ALL ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: addcap-baddeployment09 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - drop: - - ALL - add: - - NET_BIND_SERVICE - - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - drop: - - ALL - add: - - CHOWN - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - drop: - - ALL ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: addcap-baddeployment10 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - drop: - - ALL - add: - - NET_BIND_SERVICE - - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - drop: - - ALL - add: - - CHOWN - - NET_BIND_SERVICE - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - drop: - - ALL ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: addcap-badcronjob01 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - drop: - - ALL - add: - - CHOWN ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: addcap-badcronjob02 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - 
securityContext: - capabilities: - drop: - - ALL - add: - - CHOWN - - NET_BIND_SERVICE ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: addcap-badcronjob03 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - drop: - - ALL - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - drop: - - ALL - add: - - CHOWN ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: addcap-badcronjob04 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - drop: - - ALL - add: - - NET_BIND_SERVICE - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - drop: - - ALL - add: - - CHOWN ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: addcap-badcronjob05 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - drop: - - ALL - add: - - NET_BIND_SERVICE - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - drop: - - ALL - add: - - CHOWN - - NET_BIND_SERVICE ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: addcap-badcronjob06 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - drop: - - ALL - add: - - CHOWN - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - drop: - - ALL ---- -apiVersion: 
batch/v1 -kind: CronJob -metadata: - name: addcap-badcronjob07 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - drop: - - ALL - add: - - CHOWN - - NET_BIND_SERVICE - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - drop: - - ALL ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: addcap-badcronjob08 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - drop: - - ALL - - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - drop: - - ALL - add: - - CHOWN - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - drop: - - ALL ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: addcap-badcronjob09 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - drop: - - ALL - add: - - NET_BIND_SERVICE - - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - drop: - - ALL - add: - - CHOWN - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - drop: - - ALL ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: addcap-badcronjob10 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - drop: - - ALL 
- add: - - NET_BIND_SERVICE - - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - drop: - - ALL - add: - - CHOWN - - NET_BIND_SERVICE - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - drop: - - ALL ---- \ No newline at end of file diff --git a/pod-security-cel/restricted/disallow-capabilities-strict/.chainsaw-test/podcontroller-good.yaml b/pod-security-cel/restricted/disallow-capabilities-strict/.chainsaw-test/podcontroller-good.yaml deleted file mode 100644 index 1968566d9..000000000 --- a/pod-security-cel/restricted/disallow-capabilities-strict/.chainsaw-test/podcontroller-good.yaml +++ /dev/null 
@@ -1,799 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment01 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - drop: - - ALL ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment02 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - drop: - - NET_RAW - - ALL ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment03 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - drop: - - ALL - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - drop: - - ALL ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment04 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - drop: - - ALL - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - drop: - - ALL ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment05 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - drop: - - NET_RAW - - ALL - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - 
securityContext: - capabilities: - drop: - - ALL ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment06 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - drop: - - ALL - - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - drop: - - ALL - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - drop: - - ALL ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob01 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - drop: - - ALL ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob02 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - drop: - - NET_RAW - - ALL ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob03 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - drop: - - ALL - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - drop: - - ALL ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob04 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - drop: - - ALL - 
containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - drop: - - ALL ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob05 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - drop: - - NET_RAW - - ALL - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - drop: - - ALL ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob06 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - drop: - - ALL - - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - drop: - - ALL - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - drop: - - ALL ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: addcap-gooddeployment02 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - drop: - - ALL - add: - - NET_BIND_SERVICE ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: addcap-gooddeployment04 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - drop: - - ALL - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - drop: - - ALL - add: - - NET_BIND_SERVICE ---- -apiVersion: 
apps/v1 -kind: Deployment -metadata: - name: addcap-gooddeployment05 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - drop: - - ALL - add: - - NET_BIND_SERVICE - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - drop: - - ALL - add: - - NET_BIND_SERVICE ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: addcap-gooddeployment06 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - drop: - - ALL - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - drop: - - ALL ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: addcap-gooddeployment07 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - drop: - - ALL - add: - - NET_BIND_SERVICE - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - drop: - - ALL ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: addcap-gooddeployment08 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - drop: - - ALL - - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - drop: - - ALL - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: 
- capabilities: - drop: - - ALL ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: addcap-gooddeployment09 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - drop: - - ALL - - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - drop: - - ALL - add: - - NET_BIND_SERVICE - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - drop: - - ALL ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: addcap-gooddeployment10 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - drop: - - ALL - add: - - NET_BIND_SERVICE - - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - drop: - - ALL - add: - - NET_BIND_SERVICE - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - drop: - - ALL ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: addcap-goodcronjob01 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - drop: - - ALL ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: addcap-goodcronjob02 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - drop: - - ALL - add: - - NET_BIND_SERVICE ---- -apiVersion: batch/v1 -kind: CronJob 
-metadata: - name: addcap-goodcronjob04 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - drop: - - ALL - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - drop: - - ALL - add: - - NET_BIND_SERVICE ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: addcap-goodcronjob05 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - drop: - - ALL - add: - - NET_BIND_SERVICE - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - drop: - - ALL - add: - - NET_BIND_SERVICE ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: addcap-goodcronjob07 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - drop: - - ALL - add: - - NET_BIND_SERVICE - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - drop: - - ALL ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: addcap-goodcronjob08 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - drop: - - ALL - - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - drop: - - ALL - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - drop: - - ALL ---- -apiVersion: batch/v1 -kind: CronJob 
-metadata: - name: addcap-goodcronjob09 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - drop: - - ALL - - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - drop: - - ALL - add: - - NET_BIND_SERVICE - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - drop: - - ALL ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: addcap-goodcronjob10 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - drop: - - ALL - add: - - NET_BIND_SERVICE - - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - drop: - - ALL - add: - - NET_BIND_SERVICE - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - drop: - - ALL ---- \ No newline at end of file diff --git a/pod-security-cel/restricted/disallow-capabilities-strict/.chainsaw-test/policy-ready.yaml b/pod-security-cel/restricted/disallow-capabilities-strict/.chainsaw-test/policy-ready.yaml deleted file mode 100755 index 02a811690..000000000 --- a/pod-security-cel/restricted/disallow-capabilities-strict/.chainsaw-test/policy-ready.yaml +++ /dev/null @@ -1,10 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: disallow-capabilities-strict -status: - conditions: - - reason: Succeeded - status: "True" - type: Ready - diff --git a/pod-security-cel/restricted/disallow-capabilities-strict/.kyverno-test/kyverno-test.yaml b/pod-security-cel/restricted/disallow-capabilities-strict/.kyverno-test/kyverno-test.yaml index fece5915d..b3dbb1463 100644 
--- a/pod-security-cel/restricted/disallow-capabilities-strict/.kyverno-test/kyverno-test.yaml +++ b/pod-security-cel/restricted/disallow-capabilities-strict/.kyverno-test/kyverno-test.yaml @@ -5,7 +5,7 @@ metadata: policies: - ../disallow-capabilities-strict.yaml resources: -- resource.yaml +- ../../../../pod-security/restricted/disallow-capabilities-strict/.kyverno-test/resource.yaml results: - kind: CronJob policy: disallow-capabilities-strict diff --git a/pod-security-cel/restricted/disallow-capabilities-strict/.kyverno-test/resource.yaml b/pod-security-cel/restricted/disallow-capabilities-strict/.kyverno-test/resource.yaml deleted file mode 100644 index f48a5adab..000000000 --- a/pod-security-cel/restricted/disallow-capabilities-strict/.kyverno-test/resource.yaml +++ /dev/null 
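Review bot: The new `resources` entry reaches four directories up and into a sibling policy tree (`../../../../pod-security/restricted/disallow-capabilities-strict/.kyverno-test/resource.yaml`), so this CEL policy's test now depends on a fixture that is owned and edited for the non-CEL policy; a change there (renaming a pod, adding a case) silently changes what this test exercises with nothing in this directory showing it. The `results` list that follows the hunk continues outside it, and its `kind`/resource names must still match what the shared fixture declares — the deleted local `resource.yaml` used names such as `badpod01` with `image: dummyimagename`, and I cannot see from here whether the shared file uses the same names, so that is worth confirming before merge. If the sharing is deliberate, record it next to the path so the coupling is visible to the next editor, e.g. `# shared fixture; kept in pod-security/restricted/disallow-capabilities-strict — resource names must match the results list below`.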
@@ -1,2384 +0,0 @@ -############################ -## Rule: require-drop-all ## -############################ -###### Pods - Bad ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod01 -spec: - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod02 -spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - capabilities: - drop: - - NET_RAW ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod03 -spec: - containers: - - name: container01 - image: dummyimagename - - name: container02 - image: dummyimagename ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod04 -spec: - containers: - - name: container01 - image: dummyimagename - - name: container02 - image: dummyimagename - securityContext: - capabilities: - drop: - - NET_RAW ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod05 -spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - capabilities: - drop: - - NET_RAW - - name: container02 - image: dummyimagename - securityContext: - capabilities: - drop: - - ALL ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod06 -spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - containers: - - name: container01 - image: dummyimagename - securityContext: - capabilities: - drop: - - ALL ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod07 -spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - capabilities: - drop: - - NET_RAW - containers: - - name: container01 - image: dummyimagename - securityContext: - capabilities: - drop: - - ALL ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod08 -spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - - name: initcontainer02 - image: dummyimagename - containers: - - name: container01 - image: dummyimagename - securityContext: - capabilities: - drop: - - ALL ---- -apiVersion: v1 -kind: Pod 
-metadata: - name: badpod09 -spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - - name: initcontainer02 - image: dummyimagename - securityContext: - capabilities: - drop: - - NET_RAW - containers: - - name: container01 - image: dummyimagename - securityContext: - capabilities: - drop: - - ALL ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod10 -spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - capabilities: - drop: - - NET_RAW - - name: initcontainer02 - image: dummyimagename - securityContext: - capabilities: - drop: - - ALL - containers: - - name: container01 - image: dummyimagename - securityContext: - capabilities: - drop: - - ALL ---- -###### Pods - Good -apiVersion: v1 -kind: Pod -metadata: - name: goodpod01 -spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - capabilities: - drop: - - ALL ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod02 -spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - capabilities: - drop: - - NET_RAW - - ALL ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod03 -spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - capabilities: - drop: - - ALL - - name: container02 - image: dummyimagename - securityContext: - capabilities: - drop: - - ALL ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod04 -spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - capabilities: - drop: - - ALL - containers: - - name: container01 - image: dummyimagename - securityContext: - capabilities: - drop: - - ALL ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod05 -spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - capabilities: - drop: - - NET_RAW - - ALL - containers: - - name: container01 - image: dummyimagename - securityContext: - capabilities: - drop: - - ALL ---- 
-apiVersion: v1 -kind: Pod -metadata: - name: goodpod06 -spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - capabilities: - drop: - - ALL - - name: initcontainer02 - image: dummyimagename - securityContext: - capabilities: - drop: - - ALL - containers: - - name: container01 - image: dummyimagename - securityContext: - capabilities: - drop: - - ALL ---- -###### Deployments - Bad -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment01 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment02 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - capabilities: - drop: - - NET_RAW ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment03 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - - name: container02 - image: dummyimagename ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment04 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - - name: container02 - image: dummyimagename - securityContext: - capabilities: - drop: - - NET_RAW ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment05 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - capabilities: - drop: - - NET_RAW - - name: container02 - image: dummyimagename - securityContext: - 
capabilities: - drop: - - ALL ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment06 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - containers: - - name: container01 - image: dummyimagename - securityContext: - capabilities: - drop: - - ALL ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment07 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - capabilities: - drop: - - NET_RAW - containers: - - name: container01 - image: dummyimagename - securityContext: - capabilities: - drop: - - ALL ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment08 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - - name: initcontainer02 - image: dummyimagename - containers: - - name: container01 - image: dummyimagename - securityContext: - capabilities: - drop: - - ALL ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment09 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - - name: initcontainer02 - image: dummyimagename - securityContext: - capabilities: - drop: - - NET_RAW - containers: - - name: container01 - image: dummyimagename - securityContext: - capabilities: - drop: - - ALL ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment10 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - 
capabilities: - drop: - - NET_RAW - - name: initcontainer02 - image: dummyimagename - securityContext: - capabilities: - drop: - - ALL - containers: - - name: container01 - image: dummyimagename - securityContext: - capabilities: - drop: - - ALL ---- -###### Deployments - Good -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment01 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - capabilities: - drop: - - ALL ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment02 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - capabilities: - drop: - - NET_RAW - - ALL ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment03 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - capabilities: - drop: - - ALL - - name: container02 - image: dummyimagename - securityContext: - capabilities: - drop: - - ALL ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment04 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - capabilities: - drop: - - ALL - containers: - - name: container01 - image: dummyimagename - securityContext: - capabilities: - drop: - - ALL ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment05 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - 
capabilities: - drop: - - NET_RAW - - ALL - containers: - - name: container01 - image: dummyimagename - securityContext: - capabilities: - drop: - - ALL ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment06 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - capabilities: - drop: - - ALL - - name: initcontainer02 - image: dummyimagename - securityContext: - capabilities: - drop: - - ALL - containers: - - name: container01 - image: dummyimagename - securityContext: - capabilities: - drop: - - ALL ---- -###### CronJobs - Bad -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob01 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob02 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - securityContext: - capabilities: - drop: - - NET_RAW ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob03 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - - name: container02 - image: dummyimagename ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob04 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - - name: container02 - image: dummyimagename - securityContext: - capabilities: - drop: - - NET_RAW ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob05 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: 
- restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - securityContext: - capabilities: - drop: - - NET_RAW - - name: container02 - image: dummyimagename - securityContext: - capabilities: - drop: - - ALL ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob06 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: dummyimagename - containers: - - name: container01 - image: dummyimagename - securityContext: - capabilities: - drop: - - ALL ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob07 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - capabilities: - drop: - - NET_RAW - containers: - - name: container01 - image: dummyimagename - securityContext: - capabilities: - drop: - - ALL ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob08 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: dummyimagename - - name: initcontainer02 - image: dummyimagename - containers: - - name: container01 - image: dummyimagename - securityContext: - capabilities: - drop: - - ALL ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob09 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: dummyimagename - - name: initcontainer02 - image: dummyimagename - securityContext: - capabilities: - drop: - - NET_RAW - containers: - - name: container01 - image: dummyimagename - securityContext: - capabilities: - drop: - - ALL ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob10 -spec: - schedule: "*/1 * * * *" - jobTemplate: - 
spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - capabilities: - drop: - - NET_RAW - - name: initcontainer02 - image: dummyimagename - securityContext: - capabilities: - drop: - - ALL - containers: - - name: container01 - image: dummyimagename - securityContext: - capabilities: - drop: - - ALL ---- -###### CronJobs - Good -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob01 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - securityContext: - capabilities: - drop: - - ALL ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob02 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - securityContext: - capabilities: - drop: - - NET_RAW - - ALL ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob03 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - securityContext: - capabilities: - drop: - - ALL - - name: container02 - image: dummyimagename - securityContext: - capabilities: - drop: - - ALL ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob04 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - capabilities: - drop: - - ALL - containers: - - name: container01 - image: dummyimagename - securityContext: - capabilities: - drop: - - ALL ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob05 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - 
name: initcontainer01 - image: dummyimagename - securityContext: - capabilities: - drop: - - NET_RAW - - ALL - containers: - - name: container01 - image: dummyimagename - securityContext: - capabilities: - drop: - - ALL ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob06 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - capabilities: - drop: - - ALL - - name: initcontainer02 - image: dummyimagename - securityContext: - capabilities: - drop: - - ALL - containers: - - name: container01 - image: dummyimagename - securityContext: - capabilities: - drop: - - ALL ---- -###################################### -## Rule: adding-capabilities-strict ## -###################################### -###### Pods - Bad ---- -apiVersion: v1 -kind: Pod -metadata: - name: addcap-badpod01 -spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - capabilities: - add: - - CHOWN ---- -apiVersion: v1 -kind: Pod -metadata: - name: addcap-badpod02 -spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - capabilities: - add: - - CHOWN - - NET_BIND_SERVICE ---- -apiVersion: v1 -kind: Pod -metadata: - name: addcap-badpod03 -spec: - containers: - - name: container01 - image: dummyimagename - - name: container02 - image: dummyimagename - securityContext: - capabilities: - add: - - CHOWN ---- -apiVersion: v1 -kind: Pod -metadata: - name: addcap-badpod04 -spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - capabilities: - add: - - NET_BIND_SERVICE - - name: container02 - image: dummyimagename - securityContext: - capabilities: - add: - - CHOWN ---- -apiVersion: v1 -kind: Pod -metadata: - name: addcap-badpod05 -spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - capabilities: - add: - - NET_BIND_SERVICE - - name: 
container02 - image: dummyimagename - securityContext: - capabilities: - add: - - CHOWN - - NET_BIND_SERVICE ---- -apiVersion: v1 -kind: Pod -metadata: - name: addcap-badpod06 -spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - capabilities: - add: - - CHOWN - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: v1 -kind: Pod -metadata: - name: addcap-badpod07 -spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - capabilities: - add: - - CHOWN - - NET_BIND_SERVICE - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: v1 -kind: Pod -metadata: - name: addcap-badpod08 -spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - - name: initcontainer02 - image: dummyimagename - securityContext: - capabilities: - add: - - CHOWN - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: v1 -kind: Pod -metadata: - name: addcap-badpod09 -spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - capabilities: - add: - - NET_BIND_SERVICE - - name: initcontainer02 - image: dummyimagename - securityContext: - capabilities: - add: - - CHOWN - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: v1 -kind: Pod -metadata: - name: addcap-badpod10 -spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - capabilities: - add: - - NET_BIND_SERVICE - - name: initcontainer02 - image: dummyimagename - securityContext: - capabilities: - add: - - CHOWN - - NET_BIND_SERVICE - containers: - - name: container01 - image: dummyimagename ---- -###### Pods - Good -apiVersion: v1 -kind: Pod -metadata: - name: addcap-goodpod01 -spec: - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: v1 -kind: Pod -metadata: - name: addcap-goodpod02 -spec: - containers: - - name: container01 - image: dummyimagename - 
securityContext: - capabilities: - add: - - NET_BIND_SERVICE ---- -apiVersion: v1 -kind: Pod -metadata: - name: addcap-goodpod03 -spec: - containers: - - name: container01 - image: dummyimagename - - name: container02 - image: dummyimagename ---- -apiVersion: v1 -kind: Pod -metadata: - name: addcap-goodpod04 -spec: - containers: - - name: container01 - image: dummyimagename - - name: container02 - image: dummyimagename - securityContext: - capabilities: - add: - - NET_BIND_SERVICE ---- -apiVersion: v1 -kind: Pod -metadata: - name: addcap-goodpod05 -spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - capabilities: - add: - - NET_BIND_SERVICE - - name: container02 - image: dummyimagename - securityContext: - capabilities: - add: - - NET_BIND_SERVICE ---- -apiVersion: v1 -kind: Pod -metadata: - name: addcap-goodpod06 -spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: v1 -kind: Pod -metadata: - name: addcap-goodpod07 -spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - capabilities: - add: - - NET_BIND_SERVICE - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: v1 -kind: Pod -metadata: - name: addcap-goodpod08 -spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - - name: initcontainer02 - image: dummyimagename - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: v1 -kind: Pod -metadata: - name: addcap-goodpod09 -spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - - name: initcontainer02 - image: dummyimagename - securityContext: - capabilities: - add: - - NET_BIND_SERVICE - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: v1 -kind: Pod -metadata: - name: addcap-goodpod10 -spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - 
capabilities: - add: - - NET_BIND_SERVICE - - name: initcontainer02 - image: dummyimagename - securityContext: - capabilities: - add: - - NET_BIND_SERVICE - containers: - - name: container01 - image: dummyimagename ---- -###### Deployments - Bad -apiVersion: apps/v1 -kind: Deployment -metadata: - name: addcap-baddeployment01 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - capabilities: - add: - - CHOWN ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: addcap-baddeployment02 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - capabilities: - add: - - CHOWN - - NET_BIND_SERVICE ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: addcap-baddeployment03 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - - name: container02 - image: dummyimagename - securityContext: - capabilities: - add: - - CHOWN ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: addcap-baddeployment04 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - capabilities: - add: - - NET_BIND_SERVICE - - name: container02 - image: dummyimagename - securityContext: - capabilities: - add: - - CHOWN ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: addcap-baddeployment05 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - capabilities: - add: - - NET_BIND_SERVICE - - name: container02 
- image: dummyimagename - securityContext: - capabilities: - add: - - CHOWN - - NET_BIND_SERVICE ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: addcap-baddeployment06 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - capabilities: - add: - - CHOWN - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: addcap-baddeployment07 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - capabilities: - add: - - CHOWN - - NET_BIND_SERVICE - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: addcap-baddeployment08 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - - name: initcontainer02 - image: dummyimagename - securityContext: - capabilities: - add: - - CHOWN - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: addcap-baddeployment09 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - capabilities: - add: - - NET_BIND_SERVICE - - name: initcontainer02 - image: dummyimagename - securityContext: - capabilities: - add: - - CHOWN - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: addcap-baddeployment10 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - 
initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - capabilities: - add: - - NET_BIND_SERVICE - - name: initcontainer02 - image: dummyimagename - securityContext: - capabilities: - add: - - CHOWN - - NET_BIND_SERVICE - containers: - - name: container01 - image: dummyimagename ---- -###### Deployments - Good -apiVersion: apps/v1 -kind: Deployment -metadata: - name: addcap-gooddeployment01 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: addcap-gooddeployment02 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - capabilities: - add: - - NET_BIND_SERVICE ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: addcap-gooddeployment03 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - - name: container02 - image: dummyimagename ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: addcap-gooddeployment04 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - - name: container02 - image: dummyimagename - securityContext: - capabilities: - add: - - NET_BIND_SERVICE ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: addcap-gooddeployment05 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - capabilities: - add: - - NET_BIND_SERVICE - - name: container02 - image: dummyimagename - securityContext: - capabilities: - 
add: - - NET_BIND_SERVICE ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: addcap-gooddeployment06 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: addcap-gooddeployment07 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - capabilities: - add: - - NET_BIND_SERVICE - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: addcap-gooddeployment08 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - - name: initcontainer02 - image: dummyimagename - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: addcap-gooddeployment09 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - - name: initcontainer02 - image: dummyimagename - securityContext: - capabilities: - add: - - NET_BIND_SERVICE - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: addcap-gooddeployment10 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - capabilities: - add: - - NET_BIND_SERVICE - - name: initcontainer02 - image: dummyimagename - securityContext: - capabilities: - add: - - 
NET_BIND_SERVICE - containers: - - name: container01 - image: dummyimagename ---- -###### CronJobs - Bad -apiVersion: batch/v1 -kind: CronJob -metadata: - name: addcap-badcronjob01 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - securityContext: - capabilities: - add: - - CHOWN ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: addcap-badcronjob02 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - securityContext: - capabilities: - add: - - CHOWN - - NET_BIND_SERVICE ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: addcap-badcronjob03 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - - name: container02 - image: dummyimagename - securityContext: - capabilities: - add: - - CHOWN ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: addcap-badcronjob04 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - securityContext: - capabilities: - add: - - NET_BIND_SERVICE - - name: container02 - image: dummyimagename - securityContext: - capabilities: - add: - - CHOWN ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: addcap-badcronjob05 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - securityContext: - capabilities: - add: - - NET_BIND_SERVICE - - name: container02 - image: dummyimagename - securityContext: - capabilities: - add: - - CHOWN - - NET_BIND_SERVICE ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: addcap-badcronjob06 -spec: - schedule: "*/1 * * * *" 
- jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - capabilities: - add: - - CHOWN - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: addcap-badcronjob07 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - capabilities: - add: - - CHOWN - - NET_BIND_SERVICE - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: addcap-badcronjob08 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: dummyimagename - - name: initcontainer02 - image: dummyimagename - securityContext: - capabilities: - add: - - CHOWN - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: addcap-badcronjob09 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - capabilities: - add: - - NET_BIND_SERVICE - - name: initcontainer02 - image: dummyimagename - securityContext: - capabilities: - add: - - CHOWN - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: addcap-badcronjob10 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - capabilities: - add: - - NET_BIND_SERVICE - - name: initcontainer02 - image: dummyimagename - securityContext: - capabilities: - add: - - CHOWN - - NET_BIND_SERVICE - containers: - - name: container01 
- image: dummyimagename ---- -###### CronJobs - Good -apiVersion: batch/v1 -kind: CronJob -metadata: - name: addcap-goodcronjob01 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: addcap-goodcronjob02 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - securityContext: - capabilities: - add: - - NET_BIND_SERVICE ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: addcap-goodcronjob03 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - - name: container02 - image: dummyimagename ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: addcap-goodcronjob04 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - - name: container02 - image: dummyimagename - securityContext: - capabilities: - add: - - NET_BIND_SERVICE ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: addcap-goodcronjob05 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - securityContext: - capabilities: - add: - - NET_BIND_SERVICE - - name: container02 - image: dummyimagename - securityContext: - capabilities: - add: - - NET_BIND_SERVICE ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: addcap-goodcronjob06 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: dummyimagename - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: 
batch/v1 -kind: CronJob -metadata: - name: addcap-goodcronjob07 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - capabilities: - add: - - NET_BIND_SERVICE - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: addcap-goodcronjob08 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: dummyimagename - - name: initcontainer02 - image: dummyimagename - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: addcap-goodcronjob09 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: dummyimagename - - name: initcontainer02 - image: dummyimagename - securityContext: - capabilities: - add: - - NET_BIND_SERVICE - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: addcap-goodcronjob10 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - capabilities: - add: - - NET_BIND_SERVICE - - name: initcontainer02 - image: dummyimagename - securityContext: - capabilities: - add: - - NET_BIND_SERVICE - containers: - - name: container01 - image: dummyimagename ---- diff --git a/pod-security-cel/restricted/disallow-capabilities-strict/artifacthub-pkg.yml b/pod-security-cel/restricted/disallow-capabilities-strict/artifacthub-pkg.yml index 522932ea4..d53a4eece 100644 --- a/pod-security-cel/restricted/disallow-capabilities-strict/artifacthub-pkg.yml 
+++ b/pod-security-cel/restricted/disallow-capabilities-strict/artifacthub-pkg.yml @@ -19,5 +19,5 @@ annotations: kyverno/category: "Pod Security Standards (Restricted)" kyverno/kubernetesVersion: "1.26-1.27" kyverno/subject: "Pod" -digest: 45c37cb004764c8fa03d95a018511660b1a6dc5b57752bfa8400384bf5c5037e +digest: 3ba20799de8e2ff846fc1e064fac7b3e0cf318f2d127161bf9e9f90d76aff4da createdAt: "2023-12-04T09:04:49Z" diff --git a/pod-security-cel/restricted/disallow-capabilities-strict/disallow-capabilities-strict.yaml b/pod-security-cel/restricted/disallow-capabilities-strict/disallow-capabilities-strict.yaml index 843e3ee55..cfe5d55fd 100644 --- a/pod-security-cel/restricted/disallow-capabilities-strict/disallow-capabilities-strict.yaml +++ b/pod-security-cel/restricted/disallow-capabilities-strict/disallow-capabilities-strict.yaml @@ -23,9 +23,6 @@ spec: - resources: kinds: - Pod - operations: - - CREATE - - UPDATE validate: message: >- Containers must drop `ALL` capabilities. @@ -56,9 +53,6 @@ spec: - resources: kinds: - Pod - operations: - - CREATE - - UPDATE validate: cel: expressions: diff --git a/pod-security-cel/restricted/disallow-privilege-escalation/.chainsaw-test/chainsaw-test.yaml b/pod-security-cel/restricted/disallow-privilege-escalation/.chainsaw-test/chainsaw-test.yaml index 4298a819d..5edf3d4b2 100755 --- a/pod-security-cel/restricted/disallow-privilege-escalation/.chainsaw-test/chainsaw-test.yaml +++ b/pod-security-cel/restricted/disallow-privilege-escalation/.chainsaw-test/chainsaw-test.yaml 
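Review bot: Dropping `operations: [CREATE, UPDATE]` from the `match.any.resources` block of both rules in disallow-capabilities-strict.yaml (the `@@ -23,9 +23,6 @@` and `@@ -56,9 +53,6 @@` hunks) leaves the admission operation set to Kyverno's default, and nothing in the change says what that default is or why the explicit list had to go. If the default is wider than CREATE/UPDATE, the CEL expressions (outside these hunks) could be evaluated on requests where `object` is not the incoming Pod, so the behaviour change should at least be stated. If the removal is deliberate, for example because the CEL engine handles operation filtering itself, a one-line comment above `resources:` such as `# operations intentionally unset: <reason>` would save the next reader from re-deriving it. The rules' `validate` bodies continue outside the hunks.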
@@ -1,40 +1,37 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: creationTimestamp: null name: disallow-privilege-escalation spec: - # disable templating because it can cause issues with CEL expressions - template: false steps: - name: step-01 try: - - apply: - file: ../disallow-privilege-escalation.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: disallow-privilege-escalation - spec: - validationFailureAction: Enforce + - script: + content: | + sed 's/validationFailureAction: Audit/validationFailureAction: Enforce/' ../disallow-privilege-escalation.yaml | kubectl create -f - - assert: - file: policy-ready.yaml + file: ../../../../pod-security/restricted/disallow-privilege-escalation/.chainsaw-test/chainsaw-step-01-assert-1.yaml - name: step-02 try: - apply: - file: pod-good.yaml + file: ../../../../pod-security/restricted/disallow-privilege-escalation/.chainsaw-test/pod-good.yaml - apply: expect: - check: ($error != null): true - file: pod-bad.yaml + file: ../../../../pod-security/restricted/disallow-privilege-escalation/.chainsaw-test/pod-bad.yaml - apply: - file: podcontroller-good.yaml + file: ../../../../pod-security/restricted/disallow-privilege-escalation/.chainsaw-test/podcontroller-good.yaml - apply: expect: - check: ($error != null): true - file: podcontroller-bad.yaml + file: ../../../../pod-security/restricted/disallow-privilege-escalation/.chainsaw-test/podcontroller-bad.yaml + - name: step-99 + try: + - delete: + ref: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: disallow-privilege-escalation diff --git a/pod-security-cel/restricted/disallow-privilege-escalation/.chainsaw-test/pod-bad.yaml b/pod-security-cel/restricted/disallow-privilege-escalation/.chainsaw-test/pod-bad.yaml deleted file mode 100644 index e3c44d598..000000000 
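Review bot: Creating the ClusterPolicy through a `script` step instead of a tracked `apply` takes it out of Chainsaw's automatic cleanup, and the compensating `delete` added as step-99 only runs if step-02 succeeds, so one failed assertion leaves the Enforce-mode policy behind and every later run of this test dies at `kubectl create -f -` with AlreadyExists instead of at the real failure. Attaching the delete to step-01 as a `cleanup` block (which, if I recall Chainsaw's semantics correctly, runs regardless of later step outcomes) ties the teardown to the step that created the object and makes step-99 redundant; sketch below. The `sed` rewrite of `validationFailureAction` is also weaker than the removed declarative `patch` because it silently does nothing when the source file's value is spelled differently, so an inline `assert` on `spec.validationFailureAction: Enforce` after the create would catch that. The same `../../../../pod-security/...` re-pointing appears in the `.kyverno-test/kyverno-test.yaml` hunk; it couples this CEL test's fixtures to the sibling policy's directory, so an edit there silently changes this test's coverage, which deserves a comment like `# fixtures are shared with the non-CEL policy under pod-security/; keep both in sync`.
```yaml
  - name: step-01
    try:
      - script:
          content: |
            sed 's/validationFailureAction: Audit/validationFailureAction: Enforce/' ../disallow-privilege-escalation.yaml | kubectl create -f -
      - assert:
          resource:
            apiVersion: kyverno.io/v1
            kind: ClusterPolicy
            metadata:
              name: disallow-privilege-escalation
            spec:
              validationFailureAction: Enforce
      # … unchanged: assert on the shared chainsaw-step-01-assert-1.yaml …
    cleanup:
      - delete:
          ref:
            apiVersion: kyverno.io/v1
            kind: ClusterPolicy
            name: disallow-privilege-escalation
  # … unchanged: step-02 (step-99 no longer needed) …
```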
--- a/pod-security-cel/restricted/disallow-privilege-escalation/.chainsaw-test/pod-bad.yaml +++ /dev/null @@ -1,80 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: badpod01 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod02 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - allowPrivilegeEscalation: true ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod03 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - allowPrivilegeEscalation: false ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod04 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - allowPrivilegeEscalation: true - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - allowPrivilegeEscalation: false ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod05 -spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - allowPrivilegeEscalation: false ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod06 -spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - allowPrivilegeEscalation: true - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - allowPrivilegeEscalation: false ---- \ No newline at end of file 
diff --git a/pod-security-cel/restricted/disallow-privilege-escalation/.chainsaw-test/pod-good.yaml b/pod-security-cel/restricted/disallow-privilege-escalation/.chainsaw-test/pod-good.yaml deleted file mode 100644 index e184edd4f..000000000 --- a/pod-security-cel/restricted/disallow-privilege-escalation/.chainsaw-test/pod-good.yaml +++ /dev/null 
@@ -1,86 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: goodpod01 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - allowPrivilegeEscalation: false ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod02 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - allowPrivilegeEscalation: false - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - allowPrivilegeEscalation: false ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod03 -spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - allowPrivilegeEscalation: false - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - allowPrivilegeEscalation: false ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod04 -spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - allowPrivilegeEscalation: false - - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - allowPrivilegeEscalation: false - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - allowPrivilegeEscalation: false ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod05 -spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - allowPrivilegeEscalation: false - - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - allowPrivilegeEscalation: false - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - allowPrivilegeEscalation: false - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - allowPrivilegeEscalation: false ---- \ No newline at end of file 
diff --git a/pod-security-cel/restricted/disallow-privilege-escalation/.chainsaw-test/podcontroller-bad.yaml b/pod-security-cel/restricted/disallow-privilege-escalation/.chainsaw-test/podcontroller-bad.yaml deleted file mode 100644 index d6bd83a50..000000000 --- a/pod-security-cel/restricted/disallow-privilege-escalation/.chainsaw-test/podcontroller-bad.yaml +++ /dev/null 
@@ -1,250 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment01 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment02 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - allowPrivilegeEscalation: true ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment03 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - allowPrivilegeEscalation: false ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment04 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - allowPrivilegeEscalation: true - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - allowPrivilegeEscalation: false ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment05 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - allowPrivilegeEscalation: false ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment06 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - 
metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - allowPrivilegeEscalation: true - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - allowPrivilegeEscalation: false ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob01 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob02 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - allowPrivilegeEscalation: true ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob03 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - allowPrivilegeEscalation: false ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob04 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - allowPrivilegeEscalation: true - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - allowPrivilegeEscalation: false ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob05 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: 
ghcr.io/kyverno/test-busybox:1.35 - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - allowPrivilegeEscalation: false ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob06 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - allowPrivilegeEscalation: true - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - allowPrivilegeEscalation: false ---- \ No newline at end of file diff --git a/pod-security-cel/restricted/disallow-privilege-escalation/.chainsaw-test/podcontroller-good.yaml b/pod-security-cel/restricted/disallow-privilege-escalation/.chainsaw-test/podcontroller-good.yaml deleted file mode 100644 index 1e3709b54..000000000 --- a/pod-security-cel/restricted/disallow-privilege-escalation/.chainsaw-test/podcontroller-good.yaml +++ /dev/null 
@@ -1,246 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment01 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - allowPrivilegeEscalation: false ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment02 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - allowPrivilegeEscalation: false - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - allowPrivilegeEscalation: false ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment03 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - allowPrivilegeEscalation: false - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - allowPrivilegeEscalation: false ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment04 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - allowPrivilegeEscalation: false - - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - allowPrivilegeEscalation: false - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - allowPrivilegeEscalation: false ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment05 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - 
labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - allowPrivilegeEscalation: false - - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - allowPrivilegeEscalation: false - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - allowPrivilegeEscalation: false - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - allowPrivilegeEscalation: false ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob01 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - allowPrivilegeEscalation: false ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob02 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - allowPrivilegeEscalation: false - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - allowPrivilegeEscalation: false ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob03 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - allowPrivilegeEscalation: false - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - allowPrivilegeEscalation: false ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob04 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - 
securityContext: - allowPrivilegeEscalation: false - - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - allowPrivilegeEscalation: false - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - allowPrivilegeEscalation: false ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob05 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - allowPrivilegeEscalation: false - - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - allowPrivilegeEscalation: false - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - allowPrivilegeEscalation: false - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - allowPrivilegeEscalation: false diff --git a/pod-security-cel/restricted/disallow-privilege-escalation/.chainsaw-test/policy-ready.yaml b/pod-security-cel/restricted/disallow-privilege-escalation/.chainsaw-test/policy-ready.yaml deleted file mode 100755 index b8dc40c39..000000000 --- a/pod-security-cel/restricted/disallow-privilege-escalation/.chainsaw-test/policy-ready.yaml +++ /dev/null @@ -1,10 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: disallow-privilege-escalation -status: - conditions: - - reason: Succeeded - status: "True" - type: Ready - diff --git a/pod-security-cel/restricted/disallow-privilege-escalation/.kyverno-test/kyverno-test.yaml b/pod-security-cel/restricted/disallow-privilege-escalation/.kyverno-test/kyverno-test.yaml index d978218b6..30359768e 100644 --- a/pod-security-cel/restricted/disallow-privilege-escalation/.kyverno-test/kyverno-test.yaml +++ b/pod-security-cel/restricted/disallow-privilege-escalation/.kyverno-test/kyverno-test.yaml 
@@ -5,7 +5,7 @@ metadata: policies: - ../disallow-privilege-escalation.yaml resources: -- resource.yaml +- ../../../../pod-security/restricted/disallow-privilege-escalation/.kyverno-test/resource.yaml results: - kind: CronJob policy: disallow-privilege-escalation diff --git a/pod-security-cel/restricted/disallow-privilege-escalation/.kyverno-test/resource.yaml b/pod-security-cel/restricted/disallow-privilege-escalation/.kyverno-test/resource.yaml deleted file mode 100644 index 007552d1c..000000000 --- a/pod-security-cel/restricted/disallow-privilege-escalation/.kyverno-test/resource.yaml +++ /dev/null 
@@ -1,669 +0,0 @@ -###### Pods - Bad ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod01 -spec: - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod02 -spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - allowPrivilegeEscalation: true ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod03 -spec: - containers: - - name: container01 - image: dummyimagename - - name: container02 - image: dummyimagename - securityContext: - allowPrivilegeEscalation: false ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod04 -spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - allowPrivilegeEscalation: true - - name: container02 - image: dummyimagename - securityContext: - allowPrivilegeEscalation: false ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod05 -spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - containers: - - name: container01 - image: dummyimagename - securityContext: - allowPrivilegeEscalation: false ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod06 -spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - - name: initcontainer02 - image: dummyimagename - securityContext: - allowPrivilegeEscalation: true - containers: - - name: container01 - image: dummyimagename - securityContext: - allowPrivilegeEscalation: false ---- -###### Pods - Good -apiVersion: v1 -kind: Pod -metadata: - name: goodpod01 -spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - allowPrivilegeEscalation: false ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod02 -spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - allowPrivilegeEscalation: false - - name: container02 - image: dummyimagename - securityContext: - allowPrivilegeEscalation: false ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod03 -spec: - 
initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - allowPrivilegeEscalation: false - containers: - - name: container01 - image: dummyimagename - securityContext: - allowPrivilegeEscalation: false ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod04 -spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - allowPrivilegeEscalation: false - - name: initcontainer02 - image: dummyimagename - securityContext: - allowPrivilegeEscalation: false - containers: - - name: container01 - image: dummyimagename - securityContext: - allowPrivilegeEscalation: false ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod05 -spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - allowPrivilegeEscalation: false - - name: initcontainer02 - image: dummyimagename - securityContext: - allowPrivilegeEscalation: false - containers: - - name: container01 - image: dummyimagename - securityContext: - allowPrivilegeEscalation: false - - name: container02 - image: dummyimagename - securityContext: - allowPrivilegeEscalation: false ---- -###### Deployments - Bad -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment01 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment02 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - allowPrivilegeEscalation: true ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment03 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - - name: container02 - 
image: dummyimagename - securityContext: - allowPrivilegeEscalation: false ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment04 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - allowPrivilegeEscalation: true - - name: container02 - image: dummyimagename - securityContext: - allowPrivilegeEscalation: false ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment05 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - containers: - - name: container01 - image: dummyimagename - securityContext: - allowPrivilegeEscalation: false ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment06 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - - name: initcontainer02 - image: dummyimagename - securityContext: - allowPrivilegeEscalation: true - containers: - - name: container01 - image: dummyimagename - securityContext: - allowPrivilegeEscalation: false ---- -###### Deployments - Good -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment01 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - allowPrivilegeEscalation: false ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment02 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - allowPrivilegeEscalation: false - - name: container02 - image: 
dummyimagename - securityContext: - allowPrivilegeEscalation: false ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment03 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - allowPrivilegeEscalation: false - containers: - - name: container01 - image: dummyimagename - securityContext: - allowPrivilegeEscalation: false ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment04 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - allowPrivilegeEscalation: false - - name: initcontainer02 - image: dummyimagename - securityContext: - allowPrivilegeEscalation: false - containers: - - name: container01 - image: dummyimagename - securityContext: - allowPrivilegeEscalation: false ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment05 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - allowPrivilegeEscalation: false - - name: initcontainer02 - image: dummyimagename - securityContext: - allowPrivilegeEscalation: false - containers: - - name: container01 - image: dummyimagename - securityContext: - allowPrivilegeEscalation: false - - name: container02 - image: dummyimagename - securityContext: - allowPrivilegeEscalation: false ---- -###### CronJobs - Bad -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob01 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob02 -spec: - 
schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - securityContext: - allowPrivilegeEscalation: true ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob03 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - - name: container02 - image: dummyimagename - securityContext: - allowPrivilegeEscalation: false ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob04 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - securityContext: - allowPrivilegeEscalation: true - - name: container02 - image: dummyimagename - securityContext: - allowPrivilegeEscalation: false ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob05 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: dummyimagename - containers: - - name: container01 - image: dummyimagename - securityContext: - allowPrivilegeEscalation: false ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob06 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: dummyimagename - - name: initcontainer02 - image: dummyimagename - securityContext: - allowPrivilegeEscalation: true - containers: - - name: container01 - image: dummyimagename - securityContext: - allowPrivilegeEscalation: false ---- -###### CronJobs - Good -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob01 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: 
dummyimagename - securityContext: - allowPrivilegeEscalation: false ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob02 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - securityContext: - allowPrivilegeEscalation: false - - name: container02 - image: dummyimagename - securityContext: - allowPrivilegeEscalation: false ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob03 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - allowPrivilegeEscalation: false - containers: - - name: container01 - image: dummyimagename - securityContext: - allowPrivilegeEscalation: false ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob04 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - allowPrivilegeEscalation: false - - name: initcontainer02 - image: dummyimagename - securityContext: - allowPrivilegeEscalation: false - containers: - - name: container01 - image: dummyimagename - securityContext: - allowPrivilegeEscalation: false ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob05 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - allowPrivilegeEscalation: false - - name: initcontainer02 - image: dummyimagename - securityContext: - allowPrivilegeEscalation: false - containers: - - name: container01 - image: dummyimagename - securityContext: - allowPrivilegeEscalation: false - - name: container02 - image: dummyimagename - securityContext: - allowPrivilegeEscalation: false 
diff --git a/pod-security-cel/restricted/disallow-privilege-escalation/artifacthub-pkg.yml b/pod-security-cel/restricted/disallow-privilege-escalation/artifacthub-pkg.yml
index 2985acbe3..d1d87148f 100644
--- a/pod-security-cel/restricted/disallow-privilege-escalation/artifacthub-pkg.yml
+++ b/pod-security-cel/restricted/disallow-privilege-escalation/artifacthub-pkg.yml
@@ -19,5 +19,5 @@ annotations:
 kyverno/category: "Pod Security Standards (Restricted)"
 kyverno/kubernetesVersion: "1.26-1.27"
 kyverno/subject: "Pod"
-digest: 6c249b689ee08cc1edcbacf7a00a35cab98d5b1b2bf3fc7ebd8a0dd1e27bb2c1
+digest: a656fbec861a5420caab9ad15abf28edf45b47c6d749c3d3943223dfb4d37d7a
 createdAt: "2023-12-04T09:04:49Z"
diff --git a/pod-security-cel/restricted/disallow-privilege-escalation/disallow-privilege-escalation.yaml b/pod-security-cel/restricted/disallow-privilege-escalation/disallow-privilege-escalation.yaml
index 5fc1229ae..cde75c193 100644
--- a/pod-security-cel/restricted/disallow-privilege-escalation/disallow-privilege-escalation.yaml
+++ b/pod-security-cel/restricted/disallow-privilege-escalation/disallow-privilege-escalation.yaml
@@ -23,9 +23,6 @@ spec:
 - resources:
 kinds:
 - Pod
- operations:
- - CREATE
- - UPDATE
 validate:
 cel:
 expressions:
diff --git a/pod-security-cel/restricted/require-run-as-non-root-user/.chainsaw-test/chainsaw-test.yaml b/pod-security-cel/restricted/require-run-as-non-root-user/.chainsaw-test/chainsaw-test.yaml
index 181d9a737..648a10d62 100755
--- a/pod-security-cel/restricted/require-run-as-non-root-user/.chainsaw-test/chainsaw-test.yaml
+++ b/pod-security-cel/restricted/require-run-as-non-root-user/.chainsaw-test/chainsaw-test.yaml
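Review bot: Dropping the explicit `operations` list from the Pod match in disallow-privilege-escalation.yaml leaves the set of admission operations this rule runs on to Kyverno's default, and nothing in the hunk records what that default is for a `validate.cel` rule. If that default includes DELETE, the CEL expressions (which continue outside the hunk) could be evaluated on requests where the incoming `object` is not the resource being created or updated, and an evaluation error there would surface on deletes rather than on the creates the policy is meant to gate; this depends on the Kyverno release, so it is worth confirming against the range the policy advertises in `kyverno/kubernetesVersion`. Unless the removal is deliberate, keeping `operations: [CREATE, UPDATE]` is the safer choice because it does not drift between releases; if it is deliberate, say so in place, e.g. `# operations intentionally omitted; rule relies on Kyverno's default operation set for validate rules`.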
@@ -1,40 +1,37 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: creationTimestamp: null name: require-run-as-non-root-user spec: - # disable templating because it can cause issues with CEL expressions - template: false steps: - name: step-01 try: - - apply: - file: ../require-run-as-non-root-user.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: require-run-as-non-root-user - spec: - validationFailureAction: Enforce + - script: + content: | + sed 's/validationFailureAction: Audit/validationFailureAction: Enforce/' ../require-run-as-non-root-user.yaml | kubectl create -f - - assert: - file: policy-ready.yaml + file: ../../../../pod-security/restricted/require-run-as-non-root-user/.chainsaw-test/chainsaw-step-01-assert-1.yaml - name: step-02 try: - apply: - file: pod-good.yaml + file: ../../../../pod-security/restricted/require-run-as-non-root-user/.chainsaw-test/pod-good.yaml - apply: expect: - check: ($error != null): true - file: pod-bad.yaml + file: ../../../../pod-security/restricted/require-run-as-non-root-user/.chainsaw-test/pod-bad.yaml - apply: - file: podcontroller-good.yaml + file: ../../../../pod-security/restricted/require-run-as-non-root-user/.chainsaw-test/podcontroller-good.yaml - apply: expect: - check: ($error != null): true - file: podcontroller-bad.yaml + file: ../../../../pod-security/restricted/require-run-as-non-root-user/.chainsaw-test/podcontroller-bad.yaml + - name: step-99 + try: + - delete: + ref: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: require-run-as-non-root-user diff --git a/pod-security-cel/restricted/require-run-as-non-root-user/.chainsaw-test/pod-bad.yaml b/pod-security-cel/restricted/require-run-as-non-root-user/.chainsaw-test/pod-bad.yaml deleted file mode 100644 index 4cdcafbbd..000000000 
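Review bot: The step-01 script installs the policy in Audit mode without any error when the literal `validationFailureAction: Audit` is not present in `../require-run-as-non-root-user.yaml` (field renamed, moved, or dropped), because `sed` with a non-matching pattern still pipes the unmodified file into `kubectl create`; the only symptom is the `($error != null): true` checks in step-02 failing, far from the real cause. Starting the script with `set -euo pipefail` and a guard line such as `grep -q 'validationFailureAction: Audit' ../require-run-as-non-root-user.yaml` before the `sed` makes the test fail at the step where the assumption breaks. Since `kubectl create` (unlike the previous `apply`) also fails on a policy left behind by an interrupted run, a comment on step-99 noting that the delete exists to keep reruns clean would help the next reader. The fixtures now resolve to `../../../../pod-security/restricted/require-run-as-non-root-user/`, so this test — and the kyverno-test.yaml hunk further down, whose `results` list (outside that hunk) enumerates resources by name — silently changes meaning whenever the non-CEL policy's fixtures change; a comment on the first shared `file:` entry saying the fixtures are shared with the non-CEL policy and must stay in sync would make that coupling visible.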
--- a/pod-security-cel/restricted/require-run-as-non-root-user/.chainsaw-test/pod-bad.yaml +++ /dev/null @@ -1,79 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: badpod01 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsUser: 0 ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod02 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsUser: 0 ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod03 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsUser: 0 ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod04 -spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsUser: 0 ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod05 -spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsUser: 0 - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod06 -spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsUser: 0 - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- \ No newline at end of file diff --git a/pod-security-cel/restricted/require-run-as-non-root-user/.chainsaw-test/pod-good.yaml b/pod-security-cel/restricted/require-run-as-non-root-user/.chainsaw-test/pod-good.yaml deleted file mode 100644 index 66421b648..000000000 --- a/pod-security-cel/restricted/require-run-as-non-root-user/.chainsaw-test/pod-good.yaml +++ /dev/null 
@@ -1,132 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: goodpod01 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod02 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsUser: 1 ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod03 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsUser: 1 ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod04 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsUser: 1 ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod05 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsUser: 1 - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsUser: 2 ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod06 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsUser: 1 - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsUser: 2 - securityContext: - runAsUser: 10 ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod07 -spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod08 -spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsUser: 1 - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod09 -spec: - initContainers: - - name: initcontainer01 - image: 
ghcr.io/kyverno/test-busybox:1.35 - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsUser: 1 ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod10 -spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsUser: 1 - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- \ No newline at end of file diff --git a/pod-security-cel/restricted/require-run-as-non-root-user/.chainsaw-test/podcontroller-bad.yaml b/pod-security-cel/restricted/require-run-as-non-root-user/.chainsaw-test/podcontroller-bad.yaml deleted file mode 100644 index 75459b442..000000000 --- a/pod-security-cel/restricted/require-run-as-non-root-user/.chainsaw-test/podcontroller-bad.yaml +++ /dev/null 
@@ -1,248 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment01 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsUser: 0 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment02 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsUser: 0 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment03 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsUser: 0 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment04 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsUser: 0 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment05 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsUser: 0 - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment06 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: 
initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsUser: 0 - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob01 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsUser: 0 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob02 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsUser: 0 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob03 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsUser: 0 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob04 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsUser: 0 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob05 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsUser: 0 - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: 
badcronjob06 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsUser: 0 - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- \ No newline at end of file diff --git a/pod-security-cel/restricted/require-run-as-non-root-user/.chainsaw-test/podcontroller-good.yaml b/pod-security-cel/restricted/require-run-as-non-root-user/.chainsaw-test/podcontroller-good.yaml deleted file mode 100644 index 083e569d7..000000000 --- a/pod-security-cel/restricted/require-run-as-non-root-user/.chainsaw-test/podcontroller-good.yaml +++ /dev/null 
@@ -1,413 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment01 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment02 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsUser: 1 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment03 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsUser: 1 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment04 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsUser: 1 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment05 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsUser: 1 - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsUser: 2 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment06 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsUser: 1 - - name: container02 - 
image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsUser: 2 - securityContext: - runAsUser: 10 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment07 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment08 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsUser: 1 - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment09 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsUser: 1 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment10 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsUser: 1 - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob01 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: batch/v1 
-kind: CronJob -metadata: - name: goodcronjob02 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsUser: 1 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob03 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsUser: 1 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob04 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsUser: 1 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob05 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsUser: 1 - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsUser: 2 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob06 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsUser: 1 - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsUser: 2 - securityContext: - runAsUser: 10 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob07 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - 
containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob08 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsUser: 1 - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob09 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsUser: 1 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob10 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsUser: 1 - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 diff --git a/pod-security-cel/restricted/require-run-as-non-root-user/.chainsaw-test/policy-ready.yaml b/pod-security-cel/restricted/require-run-as-non-root-user/.chainsaw-test/policy-ready.yaml deleted file mode 100755 index 6a5138508..000000000 --- a/pod-security-cel/restricted/require-run-as-non-root-user/.chainsaw-test/policy-ready.yaml +++ /dev/null @@ -1,10 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: require-run-as-non-root-user -status: - conditions: - - reason: Succeeded - status: "True" - type: Ready - 
diff --git a/pod-security-cel/restricted/require-run-as-non-root-user/.kyverno-test/kyverno-test.yaml b/pod-security-cel/restricted/require-run-as-non-root-user/.kyverno-test/kyverno-test.yaml
index 15403c6cf..b980f7da0 100644
--- a/pod-security-cel/restricted/require-run-as-non-root-user/.kyverno-test/kyverno-test.yaml
+++ b/pod-security-cel/restricted/require-run-as-non-root-user/.kyverno-test/kyverno-test.yaml
@@ -5,7 +5,7 @@ metadata:
 policies:
 - ../require-run-as-non-root-user.yaml
 resources:
-- resource.yaml
+- ../../../../pod-security/restricted/require-run-as-non-root-user/.kyverno-test/resource.yaml
 results:
 - kind: CronJob
 policy: require-run-as-non-root-user
diff --git a/pod-security-cel/restricted/require-run-as-non-root-user/.kyverno-test/resource.yaml b/pod-security-cel/restricted/require-run-as-non-root-user/.kyverno-test/resource.yaml
deleted file mode 100644
index ce58875df..000000000
--- a/pod-security-cel/restricted/require-run-as-non-root-user/.kyverno-test/resource.yaml
+++ /dev/null
@@ -1,879 +0,0 @@ -###### Pods - Bad ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod01 -spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - runAsUser: 0 ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod02 -spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - runAsUser: 0 ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod03 -spec: - containers: - - name: container01 - image: dummyimagename - - name: container02 - image: dummyimagename - securityContext: - runAsUser: 0 ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod04 -spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - containers: - - name: container01 - image: dummyimagename - securityContext: - runAsUser: 0 ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod05 -spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - runAsUser: 0 - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod06 -spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - - name: initcontainer02 - image: dummyimagename - securityContext: - runAsUser: 0 - containers: - - name: container01 - image: dummyimagename ---- -###### Pods - Good -apiVersion: v1 -kind: Pod -metadata: - name: goodpod01 -spec: - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod02 -spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - runAsUser: 1 ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod03 -spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - runAsUser: 1 ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod04 -spec: - containers: - - name: container01 - image: dummyimagename - - name: container02 - image: dummyimagename - securityContext: - runAsUser: 1 ---- 
-apiVersion: v1 -kind: Pod -metadata: - name: goodpod05 -spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - runAsUser: 1 - - name: container02 - image: dummyimagename - securityContext: - runAsUser: 2 ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod06 -spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - runAsUser: 1 - - name: container02 - image: dummyimagename - securityContext: - runAsUser: 2 - securityContext: - runAsUser: 10 ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod07 -spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod08 -spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - runAsUser: 1 - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod09 -spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - containers: - - name: container01 - image: dummyimagename - securityContext: - runAsUser: 1 ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod10 -spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - - name: initcontainer02 - image: dummyimagename - securityContext: - runAsUser: 1 - containers: - - name: container01 - image: dummyimagename ---- -###### Deployments - Bad -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment01 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - runAsUser: 0 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment02 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: 
dummyimagename - securityContext: - runAsUser: 0 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment03 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - - name: container02 - image: dummyimagename - securityContext: - runAsUser: 0 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment04 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - containers: - - name: container01 - image: dummyimagename - securityContext: - runAsUser: 0 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment05 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - runAsUser: 0 - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment06 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - - name: initcontainer02 - image: dummyimagename - securityContext: - runAsUser: 0 - containers: - - name: container01 - image: dummyimagename ---- -###### Deployments - Good -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment01 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment02 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - 
image: dummyimagename - securityContext: - runAsUser: 1 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment03 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - runAsUser: 1 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment04 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - - name: container02 - image: dummyimagename - securityContext: - runAsUser: 1 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment05 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - runAsUser: 1 - - name: container02 - image: dummyimagename - securityContext: - runAsUser: 2 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment06 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - runAsUser: 1 - - name: container02 - image: dummyimagename - securityContext: - runAsUser: 2 - securityContext: - runAsUser: 10 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment07 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment08 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - 
image: dummyimagename - securityContext: - runAsUser: 1 - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment09 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - containers: - - name: container01 - image: dummyimagename - securityContext: - runAsUser: 1 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment10 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - - name: initcontainer02 - image: dummyimagename - securityContext: - runAsUser: 1 - containers: - - name: container01 - image: dummyimagename ---- -###### CronJobs - Bad -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob01 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - securityContext: - runAsUser: 0 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob02 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - securityContext: - runAsUser: 0 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob03 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - - name: container02 - image: dummyimagename - securityContext: - runAsUser: 0 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob04 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: 
dummyimagename - containers: - - name: container01 - image: dummyimagename - securityContext: - runAsUser: 0 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob05 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - runAsUser: 0 - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob06 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: dummyimagename - - name: initcontainer02 - image: dummyimagename - securityContext: - runAsUser: 0 - containers: - - name: container01 - image: dummyimagename ---- -###### CronJobs - Good -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob01 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob02 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - securityContext: - runAsUser: 1 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob03 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - securityContext: - runAsUser: 1 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob04 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - - name: container02 - image: dummyimagename - securityContext: - runAsUser: 1 ---- -apiVersion: batch/v1 -kind: 
CronJob -metadata: - name: goodcronjob05 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - securityContext: - runAsUser: 1 - - name: container02 - image: dummyimagename - securityContext: - runAsUser: 2 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob06 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - securityContext: - runAsUser: 1 - - name: container02 - image: dummyimagename - securityContext: - runAsUser: 2 - securityContext: - runAsUser: 10 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob07 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: dummyimagename - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob08 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - runAsUser: 1 - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob09 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: dummyimagename - containers: - - name: container01 - image: dummyimagename - securityContext: - runAsUser: 1 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob10 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: dummyimagename - - name: initcontainer02 - image: dummyimagename - 
securityContext: - runAsUser: 1 - containers: - - name: container01 - image: dummyimagename diff --git a/pod-security-cel/restricted/require-run-as-non-root-user/artifacthub-pkg.yml b/pod-security-cel/restricted/require-run-as-non-root-user/artifacthub-pkg.yml index dcc49bd50..1e97e8811 100644 --- a/pod-security-cel/restricted/require-run-as-non-root-user/artifacthub-pkg.yml +++ b/pod-security-cel/restricted/require-run-as-non-root-user/artifacthub-pkg.yml @@ -19,5 +19,5 @@ annotations: kyverno/category: "Pod Security Standards (Restricted)" kyverno/kubernetesVersion: "1.26-1.27" kyverno/subject: "Pod" -digest: 9351f7b7a1218dfad02538d36423edd15d7b567cc014833e701d0b1e771f1db1 +digest: 4325ec1161eb1a2eb361eaed9618b7fe4605bfa621361064a43b4f056f03da8a createdAt: "2023-12-04T09:04:49Z" diff --git a/pod-security-cel/restricted/require-run-as-non-root-user/require-run-as-non-root-user.yaml b/pod-security-cel/restricted/require-run-as-non-root-user/require-run-as-non-root-user.yaml index 0bd042b0f..96e3e2ca7 100644 --- a/pod-security-cel/restricted/require-run-as-non-root-user/require-run-as-non-root-user.yaml +++ b/pod-security-cel/restricted/require-run-as-non-root-user/require-run-as-non-root-user.yaml @@ -23,9 +23,6 @@ spec: - resources: kinds: - Pod - operations: - - CREATE - - UPDATE validate: cel: expressions: diff --git a/pod-security-cel/restricted/require-run-as-nonroot/.chainsaw-test/chainsaw-test.yaml b/pod-security-cel/restricted/require-run-as-nonroot/.chainsaw-test/chainsaw-test.yaml deleted file mode 100755 index de6e6ad77..000000000 --- a/pod-security-cel/restricted/require-run-as-nonroot/.chainsaw-test/chainsaw-test.yaml +++ /dev/null 
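Review bot: Dropping the explicit `operations` list from the `match.any.resources` block of `require-run-as-non-root-user.yaml` leaves the rule depending on Kyverno's default operation set, and nothing in the hunk records what that default is expected to be; if it covers DELETE or CONNECT, the CEL expressions that follow (they continue past the hunk under `validate.cel.expressions`) would be evaluated for requests where `object` is not populated, which presumably is not the intent of a runAsUser check. Whether this is a deliberate widening or a cleanup should be stated in the file, for example a comment above `validate:` such as `# operations intentionally omitted: rule relies on Kyverno's default operation set for validate rules — confirm it excludes DELETE/CONNECT`. If CREATE/UPDATE scoping was in fact intended, restoring `operations:` / `- CREATE` / `- UPDATE` under `resources:` is the smaller change. The enclosing `spec`/`match` block starts before the hunk.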
@@ -1,40 +0,0 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json -apiVersion: chainsaw.kyverno.io/v1alpha1 -kind: Test -metadata: - creationTimestamp: null - name: require-run-as-nonroot -spec: - # disable templating because it can cause issues with CEL expressions - template: false - steps: - - name: step-01 - try: - - apply: - file: ../require-run-as-nonroot.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: require-run-as-nonroot - spec: - validationFailureAction: Enforce - - assert: - file: policy-ready.yaml - - name: step-02 - try: - - apply: - file: pod-good.yaml - - apply: - expect: - - check: - ($error != null): true - file: pod-bad.yaml - - apply: - file: podcontroller-good.yaml - - apply: - expect: - - check: - ($error != null): true - file: podcontroller-bad.yaml diff --git a/pod-security-cel/restricted/require-run-as-nonroot/.chainsaw-test/pod-bad.yaml b/pod-security-cel/restricted/require-run-as-nonroot/.chainsaw-test/pod-bad.yaml deleted file mode 100644 index dc7e2e6d4..000000000 --- a/pod-security-cel/restricted/require-run-as-nonroot/.chainsaw-test/pod-bad.yaml +++ /dev/null 
@@ -1,224 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: badpod01 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod02 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsNonRoot: false ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod03 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsNonRoot: false ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod04 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsNonRoot: false - securityContext: - runAsNonRoot: true ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod05 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod06 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsNonRoot: false ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod07 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsNonRoot: false ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod08 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsNonRoot: false - securityContext: - runAsNonRoot: true ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod09 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsNonRoot: true - - name: container02 - image: 
ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsNonRoot: false - securityContext: - runAsNonRoot: true ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod10 -spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsNonRoot: false - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsNonRoot: true ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod11 -spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsNonRoot: true - securityContext: - runAsNonRoot: false ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod12 -spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsNonRoot: false - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsNonRoot: true - securityContext: - runAsNonRoot: true ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod13 -spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsNonRoot: true ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod14 -spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsNonRoot: false - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsNonRoot: true ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod15 -spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: 
initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsNonRoot: false ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod16 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - allowPrivilegeEscalation: false ---- \ No newline at end of file diff --git a/pod-security-cel/restricted/require-run-as-nonroot/.chainsaw-test/pod-good.yaml b/pod-security-cel/restricted/require-run-as-nonroot/.chainsaw-test/pod-good.yaml deleted file mode 100644 index 20d08d820..000000000 --- a/pod-security-cel/restricted/require-run-as-nonroot/.chainsaw-test/pod-good.yaml +++ /dev/null 
@@ -1,147 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: goodpod01 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsNonRoot: true ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod02 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsNonRoot: true ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod03 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsNonRoot: true - securityContext: - runAsNonRoot: true ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod04 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsNonRoot: true ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod05 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsNonRoot: true - securityContext: - runAsNonRoot: true ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod06 -spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsNonRoot: true ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod07 -spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsNonRoot: true - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsNonRoot: true ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod08 -spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsNonRoot: true - containers: - - name: container01 - image: 
ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsNonRoot: true ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod09 -spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsNonRoot: true - - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsNonRoot: true ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod10 -spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsNonRoot: true - - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsNonRoot: true - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsNonRoot: true ---- \ No newline at end of file diff --git a/pod-security-cel/restricted/require-run-as-nonroot/.chainsaw-test/podcontroller-bad.yaml b/pod-security-cel/restricted/require-run-as-nonroot/.chainsaw-test/podcontroller-bad.yaml deleted file mode 100644 index 64dcc37c2..000000000 --- a/pod-security-cel/restricted/require-run-as-nonroot/.chainsaw-test/podcontroller-bad.yaml +++ /dev/null 
@@ -1,651 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment01 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment02 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsNonRoot: false ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment03 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsNonRoot: false ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment04 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsNonRoot: false - securityContext: - runAsNonRoot: true ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment05 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment06 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsNonRoot: false ---- -apiVersion: apps/v1 -kind: 
Deployment -metadata: - name: baddeployment07 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsNonRoot: false ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment08 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsNonRoot: false - securityContext: - runAsNonRoot: true ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment09 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsNonRoot: true - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsNonRoot: false - securityContext: - runAsNonRoot: true ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment10 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsNonRoot: false - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsNonRoot: true ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment11 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - containers: - - name: container01 - image: 
ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsNonRoot: true - securityContext: - runAsNonRoot: false ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment12 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsNonRoot: false - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsNonRoot: true - securityContext: - runAsNonRoot: true ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment13 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsNonRoot: true ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment14 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsNonRoot: false - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsNonRoot: true ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment15 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - 
securityContext: - runAsNonRoot: false ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob01 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob02 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsNonRoot: false ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob03 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsNonRoot: false ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob04 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsNonRoot: false - securityContext: - runAsNonRoot: true ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob05 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob06 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsNonRoot: false ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob07 -spec: - 
schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsNonRoot: false ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob08 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsNonRoot: false - securityContext: - runAsNonRoot: true ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob09 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsNonRoot: true - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsNonRoot: false - securityContext: - runAsNonRoot: true ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob10 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsNonRoot: false - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsNonRoot: true ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob11 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsNonRoot: true - securityContext: - runAsNonRoot: false ---- -apiVersion: batch/v1 
-kind: CronJob -metadata: - name: badcronjob12 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsNonRoot: false - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsNonRoot: true - securityContext: - runAsNonRoot: true ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob13 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsNonRoot: true ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob14 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsNonRoot: false - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsNonRoot: true ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob15 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsNonRoot: false ---- \ No newline at end of file 
diff --git a/pod-security-cel/restricted/require-run-as-nonroot/.chainsaw-test/podcontroller-good.yaml b/pod-security-cel/restricted/require-run-as-nonroot/.chainsaw-test/podcontroller-good.yaml deleted file mode 100644 index 2320e7563..000000000 --- a/pod-security-cel/restricted/require-run-as-nonroot/.chainsaw-test/podcontroller-good.yaml +++ /dev/null 
@@ -1,443 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment01 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsNonRoot: true ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment02 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsNonRoot: true ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment03 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsNonRoot: true - securityContext: - runAsNonRoot: true ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment04 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsNonRoot: true ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment05 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsNonRoot: true - securityContext: - runAsNonRoot: true ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment06 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: 
initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsNonRoot: true ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment07 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsNonRoot: true - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsNonRoot: true ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment08 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsNonRoot: true - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsNonRoot: true ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment09 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsNonRoot: true - - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsNonRoot: true ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment10 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsNonRoot: true - - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsNonRoot: true - 
containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsNonRoot: true ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob01 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsNonRoot: true ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob02 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsNonRoot: true ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob03 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsNonRoot: true - securityContext: - runAsNonRoot: true ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob04 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsNonRoot: true ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob05 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsNonRoot: true - securityContext: - runAsNonRoot: true ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob06 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - 
initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsNonRoot: true ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob07 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsNonRoot: true - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsNonRoot: true ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob08 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsNonRoot: true - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsNonRoot: true ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob09 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsNonRoot: true - - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsNonRoot: true ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob10 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsNonRoot: true - - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsNonRoot: true - containers: - - name: container01 - 
image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - runAsNonRoot: true diff --git a/pod-security-cel/restricted/require-run-as-nonroot/.chainsaw-test/policy-ready.yaml b/pod-security-cel/restricted/require-run-as-nonroot/.chainsaw-test/policy-ready.yaml deleted file mode 100755 index ce7c2fd4e..000000000 --- a/pod-security-cel/restricted/require-run-as-nonroot/.chainsaw-test/policy-ready.yaml +++ /dev/null @@ -1,10 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: require-run-as-nonroot -status: - conditions: - - reason: Succeeded - status: "True" - type: Ready - diff --git a/pod-security-cel/restricted/require-run-as-nonroot/.kyverno-test/kyverno-test.yaml b/pod-security-cel/restricted/require-run-as-nonroot/.kyverno-test/kyverno-test.yaml deleted file mode 100644 index d131de29b..000000000 --- a/pod-security-cel/restricted/require-run-as-nonroot/.kyverno-test/kyverno-test.yaml +++ /dev/null 
@@ -1,115 +0,0 @@ -apiVersion: cli.kyverno.io/v1alpha1 -kind: Test -metadata: - name: require-run-as-nonroot -policies: -- ../require-run-as-nonroot.yaml -resources: -- resource.yaml -results: -- kind: CronJob - policy: require-run-as-nonroot - resources: - - badcronjob01 - - badcronjob02 - - badcronjob03 - - badcronjob04 - - badcronjob05 - - badcronjob06 - - badcronjob07 - - badcronjob08 - - badcronjob09 - - badcronjob10 - - badcronjob11 - - badcronjob12 - - badcronjob13 - - badcronjob14 - - badcronjob15 - result: fail - rule: run-as-non-root -- kind: Deployment - policy: require-run-as-nonroot - resources: - - baddeployment01 - - baddeployment02 - - baddeployment03 - - baddeployment04 - - baddeployment05 - - baddeployment06 - - baddeployment07 - - baddeployment08 - - baddeployment09 - - baddeployment10 - - baddeployment11 - - baddeployment12 - - baddeployment13 - - baddeployment14 - - baddeployment15 - result: fail - rule: run-as-non-root -- kind: Pod - policy: require-run-as-nonroot - resources: - - badpod01 - - badpod02 - - badpod03 - - badpod04 - - badpod05 - - badpod06 - - badpod07 - - badpod08 - - badpod09 - - badpod10 - - badpod11 - - badpod12 - - badpod13 - - badpod14 - - badpod15 - - badpod16 - result: fail - rule: run-as-non-root -- kind: CronJob - policy: require-run-as-nonroot - resources: - - goodcronjob01 - - goodcronjob02 - - goodcronjob03 - - goodcronjob04 - - goodcronjob05 - - goodcronjob06 - - goodcronjob07 - - goodcronjob08 - - goodcronjob09 - - goodcronjob10 - result: pass - rule: run-as-non-root -- kind: Deployment - policy: require-run-as-nonroot - resources: - - gooddeployment01 - - gooddeployment02 - - gooddeployment03 - - gooddeployment04 - - gooddeployment05 - - gooddeployment06 - - gooddeployment07 - - gooddeployment08 - - gooddeployment09 - - gooddeployment10 - result: pass - rule: run-as-non-root -- kind: Pod - policy: require-run-as-nonroot - resources: - - goodpod01 - - goodpod02 - - goodpod03 - - goodpod04 - - goodpod05 - - 
goodpod06 - - goodpod07 - - goodpod08 - - goodpod09 - - goodpod10 - result: pass - rule: run-as-non-root diff --git a/pod-security-cel/restricted/require-run-as-nonroot/.kyverno-test/resource.yaml b/pod-security-cel/restricted/require-run-as-nonroot/.kyverno-test/resource.yaml deleted file mode 100644 index 7589a7914..000000000 --- a/pod-security-cel/restricted/require-run-as-nonroot/.kyverno-test/resource.yaml +++ /dev/null 
@@ -1,1472 +0,0 @@ -###### Pods - Bad ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod01 -spec: - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod02 -spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - runAsNonRoot: false ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod03 -spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - runAsNonRoot: false ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod04 -spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - runAsNonRoot: false - securityContext: - runAsNonRoot: true ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod05 -spec: - containers: - - name: container01 - image: dummyimagename - - name: container02 - image: dummyimagename ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod06 -spec: - containers: - - name: container01 - image: dummyimagename - - name: container02 - image: dummyimagename - securityContext: - runAsNonRoot: false ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod07 -spec: - containers: - - name: container01 - image: dummyimagename - - name: container02 - image: dummyimagename - securityContext: - runAsNonRoot: false ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod08 -spec: - containers: - - name: container01 - image: dummyimagename - - name: container02 - image: dummyimagename - securityContext: - runAsNonRoot: false - securityContext: - runAsNonRoot: true ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod09 -spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - runAsNonRoot: true - - name: container02 - image: dummyimagename - securityContext: - runAsNonRoot: false - securityContext: - runAsNonRoot: true ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod10 -spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - 
securityContext: - runAsNonRoot: false - containers: - - name: container01 - image: dummyimagename - securityContext: - runAsNonRoot: true ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod11 -spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - containers: - - name: container01 - image: dummyimagename - securityContext: - runAsNonRoot: true - securityContext: - runAsNonRoot: false ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod12 -spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - runAsNonRoot: false - containers: - - name: container01 - image: dummyimagename - securityContext: - runAsNonRoot: true - securityContext: - runAsNonRoot: true ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod13 -spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - - name: initcontainer02 - image: dummyimagename - containers: - - name: container01 - image: dummyimagename - securityContext: - runAsNonRoot: true ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod14 -spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - - name: initcontainer02 - image: dummyimagename - securityContext: - runAsNonRoot: false - containers: - - name: container01 - image: dummyimagename - securityContext: - runAsNonRoot: true ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod15 -spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - - name: initcontainer02 - image: dummyimagename - containers: - - name: container01 - image: dummyimagename - securityContext: - runAsNonRoot: false ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod16 -spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - allowPrivilegeEscalation: false ---- -###### Pods - Good -apiVersion: v1 -kind: Pod -metadata: - name: goodpod01 -spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - runAsNonRoot: true 
---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod02 -spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - runAsNonRoot: true ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod03 -spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - runAsNonRoot: true - securityContext: - runAsNonRoot: true ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod04 -spec: - containers: - - name: container01 - image: dummyimagename - - name: container02 - image: dummyimagename - securityContext: - runAsNonRoot: true ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod05 -spec: - containers: - - name: container01 - image: dummyimagename - - name: container02 - image: dummyimagename - securityContext: - runAsNonRoot: true - securityContext: - runAsNonRoot: true ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod06 -spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - containers: - - name: container01 - image: dummyimagename - securityContext: - runAsNonRoot: true ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod07 -spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - runAsNonRoot: true - containers: - - name: container01 - image: dummyimagename - securityContext: - runAsNonRoot: true ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod08 -spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - runAsNonRoot: true - containers: - - name: container01 - image: dummyimagename - securityContext: - runAsNonRoot: true ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod09 -spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - runAsNonRoot: true - - name: initcontainer02 - image: dummyimagename - containers: - - name: container01 - image: dummyimagename - securityContext: - runAsNonRoot: true ---- -apiVersion: v1 -kind: Pod 
-metadata: - name: goodpod10 -spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - runAsNonRoot: true - - name: initcontainer02 - image: dummyimagename - securityContext: - runAsNonRoot: true - containers: - - name: container01 - image: dummyimagename - securityContext: - runAsNonRoot: true ---- -###### Deployments - Bad -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment01 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment02 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - runAsNonRoot: false ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment03 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - runAsNonRoot: false ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment04 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - runAsNonRoot: false - securityContext: - runAsNonRoot: true ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment05 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - - name: container02 - image: dummyimagename ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment06 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - 
app: app - spec: - containers: - - name: container01 - image: dummyimagename - - name: container02 - image: dummyimagename - securityContext: - runAsNonRoot: false ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment07 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - - name: container02 - image: dummyimagename - securityContext: - runAsNonRoot: false ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment08 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - - name: container02 - image: dummyimagename - securityContext: - runAsNonRoot: false - securityContext: - runAsNonRoot: true ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment09 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - runAsNonRoot: true - - name: container02 - image: dummyimagename - securityContext: - runAsNonRoot: false - securityContext: - runAsNonRoot: true ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment10 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - runAsNonRoot: false - containers: - - name: container01 - image: dummyimagename - securityContext: - runAsNonRoot: true ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment11 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - containers: - - name: container01 - 
image: dummyimagename - securityContext: - runAsNonRoot: true - securityContext: - runAsNonRoot: false ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment12 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - runAsNonRoot: false - containers: - - name: container01 - image: dummyimagename - securityContext: - runAsNonRoot: true - securityContext: - runAsNonRoot: true ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment13 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - - name: initcontainer02 - image: dummyimagename - containers: - - name: container01 - image: dummyimagename - securityContext: - runAsNonRoot: true ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment14 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - - name: initcontainer02 - image: dummyimagename - securityContext: - runAsNonRoot: false - containers: - - name: container01 - image: dummyimagename - securityContext: - runAsNonRoot: true ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment15 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - - name: initcontainer02 - image: dummyimagename - containers: - - name: container01 - image: dummyimagename - securityContext: - runAsNonRoot: false ---- -###### Deployments - Good -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment01 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - 
metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - runAsNonRoot: true ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment02 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - runAsNonRoot: true ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment03 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - runAsNonRoot: true - securityContext: - runAsNonRoot: true ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment04 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - - name: container02 - image: dummyimagename - securityContext: - runAsNonRoot: true ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment05 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - - name: container02 - image: dummyimagename - securityContext: - runAsNonRoot: true - securityContext: - runAsNonRoot: true ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment06 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - containers: - - name: container01 - image: dummyimagename - securityContext: - runAsNonRoot: true ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment07 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - 
metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - runAsNonRoot: true - containers: - - name: container01 - image: dummyimagename - securityContext: - runAsNonRoot: true ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment08 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - runAsNonRoot: true - containers: - - name: container01 - image: dummyimagename - securityContext: - runAsNonRoot: true ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment09 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - runAsNonRoot: true - - name: initcontainer02 - image: dummyimagename - containers: - - name: container01 - image: dummyimagename - securityContext: - runAsNonRoot: true ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment10 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - runAsNonRoot: true - - name: initcontainer02 - image: dummyimagename - securityContext: - runAsNonRoot: true - containers: - - name: container01 - image: dummyimagename - securityContext: - runAsNonRoot: true ---- -###### CronJobs - Bad -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob01 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob02 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - 
restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - securityContext: - runAsNonRoot: false ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob03 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - securityContext: - runAsNonRoot: false ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob04 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - securityContext: - runAsNonRoot: false - securityContext: - runAsNonRoot: true ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob05 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - - name: container02 - image: dummyimagename ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob06 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - - name: container02 - image: dummyimagename - securityContext: - runAsNonRoot: false ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob07 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - - name: container02 - image: dummyimagename - securityContext: - runAsNonRoot: false ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob08 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - - name: container02 - image: dummyimagename - securityContext: - runAsNonRoot: false - securityContext: - 
runAsNonRoot: true ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob09 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - securityContext: - runAsNonRoot: true - - name: container02 - image: dummyimagename - securityContext: - runAsNonRoot: false - securityContext: - runAsNonRoot: true ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob10 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - runAsNonRoot: false - containers: - - name: container01 - image: dummyimagename - securityContext: - runAsNonRoot: true ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob11 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: dummyimagename - containers: - - name: container01 - image: dummyimagename - securityContext: - runAsNonRoot: true - securityContext: - runAsNonRoot: false ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob12 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - runAsNonRoot: false - containers: - - name: container01 - image: dummyimagename - securityContext: - runAsNonRoot: true - securityContext: - runAsNonRoot: true ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob13 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: dummyimagename - - name: initcontainer02 - image: dummyimagename - containers: - - name: container01 - image: dummyimagename - securityContext: - 
runAsNonRoot: true ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob14 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: dummyimagename - - name: initcontainer02 - image: dummyimagename - securityContext: - runAsNonRoot: false - containers: - - name: container01 - image: dummyimagename - securityContext: - runAsNonRoot: true ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob15 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: dummyimagename - - name: initcontainer02 - image: dummyimagename - containers: - - name: container01 - image: dummyimagename - securityContext: - runAsNonRoot: false ---- -###### CronJobs - Good -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob01 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - securityContext: - runAsNonRoot: true ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob02 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - securityContext: - runAsNonRoot: true ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob03 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - securityContext: - runAsNonRoot: true - securityContext: - runAsNonRoot: true ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob04 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - - name: 
container02 - image: dummyimagename - securityContext: - runAsNonRoot: true ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob05 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - - name: container02 - image: dummyimagename - securityContext: - runAsNonRoot: true - securityContext: - runAsNonRoot: true ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob06 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: dummyimagename - containers: - - name: container01 - image: dummyimagename - securityContext: - runAsNonRoot: true ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob07 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - runAsNonRoot: true - containers: - - name: container01 - image: dummyimagename - securityContext: - runAsNonRoot: true ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob08 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - runAsNonRoot: true - containers: - - name: container01 - image: dummyimagename - securityContext: - runAsNonRoot: true ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob09 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - runAsNonRoot: true - - name: initcontainer02 - image: dummyimagename - containers: - - name: container01 - image: dummyimagename - securityContext: - runAsNonRoot: true ---- 
-apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob10 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - runAsNonRoot: true - - name: initcontainer02 - image: dummyimagename - securityContext: - runAsNonRoot: true - containers: - - name: container01 - image: dummyimagename - securityContext: - runAsNonRoot: true diff --git a/pod-security-cel/restricted/require-run-as-nonroot/artifacthub-pkg.yml b/pod-security-cel/restricted/require-run-as-nonroot/artifacthub-pkg.yml deleted file mode 100644 index 2b56451d3..000000000 --- a/pod-security-cel/restricted/require-run-as-nonroot/artifacthub-pkg.yml +++ /dev/null @@ -1,23 +0,0 @@ -name: require-run-as-nonroot-cel -version: 1.0.0 -displayName: Require runAsNonRoot in CEL expressions -description: >- - Containers must be required to run as non-root users. This policy ensures `runAsNonRoot` is set to `true`. -install: |- - ```shell - kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/pod-security-cel/restricted/require-run-as-nonroot/require-run-as-nonroot.yaml - ``` -keywords: - - kyverno - - Pod Security Standards (Restricted) - - CEL Expressions -readme: | - Containers must be required to run as non-root users. This policy ensures `runAsNonRoot` is set to `true`. - - Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ -annotations: - kyverno/category: "Pod Security Standards (Restricted)" - kyverno/kubernetesVersion: "1.26-1.27" - kyverno/subject: "Pod" -digest: 91161d7046bc3d1900363fa4f44ab06c5be6aad62f6194f6635d5a7585c0dec7 -createdAt: "2023-12-04T09:04:49Z" 
diff --git a/pod-security-cel/restricted/require-run-as-nonroot/require-run-as-nonroot.yaml b/pod-security-cel/restricted/require-run-as-nonroot/require-run-as-nonroot.yaml deleted file mode 100644 index 268fd2340..000000000 --- a/pod-security-cel/restricted/require-run-as-nonroot/require-run-as-nonroot.yaml +++ /dev/null 
@@ -1,62 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: require-run-as-nonroot - annotations: - policies.kyverno.io/title: Require runAsNonRoot in CEL - policies.kyverno.io/category: Pod Security Standards (Restricted) in CEL - policies.kyverno.io/severity: medium - policies.kyverno.io/subject: Pod - policies.kyverno.io/minversion: 1.11.0 - kyverno.io/kyverno-version: 1.11.0 - kyverno.io/kubernetes-version: "1.26-1.27" - policies.kyverno.io/description: >- - Containers must be required to run as non-root. This policy ensures - `runAsNonRoot` is set to true. -spec: - validationFailureAction: Audit - background: true - rules: - - name: run-as-non-root - match: - any: - - resources: - kinds: - - Pod - operations: - - CREATE - - UPDATE - validate: - cel: - expressions: - - expression: >- - ( - ( - has(object.spec.securityContext) && - has(object.spec.securityContext.runAsNonRoot) && - object.spec.securityContext.runAsNonRoot == true - ) && ( - ( - object.spec.containers + - (has(object.spec.initContainers) ? object.spec.initContainers : []) + - (has(object.spec.ephemeralContainers) ? object.spec.ephemeralContainers : []) - ).all(container, - !has(container.securityContext) || - !has(container.securityContext.runAsNonRoot) || - container.securityContext.runAsNonRoot == true) - ) - ) || ( - ( - object.spec.containers + - (has(object.spec.initContainers) ? object.spec.initContainers : []) + - (has(object.spec.ephemeralContainers) ? object.spec.ephemeralContainers : []) - ).all(container, - has(container.securityContext) && - has(container.securityContext.runAsNonRoot) && - container.securityContext.runAsNonRoot == true) - ) - message: >- - Running as root is not allowed. Either the field spec.securityContext.runAsNonRoot or all of - spec.containers[*].securityContext.runAsNonRoot, spec.initContainers[*].securityContext.runAsNonRoot and - spec.ephemeralContainers[*].securityContext.runAsNonRoot, must be set to true. - 
diff --git a/pod-security-cel/restricted/restrict-seccomp-strict/.chainsaw-test.yaml/chainsaw-test.yaml b/pod-security-cel/restricted/restrict-seccomp-strict/.chainsaw-test.yaml/chainsaw-test.yaml new file mode 100755 index 000000000..e252df8e3 --- /dev/null +++ b/pod-security-cel/restricted/restrict-seccomp-strict/.chainsaw-test.yaml/chainsaw-test.yaml @@ -0,0 +1,37 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: restrict-seccomp-strict +spec: + steps: + - name: step-01 + try: + - script: + content: | + sed 's/validationFailureAction: Audit/validationFailureAction: Enforce/' ../restrict-seccomp-strict.yaml | kubectl create -f - + - assert: + file: ../../../../pod-security/restricted/restrict-seccomp-strict/.chainsaw-test/chainsaw-step-01-assert-1.yaml + - name: step-02 + try: + - apply: + file: ../../../../pod-security/restricted/restrict-seccomp-strict/.chainsaw-test/pod-good.yaml + - apply: + expect: + - check: + ($error != null): true + file: ../../../../pod-security/restricted/restrict-seccomp-strict/.chainsaw-test/pod-bad.yaml + - apply: + file: ../../../../pod-security/restricted/restrict-seccomp-strict/.chainsaw-test/podcontroller-good.yaml + - apply: + expect: + - check: + ($error != null): true + file: ../../../../pod-security/restricted/restrict-seccomp-strict/.chainsaw-test/podcontroller-bad.yaml + - name: step-99 + try: + - delete: + ref: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: restrict-seccomp-strict diff --git a/pod-security-cel/restricted/restrict-seccomp-strict/.chainsaw-test/chainsaw-test.yaml b/pod-security-cel/restricted/restrict-seccomp-strict/.chainsaw-test/chainsaw-test.yaml deleted file mode 100755 index 54a934167..000000000 --- a/pod-security-cel/restricted/restrict-seccomp-strict/.chainsaw-test/chainsaw-test.yaml +++ /dev/null 
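Review bot: The new test lands at `.chainsaw-test.yaml/chainsaw-test.yaml`, a directory whose name carries a `.yaml` suffix, while the deleted sibling and every fixture this file references live under a plain `.chainsaw-test/` directory; this looks like a typo in the path rather than a deliberate layout change, and it should be `.chainsaw-test/chainsaw-test.yaml` so the test is found where the rest of the repo expects it. In step-01 the policy is created by a shell pipeline (`sed ... | kubectl create -f -`) instead of the `apply` + `patch` the deleted version used, so chainsaw does not own that ClusterPolicy; the explicit `delete` in step-99 covers the happy path, but if step-02 fails the later step is presumably not reached and the Enforce-mode policy is left behind in the cluster, which can break other tests in the run. Moving that `delete` into a `cleanup:` block on step-01 (or restoring the `apply`/`patch` form) keeps the teardown unconditional. The `sed` substitution is also silent on a miss: if the policy file's `validationFailureAction` line ever changes spelling, the policy is created in Audit mode and the `($error != null)` checks in step-02 fail with a misleading message, so consider asserting `spec.validationFailureAction: Enforce` in the step-01 assert file.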
@@ -1,40 +0,0 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json -apiVersion: chainsaw.kyverno.io/v1alpha1 -kind: Test -metadata: - creationTimestamp: null - name: restrict-seccomp-strict -spec: - # disable templating because it can cause issues with CEL expressions - template: false - steps: - - name: step-01 - try: - - apply: - file: ../restrict-seccomp-strict.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: restrict-seccomp-strict - spec: - validationFailureAction: Enforce - - assert: - file: policy-ready.yaml - - name: step-02 - try: - - apply: - file: pod-good.yaml - - apply: - expect: - - check: - ($error != null): true - file: pod-bad.yaml - - apply: - file: podcontroller-good.yaml - - apply: - expect: - - check: - ($error != null): true - file: podcontroller-bad.yaml diff --git a/pod-security-cel/restricted/restrict-seccomp-strict/.chainsaw-test/pod-bad.yaml b/pod-security-cel/restricted/restrict-seccomp-strict/.chainsaw-test/pod-bad.yaml deleted file mode 100644 index f9a801b7c..000000000 --- a/pod-security-cel/restricted/restrict-seccomp-strict/.chainsaw-test/pod-bad.yaml +++ /dev/null 
@@ -1,107 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: badpod01 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seccompProfile: - type: Unconfined ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod02 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seccompProfile: - type: Unconfined ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod03 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seccompProfile: - type: Unconfined ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod04 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seccompProfile: - type: RuntimeDefault - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seccompProfile: - type: Unconfined ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod05 -spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seccompProfile: - type: Unconfined - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod06 -spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seccompProfile: - type: Unconfined - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod07 -spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seccompProfile: - type: RuntimeDefault - - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seccompProfile: - type: Unconfined - 
containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- \ No newline at end of file diff --git a/pod-security-cel/restricted/restrict-seccomp-strict/.chainsaw-test/pod-good.yaml b/pod-security-cel/restricted/restrict-seccomp-strict/.chainsaw-test/pod-good.yaml deleted file mode 100644 index d35109aeb..000000000 --- a/pod-security-cel/restricted/restrict-seccomp-strict/.chainsaw-test/pod-good.yaml +++ /dev/null 
@@ -1,167 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: goodpod01 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seccompProfile: - type: RuntimeDefault ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod02 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seccompProfile: - localhostProfile: operator/default/profile1.json - type: Localhost ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod03 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seccompProfile: - type: RuntimeDefault ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod04 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seccompProfile: - type: Localhost - localhostProfile: operator/default/profile1.json ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod05 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seccompProfile: - type: RuntimeDefault - securityContext: - seccompProfile: - type: Localhost - localhostProfile: operator/default/profile1.json ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod06 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seccompProfile: - type: RuntimeDefault - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seccompProfile: - type: Localhost - localhostProfile: operator/default/profile1.json ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod07 -spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seccompProfile: - type: RuntimeDefault - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - 
securityContext: - seccompProfile: - type: RuntimeDefault ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod08 -spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seccompProfile: - type: Localhost - localhostProfile: operator/default/profile1.json - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seccompProfile: - type: RuntimeDefault ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod09 -spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seccompProfile: - type: RuntimeDefault - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seccompProfile: - type: RuntimeDefault ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod10 -spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seccompProfile: - type: Localhost - localhostProfile: operator/default/profile1.json - - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seccompProfile: - type: RuntimeDefault - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seccompProfile: - type: RuntimeDefault ---- \ No newline at end of file diff --git a/pod-security-cel/restricted/restrict-seccomp-strict/.chainsaw-test/podcontroller-bad.yaml b/pod-security-cel/restricted/restrict-seccomp-strict/.chainsaw-test/podcontroller-bad.yaml deleted file mode 100644 index e11928730..000000000 --- a/pod-security-cel/restricted/restrict-seccomp-strict/.chainsaw-test/podcontroller-bad.yaml +++ /dev/null 
@@ -1,319 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment01 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seccompProfile: - type: Unconfined ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment02 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seccompProfile: - type: Unconfined ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment03 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seccompProfile: - type: Unconfined ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment04 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seccompProfile: - type: RuntimeDefault - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seccompProfile: - type: Unconfined ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment05 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seccompProfile: - type: Unconfined - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment06 
-spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seccompProfile: - type: Unconfined - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment07 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seccompProfile: - type: RuntimeDefault - - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seccompProfile: - type: Unconfined - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob01 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seccompProfile: - type: Unconfined ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob02 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seccompProfile: - type: Unconfined ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob03 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seccompProfile: - type: Unconfined ---- -apiVersion: batch/v1 -kind: CronJob -metadata: 
- name: badcronjob04 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seccompProfile: - type: RuntimeDefault - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seccompProfile: - type: Unconfined ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob05 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seccompProfile: - type: Unconfined - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob06 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seccompProfile: - type: Unconfined - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob07 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seccompProfile: - type: RuntimeDefault - - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seccompProfile: - type: Unconfined - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- \ No newline at end of file 
diff --git a/pod-security-cel/restricted/restrict-seccomp-strict/.chainsaw-test/podcontroller-good.yaml b/pod-security-cel/restricted/restrict-seccomp-strict/.chainsaw-test/podcontroller-good.yaml deleted file mode 100644 index cfac47fb3..000000000 --- a/pod-security-cel/restricted/restrict-seccomp-strict/.chainsaw-test/podcontroller-good.yaml +++ /dev/null 
@@ -1,484 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment01 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seccompProfile: - type: RuntimeDefault ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment02 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seccompProfile: - type: Localhost - localhostProfile: operator/default/profile1.json ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment03 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seccompProfile: - type: RuntimeDefault ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment04 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seccompProfile: - type: Localhost - localhostProfile: operator/default/profile1.json ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment05 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seccompProfile: - type: RuntimeDefault - securityContext: - seccompProfile: - type: Localhost - localhostProfile: operator/default/profile1.json ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: 
gooddeployment06 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seccompProfile: - type: RuntimeDefault - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seccompProfile: - type: Localhost - localhostProfile: operator/default/profile1.json ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment07 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seccompProfile: - type: RuntimeDefault - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seccompProfile: - type: RuntimeDefault ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment08 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seccompProfile: - type: Localhost - localhostProfile: operator/default/profile1.json - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seccompProfile: - type: RuntimeDefault ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment09 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seccompProfile: - type: RuntimeDefault - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seccompProfile: - type: RuntimeDefault ---- 
-apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment10 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seccompProfile: - type: Localhost - localhostProfile: operator/default/profile1.json - - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seccompProfile: - type: RuntimeDefault - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seccompProfile: - type: RuntimeDefault ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob01 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seccompProfile: - type: RuntimeDefault ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob02 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seccompProfile: - type: Localhost - localhostProfile: operator/default/profile1.json ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob03 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seccompProfile: - type: RuntimeDefault ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob04 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seccompProfile: - type: Localhost - localhostProfile: 
operator/default/profile1.json ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob05 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seccompProfile: - type: RuntimeDefault - securityContext: - seccompProfile: - type: Localhost - localhostProfile: operator/default/profile1.json ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob06 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seccompProfile: - type: RuntimeDefault - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seccompProfile: - type: Localhost - localhostProfile: operator/default/profile1.json ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob07 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seccompProfile: - type: RuntimeDefault - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seccompProfile: - type: RuntimeDefault ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob08 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seccompProfile: - type: Localhost - localhostProfile: operator/default/profile1.json - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seccompProfile: - type: RuntimeDefault ---- -apiVersion: 
batch/v1 -kind: CronJob -metadata: - name: goodcronjob09 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seccompProfile: - type: RuntimeDefault - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seccompProfile: - type: RuntimeDefault ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob10 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seccompProfile: - type: Localhost - localhostProfile: operator/default/profile1.json - - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seccompProfile: - type: RuntimeDefault - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - seccompProfile: - type: RuntimeDefault ---- diff --git a/pod-security-cel/restricted/restrict-seccomp-strict/.chainsaw-test/policy-ready.yaml b/pod-security-cel/restricted/restrict-seccomp-strict/.chainsaw-test/policy-ready.yaml deleted file mode 100755 index cdb6f45bc..000000000 --- a/pod-security-cel/restricted/restrict-seccomp-strict/.chainsaw-test/policy-ready.yaml +++ /dev/null @@ -1,10 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: restrict-seccomp-strict -status: - conditions: - - reason: Succeeded - status: "True" - type: Ready - diff --git a/pod-security-cel/restricted/restrict-seccomp-strict/.kyverno-test.yaml/kyverno-test.yaml b/pod-security-cel/restricted/restrict-seccomp-strict/.kyverno-test.yaml/kyverno-test.yaml new file mode 100644 index 000000000..51ae4a602 --- /dev/null 
+++ b/pod-security-cel/restricted/restrict-seccomp-strict/.kyverno-test.yaml/kyverno-test.yaml @@ -0,0 +1,90 @@ +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: restrict-seccomp-strict +policies: +- ../restrict-seccomp-strict.yaml +resources: +- ../../../../pod-security/restricted/restrict-seccomp-strict/.kyverno-test/resource.yaml +results: +- kind: CronJob + policy: restrict-seccomp-strict + resources: + - badcronjob01 + - badcronjob02 + - badcronjob03 + - badcronjob04 + - badcronjob05 + - badcronjob06 + - badcronjob07 + result: fail + rule: check-seccomp-strict +- kind: Deployment + policy: restrict-seccomp-strict + resources: + - baddeployment01 + - baddeployment02 + - baddeployment03 + - baddeployment04 + - baddeployment05 + - baddeployment06 + - baddeployment07 + result: fail + rule: check-seccomp-strict +- kind: Pod + policy: restrict-seccomp-strict + resources: + - badpod01 + - badpod02 + - badpod03 + - badpod04 + - badpod05 + - badpod06 + - badpod07 + result: fail + rule: check-seccomp-strict +- kind: CronJob + policy: restrict-seccomp-strict + resources: + - goodcronjob01 + - goodcronjob02 + - goodcronjob03 + - goodcronjob04 + - goodcronjob05 + - goodcronjob06 + - goodcronjob07 + - goodcronjob08 + - goodcronjob09 + - goodcronjob10 + result: pass + rule: check-seccomp-strict +- kind: Deployment + policy: restrict-seccomp-strict + resources: + - gooddeployment01 + - gooddeployment02 + - gooddeployment03 + - gooddeployment04 + - gooddeployment05 + - gooddeployment06 + - gooddeployment07 + - gooddeployment08 + - gooddeployment09 + - gooddeployment10 + result: pass + rule: check-seccomp-strict +- kind: Pod + policy: restrict-seccomp-strict + resources: + - goodpod01 + - goodpod02 + - goodpod03 + - goodpod04 + - goodpod05 + - goodpod06 + - goodpod07 + - goodpod08 + - goodpod09 + - goodpod10 + result: pass + rule: check-seccomp-strict 
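Review bot: The `resources:` entry now points at `../../../../pod-security/restricted/restrict-seccomp-strict/.kyverno-test/resource.yaml`, so this CEL test's fixtures are owned by a different policy's directory while the `results:` block still enumerates the 51 resource names by hand; if a bad case is added to the non-CEL fixture file it will not appear here, and the CEL policy's coverage silently drifts with no failing test to flag it. A comment above `resources:` such as `# Fixtures are shared with pod-security/restricted/restrict-seccomp-strict; keep the results list below in sync when that file changes` would at least make the coupling visible to the next editor. The file is also placed under a directory named `.kyverno-test.yaml/`, unlike the `.kyverno-test/` directory it replaces and the one it reads fixtures from; that is likely the same path typo as the sibling chainsaw test and is worth fixing in the same commit. I cannot confirm from this hunk that `check-seccomp-strict` matches the rule name in `../restrict-seccomp-strict.yaml`, since that policy is not in view.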
diff --git a/pod-security-cel/restricted/restrict-seccomp-strict/.kyverno-test/kyverno-test.yaml b/pod-security-cel/restricted/restrict-seccomp-strict/.kyverno-test/kyverno-test.yaml deleted file mode 100644 index a2ac6d6d3..000000000 --- a/pod-security-cel/restricted/restrict-seccomp-strict/.kyverno-test/kyverno-test.yaml +++ /dev/null 
@@ -1,90 +0,0 @@
-apiVersion: cli.kyverno.io/v1alpha1
-kind: Test
-metadata:
- name: restrict-seccomp-strict
-policies:
-- ../restrict-seccomp-strict.yaml
-resources:
-- resource.yaml
-results:
-- kind: CronJob
- policy: restrict-seccomp-strict
- resources:
- - badcronjob01
- - badcronjob02
- - badcronjob03
- - badcronjob04
- - badcronjob05
- - badcronjob06
- - badcronjob07
- result: fail
- rule: check-seccomp-strict
-- kind: Deployment
- policy: restrict-seccomp-strict
- resources:
- - baddeployment01
- - baddeployment02
- - baddeployment03
- - baddeployment04
- - baddeployment05
- - baddeployment06
- - baddeployment07
- result: fail
- rule: check-seccomp-strict
-- kind: Pod
- policy: restrict-seccomp-strict
- resources:
- - badpod01
- - badpod02
- - badpod03
- - badpod04
- - badpod05
- - badpod06
- - badpod07
- result: fail
- rule: check-seccomp-strict
-- kind: CronJob
- policy: restrict-seccomp-strict
- resources:
- - goodcronjob01
- - goodcronjob02
- - goodcronjob03
- - goodcronjob04
- - goodcronjob05
- - goodcronjob06
- - goodcronjob07
- - goodcronjob08
- - goodcronjob09
- - goodcronjob10
- result: pass
- rule: check-seccomp-strict
-- kind: Deployment
- policy: restrict-seccomp-strict
- resources:
- - gooddeployment01
- - gooddeployment02
- - gooddeployment03
- - gooddeployment04
- - gooddeployment05
- - gooddeployment06
- - gooddeployment07
- - gooddeployment08
- - gooddeployment09
- - gooddeployment10
- result: pass
- rule: check-seccomp-strict
-- kind: Pod
- policy: restrict-seccomp-strict
- resources:
- - goodpod01
- - goodpod02
- - goodpod03
- - goodpod04
- - goodpod05
- - goodpod06
- - goodpod07
- - goodpod08
- - goodpod09
- - goodpod10
- result: pass
- rule: check-seccomp-strict
diff --git a/pod-security-cel/restricted/restrict-seccomp-strict/.kyverno-test/resource.yaml b/pod-security-cel/restricted/restrict-seccomp-strict/.kyverno-test/resource.yaml
deleted file mode 100644
index 238a5f9f2..000000000
--- a/pod-security-cel/restricted/restrict-seccomp-strict/.kyverno-test/resource.yaml
+++ /dev/null
@@ -1,1084 +0,0 @@ -###### Pods - Bad ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod01 -spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - seccompProfile: - type: Unconfined ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod02 -spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - seccompProfile: - type: Unconfined ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod03 -spec: - containers: - - name: container01 - image: dummyimagename - - name: container02 - image: dummyimagename - securityContext: - seccompProfile: - type: Unconfined ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod04 -spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - seccompProfile: - type: RuntimeDefault - - name: container02 - image: dummyimagename - securityContext: - seccompProfile: - type: Unconfined ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod05 -spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - seccompProfile: - type: Unconfined - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod06 -spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - - name: initcontainer02 - image: dummyimagename - securityContext: - seccompProfile: - type: Unconfined - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod07 -spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - seccompProfile: - type: RuntimeDefault - - name: initcontainer02 - image: dummyimagename - securityContext: - seccompProfile: - type: Unconfined - containers: - - name: container01 - image: dummyimagename ---- -###### Pods - Good -apiVersion: v1 -kind: Pod -metadata: - name: goodpod01 -spec: - containers: - - name: container01 - image: dummyimagename - 
securityContext: - seccompProfile: - type: RuntimeDefault ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod02 -spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - seccompProfile: - localhostProfile: operator/default/profile1.json - type: Localhost ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod03 -spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - seccompProfile: - type: RuntimeDefault ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod04 -spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - seccompProfile: - type: Localhost - localhostProfile: operator/default/profile1.json ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod05 -spec: - containers: - - name: container01 - image: dummyimagename - - name: container02 - image: dummyimagename - securityContext: - seccompProfile: - type: RuntimeDefault - securityContext: - seccompProfile: - type: Localhost - localhostProfile: operator/default/profile1.json ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod06 -spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - seccompProfile: - type: RuntimeDefault - - name: container02 - image: dummyimagename - securityContext: - seccompProfile: - type: Localhost - localhostProfile: operator/default/profile1.json ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod07 -spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - seccompProfile: - type: RuntimeDefault - containers: - - name: container01 - image: dummyimagename - securityContext: - seccompProfile: - type: RuntimeDefault ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod08 -spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - seccompProfile: - type: Localhost - localhostProfile: operator/default/profile1.json - containers: - - name: container01 - image: 
dummyimagename - securityContext: - seccompProfile: - type: RuntimeDefault ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod09 -spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - - name: initcontainer02 - image: dummyimagename - securityContext: - seccompProfile: - type: RuntimeDefault - containers: - - name: container01 - image: dummyimagename - securityContext: - seccompProfile: - type: RuntimeDefault ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod10 -spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - seccompProfile: - type: Localhost - localhostProfile: operator/default/profile1.json - - name: initcontainer02 - image: dummyimagename - securityContext: - seccompProfile: - type: RuntimeDefault - containers: - - name: container01 - image: dummyimagename - securityContext: - seccompProfile: - type: RuntimeDefault ---- -###### Deployments - Bad -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment01 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - seccompProfile: - type: Unconfined ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment02 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - seccompProfile: - type: Unconfined ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment03 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - - name: container02 - image: dummyimagename - securityContext: - seccompProfile: - type: Unconfined ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment04 -spec: - 
replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - seccompProfile: - type: RuntimeDefault - - name: container02 - image: dummyimagename - securityContext: - seccompProfile: - type: Unconfined ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment05 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - seccompProfile: - type: Unconfined - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment06 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - - name: initcontainer02 - image: dummyimagename - securityContext: - seccompProfile: - type: Unconfined - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment07 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - seccompProfile: - type: RuntimeDefault - - name: initcontainer02 - image: dummyimagename - securityContext: - seccompProfile: - type: Unconfined - containers: - - name: container01 - image: dummyimagename ---- -###### Deployments - Good -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment01 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - seccompProfile: - type: RuntimeDefault ---- -apiVersion: apps/v1 -kind: Deployment 
-metadata: - name: gooddeployment02 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - seccompProfile: - type: Localhost - localhostProfile: operator/default/profile1.json ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment03 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - seccompProfile: - type: RuntimeDefault ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment04 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - seccompProfile: - type: Localhost - localhostProfile: operator/default/profile1.json ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment05 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - - name: container02 - image: dummyimagename - securityContext: - seccompProfile: - type: RuntimeDefault - securityContext: - seccompProfile: - type: Localhost - localhostProfile: operator/default/profile1.json ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment06 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - seccompProfile: - type: RuntimeDefault - - name: container02 - image: dummyimagename - securityContext: - seccompProfile: - type: Localhost - localhostProfile: operator/default/profile1.json ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment07 -spec: 
- replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - seccompProfile: - type: RuntimeDefault - containers: - - name: container01 - image: dummyimagename - securityContext: - seccompProfile: - type: RuntimeDefault ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment08 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - seccompProfile: - type: Localhost - localhostProfile: operator/default/profile1.json - containers: - - name: container01 - image: dummyimagename - securityContext: - seccompProfile: - type: RuntimeDefault ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment09 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - - name: initcontainer02 - image: dummyimagename - securityContext: - seccompProfile: - type: RuntimeDefault - containers: - - name: container01 - image: dummyimagename - securityContext: - seccompProfile: - type: RuntimeDefault ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment10 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - seccompProfile: - type: Localhost - localhostProfile: operator/default/profile1.json - - name: initcontainer02 - image: dummyimagename - securityContext: - seccompProfile: - type: RuntimeDefault - containers: - - name: container01 - image: dummyimagename - securityContext: - seccompProfile: - type: RuntimeDefault ---- -###### CronJobs - Bad -apiVersion: batch/v1 -kind: CronJob 
-metadata: - name: badcronjob01 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - securityContext: - seccompProfile: - type: Unconfined ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob02 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - securityContext: - seccompProfile: - type: Unconfined ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob03 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - - name: container02 - image: dummyimagename - securityContext: - seccompProfile: - type: Unconfined ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob04 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - securityContext: - seccompProfile: - type: RuntimeDefault - - name: container02 - image: dummyimagename - securityContext: - seccompProfile: - type: Unconfined ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob05 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - seccompProfile: - type: Unconfined - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob06 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: dummyimagename - - name: initcontainer02 - image: dummyimagename - securityContext: - seccompProfile: - type: Unconfined - 
containers: - - name: container01 - image: dummyimagename ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob07 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - seccompProfile: - type: RuntimeDefault - - name: initcontainer02 - image: dummyimagename - securityContext: - seccompProfile: - type: Unconfined - containers: - - name: container01 - image: dummyimagename ---- -###### CronJobs - Good -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob01 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - securityContext: - seccompProfile: - type: RuntimeDefault ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob02 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - securityContext: - seccompProfile: - type: Localhost - localhostProfile: operator/default/profile1.json ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob03 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - securityContext: - seccompProfile: - type: RuntimeDefault ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob04 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - securityContext: - seccompProfile: - type: Localhost - localhostProfile: operator/default/profile1.json ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob05 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - 
restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - - name: container02 - image: dummyimagename - securityContext: - seccompProfile: - type: RuntimeDefault - securityContext: - seccompProfile: - type: Localhost - localhostProfile: operator/default/profile1.json ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob06 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - securityContext: - seccompProfile: - type: RuntimeDefault - - name: container02 - image: dummyimagename - securityContext: - seccompProfile: - type: Localhost - localhostProfile: operator/default/profile1.json ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob07 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - seccompProfile: - type: RuntimeDefault - containers: - - name: container01 - image: dummyimagename - securityContext: - seccompProfile: - type: RuntimeDefault ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob08 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - seccompProfile: - type: Localhost - localhostProfile: operator/default/profile1.json - containers: - - name: container01 - image: dummyimagename - securityContext: - seccompProfile: - type: RuntimeDefault ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob09 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: dummyimagename - - name: initcontainer02 - image: dummyimagename - securityContext: - seccompProfile: - type: 
RuntimeDefault
- containers:
- - name: container01
- image: dummyimagename
- securityContext:
- seccompProfile:
- type: RuntimeDefault
----
-apiVersion: batch/v1
-kind: CronJob
-metadata:
- name: goodcronjob10
-spec:
- schedule: "*/1 * * * *"
- jobTemplate:
- spec:
- template:
- spec:
- restartPolicy: OnFailure
- initContainers:
- - name: initcontainer01
- image: dummyimagename
- securityContext:
- seccompProfile:
- type: Localhost
- localhostProfile: operator/default/profile1.json
- - name: initcontainer02
- image: dummyimagename
- securityContext:
- seccompProfile:
- type: RuntimeDefault
- containers:
- - name: container01
- image: dummyimagename
- securityContext:
- seccompProfile:
- type: RuntimeDefault
----
diff --git a/pod-security-cel/restricted/restrict-seccomp-strict/artifacthub-pkg.yml b/pod-security-cel/restricted/restrict-seccomp-strict/artifacthub-pkg.yml
index 3bfeea190..527f9037a 100644
--- a/pod-security-cel/restricted/restrict-seccomp-strict/artifacthub-pkg.yml
+++ b/pod-security-cel/restricted/restrict-seccomp-strict/artifacthub-pkg.yml
@@ -19,5 +19,5 @@ annotations:
 kyverno/category: "Pod Security Standards (Restricted)"
 kyverno/kubernetesVersion: "1.26-1.27"
 kyverno/subject: "Pod"
-digest: d31a60d3f693829fa8a17272e9f0e4d7cbbe2773a7e1a282bfc426dbe2e17e9e
+digest: 4deffb0a892939288dabf65e9af18732036a464ae3611028a96ae02215140e77
 createdAt: "2023-12-04T09:04:49Z"
diff --git a/pod-security-cel/restricted/restrict-seccomp-strict/restrict-seccomp-strict.yaml b/pod-security-cel/restricted/restrict-seccomp-strict/restrict-seccomp-strict.yaml
index b1c75662f..ed58c9641 100644
--- a/pod-security-cel/restricted/restrict-seccomp-strict/restrict-seccomp-strict.yaml
+++ b/pod-security-cel/restricted/restrict-seccomp-strict/restrict-seccomp-strict.yaml
@@ -26,9 +26,6 @@ spec:
 - resources:
 kinds:
 - Pod
- operations:
- - CREATE
- - UPDATE
 validate:
 cel:
 expressions:
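Review bot: Removing `operations:` with `CREATE` and `UPDATE` from the `match` block of `restrict-seccomp-strict.yaml` changes the set of admission operations the rule is evaluated on, and nothing in the commit explains why; the enclosing rule and its CEL `expressions` continue outside the hunk. As far as I recall Kyverno evaluates validate rules on CREATE and UPDATE when `operations` is omitted, so this is probably neutral at admission time, but that default should be confirmed for the versions named in `kyverno/kubernetesVersion`, and the generated ValidatingAdmissionPolicy may need the operations to be explicit. If the intent is to match the other CEL policies, a comment on the `resources:` entry would record that, e.g. `# operations left unset on purpose: Kyverno's default for validate rules is CREATE and UPDATE`. The `digest` bump in `artifacthub-pkg.yml` on this line is the expected companion of the policy change.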
diff --git a/pod-security-cel/restricted/restrict-volume-types/.chainsaw-test/chainsaw-test.yaml b/pod-security-cel/restricted/restrict-volume-types/.chainsaw-test/chainsaw-test.yaml
index 8c6194e7f..b23319825 100755
--- a/pod-security-cel/restricted/restrict-volume-types/.chainsaw-test/chainsaw-test.yaml
+++ b/pod-security-cel/restricted/restrict-volume-types/.chainsaw-test/chainsaw-test.yaml
@@ -1,48 +1,49 @@
-# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
 apiVersion: chainsaw.kyverno.io/v1alpha1
 kind: Test
 metadata:
 creationTimestamp: null
 name: restrict-volume-types
 spec:
- # disable templating because it can cause issues with CEL expressions
- template: false
 steps:
 - name: step-01
 try:
 - apply:
- file: ../restrict-volume-types.yaml
- - patch:
- resource:
- apiVersion: kyverno.io/v1
- kind: ClusterPolicy
- metadata:
- name: restrict-volume-types
- spec:
- validationFailureAction: Enforce
+ file: ../../../../pod-security/restricted/restrict-volume-types/.chainsaw-test/ns.yaml
+ - script:
+ content: |
+ sed 's/validationFailureAction: Audit/validationFailureAction: Enforce/' ../restrict-volume-types.yaml | kubectl create -f -
 - assert:
- file: policy-ready.yaml
+ file: ../../../../pod-security/restricted/restrict-volume-types/.chainsaw-test/chainsaw-step-01-assert-1.yaml
 - name: step-02
 try:
 - apply:
- file: pod-good.yaml
+ file: ../../../../pod-security/restricted/restrict-volume-types/.chainsaw-test/pod-good.yaml
 - apply:
 expect:
 - check:
 ($error != null): true
- file: pod-bad.yaml
+ file: ../../../../pod-security/restricted/restrict-volume-types/.chainsaw-test/pod-bad.yaml
 - apply:
- file: podcontroller-good.yaml
+ file: ../../../../pod-security/restricted/restrict-volume-types/.chainsaw-test/podcontroller-good.yaml
 - apply:
 expect:
 - check:
 ($error != null): true
- file: podcontroller-bad.yaml
+ file: ../../../../pod-security/restricted/restrict-volume-types/.chainsaw-test/podcontroller-bad.yaml
 - name: step-99
 try:
- - script:
- env:
- - name: NAMESPACE
- value: $namespace
- content: kubectl delete all --all --force --grace-period=0 -n $NAMESPACE
-
+ - delete:
+ ref:
+ apiVersion: kyverno.io/v1
+ kind: ClusterPolicy
+ name: restrict-volume-types
+ - command:
+ args:
+ - delete
+ - all
+ - --all
+ - --force
+ - --grace-period=0
+ - -n
+ - restrict-voltypes-ns
+
entrypoint: kubectl
diff --git a/pod-security-cel/restricted/restrict-volume-types/.chainsaw-test/pod-bad.yaml b/pod-security-cel/restricted/restrict-volume-types/.chainsaw-test/pod-bad.yaml
deleted file mode 100644
index a7a90ba35..000000000
--- a/pod-security-cel/restricted/restrict-volume-types/.chainsaw-test/pod-bad.yaml
+++ /dev/null
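Review bot: The ClusterPolicy is now created by `kubectl create` inside a `script` step instead of a chainsaw `apply`, so chainsaw no longer tracks it for automatic cleanup; the only thing that removes it is the `delete` in `step-99`, which does not run when `step-01` or `step-02` fails, leaving an Enforce-mode `restrict-volume-types` ClusterPolicy behind for every later test in the run. Moving that `delete` block into a `finally:` on `step-01` makes the cleanup unconditional and keeps `step-99` for the namespace sweep. The sweep also hard-codes `-n restrict-voltypes-ns` where the old step used `$namespace`, which is only correct if the `ns.yaml` pulled in from `pod-security/...` creates exactly that namespace — not verifiable from this diff — so a comment like `# must match metadata.name in the shared ns.yaml` above the `args:` list would protect it. Note too that `sed` silently substitutes nothing if the policy file stops containing `validationFailureAction: Audit`, so the test would then run in Audit mode and fail at the `($error != null)` checks with a misleading message, and `kubectl create` (unlike the previous `apply`) errors if the policy already exists from an aborted earlier run.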
@@ -1,339 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: badpod01 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - volumeMounts: - - name: udev - mountPath: /data - volumes: - - name: udev - gcePersistentDisk: - pdName: gke-pv - fsType: ext4 ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod02 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - volumeMounts: - - name: udev - mountPath: /data - volumes: - - name: udev - awsElasticBlockStore: - volumeID: vol-f37a03aa - fsType: ext4 ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod03 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - volumeMounts: - - name: udev - mountPath: /data - volumes: - - name: udev - gitRepo: - repository: https://github.com/kyverno/kyverno ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod04 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - volumeMounts: - - name: udev - mountPath: /data - volumes: - - name: udev - nfs: - path: /data - server: 10.105.68.50 ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod05 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - volumeMounts: - - name: udev - mountPath: /data - volumes: - - name: udev - iscsi: - lun: 0 - iqn: iqn.1998-01.com.vmware:w1-hs3-n2503.eng.vmware.com:452738760:67 - targetPortal: 10.105.68.50:3260 ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod06 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - volumeMounts: - - name: udev - mountPath: /data - volumes: - - name: udev - glusterfs: - endpoints: test - path: /data ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod07 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - volumeMounts: - - name: udev - mountPath: /data - volumes: - - name: udev - rbd: - image: foo - monitors: - - foo 
---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod08 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - volumeMounts: - - name: udev - mountPath: /data - volumes: - - name: udev - flexVolume: - driver: foo ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod09 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - volumeMounts: - - name: udev - mountPath: /data - volumes: - - name: udev - cinder: - volumeID: my-vol ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod10 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - volumeMounts: - - name: udev - mountPath: /data - volumes: - - name: udev - cephfs: - monitors: - - foo ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod11 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - volumeMounts: - - name: udev - mountPath: /data - volumes: - - name: udev - flocker: - datasetName: fooset ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod12 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - volumeMounts: - - name: udev - mountPath: /data - volumes: - - name: udev - fc: - wwids: - - fooid.corp ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod13 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - volumeMounts: - - name: udev - mountPath: /data - volumes: - - name: udev - azureFile: - secretName: foosecret - shareName: fooshare ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod14 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - volumeMounts: - - name: udev - mountPath: /data - volumes: - - name: udev - vsphereVolume: - volumePath: /foo/disk.vmdk ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod15 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - volumeMounts: - - name: udev - mountPath: 
/data - volumes: - - name: udev - quobyte: - registry: 10.80.90.100:1111 - volume: foovol ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod16 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - volumeMounts: - - name: udev - mountPath: /data - volumes: - - name: udev - azureDisk: - kind: Managed - diskName: foodisk - diskURI: /subscriptions/123456/resourceGroups/MC_myAKSCluster_myAKSCluster_eastus/providers/Microsoft.Compute/disks/myAKSDisk ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod17 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - volumeMounts: - - name: udev - mountPath: /data - volumes: - - name: udev - portworxVolume: - volumeID: myportvol ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod18 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - volumeMounts: - - name: udev - mountPath: /data - volumes: - - name: udev - scaleIO: - gateway: https://localhost:443/api - system: scaleio - volumeName: vol-0 - secretRef: - name: sio-secret - fsType: xfs ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod19 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - volumeMounts: - - name: udev - mountPath: /data - volumes: - - name: udev - storageos: - volumeName: foovol ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod20 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - volumeMounts: - - name: udev - mountPath: /data - volumes: - - name: udev - photonPersistentDisk: - pdID: fooid.corp ---- \ No newline at end of file diff --git a/pod-security-cel/restricted/restrict-volume-types/.chainsaw-test/pod-good.yaml b/pod-security-cel/restricted/restrict-volume-types/.chainsaw-test/pod-good.yaml deleted file mode 100644 index 7446083e8..000000000 --- a/pod-security-cel/restricted/restrict-volume-types/.chainsaw-test/pod-good.yaml +++ /dev/null 
@@ -1,157 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: goodpod01 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod02 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - volumeMounts: - - name: udev - mountPath: /data - volumes: - - name: udev - emptyDir: {} ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod03 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - volumeMounts: - - name: mysettings - mountPath: /settings - volumes: - - name: mysettings - configMap: - name: settings ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod04 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - volumeMounts: - - name: warehouse - mountPath: /warehouse - volumes: - - name: warehouse - csi: - driver: disk.csi.azure.com - readOnly: true - fsType: xfs ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod05 - labels: - foo: bar -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - volumeMounts: - - name: labels - mountPath: /labels - volumes: - - name: labels - downwardAPI: - items: - - path: labels - fieldRef: - fieldPath: metadata.labels ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod06 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - volumeMounts: - - name: ephem - mountPath: /ephem - volumes: - - name: ephem - ephemeral: - volumeClaimTemplate: - metadata: - labels: - type: my-frontend-volume - spec: - accessModes: [ "ReadWriteOnce" ] - storageClassName: "scratch-storage-class" - resources: - requests: - storage: 1Gi ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod07 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - volumeMounts: - - name: foo - mountPath: /foo - volumes: - - name: foo - persistentVolumeClaim: - claimName: 
fooclaim - readOnly: true ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod08 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - volumeMounts: - - mountPath: /var/run/secrets/tokens - name: vault-token - volumes: - - name: vault-token - projected: - sources: - - serviceAccountToken: - path: vault-token - expirationSeconds: 7200 - audience: vault ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod09 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - volumeMounts: - - mountPath: /mysecret - name: mysecret - volumes: - - name: mysecret - secret: - secretName: mysecret ---- diff --git a/pod-security-cel/restricted/restrict-volume-types/.chainsaw-test/podcontroller-bad.yaml b/pod-security-cel/restricted/restrict-volume-types/.chainsaw-test/podcontroller-bad.yaml deleted file mode 100644 index e4468a88b..000000000 --- a/pod-security-cel/restricted/restrict-volume-types/.chainsaw-test/podcontroller-bad.yaml +++ /dev/null 
@@ -1,459 +0,0 @@ -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob01 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - volumeMounts: - - name: udev - mountPath: /data - volumes: - - name: udev - gcePersistentDisk: - pdName: gke-pv - fsType: ext4 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob02 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - volumeMounts: - - name: udev - mountPath: /data - volumes: - - name: udev - awsElasticBlockStore: - volumeID: vol-f37a03aa - fsType: ext4 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob03 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - volumeMounts: - - name: udev - mountPath: /data - volumes: - - name: udev - gitRepo: - repository: https://github.com/kyverno/kyverno ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob04 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - volumeMounts: - - name: udev - mountPath: /data - volumes: - - name: udev - nfs: - path: /data - server: 10.105.68.50 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob05 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - volumeMounts: - - name: udev - mountPath: /data - volumes: - - name: udev - iscsi: - lun: 0 - iqn: iqn.1998-01.com.vmware:w1-hs3-n2503.eng.vmware.com:452738760:67 - targetPortal: 
10.105.68.50:3260 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob06 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - volumeMounts: - - name: udev - mountPath: /data - volumes: - - name: udev - glusterfs: - endpoints: test - path: /data ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob07 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - volumeMounts: - - name: udev - mountPath: /data - volumes: - - name: udev - rbd: - image: foo - monitors: - - foo ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob08 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - volumeMounts: - - name: udev - mountPath: /data - volumes: - - name: udev - flexVolume: - driver: foo ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob09 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - volumeMounts: - - name: udev - mountPath: /data - volumes: - - name: udev - cinder: - volumeID: my-vol ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob10 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - volumeMounts: - - name: udev - mountPath: /data - volumes: - - name: udev - cephfs: - monitors: - - foo ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob11 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: 
- restartPolicy: OnFailure - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - volumeMounts: - - name: udev - mountPath: /data - volumes: - - name: udev - flocker: - datasetName: fooset ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob12 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - volumeMounts: - - name: udev - mountPath: /data - volumes: - - name: udev - fc: - wwids: - - fooid.corp ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob13 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - volumeMounts: - - name: udev - mountPath: /data - volumes: - - name: udev - azureFile: - secretName: foosecret - shareName: fooshare ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob14 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - volumeMounts: - - name: udev - mountPath: /data - volumes: - - name: udev - vsphereVolume: - volumePath: /foo/disk.vmdk ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob15 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - volumeMounts: - - name: udev - mountPath: /data - volumes: - - name: udev - quobyte: - registry: 10.80.90.100:1111 - volume: foovol ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob16 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - 
volumeMounts: - - name: udev - mountPath: /data - volumes: - - name: udev - azureDisk: - kind: Managed - diskName: foodisk - diskURI: /subscriptions/123456/resourceGroups/MC_myAKSCluster_myAKSCluster_eastus/providers/Microsoft.Compute/disks/myAKSDisk ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob17 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - volumeMounts: - - name: udev - mountPath: /data - volumes: - - name: udev - portworxVolume: - volumeID: myportvol ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob18 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - volumeMounts: - - name: udev - mountPath: /data - volumes: - - name: udev - scaleIO: - gateway: https://localhost:443/api - system: scaleio - volumeName: vol-0 - secretRef: - name: sio-secret - fsType: xfs ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob19 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - volumeMounts: - - name: udev - mountPath: /data - volumes: - - name: udev - storageos: - volumeName: foovol ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob20 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - volumeMounts: - - name: udev - mountPath: /data - volumes: - - name: udev - photonPersistentDisk: - pdID: fooid.corp ---- \ No newline at end of file 
diff --git a/pod-security-cel/restricted/restrict-volume-types/.chainsaw-test/podcontroller-good.yaml b/pod-security-cel/restricted/restrict-volume-types/.chainsaw-test/podcontroller-good.yaml deleted file mode 100644 index a49214521..000000000 --- a/pod-security-cel/restricted/restrict-volume-types/.chainsaw-test/podcontroller-good.yaml +++ /dev/null 
@@ -1,371 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment01 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment02 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - volumeMounts: - - name: udev - mountPath: /data - volumes: - - name: udev - emptyDir: {} ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment05 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - foo: bar - spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - volumeMounts: - - name: labels - mountPath: /labels - volumes: - - name: labels - downwardAPI: - items: - - path: labels - fieldRef: - fieldPath: metadata.labels ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment06 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - volumeMounts: - - name: ephem - mountPath: /ephem - volumes: - - name: ephem - ephemeral: - volumeClaimTemplate: - metadata: - labels: - type: my-frontend-volume - spec: - accessModes: [ "ReadWriteOnce" ] - storageClassName: "scratch-storage-class" - resources: - requests: - storage: 1Gi ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment07 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - volumeMounts: - - name: foo - mountPath: /foo - volumes: - - name: foo - 
persistentVolumeClaim: - claimName: fooclaim - readOnly: true ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment08 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - volumeMounts: - - mountPath: /var/run/secrets/tokens - name: vault-token - volumes: - - name: vault-token - projected: - sources: - - serviceAccountToken: - path: vault-token - expirationSeconds: 7200 - audience: vault ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob01 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob02 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - volumeMounts: - - name: udev - mountPath: /data - volumes: - - name: udev - emptyDir: {} ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob03 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - volumeMounts: - - name: mysettings - mountPath: /settings - volumes: - - name: mysettings - configMap: - name: settings ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob04 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - volumeMounts: - - name: warehouse - mountPath: /warehouse - volumes: - - name: warehouse - csi: - driver: disk.csi.azure.com - readOnly: true - fsType: xfs ---- -apiVersion: batch/v1 -kind: CronJob 
-metadata: - name: goodcronjob05 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - metadata: - labels: - foo: bar - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - volumeMounts: - - name: labels - mountPath: /labels - volumes: - - name: labels - downwardAPI: - items: - - path: labels - fieldRef: - fieldPath: metadata.labels ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob06 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - volumeMounts: - - name: ephem - mountPath: /ephem - volumes: - - name: ephem - ephemeral: - volumeClaimTemplate: - metadata: - labels: - type: my-frontend-volume - spec: - accessModes: [ "ReadWriteOnce" ] - storageClassName: "scratch-storage-class" - resources: - requests: - storage: 1Gi ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob07 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - volumeMounts: - - name: foo - mountPath: /foo - volumes: - - name: foo - persistentVolumeClaim: - claimName: fooclaim - readOnly: true ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob08 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - volumeMounts: - - mountPath: /var/run/secrets/tokens - name: vault-token - volumes: - - name: vault-token - projected: - sources: - - serviceAccountToken: - path: vault-token - expirationSeconds: 7200 - audience: vault ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob09 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: 
OnFailure - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - volumeMounts: - - mountPath: /mysecret - name: mysecret - volumes: - - name: mysecret - secret: - secretName: mysecret diff --git a/pod-security-cel/restricted/restrict-volume-types/.chainsaw-test/policy-ready.yaml b/pod-security-cel/restricted/restrict-volume-types/.chainsaw-test/policy-ready.yaml deleted file mode 100755 index 9ced74a13..000000000 --- a/pod-security-cel/restricted/restrict-volume-types/.chainsaw-test/policy-ready.yaml +++ /dev/null @@ -1,10 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: restrict-volume-types -status: - conditions: - - reason: Succeeded - status: "True" - type: Ready - diff --git a/pod-security-cel/restricted/restrict-volume-types/.kyverno-test/kyverno-test.yaml b/pod-security-cel/restricted/restrict-volume-types/.kyverno-test/kyverno-test.yaml index 887f2c0a6..1cd4e46fd 100644 --- a/pod-security-cel/restricted/restrict-volume-types/.kyverno-test/kyverno-test.yaml +++ b/pod-security-cel/restricted/restrict-volume-types/.kyverno-test/kyverno-test.yaml @@ -5,7 +5,7 @@ metadata: policies: - ../restrict-volume-types.yaml resources: -- resource.yaml +- ../../../../pod-security/restricted/restrict-volume-types/.kyverno-test/resource.yaml results: - kind: CronJob policy: restrict-volume-types diff --git a/pod-security-cel/restricted/restrict-volume-types/.kyverno-test/resource.yaml b/pod-security-cel/restricted/restrict-volume-types/.kyverno-test/resource.yaml deleted file mode 100644 index 2d65aca0d..000000000 --- a/pod-security-cel/restricted/restrict-volume-types/.kyverno-test/resource.yaml +++ /dev/null 
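Review bot: The `resources:` entry in kyverno-test.yaml now points four directories up into the sibling `pod-security/restricted/restrict-volume-types/.kyverno-test/resource.yaml`, so this CEL policy's test silently depends on a fixture owned by another policy; any rename of a Pod, Deployment or CronJob in that file (the deleted local copy used names such as `badpod01`, `gooddeployment01`, `badcronjob01`) would break the `results:` matching here without any change in this directory. Nothing in the hunk records that coupling, so I would annotate the path: `# shared fixture, owned by pod-security/restricted/restrict-volume-types; resource names must stay in sync with the results below`. It may also be worth confirming that the shared fixture still contains every resource name listed under `results:`, which continues past the end of this hunk.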
@@ -1,1929 +0,0 @@ -###### Pods - Bad ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod01 -spec: - containers: - - name: container01 - image: dummyimagename - volumeMounts: - - name: udev - mountPath: /data - volumes: - - name: udev - gcePersistentDisk: - pdName: gke-pv - fsType: ext4 ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod02 -spec: - containers: - - name: container01 - image: dummyimagename - volumeMounts: - - name: udev - mountPath: /data - volumes: - - name: udev - awsElasticBlockStore: - volumeID: vol-f37a03aa - fsType: ext4 ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod03 -spec: - containers: - - name: container01 - image: dummyimagename - volumeMounts: - - name: udev - mountPath: /data - volumes: - - name: udev - gitRepo: - repository: https://github.com/kyverno/kyverno ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod04 -spec: - containers: - - name: container01 - image: dummyimagename - volumeMounts: - - name: udev - mountPath: /data - volumes: - - name: udev - nfs: - path: /data - server: 10.105.68.50 ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod05 -spec: - containers: - - name: container01 - image: dummyimagename - volumeMounts: - - name: udev - mountPath: /data - volumes: - - name: udev - iscsi: - lun: 0 - iqn: iqn.1998-01.com.vmware:w1-hs3-n2503.eng.vmware.com:452738760:67 - targetPortal: 10.105.68.50:3260 ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod06 -spec: - containers: - - name: container01 - image: dummyimagename - volumeMounts: - - name: udev - mountPath: /data - volumes: - - name: udev - glusterfs: - endpoints: test - path: /data ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod07 -spec: - containers: - - name: container01 - image: dummyimagename - volumeMounts: - - name: udev - mountPath: /data - volumes: - - name: udev - rbd: - image: foo - monitors: - - foo ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod08 -spec: - containers: - - name: container01 - image: 
dummyimagename - volumeMounts: - - name: udev - mountPath: /data - volumes: - - name: udev - flexVolume: - driver: foo ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod09 -spec: - containers: - - name: container01 - image: dummyimagename - volumeMounts: - - name: udev - mountPath: /data - volumes: - - name: udev - cinder: - volumeID: my-vol ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod10 -spec: - containers: - - name: container01 - image: dummyimagename - volumeMounts: - - name: udev - mountPath: /data - volumes: - - name: udev - cephfs: - monitors: - - foo ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod11 -spec: - containers: - - name: container01 - image: dummyimagename - volumeMounts: - - name: udev - mountPath: /data - volumes: - - name: udev - flocker: - datasetName: fooset ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod12 -spec: - containers: - - name: container01 - image: dummyimagename - volumeMounts: - - name: udev - mountPath: /data - volumes: - - name: udev - fc: - wwids: - - fooid.corp ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod13 -spec: - containers: - - name: container01 - image: dummyimagename - volumeMounts: - - name: udev - mountPath: /data - volumes: - - name: udev - azureFile: - secretName: foosecret - shareName: fooshare ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod14 -spec: - containers: - - name: container01 - image: dummyimagename - volumeMounts: - - name: udev - mountPath: /data - volumes: - - name: udev - vsphereVolume: - volumePath: /foo/disk.vmdk ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod15 -spec: - containers: - - name: container01 - image: dummyimagename - volumeMounts: - - name: udev - mountPath: /data - volumes: - - name: udev - quobyte: - registry: 10.80.90.100:1111 - volume: foovol ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod16 -spec: - containers: - - name: container01 - image: dummyimagename - volumeMounts: - - name: udev - mountPath: 
/data - volumes: - - name: udev - azureDisk: - kind: Managed - diskName: foodisk - diskURI: /subscriptions/123456/resourceGroups/MC_myAKSCluster_myAKSCluster_eastus/providers/Microsoft.Compute/disks/myAKSDisk ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod17 -spec: - containers: - - name: container01 - image: dummyimagename - volumeMounts: - - name: udev - mountPath: /data - volumes: - - name: udev - portworxVolume: - volumeID: myportvol ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod18 -spec: - containers: - - name: container01 - image: dummyimagename - volumeMounts: - - name: udev - mountPath: /data - volumes: - - name: udev - scaleIO: - gateway: https://localhost:443/api - system: scaleio - volumeName: vol-0 - secretRef: - name: sio-secret - fsType: xfs ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod19 -spec: - containers: - - name: container01 - image: dummyimagename - volumeMounts: - - name: udev - mountPath: /data - volumes: - - name: udev - storageos: - volumeName: foovol ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod20 -spec: - containers: - - name: container01 - image: dummyimagename - volumeMounts: - - name: udev - mountPath: /data - volumes: - - name: udev - photonPersistentDisk: - pdID: fooid.corp ---- -###### Pods - Good -apiVersion: v1 -kind: Pod -metadata: - name: goodpod01 -spec: - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod02 -spec: - containers: - - name: container01 - image: dummyimagename - volumeMounts: - - name: udev - mountPath: /data - volumes: - - name: udev - emptyDir: {} ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod03 -spec: - containers: - - name: container01 - image: dummyimagename - volumeMounts: - - name: mysettings - mountPath: /settings - volumes: - - name: mysettings - configMap: - name: settings ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod04 -spec: - containers: - - name: container01 - image: 
dummyimagename - volumeMounts: - - name: warehouse - mountPath: /warehouse - volumes: - - name: warehouse - csi: - driver: disk.csi.azure.com - readOnly: true - fsType: xfs ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod05 - labels: - foo: bar -spec: - containers: - - name: container01 - image: dummyimagename - volumeMounts: - - name: labels - mountPath: /labels - volumes: - - name: labels - downwardAPI: - items: - - path: labels - fieldRef: - fieldPath: metadata.labels ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod06 -spec: - containers: - - name: container01 - image: dummyimagename - volumeMounts: - - name: ephem - mountPath: /ephem - volumes: - - name: ephem - ephemeral: - volumeClaimTemplate: - metadata: - labels: - type: my-frontend-volume - spec: - accessModes: [ "ReadWriteOnce" ] - storageClassName: "scratch-storage-class" - resources: - requests: - storage: 1Gi ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod07 -spec: - containers: - - name: container01 - image: dummyimagename - volumeMounts: - - name: foo - mountPath: /foo - volumes: - - name: foo - persistentVolumeClaim: - claimName: fooclaim - readOnly: true ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod08 -spec: - containers: - - name: container01 - image: dummyimagename - volumeMounts: - - mountPath: /var/run/secrets/tokens - name: vault-token - volumes: - - name: vault-token - projected: - sources: - - serviceAccountToken: - path: vault-token - expirationSeconds: 7200 - audience: vault ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod09 -spec: - containers: - - name: container01 - image: dummyimagename - volumeMounts: - - mountPath: /mysecret - name: mysecret - volumes: - - name: mysecret - secret: - secretName: mysecret ---- -###### Deployments - Bad -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment01 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: 
- - name: container01 - image: dummyimagename - volumeMounts: - - name: udev - mountPath: /data - volumes: - - name: udev - gcePersistentDisk: - pdName: gke-pv - fsType: ext4 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment02 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - volumeMounts: - - name: udev - mountPath: /data - volumes: - - name: udev - awsElasticBlockStore: - volumeID: vol-f37a03aa - fsType: ext4 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment03 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - volumeMounts: - - name: udev - mountPath: /data - volumes: - - name: udev - gitRepo: - repository: https://github.com/kyverno/kyverno ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment04 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - volumeMounts: - - name: udev - mountPath: /data - volumes: - - name: udev - nfs: - path: /data - server: 10.105.68.50 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment05 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - volumeMounts: - - name: udev - mountPath: /data - volumes: - - name: udev - iscsi: - lun: 0 - iqn: iqn.1998-01.com.vmware:w1-hs3-n2503.eng.vmware.com:452738760:67 - targetPortal: 10.105.68.50:3260 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment06 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: 
container01 - image: dummyimagename - volumeMounts: - - name: udev - mountPath: /data - volumes: - - name: udev - glusterfs: - endpoints: test - path: /data ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment07 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - volumeMounts: - - name: udev - mountPath: /data - volumes: - - name: udev - rbd: - image: foo - monitors: - - foo ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment08 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - volumeMounts: - - name: udev - mountPath: /data - volumes: - - name: udev - flexVolume: - driver: foo ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment09 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - volumeMounts: - - name: udev - mountPath: /data - volumes: - - name: udev - cinder: - volumeID: my-vol ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment10 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - volumeMounts: - - name: udev - mountPath: /data - volumes: - - name: udev - cephfs: - monitors: - - foo ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment11 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - volumeMounts: - - name: udev - mountPath: /data - volumes: - - name: udev - flocker: - datasetName: fooset ---- -apiVersion: apps/v1 -kind: Deployment 
-metadata: - name: baddeployment12 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - volumeMounts: - - name: udev - mountPath: /data - volumes: - - name: udev - fc: - wwids: - - fooid.corp ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment13 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - volumeMounts: - - name: udev - mountPath: /data - volumes: - - name: udev - azureFile: - secretName: foosecret - shareName: fooshare ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment14 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - volumeMounts: - - name: udev - mountPath: /data - volumes: - - name: udev - vsphereVolume: - volumePath: /foo/disk.vmdk ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment15 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - volumeMounts: - - name: udev - mountPath: /data - volumes: - - name: udev - quobyte: - registry: 10.80.90.100:1111 - volume: foovol ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment16 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - volumeMounts: - - name: udev - mountPath: /data - volumes: - - name: udev - azureDisk: - kind: Managed - diskName: foodisk - diskURI: /subscriptions/123456/resourceGroups/MC_myAKSCluster_myAKSCluster_eastus/providers/Microsoft.Compute/disks/myAKSDisk ---- -apiVersion: apps/v1 -kind: 
Deployment -metadata: - name: baddeployment17 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - volumeMounts: - - name: udev - mountPath: /data - volumes: - - name: udev - portworxVolume: - volumeID: myportvol ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment18 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - volumeMounts: - - name: udev - mountPath: /data - volumes: - - name: udev - scaleIO: - gateway: https://localhost:443/api - system: scaleio - volumeName: vol-0 - secretRef: - name: sio-secret - fsType: xfs ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment19 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - volumeMounts: - - name: udev - mountPath: /data - volumes: - - name: udev - storageos: - volumeName: foovol ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment20 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - volumeMounts: - - name: udev - mountPath: /data - volumes: - - name: udev - photonPersistentDisk: - pdID: fooid.corp ---- -###### Deployments - Good -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment01 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment02 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - 
containers: - - name: container01 - image: dummyimagename - volumeMounts: - - name: udev - mountPath: /data - volumes: - - name: udev - emptyDir: {} ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment03 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - volumeMounts: - - name: mysettings - mountPath: /settings - volumes: - - name: mysettings - configMap: - name: settings ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment04 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - volumeMounts: - - name: warehouse - mountPath: /warehouse - volumes: - - name: warehouse - csi: - driver: disk.csi.azure.com - readOnly: true - fsType: xfs ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment05 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - foo: bar - spec: - containers: - - name: container01 - image: dummyimagename - volumeMounts: - - name: labels - mountPath: /labels - volumes: - - name: labels - downwardAPI: - items: - - path: labels - fieldRef: - fieldPath: metadata.labels ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment06 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - volumeMounts: - - name: ephem - mountPath: /ephem - volumes: - - name: ephem - ephemeral: - volumeClaimTemplate: - metadata: - labels: - type: my-frontend-volume - spec: - accessModes: [ "ReadWriteOnce" ] - storageClassName: "scratch-storage-class" - resources: - requests: - storage: 1Gi ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment07 -spec: - 
replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - volumeMounts: - - name: foo - mountPath: /foo - volumes: - - name: foo - persistentVolumeClaim: - claimName: fooclaim - readOnly: true ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment08 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - volumeMounts: - - mountPath: /var/run/secrets/tokens - name: vault-token - volumes: - - name: vault-token - projected: - sources: - - serviceAccountToken: - path: vault-token - expirationSeconds: 7200 - audience: vault ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment09 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - volumeMounts: - - mountPath: /mysecret - name: mysecret - volumes: - - name: mysecret - secret: - secretName: mysecret ---- -###### CronJobs - Bad -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob01 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - volumeMounts: - - name: udev - mountPath: /data - volumes: - - name: udev - gcePersistentDisk: - pdName: gke-pv - fsType: ext4 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob02 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - volumeMounts: - - name: udev - mountPath: /data - volumes: - - name: udev - awsElasticBlockStore: - volumeID: vol-f37a03aa - fsType: ext4 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob03 -spec: - 
schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - volumeMounts: - - name: udev - mountPath: /data - volumes: - - name: udev - gitRepo: - repository: https://github.com/kyverno/kyverno ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob04 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - volumeMounts: - - name: udev - mountPath: /data - volumes: - - name: udev - nfs: - path: /data - server: 10.105.68.50 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob05 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - volumeMounts: - - name: udev - mountPath: /data - volumes: - - name: udev - iscsi: - lun: 0 - iqn: iqn.1998-01.com.vmware:w1-hs3-n2503.eng.vmware.com:452738760:67 - targetPortal: 10.105.68.50:3260 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob06 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - volumeMounts: - - name: udev - mountPath: /data - volumes: - - name: udev - glusterfs: - endpoints: test - path: /data ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob07 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - volumeMounts: - - name: udev - mountPath: /data - volumes: - - name: udev - rbd: - image: foo - monitors: - - foo ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob08 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: 
container01 - image: dummyimagename - volumeMounts: - - name: udev - mountPath: /data - volumes: - - name: udev - flexVolume: - driver: foo ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob09 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - volumeMounts: - - name: udev - mountPath: /data - volumes: - - name: udev - cinder: - volumeID: my-vol ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob10 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - volumeMounts: - - name: udev - mountPath: /data - volumes: - - name: udev - cephfs: - monitors: - - foo ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob11 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - volumeMounts: - - name: udev - mountPath: /data - volumes: - - name: udev - flocker: - datasetName: fooset ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob12 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - volumeMounts: - - name: udev - mountPath: /data - volumes: - - name: udev - fc: - wwids: - - fooid.corp ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob13 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - volumeMounts: - - name: udev - mountPath: /data - volumes: - - name: udev - azureFile: - secretName: foosecret - shareName: fooshare ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob14 -spec: - schedule: "*/1 * * * *" - 
jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - volumeMounts: - - name: udev - mountPath: /data - volumes: - - name: udev - vsphereVolume: - volumePath: /foo/disk.vmdk ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob15 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - volumeMounts: - - name: udev - mountPath: /data - volumes: - - name: udev - quobyte: - registry: 10.80.90.100:1111 - volume: foovol ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob16 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - volumeMounts: - - name: udev - mountPath: /data - volumes: - - name: udev - azureDisk: - kind: Managed - diskName: foodisk - diskURI: /subscriptions/123456/resourceGroups/MC_myAKSCluster_myAKSCluster_eastus/providers/Microsoft.Compute/disks/myAKSDisk ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob17 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - volumeMounts: - - name: udev - mountPath: /data - volumes: - - name: udev - portworxVolume: - volumeID: myportvol ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob18 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - volumeMounts: - - name: udev - mountPath: /data - volumes: - - name: udev - scaleIO: - gateway: https://localhost:443/api - system: scaleio - volumeName: vol-0 - secretRef: - name: sio-secret - fsType: xfs ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob19 -spec: - 
schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - volumeMounts: - - name: udev - mountPath: /data - volumes: - - name: udev - storageos: - volumeName: foovol ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob20 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - volumeMounts: - - name: udev - mountPath: /data - volumes: - - name: udev - photonPersistentDisk: - pdID: fooid.corp ---- -###### CronJobs - Good -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob01 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob02 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - volumeMounts: - - name: udev - mountPath: /data - volumes: - - name: udev - emptyDir: {} ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob03 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - volumeMounts: - - name: mysettings - mountPath: /settings - volumes: - - name: mysettings - configMap: - name: settings ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob04 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - volumeMounts: - - name: warehouse - mountPath: /warehouse - volumes: - - name: warehouse - csi: - driver: disk.csi.azure.com - readOnly: true - fsType: xfs ---- -apiVersion: batch/v1 
-kind: CronJob -metadata: - name: goodcronjob05 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - metadata: - labels: - foo: bar - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - volumeMounts: - - name: labels - mountPath: /labels - volumes: - - name: labels - downwardAPI: - items: - - path: labels - fieldRef: - fieldPath: metadata.labels ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob06 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - volumeMounts: - - name: ephem - mountPath: /ephem - volumes: - - name: ephem - ephemeral: - volumeClaimTemplate: - metadata: - labels: - type: my-frontend-volume - spec: - accessModes: [ "ReadWriteOnce" ] - storageClassName: "scratch-storage-class" - resources: - requests: - storage: 1Gi ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob07 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - volumeMounts: - - name: foo - mountPath: /foo - volumes: - - name: foo - persistentVolumeClaim: - claimName: fooclaim - readOnly: true ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob08 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - volumeMounts: - - mountPath: /var/run/secrets/tokens - name: vault-token - volumes: - - name: vault-token - projected: - sources: - - serviceAccountToken: - path: vault-token - expirationSeconds: 7200 - audience: vault ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob09 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: 
dummyimagename - volumeMounts: - - mountPath: /mysecret - name: mysecret - volumes: - - name: mysecret - secret: - secretName: mysecret diff --git a/pod-security-cel/restricted/restrict-volume-types/artifacthub-pkg.yml b/pod-security-cel/restricted/restrict-volume-types/artifacthub-pkg.yml index d31a692c6..f231b9264 100644 --- a/pod-security-cel/restricted/restrict-volume-types/artifacthub-pkg.yml +++ b/pod-security-cel/restricted/restrict-volume-types/artifacthub-pkg.yml @@ -19,5 +19,5 @@ annotations: kyverno/category: "Pod Security Standards (Restricted)" kyverno/kubernetesVersion: "1.26-1.27" kyverno/subject: "Pod,Volume" -digest: 0b2ded796c6a4ad41059c39be548ec980c64c2adde87119a9290d26ada5628f9 +digest: d5e29d1e422d57878e74db9bc93f8db1588c6dbb777e13a02d873952a5134d59 createdAt: "2024-01-02T15:37:55Z" diff --git a/pod-security-cel/restricted/restrict-volume-types/restrict-volume-types.yaml b/pod-security-cel/restricted/restrict-volume-types/restrict-volume-types.yaml index 5dec2183d..7d57ec798 100644 --- a/pod-security-cel/restricted/restrict-volume-types/restrict-volume-types.yaml +++ b/pod-security-cel/restricted/restrict-volume-types/restrict-volume-types.yaml @@ -24,9 +24,6 @@ spec: - resources: kinds: - Pod - operations: - - CREATE - - UPDATE validate: cel: expressions: diff --git a/pod-security/baseline/disallow-capabilities/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/pod-security/baseline/disallow-capabilities/.chainsaw-test/chainsaw-step-01-assert-1.yaml index ab17d56d2..5c1ca4056 100755 --- a/pod-security/baseline/disallow-capabilities/.chainsaw-test/chainsaw-step-01-assert-1.yaml +++ b/pod-security/baseline/disallow-capabilities/.chainsaw-test/chainsaw-step-01-assert-1.yaml @@ -3,8 +3,4 @@ kind: ClusterPolicy metadata: name: disallow-capabilities status: - conditions: - - reason: Succeeded - status: "True" - type: Ready - + ready: true 
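Review bot: Dropping `operations: [CREATE, UPDATE]` from the `match` entry in restrict-volume-types.yaml leaves the set of admission operations this rule runs on to the engine default, and nothing in the hunk or the pinned `kyverno/kubernetesVersion` range says what that default is. If the default includes DELETE or CONNECT, the CEL validation (its `expressions:` list continues past this hunk) would presumably be evaluated on operations where rejecting a Pod makes no sense and could block deletions; if the removal is intentional, say why in a comment above `kinds:`, e.g. `# operations intentionally unset: engine default applies — verified against the supported Kyverno versions`. The enclosing rule starts before this hunk.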
diff --git a/pod-security/baseline/disallow-capabilities/.chainsaw-test/chainsaw-test.yaml b/pod-security/baseline/disallow-capabilities/.chainsaw-test/chainsaw-test.yaml index a1099d0fa..a6dbd6744 100755 --- a/pod-security/baseline/disallow-capabilities/.chainsaw-test/chainsaw-test.yaml +++ b/pod-security/baseline/disallow-capabilities/.chainsaw-test/chainsaw-test.yaml @@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: @@ -8,16 +7,9 @@ spec: steps: - name: step-01 try: - - apply: - file: ../disallow-capabilities.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: disallow-capabilities - spec: - validationFailureAction: Enforce + - script: + content: | + sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../disallow-capabilities.yaml | kubectl create -f - - assert: file: chainsaw-step-01-assert-1.yaml - name: step-02 @@ -36,3 +28,10 @@ spec: - check: ($error != null): true file: podcontroller-bad.yaml + - name: step-99 + try: + - delete: + ref: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: disallow-capabilities diff --git a/pod-security/baseline/disallow-capabilities/.chainsaw-test/pod-bad.yaml b/pod-security/baseline/disallow-capabilities/.chainsaw-test/pod-bad.yaml index bbaf3bdc0..5c7bd5f6b 100644 --- a/pod-security/baseline/disallow-capabilities/.chainsaw-test/pod-bad.yaml +++ b/pod-security/baseline/disallow-capabilities/.chainsaw-test/pod-bad.yaml @@ -5,7 +5,7 @@ metadata: spec: initContainers: - name: init - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: 
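Review bot: The `sed ... | kubectl create -f -` step in the second chainsaw-test.yaml hunk replaces a declarative apply+patch with a text substitution that fails silently: if the policy file spells the value `Audit` or the line is ever reworded, the pattern does not match, sed emits the file unchanged, and the policy is installed in audit mode, so the later `($error != null): true` checks fail for a reason unrelated to the policy under test. `kubectl create` also errors when the ClusterPolicy already exists (a rerun after an aborted test), and because the resource is created by a script rather than an `apply` entry, chainsaw presumably does not track it for cleanup — hence the added `step-99` delete in the third hunk, which likely does not run when an earlier step fails. A guard plus an idempotent apply keeps the intent: `grep -q 'validationFailureAction: audit' ../disallow-capabilities.yaml` before the pipeline, and `kubectl apply -f -` in place of `kubectl create -f -`; alternatively the removed `patch:` entry needs no text matching at all.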
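Review bot: Every `image:` line in the pod-bad.yaml hunks moves from the project-controlled `ghcr.io/kyverno/test-busybox:1.35` to the unqualified `busybox:1.35`, which is resolved through the container runtime's default registry (normally Docker Hub), so the fixtures now depend on Docker Hub availability, anonymous pull-rate limits, and a tag the project does not control; the same applies to pod-good.yaml, podcontroller-bad.yaml and podcontroller-good.yaml in this commit. The registry change is not explained anywhere in the hunks, so a short reason belongs in the commit message or a comment at the top of the file, e.g. `# busybox pulled from Docker Hub; tag 1.35 is mutable — pin by digest if pulls become flaky`. If deterministic pulls are wanted, a fully-qualified, digest-pinned reference does it: `image: docker.io/library/busybox:1.35@sha256:<digest-placeholder>`.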
@@ -14,12 +14,12 @@ spec: - MKNOD containers: - name: add-capabilities - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: ["SYS_CHROOT", "SETUID", "KILL", "SETGID"] - name: add-capabilities-again - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: ["NET_BIND_SERVICE", "SETPCAP", "SETFCAP", "FOWNER"] @@ -33,7 +33,7 @@ metadata: spec: initContainers: - name: init - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: @@ -41,7 +41,7 @@ spec: - CHOWN - MKNOD - name: init-again - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: ["SYS_CHROOT", "SETUID", "KILL", "SETGID"] @@ -49,7 +49,7 @@ spec: - "ALL" containers: - name: add-capabilities - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: ["NET_BIND_SERVICE", "SETPCAP", "CAP_NET_RAW", "FOWNER"] @@ -61,7 +61,7 @@ metadata: spec: containers: - name: add-capabilities - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: ["NET_BIND_SERVICE", "CAP_SETPCAP", "SETFCAP", "FOWNER"] @@ -73,7 +73,7 @@ metadata: spec: containers: - name: add-capabilities - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: ["CAP_NET_RAW", "CAP_SYS_ADMIN", "NET_ADMIN"] @@ -85,7 +85,7 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: @@ -98,7 +98,7 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: 
@@ -112,13 +112,13 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: - NET_RAW - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: @@ -131,14 +131,14 @@ metadata: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: - NET_RAW containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: @@ -151,16 +151,16 @@ metadata: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: - NET_RAW containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: @@ -173,14 +173,14 @@ metadata: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: - NET_RAW containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: diff --git a/pod-security/baseline/disallow-capabilities/.chainsaw-test/pod-good.yaml b/pod-security/baseline/disallow-capabilities/.chainsaw-test/pod-good.yaml index d7dec96bc..a0806e7c0 100644 --- a/pod-security/baseline/disallow-capabilities/.chainsaw-test/pod-good.yaml +++ b/pod-security/baseline/disallow-capabilities/.chainsaw-test/pod-good.yaml @@ -5,7 +5,7 @@ metadata: spec: initContainers: - name: init - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: 
@@ -14,12 +14,12 @@ spec: - MKNOD containers: - name: add-capabilities - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: ["SYS_CHROOT", "SETUID", "KILL", "SETGID"] - name: add-capabilities-again - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: ["NET_BIND_SERVICE", "SETPCAP", "SETFCAP", "FOWNER"] @@ -33,7 +33,7 @@ metadata: spec: initContainers: - name: init - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: @@ -41,7 +41,7 @@ spec: - CHOWN - MKNOD - name: init-again - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: ["SYS_CHROOT", "SETUID", "KILL", "SETGID"] @@ -49,7 +49,7 @@ spec: - "ALL" containers: - name: add-capabilities - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: ["NET_BIND_SERVICE", "SETPCAP", "SETFCAP", "FOWNER"] @@ -61,7 +61,7 @@ metadata: spec: containers: - name: add-capabilities - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: ["NET_BIND_SERVICE", "SETPCAP", "SETFCAP", "FOWNER"] @@ -73,9 +73,9 @@ metadata: spec: containers: - name: add-capabilities - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: add-capabilities-again - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod @@ -84,7 +84,7 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod @@ -93,7 +93,7 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: 
@@ -106,13 +106,13 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: - DAC_OVERRIDE - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: @@ -125,10 +125,10 @@ metadata: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod @@ -137,14 +137,14 @@ metadata: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: - DAC_OVERRIDE containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod @@ -153,14 +153,14 @@ metadata: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: - DAC_OVERRIDE containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: diff --git a/pod-security/baseline/disallow-capabilities/.chainsaw-test/podcontroller-bad.yaml b/pod-security/baseline/disallow-capabilities/.chainsaw-test/podcontroller-bad.yaml index 9307c1c14..fb3fca4d4 100644 --- a/pod-security/baseline/disallow-capabilities/.chainsaw-test/podcontroller-bad.yaml +++ b/pod-security/baseline/disallow-capabilities/.chainsaw-test/podcontroller-bad.yaml @@ -14,7 +14,7 @@ spec: spec: initContainers: - name: init - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: 
@@ -23,12 +23,12 @@ spec: - MKNOD containers: - name: add-capabilities - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: ["SYS_CHROOT", "SETUID", "KILL", "SETGID"] - name: add-capabilities-again - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: ["NET_BIND_SERVICE", "CAP_NET_RAW", "SETFCAP", "FOWNER"] @@ -48,7 +48,7 @@ spec: restartPolicy: Never initContainers: - name: init - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: @@ -57,12 +57,12 @@ spec: - MKNOD containers: - name: add-capabilities - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: ["SYS_CHROOT", "CAP_SYS_ADMIN", "KILL", "SETGID"] - name: add-capabilities-again - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: ["NET_BIND_SERVICE", "SETPCAP", "SETFCAP", "FOWNER"] @@ -85,7 +85,7 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: @@ -107,7 +107,7 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: @@ -130,13 +130,13 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: - NET_RAW - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: @@ -158,14 +158,14 @@ spec: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: - NET_RAW containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: 
@@ -187,16 +187,16 @@ spec: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: - NET_RAW containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: @@ -218,14 +218,14 @@ spec: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: - NET_RAW containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: @@ -244,7 +244,7 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: @@ -263,7 +263,7 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: @@ -283,13 +283,13 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: - NET_RAW - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: @@ -308,14 +308,14 @@ spec: restartPolicy: OnFailure initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: - NET_RAW containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: 
@@ -334,16 +334,16 @@ spec: restartPolicy: OnFailure initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: - NET_RAW containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: @@ -362,14 +362,14 @@ spec: restartPolicy: OnFailure initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: - NET_RAW containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: diff --git a/pod-security/baseline/disallow-capabilities/.chainsaw-test/podcontroller-good.yaml b/pod-security/baseline/disallow-capabilities/.chainsaw-test/podcontroller-good.yaml index eb8386d5d..431dbcfcb 100644 --- a/pod-security/baseline/disallow-capabilities/.chainsaw-test/podcontroller-good.yaml +++ b/pod-security/baseline/disallow-capabilities/.chainsaw-test/podcontroller-good.yaml @@ -14,7 +14,7 @@ spec: spec: initContainers: - name: init - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: @@ -23,12 +23,12 @@ spec: - MKNOD containers: - name: add-capabilities - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: ["SYS_CHROOT", "SETUID", "KILL", "SETGID"] - name: add-capabilities-again - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: ["NET_BIND_SERVICE", "SETPCAP", "SETFCAP", "FOWNER"] @@ -48,7 +48,7 @@ spec: restartPolicy: Never initContainers: - name: init - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: 
@@ -57,12 +57,12 @@ spec: - MKNOD containers: - name: add-capabilities - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: ["SYS_CHROOT", "SETUID", "KILL", "SETGID"] - name: add-capabilities-again - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: ["NET_BIND_SERVICE", "SETPCAP", "SETFCAP", "FOWNER"] @@ -85,7 +85,7 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: apps/v1 kind: Deployment @@ -103,7 +103,7 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: @@ -125,13 +125,13 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: - DAC_OVERRIDE - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: @@ -153,10 +153,10 @@ spec: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: apps/v1 kind: Deployment @@ -174,14 +174,14 @@ spec: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: - DAC_OVERRIDE containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: apps/v1 kind: Deployment @@ -199,14 +199,14 @@ spec: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: - DAC_OVERRIDE containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: 
@@ -225,7 +225,7 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: batch/v1 kind: CronJob @@ -240,7 +240,7 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: @@ -259,13 +259,13 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: - DAC_OVERRIDE - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: @@ -284,10 +284,10 @@ spec: restartPolicy: OnFailure initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: batch/v1 kind: CronJob @@ -302,14 +302,14 @@ spec: restartPolicy: OnFailure initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: - DAC_OVERRIDE containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: batch/v1 kind: CronJob @@ -324,14 +324,14 @@ spec: restartPolicy: OnFailure initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: - DAC_OVERRIDE containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: diff --git a/pod-security/baseline/disallow-capabilities/artifacthub-pkg.yml b/pod-security/baseline/disallow-capabilities/artifacthub-pkg.yml index 2641a75d4..29a7671e8 100644 --- a/pod-security/baseline/disallow-capabilities/artifacthub-pkg.yml +++ b/pod-security/baseline/disallow-capabilities/artifacthub-pkg.yml 
@@ -19,4 +19,4 @@ annotations: kyverno/category: "Pod Security Standards (Baseline)" kyverno/kubernetesVersion: "1.22-1.23" kyverno/subject: "Pod" -digest: a5e328cbdcad170fc3ddbda39c98da9f916642bba25a058f91fe56fb98dc6457 +digest: 424f0a6b33686600c40b6658dd67ebd4eb596e0975b01120ea994168a2e065c8 diff --git a/pod-security/baseline/disallow-capabilities/disallow-capabilities.yaml b/pod-security/baseline/disallow-capabilities/disallow-capabilities.yaml index 3dd486ef4..857a4db84 100644 --- a/pod-security/baseline/disallow-capabilities/disallow-capabilities.yaml +++ b/pod-security/baseline/disallow-capabilities/disallow-capabilities.yaml @@ -13,7 +13,7 @@ metadata: policies.kyverno.io/description: >- Adding capabilities beyond those listed in the policy must be disallowed. spec: - validationFailureAction: Audit + validationFailureAction: audit background: true rules: - name: adding-capabilities diff --git a/pod-security/baseline/disallow-host-namespaces/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/pod-security/baseline/disallow-host-namespaces/.chainsaw-test/chainsaw-step-01-assert-1.yaml index 8e1525f8e..728930b26 100755 --- a/pod-security/baseline/disallow-host-namespaces/.chainsaw-test/chainsaw-step-01-assert-1.yaml +++ b/pod-security/baseline/disallow-host-namespaces/.chainsaw-test/chainsaw-step-01-assert-1.yaml @@ -3,8 +3,4 @@ kind: ClusterPolicy metadata: name: disallow-host-namespaces status: - conditions: - - reason: Succeeded - status: "True" - type: Ready - + ready: true diff --git a/pod-security/baseline/disallow-host-namespaces/.chainsaw-test/chainsaw-test.yaml b/pod-security/baseline/disallow-host-namespaces/.chainsaw-test/chainsaw-test.yaml index 1f4701c1a..948f8f0ce 100755 --- a/pod-security/baseline/disallow-host-namespaces/.chainsaw-test/chainsaw-test.yaml +++ b/pod-security/baseline/disallow-host-namespaces/.chainsaw-test/chainsaw-test.yaml 
@@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: @@ -8,16 +7,9 @@ spec: steps: - name: step-01 try: - - apply: - file: ../disallow-host-namespaces.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: disallow-host-namespaces - spec: - validationFailureAction: Enforce + - script: + content: | + sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../disallow-host-namespaces.yaml | kubectl create -f - - assert: file: chainsaw-step-01-assert-1.yaml - name: step-02 @@ -36,3 +28,10 @@ spec: - check: ($error != null): true file: podcontroller-bad.yaml + - name: step-99 + try: + - delete: + ref: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: disallow-host-namespaces diff --git a/pod-security/baseline/disallow-host-namespaces/.chainsaw-test/pod-bad.yaml b/pod-security/baseline/disallow-host-namespaces/.chainsaw-test/pod-bad.yaml index 76850d7f6..7fba934b0 100644 --- a/pod-security/baseline/disallow-host-namespaces/.chainsaw-test/pod-bad.yaml +++ b/pod-security/baseline/disallow-host-namespaces/.chainsaw-test/pod-bad.yaml @@ -8,7 +8,7 @@ spec: hostNetwork: false containers: - name: busybox01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod @@ -18,9 +18,9 @@ spec: hostIPC: true containers: - name: busybox01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod @@ -30,9 +30,9 @@ spec: hostNetwork: true containers: - name: busybox01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod 
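Review bot: The new script step couples the test to the exact text `validationFailureAction: audit` in the policy file: if that line's casing or spacing ever changes, sed matches nothing, the ClusterPolicy is created in audit mode, and the `($error != null): true` checks in step-02 fail with an error that points nowhere near the real cause. A resource created with `kubectl create -f -` is also outside chainsaw's own apply-based resource tracking, which is presumably why step-99 now deletes the ClusterPolicy by hand; if chainsaw stops a test at the first failing step, a failed assert in step-02 leaves an enforcing cluster-wide policy behind for whatever test runs next, so the delete belongs in a step cleanup/finally section if the chainsaw version in use supports one. The same pattern appears in the disallow-host-path and disallow-host-ports-range chainsaw-test.yaml hunks. At minimum a comment above the script, `# policy is created via script rather than apply, so step-99 must delete the ClusterPolicy explicitly`, would record the dependency between the two steps.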
@@ -44,9 +44,9 @@ spec: hostNetwork: true containers: - name: busybox01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod @@ -56,7 +56,7 @@ spec: hostPID: true containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod @@ -66,7 +66,7 @@ spec: hostIPC: true containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod @@ -76,7 +76,7 @@ spec: hostNetwork: true containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod @@ -88,5 +88,5 @@ spec: hostNetwork: true containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- \ No newline at end of file diff --git a/pod-security/baseline/disallow-host-namespaces/.chainsaw-test/pod-good.yaml b/pod-security/baseline/disallow-host-namespaces/.chainsaw-test/pod-good.yaml index c6471fc77..e2cf4a39b 100644 --- a/pod-security/baseline/disallow-host-namespaces/.chainsaw-test/pod-good.yaml +++ b/pod-security/baseline/disallow-host-namespaces/.chainsaw-test/pod-good.yaml @@ -5,9 +5,9 @@ metadata: spec: containers: - name: busybox01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod @@ -17,7 +17,7 @@ spec: hostPID: false containers: - name: busybox01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod @@ -27,9 +27,9 @@ spec: hostIPC: false containers: - name: busybox01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod 
@@ -39,9 +39,9 @@ spec: hostNetwork: false containers: - name: busybox01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod @@ -53,9 +53,9 @@ spec: hostNetwork: false containers: - name: busybox01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod @@ -64,7 +64,7 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod @@ -74,7 +74,7 @@ spec: hostPID: false containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod @@ -84,7 +84,7 @@ spec: hostIPC: false containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod @@ -94,7 +94,7 @@ spec: hostNetwork: false containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod @@ -106,5 +106,5 @@ spec: hostNetwork: false containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- \ No newline at end of file diff --git a/pod-security/baseline/disallow-host-namespaces/.chainsaw-test/podcontroller-bad.yaml b/pod-security/baseline/disallow-host-namespaces/.chainsaw-test/podcontroller-bad.yaml index 61fd6af18..803e15585 100644 --- a/pod-security/baseline/disallow-host-namespaces/.chainsaw-test/podcontroller-bad.yaml +++ b/pod-security/baseline/disallow-host-namespaces/.chainsaw-test/podcontroller-bad.yaml @@ -17,9 +17,9 @@ spec: hostNetwork: false containers: - name: busybox01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: batch/v1 kind: CronJob 
@@ -36,9 +36,9 @@ spec: hostIPC: false containers: - name: busybox01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: apps/v1 kind: Deployment @@ -57,7 +57,7 @@ spec: hostPID: true containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: apps/v1 kind: Deployment @@ -76,7 +76,7 @@ spec: hostIPC: true containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: apps/v1 kind: Deployment @@ -95,7 +95,7 @@ spec: hostNetwork: true containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: apps/v1 kind: Deployment @@ -116,7 +116,7 @@ spec: hostNetwork: true containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: batch/v1 kind: CronJob @@ -132,7 +132,7 @@ spec: hostPID: true containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: batch/v1 kind: CronJob @@ -148,7 +148,7 @@ spec: hostIPC: true containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: batch/v1 kind: CronJob @@ -164,7 +164,7 @@ spec: hostNetwork: true containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: batch/v1 kind: CronJob @@ -182,5 +182,5 @@ spec: hostNetwork: true containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- \ No newline at end of file diff --git a/pod-security/baseline/disallow-host-namespaces/.chainsaw-test/podcontroller-good.yaml b/pod-security/baseline/disallow-host-namespaces/.chainsaw-test/podcontroller-good.yaml index 07581653c..a6bd5b852 100644 --- a/pod-security/baseline/disallow-host-namespaces/.chainsaw-test/podcontroller-good.yaml 
+++ b/pod-security/baseline/disallow-host-namespaces/.chainsaw-test/podcontroller-good.yaml @@ -17,9 +17,9 @@ spec: hostNetwork: false containers: - name: busybox01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: batch/v1 kind: CronJob @@ -36,9 +36,9 @@ spec: hostIPC: false containers: - name: busybox01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: apps/v1 kind: Deployment @@ -56,7 +56,7 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: apps/v1 kind: Deployment @@ -75,7 +75,7 @@ spec: hostPID: false containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: apps/v1 kind: Deployment @@ -94,7 +94,7 @@ spec: hostIPC: false containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: apps/v1 kind: Deployment @@ -113,7 +113,7 @@ spec: hostNetwork: false containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: apps/v1 kind: Deployment @@ -134,7 +134,7 @@ spec: hostNetwork: false containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: batch/v1 kind: CronJob @@ -149,7 +149,7 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: batch/v1 kind: CronJob @@ -165,7 +165,7 @@ spec: hostPID: false containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: batch/v1 kind: CronJob 
@@ -181,7 +181,7 @@ spec: hostIPC: false containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: batch/v1 kind: CronJob @@ -197,7 +197,7 @@ spec: hostNetwork: false containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: batch/v1 kind: CronJob @@ -215,4 +215,4 @@ spec: hostNetwork: false containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 diff --git a/pod-security/baseline/disallow-host-namespaces/artifacthub-pkg.yml b/pod-security/baseline/disallow-host-namespaces/artifacthub-pkg.yml index e905e9823..1d4ad81fb 100644 --- a/pod-security/baseline/disallow-host-namespaces/artifacthub-pkg.yml +++ b/pod-security/baseline/disallow-host-namespaces/artifacthub-pkg.yml @@ -19,4 +19,4 @@ annotations: kyverno/category: "Pod Security Standards (Baseline)" kyverno/kubernetesVersion: "1.22-1.23" kyverno/subject: "Pod" -digest: 59eba864baeede16f51173a304f052af1aaa6f7e2c87c53c36b4235b58aebd99 +digest: 1d351ee3d7246a2802529dab37854d12c82c5da2f925c0938316a5c1de576fec diff --git a/pod-security/baseline/disallow-host-namespaces/disallow-host-namespaces.yaml b/pod-security/baseline/disallow-host-namespaces/disallow-host-namespaces.yaml index cd501d769..27eae3a63 100644 --- a/pod-security/baseline/disallow-host-namespaces/disallow-host-namespaces.yaml +++ b/pod-security/baseline/disallow-host-namespaces/disallow-host-namespaces.yaml @@ -15,7 +15,7 @@ metadata: privileges. Pods should not be allowed access to host namespaces. This policy ensures fields which make use of these host namespaces are unset or set to `false`. spec: - validationFailureAction: Audit + validationFailureAction: audit background: true rules: - name: host-namespaces 
diff --git a/pod-security/baseline/disallow-host-path/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/pod-security/baseline/disallow-host-path/.chainsaw-test/chainsaw-step-01-assert-1.yaml index 2093a5bc4..5bc41e9b1 100755 --- a/pod-security/baseline/disallow-host-path/.chainsaw-test/chainsaw-step-01-assert-1.yaml +++ b/pod-security/baseline/disallow-host-path/.chainsaw-test/chainsaw-step-01-assert-1.yaml @@ -3,8 +3,4 @@ kind: ClusterPolicy metadata: name: disallow-host-path status: - conditions: - - reason: Succeeded - status: "True" - type: Ready - + ready: true diff --git a/pod-security/baseline/disallow-host-path/.chainsaw-test/chainsaw-test.yaml b/pod-security/baseline/disallow-host-path/.chainsaw-test/chainsaw-test.yaml index f95670913..c467859cd 100755 --- a/pod-security/baseline/disallow-host-path/.chainsaw-test/chainsaw-test.yaml +++ b/pod-security/baseline/disallow-host-path/.chainsaw-test/chainsaw-test.yaml @@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: @@ -8,16 +7,9 @@ spec: steps: - name: step-01 try: - - apply: - file: ../disallow-host-path.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: disallow-host-path - spec: - validationFailureAction: Enforce + - script: + content: | + sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../disallow-host-path.yaml | kubectl create -f - - assert: file: chainsaw-step-01-assert-1.yaml - name: step-02 @@ -36,3 +28,10 @@ spec: - check: ($error != null): true file: podcontroller-bad.yaml + - name: step-99 + try: + - delete: + ref: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: disallow-host-path diff --git a/pod-security/baseline/disallow-host-path/.chainsaw-test/pod-bad.yaml b/pod-security/baseline/disallow-host-path/.chainsaw-test/pod-bad.yaml index ada442cc5..4259a9f1a 100644 
--- a/pod-security/baseline/disallow-host-path/.chainsaw-test/pod-bad.yaml +++ b/pod-security/baseline/disallow-host-path/.chainsaw-test/pod-bad.yaml @@ -5,7 +5,7 @@ metadata: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 volumes: - name: empty emptyDir: @@ -22,7 +22,7 @@ metadata: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 volumes: - name: foo hostPath: @@ -39,7 +39,7 @@ metadata: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 volumes: - name: foo hostPath: @@ -52,7 +52,7 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 volumeMounts: - name: udev mountPath: /data @@ -68,7 +68,7 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 volumeMounts: - name: udev mountPath: /data diff --git a/pod-security/baseline/disallow-host-path/.chainsaw-test/pod-good.yaml b/pod-security/baseline/disallow-host-path/.chainsaw-test/pod-good.yaml index 76c5baa0c..5194f478f 100644 --- a/pod-security/baseline/disallow-host-path/.chainsaw-test/pod-good.yaml +++ b/pod-security/baseline/disallow-host-path/.chainsaw-test/pod-good.yaml @@ -5,7 +5,7 @@ metadata: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 volumes: - name: empty emptyDir: @@ -21,7 +21,7 @@ metadata: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 volumes: - name: empty emptyDir: @@ -41,7 +41,7 @@ metadata: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod @@ -50,7 +50,7 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod 
@@ -59,7 +59,7 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 volumeMounts: - name: temp mountPath: /scratch diff --git a/pod-security/baseline/disallow-host-path/.chainsaw-test/podcontroller-bad.yaml b/pod-security/baseline/disallow-host-path/.chainsaw-test/podcontroller-bad.yaml index ab34a002a..c7962a93e 100644 --- a/pod-security/baseline/disallow-host-path/.chainsaw-test/podcontroller-bad.yaml +++ b/pod-security/baseline/disallow-host-path/.chainsaw-test/podcontroller-bad.yaml @@ -17,7 +17,7 @@ spec: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 volumes: - name: empty emptyDir: @@ -39,7 +39,7 @@ spec: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 volumes: - name: bar hostPath: @@ -66,7 +66,7 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 volumeMounts: - name: udev mountPath: /data @@ -91,7 +91,7 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 volumeMounts: - name: udev mountPath: /data @@ -117,7 +117,7 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 volumeMounts: - name: udev mountPath: /data @@ -139,7 +139,7 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 volumeMounts: - name: udev mountPath: /data diff --git a/pod-security/baseline/disallow-host-path/.chainsaw-test/podcontroller-good.yaml b/pod-security/baseline/disallow-host-path/.chainsaw-test/podcontroller-good.yaml index e57aa7df5..3e464bbbd 100644 --- a/pod-security/baseline/disallow-host-path/.chainsaw-test/podcontroller-good.yaml +++ b/pod-security/baseline/disallow-host-path/.chainsaw-test/podcontroller-good.yaml 
@@ -17,7 +17,7 @@ spec: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 volumes: - name: empty emptyDir: @@ -42,7 +42,7 @@ spec: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 volumes: - name: empty emptyDir: @@ -72,7 +72,7 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: apps/v1 kind: Deployment @@ -90,7 +90,7 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 volumeMounts: - name: temp mountPath: /scratch @@ -111,7 +111,7 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: batch/v1 kind: CronJob @@ -126,7 +126,7 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 volumeMounts: - name: temp mountPath: /scratch diff --git a/pod-security/baseline/disallow-host-path/artifacthub-pkg.yml b/pod-security/baseline/disallow-host-path/artifacthub-pkg.yml index 742e8bcff..3ce9e79a5 100644 --- a/pod-security/baseline/disallow-host-path/artifacthub-pkg.yml +++ b/pod-security/baseline/disallow-host-path/artifacthub-pkg.yml @@ -19,4 +19,4 @@ annotations: kyverno/category: "Pod Security Standards (Baseline)" kyverno/kubernetesVersion: "1.22-1.23" kyverno/subject: "Pod,Volume" -digest: f062fed727b0eb8f3a829d1f22e5a7d288cedc7ea7ed69c7d3b69c935b4f3318 +digest: 1f463bdd7f64c70aa68071db30a6cb1b4843b62c46acf55df6ef47c5edbc9257 diff --git a/pod-security/baseline/disallow-host-path/disallow-host-path.yaml b/pod-security/baseline/disallow-host-path/disallow-host-path.yaml index 5e4591c8a..90181aab3 100644 --- a/pod-security/baseline/disallow-host-path/disallow-host-path.yaml +++ b/pod-security/baseline/disallow-host-path/disallow-host-path.yaml 
@@ -14,7 +14,7 @@ metadata: Using host resources can be used to access shared data or escalate privileges and should not be allowed. This policy ensures no hostPath volumes are in use. spec: - validationFailureAction: Audit + validationFailureAction: audit background: true rules: - name: host-path diff --git a/pod-security/baseline/disallow-host-ports-range/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/pod-security/baseline/disallow-host-ports-range/.chainsaw-test/chainsaw-step-01-assert-1.yaml index 68c1e2e62..f4e6012b3 100755 --- a/pod-security/baseline/disallow-host-ports-range/.chainsaw-test/chainsaw-step-01-assert-1.yaml +++ b/pod-security/baseline/disallow-host-ports-range/.chainsaw-test/chainsaw-step-01-assert-1.yaml @@ -3,8 +3,4 @@ kind: ClusterPolicy metadata: name: disallow-host-ports-range status: - conditions: - - reason: Succeeded - status: "True" - type: Ready - + ready: true diff --git a/pod-security/baseline/disallow-host-ports-range/.chainsaw-test/chainsaw-test.yaml b/pod-security/baseline/disallow-host-ports-range/.chainsaw-test/chainsaw-test.yaml index 0e012043f..bcba94f64 100755 --- a/pod-security/baseline/disallow-host-ports-range/.chainsaw-test/chainsaw-test.yaml +++ b/pod-security/baseline/disallow-host-ports-range/.chainsaw-test/chainsaw-test.yaml @@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: @@ -8,16 +7,9 @@ spec: steps: - name: step-01 try: - - apply: - file: ../disallow-host-ports-range.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: disallow-host-ports-range - spec: - validationFailureAction: Enforce + - script: + content: | + sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../disallow-host-ports-range.yaml | kubectl create -f - - assert: file: chainsaw-step-01-assert-1.yaml - name: step-02 
@@ -36,3 +28,10 @@ spec: - check: ($error != null): true file: podcontroller-bad.yaml + - name: step-99 + try: + - delete: + ref: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: disallow-host-ports-range diff --git a/pod-security/baseline/disallow-host-ports-range/.chainsaw-test/pod-bad.yaml b/pod-security/baseline/disallow-host-ports-range/.chainsaw-test/pod-bad.yaml index ab8ca032b..7103ed4af 100644 --- a/pod-security/baseline/disallow-host-ports-range/.chainsaw-test/pod-bad.yaml +++ b/pod-security/baseline/disallow-host-ports-range/.chainsaw-test/pod-bad.yaml @@ -5,15 +5,15 @@ metadata: spec: initContainers: - name: init - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - containerPort: 1234 hostPort: 8090 containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: busybox-again - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - containerPort: 8099 - hostPort: 8090 @@ -26,16 +26,16 @@ metadata: spec: initContainers: - name: init - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - containerPort: 8090 - name: init-again - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - containerPort: 8090 containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - containerPort: 8090 hostPort: 8090 @@ -48,7 +48,7 @@ metadata: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - containerPort: 8090 hostPort: 8090 @@ -60,7 +60,7 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - name: dns containerPort: 5553 @@ -73,7 +73,7 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - name: admin containerPort: 8000 
@@ -90,9 +90,9 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - name: admin containerPort: 8000 @@ -109,13 +109,13 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - name: admin containerPort: 8000 protocol: TCP - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - name: dns containerPort: 5553 @@ -129,13 +129,13 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - name: web-secure containerPort: 4443 hostPort: 443 - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - name: dns containerPort: 5553 @@ -149,10 +149,10 @@ metadata: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - name: dns containerPort: 5553 @@ -165,14 +165,14 @@ metadata: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - name: admin containerPort: 8000 protocol: TCP containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - name: dns containerPort: 5553 @@ -185,16 +185,16 @@ metadata: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - name: admin containerPort: 8000 protocol: TCP containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - name: dns containerPort: 5553 
@@ -207,20 +207,20 @@ metadata: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - name: web containerPort: 4443 hostPort: 443 - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - name: admin containerPort: 8000 protocol: TCP containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - name: dns containerPort: 5553 @@ -233,12 +233,12 @@ metadata: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - name: dns containerPort: 5553 hostPort: 53 containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- \ No newline at end of file diff --git a/pod-security/baseline/disallow-host-ports-range/.chainsaw-test/pod-good.yaml b/pod-security/baseline/disallow-host-ports-range/.chainsaw-test/pod-good.yaml index 00ce9cfd7..7b1dc0f58 100644 --- a/pod-security/baseline/disallow-host-ports-range/.chainsaw-test/pod-good.yaml +++ b/pod-security/baseline/disallow-host-ports-range/.chainsaw-test/pod-good.yaml @@ -5,14 +5,14 @@ metadata: spec: initContainers: - name: init - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - containerPort: 8090 containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: busybox-again - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - containerPort: 8080 --- @@ -23,17 +23,17 @@ metadata: spec: initContainers: - name: init - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - containerPort: 8090 - name: init-again - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - containerPort: 8088 hostPort: 5431 containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - containerPort: 8090 - containerPort: 8088 
@@ -46,7 +46,7 @@ metadata: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod @@ -55,7 +55,7 @@ metadata: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - containerPort: 8088 hostPort: 5000 @@ -67,7 +67,7 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod @@ -76,7 +76,7 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - name: admin containerPort: 8000 @@ -90,7 +90,7 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - name: admin containerPort: 8000 @@ -106,9 +106,9 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod @@ -117,9 +117,9 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - name: admin containerPort: 8000 @@ -133,12 +133,12 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - name: web-insecure containerPort: 8080 - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - name: admin containerPort: 8000 @@ -152,10 +152,10 @@ metadata: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod 
@@ -164,14 +164,14 @@ metadata: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - name: web-insecure containerPort: 8080 hostPort: 5555 containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod @@ -180,14 +180,14 @@ metadata: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - name: web-insecure containerPort: 8080 hostPort: 5555 containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - name: web-insecure containerPort: 8080 @@ -199,16 +199,16 @@ metadata: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - name: web-insecure containerPort: 8080 hostPort: 5555 containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - name: web-insecure containerPort: 8080 @@ -220,7 +220,7 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - name: admin containerPort: 8000 diff --git a/pod-security/baseline/disallow-host-ports-range/.chainsaw-test/podcontroller-bad.yaml b/pod-security/baseline/disallow-host-ports-range/.chainsaw-test/podcontroller-bad.yaml index 762a7bffc..a8fbc8500 100644 --- a/pod-security/baseline/disallow-host-ports-range/.chainsaw-test/podcontroller-bad.yaml +++ b/pod-security/baseline/disallow-host-ports-range/.chainsaw-test/podcontroller-bad.yaml 
@@ -14,15 +14,15 @@ spec: spec: initContainers: - name: init - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - containerPort: 8080 hostPort: 8090 containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: busybox-again - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - containerPort: 8080 --- @@ -39,14 +39,14 @@ spec: restartPolicy: Never initContainers: - name: init - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - containerPort: 8090 containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: busybox-again - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - containerPort: 8088 hostPort: 8080 @@ -67,7 +67,7 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - name: dns containerPort: 5553 @@ -89,7 +89,7 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - name: admin containerPort: 8000 @@ -115,9 +115,9 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - name: admin containerPort: 8000 @@ -143,13 +143,13 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - name: admin containerPort: 8000 protocol: TCP - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - name: dns containerPort: 5553 @@ -172,13 +172,13 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - name: web-secure containerPort: 4443 hostPort: 443 - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - name: dns containerPort: 5553 
@@ -201,10 +201,10 @@ spec: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - name: dns containerPort: 5553 @@ -226,14 +226,14 @@ spec: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - name: admin containerPort: 8000 protocol: TCP containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - name: dns containerPort: 5553 @@ -255,16 +255,16 @@ spec: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - name: admin containerPort: 8000 protocol: TCP containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - name: dns containerPort: 5553 @@ -286,20 +286,20 @@ spec: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - name: web containerPort: 4443 hostPort: 443 - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - name: admin containerPort: 8000 protocol: TCP containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - name: dns containerPort: 5553 @@ -321,14 +321,14 @@ spec: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - name: web containerPort: 4443 hostPort: 443 containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: batch/v1 kind: CronJob 
@@ -343,7 +343,7 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - name: dns containerPort: 5553 @@ -362,7 +362,7 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - name: admin containerPort: 8000 @@ -385,9 +385,9 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - name: admin containerPort: 8000 @@ -410,13 +410,13 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - name: admin containerPort: 8000 protocol: TCP - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - name: dns containerPort: 5553 @@ -436,13 +436,13 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - name: web-secure containerPort: 4443 hostPort: 443 - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - name: dns containerPort: 5553 @@ -462,10 +462,10 @@ spec: restartPolicy: OnFailure initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - name: dns containerPort: 5553 @@ -484,14 +484,14 @@ spec: restartPolicy: OnFailure initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - name: admin containerPort: 8000 protocol: TCP containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - name: dns containerPort: 5553 
@@ -510,16 +510,16 @@ spec: restartPolicy: OnFailure initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - name: admin containerPort: 8000 protocol: TCP containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - name: dns containerPort: 5553 @@ -538,20 +538,20 @@ spec: restartPolicy: OnFailure initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - name: web containerPort: 4443 hostPort: 443 - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - name: admin containerPort: 8000 protocol: TCP containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - name: dns containerPort: 5553 @@ -570,12 +570,12 @@ spec: restartPolicy: OnFailure initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - name: dns containerPort: 5553 hostPort: 53 containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- \ No newline at end of file diff --git a/pod-security/baseline/disallow-host-ports-range/.chainsaw-test/podcontroller-good.yaml b/pod-security/baseline/disallow-host-ports-range/.chainsaw-test/podcontroller-good.yaml index 78e52435e..eeceb5d4c 100644 --- a/pod-security/baseline/disallow-host-ports-range/.chainsaw-test/podcontroller-good.yaml +++ b/pod-security/baseline/disallow-host-ports-range/.chainsaw-test/podcontroller-good.yaml 
@@ -14,14 +14,14 @@ spec: spec: initContainers: - name: init - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - containerPort: 8090 containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: busybox-again - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - containerPort: 8088 hostPort: 5432 @@ -39,15 +39,15 @@ spec: restartPolicy: Never initContainers: - name: init - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - containerPort: 9808 hostPort: 6000 containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: busybox-again - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - containerPort: 8080 --- @@ -67,7 +67,7 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: apps/v1 kind: Deployment @@ -85,7 +85,7 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - name: admin containerPort: 8000 @@ -108,7 +108,7 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - name: admin containerPort: 8000 @@ -133,9 +133,9 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: apps/v1 kind: Deployment @@ -153,9 +153,9 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - name: admin containerPort: 8000 
@@ -178,13 +178,13 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - name: web-insecure containerPort: 8080 hostPort: 5555 - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - name: admin containerPort: 8000 @@ -206,10 +206,10 @@ spec: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: apps/v1 kind: Deployment @@ -227,14 +227,14 @@ spec: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - name: web-insecure containerPort: 8080 hostPort: 5555 containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: apps/v1 kind: Deployment @@ -252,14 +252,14 @@ spec: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - name: web-insecure containerPort: 8080 hostPort: 5555 containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - name: web-insecure containerPort: 8080 @@ -280,16 +280,16 @@ spec: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - name: web-insecure containerPort: 8080 hostPort: 5555 containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - name: web-insecure containerPort: 8080 @@ -310,7 +310,7 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - name: admin containerPort: 8000 
@@ -330,7 +330,7 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: batch/v1 kind: CronJob @@ -345,7 +345,7 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - name: admin containerPort: 8000 @@ -365,7 +365,7 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - name: admin containerPort: 8000 @@ -387,9 +387,9 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: batch/v1 kind: CronJob @@ -404,9 +404,9 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - name: admin containerPort: 8000 @@ -426,13 +426,13 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - name: web-insecure containerPort: 8080 hostPort: 5555 - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - name: admin containerPort: 8000 @@ -451,10 +451,10 @@ spec: restartPolicy: OnFailure initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: batch/v1 kind: CronJob 
@@ -469,14 +469,14 @@ spec: restartPolicy: OnFailure initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - name: web-insecure containerPort: 8080 hostPort: 5555 containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: batch/v1 kind: CronJob @@ -491,14 +491,14 @@ spec: restartPolicy: OnFailure initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - name: web-insecure containerPort: 8080 hostPort: 5555 containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - name: web-insecure containerPort: 8080 @@ -516,16 +516,16 @@ spec: restartPolicy: OnFailure initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - name: web-insecure containerPort: 8080 hostPort: 5555 containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - name: web-insecure containerPort: 8080 diff --git a/pod-security/baseline/disallow-host-ports-range/artifacthub-pkg.yml b/pod-security/baseline/disallow-host-ports-range/artifacthub-pkg.yml index 3835a04dd..27b112f41 100644 --- a/pod-security/baseline/disallow-host-ports-range/artifacthub-pkg.yml +++ b/pod-security/baseline/disallow-host-ports-range/artifacthub-pkg.yml @@ -19,4 +19,4 @@ annotations: kyverno/category: "Pod Security Standards (Baseline)" kyverno/kubernetesVersion: "1.22-1.23" kyverno/subject: "Pod" -digest: 288fc86ed4f1a254c7ad3cc01dd9ab2302fd34015acf543a052cbbc306370aea +digest: e590b0680f5a8484fb8c775f51c817d77103716e6740476eb620d34431c3bea4 
diff --git a/pod-security/baseline/disallow-host-ports-range/disallow-host-ports-range.yaml b/pod-security/baseline/disallow-host-ports-range/disallow-host-ports-range.yaml index ce117117d..b8711bcce 100644 --- a/pod-security/baseline/disallow-host-ports-range/disallow-host-ports-range.yaml +++ b/pod-security/baseline/disallow-host-ports-range/disallow-host-ports-range.yaml @@ -17,7 +17,7 @@ metadata: or to a value of zero. This policy is mutually exclusive of the disallow-host-ports policy. Note that Kubernetes Pod Security Admission does not support the host port range rule. spec: - validationFailureAction: Audit + validationFailureAction: audit background: true rules: - name: host-port-range diff --git a/pod-security/baseline/disallow-host-ports/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/pod-security/baseline/disallow-host-ports/.chainsaw-test/chainsaw-step-01-assert-1.yaml index 46cf00260..7630931c6 100755 --- a/pod-security/baseline/disallow-host-ports/.chainsaw-test/chainsaw-step-01-assert-1.yaml +++ b/pod-security/baseline/disallow-host-ports/.chainsaw-test/chainsaw-step-01-assert-1.yaml @@ -3,8 +3,4 @@ kind: ClusterPolicy metadata: name: disallow-host-ports status: - conditions: - - reason: Succeeded - status: "True" - type: Ready - + ready: true diff --git a/pod-security/baseline/disallow-host-ports/.chainsaw-test/chainsaw-test.yaml b/pod-security/baseline/disallow-host-ports/.chainsaw-test/chainsaw-test.yaml index 85717722a..d7e2f2ebf 100755 --- a/pod-security/baseline/disallow-host-ports/.chainsaw-test/chainsaw-test.yaml +++ b/pod-security/baseline/disallow-host-ports/.chainsaw-test/chainsaw-test.yaml @@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: 
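Review bot: The case change to `validationFailureAction: audit` is load-bearing rather than cosmetic: the chainsaw-test.yaml script in this same commit rewrites the policy with `sed 's/validationFailureAction: audit/…/'`, a literal match, so if this line is ever reformatted back to `Audit` (which Kyverno also accepts, as far as I know) the substitution silently does nothing and the test installs the policy in audit mode. A comment on this line tying the two together, e.g. `# lowercase 'audit' is matched literally by .chainsaw-test/chainsaw-test.yaml`, or a case-tolerant pattern on the test side such as `sed 's/validationFailureAction: [Aa]udit/validationFailureAction: Enforce/'`, would remove the hidden coupling. The replacement value `Enforce` is also capitalised while this file now uses lowercase; picking one casing across the policy and the test avoids the mismatch.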
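Review bot: The rewritten chainsaw-step-01-assert-1.yaml checks only `status.ready: true` and nothing about the installed spec, so the test cannot detect the policy being created in audit mode, and the `($error != null): true` checks in step-02 would then fail with a misleading cause. Adding `spec:` / `  validationFailureAction: Enforce` next to the `status` block pins the precondition the later steps rely on. The move from `conditions` to `ready` also presumes the Kyverno version under test populates `status.ready`; that is not visible in the diff, so the minimum version may be worth recording in the test.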
@@ -8,16 +7,9 @@ spec: steps: - name: step-01 try: - - apply: - file: ../disallow-host-ports.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: disallow-host-ports - spec: - validationFailureAction: Enforce + - script: + content: | + sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../disallow-host-ports.yaml | kubectl create -f - - assert: file: chainsaw-step-01-assert-1.yaml - name: step-02 @@ -36,3 +28,10 @@ spec: - check: ($error != null): true file: podcontroller-bad.yaml + - name: step-99 + try: + - delete: + ref: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: disallow-host-ports diff --git a/pod-security/baseline/disallow-host-ports/.chainsaw-test/pod-bad.yaml b/pod-security/baseline/disallow-host-ports/.chainsaw-test/pod-bad.yaml index d954d8705..482abd63e 100644 --- a/pod-security/baseline/disallow-host-ports/.chainsaw-test/pod-bad.yaml +++ b/pod-security/baseline/disallow-host-ports/.chainsaw-test/pod-bad.yaml @@ -5,14 +5,14 @@ metadata: spec: initContainers: - name: init - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - hostPort: 8090 containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: busybox-again - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - containerPort: 8099 - hostPort: 8090 @@ -25,16 +25,16 @@ metadata: spec: initContainers: - name: init - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - containerPort: 8090 - name: init-again - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - containerPort: 8090 containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - containerPort: 8090 hostPort: 8090 @@ -48,7 +48,7 @@ metadata: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - containerPort: 8090 hostPort: 8090 
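Review bot: The new step-99 `delete` runs only if steps 01 and 02 complete, as far as I understand chainsaw's step sequencing, so a failed assertion leaves the ClusterPolicy installed in Enforce mode — and because it was created with `kubectl create` inside a `script` step rather than an `apply`, chainsaw's own cleanup does not track it. Moving the delete into a `finally` (or `cleanup`) block on step-01 makes the removal unconditional. Separately, `kubectl create -f -` exits non-zero on AlreadyExists where the previous `apply` step was idempotent, so a policy left behind by an earlier aborted run fails step-01 before anything is tested; `kubectl apply -f -` keeps the old behaviour.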
@@ -60,7 +60,7 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - name: dns containerPort: 5553 @@ -73,7 +73,7 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - name: admin containerPort: 8000 @@ -90,9 +90,9 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - name: admin containerPort: 8000 @@ -109,13 +109,13 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - name: admin containerPort: 8000 protocol: TCP - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - name: dns containerPort: 5553 @@ -129,13 +129,13 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - name: web-secure containerPort: 4443 hostPort: 443 - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - name: dns containerPort: 5553 @@ -149,10 +149,10 @@ metadata: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - name: dns containerPort: 5553 @@ -165,14 +165,14 @@ metadata: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - name: admin containerPort: 8000 protocol: TCP containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - name: dns containerPort: 5553 
@@ -185,16 +185,16 @@ metadata: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - name: admin containerPort: 8000 protocol: TCP containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - name: dns containerPort: 5553 @@ -207,20 +207,20 @@ metadata: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - name: web containerPort: 4443 hostPort: 443 - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - name: admin containerPort: 8000 protocol: TCP containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - name: dns containerPort: 5553 @@ -233,12 +233,12 @@ metadata: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - name: dns containerPort: 5553 hostPort: 53 containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- \ No newline at end of file diff --git a/pod-security/baseline/disallow-host-ports/.chainsaw-test/pod-good.yaml b/pod-security/baseline/disallow-host-ports/.chainsaw-test/pod-good.yaml index bd28f17d9..49c331fd9 100644 --- a/pod-security/baseline/disallow-host-ports/.chainsaw-test/pod-good.yaml +++ b/pod-security/baseline/disallow-host-ports/.chainsaw-test/pod-good.yaml @@ -5,14 +5,14 @@ metadata: spec: initContainers: - name: init - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - containerPort: 8090 containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: busybox-again - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - containerPort: 8080 --- 
@@ -23,17 +23,17 @@ metadata: spec: initContainers: - name: init - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - containerPort: 8090 - name: init-again - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - containerPort: 8088 hostPort: 0 containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - containerPort: 8090 - containerPort: 8088 @@ -46,7 +46,7 @@ metadata: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod @@ -55,7 +55,7 @@ metadata: spec: containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - containerPort: 8088 hostPort: 0 @@ -67,7 +67,7 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod @@ -76,7 +76,7 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - name: admin containerPort: 8000 @@ -89,7 +89,7 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - name: admin containerPort: 8000 @@ -104,9 +104,9 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod @@ -115,9 +115,9 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - name: admin containerPort: 8000 
@@ -130,12 +130,12 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - name: web-insecure containerPort: 8080 - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - name: admin containerPort: 8000 @@ -148,10 +148,10 @@ metadata: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod @@ -160,13 +160,13 @@ metadata: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - name: web-insecure containerPort: 8080 containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod @@ -175,13 +175,13 @@ metadata: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - name: web-insecure containerPort: 8080 containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - name: web-insecure containerPort: 8080 @@ -193,15 +193,15 @@ metadata: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - name: web-insecure containerPort: 8080 containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - name: web-insecure containerPort: 8080 diff --git a/pod-security/baseline/disallow-host-ports/.chainsaw-test/podcontroller-bad.yaml b/pod-security/baseline/disallow-host-ports/.chainsaw-test/podcontroller-bad.yaml index eca7e8b75..087ef9bc5 100644 --- a/pod-security/baseline/disallow-host-ports/.chainsaw-test/podcontroller-bad.yaml 
+++ b/pod-security/baseline/disallow-host-ports/.chainsaw-test/podcontroller-bad.yaml @@ -14,15 +14,15 @@ spec: spec: initContainers: - name: init - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - containerPort: 8080 hostPort: 8090 containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: busybox-again - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - containerPort: 8080 --- @@ -39,14 +39,14 @@ spec: restartPolicy: Never initContainers: - name: init - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - containerPort: 8090 containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: busybox-again - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - containerPort: 8088 hostPort: 8080 @@ -67,7 +67,7 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - name: dns containerPort: 5553 @@ -89,7 +89,7 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - name: admin containerPort: 8000 @@ -115,9 +115,9 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - name: admin containerPort: 8000 @@ -143,13 +143,13 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - name: admin containerPort: 8000 protocol: TCP - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - name: dns containerPort: 5553 
@@ -172,13 +172,13 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - name: web-secure containerPort: 4443 hostPort: 443 - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - name: dns containerPort: 5553 @@ -201,10 +201,10 @@ spec: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - name: dns containerPort: 5553 @@ -226,14 +226,14 @@ spec: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - name: admin containerPort: 8000 protocol: TCP containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - name: dns containerPort: 5553 @@ -255,16 +255,16 @@ spec: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - name: admin containerPort: 8000 protocol: TCP containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - name: dns containerPort: 5553 @@ -286,20 +286,20 @@ spec: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - name: web containerPort: 4443 hostPort: 443 - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - name: admin containerPort: 8000 protocol: TCP containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - name: dns containerPort: 5553 
@@ -321,14 +321,14 @@ spec: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - name: web containerPort: 4443 hostPort: 443 containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: batch/v1 kind: CronJob @@ -343,7 +343,7 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - name: dns containerPort: 5553 @@ -362,7 +362,7 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - name: admin containerPort: 8000 @@ -385,9 +385,9 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - name: admin containerPort: 8000 @@ -410,13 +410,13 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - name: admin containerPort: 8000 protocol: TCP - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - name: dns containerPort: 5553 @@ -436,13 +436,13 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - name: web-secure containerPort: 4443 hostPort: 443 - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - name: dns containerPort: 5553 @@ -462,10 +462,10 @@ spec: restartPolicy: OnFailure initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - name: dns containerPort: 5553 
@@ -484,14 +484,14 @@ spec: restartPolicy: OnFailure initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - name: admin containerPort: 8000 protocol: TCP containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - name: dns containerPort: 5553 @@ -510,16 +510,16 @@ spec: restartPolicy: OnFailure initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - name: admin containerPort: 8000 protocol: TCP containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - name: dns containerPort: 5553 @@ -538,20 +538,20 @@ spec: restartPolicy: OnFailure initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - name: web containerPort: 4443 hostPort: 443 - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - name: admin containerPort: 8000 protocol: TCP containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - name: dns containerPort: 5553 @@ -570,12 +570,12 @@ spec: restartPolicy: OnFailure initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - name: dns containerPort: 5553 hostPort: 53 containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- \ No newline at end of file diff --git a/pod-security/baseline/disallow-host-ports/.chainsaw-test/podcontroller-good.yaml b/pod-security/baseline/disallow-host-ports/.chainsaw-test/podcontroller-good.yaml index 97c5643aa..b8cd1dda4 100644 --- a/pod-security/baseline/disallow-host-ports/.chainsaw-test/podcontroller-good.yaml 
+++ b/pod-security/baseline/disallow-host-ports/.chainsaw-test/podcontroller-good.yaml @@ -14,14 +14,14 @@ spec: spec: initContainers: - name: init - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - containerPort: 8090 containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: busybox-again - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - containerPort: 8088 hostPort: 0 @@ -39,15 +39,15 @@ spec: restartPolicy: Never initContainers: - name: init - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - containerPort: 9808 hostPort: 0 containers: - name: busybox - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: busybox-again - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - containerPort: 8080 --- @@ -67,7 +67,7 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: apps/v1 kind: Deployment @@ -85,7 +85,7 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - name: admin containerPort: 8000 @@ -107,7 +107,7 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - name: admin containerPort: 8000 @@ -131,9 +131,9 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: apps/v1 kind: Deployment @@ -151,9 +151,9 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - name: admin containerPort: 8000 
@@ -175,12 +175,12 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - name: web-insecure containerPort: 8080 - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - name: admin containerPort: 8000 @@ -202,10 +202,10 @@ spec: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: apps/v1 kind: Deployment @@ -223,13 +223,13 @@ spec: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - name: web-insecure containerPort: 8080 containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: apps/v1 kind: Deployment @@ -247,13 +247,13 @@ spec: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - name: web-insecure containerPort: 8080 containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - name: web-insecure containerPort: 8080 @@ -274,15 +274,15 @@ spec: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - name: web-insecure containerPort: 8080 containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - name: web-insecure containerPort: 8080 @@ -300,7 +300,7 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: batch/v1 kind: CronJob 
@@ -315,7 +315,7 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - name: admin containerPort: 8000 @@ -334,7 +334,7 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - name: admin containerPort: 8000 @@ -355,9 +355,9 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: batch/v1 kind: CronJob @@ -372,9 +372,9 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - name: admin containerPort: 8000 @@ -393,12 +393,12 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - name: web-insecure containerPort: 8080 - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - name: admin containerPort: 8000 @@ -417,10 +417,10 @@ spec: restartPolicy: OnFailure initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: batch/v1 kind: CronJob @@ -435,13 +435,13 @@ spec: restartPolicy: OnFailure initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - name: web-insecure containerPort: 8080 containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: batch/v1 kind: CronJob 
@@ -456,13 +456,13 @@ spec: restartPolicy: OnFailure initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - name: web-insecure containerPort: 8080 containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - name: web-insecure containerPort: 8080 @@ -480,15 +480,15 @@ spec: restartPolicy: OnFailure initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - name: web-insecure containerPort: 8080 containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - name: web-insecure containerPort: 8080 diff --git a/pod-security/baseline/disallow-host-ports/artifacthub-pkg.yml b/pod-security/baseline/disallow-host-ports/artifacthub-pkg.yml index 7e7b74969..b7e2500be 100644 --- a/pod-security/baseline/disallow-host-ports/artifacthub-pkg.yml +++ b/pod-security/baseline/disallow-host-ports/artifacthub-pkg.yml @@ -19,4 +19,4 @@ annotations: kyverno/category: "Pod Security Standards (Baseline)" kyverno/kubernetesVersion: "1.22-1.23" kyverno/subject: "Pod" -digest: dafa02270c9b3d557fe234ccdd2cbb9368615fc7d086bc0bfb4ce70f55239aa4 +digest: f1f94bb74ca482b363777c421c196f325ef4db85b608d3df7f37ec6a29acb8f2 diff --git a/pod-security/baseline/disallow-host-ports/disallow-host-ports.yaml b/pod-security/baseline/disallow-host-ports/disallow-host-ports.yaml index c7c4ce292..7bc0e8aea 100644 --- a/pod-security/baseline/disallow-host-ports/disallow-host-ports.yaml +++ b/pod-security/baseline/disallow-host-ports/disallow-host-ports.yaml @@ -14,7 +14,7 @@ metadata: allowed, or at minimum restricted to a known list. This policy ensures the `hostPort` field is unset or set to `0`. spec: - validationFailureAction: Audit + validationFailureAction: audit background: true rules: - name: host-ports-none 
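Review bot: `validationFailureAction: audit` moves the policy to the lowercase spelling, while the companion chainsaw tests visible further down (disallow-host-process and disallow-privileged-containers) substitute the capitalized `Enforce`, so the committed policy and the value the test actually applies use two different casings of the same enum. If I have the version history right, recent Kyverno releases document the capitalized forms as canonical and keep the lowercase ones only for compatibility, so reverting `Audit` to `audit` reads as a step back unless the Kyverno version the tests target requires it. Either keep `validationFailureAction: Audit` here and in disallow-host-process.yaml below, or, if lowercase is required, have the sed in the tests emit `enforce` so the policy is consistent with itself.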
diff --git a/pod-security/baseline/disallow-host-process/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/pod-security/baseline/disallow-host-process/.chainsaw-test/chainsaw-step-01-assert-1.yaml index 24ff7dd20..ddce453da 100755 --- a/pod-security/baseline/disallow-host-process/.chainsaw-test/chainsaw-step-01-assert-1.yaml +++ b/pod-security/baseline/disallow-host-process/.chainsaw-test/chainsaw-step-01-assert-1.yaml @@ -3,8 +3,4 @@ kind: ClusterPolicy metadata: name: disallow-host-process status: - conditions: - - reason: Succeeded - status: "True" - type: Ready - + ready: true diff --git a/pod-security/baseline/disallow-host-process/.chainsaw-test/chainsaw-test.yaml b/pod-security/baseline/disallow-host-process/.chainsaw-test/chainsaw-test.yaml index 9f15dd522..d0217a838 100755 --- a/pod-security/baseline/disallow-host-process/.chainsaw-test/chainsaw-test.yaml +++ b/pod-security/baseline/disallow-host-process/.chainsaw-test/chainsaw-test.yaml @@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: @@ -8,16 +7,9 @@ spec: steps: - name: step-01 try: - - apply: - file: ../disallow-host-process.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: disallow-host-process - spec: - validationFailureAction: Enforce + - script: + content: | + sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../disallow-host-process.yaml | kubectl create -f - - assert: file: chainsaw-step-01-assert-1.yaml - name: step-02 @@ -36,3 +28,10 @@ spec: - check: ($error != null): true file: podcontroller-bad.yaml + - name: step-99 + try: + - delete: + ref: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: disallow-host-process 
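Review bot: Creating the ClusterPolicy with `sed ... | kubectl create -f -` in a `script` step takes it out of chainsaw's resource tracking, which is presumably why the trailing `step-99` delete was added; but a failure in step-02 or step-03 stops the test before step-99 runs, leaving an enforcing ClusterPolicy behind for every later test in the run. If the chainsaw version in use supports it, putting the delete in the step's `finally:` rather than a separate trailing step keeps the teardown on the failure path. The `sed` is also a silent no-op if the policy's `validationFailureAction` line ever changes casing or spacing, in which case the policy is created in audit mode and the `($error != null): true` checks fail with a confusing message; `kubectl create` additionally errors with "already exists" on a rerun after a failed cleanup, where `kubectl apply -f -` would not. The same pattern appears in the disallow-privileged-containers chainsaw-test.yaml below; the step-02 and step-03 bodies lie between the two hunks and are not in view.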
diff --git a/pod-security/baseline/disallow-host-process/.chainsaw-test/pod-bad.yaml b/pod-security/baseline/disallow-host-process/.chainsaw-test/pod-bad.yaml index e5ebd1526..d6e00d2ed 100644 --- a/pod-security/baseline/disallow-host-process/.chainsaw-test/pod-bad.yaml +++ b/pod-security/baseline/disallow-host-process/.chainsaw-test/pod-bad.yaml @@ -5,18 +5,18 @@ metadata: spec: initContainers: - name: busybox01-init - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: windowsOptions: hostProcess: true containers: - name: busybox01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: windowsOptions: hostProcess: false - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod @@ -25,7 +25,7 @@ metadata: spec: containers: - name: busybox01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: windowsOptions: hostProcess: true @@ -37,12 +37,12 @@ metadata: spec: containers: - name: busybox01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: windowsOptions: hostProcess: true - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod @@ -52,7 +52,7 @@ spec: hostNetwork: true containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: windowsOptions: hostProcess: true @@ -65,12 +65,12 @@ spec: hostNetwork: true containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: windowsOptions: hostProcess: true - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: windowsOptions: hostProcess: true 
@@ -83,13 +83,13 @@ spec: hostNetwork: true initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: windowsOptions: hostProcess: true containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: windowsOptions: hostProcess: true @@ -102,18 +102,18 @@ spec: hostNetwork: true initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: windowsOptions: hostProcess: true - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: windowsOptions: hostProcess: true containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: windowsOptions: hostProcess: true @@ -126,18 +126,18 @@ spec: hostNetwork: true initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: windowsOptions: hostProcess: true - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: windowsOptions: hostProcess: true containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: windowsOptions: hostProcess: true diff --git a/pod-security/baseline/disallow-host-process/.chainsaw-test/pod-good.yaml b/pod-security/baseline/disallow-host-process/.chainsaw-test/pod-good.yaml index 9a14517e9..8f225cfd5 100644 --- a/pod-security/baseline/disallow-host-process/.chainsaw-test/pod-good.yaml +++ b/pod-security/baseline/disallow-host-process/.chainsaw-test/pod-good.yaml 
@@ -5,18 +5,18 @@ metadata: spec: initContainers: - name: busybox01-init - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: windowsOptions: hostProcess: false containers: - name: busybox01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: windowsOptions: hostProcess: false - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod @@ -25,7 +25,7 @@ metadata: spec: containers: - name: busybox01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: windowsOptions: hostProcess: false @@ -37,12 +37,12 @@ metadata: spec: containers: - name: busybox01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: windowsOptions: hostProcess: false - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod @@ -51,7 +51,7 @@ metadata: spec: containers: - name: busybox01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod @@ -61,7 +61,7 @@ spec: hostNetwork: true containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod @@ -71,7 +71,7 @@ spec: hostNetwork: true containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: windowsOptions: hostProcess: false @@ -84,9 +84,9 @@ spec: hostNetwork: true containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: windowsOptions: hostProcess: false @@ -99,10 +99,10 @@ spec: hostNetwork: true initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod 
@@ -112,13 +112,13 @@ spec: hostNetwork: true initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: windowsOptions: hostProcess: false containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod @@ -128,15 +128,15 @@ spec: hostNetwork: true initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: windowsOptions: hostProcess: false containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: windowsOptions: hostProcess: false diff --git a/pod-security/baseline/disallow-host-process/.chainsaw-test/podcontroller-bad.yaml b/pod-security/baseline/disallow-host-process/.chainsaw-test/podcontroller-bad.yaml index 2b9838389..fd8c0d6f6 100644 --- a/pod-security/baseline/disallow-host-process/.chainsaw-test/podcontroller-bad.yaml +++ b/pod-security/baseline/disallow-host-process/.chainsaw-test/podcontroller-bad.yaml @@ -14,18 +14,18 @@ spec: spec: initContainers: - name: busybox01-init - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: windowsOptions: hostProcess: true containers: - name: busybox01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: windowsOptions: hostProcess: false - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: batch/v1 kind: CronJob 
@@ -40,15 +40,15 @@ spec: restartPolicy: Never initContainers: - name: busybox01-init - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: windowsOptions: hostProcess: false containers: - name: busybox01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: windowsOptions: hostProcess: true @@ -70,7 +70,7 @@ spec: hostNetwork: true containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: windowsOptions: hostProcess: true @@ -92,12 +92,12 @@ spec: hostNetwork: true containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: windowsOptions: hostProcess: true - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: windowsOptions: hostProcess: true @@ -119,13 +119,13 @@ spec: hostNetwork: true initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: windowsOptions: hostProcess: true containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: windowsOptions: hostProcess: true @@ -147,18 +147,18 @@ spec: hostNetwork: true initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: windowsOptions: hostProcess: true - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: windowsOptions: hostProcess: true containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: windowsOptions: hostProcess: true 
@@ -180,18 +180,18 @@ spec: hostNetwork: true initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: windowsOptions: hostProcess: true - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: windowsOptions: hostProcess: true containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: windowsOptions: hostProcess: true @@ -210,7 +210,7 @@ spec: hostNetwork: true containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: windowsOptions: hostProcess: true @@ -229,12 +229,12 @@ spec: hostNetwork: true containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: windowsOptions: hostProcess: true - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: windowsOptions: hostProcess: true @@ -253,13 +253,13 @@ spec: hostNetwork: true initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: windowsOptions: hostProcess: true containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: windowsOptions: hostProcess: true @@ -278,18 +278,18 @@ spec: hostNetwork: true initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: windowsOptions: hostProcess: true - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: windowsOptions: hostProcess: true containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: windowsOptions: hostProcess: true 
@@ -308,18 +308,18 @@ spec: hostNetwork: true initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: windowsOptions: hostProcess: true - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: windowsOptions: hostProcess: true containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: windowsOptions: hostProcess: true diff --git a/pod-security/baseline/disallow-host-process/.chainsaw-test/podcontroller-good.yaml b/pod-security/baseline/disallow-host-process/.chainsaw-test/podcontroller-good.yaml index 24add416f..be6c2f1d3 100644 --- a/pod-security/baseline/disallow-host-process/.chainsaw-test/podcontroller-good.yaml +++ b/pod-security/baseline/disallow-host-process/.chainsaw-test/podcontroller-good.yaml @@ -14,18 +14,18 @@ spec: spec: initContainers: - name: busybox01-init - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: windowsOptions: hostProcess: false containers: - name: busybox01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: windowsOptions: hostProcess: false - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: batch/v1 kind: CronJob @@ -40,15 +40,15 @@ spec: restartPolicy: Never initContainers: - name: busybox01-init - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: windowsOptions: hostProcess: false containers: - name: busybox01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: windowsOptions: hostProcess: false @@ -70,7 +70,7 @@ spec: hostNetwork: true containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: apps/v1 kind: Deployment 
@@ -89,7 +89,7 @@ spec: hostNetwork: true containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: windowsOptions: hostProcess: false @@ -111,9 +111,9 @@ spec: hostNetwork: true containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: windowsOptions: hostProcess: false @@ -135,10 +135,10 @@ spec: hostNetwork: true initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: apps/v1 kind: Deployment @@ -157,13 +157,13 @@ spec: hostNetwork: true initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: windowsOptions: hostProcess: false containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: apps/v1 kind: Deployment @@ -182,15 +182,15 @@ spec: hostNetwork: true initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: windowsOptions: hostProcess: false - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: windowsOptions: hostProcess: false @@ -209,7 +209,7 @@ spec: hostNetwork: true containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: batch/v1 kind: CronJob @@ -225,7 +225,7 @@ spec: hostNetwork: true containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: windowsOptions: hostProcess: false 
@@ -244,9 +244,9 @@ spec: hostNetwork: true containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: windowsOptions: hostProcess: false @@ -265,10 +265,10 @@ spec: hostNetwork: true initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: batch/v1 kind: CronJob @@ -284,13 +284,13 @@ spec: hostNetwork: true initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: windowsOptions: hostProcess: false containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: batch/v1 kind: CronJob @@ -306,15 +306,15 @@ spec: hostNetwork: true initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: windowsOptions: hostProcess: false containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: windowsOptions: hostProcess: false diff --git a/pod-security/baseline/disallow-host-process/artifacthub-pkg.yml b/pod-security/baseline/disallow-host-process/artifacthub-pkg.yml index dae9448df..1012702bd 100644 --- a/pod-security/baseline/disallow-host-process/artifacthub-pkg.yml +++ b/pod-security/baseline/disallow-host-process/artifacthub-pkg.yml @@ -19,4 +19,4 @@ annotations: kyverno/category: "Pod Security Standards (Baseline)" kyverno/kubernetesVersion: "1.22-1.23" kyverno/subject: "Pod" -digest: d2a564ae812b3416bdcac56fccbc9ccb9159eb575067593073ad9843b5cc9c55 +digest: a3a0e51e3919e03dcbeb5235aa59b5b9649519765de17a3087a29e302626fac9 
diff --git a/pod-security/baseline/disallow-host-process/disallow-host-process.yaml b/pod-security/baseline/disallow-host-process/disallow-host-process.yaml index c43b8fdc2..2c79a6282 100644 --- a/pod-security/baseline/disallow-host-process/disallow-host-process.yaml +++ b/pod-security/baseline/disallow-host-process/disallow-host-process.yaml @@ -15,7 +15,7 @@ metadata: policy. HostProcess pods are an alpha feature as of Kubernetes v1.22. This policy ensures the `hostProcess` field, if present, is set to `false`. spec: - validationFailureAction: Audit + validationFailureAction: audit background: true rules: - name: host-process-containers diff --git a/pod-security/baseline/disallow-privileged-containers/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/pod-security/baseline/disallow-privileged-containers/.chainsaw-test/chainsaw-step-01-assert-1.yaml index deead22e1..cc13a32d2 100755 --- a/pod-security/baseline/disallow-privileged-containers/.chainsaw-test/chainsaw-step-01-assert-1.yaml +++ b/pod-security/baseline/disallow-privileged-containers/.chainsaw-test/chainsaw-step-01-assert-1.yaml @@ -3,8 +3,4 @@ kind: ClusterPolicy metadata: name: disallow-privileged-containers status: - conditions: - - reason: Succeeded - status: "True" - type: Ready - + ready: true diff --git a/pod-security/baseline/disallow-privileged-containers/.chainsaw-test/chainsaw-test.yaml b/pod-security/baseline/disallow-privileged-containers/.chainsaw-test/chainsaw-test.yaml index 3be810a55..fc401ccbc 100755 --- a/pod-security/baseline/disallow-privileged-containers/.chainsaw-test/chainsaw-test.yaml +++ b/pod-security/baseline/disallow-privileged-containers/.chainsaw-test/chainsaw-test.yaml @@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: 
@@ -8,16 +7,9 @@ spec: steps: - name: step-01 try: - - apply: - file: ../disallow-privileged-containers.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: disallow-privileged-containers - spec: - validationFailureAction: Enforce + - script: + content: | + sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../disallow-privileged-containers.yaml | kubectl create -f - - assert: file: chainsaw-step-01-assert-1.yaml - name: step-02 @@ -36,3 +28,10 @@ spec: - check: ($error != null): true file: podcontroller-bad.yaml + - name: step-99 + try: + - delete: + ref: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: disallow-privileged-containers diff --git a/pod-security/baseline/disallow-privileged-containers/.chainsaw-test/pod-bad.yaml b/pod-security/baseline/disallow-privileged-containers/.chainsaw-test/pod-bad.yaml index 91bb7660f..f1d439769 100644 --- a/pod-security/baseline/disallow-privileged-containers/.chainsaw-test/pod-bad.yaml +++ b/pod-security/baseline/disallow-privileged-containers/.chainsaw-test/pod-bad.yaml @@ -5,16 +5,16 @@ metadata: spec: initContainers: - name: busybox01-init - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: privileged: true containers: - name: busybox01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: privileged: false - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod @@ -23,7 +23,7 @@ metadata: spec: containers: - name: busybox01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: privileged: true --- @@ -34,11 +34,11 @@ metadata: spec: containers: - name: busybox01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: privileged: true - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: privileged: false --- 
@@ -49,11 +49,11 @@ metadata: spec: containers: - name: busybox01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: privileged: false - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: privileged: true --- @@ -64,7 +64,7 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: privileged: true --- @@ -75,9 +75,9 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: privileged: true --- @@ -88,12 +88,12 @@ metadata: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: privileged: true containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod @@ -102,14 +102,14 @@ metadata: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: privileged: true containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod @@ -118,14 +118,14 @@ metadata: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: privileged: true containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: privileged: true --- \ No newline at end of file 
diff --git a/pod-security/baseline/disallow-privileged-containers/.chainsaw-test/pod-good.yaml b/pod-security/baseline/disallow-privileged-containers/.chainsaw-test/pod-good.yaml index 85d1e5a64..5000dcc54 100644 --- a/pod-security/baseline/disallow-privileged-containers/.chainsaw-test/pod-good.yaml +++ b/pod-security/baseline/disallow-privileged-containers/.chainsaw-test/pod-good.yaml @@ -5,16 +5,16 @@ metadata: spec: initContainers: - name: busybox01-init - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: privileged: false containers: - name: busybox01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: privileged: false - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod @@ -23,7 +23,7 @@ metadata: spec: containers: - name: busybox01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: privileged: false --- @@ -34,11 +34,11 @@ metadata: spec: containers: - name: busybox01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: privileged: false - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: privileged: false --- @@ -49,7 +49,7 @@ metadata: spec: containers: - name: busybox01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod @@ -58,7 +58,7 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod @@ -67,7 +67,7 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: privileged: false --- 
@@ -78,9 +78,9 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: privileged: false --- @@ -91,10 +91,10 @@ metadata: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod @@ -103,12 +103,12 @@ metadata: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: privileged: false containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod @@ -117,14 +117,14 @@ metadata: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: privileged: false containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: privileged: false --- \ No newline at end of file diff --git a/pod-security/baseline/disallow-privileged-containers/.chainsaw-test/podcontroller-bad.yaml b/pod-security/baseline/disallow-privileged-containers/.chainsaw-test/podcontroller-bad.yaml index c53985938..e7d597df7 100644 --- a/pod-security/baseline/disallow-privileged-containers/.chainsaw-test/podcontroller-bad.yaml +++ b/pod-security/baseline/disallow-privileged-containers/.chainsaw-test/podcontroller-bad.yaml 
@@ -14,16 +14,16 @@ spec: spec: initContainers: - name: busybox01-init - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: privileged: false containers: - name: busybox01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: privileged: true - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: batch/v1 kind: CronJob @@ -38,14 +38,14 @@ spec: restartPolicy: Never initContainers: - name: busybox01-init - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: privileged: true containers: - name: busybox01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: privileged: false --- @@ -65,7 +65,7 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: privileged: true --- @@ -85,9 +85,9 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: privileged: true --- @@ -107,12 +107,12 @@ spec: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: privileged: true containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: apps/v1 kind: Deployment @@ -130,14 +130,14 @@ spec: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: privileged: true containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: apps/v1 kind: Deployment 
@@ -155,14 +155,14 @@ spec: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: privileged: true containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: privileged: true --- @@ -179,7 +179,7 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: privileged: true --- @@ -196,9 +196,9 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: privileged: true --- @@ -215,12 +215,12 @@ spec: restartPolicy: OnFailure initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: privileged: true containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: batch/v1 kind: CronJob @@ -235,14 +235,14 @@ spec: restartPolicy: OnFailure initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: privileged: true containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: batch/v1 kind: CronJob 
@@ -257,14 +257,14 @@ spec: restartPolicy: OnFailure initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: privileged: true containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: privileged: true --- \ No newline at end of file diff --git a/pod-security/baseline/disallow-privileged-containers/.chainsaw-test/podcontroller-good.yaml b/pod-security/baseline/disallow-privileged-containers/.chainsaw-test/podcontroller-good.yaml index eb3103ad1..b02400703 100644 --- a/pod-security/baseline/disallow-privileged-containers/.chainsaw-test/podcontroller-good.yaml +++ b/pod-security/baseline/disallow-privileged-containers/.chainsaw-test/podcontroller-good.yaml @@ -14,16 +14,16 @@ spec: spec: initContainers: - name: busybox01-init - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: privileged: false containers: - name: busybox01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: privileged: false - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: batch/v1 kind: CronJob @@ -38,14 +38,14 @@ spec: restartPolicy: Never initContainers: - name: busybox01-init - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: privileged: false containers: - name: busybox01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: privileged: false --- @@ -65,7 +65,7 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: apps/v1 kind: Deployment 
@@ -83,7 +83,7 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: privileged: false --- @@ -103,9 +103,9 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: privileged: false --- @@ -125,10 +125,10 @@ spec: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: apps/v1 kind: Deployment @@ -146,12 +146,12 @@ spec: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: privileged: false containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: apps/v1 kind: Deployment @@ -169,14 +169,14 @@ spec: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: privileged: false - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: privileged: false --- @@ -193,7 +193,7 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: batch/v1 kind: CronJob @@ -208,7 +208,7 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: privileged: false --- 
@@ -225,9 +225,9 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: privileged: false --- @@ -244,10 +244,10 @@ spec: restartPolicy: OnFailure initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: batch/v1 kind: CronJob @@ -262,12 +262,12 @@ spec: restartPolicy: OnFailure initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: privileged: false containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: batch/v1 kind: CronJob @@ -282,13 +282,13 @@ spec: restartPolicy: OnFailure initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: privileged: false containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: privileged: false diff --git a/pod-security/baseline/disallow-privileged-containers/artifacthub-pkg.yml b/pod-security/baseline/disallow-privileged-containers/artifacthub-pkg.yml index e8b320d85..ba2ad2f4c 100644 --- a/pod-security/baseline/disallow-privileged-containers/artifacthub-pkg.yml +++ b/pod-security/baseline/disallow-privileged-containers/artifacthub-pkg.yml @@ -19,4 +19,4 @@ annotations: kyverno/category: "Pod Security Standards (Baseline)" kyverno/kubernetesVersion: "1.22-1.23" kyverno/subject: "Pod" -digest: 31d595cab8979474bfbb853fb0f1c67a98bbfff08dda6ec0ef71158cea09ba8d +digest: 9df73d54c268a8ce8099089040099ce8f5e8ff5ccb23559a7d04c0270b0451ce 
diff --git a/pod-security/baseline/disallow-privileged-containers/disallow-privileged-containers.yaml b/pod-security/baseline/disallow-privileged-containers/disallow-privileged-containers.yaml index 1f8534e76..a09b89179 100644 --- a/pod-security/baseline/disallow-privileged-containers/disallow-privileged-containers.yaml +++ b/pod-security/baseline/disallow-privileged-containers/disallow-privileged-containers.yaml @@ -13,7 +13,7 @@ metadata: Privileged mode disables most security mechanisms and must not be allowed. This policy ensures Pods do not call for privileged mode. spec: - validationFailureAction: Audit + validationFailureAction: audit background: true rules: - name: privileged-containers @@ -24,8 +24,8 @@ spec: - Pod validate: message: >- - Privileged mode is disallowed. The fields spec.containers[*].securityContext.privileged, - spec.initContainers[*].securityContext.privileged, and spec.ephemeralContainers[*].securityContext.privileged must be unset or set to `false`. + Privileged mode is disallowed. The fields spec.containers[*].securityContext.privileged + and spec.initContainers[*].securityContext.privileged must be unset or set to `false`. pattern: spec: =(ephemeralContainers): diff --git a/pod-security/baseline/disallow-proc-mount/.chainsaw-test/chainsaw-test.yaml b/pod-security/baseline/disallow-proc-mount/.chainsaw-test/chainsaw-test.yaml deleted file mode 100755 index 04baf8fe0..000000000 --- a/pod-security/baseline/disallow-proc-mount/.chainsaw-test/chainsaw-test.yaml +++ /dev/null 
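Review bot: The rewritten `message` drops `spec.ephemeralContainers[*].securityContext.privileged` from the list of checked fields, yet the context line `=(ephemeralContainers):` immediately below shows the pattern still validates ephemeral containers, so a request rejected because of a privileged ephemeral container now gets a message that does not name the offending field. Either keep the removed clause so the message reads `..., spec.initContainers[*].securityContext.privileged, and spec.ephemeralContainers[*].securityContext.privileged must be unset or set to \`false\`.`, or drop the `=(ephemeralContainers)` branch from the pattern so the two agree. The pattern body continues outside the hunk, so I cannot see whether anything else in it was adjusted.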
@@ -1,40 +0,0 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json -apiVersion: chainsaw.kyverno.io/v1alpha1 -kind: Test -metadata: - creationTimestamp: null - name: disallow-proc-mount -spec: - # disable templating because it can cause issues with CEL expressions - template: false - steps: - - name: step-01 - try: - - apply: - file: ../disallow-proc-mount.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: disallow-proc-mount - spec: - validationFailureAction: Enforce - - assert: - file: policy-ready.yaml - - name: step-02 - try: - - apply: - file: pod-good.yaml - - apply: - expect: - - check: - ($error != null): true - file: pod-bad.yaml - - apply: - file: podcontroller-good.yaml - - apply: - expect: - - check: - ($error != null): true - file: podcontroller-bad.yaml diff --git a/pod-security/baseline/disallow-proc-mount/.chainsaw-test/pod-bad.yaml b/pod-security/baseline/disallow-proc-mount/.chainsaw-test/pod-bad.yaml deleted file mode 100644 index 623c582d3..000000000 --- a/pod-security/baseline/disallow-proc-mount/.chainsaw-test/pod-bad.yaml +++ /dev/null 
@@ -1,73 +0,0 @@ ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod01 -spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - procMount: Unmasked ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod02 -spec: - containers: - - name: container01 - image: dummyimagename - - name: container02 - image: dummyimagename - securityContext: - procMount: Unmasked ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod03 -spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - procMount: Unmasked - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod04 -spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - - name: initcontainer02 - image: dummyimagename - securityContext: - procMount: Unmasked - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod05 -spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - - name: initcontainer02 - image: dummyimagename - securityContext: - procMount: Unmasked - containers: - - name: container01 - image: dummyimagename - securityContext: - procMount: Unmasked ---- \ No newline at end of file diff --git a/pod-security/baseline/disallow-proc-mount/.chainsaw-test/pod-good.yaml b/pod-security/baseline/disallow-proc-mount/.chainsaw-test/pod-good.yaml deleted file mode 100644 index 747d648e2..000000000 --- a/pod-security/baseline/disallow-proc-mount/.chainsaw-test/pod-good.yaml +++ /dev/null 
@@ -1,78 +0,0 @@ ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod01 -spec: - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod02 -spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - procMount: Default ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod03 -spec: - containers: - - name: container01 - image: dummyimagename - - name: container02 - image: dummyimagename - securityContext: - procMount: Default ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod04 -spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod05 -spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - procMount: Default - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod06 -spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - - name: initcontainer02 - image: dummyimagename - securityContext: - procMount: Default - containers: - - name: container01 - image: dummyimagename - securityContext: - procMount: Default ---- \ No newline at end of file diff --git a/pod-security/baseline/disallow-proc-mount/.chainsaw-test/podcontroller-bad.yaml b/pod-security/baseline/disallow-proc-mount/.chainsaw-test/podcontroller-bad.yaml deleted file mode 100644 index b719c34b3..000000000 --- a/pod-security/baseline/disallow-proc-mount/.chainsaw-test/podcontroller-bad.yaml +++ /dev/null 
@@ -1,220 +0,0 @@ ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment01 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - procMount: Unmasked ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment02 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - - name: container02 - image: dummyimagename - securityContext: - procMount: Unmasked ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment03 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - procMount: Unmasked - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment04 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - - name: initcontainer02 - image: dummyimagename - securityContext: - procMount: Unmasked - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment05 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - - name: initcontainer02 - image: dummyimagename - securityContext: - procMount: Unmasked - containers: - - name: container01 - image: dummyimagename - securityContext: - procMount: Unmasked ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob01 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: 
- template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - securityContext: - procMount: Unmasked ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob02 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - - name: container02 - image: dummyimagename - securityContext: - procMount: Unmasked ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob03 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - procMount: Unmasked - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob04 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: dummyimagename - - name: initcontainer02 - image: dummyimagename - securityContext: - procMount: Unmasked - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob05 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: dummyimagename - - name: initcontainer02 - image: dummyimagename - securityContext: - procMount: Unmasked - containers: - - name: container01 - image: dummyimagename - securityContext: - procMount: Unmasked ---- \ No newline at end of file diff --git a/pod-security/baseline/disallow-proc-mount/.chainsaw-test/podcontroller-good.yaml b/pod-security/baseline/disallow-proc-mount/.chainsaw-test/podcontroller-good.yaml deleted file mode 100644 index 83e0d5aac..000000000 
--- a/pod-security/baseline/disallow-proc-mount/.chainsaw-test/podcontroller-good.yaml
+++ /dev/null
@@ -1,245 +0,0 @@ ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment01 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment02 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - procMount: Default ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment03 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: dummyimagename - - name: container02 - image: dummyimagename - securityContext: - procMount: Default ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment04 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment05 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - procMount: Default - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment06 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - procMount: Default - - name: initcontainer02 - image: dummyimagename - containers: - - name: container01 - image: dummyimagename - 
securityContext: - procMount: Default ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob01 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob02 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - securityContext: - procMount: Default ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob03 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: dummyimagename - - name: container02 - image: dummyimagename - securityContext: - procMount: Default ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob04 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: dummyimagename - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob05 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - procMount: Default - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob06 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: dummyimagename - - name: initcontainer02 - image: dummyimagename - securityContext: - procMount: Default - containers: - - name: container01 - image: dummyimagename - securityContext: - procMount: Default ---- \ No newline at end of file 
diff --git a/pod-security/baseline/disallow-proc-mount/.chainsaw-test/policy-ready.yaml b/pod-security/baseline/disallow-proc-mount/.chainsaw-test/policy-ready.yaml deleted file mode 100755 index 9fafc59be..000000000 --- a/pod-security/baseline/disallow-proc-mount/.chainsaw-test/policy-ready.yaml +++ /dev/null @@ -1,10 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: disallow-proc-mount -status: - conditions: - - reason: Succeeded - status: "True" - type: Ready - diff --git a/pod-security/baseline/disallow-proc-mount/artifacthub-pkg.yml b/pod-security/baseline/disallow-proc-mount/artifacthub-pkg.yml index 7263f7285..3c1f68f2f 100644 --- a/pod-security/baseline/disallow-proc-mount/artifacthub-pkg.yml +++ b/pod-security/baseline/disallow-proc-mount/artifacthub-pkg.yml @@ -19,4 +19,4 @@ annotations: kyverno/category: "Pod Security Standards (Baseline)" kyverno/kubernetesVersion: "1.22-1.23" kyverno/subject: "Pod" -digest: 554523e9edb577257fb875d958ebbf3c4d6ede3e85306350173d593d1300bcb4 +digest: ce3647a9f835eb5da49ae65ccc4976010b8f7fd3cba7b0ac66b05a6cf8fac3fb diff --git a/pod-security/baseline/disallow-proc-mount/disallow-proc-mount.yaml b/pod-security/baseline/disallow-proc-mount/disallow-proc-mount.yaml index 443513ce7..aeb74f072 100644 --- a/pod-security/baseline/disallow-proc-mount/disallow-proc-mount.yaml +++ b/pod-security/baseline/disallow-proc-mount/disallow-proc-mount.yaml @@ -15,7 +15,7 @@ metadata: to deviate from the `Default` procMount requires setting a feature gate at the API server. spec: - validationFailureAction: Audit + validationFailureAction: audit background: true rules: - name: check-proc-mount diff --git a/pod-security/baseline/disallow-selinux/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/pod-security/baseline/disallow-selinux/.chainsaw-test/chainsaw-step-01-assert-1.yaml index a4b562256..1971822e2 100755 --- a/pod-security/baseline/disallow-selinux/.chainsaw-test/chainsaw-step-01-assert-1.yaml 
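Review bot: `validationFailureAction: audit` for disallow-proc-mount lands in the same commit that deletes the policy's entire `.chainsaw-test` directory (chainsaw-test.yaml, pod-good/bad, podcontroller-good/bad and policy-ready.yaml above), so unlike the sibling policies in this commit, whose tests were migrated to the script form, this policy now has no end-to-end coverage at all. The context line about deviating from the `Default` procMount requiring a feature gate at the API server suggests the fixtures may have been dropped because they cannot be exercised on a default cluster; if that is the reason it belongs in the commit message or a comment next to `spec:`, and a `kyverno test` unit test against the pattern could still cover the rule without the feature gate. The `rules` list continues past the hunk.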
+++ b/pod-security/baseline/disallow-selinux/.chainsaw-test/chainsaw-step-01-assert-1.yaml @@ -3,8 +3,4 @@ kind: ClusterPolicy metadata: name: disallow-selinux status: - conditions: - - reason: Succeeded - status: "True" - type: Ready - + ready: true diff --git a/pod-security/baseline/disallow-selinux/.chainsaw-test/chainsaw-test.yaml b/pod-security/baseline/disallow-selinux/.chainsaw-test/chainsaw-test.yaml index d60b5b98e..774b95c26 100755 --- a/pod-security/baseline/disallow-selinux/.chainsaw-test/chainsaw-test.yaml +++ b/pod-security/baseline/disallow-selinux/.chainsaw-test/chainsaw-test.yaml @@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: @@ -8,16 +7,9 @@ spec: steps: - name: step-01 try: - - apply: - file: ../disallow-selinux.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: disallow-selinux - spec: - validationFailureAction: Enforce + - script: + content: | + sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../disallow-selinux.yaml | kubectl create -f - - assert: file: chainsaw-step-01-assert-1.yaml - name: step-02 @@ -36,3 +28,10 @@ spec: - check: ($error != null): true file: podcontroller-bad.yaml + - name: step-99 + try: + - delete: + ref: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: disallow-selinux diff --git a/pod-security/baseline/disallow-selinux/.chainsaw-test/pod-bad.yaml b/pod-security/baseline/disallow-selinux/.chainsaw-test/pod-bad.yaml index fd37b5981..9126416e3 100644 --- a/pod-security/baseline/disallow-selinux/.chainsaw-test/pod-bad.yaml +++ b/pod-security/baseline/disallow-selinux/.chainsaw-test/pod-bad.yaml 
@@ -5,18 +5,18 @@ metadata: spec: initContainers: - name: busybox01-init - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: type: container_engine_t containers: - name: busybox01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: type: container_kvm_t - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: type: container_init_t @@ -32,12 +32,12 @@ spec: role: "foo" containers: - name: busybox01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: type: container_kvm_t - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: type: container_init_t @@ -52,7 +52,7 @@ spec: type: container_engine_t containers: - name: busybox01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod @@ -61,12 +61,12 @@ metadata: spec: containers: - name: busybox01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: type: container_init_t - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: type: container_engine_t @@ -78,14 +78,14 @@ metadata: spec: initContainers: - name: busybox-init - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: user: "1000" role: "foo" containers: - name: busybox01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: type: container_t @@ -97,12 +97,12 @@ metadata: spec: containers: - name: busybox01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: type: container_init_t - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: user: "1000" 
@@ -116,7 +116,7 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: type: spc_t @@ -128,7 +128,7 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: type: spc_t @@ -140,9 +140,9 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: type: spc_t @@ -154,12 +154,12 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: type: container_kvm_t - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: type: spc_t @@ -171,13 +171,13 @@ metadata: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: type: spc_t containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod @@ -186,15 +186,15 @@ metadata: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: type: spc_t containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod 
@@ -203,18 +203,18 @@ metadata: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: type: container_kvm_t - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: type: spc_t containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod @@ -223,7 +223,7 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: user: sysadm_u @@ -235,7 +235,7 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: role: sysadm_r @@ -247,7 +247,7 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: user: sysadm_u @@ -260,7 +260,7 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: user: sysadm_u @@ -272,7 +272,7 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: role: sysadm_r @@ -284,7 +284,7 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: user: sysadm_u @@ -297,9 +297,9 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: user: sysadm_u 
@@ -311,9 +311,9 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: role: sysadm_r @@ -325,9 +325,9 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: user: sysadm_u @@ -340,12 +340,12 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: type: unconfined_t - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: user: sysadm_u @@ -357,13 +357,13 @@ metadata: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: user: sysadm_u containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod @@ -372,13 +372,13 @@ metadata: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: role: sysadm_r containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod @@ -387,14 +387,14 @@ metadata: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: user: sysadm_u role: sysadm_r containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod 
@@ -403,15 +403,15 @@ metadata: spec: initContainers: - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: user: sysadm_u containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod @@ -420,15 +420,15 @@ metadata: spec: initContainers: - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: role: sysadm_r containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod @@ -437,16 +437,16 @@ metadata: spec: initContainers: - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: user: sysadm_u role: sysadm_r containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod @@ -455,16 +455,16 @@ metadata: spec: initContainers: - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: type: container_init_t - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: user: sysadm_u containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- diff --git a/pod-security/baseline/disallow-selinux/.chainsaw-test/pod-good.yaml b/pod-security/baseline/disallow-selinux/.chainsaw-test/pod-good.yaml index 286d078b7..f372cfc59 100644 --- a/pod-security/baseline/disallow-selinux/.chainsaw-test/pod-good.yaml 
+++ b/pod-security/baseline/disallow-selinux/.chainsaw-test/pod-good.yaml @@ -5,18 +5,18 @@ metadata: spec: initContainers: - name: busybox01-init - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: type: container_t containers: - name: busybox01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: type: container_kvm_t - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: type: container_init_t @@ -28,12 +28,12 @@ metadata: spec: containers: - name: busybox01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: type: container_kvm_t - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: type: container_init_t @@ -48,7 +48,7 @@ spec: type: container_init_t containers: - name: busybox01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod @@ -57,7 +57,7 @@ metadata: spec: containers: - name: busybox01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod @@ -66,7 +66,7 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod @@ -75,7 +75,7 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: type: container_t @@ -87,7 +87,7 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: type: container_init_t @@ -99,7 +99,7 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: type: container_kvm_t 
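Review bot: Every `image:` in this pod-good.yaml hunk moves from the fully qualified `ghcr.io/kyverno/test-busybox:1.35` to the bare `busybox:1.35`, which the container runtime resolves through its default registry (Docker Hub for most runtimes) by a mutable tag. Unlike the pod-bad fixtures, which the test expects to be denied at admission and which are therefore never pulled, these "good" pods are presumably applied expecting success, so once scheduled the kubelet really pulls the image: an anonymous Docker Hub pull in CI is subject to rate limiting, and a moving tag means the fixture no longer exercises a fixed artifact. Prefer a fully qualified reference pinned by digest, e.g. `image: docker.io/library/busybox:1.35@sha256:<digest>`, or keep the fixtures on a registry the project controls; the same applies to the podcontroller-good.yaml hunks later in this diff. The apply step that creates these pods is outside this hunk.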
@@ -111,7 +111,7 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: type: container_t @@ -123,7 +123,7 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: type: container_init_t @@ -135,7 +135,7 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: type: container_kvm_t @@ -147,9 +147,9 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: type: container_kvm_t @@ -161,12 +161,12 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: type: container_t - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: type: container_kvm_t @@ -178,13 +178,13 @@ metadata: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: type: container_t containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod @@ -193,13 +193,13 @@ metadata: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: type: container_init_t containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod 
@@ -208,13 +208,13 @@ metadata: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: type: container_kvm_t containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod @@ -223,15 +223,15 @@ metadata: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: type: container_t containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod @@ -240,18 +240,18 @@ metadata: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: type: container_init_t - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: type: container_t containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod @@ -260,7 +260,7 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod @@ -269,7 +269,7 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: level: "s0:c123,c456" @@ -281,7 +281,7 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: level: "s0:c123,c456" @@ -293,7 +293,7 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: type: container_t 
@@ -306,9 +306,9 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: level: "s0:c123,c456" @@ -320,12 +320,12 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: type: container_t - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: level: "s0:c123,c456" @@ -337,10 +337,10 @@ metadata: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod @@ -349,13 +349,13 @@ metadata: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: level: "s0:c123,c456" containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod @@ -364,14 +364,14 @@ metadata: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: level: "s0:c123,c456" type: container_t containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod @@ -380,15 +380,15 @@ metadata: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: level: "s0:c123,c456" containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod 
@@ -397,16 +397,16 @@ metadata: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: type: container_t - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: level: "s0:c123,c456" containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- diff --git a/pod-security/baseline/disallow-selinux/.chainsaw-test/podcontroller-bad.yaml b/pod-security/baseline/disallow-selinux/.chainsaw-test/podcontroller-bad.yaml index 37ef091a3..897ffc294 100644 --- a/pod-security/baseline/disallow-selinux/.chainsaw-test/podcontroller-bad.yaml +++ b/pod-security/baseline/disallow-selinux/.chainsaw-test/podcontroller-bad.yaml @@ -14,18 +14,18 @@ spec: spec: initContainers: - name: busybox01-init - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: type: container_t containers: - name: busybox01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: type: container_engine_t - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: type: container_init_t @@ -46,20 +46,20 @@ spec: spec: initContainers: - name: busybox01-init - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: type: container_t containers: - name: busybox01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: user: "1000" role: "foo" type: container_kvm_t - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: type: container_init_t 
@@ -77,18 +77,18 @@ spec: restartPolicy: Never initContainers: - name: busybox01-init - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: type: container_engine_t containers: - name: busybox01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: type: container_kvm_t - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: type: container_init_t @@ -106,18 +106,18 @@ spec: restartPolicy: Never initContainers: - name: busybox01-init - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: type: container_engine_t containers: - name: busybox01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: type: container_kvm_t - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: user: "1000" @@ -140,7 +140,7 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: type: spc_t @@ -161,7 +161,7 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: type: spc_t @@ -182,9 +182,9 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: type: spc_t @@ -205,12 +205,12 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: type: container_kvm_t - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: type: spc_t 
@@ -231,13 +231,13 @@ spec: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: type: spc_t containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: apps/v1 kind: Deployment @@ -255,15 +255,15 @@ spec: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: type: spc_t containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: apps/v1 kind: Deployment @@ -281,18 +281,18 @@ spec: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: type: container_kvm_t - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: type: spc_t containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: batch/v1 kind: CronJob @@ -307,7 +307,7 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: type: spc_t @@ -325,7 +325,7 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: type: spc_t @@ -343,9 +343,9 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: type: spc_t 
@@ -363,12 +363,12 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: type: container_kvm_t - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: type: spc_t @@ -386,13 +386,13 @@ spec: restartPolicy: OnFailure initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: type: spc_t containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: batch/v1 kind: CronJob @@ -407,15 +407,15 @@ spec: restartPolicy: OnFailure initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: type: spc_t containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: batch/v1 kind: CronJob @@ -430,18 +430,18 @@ spec: restartPolicy: OnFailure initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: type: container_kvm_t - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: type: spc_t containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: apps/v1 kind: Deployment @@ -459,7 +459,7 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: user: sysadm_u @@ -480,7 +480,7 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: role: sysadm_r 
@@ -501,7 +501,7 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: user: sysadm_u @@ -523,7 +523,7 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: user: sysadm_u @@ -544,7 +544,7 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: role: sysadm_r @@ -565,7 +565,7 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: user: sysadm_u @@ -587,9 +587,9 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: user: sysadm_u @@ -610,9 +610,9 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: role: sysadm_r @@ -633,9 +633,9 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: user: sysadm_u @@ -657,12 +657,12 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: type: unconfined_t - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: user: sysadm_u 
@@ -683,13 +683,13 @@ spec: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: user: sysadm_u containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: apps/v1 kind: Deployment @@ -707,13 +707,13 @@ spec: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: role: sysadm_r containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: apps/v1 kind: Deployment @@ -731,14 +731,14 @@ spec: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: user: sysadm_u role: sysadm_r containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: apps/v1 kind: Deployment @@ -756,15 +756,15 @@ spec: spec: initContainers: - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: user: sysadm_u containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: apps/v1 kind: Deployment @@ -782,15 +782,15 @@ spec: spec: initContainers: - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: role: sysadm_r containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: apps/v1 kind: Deployment 
@@ -808,16 +808,16 @@ spec: spec: initContainers: - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: user: sysadm_u role: sysadm_r containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: apps/v1 kind: Deployment @@ -835,18 +835,18 @@ spec: spec: initContainers: - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: type: container_init_t - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: user: sysadm_u containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: batch/v1 kind: CronJob @@ -861,7 +861,7 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: user: sysadm_u @@ -879,7 +879,7 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: role: sysadm_r @@ -897,7 +897,7 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: user: sysadm_u @@ -916,7 +916,7 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: user: sysadm_u @@ -934,7 +934,7 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: role: sysadm_r 
@@ -952,7 +952,7 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: user: sysadm_u @@ -971,9 +971,9 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: user: sysadm_u @@ -991,9 +991,9 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: role: sysadm_r @@ -1011,9 +1011,9 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: user: sysadm_u @@ -1032,12 +1032,12 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: type: unconfined_t - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: user: sysadm_u @@ -1055,13 +1055,13 @@ spec: restartPolicy: OnFailure initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: user: sysadm_u containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: batch/v1 kind: CronJob 
@@ -1076,13 +1076,13 @@ spec: restartPolicy: OnFailure initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: role: sysadm_r containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: batch/v1 kind: CronJob @@ -1097,14 +1097,14 @@ spec: restartPolicy: OnFailure initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: user: sysadm_u role: sysadm_r containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: batch/v1 kind: CronJob @@ -1119,15 +1119,15 @@ spec: restartPolicy: OnFailure initContainers: - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: user: sysadm_u containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: batch/v1 kind: CronJob @@ -1142,15 +1142,15 @@ spec: restartPolicy: OnFailure initContainers: - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: role: sysadm_r containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: batch/v1 kind: CronJob 
@@ -1165,16 +1165,16 @@ spec: restartPolicy: OnFailure initContainers: - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: user: sysadm_u role: sysadm_r containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: batch/v1 kind: CronJob @@ -1189,16 +1189,16 @@ spec: restartPolicy: OnFailure initContainers: - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: type: container_init_t - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: user: sysadm_u containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- \ No newline at end of file diff --git a/pod-security/baseline/disallow-selinux/.chainsaw-test/podcontroller-good.yaml b/pod-security/baseline/disallow-selinux/.chainsaw-test/podcontroller-good.yaml index b3b964adb..630331acb 100644 --- a/pod-security/baseline/disallow-selinux/.chainsaw-test/podcontroller-good.yaml +++ b/pod-security/baseline/disallow-selinux/.chainsaw-test/podcontroller-good.yaml @@ -14,18 +14,18 @@ spec: spec: initContainers: - name: busybox01-init - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: type: container_t containers: - name: busybox01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: type: container_kvm_t - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: type: container_init_t 
@@ -43,18 +43,18 @@ spec: restartPolicy: Never initContainers: - name: busybox01-init - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: type: container_t containers: - name: busybox01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: type: container_kvm_t - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: type: container_init_t @@ -75,7 +75,7 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: apps/v1 kind: Deployment @@ -93,7 +93,7 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: type: container_t @@ -114,7 +114,7 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: type: container_init_t @@ -135,7 +135,7 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: type: container_kvm_t @@ -156,7 +156,7 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: type: container_t @@ -177,7 +177,7 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: type: container_init_t @@ -198,7 +198,7 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: type: container_kvm_t 
@@ -219,9 +219,9 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: type: container_kvm_t @@ -242,12 +242,12 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: type: container_t - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: type: container_kvm_t @@ -268,13 +268,13 @@ spec: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: type: container_t containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: apps/v1 kind: Deployment @@ -292,13 +292,13 @@ spec: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: type: container_init_t containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: apps/v1 kind: Deployment @@ -316,13 +316,13 @@ spec: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: type: container_kvm_t containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: apps/v1 kind: Deployment 
@@ -340,15 +340,15 @@ spec: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: type: container_t containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: apps/v1 kind: Deployment @@ -366,18 +366,18 @@ spec: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: type: container_init_t - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: type: container_t containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: apps/v1 kind: Deployment @@ -395,7 +395,7 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: apps/v1 kind: Deployment @@ -413,7 +413,7 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: level: "s0:c123,c456" @@ -434,7 +434,7 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: level: "s0:c123,c456" @@ -455,7 +455,7 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: type: container_t @@ -477,9 +477,9 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: level: "s0:c123,c456" 
@@ -500,12 +500,12 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: type: container_t - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: level: "s0:c123,c456" @@ -526,10 +526,10 @@ spec: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: apps/v1 kind: Deployment @@ -547,13 +547,13 @@ spec: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: level: "s0:c123,c456" containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: apps/v1 kind: Deployment @@ -571,14 +571,14 @@ spec: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: level: "s0:c123,c456" type: container_t containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: apps/v1 kind: Deployment @@ -596,15 +596,15 @@ spec: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: level: "s0:c123,c456" containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: apps/v1 kind: Deployment 
@@ -622,18 +622,18 @@ spec: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: type: container_t - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: level: "s0:c123,c456" containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: batch/v1 kind: CronJob @@ -648,7 +648,7 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: batch/v1 kind: CronJob @@ -663,7 +663,7 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: level: "s0:c123,c456" @@ -681,7 +681,7 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: level: "s0:c123,c456" @@ -699,7 +699,7 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: type: container_t @@ -718,9 +718,9 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: level: "s0:c123,c456" @@ -738,12 +738,12 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: type: container_t - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: level: "s0:c123,c456" 
@@ -761,10 +761,10 @@ spec: restartPolicy: OnFailure initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: batch/v1 kind: CronJob @@ -779,13 +779,13 @@ spec: restartPolicy: OnFailure initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: level: "s0:c123,c456" containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: batch/v1 kind: CronJob @@ -800,14 +800,14 @@ spec: restartPolicy: OnFailure initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: level: "s0:c123,c456" type: container_t containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: batch/v1 kind: CronJob @@ -822,15 +822,15 @@ spec: restartPolicy: OnFailure initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: level: "s0:c123,c456" containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: batch/v1 kind: CronJob @@ -845,18 +845,18 @@ spec: restartPolicy: OnFailure initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: type: container_t - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: level: "s0:c123,c456" containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: batch/v1 kind: CronJob 
@@ -871,7 +871,7 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: batch/v1 kind: CronJob @@ -886,7 +886,7 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: type: container_t @@ -904,7 +904,7 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: type: container_init_t @@ -922,7 +922,7 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: type: container_kvm_t @@ -940,7 +940,7 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: type: container_t @@ -958,7 +958,7 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: type: container_init_t @@ -976,7 +976,7 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: type: container_kvm_t @@ -994,9 +994,9 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: type: container_kvm_t 
@@ -1014,12 +1014,12 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: type: container_t - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: type: container_kvm_t @@ -1037,13 +1037,13 @@ spec: restartPolicy: OnFailure initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: type: container_t containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: batch/v1 kind: CronJob @@ -1058,13 +1058,13 @@ spec: restartPolicy: OnFailure initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: type: container_init_t containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: batch/v1 kind: CronJob @@ -1079,13 +1079,13 @@ spec: restartPolicy: OnFailure initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: type: container_kvm_t containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: batch/v1 kind: CronJob @@ -1100,15 +1100,15 @@ spec: restartPolicy: OnFailure initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: type: container_t containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: batch/v1 kind: CronJob 
@@ -1123,16 +1123,16 @@ spec: restartPolicy: OnFailure initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: type: container_init_t - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: type: container_t containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- \ No newline at end of file diff --git a/pod-security/baseline/disallow-selinux/artifacthub-pkg.yml b/pod-security/baseline/disallow-selinux/artifacthub-pkg.yml index dc12fd55b..bfccd620f 100644 --- a/pod-security/baseline/disallow-selinux/artifacthub-pkg.yml +++ b/pod-security/baseline/disallow-selinux/artifacthub-pkg.yml @@ -19,4 +19,4 @@ annotations: kyverno/category: "Pod Security Standards (Baseline)" kyverno/kubernetesVersion: "1.22-1.23" kyverno/subject: "Pod" -digest: 1e6920c08280c459e1c16fa0eb1d75304ffbda279b16798a8e68973d47e2cd5e +digest: 4d028ef08da7f6dffc6ecfe22eff55e643d57ddc14498142958fb572bf31dfe0 diff --git a/pod-security/baseline/disallow-selinux/disallow-selinux.yaml b/pod-security/baseline/disallow-selinux/disallow-selinux.yaml index b43a6f8ef..fa3f19d8d 100644 --- a/pod-security/baseline/disallow-selinux/disallow-selinux.yaml +++ b/pod-security/baseline/disallow-selinux/disallow-selinux.yaml @@ -13,7 +13,7 @@ metadata: SELinux options can be used to escalate privileges and should not be allowed. This policy ensures that the `seLinuxOptions` field is undefined. spec: - validationFailureAction: Audit + validationFailureAction: audit background: true rules: - name: selinux-type diff --git a/pod-security/baseline/restrict-apparmor-profiles/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/pod-security/baseline/restrict-apparmor-profiles/.chainsaw-test/chainsaw-step-01-assert-1.yaml index f4778fa79..7c5650ac0 100755 
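Review bot: The only functional edit to disallow-selinux.yaml in this chunk, `validationFailureAction: Audit` → `validationFailureAction: audit`, should be checked against the Kyverno versions this catalog supports: recent Kyverno releases document the capitalized `Audit`/`Enforce` spelling and, as far as I recall, keep lowercase only as a compatibility alias, so this may be a step toward the older form rather than the newer one. The spelling is also now load-bearing for the tests in this diff — the restrict-apparmor-profiles and restrict-seccomp chainsaw-test.yaml files rewrite the policy with `sed 's/validationFailureAction: audit/validationFailureAction: Enforce/'`, which matches nothing if the capitalization ever diverges again (disallow-selinux's own chainsaw-test.yaml is not in this chunk, so whether it does the same is unknown). If lowercase is intended, a comment next to the field, e.g. `# keep lowercase: matched verbatim by .chainsaw-test/chainsaw-test.yaml`, documents the coupling. restrict-apparmor-profiles.yaml receives the identical change further down and the same applies there; the artifacthub-pkg.yml digest updates are consistent with these edits.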
--- a/pod-security/baseline/restrict-apparmor-profiles/.chainsaw-test/chainsaw-step-01-assert-1.yaml +++ b/pod-security/baseline/restrict-apparmor-profiles/.chainsaw-test/chainsaw-step-01-assert-1.yaml @@ -3,8 +3,4 @@ kind: ClusterPolicy metadata: name: restrict-apparmor-profiles status: - conditions: - - reason: Succeeded - status: "True" - type: Ready - + ready: true diff --git a/pod-security/baseline/restrict-apparmor-profiles/.chainsaw-test/chainsaw-test.yaml b/pod-security/baseline/restrict-apparmor-profiles/.chainsaw-test/chainsaw-test.yaml index 6903f7aea..3260f1663 100755 --- a/pod-security/baseline/restrict-apparmor-profiles/.chainsaw-test/chainsaw-test.yaml +++ b/pod-security/baseline/restrict-apparmor-profiles/.chainsaw-test/chainsaw-test.yaml @@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: @@ -8,16 +7,9 @@ spec: steps: - name: step-01 try: - - apply: - file: ../restrict-apparmor-profiles.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: restrict-apparmor-profiles - spec: - validationFailureAction: Enforce + - script: + content: | + sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../restrict-apparmor-profiles.yaml | kubectl create -f - - assert: file: chainsaw-step-01-assert-1.yaml - name: step-02 @@ -36,3 +28,10 @@ spec: - check: ($error != null): true file: podcontroller-bad.yaml + - name: step-99 + try: + - delete: + ref: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: restrict-apparmor-profiles diff --git a/pod-security/baseline/restrict-apparmor-profiles/.chainsaw-test/pod-bad.yaml b/pod-security/baseline/restrict-apparmor-profiles/.chainsaw-test/pod-bad.yaml index 407d69967..d11890f9d 100644 --- a/pod-security/baseline/restrict-apparmor-profiles/.chainsaw-test/pod-bad.yaml 
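Review bot: The new step-01 in restrict-apparmor-profiles/.chainsaw-test/chainsaw-test.yaml replaces a declarative `apply` plus `patch` with `sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../restrict-apparmor-profiles.yaml | kubectl create -f -`, and that pipeline is fragile in two ways: the pattern matches one exact spelling, so a later `Audit` in the policy leaves it in audit mode and step-02's `($error != null): true` checks fail for a misleading reason, and `kubectl create` is not idempotent, so a ClusterPolicy left behind by an aborted run fails the step where `kubectl apply -f -` would succeed. Because the policy is now created outside chainsaw's tracked resources, cleanup depends entirely on the added `step-99` delete, which presumably is skipped when an earlier step fails, leaving a cluster-scoped Enforce policy in the test cluster; moving the delete into a step-level `finally` (or the test's cleanup hooks) would run it on every path. A guard such as `grep -q 'validationFailureAction: Enforce'` on the rewritten manifest before piping it to `kubectl` would turn a silent no-op substitution into a clear failure. The restrict-seccomp chainsaw-test.yaml further down in this chunk makes the identical change, and both points apply there too.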
+++ b/pod-security/baseline/restrict-apparmor-profiles/.chainsaw-test/pod-bad.yaml @@ -8,7 +8,7 @@ metadata: spec: containers: - name: busybox01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod @@ -20,7 +20,7 @@ metadata: spec: containers: - name: busybox01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod @@ -31,4 +31,4 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 \ No newline at end of file + image: busybox:1.35 \ No newline at end of file diff --git a/pod-security/baseline/restrict-apparmor-profiles/.chainsaw-test/pod-good.yaml b/pod-security/baseline/restrict-apparmor-profiles/.chainsaw-test/pod-good.yaml index ce0e9f149..d8f331b95 100644 --- a/pod-security/baseline/restrict-apparmor-profiles/.chainsaw-test/pod-good.yaml +++ b/pod-security/baseline/restrict-apparmor-profiles/.chainsaw-test/pod-good.yaml @@ -8,7 +8,7 @@ metadata: spec: containers: - name: busybox01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod @@ -20,7 +20,7 @@ metadata: spec: containers: - name: busybox01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod @@ -29,7 +29,7 @@ metadata: spec: containers: - name: busybox01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod @@ -38,7 +38,7 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod @@ -49,7 +49,7 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod @@ -60,4 +60,4 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 \ No newline at end of file + image: busybox:1.35 \ No newline at end of file 
diff --git a/pod-security/baseline/restrict-apparmor-profiles/.chainsaw-test/podcontroller-bad.yaml b/pod-security/baseline/restrict-apparmor-profiles/.chainsaw-test/podcontroller-bad.yaml index 58d1c54e4..33a282868 100644 --- a/pod-security/baseline/restrict-apparmor-profiles/.chainsaw-test/podcontroller-bad.yaml +++ b/pod-security/baseline/restrict-apparmor-profiles/.chainsaw-test/podcontroller-bad.yaml @@ -17,7 +17,7 @@ spec: spec: containers: - name: busybox01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: batch/v1 kind: CronJob @@ -36,7 +36,7 @@ spec: restartPolicy: Never containers: - name: busybox01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: apps/v1 kind: Deployment @@ -56,7 +56,7 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: batch/v1 kind: CronJob @@ -74,5 +74,5 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- diff --git a/pod-security/baseline/restrict-apparmor-profiles/.chainsaw-test/podcontroller-good.yaml b/pod-security/baseline/restrict-apparmor-profiles/.chainsaw-test/podcontroller-good.yaml index efaa3240c..aaaa17340 100644 --- a/pod-security/baseline/restrict-apparmor-profiles/.chainsaw-test/podcontroller-good.yaml +++ b/pod-security/baseline/restrict-apparmor-profiles/.chainsaw-test/podcontroller-good.yaml @@ -17,7 +17,7 @@ spec: spec: containers: - name: busybox01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: batch/v1 kind: CronJob @@ -36,7 +36,7 @@ spec: restartPolicy: Never containers: - name: busybox01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: apps/v1 kind: Deployment @@ -54,7 +54,7 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: apps/v1 kind: Deployment 
@@ -74,7 +74,7 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: apps/v1 kind: Deployment @@ -94,7 +94,7 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: batch/v1 kind: CronJob @@ -109,7 +109,7 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: batch/v1 kind: CronJob @@ -127,7 +127,7 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: batch/v1 kind: CronJob @@ -145,4 +145,4 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 diff --git a/pod-security/baseline/restrict-apparmor-profiles/artifacthub-pkg.yml b/pod-security/baseline/restrict-apparmor-profiles/artifacthub-pkg.yml index 0a4d55281..2a1d7f38b 100644 --- a/pod-security/baseline/restrict-apparmor-profiles/artifacthub-pkg.yml +++ b/pod-security/baseline/restrict-apparmor-profiles/artifacthub-pkg.yml @@ -19,4 +19,4 @@ annotations: kyverno/category: "Pod Security Standards (Baseline)" kyverno/kubernetesVersion: "1.22-1.23" kyverno/subject: "Pod, Annotation" -digest: 365cb097730bd86fe20b203539015172b6f348bc6e012beb3cbce3f013fe665d +digest: b826e93fa173d610354a528e16823d018ccf90e890f63339029724b3ac75a185 diff --git a/pod-security/baseline/restrict-apparmor-profiles/restrict-apparmor-profiles.yaml b/pod-security/baseline/restrict-apparmor-profiles/restrict-apparmor-profiles.yaml index ef093df69..84194c67b 100644 --- a/pod-security/baseline/restrict-apparmor-profiles/restrict-apparmor-profiles.yaml +++ b/pod-security/baseline/restrict-apparmor-profiles/restrict-apparmor-profiles.yaml 
@@ -16,7 +16,7 @@ metadata: overrides to an allowed set of profiles. This policy ensures Pods do not specify any other AppArmor profiles than `runtime/default` or `localhost/*`. spec: - validationFailureAction: Audit + validationFailureAction: audit background: true rules: - name: app-armor diff --git a/pod-security/baseline/restrict-seccomp/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/pod-security/baseline/restrict-seccomp/.chainsaw-test/chainsaw-step-01-assert-1.yaml index 03da26034..92459aedf 100755 --- a/pod-security/baseline/restrict-seccomp/.chainsaw-test/chainsaw-step-01-assert-1.yaml +++ b/pod-security/baseline/restrict-seccomp/.chainsaw-test/chainsaw-step-01-assert-1.yaml @@ -3,8 +3,4 @@ kind: ClusterPolicy metadata: name: restrict-seccomp status: - conditions: - - reason: Succeeded - status: "True" - type: Ready - + ready: true diff --git a/pod-security/baseline/restrict-seccomp/.chainsaw-test/chainsaw-test.yaml b/pod-security/baseline/restrict-seccomp/.chainsaw-test/chainsaw-test.yaml index c6d24b1fb..53b1a231a 100755 --- a/pod-security/baseline/restrict-seccomp/.chainsaw-test/chainsaw-test.yaml +++ b/pod-security/baseline/restrict-seccomp/.chainsaw-test/chainsaw-test.yaml @@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: @@ -8,16 +7,9 @@ spec: steps: - name: step-01 try: - - apply: - file: ../restrict-seccomp.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: restrict-seccomp - spec: - validationFailureAction: Enforce + - script: + content: | + sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../restrict-seccomp.yaml | kubectl create -f - - assert: file: chainsaw-step-01-assert-1.yaml - name: step-02 
@@ -36,3 +28,10 @@ spec: - check: ($error != null): true file: podcontroller-bad.yaml + - name: step-99 + try: + - delete: + ref: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: restrict-seccomp diff --git a/pod-security/baseline/restrict-seccomp/.chainsaw-test/pod-bad.yaml b/pod-security/baseline/restrict-seccomp/.chainsaw-test/pod-bad.yaml index 14d48792f..ed1acc81d 100644 --- a/pod-security/baseline/restrict-seccomp/.chainsaw-test/pod-bad.yaml +++ b/pod-security/baseline/restrict-seccomp/.chainsaw-test/pod-bad.yaml @@ -5,19 +5,19 @@ metadata: spec: initContainers: - name: busybox01-init - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seccompProfile: type: Unconfined containers: - name: busybox01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seccompProfile: type: Localhost localhostProfile: profiles/audit.json - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seccompProfile: type: RuntimeDefault @@ -29,12 +29,12 @@ metadata: spec: containers: - name: busybox01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seccompProfile: type: RuntimeDefault - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seccompProfile: type: Unconfined @@ -49,7 +49,7 @@ spec: type: Unconfined containers: - name: busybox01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod @@ -58,7 +58,7 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seccompProfile: type: Unconfined @@ -70,7 +70,7 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seccompProfile: type: Unconfined 
@@ -82,9 +82,9 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seccompProfile: type: Unconfined @@ -96,12 +96,12 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seccompProfile: type: RuntimeDefault - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seccompProfile: type: Unconfined @@ -113,13 +113,13 @@ metadata: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seccompProfile: type: Unconfined containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod @@ -128,15 +128,15 @@ metadata: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seccompProfile: type: Unconfined containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod @@ -145,16 +145,16 @@ metadata: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seccompProfile: type: RuntimeDefault - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seccompProfile: type: Unconfined containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- \ No newline at end of file diff --git a/pod-security/baseline/restrict-seccomp/.chainsaw-test/pod-good.yaml b/pod-security/baseline/restrict-seccomp/.chainsaw-test/pod-good.yaml index e97ff3768..c7c153eb2 100644 
--- a/pod-security/baseline/restrict-seccomp/.chainsaw-test/pod-good.yaml +++ b/pod-security/baseline/restrict-seccomp/.chainsaw-test/pod-good.yaml @@ -5,19 +5,19 @@ metadata: spec: initContainers: - name: busybox01-init - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seccompProfile: type: RuntimeDefault containers: - name: busybox01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seccompProfile: type: Localhost localhostProfile: profiles/audit.json - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seccompProfile: type: RuntimeDefault @@ -29,12 +29,12 @@ metadata: spec: containers: - name: busybox01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seccompProfile: type: RuntimeDefault - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seccompProfile: type: Localhost @@ -51,7 +51,7 @@ spec: localhostProfile: profiles/audit.json containers: - name: busybox01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod @@ -60,7 +60,7 @@ metadata: spec: containers: - name: busybox01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod @@ -69,7 +69,7 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod @@ -78,7 +78,7 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seccompProfile: type: RuntimeDefault @@ -90,7 +90,7 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seccompProfile: type: Localhost 
@@ -103,7 +103,7 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seccompProfile: type: RuntimeDefault @@ -115,7 +115,7 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seccompProfile: type: Localhost @@ -128,9 +128,9 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seccompProfile: type: RuntimeDefault @@ -142,12 +142,12 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seccompProfile: type: RuntimeDefault - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seccompProfile: type: Localhost @@ -160,13 +160,13 @@ metadata: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seccompProfile: type: RuntimeDefault containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod @@ -175,14 +175,14 @@ metadata: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seccompProfile: type: Localhost localhostProfile: operator/default/profile1.json containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod 
@@ -191,15 +191,15 @@ metadata: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seccompProfile: type: RuntimeDefault containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod @@ -208,17 +208,17 @@ metadata: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seccompProfile: type: Localhost localhostProfile: operator/default/profile1.json - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seccompProfile: type: RuntimeDefault containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- \ No newline at end of file diff --git a/pod-security/baseline/restrict-seccomp/.chainsaw-test/podcontroller-bad.yaml b/pod-security/baseline/restrict-seccomp/.chainsaw-test/podcontroller-bad.yaml index 92d9b91db..433a45dac 100644 --- a/pod-security/baseline/restrict-seccomp/.chainsaw-test/podcontroller-bad.yaml +++ b/pod-security/baseline/restrict-seccomp/.chainsaw-test/podcontroller-bad.yaml @@ -14,19 +14,19 @@ spec: spec: initContainers: - name: busybox01-init - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seccompProfile: type: Unconfined containers: - name: busybox01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seccompProfile: type: Localhost localhostProfile: profiles/audit.json - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seccompProfile: type: RuntimeDefault 
@@ -44,19 +44,19 @@ spec: restartPolicy: Never initContainers: - name: busybox01-init - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seccompProfile: type: RuntimeDefault containers: - name: busybox01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seccompProfile: type: Localhost localhostProfile: profiles/audit.json - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seccompProfile: type: Unconfined @@ -77,7 +77,7 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seccompProfile: type: Unconfined @@ -98,7 +98,7 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seccompProfile: type: Unconfined @@ -119,9 +119,9 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seccompProfile: type: Unconfined @@ -142,12 +142,12 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seccompProfile: type: RuntimeDefault - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seccompProfile: type: Unconfined @@ -168,13 +168,13 @@ spec: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seccompProfile: type: Unconfined containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: apps/v1 kind: Deployment 
@@ -192,15 +192,15 @@ spec: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seccompProfile: type: Unconfined containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: apps/v1 kind: Deployment @@ -218,18 +218,18 @@ spec: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seccompProfile: type: RuntimeDefault - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seccompProfile: type: Unconfined containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: batch/v1 kind: CronJob @@ -244,7 +244,7 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seccompProfile: type: Unconfined @@ -262,7 +262,7 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seccompProfile: type: Unconfined @@ -280,9 +280,9 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seccompProfile: type: Unconfined @@ -300,12 +300,12 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seccompProfile: type: RuntimeDefault - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seccompProfile: type: Unconfined 
@@ -323,13 +323,13 @@ spec: restartPolicy: OnFailure initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seccompProfile: type: Unconfined containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: batch/v1 kind: CronJob @@ -344,15 +344,15 @@ spec: restartPolicy: OnFailure initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seccompProfile: type: Unconfined containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: batch/v1 kind: CronJob @@ -367,16 +367,16 @@ spec: restartPolicy: OnFailure initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seccompProfile: type: RuntimeDefault - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seccompProfile: type: Unconfined containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- \ No newline at end of file diff --git a/pod-security/baseline/restrict-seccomp/.chainsaw-test/podcontroller-good.yaml b/pod-security/baseline/restrict-seccomp/.chainsaw-test/podcontroller-good.yaml index 72cafb0a1..49df1fbcf 100644 --- a/pod-security/baseline/restrict-seccomp/.chainsaw-test/podcontroller-good.yaml +++ b/pod-security/baseline/restrict-seccomp/.chainsaw-test/podcontroller-good.yaml 
@@ -14,19 +14,19 @@ spec: spec: initContainers: - name: busybox01-init - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seccompProfile: type: RuntimeDefault containers: - name: busybox01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seccompProfile: type: Localhost localhostProfile: profiles/audit.json - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seccompProfile: type: RuntimeDefault @@ -44,19 +44,19 @@ spec: restartPolicy: Never initContainers: - name: busybox01-init - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seccompProfile: type: RuntimeDefault containers: - name: busybox01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seccompProfile: type: Localhost localhostProfile: profiles/audit.json - name: busybox02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seccompProfile: type: RuntimeDefault @@ -77,7 +77,7 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: apps/v1 kind: Deployment @@ -95,7 +95,7 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seccompProfile: type: RuntimeDefault @@ -116,7 +116,7 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seccompProfile: type: Localhost @@ -138,7 +138,7 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seccompProfile: type: RuntimeDefault @@ -159,7 +159,7 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seccompProfile: type: Localhost 
@@ -181,9 +181,9 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seccompProfile: type: RuntimeDefault @@ -204,13 +204,13 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seccompProfile: type: Localhost localhostProfile: operator/default/profile1.json - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seccompProfile: type: RuntimeDefault @@ -231,13 +231,13 @@ spec: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seccompProfile: type: RuntimeDefault containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: apps/v1 kind: Deployment @@ -255,14 +255,14 @@ spec: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seccompProfile: type: Localhost localhostProfile: operator/default/profile1.json containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: apps/v1 kind: Deployment @@ -280,15 +280,15 @@ spec: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seccompProfile: type: RuntimeDefault containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: apps/v1 kind: Deployment 
@@ -306,19 +306,19 @@ spec: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seccompProfile: type: Localhost localhostProfile: operator/default/profile1.json - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seccompProfile: type: RuntimeDefault containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: batch/v1 kind: CronJob @@ -333,7 +333,7 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: batch/v1 kind: CronJob @@ -348,7 +348,7 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seccompProfile: type: RuntimeDefault @@ -366,7 +366,7 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seccompProfile: type: Localhost @@ -385,7 +385,7 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seccompProfile: type: RuntimeDefault @@ -403,7 +403,7 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seccompProfile: type: Localhost @@ -422,9 +422,9 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seccompProfile: type: RuntimeDefault 
@@ -442,13 +442,13 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seccompProfile: type: Localhost localhostProfile: operator/default/profile1.json - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seccompProfile: type: RuntimeDefault @@ -466,13 +466,13 @@ spec: restartPolicy: OnFailure initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seccompProfile: type: RuntimeDefault containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: batch/v1 kind: CronJob @@ -487,14 +487,14 @@ spec: restartPolicy: OnFailure initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seccompProfile: type: Localhost localhostProfile: operator/default/profile1.json containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: batch/v1 kind: CronJob @@ -509,15 +509,15 @@ spec: restartPolicy: OnFailure initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seccompProfile: type: RuntimeDefault containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: batch/v1 kind: CronJob 
@@ -532,17 +532,17 @@ spec: restartPolicy: OnFailure initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seccompProfile: type: Localhost localhostProfile: operator/default/profile1.json - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seccompProfile: type: RuntimeDefault containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- diff --git a/pod-security/baseline/restrict-seccomp/artifacthub-pkg.yml b/pod-security/baseline/restrict-seccomp/artifacthub-pkg.yml index a8fcf383b..13712bd99 100644 --- a/pod-security/baseline/restrict-seccomp/artifacthub-pkg.yml +++ b/pod-security/baseline/restrict-seccomp/artifacthub-pkg.yml @@ -19,4 +19,4 @@ annotations: kyverno/category: "Pod Security Standards (Baseline)" kyverno/kubernetesVersion: "1.22-1.23" kyverno/subject: "Pod" -digest: c2469f9eada153312c69490065cc32046f7615b0d88c9177d65ebec45b3ea01f +digest: 300e7c36b0fd01c8f70e9ad772b85ef2b4ed6593e6ff1224859bb06b675bfdc2 diff --git a/pod-security/baseline/restrict-seccomp/restrict-seccomp.yaml b/pod-security/baseline/restrict-seccomp/restrict-seccomp.yaml index b1161e77d..2fd176dc4 100644 --- a/pod-security/baseline/restrict-seccomp/restrict-seccomp.yaml +++ b/pod-security/baseline/restrict-seccomp/restrict-seccomp.yaml @@ -15,7 +15,7 @@ metadata: set to `RuntimeDefault` or `Localhost`. spec: background: true - validationFailureAction: Audit + validationFailureAction: audit rules: - name: check-seccomp match: diff --git a/pod-security/baseline/restrict-sysctls/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/pod-security/baseline/restrict-sysctls/.chainsaw-test/chainsaw-step-01-assert-1.yaml index cc9ad507f..a7afea7ef 100755 --- a/pod-security/baseline/restrict-sysctls/.chainsaw-test/chainsaw-step-01-assert-1.yaml +++ b/pod-security/baseline/restrict-sysctls/.chainsaw-test/chainsaw-step-01-assert-1.yaml 
@@ -3,8 +3,4 @@ kind: ClusterPolicy metadata: name: restrict-sysctls status: - conditions: - - reason: Succeeded - status: "True" - type: Ready - + ready: true diff --git a/pod-security/baseline/restrict-sysctls/.chainsaw-test/chainsaw-test.yaml b/pod-security/baseline/restrict-sysctls/.chainsaw-test/chainsaw-test.yaml index 7cbcd1a60..e872e47e0 100755 --- a/pod-security/baseline/restrict-sysctls/.chainsaw-test/chainsaw-test.yaml +++ b/pod-security/baseline/restrict-sysctls/.chainsaw-test/chainsaw-test.yaml @@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: @@ -8,16 +7,9 @@ spec: steps: - name: step-01 try: - - apply: - file: ../restrict-sysctls.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: restrict-sysctls - spec: - validationFailureAction: Enforce + - script: + content: | + sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../restrict-sysctls.yaml | kubectl create -f - - assert: file: chainsaw-step-01-assert-1.yaml - name: step-02 @@ -36,3 +28,10 @@ spec: - check: ($error != null): true file: podcontroller-bad.yaml + - name: step-99 + try: + - delete: + ref: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: restrict-sysctls diff --git a/pod-security/baseline/restrict-sysctls/.chainsaw-test/pod-bad.yaml b/pod-security/baseline/restrict-sysctls/.chainsaw-test/pod-bad.yaml index e850d943b..4e3793ff4 100644 --- a/pod-security/baseline/restrict-sysctls/.chainsaw-test/pod-bad.yaml +++ b/pod-security/baseline/restrict-sysctls/.chainsaw-test/pod-bad.yaml @@ -13,7 +13,7 @@ spec: value: "60000" containers: - name: busybox01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod 
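Review bot: The assert now waits on `status.ready: true` and drops the `conditions` entry of type `Ready`; in the Kyverno policy API the boolean `ready` is, as far as I recall, the older field marked deprecated in favour of `conditions`, so this binds the test to whichever Kyverno release still populates it and would time out if a newer release stops doing so. The same swap is made in the disallow-capabilities-strict assert at L2803. Unless the version under test is known not to set conditions, keeping the conditions-based assertion (`- reason: Succeeded`, `status: "True"`, `type: Ready`) is the more forward-compatible choice.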
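Review bot: The new step-01 script `sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../restrict-sysctls.yaml | kubectl create -f -` couples the test to the exact, case-sensitive spelling of one line in the policy file — which is presumably why restrict-sysctls.yaml (L2802) and restrict-seccomp.yaml (L2796) are lowercased to `audit` in the same commit — whereas the removed `patch` step set the field structurally and could not miss. If the spelling drifts again, sed substitutes nothing, the policy is created in audit mode, and the problem surfaces only later as a confusing `($error != null): true` mismatch in step-02/03. If the script route is kept, use `s/validationFailureAction: [Aa]udit/validationFailureAction: Enforce/` so the published policies can keep the capitalised spelling the Kyverno docs use; the identical pattern appears in disallow-capabilities-strict/.chainsaw-test/chainsaw-test.yaml at L2803.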
@@ -26,7 +26,7 @@ spec: value: "1000-2000" containers: - name: busybox01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod @@ -41,7 +41,7 @@ spec: value: "0" containers: - name: busybox01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod @@ -56,7 +56,7 @@ spec: value: "5000-6000" containers: - name: busybox01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod @@ -65,7 +65,7 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: sysctls: - name: kernel.shm_next_id @@ -78,7 +78,7 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: sysctls: - name: kernel.shm_rmid_forced diff --git a/pod-security/baseline/restrict-sysctls/.chainsaw-test/pod-good.yaml b/pod-security/baseline/restrict-sysctls/.chainsaw-test/pod-good.yaml index 389f1f79a..1811c89d4 100644 --- a/pod-security/baseline/restrict-sysctls/.chainsaw-test/pod-good.yaml +++ b/pod-security/baseline/restrict-sysctls/.chainsaw-test/pod-good.yaml @@ -13,7 +13,7 @@ spec: value: "60000" containers: - name: busybox01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod @@ -22,7 +22,7 @@ metadata: spec: containers: - name: busybox01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod @@ -35,7 +35,7 @@ spec: value: "1000-2000" containers: - name: busybox01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod @@ -44,7 +44,7 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod 
@@ -53,7 +53,7 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: sysctls: - name: kernel.shm_rmid_forced @@ -66,7 +66,7 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: sysctls: - name: net.ipv4.ip_local_port_range @@ -79,7 +79,7 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: sysctls: - name: net.ipv4.ip_unprivileged_port_start @@ -92,7 +92,7 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: sysctls: - name: net.ipv4.tcp_syncookies @@ -105,7 +105,7 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: sysctls: - name: net.ipv4.ping_group_range @@ -118,7 +118,7 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: sysctls: - name: net.ipv4.ip_unprivileged_port_start diff --git a/pod-security/baseline/restrict-sysctls/.chainsaw-test/podcontroller-bad.yaml b/pod-security/baseline/restrict-sysctls/.chainsaw-test/podcontroller-bad.yaml index 587c2affb..3d1973b78 100644 --- a/pod-security/baseline/restrict-sysctls/.chainsaw-test/podcontroller-bad.yaml +++ b/pod-security/baseline/restrict-sysctls/.chainsaw-test/podcontroller-bad.yaml @@ -22,7 +22,7 @@ spec: value: "60000" containers: - name: busybox01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: batch/v1 kind: CronJob @@ -45,7 +45,7 @@ spec: value: "5000-6000" containers: - name: busybox01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: apps/v1 kind: Deployment 
@@ -63,7 +63,7 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: sysctls: - name: kernel.shm_next_id @@ -85,7 +85,7 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: sysctls: - name: kernel.shm_rmid_forced @@ -106,7 +106,7 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: sysctls: - name: kernel.shm_next_id @@ -125,7 +125,7 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: sysctls: - name: kernel.shm_rmid_forced diff --git a/pod-security/baseline/restrict-sysctls/.chainsaw-test/podcontroller-good.yaml b/pod-security/baseline/restrict-sysctls/.chainsaw-test/podcontroller-good.yaml index 5280d7259..8446a6028 100644 --- a/pod-security/baseline/restrict-sysctls/.chainsaw-test/podcontroller-good.yaml +++ b/pod-security/baseline/restrict-sysctls/.chainsaw-test/podcontroller-good.yaml @@ -22,7 +22,7 @@ spec: value: "60000" containers: - name: busybox01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: batch/v1 kind: CronJob @@ -45,7 +45,7 @@ spec: value: "60000" containers: - name: busybox01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: apps/v1 kind: Deployment @@ -63,7 +63,7 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: apps/v1 kind: Deployment @@ -81,7 +81,7 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: sysctls: - name: kernel.shm_rmid_forced 
@@ -103,7 +103,7 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: sysctls: - name: net.ipv4.ip_local_port_range @@ -125,7 +125,7 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: sysctls: - name: net.ipv4.ip_unprivileged_port_start @@ -147,7 +147,7 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: sysctls: - name: net.ipv4.tcp_syncookies @@ -169,7 +169,7 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: sysctls: - name: net.ipv4.ping_group_range @@ -191,7 +191,7 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: sysctls: - name: net.ipv4.ip_unprivileged_port_start @@ -212,7 +212,7 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: batch/v1 kind: CronJob @@ -227,7 +227,7 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: sysctls: - name: kernel.shm_rmid_forced @@ -246,7 +246,7 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: sysctls: - name: net.ipv4.ip_local_port_range @@ -265,7 +265,7 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: sysctls: - name: net.ipv4.ip_unprivileged_port_start @@ -284,7 +284,7 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: sysctls: - name: net.ipv4.tcp_syncookies 
@@ -303,7 +303,7 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: sysctls: - name: net.ipv4.ping_group_range @@ -322,7 +322,7 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: sysctls: - name: net.ipv4.ip_unprivileged_port_start diff --git a/pod-security/baseline/restrict-sysctls/artifacthub-pkg.yml b/pod-security/baseline/restrict-sysctls/artifacthub-pkg.yml index 1e62c8a19..1835085a6 100644 --- a/pod-security/baseline/restrict-sysctls/artifacthub-pkg.yml +++ b/pod-security/baseline/restrict-sysctls/artifacthub-pkg.yml @@ -19,4 +19,4 @@ annotations: kyverno/category: "Pod Security Standards (Baseline)" kyverno/kubernetesVersion: "1.22-1.23" kyverno/subject: "Pod" -digest: ad4c1dcbc7f5e811797fa2df1de2d52c2180526f9b89e5cd3ee7ff637d9ab1c7 +digest: 29b9c1bda8c60f61aff4fa1df4a19d9f18eec7376ca9aea202bacc4ab6ab8a11 diff --git a/pod-security/baseline/restrict-sysctls/restrict-sysctls.yaml b/pod-security/baseline/restrict-sysctls/restrict-sysctls.yaml index 2f2832bff..6b309beb9 100644 --- a/pod-security/baseline/restrict-sysctls/restrict-sysctls.yaml +++ b/pod-security/baseline/restrict-sysctls/restrict-sysctls.yaml @@ -17,7 +17,7 @@ metadata: This policy ensures that only those "safe" subsets can be specified in a Pod. spec: - validationFailureAction: Audit + validationFailureAction: audit background: true rules: - name: check-sysctls diff --git a/pod-security/restricted/disallow-capabilities-strict/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/pod-security/restricted/disallow-capabilities-strict/.chainsaw-test/chainsaw-step-01-assert-1.yaml index 02a811690..a7bd6b8fa 100755 --- a/pod-security/restricted/disallow-capabilities-strict/.chainsaw-test/chainsaw-step-01-assert-1.yaml 
+++ b/pod-security/restricted/disallow-capabilities-strict/.chainsaw-test/chainsaw-step-01-assert-1.yaml @@ -3,8 +3,4 @@ kind: ClusterPolicy metadata: name: disallow-capabilities-strict status: - conditions: - - reason: Succeeded - status: "True" - type: Ready - + ready: true diff --git a/pod-security/restricted/disallow-capabilities-strict/.chainsaw-test/chainsaw-test.yaml b/pod-security/restricted/disallow-capabilities-strict/.chainsaw-test/chainsaw-test.yaml index e80781440..2bdf86803 100755 --- a/pod-security/restricted/disallow-capabilities-strict/.chainsaw-test/chainsaw-test.yaml +++ b/pod-security/restricted/disallow-capabilities-strict/.chainsaw-test/chainsaw-test.yaml @@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: @@ -8,16 +7,9 @@ spec: steps: - name: step-01 try: - - apply: - file: ../disallow-capabilities-strict.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: disallow-capabilities-strict - spec: - validationFailureAction: Enforce + - script: + content: | + sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../disallow-capabilities-strict.yaml | kubectl create -f - - assert: file: chainsaw-step-01-assert-1.yaml - name: step-02 @@ -36,3 +28,10 @@ spec: - check: ($error != null): true file: podcontroller-bad.yaml + - name: step-99 + try: + - delete: + ref: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: disallow-capabilities-strict diff --git a/pod-security/restricted/disallow-capabilities-strict/.chainsaw-test/pod-bad.yaml b/pod-security/restricted/disallow-capabilities-strict/.chainsaw-test/pod-bad.yaml index a52dfab66..64949f3ca 100644 --- a/pod-security/restricted/disallow-capabilities-strict/.chainsaw-test/pod-bad.yaml +++ b/pod-security/restricted/disallow-capabilities-strict/.chainsaw-test/pod-bad.yaml 
@@ -5,7 +5,7 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod @@ -14,7 +14,7 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: @@ -27,9 +27,9 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod @@ -38,9 +38,9 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: @@ -53,13 +53,13 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: - NET_RAW - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: @@ -72,10 +72,10 @@ metadata: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: @@ -88,14 +88,14 @@ metadata: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: - NET_RAW containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: 
@@ -108,12 +108,12 @@ metadata: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: @@ -126,16 +126,16 @@ metadata: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: - NET_RAW containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: @@ -148,20 +148,20 @@ metadata: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: - NET_RAW - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: - ALL containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: @@ -174,7 +174,7 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: @@ -189,7 +189,7 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: @@ -205,13 +205,13 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: - ALL - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: 
@@ -226,7 +226,7 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: @@ -234,7 +234,7 @@ spec: add: - NET_BIND_SERVICE - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: @@ -249,7 +249,7 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: @@ -257,7 +257,7 @@ spec: add: - NET_BIND_SERVICE - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: @@ -273,7 +273,7 @@ metadata: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: @@ -282,7 +282,7 @@ spec: - CHOWN containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: @@ -295,7 +295,7 @@ metadata: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: @@ -305,7 +305,7 @@ spec: - NET_BIND_SERVICE containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: @@ -318,13 +318,13 @@ metadata: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: - ALL - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: @@ -333,7 +333,7 @@ spec: - CHOWN containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: 
@@ -346,7 +346,7 @@ metadata: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: @@ -354,7 +354,7 @@ spec: add: - NET_BIND_SERVICE - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: @@ -363,7 +363,7 @@ spec: - CHOWN containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: @@ -376,7 +376,7 @@ metadata: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: @@ -384,7 +384,7 @@ spec: add: - NET_BIND_SERVICE - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: @@ -394,7 +394,7 @@ spec: - NET_BIND_SERVICE containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: diff --git a/pod-security/restricted/disallow-capabilities-strict/.chainsaw-test/pod-good.yaml b/pod-security/restricted/disallow-capabilities-strict/.chainsaw-test/pod-good.yaml index 70eb6daf5..4475cfe63 100644 --- a/pod-security/restricted/disallow-capabilities-strict/.chainsaw-test/pod-good.yaml +++ b/pod-security/restricted/disallow-capabilities-strict/.chainsaw-test/pod-good.yaml @@ -5,7 +5,7 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: @@ -18,7 +18,7 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: 
@@ -32,13 +32,13 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: - ALL - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: @@ -51,14 +51,14 @@ metadata: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: - ALL containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: @@ -71,7 +71,7 @@ metadata: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: @@ -79,7 +79,7 @@ spec: - ALL containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: @@ -92,20 +92,20 @@ metadata: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: - ALL - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: - ALL containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: @@ -118,7 +118,7 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: @@ -133,13 +133,13 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: - ALL - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: 
@@ -154,7 +154,7 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: @@ -162,7 +162,7 @@ spec: add: - NET_BIND_SERVICE - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: @@ -177,14 +177,14 @@ metadata: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: - ALL containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: @@ -197,7 +197,7 @@ metadata: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: @@ -206,7 +206,7 @@ spec: - NET_BIND_SERVICE containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: @@ -219,20 +219,20 @@ metadata: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: - ALL - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: - ALL containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: @@ -245,13 +245,13 @@ metadata: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: - ALL - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: @@ -260,7 +260,7 @@ spec: - NET_BIND_SERVICE containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: 
@@ -273,7 +273,7 @@ metadata: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: @@ -281,7 +281,7 @@ spec: add: - NET_BIND_SERVICE - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: @@ -290,7 +290,7 @@ spec: - NET_BIND_SERVICE containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: diff --git a/pod-security/restricted/disallow-capabilities-strict/.chainsaw-test/podcontroller-bad.yaml b/pod-security/restricted/disallow-capabilities-strict/.chainsaw-test/podcontroller-bad.yaml index f3d52b08b..afca656f9 100644 --- a/pod-security/restricted/disallow-capabilities-strict/.chainsaw-test/podcontroller-bad.yaml +++ b/pod-security/restricted/disallow-capabilities-strict/.chainsaw-test/podcontroller-bad.yaml @@ -14,7 +14,7 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: apps/v1 kind: Deployment @@ -32,7 +32,7 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: @@ -54,9 +54,9 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: apps/v1 kind: Deployment @@ -74,9 +74,9 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: 
@@ -98,13 +98,13 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: - NET_RAW - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: @@ -126,10 +126,10 @@ spec: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: @@ -151,14 +151,14 @@ spec: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: - NET_RAW containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: @@ -180,12 +180,12 @@ spec: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: @@ -207,16 +207,16 @@ spec: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: - NET_RAW containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: 
@@ -238,20 +238,20 @@ spec: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: - NET_RAW - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: - ALL containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: @@ -270,7 +270,7 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: batch/v1 kind: CronJob @@ -285,7 +285,7 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: @@ -304,9 +304,9 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: batch/v1 kind: CronJob @@ -321,9 +321,9 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: @@ -342,13 +342,13 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: - NET_RAW - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: @@ -367,10 +367,10 @@ spec: restartPolicy: OnFailure initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: 
@@ -389,14 +389,14 @@ spec: restartPolicy: OnFailure initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: - NET_RAW containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: @@ -415,12 +415,12 @@ spec: restartPolicy: OnFailure initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: @@ -439,16 +439,16 @@ spec: restartPolicy: OnFailure initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: - NET_RAW containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: @@ -467,20 +467,20 @@ spec: restartPolicy: OnFailure initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: - NET_RAW - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: - ALL containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: @@ -502,7 +502,7 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: @@ -526,7 +526,7 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: 
@@ -551,13 +551,13 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: - ALL - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: @@ -581,7 +581,7 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: @@ -589,7 +589,7 @@ spec: add: - NET_BIND_SERVICE - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: @@ -613,7 +613,7 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: @@ -621,7 +621,7 @@ spec: add: - NET_BIND_SERVICE - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: @@ -646,7 +646,7 @@ spec: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: @@ -655,7 +655,7 @@ spec: - CHOWN containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: @@ -677,7 +677,7 @@ spec: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: @@ -687,7 +687,7 @@ spec: - NET_BIND_SERVICE containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: @@ -709,13 +709,13 @@ spec: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: - ALL - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: 
@@ -724,7 +724,7 @@ spec: - CHOWN containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: @@ -746,7 +746,7 @@ spec: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: @@ -754,7 +754,7 @@ spec: add: - NET_BIND_SERVICE - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: @@ -763,7 +763,7 @@ spec: - CHOWN containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: @@ -785,7 +785,7 @@ spec: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: @@ -793,7 +793,7 @@ spec: add: - NET_BIND_SERVICE - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: @@ -803,7 +803,7 @@ spec: - NET_BIND_SERVICE containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: @@ -822,7 +822,7 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: @@ -843,7 +843,7 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: @@ -865,13 +865,13 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: - ALL - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: 
@@ -892,7 +892,7 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: @@ -900,7 +900,7 @@ spec: add: - NET_BIND_SERVICE - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: @@ -921,7 +921,7 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: @@ -929,7 +929,7 @@ spec: add: - NET_BIND_SERVICE - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: @@ -951,7 +951,7 @@ spec: restartPolicy: OnFailure initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: @@ -960,7 +960,7 @@ spec: - CHOWN containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: @@ -979,7 +979,7 @@ spec: restartPolicy: OnFailure initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: @@ -989,7 +989,7 @@ spec: - NET_BIND_SERVICE containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: @@ -1008,13 +1008,13 @@ spec: restartPolicy: OnFailure initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: - ALL - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: @@ -1023,7 +1023,7 @@ spec: - CHOWN containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: 
@@ -1042,7 +1042,7 @@ spec: restartPolicy: OnFailure initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: @@ -1050,7 +1050,7 @@ spec: add: - NET_BIND_SERVICE - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: @@ -1059,7 +1059,7 @@ spec: - CHOWN containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: @@ -1078,7 +1078,7 @@ spec: restartPolicy: OnFailure initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: @@ -1086,7 +1086,7 @@ spec: add: - NET_BIND_SERVICE - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: @@ -1096,7 +1096,7 @@ spec: - NET_BIND_SERVICE containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: diff --git a/pod-security/restricted/disallow-capabilities-strict/.chainsaw-test/podcontroller-good.yaml b/pod-security/restricted/disallow-capabilities-strict/.chainsaw-test/podcontroller-good.yaml index 1968566d9..89131915e 100644 --- a/pod-security/restricted/disallow-capabilities-strict/.chainsaw-test/podcontroller-good.yaml +++ b/pod-security/restricted/disallow-capabilities-strict/.chainsaw-test/podcontroller-good.yaml @@ -14,7 +14,7 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: @@ -36,7 +36,7 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: 
@@ -59,13 +59,13 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: - ALL - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: @@ -87,14 +87,14 @@ spec: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: - ALL containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: @@ -116,7 +116,7 @@ spec: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: @@ -124,7 +124,7 @@ spec: - ALL containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: @@ -146,20 +146,20 @@ spec: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: - ALL - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: - ALL containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: @@ -178,7 +178,7 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: @@ -197,7 +197,7 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: 
@@ -217,13 +217,13 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: - ALL - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: @@ -242,14 +242,14 @@ spec: restartPolicy: OnFailure initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: - ALL containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: @@ -268,7 +268,7 @@ spec: restartPolicy: OnFailure initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: @@ -276,7 +276,7 @@ spec: - ALL containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: @@ -295,20 +295,20 @@ spec: restartPolicy: OnFailure initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: - ALL - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: - ALL containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: @@ -330,7 +330,7 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: @@ -354,13 +354,13 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: - ALL - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: 
@@ -384,7 +384,7 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: @@ -392,7 +392,7 @@ spec: add: - NET_BIND_SERVICE - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: @@ -416,14 +416,14 @@ spec: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: - ALL containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: @@ -445,7 +445,7 @@ spec: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: @@ -454,7 +454,7 @@ spec: - NET_BIND_SERVICE containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: @@ -476,20 +476,20 @@ spec: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: - ALL - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: - ALL containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: @@ -511,13 +511,13 @@ spec: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: - ALL - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: @@ -526,7 +526,7 @@ spec: - NET_BIND_SERVICE containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: 
@@ -548,7 +548,7 @@ spec: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: @@ -556,7 +556,7 @@ spec: add: - NET_BIND_SERVICE - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: @@ -565,7 +565,7 @@ spec: - NET_BIND_SERVICE containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: @@ -584,7 +584,7 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: @@ -603,7 +603,7 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: @@ -624,13 +624,13 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: - ALL - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: @@ -651,7 +651,7 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: @@ -659,7 +659,7 @@ spec: add: - NET_BIND_SERVICE - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: @@ -680,7 +680,7 @@ spec: restartPolicy: OnFailure initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: @@ -689,7 +689,7 @@ spec: - NET_BIND_SERVICE containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: 
@@ -708,20 +708,20 @@ spec: restartPolicy: OnFailure initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: - ALL - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: - ALL containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: @@ -740,13 +740,13 @@ spec: restartPolicy: OnFailure initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: - ALL - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: @@ -755,7 +755,7 @@ spec: - NET_BIND_SERVICE containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: @@ -774,7 +774,7 @@ spec: restartPolicy: OnFailure initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: @@ -782,7 +782,7 @@ spec: add: - NET_BIND_SERVICE - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: @@ -791,7 +791,7 @@ spec: - NET_BIND_SERVICE containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: drop: diff --git a/pod-security/restricted/disallow-capabilities-strict/artifacthub-pkg.yml b/pod-security/restricted/disallow-capabilities-strict/artifacthub-pkg.yml index 38230c9b1..02febf504 100644 --- a/pod-security/restricted/disallow-capabilities-strict/artifacthub-pkg.yml +++ b/pod-security/restricted/disallow-capabilities-strict/artifacthub-pkg.yml 
@@ -19,4 +19,4 @@ annotations: kyverno/category: "Pod Security Standards (Restricted)" kyverno/kubernetesVersion: "1.22-1.23" kyverno/subject: "Pod" -digest: 6000c5c6e0a0b0f87d67dd9a382a871f301dc2daa02d649abfe9fa14d0bff253 +digest: c9ad4e28dafebe6064adfd1a8256a88ca610b8d0d8aea1b23aa772f06b5d793a diff --git a/pod-security/restricted/disallow-capabilities-strict/disallow-capabilities-strict.yaml b/pod-security/restricted/disallow-capabilities-strict/disallow-capabilities-strict.yaml index 1c4681879..dbc478783 100644 --- a/pod-security/restricted/disallow-capabilities-strict/disallow-capabilities-strict.yaml +++ b/pod-security/restricted/disallow-capabilities-strict/disallow-capabilities-strict.yaml @@ -14,7 +14,7 @@ metadata: Adding capabilities other than `NET_BIND_SERVICE` is disallowed. In addition, all containers must explicitly drop `ALL` capabilities. spec: - validationFailureAction: Audit + validationFailureAction: audit background: true rules: - name: require-drop-all diff --git a/pod-security/restricted/disallow-privilege-escalation/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/pod-security/restricted/disallow-privilege-escalation/.chainsaw-test/chainsaw-step-01-assert-1.yaml index b8dc40c39..30a5747c2 100755 --- a/pod-security/restricted/disallow-privilege-escalation/.chainsaw-test/chainsaw-step-01-assert-1.yaml +++ b/pod-security/restricted/disallow-privilege-escalation/.chainsaw-test/chainsaw-step-01-assert-1.yaml @@ -3,8 +3,4 @@ kind: ClusterPolicy metadata: name: disallow-privilege-escalation status: - conditions: - - reason: Succeeded - status: "True" - type: Ready - + ready: true diff --git a/pod-security/restricted/disallow-privilege-escalation/.chainsaw-test/chainsaw-test.yaml b/pod-security/restricted/disallow-privilege-escalation/.chainsaw-test/chainsaw-test.yaml index c48e48feb..f50453dba 100755 --- a/pod-security/restricted/disallow-privilege-escalation/.chainsaw-test/chainsaw-test.yaml 
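Review bot: `validationFailureAction: audit` ships `disallow-capabilities-strict` in report-only mode, so as installed it records violations of the Restricted capabilities rules but rejects nothing, and nothing in the file says so while the test now depends on rewriting this exact lowercase token to `Enforce`. Kyverno's CRD has accepted both `audit` and `Audit`, but pairing the lowercase value here with the capitalized `Enforce` the test substitutes makes the two spellings look like different settings. I would add above the field `# Audit only reports violations; set to Enforce to reject non-compliant Pods` and use one casing (`Audit`/`Enforce`) consistently in policy and test. The assert hunk on this same line swaps the `Ready` condition check for `status.ready: true`; if the Kyverno version the CI installs populates only `status.conditions`, that assert can never be satisfied, so it is worth confirming against that version.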
+++ b/pod-security/restricted/disallow-privilege-escalation/.chainsaw-test/chainsaw-test.yaml @@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: @@ -8,16 +7,9 @@ spec: steps: - name: step-01 try: - - apply: - file: ../disallow-privilege-escalation.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: disallow-privilege-escalation - spec: - validationFailureAction: Enforce + - script: + content: | + sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../disallow-privilege-escalation.yaml | kubectl create -f - - assert: file: chainsaw-step-01-assert-1.yaml - name: step-02 @@ -36,3 +28,10 @@ spec: - check: ($error != null): true file: podcontroller-bad.yaml + - name: step-99 + try: + - delete: + ref: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: disallow-privilege-escalation diff --git a/pod-security/restricted/disallow-privilege-escalation/.chainsaw-test/pod-bad.yaml b/pod-security/restricted/disallow-privilege-escalation/.chainsaw-test/pod-bad.yaml index e3c44d598..28ce245f0 100644 --- a/pod-security/restricted/disallow-privilege-escalation/.chainsaw-test/pod-bad.yaml +++ b/pod-security/restricted/disallow-privilege-escalation/.chainsaw-test/pod-bad.yaml @@ -5,7 +5,7 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod @@ -14,7 +14,7 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: allowPrivilegeEscalation: true --- 
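Review bot: The `sed 's/validationFailureAction: audit/validationFailureAction: Enforce/'` substitution is a silent no-op if the policy file spells the value `Audit` (as it did before this commit) or changes casing again, and because the pipeline's exit status is `kubectl`'s, a non-matching `sed` still installs the policy in Audit mode, after which the step-02 `($error != null)` checks fail with no hint why. Make the script stop on error, accept either spelling, and verify the rendered manifest before creating it; the rewrite below does that with POSIX `sh` constructs, since I cannot tell from here which shell Chainsaw hands the script to. The replaced `apply` + `patch` form was declarative and tracked by Chainsaw for cleanup, whereas a `script` is not, which is why the added `step-99` delete became necessary.
```yaml
- script:
    content: |
      set -eu
      manifest=$(sed -E 's/validationFailureAction: [Aa]udit/validationFailureAction: Enforce/' ../disallow-privilege-escalation.yaml)
      printf '%s\n' "$manifest" | grep -q 'validationFailureAction: Enforce'
      printf '%s\n' "$manifest" | kubectl create -f -
# … unchanged: assert on chainsaw-step-01-assert-1.yaml …
```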
@@ -25,9 +25,9 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: allowPrivilegeEscalation: false --- @@ -38,11 +38,11 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: allowPrivilegeEscalation: true - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: allowPrivilegeEscalation: false --- @@ -53,10 +53,10 @@ metadata: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: allowPrivilegeEscalation: false --- @@ -67,14 +67,14 @@ metadata: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: allowPrivilegeEscalation: true containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: allowPrivilegeEscalation: false --- \ No newline at end of file diff --git a/pod-security/restricted/disallow-privilege-escalation/.chainsaw-test/pod-good.yaml b/pod-security/restricted/disallow-privilege-escalation/.chainsaw-test/pod-good.yaml index e184edd4f..7f7a8fe64 100644 --- a/pod-security/restricted/disallow-privilege-escalation/.chainsaw-test/pod-good.yaml +++ b/pod-security/restricted/disallow-privilege-escalation/.chainsaw-test/pod-good.yaml @@ -5,7 +5,7 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: allowPrivilegeEscalation: false --- 
@@ -16,11 +16,11 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: allowPrivilegeEscalation: false - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: allowPrivilegeEscalation: false --- @@ -31,12 +31,12 @@ metadata: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: allowPrivilegeEscalation: false containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: allowPrivilegeEscalation: false --- @@ -47,16 +47,16 @@ metadata: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: allowPrivilegeEscalation: false - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: allowPrivilegeEscalation: false containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: allowPrivilegeEscalation: false --- @@ -67,20 +67,20 @@ metadata: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: allowPrivilegeEscalation: false - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: allowPrivilegeEscalation: false containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: allowPrivilegeEscalation: false - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: allowPrivilegeEscalation: false --- \ No newline at end of file 
diff --git a/pod-security/restricted/disallow-privilege-escalation/.chainsaw-test/podcontroller-bad.yaml b/pod-security/restricted/disallow-privilege-escalation/.chainsaw-test/podcontroller-bad.yaml index d6bd83a50..34577c35b 100644 --- a/pod-security/restricted/disallow-privilege-escalation/.chainsaw-test/podcontroller-bad.yaml +++ b/pod-security/restricted/disallow-privilege-escalation/.chainsaw-test/podcontroller-bad.yaml @@ -14,7 +14,7 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: apps/v1 kind: Deployment @@ -32,7 +32,7 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: allowPrivilegeEscalation: true --- @@ -52,9 +52,9 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: allowPrivilegeEscalation: false --- @@ -74,11 +74,11 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: allowPrivilegeEscalation: true - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: allowPrivilegeEscalation: false --- @@ -98,10 +98,10 @@ spec: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: allowPrivilegeEscalation: false --- 
@@ -121,14 +121,14 @@ spec: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: allowPrivilegeEscalation: true containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: allowPrivilegeEscalation: false --- @@ -145,7 +145,7 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: batch/v1 kind: CronJob @@ -160,7 +160,7 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: allowPrivilegeEscalation: true --- @@ -177,9 +177,9 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: allowPrivilegeEscalation: false --- @@ -196,11 +196,11 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: allowPrivilegeEscalation: true - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: allowPrivilegeEscalation: false --- @@ -217,10 +217,10 @@ spec: restartPolicy: OnFailure initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: allowPrivilegeEscalation: false --- 
@@ -237,14 +237,14 @@ spec: restartPolicy: OnFailure initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: allowPrivilegeEscalation: true containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: allowPrivilegeEscalation: false --- \ No newline at end of file diff --git a/pod-security/restricted/disallow-privilege-escalation/.chainsaw-test/podcontroller-good.yaml b/pod-security/restricted/disallow-privilege-escalation/.chainsaw-test/podcontroller-good.yaml index 1e3709b54..b1a20f561 100644 --- a/pod-security/restricted/disallow-privilege-escalation/.chainsaw-test/podcontroller-good.yaml +++ b/pod-security/restricted/disallow-privilege-escalation/.chainsaw-test/podcontroller-good.yaml @@ -14,7 +14,7 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: allowPrivilegeEscalation: false --- @@ -34,11 +34,11 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: allowPrivilegeEscalation: false - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: allowPrivilegeEscalation: false --- @@ -58,12 +58,12 @@ spec: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: allowPrivilegeEscalation: false containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: allowPrivilegeEscalation: false --- 
@@ -83,16 +83,16 @@ spec: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: allowPrivilegeEscalation: false - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: allowPrivilegeEscalation: false containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: allowPrivilegeEscalation: false --- @@ -112,20 +112,20 @@ spec: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: allowPrivilegeEscalation: false - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: allowPrivilegeEscalation: false containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: allowPrivilegeEscalation: false - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: allowPrivilegeEscalation: false --- @@ -142,7 +142,7 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: allowPrivilegeEscalation: false --- @@ -159,11 +159,11 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: allowPrivilegeEscalation: false - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: allowPrivilegeEscalation: false --- @@ -180,12 +180,12 @@ spec: restartPolicy: OnFailure initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: allowPrivilegeEscalation: false containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: allowPrivilegeEscalation: false --- 
@@ -202,16 +202,16 @@ spec: restartPolicy: OnFailure initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: allowPrivilegeEscalation: false - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: allowPrivilegeEscalation: false containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: allowPrivilegeEscalation: false --- @@ -228,19 +228,19 @@ spec: restartPolicy: OnFailure initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: allowPrivilegeEscalation: false - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: allowPrivilegeEscalation: false containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: allowPrivilegeEscalation: false - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: allowPrivilegeEscalation: false diff --git a/pod-security/restricted/disallow-privilege-escalation/artifacthub-pkg.yml b/pod-security/restricted/disallow-privilege-escalation/artifacthub-pkg.yml index 9b91be6b0..134cae44e 100644 --- a/pod-security/restricted/disallow-privilege-escalation/artifacthub-pkg.yml +++ b/pod-security/restricted/disallow-privilege-escalation/artifacthub-pkg.yml @@ -19,4 +19,4 @@ annotations: kyverno/category: "Pod Security Standards (Restricted)" kyverno/kubernetesVersion: "1.22-1.23" kyverno/subject: "Pod" -digest: 896f413ddf85259b6b61515bc6327ea9f6d9b4b76db43dec745cbd16dfcc9974 +digest: e8ce822cc387d097b86c462e1ed2ccc0136395e0c42e0731b722ed31cef9042d 
diff --git a/pod-security/restricted/disallow-privilege-escalation/disallow-privilege-escalation.yaml b/pod-security/restricted/disallow-privilege-escalation/disallow-privilege-escalation.yaml index cfa501bb9..b06d960a5 100644 --- a/pod-security/restricted/disallow-privilege-escalation/disallow-privilege-escalation.yaml +++ b/pod-security/restricted/disallow-privilege-escalation/disallow-privilege-escalation.yaml @@ -13,7 +13,7 @@ metadata: Privilege escalation, such as via set-user-ID or set-group-ID file mode, should not be allowed. This policy ensures the `allowPrivilegeEscalation` field is set to `false`. spec: - validationFailureAction: Audit + validationFailureAction: audit background: true rules: - name: privilege-escalation diff --git a/pod-security/restricted/require-run-as-non-root-user/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/pod-security/restricted/require-run-as-non-root-user/.chainsaw-test/chainsaw-step-01-assert-1.yaml index 6a5138508..3a15a8755 100755 --- a/pod-security/restricted/require-run-as-non-root-user/.chainsaw-test/chainsaw-step-01-assert-1.yaml +++ b/pod-security/restricted/require-run-as-non-root-user/.chainsaw-test/chainsaw-step-01-assert-1.yaml @@ -3,8 +3,4 @@ kind: ClusterPolicy metadata: name: require-run-as-non-root-user status: - conditions: - - reason: Succeeded - status: "True" - type: Ready - + ready: true diff --git a/pod-security/restricted/require-run-as-non-root-user/.chainsaw-test/chainsaw-test.yaml b/pod-security/restricted/require-run-as-non-root-user/.chainsaw-test/chainsaw-test.yaml index d87423a5e..4ca60b0bb 100755 --- a/pod-security/restricted/require-run-as-non-root-user/.chainsaw-test/chainsaw-test.yaml +++ b/pod-security/restricted/require-run-as-non-root-user/.chainsaw-test/chainsaw-test.yaml @@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: 
@@ -8,16 +7,9 @@ spec: steps: - name: step-01 try: - - apply: - file: ../require-run-as-non-root-user.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: require-run-as-non-root-user - spec: - validationFailureAction: Enforce + - script: + content: | + sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../require-run-as-non-root-user.yaml | kubectl create -f - - assert: file: chainsaw-step-01-assert-1.yaml - name: step-02 @@ -36,3 +28,10 @@ spec: - check: ($error != null): true file: podcontroller-bad.yaml + - name: step-99 + try: + - delete: + ref: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: require-run-as-non-root-user diff --git a/pod-security/restricted/require-run-as-non-root-user/.chainsaw-test/pod-bad.yaml b/pod-security/restricted/require-run-as-non-root-user/.chainsaw-test/pod-bad.yaml index 4cdcafbbd..91b114870 100644 --- a/pod-security/restricted/require-run-as-non-root-user/.chainsaw-test/pod-bad.yaml +++ b/pod-security/restricted/require-run-as-non-root-user/.chainsaw-test/pod-bad.yaml @@ -5,7 +5,7 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsUser: 0 --- @@ -16,7 +16,7 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsUser: 0 --- @@ -27,9 +27,9 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsUser: 0 --- @@ -40,10 +40,10 @@ metadata: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsUser: 0 --- 
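Review bot: The new `step-99` delete only runs if every earlier step passes; if step-02 or step-03 fails, the `ClusterPolicy` installed by the `kubectl create` script stays behind in `Enforce` mode and will reject Pods in every later test of the run, because resources created from a `script` are not covered by Chainsaw's automatic cleanup the way the removed `apply` was (this is my reading of Chainsaw's step semantics — verify). Put the delete where it always executes: a `finally:` block on `step-01` holding the same entry, `finally: - delete: ref: {apiVersion: kyverno.io/v1, kind: ClusterPolicy, name: require-run-as-non-root-user}`, and drop `step-99`. The `sed` substitution here also matches only the lowercase `audit`, so any casing change in `require-run-as-non-root-user.yaml` silently leaves the policy in Audit mode.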
@@ -54,12 +54,12 @@ metadata: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsUser: 0 containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod @@ -68,12 +68,12 @@ metadata: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsUser: 0 containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- \ No newline at end of file diff --git a/pod-security/restricted/require-run-as-non-root-user/.chainsaw-test/pod-good.yaml b/pod-security/restricted/require-run-as-non-root-user/.chainsaw-test/pod-good.yaml index 66421b648..3a3336909 100644 --- a/pod-security/restricted/require-run-as-non-root-user/.chainsaw-test/pod-good.yaml +++ b/pod-security/restricted/require-run-as-non-root-user/.chainsaw-test/pod-good.yaml @@ -5,7 +5,7 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod @@ -14,7 +14,7 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsUser: 1 --- @@ -25,7 +25,7 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsUser: 1 --- @@ -36,9 +36,9 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsUser: 1 --- 
@@ -49,11 +49,11 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsUser: 1 - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsUser: 2 --- @@ -64,11 +64,11 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsUser: 1 - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsUser: 2 securityContext: @@ -81,10 +81,10 @@ metadata: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod @@ -93,12 +93,12 @@ metadata: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsUser: 1 containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod @@ -107,10 +107,10 @@ metadata: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsUser: 1 --- @@ -121,12 +121,12 @@ metadata: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsUser: 1 containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- \ No newline at end of file 
diff --git a/pod-security/restricted/require-run-as-non-root-user/.chainsaw-test/podcontroller-bad.yaml b/pod-security/restricted/require-run-as-non-root-user/.chainsaw-test/podcontroller-bad.yaml index 75459b442..441a23f49 100644 --- a/pod-security/restricted/require-run-as-non-root-user/.chainsaw-test/podcontroller-bad.yaml +++ b/pod-security/restricted/require-run-as-non-root-user/.chainsaw-test/podcontroller-bad.yaml @@ -14,7 +14,7 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsUser: 0 --- @@ -34,7 +34,7 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsUser: 0 --- @@ -54,9 +54,9 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsUser: 0 --- @@ -76,10 +76,10 @@ spec: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsUser: 0 --- @@ -99,12 +99,12 @@ spec: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsUser: 0 containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: apps/v1 kind: Deployment @@ -122,14 +122,14 @@ spec: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsUser: 0 containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: batch/v1 kind: CronJob 
@@ -144,7 +144,7 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsUser: 0 --- @@ -161,7 +161,7 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsUser: 0 --- @@ -178,9 +178,9 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsUser: 0 --- @@ -197,10 +197,10 @@ spec: restartPolicy: OnFailure initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsUser: 0 --- @@ -217,12 +217,12 @@ spec: restartPolicy: OnFailure initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsUser: 0 containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: batch/v1 kind: CronJob @@ -237,12 +237,12 @@ spec: restartPolicy: OnFailure initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsUser: 0 containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- \ No newline at end of file diff --git a/pod-security/restricted/require-run-as-non-root-user/.chainsaw-test/podcontroller-good.yaml b/pod-security/restricted/require-run-as-non-root-user/.chainsaw-test/podcontroller-good.yaml index 083e569d7..d8115b64b 100644 --- a/pod-security/restricted/require-run-as-non-root-user/.chainsaw-test/podcontroller-good.yaml 
+++ b/pod-security/restricted/require-run-as-non-root-user/.chainsaw-test/podcontroller-good.yaml @@ -14,7 +14,7 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: apps/v1 kind: Deployment @@ -32,7 +32,7 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsUser: 1 --- @@ -52,7 +52,7 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsUser: 1 --- @@ -72,9 +72,9 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsUser: 1 --- @@ -94,11 +94,11 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsUser: 1 - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsUser: 2 --- @@ -118,11 +118,11 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsUser: 1 - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsUser: 2 securityContext: @@ -144,10 +144,10 @@ spec: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: apps/v1 kind: Deployment @@ -165,12 +165,12 @@ spec: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsUser: 1 containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: apps/v1 kind: Deployment 
@@ -188,10 +188,10 @@ spec: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsUser: 1 --- @@ -211,14 +211,14 @@ spec: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsUser: 1 containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: batch/v1 kind: CronJob @@ -233,7 +233,7 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: batch/v1 kind: CronJob @@ -248,7 +248,7 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsUser: 1 --- @@ -265,7 +265,7 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsUser: 1 --- @@ -282,9 +282,9 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsUser: 1 --- @@ -301,11 +301,11 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsUser: 1 - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsUser: 2 --- 
@@ -322,11 +322,11 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsUser: 1 - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsUser: 2 securityContext: @@ -345,10 +345,10 @@ spec: restartPolicy: OnFailure initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: batch/v1 kind: CronJob @@ -363,12 +363,12 @@ spec: restartPolicy: OnFailure initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsUser: 1 containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: batch/v1 kind: CronJob @@ -383,10 +383,10 @@ spec: restartPolicy: OnFailure initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsUser: 1 --- @@ -403,11 +403,11 @@ spec: restartPolicy: OnFailure initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsUser: 1 containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 diff --git a/pod-security/restricted/require-run-as-non-root-user/artifacthub-pkg.yml b/pod-security/restricted/require-run-as-non-root-user/artifacthub-pkg.yml index e12508c16..e3fb66644 100644 --- a/pod-security/restricted/require-run-as-non-root-user/artifacthub-pkg.yml +++ b/pod-security/restricted/require-run-as-non-root-user/artifacthub-pkg.yml 
@@ -19,4 +19,4 @@ annotations: kyverno/category: "Pod Security Standards (Restricted)" kyverno/kubernetesVersion: "1.22-1.23" kyverno/subject: "Pod" -digest: 51d4e6bf94bdf4139e904740b241f59d0c6ad82db5d41e34c8384183f60d97ad +digest: ba2f062dce7055a18dba8f45007cb89575be9e027bbd7c3d4a43115333dfea5d diff --git a/pod-security/restricted/require-run-as-non-root-user/require-run-as-non-root-user.yaml b/pod-security/restricted/require-run-as-non-root-user/require-run-as-non-root-user.yaml index ea9db6f16..5be4515ce 100644 --- a/pod-security/restricted/require-run-as-non-root-user/require-run-as-non-root-user.yaml +++ b/pod-security/restricted/require-run-as-non-root-user/require-run-as-non-root-user.yaml @@ -13,7 +13,7 @@ metadata: Containers must be required to run as non-root users. This policy ensures `runAsUser` is either unset or set to a number greater than zero. spec: - validationFailureAction: Audit + validationFailureAction: audit background: true rules: - name: run-as-non-root-user diff --git a/pod-security/restricted/require-run-as-nonroot/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/pod-security/restricted/require-run-as-nonroot/.chainsaw-test/chainsaw-step-01-assert-1.yaml index ce7c2fd4e..d97abc312 100755 --- a/pod-security/restricted/require-run-as-nonroot/.chainsaw-test/chainsaw-step-01-assert-1.yaml +++ b/pod-security/restricted/require-run-as-nonroot/.chainsaw-test/chainsaw-step-01-assert-1.yaml @@ -3,8 +3,4 @@ kind: ClusterPolicy metadata: name: require-run-as-nonroot status: - conditions: - - reason: Succeeded - status: "True" - type: Ready - + ready: true diff --git a/pod-security/restricted/require-run-as-nonroot/.chainsaw-test/chainsaw-test.yaml b/pod-security/restricted/require-run-as-nonroot/.chainsaw-test/chainsaw-test.yaml index 58c752a30..ca1d27b73 100755 --- a/pod-security/restricted/require-run-as-nonroot/.chainsaw-test/chainsaw-test.yaml +++ b/pod-security/restricted/require-run-as-nonroot/.chainsaw-test/chainsaw-test.yaml 
@@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: @@ -8,16 +7,9 @@ spec: steps: - name: step-01 try: - - apply: - file: ../require-run-as-nonroot.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: require-run-as-nonroot - spec: - validationFailureAction: Enforce + - script: + content: | + sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../require-run-as-nonroot.yaml | kubectl create -f - - assert: file: chainsaw-step-01-assert-1.yaml - name: step-02 @@ -36,3 +28,10 @@ spec: - check: ($error != null): true file: podcontroller-bad.yaml + - name: step-99 + try: + - delete: + ref: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: require-run-as-nonroot diff --git a/pod-security/restricted/require-run-as-nonroot/.chainsaw-test/pod-bad.yaml b/pod-security/restricted/require-run-as-nonroot/.chainsaw-test/pod-bad.yaml index dc7e2e6d4..8adfe2713 100644 --- a/pod-security/restricted/require-run-as-nonroot/.chainsaw-test/pod-bad.yaml +++ b/pod-security/restricted/require-run-as-nonroot/.chainsaw-test/pod-bad.yaml @@ -5,7 +5,7 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod @@ -14,7 +14,7 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsNonRoot: false --- @@ -25,7 +25,7 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsNonRoot: false --- @@ -36,7 +36,7 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsNonRoot: false securityContext: 
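Review bot: The `sed` in the new step-01 script is a silent no-op whenever the policy file stops matching the literal `validationFailureAction: audit` (a return to the capitalized `Audit`, or a formatter touching that line, would do it), and since step-01 now only asserts `ready: true` the policy would be created in audit mode and the problem would surface later as a confusing "expected an error" failure in the bad-resource steps. Adding `spec:` / `  validationFailureAction: Enforce` to chainsaw-step-01-assert-1.yaml pins the mode at the point where the substitution happens; the same applies to the restrict-seccomp-strict chainsaw-test.yaml further down. The `audit`/`Enforce` casing mix between the policy file and the sed replacement is also worth unifying, assuming the targeted Kyverno release accepts both spellings (the commit's own `Audit` to `audit` change suggests it does). Finally, the assert file now relies on the `status.ready` boolean rather than the `Ready` condition; if that field is the deprecated one in the installed Kyverno version, the condition-based assertion is the more durable choice.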
@@ -49,9 +49,9 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod @@ -60,9 +60,9 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsNonRoot: false --- @@ -73,9 +73,9 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsNonRoot: false --- @@ -86,9 +86,9 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsNonRoot: false securityContext: @@ -101,11 +101,11 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsNonRoot: true - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsNonRoot: false securityContext: @@ -118,12 +118,12 @@ metadata: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsNonRoot: false containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsNonRoot: true --- @@ -134,10 +134,10 @@ metadata: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsNonRoot: true securityContext: 
@@ -150,12 +150,12 @@ metadata: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsNonRoot: false containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsNonRoot: true securityContext: @@ -168,12 +168,12 @@ metadata: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsNonRoot: true --- @@ -184,14 +184,14 @@ metadata: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsNonRoot: false containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsNonRoot: true --- @@ -202,23 +202,12 @@ metadata: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsNonRoot: false ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod16 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - allowPrivilegeEscalation: false --- \ No newline at end of file diff --git a/pod-security/restricted/require-run-as-nonroot/.chainsaw-test/pod-good.yaml b/pod-security/restricted/require-run-as-nonroot/.chainsaw-test/pod-good.yaml index 20d08d820..6a08ba318 100644 --- a/pod-security/restricted/require-run-as-nonroot/.chainsaw-test/pod-good.yaml 
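Review bot: The only bad fixture in pod-bad.yaml in which a container declares a `securityContext` but leaves `runAsNonRoot` unset disappears with badpod16 (hunk `@@ -202,23`); the remaining bad pods either carry no securityContext at all or set `runAsNonRoot: false`. With Kyverno pattern anchors, "block present, field absent" can be matched differently from "block absent", so this shape is a distinct regression case for the policy. If badpod16 was dropped because it does not in fact fail the policy, that behaviour deserves a comment in the policy; if it was dropped as redundant, a single container with `securityContext: {allowPrivilegeEscalation: false}` and no `runAsNonRoot` preserves the coverage. The matching deletions in .kyverno-test/resource.yaml and kyverno-test.yaml would follow whichever option is chosen.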
+++ b/pod-security/restricted/require-run-as-nonroot/.chainsaw-test/pod-good.yaml @@ -5,7 +5,7 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsNonRoot: true --- @@ -16,7 +16,7 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsNonRoot: true --- @@ -27,7 +27,7 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsNonRoot: true securityContext: @@ -40,9 +40,9 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsNonRoot: true --- @@ -53,9 +53,9 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsNonRoot: true securityContext: @@ -68,10 +68,10 @@ metadata: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsNonRoot: true --- @@ -82,12 +82,12 @@ metadata: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsNonRoot: true containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsNonRoot: true --- 
@@ -98,12 +98,12 @@ metadata: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsNonRoot: true containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsNonRoot: true --- @@ -114,14 +114,14 @@ metadata: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsNonRoot: true - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsNonRoot: true --- @@ -132,16 +132,16 @@ metadata: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsNonRoot: true - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsNonRoot: true containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsNonRoot: true --- \ No newline at end of file diff --git a/pod-security/restricted/require-run-as-nonroot/.chainsaw-test/podcontroller-bad.yaml b/pod-security/restricted/require-run-as-nonroot/.chainsaw-test/podcontroller-bad.yaml index 64dcc37c2..50368df71 100644 --- a/pod-security/restricted/require-run-as-nonroot/.chainsaw-test/podcontroller-bad.yaml +++ b/pod-security/restricted/require-run-as-nonroot/.chainsaw-test/podcontroller-bad.yaml @@ -14,7 +14,7 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: apps/v1 kind: Deployment @@ -32,7 +32,7 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsNonRoot: false --- 
@@ -52,7 +52,7 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsNonRoot: false --- @@ -72,7 +72,7 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsNonRoot: false securityContext: @@ -94,9 +94,9 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: apps/v1 kind: Deployment @@ -114,9 +114,9 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsNonRoot: false --- @@ -136,9 +136,9 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsNonRoot: false --- @@ -158,9 +158,9 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsNonRoot: false securityContext: @@ -182,11 +182,11 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsNonRoot: true - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsNonRoot: false securityContext: @@ -208,12 +208,12 @@ spec: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsNonRoot: false containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsNonRoot: true --- 
@@ -233,10 +233,10 @@ spec: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsNonRoot: true securityContext: @@ -258,12 +258,12 @@ spec: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsNonRoot: false containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsNonRoot: true securityContext: @@ -285,12 +285,12 @@ spec: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsNonRoot: true --- @@ -310,14 +310,14 @@ spec: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsNonRoot: false containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsNonRoot: true --- @@ -337,12 +337,12 @@ spec: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsNonRoot: false --- @@ -359,7 +359,7 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: batch/v1 kind: CronJob 
@@ -374,7 +374,7 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsNonRoot: false --- @@ -391,7 +391,7 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsNonRoot: false --- @@ -408,7 +408,7 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsNonRoot: false securityContext: @@ -427,9 +427,9 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: batch/v1 kind: CronJob @@ -444,9 +444,9 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsNonRoot: false --- @@ -463,9 +463,9 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsNonRoot: false --- @@ -482,9 +482,9 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsNonRoot: false securityContext: 
@@ -503,11 +503,11 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsNonRoot: true - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsNonRoot: false securityContext: @@ -526,12 +526,12 @@ spec: restartPolicy: OnFailure initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsNonRoot: false containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsNonRoot: true --- @@ -548,10 +548,10 @@ spec: restartPolicy: OnFailure initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsNonRoot: true securityContext: @@ -570,12 +570,12 @@ spec: restartPolicy: OnFailure initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsNonRoot: false containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsNonRoot: true securityContext: @@ -594,12 +594,12 @@ spec: restartPolicy: OnFailure initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsNonRoot: true --- 
@@ -616,14 +616,14 @@ spec: restartPolicy: OnFailure initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsNonRoot: false containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsNonRoot: true --- @@ -640,12 +640,12 @@ spec: restartPolicy: OnFailure initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsNonRoot: false --- \ No newline at end of file diff --git a/pod-security/restricted/require-run-as-nonroot/.chainsaw-test/podcontroller-good.yaml b/pod-security/restricted/require-run-as-nonroot/.chainsaw-test/podcontroller-good.yaml index 2320e7563..3216a4fed 100644 --- a/pod-security/restricted/require-run-as-nonroot/.chainsaw-test/podcontroller-good.yaml +++ b/pod-security/restricted/require-run-as-nonroot/.chainsaw-test/podcontroller-good.yaml @@ -14,7 +14,7 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsNonRoot: true --- @@ -34,7 +34,7 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsNonRoot: true --- @@ -54,7 +54,7 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsNonRoot: true securityContext: 
@@ -76,9 +76,9 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsNonRoot: true --- @@ -98,9 +98,9 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsNonRoot: true securityContext: @@ -122,10 +122,10 @@ spec: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsNonRoot: true --- @@ -145,12 +145,12 @@ spec: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsNonRoot: true containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsNonRoot: true --- @@ -170,12 +170,12 @@ spec: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsNonRoot: true containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsNonRoot: true --- @@ -195,14 +195,14 @@ spec: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsNonRoot: true - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsNonRoot: true --- 
@@ -222,16 +222,16 @@ spec: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsNonRoot: true - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsNonRoot: true containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsNonRoot: true --- @@ -248,7 +248,7 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsNonRoot: true --- @@ -265,7 +265,7 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsNonRoot: true --- @@ -282,7 +282,7 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsNonRoot: true securityContext: @@ -301,9 +301,9 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsNonRoot: true --- @@ -320,9 +320,9 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsNonRoot: true securityContext: @@ -341,10 +341,10 @@ spec: restartPolicy: OnFailure initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsNonRoot: true --- 
@@ -361,12 +361,12 @@ spec: restartPolicy: OnFailure initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsNonRoot: true containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsNonRoot: true --- @@ -383,12 +383,12 @@ spec: restartPolicy: OnFailure initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsNonRoot: true containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsNonRoot: true --- @@ -405,14 +405,14 @@ spec: restartPolicy: OnFailure initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsNonRoot: true - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsNonRoot: true --- @@ -429,15 +429,15 @@ spec: restartPolicy: OnFailure initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsNonRoot: true - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsNonRoot: true containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: runAsNonRoot: true diff --git a/pod-security/restricted/require-run-as-nonroot/.kyverno-test/kyverno-test.yaml b/pod-security/restricted/require-run-as-nonroot/.kyverno-test/kyverno-test.yaml index d131de29b..9ca3cf80f 100644 --- a/pod-security/restricted/require-run-as-nonroot/.kyverno-test/kyverno-test.yaml +++ b/pod-security/restricted/require-run-as-nonroot/.kyverno-test/kyverno-test.yaml 
@@ -65,7 +65,6 @@ results: - badpod13 - badpod14 - badpod15 - - badpod16 result: fail rule: run-as-non-root - kind: CronJob diff --git a/pod-security/restricted/require-run-as-nonroot/.kyverno-test/resource.yaml b/pod-security/restricted/require-run-as-nonroot/.kyverno-test/resource.yaml index 7589a7914..deac1e118 100644 --- a/pod-security/restricted/require-run-as-nonroot/.kyverno-test/resource.yaml +++ b/pod-security/restricted/require-run-as-nonroot/.kyverno-test/resource.yaml @@ -213,17 +213,6 @@ spec: securityContext: runAsNonRoot: false --- -apiVersion: v1 -kind: Pod -metadata: - name: badpod16 -spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - allowPrivilegeEscalation: false ---- ###### Pods - Good apiVersion: v1 kind: Pod diff --git a/pod-security/restricted/require-run-as-nonroot/artifacthub-pkg.yml b/pod-security/restricted/require-run-as-nonroot/artifacthub-pkg.yml index 3adda05ec..c90f47f8d 100644 --- a/pod-security/restricted/require-run-as-nonroot/artifacthub-pkg.yml +++ b/pod-security/restricted/require-run-as-nonroot/artifacthub-pkg.yml @@ -19,4 +19,4 @@ annotations: kyverno/category: "Pod Security Standards (Restricted)" kyverno/kubernetesVersion: "1.22-1.23" kyverno/subject: "Pod" -digest: 41b892b201760036c88b6f6763db2e330aa1f5d03064e77ec38d6c6bbc5ff587 +digest: 6b662e81d2e326be2844f05a81ba92a938006514b0d7dd0c15aa2ab526c7077b diff --git a/pod-security/restricted/require-run-as-nonroot/require-run-as-nonroot.yaml b/pod-security/restricted/require-run-as-nonroot/require-run-as-nonroot.yaml index c20f86e3d..cad5c18e8 100644 --- a/pod-security/restricted/require-run-as-nonroot/require-run-as-nonroot.yaml +++ b/pod-security/restricted/require-run-as-nonroot/require-run-as-nonroot.yaml 
@@ -14,7 +14,7 @@ metadata: `runAsNonRoot` is set to `true`. A known issue prevents a policy such as this using `anyPattern` from being persisted properly in Kubernetes 1.23.0-1.23.2. spec: - validationFailureAction: Audit + validationFailureAction: audit background: true rules: - name: run-as-non-root diff --git a/pod-security/restricted/restrict-seccomp-strict/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/pod-security/restricted/restrict-seccomp-strict/.chainsaw-test/chainsaw-step-01-assert-1.yaml index cdb6f45bc..db4a4dc3a 100755 --- a/pod-security/restricted/restrict-seccomp-strict/.chainsaw-test/chainsaw-step-01-assert-1.yaml +++ b/pod-security/restricted/restrict-seccomp-strict/.chainsaw-test/chainsaw-step-01-assert-1.yaml @@ -3,8 +3,4 @@ kind: ClusterPolicy metadata: name: restrict-seccomp-strict status: - conditions: - - reason: Succeeded - status: "True" - type: Ready - + ready: true diff --git a/pod-security/restricted/restrict-seccomp-strict/.chainsaw-test/chainsaw-test.yaml b/pod-security/restricted/restrict-seccomp-strict/.chainsaw-test/chainsaw-test.yaml index ee4f3cf26..1e3a4b7f5 100755 --- a/pod-security/restricted/restrict-seccomp-strict/.chainsaw-test/chainsaw-test.yaml +++ b/pod-security/restricted/restrict-seccomp-strict/.chainsaw-test/chainsaw-test.yaml @@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: @@ -8,16 +7,9 @@ spec: steps: - name: step-01 try: - - apply: - file: ../restrict-seccomp-strict.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: restrict-seccomp-strict - spec: - validationFailureAction: Enforce + - script: + content: | + sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../restrict-seccomp-strict.yaml | kubectl create -f - - assert: file: chainsaw-step-01-assert-1.yaml - name: step-02 
@@ -36,3 +28,10 @@ spec: - check: ($error != null): true file: podcontroller-bad.yaml + - name: step-99 + try: + - delete: + ref: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: restrict-seccomp-strict diff --git a/pod-security/restricted/restrict-seccomp-strict/.chainsaw-test/pod-bad.yaml b/pod-security/restricted/restrict-seccomp-strict/.chainsaw-test/pod-bad.yaml index f9a801b7c..8f541571f 100644 --- a/pod-security/restricted/restrict-seccomp-strict/.chainsaw-test/pod-bad.yaml +++ b/pod-security/restricted/restrict-seccomp-strict/.chainsaw-test/pod-bad.yaml @@ -5,7 +5,7 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seccompProfile: type: Unconfined @@ -17,7 +17,7 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seccompProfile: type: Unconfined @@ -29,9 +29,9 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seccompProfile: type: Unconfined @@ -43,12 +43,12 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seccompProfile: type: RuntimeDefault - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seccompProfile: type: Unconfined @@ -60,13 +60,13 @@ metadata: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seccompProfile: type: Unconfined containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod 
@@ -75,15 +75,15 @@ metadata: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seccompProfile: type: Unconfined containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod @@ -92,16 +92,16 @@ metadata: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seccompProfile: type: RuntimeDefault - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seccompProfile: type: Unconfined containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- \ No newline at end of file diff --git a/pod-security/restricted/restrict-seccomp-strict/.chainsaw-test/pod-good.yaml b/pod-security/restricted/restrict-seccomp-strict/.chainsaw-test/pod-good.yaml index d35109aeb..0a9275016 100644 --- a/pod-security/restricted/restrict-seccomp-strict/.chainsaw-test/pod-good.yaml +++ b/pod-security/restricted/restrict-seccomp-strict/.chainsaw-test/pod-good.yaml @@ -5,7 +5,7 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seccompProfile: type: RuntimeDefault @@ -17,7 +17,7 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seccompProfile: localhostProfile: operator/default/profile1.json @@ -30,7 +30,7 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seccompProfile: type: RuntimeDefault @@ -42,7 +42,7 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seccompProfile: type: Localhost 
@@ -55,9 +55,9 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seccompProfile: type: RuntimeDefault @@ -73,12 +73,12 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seccompProfile: type: RuntimeDefault - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seccompProfile: type: Localhost @@ -91,13 +91,13 @@ metadata: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seccompProfile: type: RuntimeDefault containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seccompProfile: type: RuntimeDefault @@ -109,14 +109,14 @@ metadata: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seccompProfile: type: Localhost localhostProfile: operator/default/profile1.json containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seccompProfile: type: RuntimeDefault @@ -128,15 +128,15 @@ metadata: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seccompProfile: type: RuntimeDefault containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seccompProfile: type: RuntimeDefault 
@@ -148,19 +148,19 @@ metadata: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seccompProfile: type: Localhost localhostProfile: operator/default/profile1.json - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seccompProfile: type: RuntimeDefault containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seccompProfile: type: RuntimeDefault diff --git a/pod-security/restricted/restrict-seccomp-strict/.chainsaw-test/podcontroller-bad.yaml b/pod-security/restricted/restrict-seccomp-strict/.chainsaw-test/podcontroller-bad.yaml index e11928730..b7f7162c8 100644 --- a/pod-security/restricted/restrict-seccomp-strict/.chainsaw-test/podcontroller-bad.yaml +++ b/pod-security/restricted/restrict-seccomp-strict/.chainsaw-test/podcontroller-bad.yaml @@ -14,7 +14,7 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seccompProfile: type: Unconfined @@ -35,7 +35,7 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seccompProfile: type: Unconfined @@ -56,9 +56,9 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seccompProfile: type: Unconfined @@ -79,12 +79,12 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seccompProfile: type: RuntimeDefault - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seccompProfile: type: Unconfined 
@@ -105,13 +105,13 @@ spec: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seccompProfile: type: Unconfined containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: apps/v1 kind: Deployment @@ -129,15 +129,15 @@ spec: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seccompProfile: type: Unconfined containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: apps/v1 kind: Deployment @@ -155,18 +155,18 @@ spec: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seccompProfile: type: RuntimeDefault - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seccompProfile: type: Unconfined containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: batch/v1 kind: CronJob @@ -181,7 +181,7 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seccompProfile: type: Unconfined @@ -199,7 +199,7 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seccompProfile: type: Unconfined @@ -217,9 +217,9 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seccompProfile: type: Unconfined 
@@ -237,12 +237,12 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seccompProfile: type: RuntimeDefault - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seccompProfile: type: Unconfined @@ -260,13 +260,13 @@ spec: restartPolicy: OnFailure initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seccompProfile: type: Unconfined containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: batch/v1 kind: CronJob @@ -281,15 +281,15 @@ spec: restartPolicy: OnFailure initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seccompProfile: type: Unconfined containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: batch/v1 kind: CronJob @@ -304,16 +304,16 @@ spec: restartPolicy: OnFailure initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seccompProfile: type: RuntimeDefault - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seccompProfile: type: Unconfined containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- \ No newline at end of file diff --git a/pod-security/restricted/restrict-seccomp-strict/.chainsaw-test/podcontroller-good.yaml b/pod-security/restricted/restrict-seccomp-strict/.chainsaw-test/podcontroller-good.yaml index cfac47fb3..555c0abca 100644 --- a/pod-security/restricted/restrict-seccomp-strict/.chainsaw-test/podcontroller-good.yaml 
+++ b/pod-security/restricted/restrict-seccomp-strict/.chainsaw-test/podcontroller-good.yaml @@ -14,7 +14,7 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seccompProfile: type: RuntimeDefault @@ -35,7 +35,7 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seccompProfile: type: Localhost @@ -57,7 +57,7 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seccompProfile: type: RuntimeDefault @@ -78,7 +78,7 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seccompProfile: type: Localhost @@ -100,9 +100,9 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seccompProfile: type: RuntimeDefault @@ -127,12 +127,12 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seccompProfile: type: RuntimeDefault - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seccompProfile: type: Localhost @@ -154,13 +154,13 @@ spec: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seccompProfile: type: RuntimeDefault containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seccompProfile: type: RuntimeDefault 
@@ -181,14 +181,14 @@ spec: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seccompProfile: type: Localhost localhostProfile: operator/default/profile1.json containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seccompProfile: type: RuntimeDefault @@ -209,15 +209,15 @@ spec: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seccompProfile: type: RuntimeDefault containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seccompProfile: type: RuntimeDefault @@ -238,19 +238,19 @@ spec: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seccompProfile: type: Localhost localhostProfile: operator/default/profile1.json - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seccompProfile: type: RuntimeDefault containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seccompProfile: type: RuntimeDefault @@ -268,7 +268,7 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seccompProfile: type: RuntimeDefault @@ -286,7 +286,7 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seccompProfile: type: Localhost @@ -305,7 +305,7 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seccompProfile: type: RuntimeDefault 
@@ -323,7 +323,7 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seccompProfile: type: Localhost @@ -342,9 +342,9 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seccompProfile: type: RuntimeDefault @@ -366,12 +366,12 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seccompProfile: type: RuntimeDefault - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seccompProfile: type: Localhost @@ -390,13 +390,13 @@ spec: restartPolicy: OnFailure initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seccompProfile: type: RuntimeDefault containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seccompProfile: type: RuntimeDefault @@ -414,14 +414,14 @@ spec: restartPolicy: OnFailure initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seccompProfile: type: Localhost localhostProfile: operator/default/profile1.json containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seccompProfile: type: RuntimeDefault 
@@ -439,15 +439,15 @@ spec: restartPolicy: OnFailure initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seccompProfile: type: RuntimeDefault containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seccompProfile: type: RuntimeDefault @@ -465,19 +465,19 @@ spec: restartPolicy: OnFailure initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seccompProfile: type: Localhost localhostProfile: operator/default/profile1.json - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seccompProfile: type: RuntimeDefault containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seccompProfile: type: RuntimeDefault diff --git a/pod-security/restricted/restrict-seccomp-strict/artifacthub-pkg.yml b/pod-security/restricted/restrict-seccomp-strict/artifacthub-pkg.yml index ccee16dbe..e3d7b7795 100644 --- a/pod-security/restricted/restrict-seccomp-strict/artifacthub-pkg.yml +++ b/pod-security/restricted/restrict-seccomp-strict/artifacthub-pkg.yml @@ -19,4 +19,4 @@ annotations: kyverno/category: "Pod Security Standards (Restricted)" kyverno/kubernetesVersion: "1.22-1.23" kyverno/subject: "Pod" -digest: ccde04c25c74488da3ef02e15a4185c8b34218e817b8976d0536cdfb05b912f4 +digest: 303a7f45eadad3b128126f5ae05dd2e9c3a24279034d6b89051127e4f7c39322 diff --git a/pod-security/restricted/restrict-seccomp-strict/restrict-seccomp-strict.yaml b/pod-security/restricted/restrict-seccomp-strict/restrict-seccomp-strict.yaml index 10b593082..4c9a83d20 100644 --- a/pod-security/restricted/restrict-seccomp-strict/restrict-seccomp-strict.yaml 
+++ b/pod-security/restricted/restrict-seccomp-strict/restrict-seccomp-strict.yaml @@ -17,7 +17,7 @@ metadata: using `anyPattern` from being persisted properly in Kubernetes 1.23.0-1.23.2. spec: background: true - validationFailureAction: Audit + validationFailureAction: audit rules: - name: check-seccomp-strict match: diff --git a/pod-security/restricted/restrict-volume-types/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/pod-security/restricted/restrict-volume-types/.chainsaw-test/chainsaw-step-01-assert-1.yaml index 9ced74a13..417239b4b 100755 --- a/pod-security/restricted/restrict-volume-types/.chainsaw-test/chainsaw-step-01-assert-1.yaml +++ b/pod-security/restricted/restrict-volume-types/.chainsaw-test/chainsaw-step-01-assert-1.yaml @@ -3,8 +3,4 @@ kind: ClusterPolicy metadata: name: restrict-volume-types status: - conditions: - - reason: Succeeded - status: "True" - type: Ready - + ready: true diff --git a/pod-security/restricted/restrict-volume-types/.chainsaw-test/chainsaw-test.yaml b/pod-security/restricted/restrict-volume-types/.chainsaw-test/chainsaw-test.yaml index 005d759b7..7c80e2f12 100755 --- a/pod-security/restricted/restrict-volume-types/.chainsaw-test/chainsaw-test.yaml +++ b/pod-security/restricted/restrict-volume-types/.chainsaw-test/chainsaw-test.yaml @@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: @@ -9,15 +8,10 @@ spec: - name: step-01 try: - apply: - file: ../restrict-volume-types.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: restrict-volume-types - spec: - validationFailureAction: Enforce + file: ns.yaml + - script: + content: | + sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../restrict-volume-types.yaml | kubectl create -f - - assert: file: chainsaw-step-01-assert-1.yaml - name: step-02 
@@ -38,9 +32,18 @@ spec: file: podcontroller-bad.yaml - name: step-99 try: - - script: - env: - - name: NAMESPACE - value: $namespace - content: kubectl delete all --all --force --grace-period=0 -n $NAMESPACE - + - delete: + ref: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: restrict-volume-types + - command: + args: + - delete + - all + - --all + - --force + - --grace-period=0 + - -n + - restrict-voltypes-ns + entrypoint: kubectl diff --git a/pod-security/restricted/restrict-volume-types/.chainsaw-test/ns.yaml b/pod-security/restricted/restrict-volume-types/.chainsaw-test/ns.yaml new file mode 100644 index 000000000..9cde8be39 --- /dev/null +++ b/pod-security/restricted/restrict-volume-types/.chainsaw-test/ns.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: restrict-voltypes-ns \ No newline at end of file diff --git a/pod-security/restricted/restrict-volume-types/.chainsaw-test/pod-bad.yaml b/pod-security/restricted/restrict-volume-types/.chainsaw-test/pod-bad.yaml index a7a90ba35..c8b3f40fa 100644 --- a/pod-security/restricted/restrict-volume-types/.chainsaw-test/pod-bad.yaml +++ b/pod-security/restricted/restrict-volume-types/.chainsaw-test/pod-bad.yaml @@ -5,7 +5,7 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 volumeMounts: - name: udev mountPath: /data @@ -22,7 +22,7 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 volumeMounts: - name: udev mountPath: /data @@ -39,7 +39,7 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 volumeMounts: - name: udev mountPath: /data @@ -55,7 +55,7 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 volumeMounts: - name: udev mountPath: /data 
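Review bot: The cleanup now hard-codes `restrict-voltypes-ns` where the removed script used Chainsaw's `$namespace` binding, and the same fixed name is added to ns.yaml and to every good pod and controller manifest (L2870–L2876); a fixed namespace means two runs of this test, or this test alongside another that picks the same name, can collide on creation and on cleanup, which the per-test namespace avoided. Since the Namespace itself is created with a tracked `apply` in step-01, I would expect Chainsaw's own cleanup to delete it and cascade to the workloads inside, so the `kubectl delete all --all --force --grace-period=0` command may be redundant; if it is kept for speed, a comment above the `command:` entry saying why would help. Note also that the bad manifests are not pinned to this namespace, so good and bad resources now land in different namespaces; that is harmless if the policy matches all namespaces, but worth confirming.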
@@ -72,7 +72,7 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 volumeMounts: - name: udev mountPath: /data @@ -90,7 +90,7 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 volumeMounts: - name: udev mountPath: /data @@ -107,7 +107,7 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 volumeMounts: - name: udev mountPath: /data @@ -125,7 +125,7 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 volumeMounts: - name: udev mountPath: /data @@ -141,7 +141,7 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 volumeMounts: - name: udev mountPath: /data @@ -157,7 +157,7 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 volumeMounts: - name: udev mountPath: /data @@ -174,7 +174,7 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 volumeMounts: - name: udev mountPath: /data @@ -190,7 +190,7 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 volumeMounts: - name: udev mountPath: /data @@ -207,7 +207,7 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 volumeMounts: - name: udev mountPath: /data @@ -224,7 +224,7 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 volumeMounts: - name: udev mountPath: /data @@ -240,7 +240,7 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 volumeMounts: - name: udev mountPath: /data 
@@ -257,7 +257,7 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 volumeMounts: - name: udev mountPath: /data @@ -275,7 +275,7 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 volumeMounts: - name: udev mountPath: /data @@ -291,7 +291,7 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 volumeMounts: - name: udev mountPath: /data @@ -312,7 +312,7 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 volumeMounts: - name: udev mountPath: /data @@ -328,7 +328,7 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 volumeMounts: - name: udev mountPath: /data diff --git a/pod-security/restricted/restrict-volume-types/.chainsaw-test/pod-good.yaml b/pod-security/restricted/restrict-volume-types/.chainsaw-test/pod-good.yaml index 7446083e8..a12d37f25 100644 --- a/pod-security/restricted/restrict-volume-types/.chainsaw-test/pod-good.yaml +++ b/pod-security/restricted/restrict-volume-types/.chainsaw-test/pod-good.yaml @@ -1,20 +1,22 @@ apiVersion: v1 kind: Pod metadata: + namespace: restrict-voltypes-ns name: goodpod01 spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod metadata: + namespace: restrict-voltypes-ns name: goodpod02 spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 volumeMounts: - name: udev mountPath: /data @@ -25,11 +27,12 @@ spec: apiVersion: v1 kind: Pod metadata: + namespace: restrict-voltypes-ns name: goodpod03 spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 volumeMounts: - name: mysettings mountPath: /settings 
@@ -41,11 +44,12 @@ spec: apiVersion: v1 kind: Pod metadata: + namespace: restrict-voltypes-ns name: goodpod04 spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 volumeMounts: - name: warehouse mountPath: /warehouse @@ -59,13 +63,14 @@ spec: apiVersion: v1 kind: Pod metadata: + namespace: restrict-voltypes-ns name: goodpod05 labels: foo: bar spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 volumeMounts: - name: labels mountPath: /labels @@ -80,11 +85,12 @@ spec: apiVersion: v1 kind: Pod metadata: + namespace: restrict-voltypes-ns name: goodpod06 spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 volumeMounts: - name: ephem mountPath: /ephem @@ -105,11 +111,12 @@ spec: apiVersion: v1 kind: Pod metadata: + namespace: restrict-voltypes-ns name: goodpod07 spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 volumeMounts: - name: foo mountPath: /foo @@ -122,11 +129,12 @@ spec: apiVersion: v1 kind: Pod metadata: + namespace: restrict-voltypes-ns name: goodpod08 spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 volumeMounts: - mountPath: /var/run/secrets/tokens name: vault-token @@ -142,11 +150,12 @@ spec: apiVersion: v1 kind: Pod metadata: + namespace: restrict-voltypes-ns name: goodpod09 spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 volumeMounts: - mountPath: /mysecret name: mysecret diff --git a/pod-security/restricted/restrict-volume-types/.chainsaw-test/podcontroller-bad.yaml b/pod-security/restricted/restrict-volume-types/.chainsaw-test/podcontroller-bad.yaml index e4468a88b..bbbe09c60 100644 --- a/pod-security/restricted/restrict-volume-types/.chainsaw-test/podcontroller-bad.yaml 
+++ b/pod-security/restricted/restrict-volume-types/.chainsaw-test/podcontroller-bad.yaml @@ -11,7 +11,7 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 volumeMounts: - name: udev mountPath: /data @@ -34,7 +34,7 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 volumeMounts: - name: udev mountPath: /data @@ -57,7 +57,7 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 volumeMounts: - name: udev mountPath: /data @@ -79,7 +79,7 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 volumeMounts: - name: udev mountPath: /data @@ -102,7 +102,7 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 volumeMounts: - name: udev mountPath: /data @@ -126,7 +126,7 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 volumeMounts: - name: udev mountPath: /data @@ -149,7 +149,7 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 volumeMounts: - name: udev mountPath: /data @@ -173,7 +173,7 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 volumeMounts: - name: udev mountPath: /data @@ -195,7 +195,7 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 volumeMounts: - name: udev mountPath: /data 
@@ -217,7 +217,7 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 volumeMounts: - name: udev mountPath: /data @@ -240,7 +240,7 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 volumeMounts: - name: udev mountPath: /data @@ -262,7 +262,7 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 volumeMounts: - name: udev mountPath: /data @@ -285,7 +285,7 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 volumeMounts: - name: udev mountPath: /data @@ -308,7 +308,7 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 volumeMounts: - name: udev mountPath: /data @@ -330,7 +330,7 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 volumeMounts: - name: udev mountPath: /data @@ -353,7 +353,7 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 volumeMounts: - name: udev mountPath: /data @@ -377,7 +377,7 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 volumeMounts: - name: udev mountPath: /data @@ -399,7 +399,7 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 volumeMounts: - name: udev mountPath: /data @@ -426,7 +426,7 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 volumeMounts: - name: udev mountPath: /data 
@@ -448,7 +448,7 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 volumeMounts: - name: udev mountPath: /data diff --git a/pod-security/restricted/restrict-volume-types/.chainsaw-test/podcontroller-good.yaml b/pod-security/restricted/restrict-volume-types/.chainsaw-test/podcontroller-good.yaml index a49214521..45378d1e6 100644 --- a/pod-security/restricted/restrict-volume-types/.chainsaw-test/podcontroller-good.yaml +++ b/pod-security/restricted/restrict-volume-types/.chainsaw-test/podcontroller-good.yaml @@ -1,6 +1,7 @@ apiVersion: apps/v1 kind: Deployment metadata: + namespace: restrict-voltypes-ns name: gooddeployment01 spec: replicas: 1 @@ -14,11 +15,12 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: apps/v1 kind: Deployment metadata: + namespace: restrict-voltypes-ns name: gooddeployment02 spec: replicas: 1 @@ -32,7 +34,7 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 volumeMounts: - name: udev mountPath: /data @@ -43,6 +45,7 @@ spec: apiVersion: apps/v1 kind: Deployment metadata: + namespace: restrict-voltypes-ns name: gooddeployment05 spec: replicas: 1 @@ -57,7 +60,7 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 volumeMounts: - name: labels mountPath: /labels @@ -72,6 +75,7 @@ spec: apiVersion: apps/v1 kind: Deployment metadata: + namespace: restrict-voltypes-ns name: gooddeployment06 spec: replicas: 1 @@ -85,7 +89,7 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 volumeMounts: - name: ephem mountPath: /ephem @@ -106,6 +110,7 @@ spec: apiVersion: apps/v1 kind: Deployment metadata: + namespace: restrict-voltypes-ns name: gooddeployment07 spec: replicas: 1 
@@ -119,7 +124,7 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 volumeMounts: - name: foo mountPath: /foo @@ -132,6 +137,7 @@ spec: apiVersion: apps/v1 kind: Deployment metadata: + namespace: restrict-voltypes-ns name: gooddeployment08 spec: replicas: 1 @@ -145,7 +151,7 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 volumeMounts: - mountPath: /var/run/secrets/tokens name: vault-token @@ -161,6 +167,7 @@ spec: apiVersion: batch/v1 kind: CronJob metadata: + namespace: restrict-voltypes-ns name: goodcronjob01 spec: schedule: "*/1 * * * *" @@ -171,11 +178,12 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: batch/v1 kind: CronJob metadata: + namespace: restrict-voltypes-ns name: goodcronjob02 spec: schedule: "*/1 * * * *" @@ -186,7 +194,7 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 volumeMounts: - name: udev mountPath: /data @@ -197,6 +205,7 @@ spec: apiVersion: batch/v1 kind: CronJob metadata: + namespace: restrict-voltypes-ns name: goodcronjob03 spec: schedule: "*/1 * * * *" @@ -207,7 +216,7 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 volumeMounts: - name: mysettings mountPath: /settings @@ -219,6 +228,7 @@ spec: apiVersion: batch/v1 kind: CronJob metadata: + namespace: restrict-voltypes-ns name: goodcronjob04 spec: schedule: "*/1 * * * *" @@ -229,7 +239,7 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 volumeMounts: - name: warehouse mountPath: /warehouse 
@@ -243,6 +253,7 @@ spec: apiVersion: batch/v1 kind: CronJob metadata: + namespace: restrict-voltypes-ns name: goodcronjob05 spec: schedule: "*/1 * * * *" @@ -256,7 +267,7 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 volumeMounts: - name: labels mountPath: /labels @@ -271,6 +282,7 @@ spec: apiVersion: batch/v1 kind: CronJob metadata: + namespace: restrict-voltypes-ns name: goodcronjob06 spec: schedule: "*/1 * * * *" @@ -281,7 +293,7 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 volumeMounts: - name: ephem mountPath: /ephem @@ -302,6 +314,7 @@ spec: apiVersion: batch/v1 kind: CronJob metadata: + namespace: restrict-voltypes-ns name: goodcronjob07 spec: schedule: "*/1 * * * *" @@ -312,7 +325,7 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 volumeMounts: - name: foo mountPath: /foo @@ -325,6 +338,7 @@ spec: apiVersion: batch/v1 kind: CronJob metadata: + namespace: restrict-voltypes-ns name: goodcronjob08 spec: schedule: "*/1 * * * *" @@ -335,7 +349,7 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 volumeMounts: - mountPath: /var/run/secrets/tokens name: vault-token @@ -351,6 +365,7 @@ spec: apiVersion: batch/v1 kind: CronJob metadata: + namespace: restrict-voltypes-ns name: goodcronjob09 spec: schedule: "*/1 * * * *" @@ -361,7 +376,7 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 volumeMounts: - mountPath: /mysecret name: mysecret diff --git a/pod-security/restricted/restrict-volume-types/artifacthub-pkg.yml b/pod-security/restricted/restrict-volume-types/artifacthub-pkg.yml index 549fa020c..d7b90f513 100644 
--- a/pod-security/restricted/restrict-volume-types/artifacthub-pkg.yml +++ b/pod-security/restricted/restrict-volume-types/artifacthub-pkg.yml @@ -19,4 +19,4 @@ annotations: kyverno/category: "Pod Security Standards (Restricted)" kyverno/kubernetesVersion: "1.22-1.23" kyverno/subject: "Pod,Volume" -digest: 66179d39a81d5c556ff011609a38509aa579a8cb7f63fbf241579f327052ee05 +digest: f050ec83c6176c4124cb678418bba7326d9885bd23ee9669e19761d8ec8a0cf2 diff --git a/pod-security/restricted/restrict-volume-types/restrict-volume-types.yaml b/pod-security/restricted/restrict-volume-types/restrict-volume-types.yaml index 21f3b719a..fb8fd35d9 100644 --- a/pod-security/restricted/restrict-volume-types/restrict-volume-types.yaml +++ b/pod-security/restricted/restrict-volume-types/restrict-volume-types.yaml @@ -15,7 +15,7 @@ metadata: limits usage of non-core volume types to those defined through PersistentVolumes. This policy blocks any other type of volume other than those in the allow list. spec: - validationFailureAction: Audit + validationFailureAction: audit background: true rules: - name: restricted-volumes diff --git a/pod-security/subrule/podsecurity-subrule-baseline/artifacthub-pkg.yml b/pod-security/subrule/podsecurity-subrule-baseline/artifacthub-pkg.yml index 96c5863e6..f48794180 100644 --- a/pod-security/subrule/podsecurity-subrule-baseline/artifacthub-pkg.yml +++ b/pod-security/subrule/podsecurity-subrule-baseline/artifacthub-pkg.yml @@ -20,4 +20,4 @@ annotations: kyverno/category: "Pod Security, EKS Best Practices" kyverno/kubernetesVersion: "1.24" kyverno/subject: "Pod" -digest: d132cf882bdaeb17e768973fbe9b8958449a72e3da8af849c856ca1b8e4b750a +digest: cf5baa226ad6dddf0a93a2a2196c47671fa0abef9e109dbac6f03e03f992d38e diff --git a/pod-security/subrule/podsecurity-subrule-baseline/podsecurity-subrule-baseline.yaml b/pod-security/subrule/podsecurity-subrule-baseline/podsecurity-subrule-baseline.yaml index 5e2e52e17..f1d120976 100644 
--- a/pod-security/subrule/podsecurity-subrule-baseline/podsecurity-subrule-baseline.yaml +++ b/pod-security/subrule/podsecurity-subrule-baseline/podsecurity-subrule-baseline.yaml @@ -18,7 +18,7 @@ metadata: version of the Pod Security Standards cluster wide. spec: background: true - validationFailureAction: Audit + validationFailureAction: audit rules: - name: baseline match: diff --git a/pod-security/subrule/restricted/restricted-exclude-capabilities/.chainsaw-test/chainsaw-test.yaml b/pod-security/subrule/restricted/restricted-exclude-capabilities/.chainsaw-test/chainsaw-test.yaml index a28d259c6..0eeef7b34 100755 --- a/pod-security/subrule/restricted/restricted-exclude-capabilities/.chainsaw-test/chainsaw-test.yaml +++ b/pod-security/subrule/restricted/restricted-exclude-capabilities/.chainsaw-test/chainsaw-test.yaml @@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: diff --git a/pod-security/subrule/restricted/restricted-exclude-capabilities/.chainsaw-test/pod-bad.yaml b/pod-security/subrule/restricted/restricted-exclude-capabilities/.chainsaw-test/pod-bad.yaml index 28ce8ce01..3aa63a46f 100644 --- a/pod-security/subrule/restricted/restricted-exclude-capabilities/.chainsaw-test/pod-bad.yaml +++ b/pod-security/subrule/restricted/restricted-exclude-capabilities/.chainsaw-test/pod-bad.yaml @@ -5,7 +5,7 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-nginx:dontpull + image: nginx:dontpull securityContext: allowPrivilegeEscalation: true runAsNonRoot: true @@ -22,7 +22,7 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-nginx:dontpull + image: nginx:dontpull securityContext: allowPrivilegeEscalation: false runAsNonRoot: false 
@@ -39,7 +39,7 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-nginx:dontpull + image: nginx:dontpull securityContext: allowPrivilegeEscalation: false runAsNonRoot: true @@ -56,7 +56,7 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: allowPrivilegeEscalation: false runAsNonRoot: true @@ -70,7 +70,7 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-nginx:dontpull + image: nginx:dontpull securityContext: allowPrivilegeEscalation: false runAsUser: 0 @@ -92,7 +92,7 @@ spec: type: RuntimeDefault initContainers: - name: init-container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: allowPrivilegeEscalation: false runAsNonRoot: true @@ -104,7 +104,7 @@ spec: add: - SYS_NET_ADMIN - name: init-container02 - image: ghcr.io/kyverno/test-nginx:dontpull + image: nginx:dontpull securityContext: allowPrivilegeEscalation: false runAsNonRoot: true @@ -115,7 +115,7 @@ spec: - ALL containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: allowPrivilegeEscalation: false runAsNonRoot: true @@ -142,7 +142,7 @@ spec: type: RuntimeDefault containers: - name: container01 - image: ghcr.io/kyverno/test-nginx:dontpull + image: nginx:dontpull securityContext: allowPrivilegeEscalation: false runAsNonRoot: true @@ -164,7 +164,7 @@ spec: type: RuntimeDefault containers: - name: container01 - image: ghcr.io/kyverno/test-nginx:dontpull + image: nginx:dontpull ports: - name: web-insecure containerPort: 8080 @@ -190,7 +190,7 @@ spec: type: RuntimeDefault containers: - name: container01 - image: ghcr.io/kyverno/test-nginx:dontpull + image: nginx:dontpull securityContext: windowsOptions: hostProcess: true 
@@ -214,7 +214,7 @@ spec: type: RuntimeDefault containers: - name: container01 - image: ghcr.io/kyverno/test-nginx:dontpull + image: nginx:dontpull securityContext: privileged: true allowPrivilegeEscalation: false @@ -236,7 +236,7 @@ spec: type: RuntimeDefault containers: - name: container01 - image: ghcr.io/kyverno/test-nginx:dontpull + image: nginx:dontpull securityContext: seLinuxOptions: type: container_engine_t @@ -261,7 +261,7 @@ spec: type: RuntimeDefault containers: - name: container01 - image: ghcr.io/kyverno/test-nginx:dontpull + image: nginx:dontpull securityContext: allowPrivilegeEscalation: false runAsNonRoot: true @@ -284,7 +284,7 @@ spec: value: "4" containers: - name: container01 - image: ghcr.io/kyverno/test-nginx:dontpull + image: nginx:dontpull securityContext: allowPrivilegeEscalation: false runAsNonRoot: true @@ -301,7 +301,7 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-nginx:dontpull + image: nginx:dontpull securityContext: allowPrivilegeEscalation: false runAsNonRoot: true @@ -324,7 +324,7 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-nginx:dontpull + image: nginx:dontpull securityContext: allowPrivilegeEscalation: false runAsNonRoot: true @@ -350,7 +350,7 @@ spec: type: RuntimeDefault containers: - name: container01 - image: ghcr.io/kyverno/test-nginx:dontpull + image: nginx:dontpull securityContext: seLinuxOptions: user: sysadm_u diff --git a/pod-security/subrule/restricted/restricted-exclude-capabilities/.chainsaw-test/pod-good.yaml b/pod-security/subrule/restricted/restricted-exclude-capabilities/.chainsaw-test/pod-good.yaml index f22282014..0446b5e49 100644 --- a/pod-security/subrule/restricted/restricted-exclude-capabilities/.chainsaw-test/pod-good.yaml +++ b/pod-security/subrule/restricted/restricted-exclude-capabilities/.chainsaw-test/pod-good.yaml 
@@ -5,7 +5,7 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: allowPrivilegeEscalation: false runAsNonRoot: true @@ -27,7 +27,7 @@ spec: type: RuntimeDefault initContainers: - name: init-container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: allowPrivilegeEscalation: false runAsNonRoot: true @@ -40,7 +40,7 @@ spec: add: - NET_BIND_SERVICE - name: init-container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: allowPrivilegeEscalation: false runAsNonRoot: true @@ -51,7 +51,7 @@ spec: - ALL containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: allowPrivilegeEscalation: false runAsNonRoot: true @@ -78,7 +78,7 @@ spec: type: RuntimeDefault containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: allowPrivilegeEscalation: false runAsNonRoot: true @@ -100,7 +100,7 @@ spec: type: RuntimeDefault containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - name: web-insecure containerPort: 8080 @@ -125,7 +125,7 @@ spec: type: RuntimeDefault containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - name: web-insecure containerPort: 8080 @@ -152,7 +152,7 @@ spec: type: RuntimeDefault containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: privileged: false allowPrivilegeEscalation: false @@ -174,7 +174,7 @@ spec: type: RuntimeDefault containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: level: "s0:c123,c456" 
@@ -200,7 +200,7 @@ spec: type: RuntimeDefault containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: allowPrivilegeEscalation: false runAsNonRoot: true @@ -224,7 +224,7 @@ spec: localhostProfile: operator/default/profile1.json containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: allowPrivilegeEscalation: false runAsNonRoot: true @@ -250,7 +250,7 @@ spec: value: "1 0" containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: allowPrivilegeEscalation: false runAsNonRoot: true @@ -267,7 +267,7 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: allowPrivilegeEscalation: false runAsNonRoot: true @@ -290,7 +290,7 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-nginx:dontpull + image: nginx:dontpull securityContext: allowPrivilegeEscalation: false runAsNonRoot: true @@ -307,7 +307,7 @@ metadata: spec: initContainers: - name: container01-init - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: allowPrivilegeEscalation: false runAsNonRoot: true @@ -328,7 +328,7 @@ spec: - SYS_ADMIN containers: - name: container01 - image: ghcr.io/kyverno/test-nginx:dontpull + image: nginx:dontpull securityContext: allowPrivilegeEscalation: false runAsNonRoot: true diff --git a/pod-security/subrule/restricted/restricted-exclude-capabilities/.chainsaw-test/podcontroller-bad.yaml b/pod-security/subrule/restricted/restricted-exclude-capabilities/.chainsaw-test/podcontroller-bad.yaml index e09c584ba..82e49f127 100644 --- a/pod-security/subrule/restricted/restricted-exclude-capabilities/.chainsaw-test/podcontroller-bad.yaml +++ b/pod-security/subrule/restricted/restricted-exclude-capabilities/.chainsaw-test/podcontroller-bad.yaml 
@@ -14,7 +14,7 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-nginx:dontpull + image: nginx:dontpull securityContext: allowPrivilegeEscalation: true runAsNonRoot: true @@ -40,7 +40,7 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-nginx:dontpull + image: nginx:dontpull securityContext: allowPrivilegeEscalation: false runAsNonRoot: false @@ -66,7 +66,7 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-nginx:dontpull + image: nginx:dontpull securityContext: allowPrivilegeEscalation: false runAsNonRoot: true @@ -92,7 +92,7 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: allowPrivilegeEscalation: false runAsNonRoot: true @@ -115,7 +115,7 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-nginx:dontpull + image: nginx:dontpull securityContext: allowPrivilegeEscalation: false runAsUser: 0 @@ -146,7 +146,7 @@ spec: type: RuntimeDefault initContainers: - name: init-container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: allowPrivilegeEscalation: false runAsNonRoot: true @@ -158,7 +158,7 @@ spec: add: - SYS_NET_ADMIN - name: init-container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: allowPrivilegeEscalation: false runAsNonRoot: true @@ -169,7 +169,7 @@ spec: - ALL containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: allowPrivilegeEscalation: false runAsNonRoot: true @@ -205,7 +205,7 @@ spec: type: RuntimeDefault containers: - name: container01 - image: ghcr.io/kyverno/test-nginx:dontpull + image: nginx:dontpull securityContext: allowPrivilegeEscalation: false runAsNonRoot: true 
@@ -236,7 +236,7 @@ spec: type: RuntimeDefault containers: - name: container01 - image: ghcr.io/kyverno/test-nginx:dontpull + image: nginx:dontpull ports: - name: web-insecure containerPort: 8080 @@ -271,7 +271,7 @@ spec: type: RuntimeDefault containers: - name: container01 - image: ghcr.io/kyverno/test-nginx:dontpull + image: nginx:dontpull securityContext: windowsOptions: hostProcess: true @@ -304,7 +304,7 @@ spec: type: RuntimeDefault containers: - name: container01 - image: ghcr.io/kyverno/test-nginx:dontpull + image: nginx:dontpull securityContext: privileged: true allowPrivilegeEscalation: false @@ -335,7 +335,7 @@ spec: type: RuntimeDefault containers: - name: container01 - image: ghcr.io/kyverno/test-nginx:dontpull + image: nginx:dontpull securityContext: seLinuxOptions: type: container_engine_t @@ -369,7 +369,7 @@ spec: type: RuntimeDefault containers: - name: container01 - image: ghcr.io/kyverno/test-nginx:dontpull + image: nginx:dontpull securityContext: allowPrivilegeEscalation: false runAsNonRoot: true @@ -401,7 +401,7 @@ spec: value: "4" containers: - name: container01 - image: ghcr.io/kyverno/test-nginx:dontpull + image: nginx:dontpull securityContext: allowPrivilegeEscalation: false runAsNonRoot: true @@ -427,7 +427,7 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-nginx:dontpull + image: nginx:dontpull securityContext: allowPrivilegeEscalation: false runAsNonRoot: true @@ -459,7 +459,7 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-nginx:dontpull + image: nginx:dontpull securityContext: allowPrivilegeEscalation: false runAsNonRoot: true @@ -494,7 +494,7 @@ spec: type: RuntimeDefault containers: - name: container01 - image: ghcr.io/kyverno/test-nginx:dontpull + image: nginx:dontpull securityContext: seLinuxOptions: user: sysadm_u 
@@ -523,7 +523,7 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-nginx:dontpull + image: nginx:dontpull securityContext: allowPrivilegeEscalation: true runAsNonRoot: true @@ -549,7 +549,7 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-nginx:dontpull + image: nginx:dontpull securityContext: allowPrivilegeEscalation: false runAsNonRoot: false @@ -575,7 +575,7 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-nginx:dontpull + image: nginx:dontpull securityContext: allowPrivilegeEscalation: false runAsNonRoot: true @@ -601,7 +601,7 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: allowPrivilegeEscalation: false runAsNonRoot: true @@ -624,7 +624,7 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-nginx:dontpull + image: nginx:dontpull securityContext: allowPrivilegeEscalation: false runAsUser: 0 @@ -655,7 +655,7 @@ spec: type: RuntimeDefault initContainers: - name: init-container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: allowPrivilegeEscalation: false runAsNonRoot: true @@ -667,7 +667,7 @@ spec: add: - SYS_NET_ADMIN - name: init-container02 - image: ghcr.io/kyverno/test-nginx:dontpull + image: nginx:dontpull securityContext: allowPrivilegeEscalation: false runAsNonRoot: true @@ -678,7 +678,7 @@ spec: - ALL containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: allowPrivilegeEscalation: false runAsNonRoot: true @@ -714,7 +714,7 @@ spec: type: RuntimeDefault containers: - name: container01 - image: ghcr.io/kyverno/test-nginx:dontpull + image: nginx:dontpull securityContext: allowPrivilegeEscalation: false runAsNonRoot: true 
@@ -745,7 +745,7 @@ spec: type: RuntimeDefault containers: - name: container01 - image: ghcr.io/kyverno/test-nginx:dontpull + image: nginx:dontpull ports: - name: web-insecure containerPort: 8080 @@ -780,7 +780,7 @@ spec: type: RuntimeDefault containers: - name: container01 - image: ghcr.io/kyverno/test-nginx:dontpull + image: nginx:dontpull securityContext: windowsOptions: hostProcess: true @@ -813,7 +813,7 @@ spec: type: RuntimeDefault containers: - name: container01 - image: ghcr.io/kyverno/test-nginx:dontpull + image: nginx:dontpull securityContext: privileged: true allowPrivilegeEscalation: false @@ -844,7 +844,7 @@ spec: type: RuntimeDefault containers: - name: container01 - image: ghcr.io/kyverno/test-nginx:dontpull + image: nginx:dontpull securityContext: seLinuxOptions: type: container_engine_t @@ -876,7 +876,7 @@ spec: type: RuntimeDefault containers: - name: container01 - image: ghcr.io/kyverno/test-nginx:dontpull + image: nginx:dontpull securityContext: allowPrivilegeEscalation: false runAsNonRoot: true @@ -908,7 +908,7 @@ spec: value: "4" containers: - name: container01 - image: ghcr.io/kyverno/test-nginx:dontpull + image: nginx:dontpull securityContext: allowPrivilegeEscalation: false runAsNonRoot: true @@ -934,7 +934,7 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-nginx:dontpull + image: nginx:dontpull securityContext: allowPrivilegeEscalation: false runAsNonRoot: true @@ -966,7 +966,7 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-nginx:dontpull + image: nginx:dontpull securityContext: allowPrivilegeEscalation: false runAsNonRoot: true @@ -1001,7 +1001,7 @@ spec: type: RuntimeDefault containers: - name: container01 - image: ghcr.io/kyverno/test-nginx:dontpull + image: nginx:dontpull securityContext: seLinuxOptions: user: sysadm_u 
diff --git a/pod-security/subrule/restricted/restricted-exclude-capabilities/.chainsaw-test/podcontroller-good.yaml b/pod-security/subrule/restricted/restricted-exclude-capabilities/.chainsaw-test/podcontroller-good.yaml index 139df42da..418c21476 100644 --- a/pod-security/subrule/restricted/restricted-exclude-capabilities/.chainsaw-test/podcontroller-good.yaml +++ b/pod-security/subrule/restricted/restricted-exclude-capabilities/.chainsaw-test/podcontroller-good.yaml @@ -14,7 +14,7 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-nginx:dontpull + image: nginx:dontpull securityContext: allowPrivilegeEscalation: false runAsNonRoot: true @@ -45,7 +45,7 @@ spec: type: RuntimeDefault initContainers: - name: init-container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: allowPrivilegeEscalation: false runAsNonRoot: true @@ -58,7 +58,7 @@ spec: add: - NET_BIND_SERVICE - name: init-container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: allowPrivilegeEscalation: false runAsNonRoot: true @@ -69,7 +69,7 @@ spec: - ALL containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: allowPrivilegeEscalation: false runAsNonRoot: true @@ -105,7 +105,7 @@ spec: type: RuntimeDefault containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: allowPrivilegeEscalation: false runAsNonRoot: true @@ -136,7 +136,7 @@ spec: type: RuntimeDefault containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - name: web-insecure containerPort: 8080 @@ -170,7 +170,7 @@ spec: type: RuntimeDefault containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - name: web-insecure containerPort: 8080 
@@ -206,7 +206,7 @@ spec: type: RuntimeDefault containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: privileged: false allowPrivilegeEscalation: false @@ -237,7 +237,7 @@ spec: type: RuntimeDefault containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: level: "s0:c123,c456" @@ -272,7 +272,7 @@ spec: type: RuntimeDefault containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: allowPrivilegeEscalation: false runAsNonRoot: true @@ -303,7 +303,7 @@ spec: localhostProfile: operator/default/profile1.json containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: allowPrivilegeEscalation: false runAsNonRoot: true @@ -336,7 +336,7 @@ spec: value: "1 0" containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: allowPrivilegeEscalation: false runAsNonRoot: true @@ -362,7 +362,7 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: allowPrivilegeEscalation: false runAsNonRoot: true @@ -394,7 +394,7 @@ spec: spec: initContainers: - name: container01-init - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: allowPrivilegeEscalation: false runAsNonRoot: true @@ -415,7 +415,7 @@ spec: - SYS_ADMIN containers: - name: container01 - image: ghcr.io/kyverno/test-nginx:dontpull + image: nginx:dontpull securityContext: allowPrivilegeEscalation: false runAsNonRoot: true @@ -439,7 +439,7 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-nginx:dontpull + image: nginx:dontpull securityContext: allowPrivilegeEscalation: false runAsNonRoot: true 
@@ -462,7 +462,7 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-nginx:dontpull + image: nginx:dontpull securityContext: allowPrivilegeEscalation: false runAsNonRoot: true @@ -490,7 +490,7 @@ spec: type: RuntimeDefault initContainers: - name: init-container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: allowPrivilegeEscalation: false runAsNonRoot: true @@ -503,7 +503,7 @@ spec: add: - NET_BIND_SERVICE - name: init-container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: allowPrivilegeEscalation: false runAsNonRoot: true @@ -514,7 +514,7 @@ spec: - ALL containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: allowPrivilegeEscalation: false runAsNonRoot: true @@ -547,7 +547,7 @@ spec: type: RuntimeDefault containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: allowPrivilegeEscalation: false runAsNonRoot: true @@ -575,7 +575,7 @@ spec: type: RuntimeDefault containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - name: web-insecure containerPort: 8080 @@ -606,7 +606,7 @@ spec: type: RuntimeDefault containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - name: web-insecure containerPort: 8080 @@ -639,7 +639,7 @@ spec: type: RuntimeDefault containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: privileged: false allowPrivilegeEscalation: false @@ -667,7 +667,7 @@ spec: type: RuntimeDefault containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: level: "s0:c123,c456" 
@@ -700,7 +700,7 @@ spec: type: RuntimeDefault containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: allowPrivilegeEscalation: false runAsNonRoot: true @@ -731,7 +731,7 @@ spec: localhostProfile: operator/default/profile1.json containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: allowPrivilegeEscalation: false runAsNonRoot: true @@ -764,7 +764,7 @@ spec: value: "1 0" containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: allowPrivilegeEscalation: false runAsNonRoot: true @@ -789,7 +789,7 @@ spec: runAsNonRoot: true containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: allowPrivilegeEscalation: false runAsNonRoot: true @@ -818,7 +818,7 @@ spec: restartPolicy: OnFailure initContainers: - name: container01-init - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: allowPrivilegeEscalation: false runAsNonRoot: true @@ -839,7 +839,7 @@ spec: - SYS_ADMIN containers: - name: container01 - image: ghcr.io/kyverno/test-nginx:dontpull + image: nginx:dontpull securityContext: allowPrivilegeEscalation: false runAsNonRoot: true diff --git a/pod-security/subrule/restricted/restricted-exclude-capabilities/.chainsaw-test/policy-ready.yaml b/pod-security/subrule/restricted/restricted-exclude-capabilities/.chainsaw-test/policy-ready.yaml index 6fb06a0ef..ec91895a4 100644 --- a/pod-security/subrule/restricted/restricted-exclude-capabilities/.chainsaw-test/policy-ready.yaml +++ b/pod-security/subrule/restricted/restricted-exclude-capabilities/.chainsaw-test/policy-ready.yaml @@ -3,7 +3,4 @@ kind: ClusterPolicy metadata: name: podsecurity-subrule-restricted-capabilities status: - conditions: - - reason: Succeeded - status: "True" - type: Ready + ready: true \ No newline at end of file 
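Review bot: The readiness assertion in policy-ready.yaml (`@@ -3,7 +3,4 @@`) is loosened from a `Ready` condition with `status: "True"` and `reason: Succeeded` to the single boolean `ready: true`, which no longer verifies why the policy was considered ready. If the targeted Kyverno version populates `status.ready` this will pass, but the two fields could in principle disagree (I cannot confirm from this hunk whether they are derived from the same source), so keeping the condition check as well — `conditions:` / `- type: Ready` / `status: "True"` under `status:` — would retain the stronger assertion. The rewritten file also ends without a trailing newline, as the `\ No newline at end of file` marker shows; adding one keeps the fixture consistent with the other test files.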
diff --git a/pod-security/subrule/restricted/restricted-exclude-capabilities/.kyverno-test/resource.yaml b/pod-security/subrule/restricted/restricted-exclude-capabilities/.kyverno-test/resource.yaml index 51cbeae27..a1ee0bcff 100644 --- a/pod-security/subrule/restricted/restricted-exclude-capabilities/.kyverno-test/resource.yaml +++ b/pod-security/subrule/restricted/restricted-exclude-capabilities/.kyverno-test/resource.yaml @@ -5,7 +5,7 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-nginx:latest + image: nginx:1.1.9 securityContext: allowPrivilegeEscalation: false runAsNonRoot: true diff --git a/pod-security/subrule/restricted/restricted-exclude-capabilities/artifacthub-pkg.yml b/pod-security/subrule/restricted/restricted-exclude-capabilities/artifacthub-pkg.yml index 3ef9995ca..8f6f5ceb5 100644 --- a/pod-security/subrule/restricted/restricted-exclude-capabilities/artifacthub-pkg.yml +++ b/pod-security/subrule/restricted/restricted-exclude-capabilities/artifacthub-pkg.yml @@ -19,4 +19,4 @@ annotations: kyverno/category: "Pod Security" kyverno/kubernetesVersion: "1.24" kyverno/subject: "Pod" -digest: 4a35f7759f06a4a8881df10978d5c87f5a24994c10209512f8a81a05f7f2b0c0 +digest: e917468019277ed45ac963bb9c8623fda646a33eb49320716a565a3191c6cfb9 diff --git a/pod-security/subrule/restricted/restricted-exclude-capabilities/restricted-exclude-capabilities.yaml b/pod-security/subrule/restricted/restricted-exclude-capabilities/restricted-exclude-capabilities.yaml index 6ff865a3c..8f466a1d7 100644 --- a/pod-security/subrule/restricted/restricted-exclude-capabilities/restricted-exclude-capabilities.yaml +++ b/pod-security/subrule/restricted/restricted-exclude-capabilities/restricted-exclude-capabilities.yaml 
@@ -20,7 +20,7 @@ metadata: exempting `nginx` and `redis` container images from the Capabilities control check. spec: background: true - validationFailureAction: Enforce + validationFailureAction: enforce rules: - name: restricted-exempt-capabilities match: @@ -35,5 +35,5 @@ spec: exclude: - controlName: Capabilities images: - - ghcr.io/kyverno/test-nginx* + - nginx* - redis* \ No newline at end of file diff --git a/pod-security/subrule/restricted/restricted-exclude-seccomp/.chainsaw-test/chainsaw-test.yaml b/pod-security/subrule/restricted/restricted-exclude-seccomp/.chainsaw-test/chainsaw-test.yaml index 912a6e4e2..25533518d 100755 --- a/pod-security/subrule/restricted/restricted-exclude-seccomp/.chainsaw-test/chainsaw-test.yaml +++ b/pod-security/subrule/restricted/restricted-exclude-seccomp/.chainsaw-test/chainsaw-test.yaml @@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: diff --git a/pod-security/subrule/restricted/restricted-exclude-seccomp/.chainsaw-test/pod-bad.yaml b/pod-security/subrule/restricted/restricted-exclude-seccomp/.chainsaw-test/pod-bad.yaml index 9388cc1e2..7fe0e0bb5 100644 --- a/pod-security/subrule/restricted/restricted-exclude-seccomp/.chainsaw-test/pod-bad.yaml +++ b/pod-security/subrule/restricted/restricted-exclude-seccomp/.chainsaw-test/pod-bad.yaml @@ -5,7 +5,7 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-nginx:dontpull + image: nginx:dontpull securityContext: allowPrivilegeEscalation: true runAsNonRoot: true @@ -22,7 +22,7 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-nginx:dontpull + image: nginx:dontpull securityContext: allowPrivilegeEscalation: false runAsNonRoot: false 
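Review bot: The exclusion entry `- nginx*` in the `@@ -35,5 +35,5 @@` hunk of restricted-exclude-capabilities.yaml is a bare prefix glob, so it exempts from the Capabilities control any container whose image string starts with `nginx`, not only the official `nginx` image that the description in the hunk context ("exempting `nginx` and `redis` container images") refers to; the removed `ghcr.io/kyverno/test-nginx*` was at least anchored to one registry and org. If Kyverno matches these patterns against the raw `image` field rather than a normalized, registry-qualified reference — which this hunk does not let me confirm — a registry-qualified pattern such as `- docker.io/library/nginx*`, or a comment above `images:` stating that the sample deliberately matches by short name, would make the exemption's scope explicit for anyone copying this policy. The unchanged `- redis*` entry has the same shape and would benefit from the same treatment.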
@@ -39,7 +39,7 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-nginx:dontpull + image: nginx:dontpull securityContext: allowPrivilegeEscalation: false runAsNonRoot: false @@ -56,7 +56,7 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-nginx:dontpull + image: nginx:dontpull securityContext: allowPrivilegeEscalation: false runAsNonRoot: true @@ -70,7 +70,7 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-nginx:dontpull + image: nginx:dontpull securityContext: allowPrivilegeEscalation: false runAsUser: 0 @@ -92,7 +92,7 @@ spec: type: Unconfined initContainers: - name: init-container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: allowPrivilegeEscalation: false runAsNonRoot: true @@ -104,7 +104,7 @@ spec: add: - SYS_NET_ADMIN - name: init-container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: allowPrivilegeEscalation: false runAsNonRoot: true @@ -115,7 +115,7 @@ spec: - ALL containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: allowPrivilegeEscalation: false runAsNonRoot: true @@ -142,7 +142,7 @@ spec: type: Unconfined containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: allowPrivilegeEscalation: false runAsNonRoot: true @@ -164,7 +164,7 @@ spec: type: Unconfined containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - name: web-insecure containerPort: 8080 @@ -190,7 +190,7 @@ spec: type: Unconfined containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: windowsOptions: hostProcess: true 
@@ -214,7 +214,7 @@ spec: type: Unconfined containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: privileged: true allowPrivilegeEscalation: false @@ -236,7 +236,7 @@ spec: type: Unconfined containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: type: container_engine_t @@ -261,7 +261,7 @@ spec: type: Unconfined containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: allowPrivilegeEscalation: false runAsNonRoot: true @@ -284,7 +284,7 @@ spec: value: "4" containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: allowPrivilegeEscalation: false runAsNonRoot: true @@ -301,7 +301,7 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: allowPrivilegeEscalation: false runAsNonRoot: true @@ -324,7 +324,7 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: allowPrivilegeEscalation: false runAsNonRoot: true @@ -350,7 +350,7 @@ spec: type: Unconfined containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: user: sysadm_u diff --git a/pod-security/subrule/restricted/restricted-exclude-seccomp/.chainsaw-test/pod-good.yaml b/pod-security/subrule/restricted/restricted-exclude-seccomp/.chainsaw-test/pod-good.yaml index daf2ff3c7..4713c8eda 100644 --- a/pod-security/subrule/restricted/restricted-exclude-seccomp/.chainsaw-test/pod-good.yaml +++ b/pod-security/subrule/restricted/restricted-exclude-seccomp/.chainsaw-test/pod-good.yaml 
@@ -5,7 +5,7 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-nginx:dontpull + image: nginx:dontpull securityContext: allowPrivilegeEscalation: false runAsNonRoot: true @@ -25,7 +25,7 @@ spec: type: Unconfined initContainers: - name: init-container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: allowPrivilegeEscalation: false runAsNonRoot: true @@ -38,7 +38,7 @@ spec: add: - NET_BIND_SERVICE - name: init-container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: allowPrivilegeEscalation: false runAsNonRoot: true @@ -47,7 +47,7 @@ spec: - ALL containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: allowPrivilegeEscalation: false runAsNonRoot: true @@ -72,7 +72,7 @@ spec: type: Unconfined containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: allowPrivilegeEscalation: false runAsNonRoot: true @@ -94,7 +94,7 @@ spec: type: Unconfined containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - name: web-insecure containerPort: 8080 @@ -117,7 +117,7 @@ spec: runAsUser: 1 containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - name: web-insecure containerPort: 8080 @@ -144,7 +144,7 @@ spec: type: Unconfined containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: privileged: false allowPrivilegeEscalation: false @@ -164,7 +164,7 @@ spec: type: Unconfined containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: level: "s0:c123,c456" 
@@ -188,7 +188,7 @@ spec: type: RuntimeDefault containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: allowPrivilegeEscalation: false runAsNonRoot: true @@ -212,7 +212,7 @@ spec: localhostProfile: operator/default/profile1.json containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: allowPrivilegeEscalation: false runAsNonRoot: true @@ -238,7 +238,7 @@ spec: value: "1 0" containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: allowPrivilegeEscalation: false runAsNonRoot: true @@ -253,7 +253,7 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: allowPrivilegeEscalation: false runAsNonRoot: true diff --git a/pod-security/subrule/restricted/restricted-exclude-seccomp/.chainsaw-test/podcontroller-bad.yaml b/pod-security/subrule/restricted/restricted-exclude-seccomp/.chainsaw-test/podcontroller-bad.yaml index 9e5f97ec7..fb1c69140 100644 --- a/pod-security/subrule/restricted/restricted-exclude-seccomp/.chainsaw-test/podcontroller-bad.yaml +++ b/pod-security/subrule/restricted/restricted-exclude-seccomp/.chainsaw-test/podcontroller-bad.yaml @@ -14,7 +14,7 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-nginx:dontpull + image: nginx:dontpull securityContext: allowPrivilegeEscalation: true runAsNonRoot: true @@ -40,7 +40,7 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-nginx:dontpull + image: nginx:dontpull securityContext: allowPrivilegeEscalation: false runAsNonRoot: false @@ -64,7 +64,7 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-nginx:dontpull + image: nginx:dontpull securityContext: allowPrivilegeEscalation: false runAsNonRoot: false 
@@ -88,7 +88,7 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-nginx:dontpull + image: nginx:dontpull securityContext: allowPrivilegeEscalation: false runAsNonRoot: true @@ -111,7 +111,7 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-nginx:dontpull + image: nginx:dontpull securityContext: allowPrivilegeEscalation: false runAsUser: 0 @@ -142,7 +142,7 @@ spec: type: Unconfined initContainers: - name: init-container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: allowPrivilegeEscalation: false runAsNonRoot: true @@ -154,7 +154,7 @@ spec: add: - SYS_NET_ADMIN - name: init-container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: allowPrivilegeEscalation: false runAsNonRoot: true @@ -165,7 +165,7 @@ spec: - ALL containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: allowPrivilegeEscalation: false runAsNonRoot: true @@ -201,7 +201,7 @@ spec: type: Unconfined containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: allowPrivilegeEscalation: false runAsNonRoot: true @@ -232,7 +232,7 @@ spec: type: Unconfined containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - name: web-insecure containerPort: 8080 @@ -267,7 +267,7 @@ spec: type: Unconfined containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: windowsOptions: hostProcess: true @@ -298,7 +298,7 @@ spec: type: Unconfined containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: privileged: true allowPrivilegeEscalation: false 
@@ -327,7 +327,7 @@ spec: type: Unconfined containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: type: container_engine_t @@ -359,7 +359,7 @@ spec: type: Unconfined containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: allowPrivilegeEscalation: false runAsNonRoot: true @@ -389,7 +389,7 @@ spec: value: "4" containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: allowPrivilegeEscalation: false runAsNonRoot: true @@ -413,7 +413,7 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: allowPrivilegeEscalation: false runAsNonRoot: true @@ -445,7 +445,7 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: allowPrivilegeEscalation: false runAsNonRoot: true @@ -480,7 +480,7 @@ spec: type: Unconfined containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: user: sysadm_u @@ -509,7 +509,7 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-nginx:dontpull + image: nginx:dontpull securityContext: allowPrivilegeEscalation: true runAsNonRoot: true @@ -535,7 +535,7 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-nginx:dontpull + image: nginx:dontpull securityContext: allowPrivilegeEscalation: false runAsNonRoot: false @@ -561,7 +561,7 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-nginx:dontpull + image: nginx:dontpull securityContext: allowPrivilegeEscalation: false runAsNonRoot: false 
@@ -587,7 +587,7 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-nginx:dontpull + image: nginx:dontpull securityContext: allowPrivilegeEscalation: false runAsNonRoot: true @@ -610,7 +610,7 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-nginx:dontpull + image: nginx:dontpull securityContext: allowPrivilegeEscalation: false runAsUser: 0 @@ -641,7 +641,7 @@ spec: type: Unconfined initContainers: - name: init-container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: allowPrivilegeEscalation: false runAsNonRoot: true @@ -653,7 +653,7 @@ spec: add: - SYS_NET_ADMIN - name: init-container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: allowPrivilegeEscalation: false runAsNonRoot: true @@ -664,7 +664,7 @@ spec: - ALL containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: allowPrivilegeEscalation: false runAsNonRoot: true @@ -700,7 +700,7 @@ spec: type: Unconfined containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: allowPrivilegeEscalation: false runAsNonRoot: true @@ -729,7 +729,7 @@ spec: runAsUser: 1 containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - name: web-insecure containerPort: 8080 @@ -762,7 +762,7 @@ spec: runAsUser: 1 containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: windowsOptions: hostProcess: true @@ -793,7 +793,7 @@ spec: runAsUser: 1 containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: privileged: true allowPrivilegeEscalation: false 
@@ -822,7 +822,7 @@ spec: runAsNonRoot: true containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: type: container_engine_t @@ -852,7 +852,7 @@ spec: runAsNonRoot: true containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: allowPrivilegeEscalation: false runAsNonRoot: true @@ -884,7 +884,7 @@ spec: value: "4" containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: allowPrivilegeEscalation: false runAsNonRoot: true @@ -910,7 +910,7 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: allowPrivilegeEscalation: false runAsNonRoot: true @@ -942,7 +942,7 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: allowPrivilegeEscalation: false runAsNonRoot: true @@ -977,7 +977,7 @@ spec: type: Unconfined containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: user: sysadm_u diff --git a/pod-security/subrule/restricted/restricted-exclude-seccomp/.chainsaw-test/podcontroller-good.yaml b/pod-security/subrule/restricted/restricted-exclude-seccomp/.chainsaw-test/podcontroller-good.yaml index 714a50fc9..5ff0bae32 100644 --- a/pod-security/subrule/restricted/restricted-exclude-seccomp/.chainsaw-test/podcontroller-good.yaml +++ b/pod-security/subrule/restricted/restricted-exclude-seccomp/.chainsaw-test/podcontroller-good.yaml @@ -14,7 +14,7 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-nginx:dontpull + image: nginx:dontpull securityContext: allowPrivilegeEscalation: false runAsNonRoot: true 
@@ -43,7 +43,7 @@ spec: type: Unconfined initContainers: - name: init-container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: allowPrivilegeEscalation: false runAsNonRoot: true @@ -56,7 +56,7 @@ spec: add: - NET_BIND_SERVICE - name: init-container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: allowPrivilegeEscalation: false runAsNonRoot: true @@ -65,7 +65,7 @@ spec: - ALL containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: allowPrivilegeEscalation: false runAsNonRoot: true @@ -99,7 +99,7 @@ spec: type: Unconfined containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: allowPrivilegeEscalation: false runAsNonRoot: true @@ -128,7 +128,7 @@ spec: type: Unconfined containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - name: web-insecure containerPort: 8080 @@ -160,7 +160,7 @@ spec: type: Unconfined containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - name: web-insecure containerPort: 8080 @@ -196,7 +196,7 @@ spec: type: Unconfined containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: privileged: false allowPrivilegeEscalation: false @@ -225,7 +225,7 @@ spec: type: Unconfined containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: level: "s0:c123,c456" @@ -258,7 +258,7 @@ spec: type: Unconfined containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: allowPrivilegeEscalation: false runAsNonRoot: true 
@@ -287,7 +287,7 @@ spec: localhostProfile: operator/default/profile1.json containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: allowPrivilegeEscalation: false runAsNonRoot: true @@ -318,7 +318,7 @@ spec: value: "1 0" containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: allowPrivilegeEscalation: false runAsNonRoot: true @@ -342,7 +342,7 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: allowPrivilegeEscalation: false runAsNonRoot: true @@ -369,7 +369,7 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-nginx:dontpull + image: nginx:dontpull securityContext: allowPrivilegeEscalation: false runAsNonRoot: true @@ -392,7 +392,7 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-nginx:dontpull + image: nginx:dontpull securityContext: allowPrivilegeEscalation: false runAsNonRoot: true @@ -420,7 +420,7 @@ spec: type: Unconfined initContainers: - name: init-container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: allowPrivilegeEscalation: false runAsNonRoot: true @@ -433,7 +433,7 @@ spec: add: - NET_BIND_SERVICE - name: init-container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: allowPrivilegeEscalation: false runAsNonRoot: true @@ -444,7 +444,7 @@ spec: - ALL containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: allowPrivilegeEscalation: false runAsNonRoot: true @@ -477,7 +477,7 @@ spec: type: Unconfined containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: allowPrivilegeEscalation: false runAsNonRoot: true 
@@ -505,7 +505,7 @@ spec: type: Unconfined containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - name: web-insecure containerPort: 8080 @@ -534,7 +534,7 @@ spec: runAsUser: 1 containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - name: web-insecure containerPort: 8080 @@ -565,7 +565,7 @@ spec: runAsUser: 1 containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: privileged: false allowPrivilegeEscalation: false @@ -591,7 +591,7 @@ spec: runAsNonRoot: true containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: level: "s0:c123,c456" @@ -622,7 +622,7 @@ spec: runAsNonRoot: true containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: allowPrivilegeEscalation: false runAsNonRoot: true @@ -653,7 +653,7 @@ spec: localhostProfile: operator/default/profile1.json containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: allowPrivilegeEscalation: false runAsNonRoot: true @@ -686,7 +686,7 @@ spec: value: "1 0" containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: allowPrivilegeEscalation: false runAsNonRoot: true @@ -709,7 +709,7 @@ spec: runAsNonRoot: true containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: allowPrivilegeEscalation: false runAsNonRoot: true diff --git a/pod-security/subrule/restricted/restricted-exclude-seccomp/.chainsaw-test/policy-ready.yaml b/pod-security/subrule/restricted/restricted-exclude-seccomp/.chainsaw-test/policy-ready.yaml index 876cd8bb0..875efe127 100644 --- a/pod-security/subrule/restricted/restricted-exclude-seccomp/.chainsaw-test/policy-ready.yaml 
+++ b/pod-security/subrule/restricted/restricted-exclude-seccomp/.chainsaw-test/policy-ready.yaml @@ -3,7 +3,4 @@ kind: ClusterPolicy metadata: name: podsecurity-subrule-restricted-seccomp status: - conditions: - - reason: Succeeded - status: "True" - type: Ready + ready: true \ No newline at end of file diff --git a/pod-security/subrule/restricted/restricted-exclude-seccomp/artifacthub-pkg.yml b/pod-security/subrule/restricted/restricted-exclude-seccomp/artifacthub-pkg.yml index 649d512d8..82ac9a273 100644 --- a/pod-security/subrule/restricted/restricted-exclude-seccomp/artifacthub-pkg.yml +++ b/pod-security/subrule/restricted/restricted-exclude-seccomp/artifacthub-pkg.yml @@ -19,4 +19,4 @@ annotations: kyverno/category: "Pod Security" kyverno/kubernetesVersion: "1.24" kyverno/subject: "Pod" -digest: 1b88f3c697aa61054f3a4b890e83c63258da6e1267d450844f3e8c87c374f91d +digest: c5b83d86fd4a976412f4bbb1bd732f487d7c0ce37958f1fa41cf33cd12dd71d1 diff --git a/pod-security/subrule/restricted/restricted-exclude-seccomp/restricted-exclude-seccomp.yaml b/pod-security/subrule/restricted/restricted-exclude-seccomp/restricted-exclude-seccomp.yaml index ad7bf8b68..886eca9e6 100644 --- a/pod-security/subrule/restricted/restricted-exclude-seccomp/restricted-exclude-seccomp.yaml +++ b/pod-security/subrule/restricted/restricted-exclude-seccomp/restricted-exclude-seccomp.yaml @@ -20,7 +20,7 @@ metadata: completely exempting Seccomp control check. spec: background: true - validationFailureAction: Enforce + validationFailureAction: enforce rules: - name: restricted-exempt-seccomp match: diff --git a/pod-security/subrule/restricted/restricted-latest/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/pod-security/subrule/restricted/restricted-latest/.chainsaw-test/chainsaw-step-01-assert-1.yaml index aad179a5b..03e743584 100755 --- a/pod-security/subrule/restricted/restricted-latest/.chainsaw-test/chainsaw-step-01-assert-1.yaml 
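Review bot: The policy-ready.yaml hunk now asserts `status.ready: true`, a field that, as far as I recall, Kyverno's ClusterPolicy CRD marks as deprecated in favour of `status.conditions`; on a release that no longer populates it the assert waits until timeout instead of failing with a useful message. If the test has to run across Kyverno versions, keep the removed condition form (`- type: Ready`, `status: "True"`, `reason: Succeeded`) or assert both, and put a one-line comment above `status:` naming the Kyverno version the assert targets. The file also lost its trailing newline (`\ No newline at end of file`), which is cosmetic but worth restoring.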
+++ b/pod-security/subrule/restricted/restricted-latest/.chainsaw-test/chainsaw-step-01-assert-1.yaml @@ -3,8 +3,4 @@ kind: ClusterPolicy metadata: name: podsecurity-subrule-restricted status: - conditions: - - reason: Succeeded - status: "True" - type: Ready - + ready: true diff --git a/pod-security/subrule/restricted/restricted-latest/.chainsaw-test/chainsaw-test.yaml b/pod-security/subrule/restricted/restricted-latest/.chainsaw-test/chainsaw-test.yaml index bb72b8569..9a8127221 100755 --- a/pod-security/subrule/restricted/restricted-latest/.chainsaw-test/chainsaw-test.yaml +++ b/pod-security/subrule/restricted/restricted-latest/.chainsaw-test/chainsaw-test.yaml @@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: @@ -8,16 +7,9 @@ spec: steps: - name: step-01 try: - - apply: - file: ../restricted-latest.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: podsecurity-subrule-restricted - spec: - validationFailureAction: Enforce + - script: + content: | + sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../restricted-latest.yaml | kubectl create -f - - assert: file: chainsaw-step-01-assert-1.yaml - name: step-02 @@ -36,3 +28,10 @@ spec: - check: ($error != null): true file: podcontroller-bad.yaml + - name: step-99 + try: + - delete: + ref: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: podsecurity-subrule-restricted diff --git a/pod-security/subrule/restricted/restricted-latest/.chainsaw-test/pod-bad.yaml b/pod-security/subrule/restricted/restricted-latest/.chainsaw-test/pod-bad.yaml index 721b624de..911207ea4 100644 --- a/pod-security/subrule/restricted/restricted-latest/.chainsaw-test/pod-bad.yaml +++ b/pod-security/subrule/restricted/restricted-latest/.chainsaw-test/pod-bad.yaml 
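Review bot: The chainsaw-step-01-assert-1.yaml hunk has the same issue as the other ready-check files in this diff: `status.ready: true` is, to my recollection, the deprecated form, and an assert on a field that a newer Kyverno stops populating only times out. Prefer the `conditions` form that was removed here (`- type: Ready`, `status: "True"`) or assert both forms.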
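Review bot: Replacing the declarative `apply`/`patch` with `sed ... | kubectl create -f -` in step-01 creates the cluster-wide `podsecurity-subrule-restricted` ClusterPolicy outside chainsaw's resource tracking, and the new `step-99` delete only runs if every earlier step passes (chainsaw skips the remaining steps after a failure by default, as I understand it), so a failing step-02 leaves an Enforce-mode restricted policy in place for every later test in the suite. Move the delete into a step-level `cleanup:` block on step-01, which runs at the end of the test regardless of outcome (confirm the chainsaw version in use supports it; otherwise restore the tracked `apply` + `patch`). The `sed` also fails silently: if `../restricted-latest.yaml` spells the value `Audit` rather than `audit` (other policy files in this diff change case in the opposite direction), nothing is substituted and the policy is created in audit mode, so the script should run under `set -euo pipefail` and verify the rewritten manifest before piping it to kubectl. Dropping the `yaml-language-server` schema comment removes editor validation for the file but has no runtime effect.
```yaml
  - name: step-01
    try:
      - script:
          content: |
            set -euo pipefail
            manifest="$(sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../restricted-latest.yaml)"
            printf '%s\n' "$manifest" | grep -q 'validationFailureAction: Enforce'
            printf '%s\n' "$manifest" | kubectl create -f -
      - assert:
          file: chainsaw-step-01-assert-1.yaml
    cleanup:
      - delete:
          ref:
            apiVersion: kyverno.io/v1
            kind: ClusterPolicy
            name: podsecurity-subrule-restricted
  # … unchanged: step-02 (pod-good / pod-bad / podcontroller checks) …
```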
@@ -5,7 +5,7 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-nginx:1.1.9 + image: nginx:1.1.9 securityContext: allowPrivilegeEscalation: true runAsNonRoot: true @@ -22,7 +22,7 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-nginx:1.1.9 + image: nginx:1.1.9 securityContext: allowPrivilegeEscalation: false runAsNonRoot: false @@ -39,7 +39,7 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-nginx:1.1.9 + image: nginx:1.1.9 securityContext: allowPrivilegeEscalation: false runAsNonRoot: true @@ -56,7 +56,7 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-nginx:1.1.9 + image: nginx:1.1.9 securityContext: allowPrivilegeEscalation: false runAsNonRoot: true @@ -70,7 +70,7 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-nginx:1.1.9 + image: nginx:1.1.9 securityContext: allowPrivilegeEscalation: false runAsUser: 0 @@ -92,7 +92,7 @@ spec: type: RuntimeDefault initContainers: - name: init-container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: allowPrivilegeEscalation: false runAsNonRoot: true @@ -104,7 +104,7 @@ spec: add: - SYS_NET_ADMIN - name: init-container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: allowPrivilegeEscalation: false runAsNonRoot: true @@ -115,7 +115,7 @@ spec: - ALL containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: allowPrivilegeEscalation: false runAsNonRoot: true @@ -142,7 +142,7 @@ spec: type: RuntimeDefault containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: allowPrivilegeEscalation: false runAsNonRoot: true 
@@ -164,7 +164,7 @@ spec: type: RuntimeDefault containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - name: web-insecure containerPort: 8080 @@ -190,7 +190,7 @@ spec: type: RuntimeDefault containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: windowsOptions: hostProcess: true @@ -214,7 +214,7 @@ spec: type: RuntimeDefault containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: privileged: true allowPrivilegeEscalation: false @@ -236,7 +236,7 @@ spec: type: RuntimeDefault containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: type: container_engine_t @@ -261,7 +261,7 @@ spec: type: RuntimeDefault containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: allowPrivilegeEscalation: false runAsNonRoot: true @@ -284,7 +284,7 @@ spec: value: "4" containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: allowPrivilegeEscalation: false runAsNonRoot: true @@ -301,7 +301,7 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: allowPrivilegeEscalation: false runAsNonRoot: true @@ -324,7 +324,7 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: allowPrivilegeEscalation: false runAsNonRoot: true @@ -350,7 +350,7 @@ spec: type: RuntimeDefault containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: user: sysadm_u 
diff --git a/pod-security/subrule/restricted/restricted-latest/.chainsaw-test/pod-good.yaml b/pod-security/subrule/restricted/restricted-latest/.chainsaw-test/pod-good.yaml index 0ebfab8a2..89679f823 100644 --- a/pod-security/subrule/restricted/restricted-latest/.chainsaw-test/pod-good.yaml +++ b/pod-security/subrule/restricted/restricted-latest/.chainsaw-test/pod-good.yaml @@ -5,7 +5,7 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-nginx:1.1.9 + image: nginx:1.1.9 securityContext: allowPrivilegeEscalation: false runAsNonRoot: true @@ -27,7 +27,7 @@ spec: type: RuntimeDefault initContainers: - name: init-container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: allowPrivilegeEscalation: false runAsNonRoot: true @@ -40,7 +40,7 @@ spec: add: - NET_BIND_SERVICE - name: init-container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: allowPrivilegeEscalation: false runAsNonRoot: true @@ -51,7 +51,7 @@ spec: - ALL containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: allowPrivilegeEscalation: false runAsNonRoot: true @@ -78,7 +78,7 @@ spec: type: RuntimeDefault containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: allowPrivilegeEscalation: false runAsNonRoot: true @@ -100,7 +100,7 @@ spec: type: RuntimeDefault containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - name: web-insecure containerPort: 8080 @@ -125,7 +125,7 @@ spec: type: RuntimeDefault containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - name: web-insecure containerPort: 8080 @@ -152,7 +152,7 @@ spec: type: RuntimeDefault containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: privileged: false allowPrivilegeEscalation: false 
@@ -174,7 +174,7 @@ spec: type: RuntimeDefault containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: seLinuxOptions: level: "s0:c123,c456" @@ -200,7 +200,7 @@ spec: type: RuntimeDefault containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: allowPrivilegeEscalation: false runAsNonRoot: true @@ -224,7 +224,7 @@ spec: localhostProfile: operator/default/profile1.json containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: allowPrivilegeEscalation: false runAsNonRoot: true @@ -250,7 +250,7 @@ spec: value: "1 0" containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: allowPrivilegeEscalation: false runAsNonRoot: true @@ -267,7 +267,7 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: allowPrivilegeEscalation: false runAsNonRoot: true diff --git a/pod-security/subrule/restricted/restricted-latest/.chainsaw-test/podcontroller-bad.yaml b/pod-security/subrule/restricted/restricted-latest/.chainsaw-test/podcontroller-bad.yaml index 9a35e7f8d..5f75cf3ee 100644 --- a/pod-security/subrule/restricted/restricted-latest/.chainsaw-test/podcontroller-bad.yaml +++ b/pod-security/subrule/restricted/restricted-latest/.chainsaw-test/podcontroller-bad.yaml @@ -14,7 +14,7 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-nginx:1.1.9 + image: nginx:1.1.9 securityContext: allowPrivilegeEscalation: true runAsNonRoot: true @@ -40,7 +40,7 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-nginx:1.1.9 + image: nginx:1.1.9 securityContext: allowPrivilegeEscalation: false runAsNonRoot: false 
@@ -66,7 +66,7 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-nginx:1.1.9 + image: nginx:1.1.9 securityContext: allowPrivilegeEscalation: false runAsNonRoot: true @@ -92,7 +92,7 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-nginx:1.1.9 + image: nginx:1.1.9 securityContext: allowPrivilegeEscalation: false runAsNonRoot: true @@ -115,7 +115,7 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-nginx:1.1.9 + image: nginx:1.1.9 securityContext: allowPrivilegeEscalation: false runAsUser: 0 @@ -146,7 +146,7 @@ spec: type: RuntimeDefault initContainers: - name: init-container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: allowPrivilegeEscalation: false runAsNonRoot: true @@ -158,7 +158,7 @@ spec: add: - SYS_NET_ADMIN - name: init-container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: allowPrivilegeEscalation: false runAsNonRoot: true @@ -169,7 +169,7 @@ spec: - ALL containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: allowPrivilegeEscalation: false runAsNonRoot: true @@ -205,7 +205,7 @@ spec: type: RuntimeDefault containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: allowPrivilegeEscalation: false runAsNonRoot: true @@ -236,7 +236,7 @@ spec: type: RuntimeDefault containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 ports: - name: web-insecure containerPort: 8080 @@ -271,7 +271,7 @@ spec: type: RuntimeDefault containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: windowsOptions: hostProcess: true 
@@ -304,7 +304,7 @@ spec:
 type: RuntimeDefault
 containers:
 - name: container01
- image: ghcr.io/kyverno/test-busybox:1.35
+ image: busybox:1.35
 securityContext:
 privileged: true
 allowPrivilegeEscalation: false
@@ -335,7 +335,7 @@ spec:
 type: RuntimeDefault
 containers:
 - name: container01
- image: ghcr.io/kyverno/test-busybox:1.35
+ image: busybox:1.35
 securityContext:
 seLinuxOptions:
 type: container_engine_t
@@ -369,7 +369,7 @@ spec:
 type: RuntimeDefault
 containers:
 - name: container01
- image: ghcr.io/kyverno/test-busybox:1.35
+ image: busybox:1.35
 securityContext:
 allowPrivilegeEscalation: false
 runAsNonRoot: true
@@ -401,7 +401,7 @@ spec:
 value: "4"
 containers:
 - name: container01
- image: ghcr.io/kyverno/test-busybox:1.35
+ image: busybox:1.35
 securityContext:
 allowPrivilegeEscalation: false
 runAsNonRoot: true
@@ -427,7 +427,7 @@ spec:
 spec:
 containers:
 - name: container01
- image: ghcr.io/kyverno/test-busybox:1.35
+ image: busybox:1.35
 securityContext:
 allowPrivilegeEscalation: false
 runAsNonRoot: true
@@ -459,7 +459,7 @@ spec:
 spec:
 containers:
 - name: container01
- image: ghcr.io/kyverno/test-busybox:1.35
+ image: busybox:1.35
 securityContext:
 allowPrivilegeEscalation: false
 runAsNonRoot: true
@@ -494,7 +494,7 @@ spec:
 type: RuntimeDefault
 containers:
 - name: container01
- image: ghcr.io/kyverno/test-busybox:1.35
+ image: busybox:1.35
 securityContext:
 seLinuxOptions:
 user: sysadm_u
@@ -523,7 +523,7 @@ spec:
 restartPolicy: OnFailure
 containers:
 - name: container01
- image: ghcr.io/kyverno/test-nginx:1.1.9
+ image: nginx:1.1.9
 securityContext:
 allowPrivilegeEscalation: true
 runAsNonRoot: true
@@ -549,7 +549,7 @@ spec:
 restartPolicy: OnFailure
 containers:
 - name: container01
- image: ghcr.io/kyverno/test-nginx:1.1.9
+ image: nginx:1.1.9
 securityContext:
 allowPrivilegeEscalation: false
 runAsNonRoot: false
@@ -575,7 +575,7 @@ spec:
 restartPolicy: OnFailure
 containers:
 - name: container01
- image: ghcr.io/kyverno/test-nginx:1.1.9
+ image: nginx:1.1.9
 securityContext:
 allowPrivilegeEscalation: false
 runAsNonRoot: true
@@ -601,7 +601,7 @@ spec:
 restartPolicy: OnFailure
 containers:
 - name: container01
- image: ghcr.io/kyverno/test-nginx:1.1.9
+ image: nginx:1.1.9
 securityContext:
 allowPrivilegeEscalation: false
 runAsNonRoot: true
@@ -624,7 +624,7 @@ spec:
 restartPolicy: OnFailure
 containers:
 - name: container01
- image: ghcr.io/kyverno/test-nginx:1.1.9
+ image: nginx:1.1.9
 securityContext:
 allowPrivilegeEscalation: false
 runAsUser: 0
@@ -655,7 +655,7 @@ spec:
 type: RuntimeDefault
 initContainers:
 - name: init-container01
- image: ghcr.io/kyverno/test-busybox:1.35
+ image: busybox:1.35
 securityContext:
 allowPrivilegeEscalation: false
 runAsNonRoot: true
@@ -667,7 +667,7 @@ spec:
 add:
 - SYS_NET_ADMIN
 - name: init-container02
- image: ghcr.io/kyverno/test-busybox:1.35
+ image: busybox:1.35
 securityContext:
 allowPrivilegeEscalation: false
 runAsNonRoot: true
@@ -678,7 +678,7 @@ spec:
 - ALL
 containers:
 - name: container01
- image: ghcr.io/kyverno/test-busybox:1.35
+ image: busybox:1.35
 securityContext:
 allowPrivilegeEscalation: false
 runAsNonRoot: true
@@ -714,7 +714,7 @@ spec:
 type: RuntimeDefault
 containers:
 - name: container01
- image: ghcr.io/kyverno/test-busybox:1.35
+ image: busybox:1.35
 securityContext:
 allowPrivilegeEscalation: false
 runAsNonRoot: true
@@ -745,7 +745,7 @@ spec:
 type: RuntimeDefault
 containers:
 - name: container01
- image: ghcr.io/kyverno/test-busybox:1.35
+ image: busybox:1.35
 ports:
 - name: web-insecure
 containerPort: 8080
@@ -780,7 +780,7 @@ spec:
 type: RuntimeDefault
 containers:
 - name: container01
- image: ghcr.io/kyverno/test-busybox:1.35
+ image: busybox:1.35
 securityContext:
 windowsOptions:
 hostProcess: true
@@ -813,7 +813,7 @@ spec:
 type: RuntimeDefault
 containers:
 - name: container01
- image: ghcr.io/kyverno/test-busybox:1.35
+ image: busybox:1.35
 securityContext:
 privileged: true
 allowPrivilegeEscalation: false
@@ -844,7 +844,7 @@ spec:
 type: RuntimeDefault
 containers:
 - name: container01
- image: ghcr.io/kyverno/test-busybox:1.35
+ image: busybox:1.35
 securityContext:
 seLinuxOptions:
 type: container_engine_t
@@ -876,7 +876,7 @@ spec:
 type: RuntimeDefault
 containers:
 - name: container01
- image: ghcr.io/kyverno/test-busybox:1.35
+ image: busybox:1.35
 securityContext:
 allowPrivilegeEscalation: false
 runAsNonRoot: true
@@ -908,7 +908,7 @@ spec:
 value: "4"
 containers:
 - name: container01
- image: ghcr.io/kyverno/test-busybox:1.35
+ image: busybox:1.35
 securityContext:
 allowPrivilegeEscalation: false
 runAsNonRoot: true
@@ -934,7 +934,7 @@ spec:
 restartPolicy: OnFailure
 containers:
 - name: container01
- image: ghcr.io/kyverno/test-busybox:1.35
+ image: busybox:1.35
 securityContext:
 allowPrivilegeEscalation: false
 runAsNonRoot: true
@@ -966,7 +966,7 @@ spec:
 restartPolicy: OnFailure
 containers:
 - name: container01
- image: ghcr.io/kyverno/test-busybox:1.35
+ image: busybox:1.35
 securityContext:
 allowPrivilegeEscalation: false
 runAsNonRoot: true
@@ -1001,7 +1001,7 @@ spec:
 type: RuntimeDefault
 containers:
 - name: container01
- image: ghcr.io/kyverno/test-busybox:1.35
+ image: busybox:1.35
 securityContext:
 seLinuxOptions:
 user: sysadm_u
diff --git a/pod-security/subrule/restricted/restricted-latest/.chainsaw-test/podcontroller-good.yaml b/pod-security/subrule/restricted/restricted-latest/.chainsaw-test/podcontroller-good.yaml
index c1d89e95e..e0f0d3f8a 100644
--- a/pod-security/subrule/restricted/restricted-latest/.chainsaw-test/podcontroller-good.yaml
+++ b/pod-security/subrule/restricted/restricted-latest/.chainsaw-test/podcontroller-good.yaml
@@ -14,7 +14,7 @@ spec:
 spec:
 containers:
 - name: container01
- image: ghcr.io/kyverno/test-nginx:1.1.9
+ image: nginx:1.1.9
 securityContext:
 allowPrivilegeEscalation: false
 runAsNonRoot: true
@@ -45,7 +45,7 @@ spec:
 type: RuntimeDefault
 initContainers:
 - name: init-container01
- image: ghcr.io/kyverno/test-busybox:1.35
+ image: busybox:1.35
 securityContext:
 allowPrivilegeEscalation: false
 runAsNonRoot: true
@@ -58,7 +58,7 @@ spec:
 add:
 - NET_BIND_SERVICE
 - name: init-container02
- image: ghcr.io/kyverno/test-busybox:1.35
+ image: busybox:1.35
 securityContext:
 allowPrivilegeEscalation: false
 runAsNonRoot: true
@@ -69,7 +69,7 @@ spec:
 - ALL
 containers:
 - name: container01
- image: ghcr.io/kyverno/test-busybox:1.35
+ image: busybox:1.35
 securityContext:
 allowPrivilegeEscalation: false
 runAsNonRoot: true
@@ -105,7 +105,7 @@ spec:
 type: RuntimeDefault
 containers:
 - name: container01
- image: ghcr.io/kyverno/test-busybox:1.35
+ image: busybox:1.35
 securityContext:
 allowPrivilegeEscalation: false
 runAsNonRoot: true
@@ -136,7 +136,7 @@ spec:
 type: RuntimeDefault
 containers:
 - name: container01
- image: ghcr.io/kyverno/test-busybox:1.35
+ image: busybox:1.35
 ports:
 - name: web-insecure
 containerPort: 8080
@@ -170,7 +170,7 @@ spec:
 type: RuntimeDefault
 containers:
 - name: container01
- image: ghcr.io/kyverno/test-busybox:1.35
+ image: busybox:1.35
 ports:
 - name: web-insecure
 containerPort: 8080
@@ -206,7 +206,7 @@ spec:
 type: RuntimeDefault
 containers:
 - name: container01
- image: ghcr.io/kyverno/test-busybox:1.35
+ image: busybox:1.35
 securityContext:
 privileged: false
 allowPrivilegeEscalation: false
@@ -237,7 +237,7 @@ spec:
 type: RuntimeDefault
 containers:
 - name: container01
- image: ghcr.io/kyverno/test-busybox:1.35
+ image: busybox:1.35
 securityContext:
 seLinuxOptions:
 level: "s0:c123,c456"
@@ -272,7 +272,7 @@ spec:
 type: RuntimeDefault
 containers:
 - name: container01
- image: ghcr.io/kyverno/test-busybox:1.35
+ image: busybox:1.35
 securityContext:
 allowPrivilegeEscalation: false
 runAsNonRoot: true
@@ -303,7 +303,7 @@ spec:
 localhostProfile: operator/default/profile1.json
 containers:
 - name: container01
- image: ghcr.io/kyverno/test-busybox:1.35
+ image: busybox:1.35
 securityContext:
 allowPrivilegeEscalation: false
 runAsNonRoot: true
@@ -336,7 +336,7 @@ spec:
 value: "1 0"
 containers:
 - name: container01
- image: ghcr.io/kyverno/test-busybox:1.35
+ image: busybox:1.35
 securityContext:
 allowPrivilegeEscalation: false
 runAsNonRoot: true
@@ -362,7 +362,7 @@ spec:
 spec:
 containers:
 - name: container01
- image: ghcr.io/kyverno/test-busybox:1.35
+ image: busybox:1.35
 securityContext:
 allowPrivilegeEscalation: false
 runAsNonRoot: true
@@ -392,7 +392,7 @@ spec:
 restartPolicy: OnFailure
 containers:
 - name: container01
- image: ghcr.io/kyverno/test-nginx:1.1.9
+ image: nginx:1.1.9
 securityContext:
 allowPrivilegeEscalation: false
 runAsNonRoot: true
@@ -415,7 +415,7 @@ spec:
 restartPolicy: OnFailure
 containers:
 - name: container01
- image: ghcr.io/kyverno/test-nginx:1.1.9
+ image: nginx:1.1.9
 securityContext:
 allowPrivilegeEscalation: false
 runAsNonRoot: true
@@ -443,7 +443,7 @@ spec:
 type: RuntimeDefault
 initContainers:
 - name: init-container01
- image: ghcr.io/kyverno/test-busybox:1.35
+ image: busybox:1.35
 securityContext:
 allowPrivilegeEscalation: false
 runAsNonRoot: true
@@ -456,7 +456,7 @@ spec:
 add:
 - NET_BIND_SERVICE
 - name: init-container02
- image: ghcr.io/kyverno/test-busybox:1.35
+ image: busybox:1.35
 securityContext:
 allowPrivilegeEscalation: false
 runAsNonRoot: true
@@ -467,7 +467,7 @@ spec:
 - ALL
 containers:
 - name: container01
- image: ghcr.io/kyverno/test-busybox:1.35
+ image: busybox:1.35
 securityContext:
 allowPrivilegeEscalation: false
 runAsNonRoot: true
@@ -500,7 +500,7 @@ spec:
 type: RuntimeDefault
 containers:
 - name: container01
- image: ghcr.io/kyverno/test-busybox:1.35
+ image: busybox:1.35
 securityContext:
 allowPrivilegeEscalation: false
 runAsNonRoot: true
@@ -528,7 +528,7 @@ spec:
 type: RuntimeDefault
 containers:
 - name: container01
- image: ghcr.io/kyverno/test-busybox:1.35
+ image: busybox:1.35
 ports:
 - name: web-insecure
 containerPort: 8080
@@ -559,7 +559,7 @@ spec:
 type: RuntimeDefault
 containers:
 - name: container01
- image: ghcr.io/kyverno/test-busybox:1.35
+ image: busybox:1.35
 ports:
 - name: web-insecure
 containerPort: 8080
@@ -592,7 +592,7 @@ spec:
 type: RuntimeDefault
 containers:
 - name: container01
- image: ghcr.io/kyverno/test-busybox:1.35
+ image: busybox:1.35
 securityContext:
 privileged: false
 allowPrivilegeEscalation: false
@@ -620,7 +620,7 @@ spec:
 type: RuntimeDefault
 containers:
 - name: container01
- image: ghcr.io/kyverno/test-busybox:1.35
+ image: busybox:1.35
 securityContext:
 seLinuxOptions:
 level: "s0:c123,c456"
@@ -653,7 +653,7 @@ spec:
 type: RuntimeDefault
 containers:
 - name: container01
- image: ghcr.io/kyverno/test-busybox:1.35
+ image: busybox:1.35
 securityContext:
 allowPrivilegeEscalation: false
 runAsNonRoot: true
@@ -684,7 +684,7 @@ spec:
 localhostProfile: operator/default/profile1.json
 containers:
 - name: container01
- image: ghcr.io/kyverno/test-busybox:1.35
+ image: busybox:1.35
 securityContext:
 allowPrivilegeEscalation: false
 runAsNonRoot: true
@@ -717,7 +717,7 @@ spec:
 value: "1 0"
 containers:
 - name: container01
- image: ghcr.io/kyverno/test-busybox:1.35
+ image: busybox:1.35
 securityContext:
 allowPrivilegeEscalation: false
 runAsNonRoot: true
@@ -742,7 +742,7 @@ spec:
 runAsNonRoot: true
 containers:
 - name: container01
- image: ghcr.io/kyverno/test-busybox:1.35
+ image: busybox:1.35
 securityContext:
 allowPrivilegeEscalation: false
 runAsNonRoot: true
diff --git a/pod-security/subrule/restricted/restricted-latest/artifacthub-pkg.yml b/pod-security/subrule/restricted/restricted-latest/artifacthub-pkg.yml
index 0e95f38cc..6b0d6a395 100644
--- a/pod-security/subrule/restricted/restricted-latest/artifacthub-pkg.yml
+++ b/pod-security/subrule/restricted/restricted-latest/artifacthub-pkg.yml
@@ -20,4 +20,4 @@ annotations:
 kyverno/category: "Pod Security, EKS Best Practices"
 kyverno/kubernetesVersion: "1.24"
 kyverno/subject: "Pod"
-digest: 7fea2befa6f0012dd9c61407974aba41d582e75160a18f8639b5a861e03b28f7
+digest: 80554d63be98bc08dafdc5373c2763db38fead447b83ac4d9b1ac3209d98279b
diff --git a/pod-security/subrule/restricted/restricted-latest/restricted-latest.yaml b/pod-security/subrule/restricted/restricted-latest/restricted-latest.yaml
index 8cf8d6b96..e66589439 100644
--- a/pod-security/subrule/restricted/restricted-latest/restricted-latest.yaml
+++ b/pod-security/subrule/restricted/restricted-latest/restricted-latest.yaml
@@ -18,7 +18,7 @@ metadata:
 restricted profile through the latest version of the Pod Security Standards cluster wide.
 spec:
 background: true
- validationFailureAction: Audit
+ validationFailureAction: audit
 rules:
 - name: restricted
 match:
diff --git a/psa-cel/add-psa-namespace-reporting/.chainsaw-test/chainsaw-test.yaml b/psa-cel/add-psa-namespace-reporting/.chainsaw-test/chainsaw-test.yaml
deleted file mode 100644
index ed3b2044c..000000000
--- a/psa-cel/add-psa-namespace-reporting/.chainsaw-test/chainsaw-test.yaml
+++ /dev/null
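Review bot: In the restricted-latest.yaml hunk, `validationFailureAction: Audit` is rewritten to lowercase `audit`, which as far as I recall is the legacy spelling that Kyverno still accepts but documents as deprecated in favour of `Audit`/`Enforce`; confirm against the CRD of the Kyverno version this repository targets before standardising on the lowercase form. The same rewrite is made in psa/add-psa-namespace-reporting/add-psa-namespace-reporting.yaml further down, and that policy's chainsaw test now matches on the exact lowercase string while writing `Enforce` capitalised, so the two casings are mixed within a single policy. If the lowercase value exists only so that a test can substitute it, keeping `Audit` in the policy and adjusting the test is the smaller and more consistent change.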
@@ -1,31 +0,0 @@
-# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
-apiVersion: chainsaw.kyverno.io/v1alpha1
-kind: Test
-metadata:
- creationTimestamp: null
- name: add-psa-namespace-reporting
-spec:
- steps:
- - name: apply-policy
- try:
- - apply:
- file: ../add-psa-namespace-reporting.yaml
- - patch:
- resource:
- apiVersion: kyverno.io/v1
- kind: ClusterPolicy
- metadata:
- name: add-psa-namespace-reporting
- spec:
- validationFailureAction: Enforce
- - assert:
- file: policy-ready.yaml
- - name: apply-policy-test
- try:
- - apply:
- file: namespace-with-psa-labels.yaml
- - apply:
- expect:
- - check:
- ($error != null): true
- file: namespace-without-psa-labels.yaml
diff --git a/psa-cel/add-psa-namespace-reporting/.chainsaw-test/namespace-with-psa-labels.yaml b/psa-cel/add-psa-namespace-reporting/.chainsaw-test/namespace-with-psa-labels.yaml
deleted file mode 100644
index e94a09e9a..000000000
--- a/psa-cel/add-psa-namespace-reporting/.chainsaw-test/namespace-with-psa-labels.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
- name: test
- labels:
- pod-security.kubernetes.io/enforce: "privileged"
\ No newline at end of file
diff --git a/psa-cel/add-psa-namespace-reporting/.chainsaw-test/namespace-without-psa-labels.yaml b/psa-cel/add-psa-namespace-reporting/.chainsaw-test/namespace-without-psa-labels.yaml
deleted file mode 100644
index 7956df12c..000000000
--- a/psa-cel/add-psa-namespace-reporting/.chainsaw-test/namespace-without-psa-labels.yaml
+++ /dev/null
@@ -1,4 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
- name: test-fail
\ No newline at end of file
diff --git a/psa-cel/add-psa-namespace-reporting/.chainsaw-test/policy-ready.yaml b/psa-cel/add-psa-namespace-reporting/.chainsaw-test/policy-ready.yaml
deleted file mode 100644
index b9a1d6b21..000000000
--- a/psa-cel/add-psa-namespace-reporting/.chainsaw-test/policy-ready.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
- name: add-psa-namespace-reporting
-status:
- conditions:
- - reason: Succeeded
- status: "True"
- type: Ready
-
-
-
-
diff --git a/psa-cel/add-psa-namespace-reporting/.kyverno-test/kyverno-test.yaml b/psa-cel/add-psa-namespace-reporting/.kyverno-test/kyverno-test.yaml
deleted file mode 100644
index 513ac0fe8..000000000
--- a/psa-cel/add-psa-namespace-reporting/.kyverno-test/kyverno-test.yaml
+++ /dev/null
@@ -1,22 +0,0 @@
-apiVersion: cli.kyverno.io/v1alpha1
-kind: Test
-metadata:
- name: add-psa-namespace-reporting-tests
-policies:
-- ../add-psa-namespace-reporting.yaml
-resources:
-- namespace-with-psa-labels.yaml
-- namespace-without-psa-labels.yaml
-results:
- - kind: Namespace
- policy: add-psa-namespace-reporting
- resources:
- - test
- rule: check-namespace-labels
- result: pass
- - kind: Namespace
- policy: add-psa-namespace-reporting
- resources:
- - test-fail
- rule: check-namespace-labels
- result: fail
\ No newline at end of file
diff --git a/psa-cel/add-psa-namespace-reporting/.kyverno-test/namespace-with-psa-labels.yaml b/psa-cel/add-psa-namespace-reporting/.kyverno-test/namespace-with-psa-labels.yaml
deleted file mode 100644
index e94a09e9a..000000000
--- a/psa-cel/add-psa-namespace-reporting/.kyverno-test/namespace-with-psa-labels.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
- name: test
- labels:
- pod-security.kubernetes.io/enforce: "privileged"
\ No newline at end of file
diff --git a/psa-cel/add-psa-namespace-reporting/.kyverno-test/namespace-without-psa-labels.yaml b/psa-cel/add-psa-namespace-reporting/.kyverno-test/namespace-without-psa-labels.yaml
deleted file mode 100644
index 7956df12c..000000000
--- a/psa-cel/add-psa-namespace-reporting/.kyverno-test/namespace-without-psa-labels.yaml
+++ /dev/null
@@ -1,4 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
- name: test-fail
\ No newline at end of file
diff --git a/psa-cel/add-psa-namespace-reporting/add-psa-namespace-reporting.yaml b/psa-cel/add-psa-namespace-reporting/add-psa-namespace-reporting.yaml deleted file mode 100644 index 7d0d53480..000000000 --- a/psa-cel/add-psa-namespace-reporting/add-psa-namespace-reporting.yaml +++ /dev/null @@ -1,42 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: add-psa-namespace-reporting - annotations: - policies.kyverno.io/title: Add PSA Namespace Reporting in CEL expressions - policies.kyverno.io/category: Pod Security Admission, EKS Best Practices in CEL - policies.kyverno.io/severity: medium - kyverno.io/kyverno-version: 1.11.0 - policies.kyverno.io/minversion: 1.11.0 - kyverno.io/kubernetes-version: "1.26-1.27" - policies.kyverno.io/subject: Namespace - policies.kyverno.io/description: >- - This policy is valuable as it ensures that all namespaces within a Kubernetes - cluster are labeled with Pod Security Admission (PSA) labels, which are crucial - for defining security levels and ensuring that pods within a namespace operate - under the defined Pod Security Standard (PSS). By enforcing namespace labeling, - This policy audits namespaces to verify the presence of PSA labels. - If a namespace is found without the required labels, it generates and maintain - and ClusterPolicy Report in default namespace. - This helps administrators identify namespaces that do not comply with the - organization's security practices and take appropriate action to rectify the - situation. -spec: - validationFailureAction: Audit - background: true - rules: - - name: check-namespace-labels - match: - any: - - resources: - kinds: - - Namespace - operations: - - CREATE - - UPDATE - validate: - cel: - expressions: - - expression: "object.metadata.?labels.orValue([]).exists(label, label.startsWith('pod-security.kubernetes.io/') && object.metadata.labels[label] != '')" - message: This Namespace is missing a PSA label. - 
diff --git a/psa-cel/add-psa-namespace-reporting/artifacthub-pkg.yml b/psa-cel/add-psa-namespace-reporting/artifacthub-pkg.yml
deleted file mode 100644
index c24135339..000000000
--- a/psa-cel/add-psa-namespace-reporting/artifacthub-pkg.yml
+++ /dev/null
@@ -1,24 +0,0 @@ -name: add-psa-namespace-reporting-cel -version: 1.0.0 -displayName: Add PSA Namespace Reporting in CEL expressions -description: >- - This policy is valuable as it ensures that all namespaces within a Kubernetes cluster are labeled with Pod Security Admission (PSA) labels, which are crucial for defining security levels and ensuring that pods within a namespace operate under the defined Pod Security Standard (PSS). By enforcing namespace labeling, This policy audits namespaces to verify the presence of PSA labels. If a namespace is found without the required labels, it generates and maintain and ClusterPolicy Report in default namespace. This helps administrators identify namespaces that do not comply with the organization's security practices and take appropriate action to rectify the situation. -install: |- - ```shell - kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/psa-cel/add-psa-namespace-reporting/add-psa-namespace-reporting.yaml - ``` -keywords: - - kyverno - - Pod Security Admission - - EKS Best Practices - - CEL Expressions -readme: | - This policy is valuable as it ensures that all namespaces within a Kubernetes cluster are labeled with Pod Security Admission (PSA) labels, which are crucial for defining security levels and ensuring that pods within a namespace operate under the defined Pod Security Standard (PSS). By enforcing namespace labeling, This policy audits namespaces to verify the presence of PSA labels. If a namespace is found without the required labels, it generates and maintain and ClusterPolicy Report in default namespace. This helps administrators identify namespaces that do not comply with the organization's security practices and take appropriate action to rectify the situation. 
- - Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ -annotations: - kyverno/category: "Pod Security Admission, EKS Best Practices in CEL" - kyverno/kubernetesVersion: "1.26-1.27" - kyverno/subject: "Namespace" -digest: f2682d998f335ebf99b534234213b491bfcb760ba7438b3d198efc2f14e86cdc -createdAt: "2024-05-22T08:30:28Z" diff --git a/psa-cel/deny-privileged-profile/.chainsaw-test/chainsaw-test.yaml b/psa-cel/deny-privileged-profile/.chainsaw-test/chainsaw-test.yaml deleted file mode 100755 index 3a62388b2..000000000 --- a/psa-cel/deny-privileged-profile/.chainsaw-test/chainsaw-test.yaml +++ /dev/null 
@@ -1,98 +0,0 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json -apiVersion: chainsaw.kyverno.io/v1alpha1 -kind: Test -metadata: - creationTimestamp: null - name: deny-privileged-profile -spec: - steps: - - name: step-01 - try: - - apply: - file: ../deny-privileged-profile.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: deny-privileged-profile - spec: - validationFailureAction: Enforce - - assert: - file: policy-ready.yaml - - name: step-02 - try: - - script: - content: | - #!/bin/bash - set -eu - cp $KUBECONFIG temp - export KUBECONFIG=./temp - export USERNAME=denyprivilegeduser - export CA=ca.crt - #### Get CA certificate from kubeconfig assuming it's the first in the list. - kubectl config view --raw -o jsonpath='{.clusters[0].cluster.certificate-authority-data}' | base64 --decode > ./ca.crt - #### Set CLUSTER_SERVER from kubeconfig assuming it's the first in the list. - CLUSTER_SERVER="$(kubectl config view --raw -o jsonpath='{.clusters[0].cluster.server}')" - #### Set CLUSTER from kubeconfig assuming it's the first in the list. 
- CLUSTER="$(kubectl config view --raw -o jsonpath='{.clusters[0].name}')" - #### Generate private key - openssl genrsa -out $USERNAME.key 2048 - #### Create CSR - openssl req -new -key $USERNAME.key -out $USERNAME.csr -subj "/O=testorg/CN=$USERNAME" - #### Send CSR to kube-apiserver for approval - cat < $USERNAME.crt - #### - #### Create the credential object and output the new kubeconfig file - kubectl config set-credentials $USERNAME --client-certificate=$USERNAME.crt --client-key=$USERNAME.key --embed-certs - #### Set the context - kubectl config set-context $USERNAME-context --user=$USERNAME --cluster=$CLUSTER - # Delete CSR - kubectl delete csr $USERNAME - - apply: - file: cr.yaml - - apply: - file: crb.yaml - - script: - content: | - #!/bin/bash - set -eu - export KUBECONFIG=./temp - kubectl --context=denyprivilegeduser-context create -f ns-good.yaml - - script: - content: | - #!/bin/bash - set -eu - export KUBECONFIG=./temp - if kubectl --context=denyprivilegeduser-context create -f ns-bad.yaml; then exit 1; else exit 0; fi - - sleep: - duration: 5s - finally: - - script: - content: kubectl delete -f ns-good.yaml --ignore-not-found - - script: - content: kubectl delete -f ns-bad.yaml --ignore-not-found - - script: - content: | - set -e - rm ./temp - - name: step-05 - try: - - apply: - file: ns-good.yaml - - apply: - file: ns-bad.yaml diff --git a/psa-cel/deny-privileged-profile/.chainsaw-test/cr.yaml b/psa-cel/deny-privileged-profile/.chainsaw-test/cr.yaml deleted file mode 100755 index f39afe9fc..000000000 --- a/psa-cel/deny-privileged-profile/.chainsaw-test/cr.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: ns-deleter -rules: -- apiGroups: - - "" - resources: - - namespaces - verbs: - - create diff --git a/psa-cel/deny-privileged-profile/.chainsaw-test/crb.yaml b/psa-cel/deny-privileged-profile/.chainsaw-test/crb.yaml deleted file mode 100755 index 1f3cc8101..000000000 
--- a/psa-cel/deny-privileged-profile/.chainsaw-test/crb.yaml
+++ /dev/null
@@ -1,12 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: ns-deleter:denyprivilegeduser
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: ns-deleter
-subjects:
-- apiGroup: rbac.authorization.k8s.io
- kind: User
- name: denyprivilegeduser
diff --git a/psa-cel/deny-privileged-profile/.chainsaw-test/ns-bad.yaml b/psa-cel/deny-privileged-profile/.chainsaw-test/ns-bad.yaml
deleted file mode 100644
index 21f29bb8b..000000000
--- a/psa-cel/deny-privileged-profile/.chainsaw-test/ns-bad.yaml
+++ /dev/null
@@ -1,14 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
- labels:
- pod-security.kubernetes.io/enforce: privileged
- name: deny-privileged-bad-ns01
----
-apiVersion: v1
-kind: Namespace
-metadata:
- labels:
- pod-security.kubernetes.io/enforce: privileged
- foo: bar
- name: deny-privileged-bad-ns02
\ No newline at end of file
diff --git a/psa-cel/deny-privileged-profile/.chainsaw-test/ns-good.yaml b/psa-cel/deny-privileged-profile/.chainsaw-test/ns-good.yaml
deleted file mode 100644
index f760fac2c..000000000
--- a/psa-cel/deny-privileged-profile/.chainsaw-test/ns-good.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
- labels:
- pod-security.kubernetes.io/enforce: baseline
- name: deny-privileged-good-ns01
----
-apiVersion: v1
-kind: Namespace
-metadata:
- labels:
- foo: bar
- name: deny-privileged-good-ns02
----
-apiVersion: v1
-kind: Namespace
-metadata:
- name: deny-privileged-good-ns03
\ No newline at end of file
diff --git a/psa-cel/deny-privileged-profile/.chainsaw-test/policy-ready.yaml b/psa-cel/deny-privileged-profile/.chainsaw-test/policy-ready.yaml
deleted file mode 100755
index 3ea142941..000000000
--- a/psa-cel/deny-privileged-profile/.chainsaw-test/policy-ready.yaml
+++ /dev/null
@@ -1,10 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
- name: deny-privileged-profile
-status:
- conditions:
- - reason: Succeeded
- status: "True"
- type: Ready
-
diff --git a/psa-cel/deny-privileged-profile/.kyverno-test/kyverno-test.yaml b/psa-cel/deny-privileged-profile/.kyverno-test/kyverno-test.yaml
deleted file mode 100644
index 6d26b1d82..000000000
--- a/psa-cel/deny-privileged-profile/.kyverno-test/kyverno-test.yaml
+++ /dev/null
@@ -1,16 +0,0 @@
-apiVersion: cli.kyverno.io/v1alpha1
-kind: Test
-metadata:
- name: deny-privileged-profile
-policies:
-- ../deny-privileged-profile.yaml
-resources:
-- ../.chainsaw-test/ns-bad.yaml
-results:
-- policy: deny-privileged-profile
- rule: check-privileged
- kind: Namespace
- resources:
- - deny-privileged-bad-ns01
- - deny-privileged-bad-ns02
- result: fail
\ No newline at end of file
diff --git a/psa-cel/deny-privileged-profile/artifacthub-pkg.yml b/psa-cel/deny-privileged-profile/artifacthub-pkg.yml
deleted file mode 100644
index 0a78df882..000000000
--- a/psa-cel/deny-privileged-profile/artifacthub-pkg.yml
+++ /dev/null
@@ -1,23 +0,0 @@ -name: deny-privileged-profile-cel -version: 1.0.0 -displayName: Deny Privileged Profile in CEL expressions -description: >- - When Pod Security Admission (PSA) is enforced at the cluster level via an AdmissionConfiguration file which defines a default level at baseline or restricted, setting of a label at the `privileged` profile will effectively cause unrestricted workloads in that Namespace, overriding the cluster default. This may effectively represent a circumvention attempt and should be closely controlled. This policy ensures that only those holding the cluster-admin ClusterRole may create Namespaces which assign the label `pod-security.kubernetes.io/enforce=privileged`. -install: |- - ```shell - kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/psa-cel/deny-privileged-profile/deny-privileged-profile.yaml - ``` -keywords: - - kyverno - - Pod Security Admission - - CEL Expressions -readme: | - When Pod Security Admission (PSA) is enforced at the cluster level via an AdmissionConfiguration file which defines a default level at baseline or restricted, setting of a label at the `privileged` profile will effectively cause unrestricted workloads in that Namespace, overriding the cluster default. This may effectively represent a circumvention attempt and should be closely controlled. This policy ensures that only those holding the cluster-admin ClusterRole may create Namespaces which assign the label `pod-security.kubernetes.io/enforce=privileged`. - - Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ -annotations: - kyverno/category: "Pod Security Admission in CEL" - kyverno/kubernetesVersion: "1.26-1.27" - kyverno/subject: "Namespace" -digest: a8eb6c291f91e8ebd2535712413432e0659f2839c0929334e5f69a883506d85a -createdAt: "2024-05-22T08:35:47Z" 
diff --git a/psa-cel/deny-privileged-profile/deny-privileged-profile.yaml b/psa-cel/deny-privileged-profile/deny-privileged-profile.yaml deleted file mode 100644 index f01dddfee..000000000 --- a/psa-cel/deny-privileged-profile/deny-privileged-profile.yaml +++ /dev/null @@ -1,44 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: deny-privileged-profile - annotations: - policies.kyverno.io/title: Deny Privileged Profile in CEL expressions - policies.kyverno.io/category: Pod Security Admission in CEL expressions - policies.kyverno.io/severity: medium - kyverno.io/kyverno-version: 1.11.0 - policies.kyverno.io/minversion: 1.11.0 - kyverno.io/kubernetes-version: "1.26-1.27" - policies.kyverno.io/subject: Namespace - policies.kyverno.io/description: >- - When Pod Security Admission (PSA) is enforced at the cluster level - via an AdmissionConfiguration file which defines a default level at - baseline or restricted, setting of a label at the `privileged` profile - will effectively cause unrestricted workloads in that Namespace, overriding - the cluster default. This may effectively represent a circumvention attempt - and should be closely controlled. This policy ensures that only those holding - the cluster-admin ClusterRole may create Namespaces which assign the label - `pod-security.kubernetes.io/enforce=privileged`. -spec: - validationFailureAction: Audit - background: false - rules: - - name: check-privileged - match: - any: - - resources: - kinds: - - Namespace - selector: - matchLabels: - pod-security.kubernetes.io/enforce: privileged - exclude: - any: - - clusterRoles: - - cluster-admin - validate: - cel: - expressions: - - expression: "false" - message: Only cluster-admins may create Namespaces that allow setting the privileged level. - diff --git a/psa/add-privileged-existing-namespaces/.chainsaw-test/chainsaw-test.yaml b/psa/add-privileged-existing-namespaces/.chainsaw-test/chainsaw-test.yaml index 7e4826bda..2e28b2966 100755 
--- a/psa/add-privileged-existing-namespaces/.chainsaw-test/chainsaw-test.yaml
+++ b/psa/add-privileged-existing-namespaces/.chainsaw-test/chainsaw-test.yaml
@@ -1,4 +1,3 @@
-# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
 apiVersion: chainsaw.kyverno.io/v1alpha1
 kind: Test
 metadata:
diff --git a/psa/add-privileged-existing-namespaces/.chainsaw-test/policy-ready.yaml b/psa/add-privileged-existing-namespaces/.chainsaw-test/policy-ready.yaml
index 46908e117..01867dc1a 100644
--- a/psa/add-privileged-existing-namespaces/.chainsaw-test/policy-ready.yaml
+++ b/psa/add-privileged-existing-namespaces/.chainsaw-test/policy-ready.yaml
@@ -3,7 +3,4 @@ kind: ClusterPolicy
 metadata:
 name: add-privileged-existing-namespaces
 status:
- conditions:
- - reason: Succeeded
- status: "True"
- type: Ready
+ ready: true
\ No newline at end of file
diff --git a/psa/add-psa-labels/.chainsaw-test/chainsaw-test.yaml b/psa/add-psa-labels/.chainsaw-test/chainsaw-test.yaml
index a93a11ad2..aa82b737a 100755
--- a/psa/add-psa-labels/.chainsaw-test/chainsaw-test.yaml
+++ b/psa/add-psa-labels/.chainsaw-test/chainsaw-test.yaml
@@ -1,4 +1,3 @@
-# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
 apiVersion: chainsaw.kyverno.io/v1alpha1
 kind: Test
 metadata:
diff --git a/psa/add-psa-labels/.chainsaw-test/policy-ready.yaml b/psa/add-psa-labels/.chainsaw-test/policy-ready.yaml
index 2cf0d32e9..622a18a59 100644
--- a/psa/add-psa-labels/.chainsaw-test/policy-ready.yaml
+++ b/psa/add-psa-labels/.chainsaw-test/policy-ready.yaml
@@ -3,8 +3,4 @@ kind: ClusterPolicy
 metadata:
 name: add-psa-labels
 status:
- conditions:
- - reason: Succeeded
- status: "True"
- type: Ready
-
+ ready: true
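Review bot: The rewritten policy-ready.yaml for add-privileged-existing-namespaces ends without a trailing newline (`\ No newline at end of file`), unlike the add-psa-labels copy in the next hunk; add one so the two fixtures stay consistent and yamllint-clean. Both hunks also swap the readiness assertion from `status.conditions` with `type: Ready` to the boolean `status.ready`, which I believe is the older field in Kyverno's policy status that is documented as deprecated in favour of conditions; verify that the targeted Kyverno version still populates it, otherwise the `assert` will wait until it times out. The same swap is made in the policy-ready.yaml and chainsaw-step-01-assert-1.yaml sections that follow.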
diff --git a/psa/add-psa-namespace-reporting/.chainsaw-test/chainsaw-test.yaml b/psa/add-psa-namespace-reporting/.chainsaw-test/chainsaw-test.yaml index ed3b2044c..7d09b0d11 100644 --- a/psa/add-psa-namespace-reporting/.chainsaw-test/chainsaw-test.yaml +++ b/psa/add-psa-namespace-reporting/.chainsaw-test/chainsaw-test.yaml @@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: @@ -8,16 +7,9 @@ spec: steps: - name: apply-policy try: - - apply: - file: ../add-psa-namespace-reporting.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: add-psa-namespace-reporting - spec: - validationFailureAction: Enforce + - script: + content: | + sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../add-psa-namespace-reporting.yaml | kubectl create -f - - assert: file: policy-ready.yaml - name: apply-policy-test @@ -29,3 +21,12 @@ spec: - check: ($error != null): true file: namespace-without-psa-labels.yaml + - name: step-99 + try: + - delete: + ref: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: add-psa-namespace-reporting + + diff --git a/psa/add-psa-namespace-reporting/.chainsaw-test/policy-ready.yaml b/psa/add-psa-namespace-reporting/.chainsaw-test/policy-ready.yaml index b9a1d6b21..cfb6ab67a 100644 --- a/psa/add-psa-namespace-reporting/.chainsaw-test/policy-ready.yaml +++ b/psa/add-psa-namespace-reporting/.chainsaw-test/policy-ready.yaml @@ -3,11 +3,7 @@ kind: ClusterPolicy metadata: name: add-psa-namespace-reporting status: - conditions: - - reason: Succeeded - status: "True" - type: Ready - + ready: true diff --git a/psa/add-psa-namespace-reporting/add-psa-namespace-reporting.yaml b/psa/add-psa-namespace-reporting/add-psa-namespace-reporting.yaml index aa2652863..15b830f10 100644 
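Review bot: Enforce mode in the rewritten apply-policy step now hinges on a `sed` pattern matching the exact lowercase `validationFailureAction: audit` that this same commit introduces in the policy file; if that spelling ever drifts back to `Audit`, the substitution silently no-ops, the policy installs in audit mode, and the later `($error != null): true` expectations fail with a misleading "resource was admitted" error instead of pointing at the harness. The `policy-ready.yaml` assert in the next hunk is the natural place to pin this: add `spec:` / `  validationFailureAction: Enforce` alongside `status.ready: true` so a no-op substitution fails immediately at apply-policy. The script also runs without strict mode, so a sed problem may be masked by kubectl's exit status; prepend `set -euo pipefail` to the `content:` block. The same sed-pipe pattern is used in psa/deny-privileged-profile's chainsaw-test step-01 below and would benefit from the same assertion.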
--- a/psa/add-psa-namespace-reporting/add-psa-namespace-reporting.yaml +++ b/psa/add-psa-namespace-reporting/add-psa-namespace-reporting.yaml @@ -22,7 +22,7 @@ metadata: organization's security practices and take appropriate action to rectify the situation. spec: - validationFailureAction: Audit + validationFailureAction: audit background: true rules: - name: check-namespace-labels diff --git a/psa/add-psa-namespace-reporting/artifacthub-pkg.yml b/psa/add-psa-namespace-reporting/artifacthub-pkg.yml index a630d7f76..00f936a11 100644 --- a/psa/add-psa-namespace-reporting/artifacthub-pkg.yml +++ b/psa/add-psa-namespace-reporting/artifacthub-pkg.yml @@ -20,4 +20,4 @@ annotations: kyverno/category: "Pod Security Admission, EKS Best Practices" kyverno/kubernetesVersion: "1.24" kyverno/subject: "Namespace" -digest: bef9af61af8383e43369256e922ca3405b2b1170f6e79ef215cefd4f49aed6f5 +digest: 9f900e576158a5cff2e07404794add182859bfc6d881682af3490381abe6b434 diff --git a/psa/deny-privileged-profile/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/psa/deny-privileged-profile/.chainsaw-test/chainsaw-step-01-assert-1.yaml index 3ea142941..93dfa2f2d 100755 --- a/psa/deny-privileged-profile/.chainsaw-test/chainsaw-step-01-assert-1.yaml +++ b/psa/deny-privileged-profile/.chainsaw-test/chainsaw-step-01-assert-1.yaml @@ -3,8 +3,4 @@ kind: ClusterPolicy metadata: name: deny-privileged-profile status: - conditions: - - reason: Succeeded - status: "True" - type: Ready - + ready: true diff --git a/psa/deny-privileged-profile/.chainsaw-test/chainsaw-test.yaml b/psa/deny-privileged-profile/.chainsaw-test/chainsaw-test.yaml index 0b6b37692..ae5f3ca4a 100755 --- a/psa/deny-privileged-profile/.chainsaw-test/chainsaw-test.yaml +++ b/psa/deny-privileged-profile/.chainsaw-test/chainsaw-test.yaml 
@@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: @@ -8,16 +7,9 @@ spec: steps: - name: step-01 try: - - apply: - file: ../deny-privileged-profile.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: deny-privileged-profile - spec: - validationFailureAction: Enforce + - script: + content: | + sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../deny-privileged-profile.yaml | kubectl create -f - - assert: file: chainsaw-step-01-assert-1.yaml - name: step-02 @@ -26,8 +18,6 @@ spec: content: | #!/bin/bash set -eu - cp $KUBECONFIG temp - export KUBECONFIG=./temp export USERNAME=denyprivilegeduser export CA=ca.crt #### Get CA certificate from kubeconfig assuming it's the first in the list. 
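Review bot: Dropping `cp $KUBECONFIG temp` and `export KUBECONFIG=./temp` means the CSR-signed `denyprivilegeduser` credential and its context are now written into the runner's real kubeconfig rather than a throwaway copy; the body of this step-02 script continues outside the hunk. The matching `kubectl config unset` calls sit in step-99's `try:` (next hunk), which is not reached when any earlier step fails, so a failing run leaves a usable client certificate for `denyprivilegeduser` behind in the shared kubeconfig. I would move the two `kubectl config unset users.denyprivilegeduser` / `kubectl config unset contexts.denyprivilegeduser-context` commands into a `cleanup:` section on step-02, which as far as I know chainsaw runs regardless of how later steps end, or restore the temp-copy approach.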
@@ -63,36 +53,56 @@ spec: kubectl config set-context $USERNAME-context --user=$USERNAME --cluster=$CLUSTER # Delete CSR kubectl delete csr $USERNAME + - name: step-03 + try: - apply: file: chainsaw-step-03-apply-1.yaml - apply: file: chainsaw-step-03-apply-2.yaml + - name: step-04 + try: + - command: + args: + - --context=denyprivilegeduser-context + - create + - -f + - ns-good.yaml + entrypoint: kubectl - script: - content: | - #!/bin/bash - set -eu - export KUBECONFIG=./temp - kubectl --context=denyprivilegeduser-context create -f ns-good.yaml - - script: - content: | - #!/bin/bash - set -eu - export KUBECONFIG=./temp - if kubectl --context=denyprivilegeduser-context create -f ns-bad.yaml; then exit 1; else exit 0; fi - - sleep: - duration: 5s - finally: - - script: - content: kubectl delete -f ns-good.yaml --ignore-not-found - - script: - content: kubectl delete -f ns-bad.yaml --ignore-not-found - - script: - content: | - set -e - rm ./temp + content: if kubectl --context=denyprivilegeduser-context create -f ns-bad.yaml; + then exit 1; else exit 0; fi + - command: + args: + - delete + - -f + - ns-good.yaml + entrypoint: kubectl + - command: + args: + - "5" + entrypoint: sleep - name: step-05 try: - apply: file: ns-good.yaml - apply: file: ns-bad.yaml + - name: step-99 + try: + - delete: + ref: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: deny-privileged-profile + - command: + args: + - config + - unset + - users.denyprivilegeduser + entrypoint: kubectl + - command: + args: + - config + - unset + - contexts.denyprivilegeduser-context + entrypoint: kubectl diff --git a/psa/deny-privileged-profile/.kyverno-test/kyverno-test.yaml b/psa/deny-privileged-profile/.kyverno-test/kyverno-test.yaml deleted file mode 100644 index 6d26b1d82..000000000 --- a/psa/deny-privileged-profile/.kyverno-test/kyverno-test.yaml +++ /dev/null 
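Review bot: The negative check `if kubectl --context=denyprivilegeduser-context create -f ns-bad.yaml; then exit 1; else exit 0; fi` in step-04 passes on any non-zero exit, so an unreachable API server, a missing `denyprivilegeduser-context`, or a typo in the arguments is reported as the policy successfully denying the Namespace. Chainsaw's `command` step exposes `$error` and `$stderr` to a `check`, which lets the denial be pinned to this policy rather than to "something failed"; the snippet below assumes those bindings are available in the chainsaw version this repository targets. As written the shell is also a two-line plain scalar that YAML folds into one, which is easy to misread; the `command` form (or a `|` block) avoids that.
```yaml
      - command:
          entrypoint: kubectl
          args:
            - --context=denyprivilegeduser-context
            - create
            - -f
            - ns-bad.yaml
          check:
            ($error != null): true
            (contains($stderr, 'deny-privileged-profile')): true
      # … unchanged: delete ns-good.yaml and sleep commands …
```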
@@ -1,16 +0,0 @@ -apiVersion: cli.kyverno.io/v1alpha1 -kind: Test -metadata: - name: deny-privileged-profile -policies: -- ../deny-privileged-profile.yaml -resources: -- ../.chainsaw-test/ns-bad.yaml -results: -- policy: deny-privileged-profile - rule: check-privileged - kind: Namespace - resources: - - deny-privileged-bad-ns01 - - deny-privileged-bad-ns02 - result: fail \ No newline at end of file diff --git a/psa/deny-privileged-profile/artifacthub-pkg.yml b/psa/deny-privileged-profile/artifacthub-pkg.yml index 94fd84b99..f9742ec5f 100644 --- a/psa/deny-privileged-profile/artifacthub-pkg.yml +++ b/psa/deny-privileged-profile/artifacthub-pkg.yml @@ -19,4 +19,4 @@ annotations: kyverno/category: "Pod Security Admission" kyverno/kubernetesVersion: "1.24" kyverno/subject: "Namespace" -digest: d203db4076926737e39f08bb5f4e4b41e665e89e88352fe5b2ae4685b59a5ef3 +digest: e417c381e1aa9fd3778b37c09cfdccb87b0de20ee16ac4034496283f4fa859ac diff --git a/psa/deny-privileged-profile/deny-privileged-profile.yaml b/psa/deny-privileged-profile/deny-privileged-profile.yaml index a3e0dc64c..a7f108555 100644 --- a/psa/deny-privileged-profile/deny-privileged-profile.yaml +++ b/psa/deny-privileged-profile/deny-privileged-profile.yaml @@ -20,7 +20,7 @@ metadata: the cluster-admin ClusterRole may create Namespaces which assign the label `pod-security.kubernetes.io/enforce=privileged`. spec: - validationFailureAction: Audit + validationFailureAction: audit background: false rules: - name: check-privileged diff --git a/psp-migration-cel/check-supplemental-groups/.chainsaw-test/chainsaw-test.yaml b/psp-migration-cel/check-supplemental-groups/.chainsaw-test/chainsaw-test.yaml deleted file mode 100755 index 2d0f56c6b..000000000 --- a/psp-migration-cel/check-supplemental-groups/.chainsaw-test/chainsaw-test.yaml +++ /dev/null 
@@ -1,38 +0,0 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json -apiVersion: chainsaw.kyverno.io/v1alpha1 -kind: Test -metadata: - creationTimestamp: null - name: check-supplemental-groups -spec: - steps: - - name: step-01 - try: - - apply: - file: ../check-supplemental-groups.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: psp-check-supplemental-groups - spec: - validationFailureAction: Enforce - - assert: - file: policy-ready.yaml - - name: step-02 - try: - - apply: - file: pod-good.yaml - - apply: - expect: - - check: - ($error != null): true - file: pod-bad.yaml - - apply: - file: podcontroller-good.yaml - - apply: - expect: - - check: - ($error != null): true - file: podcontroller-bad.yaml diff --git a/psp-migration-cel/check-supplemental-groups/.chainsaw-test/pod-bad.yaml b/psp-migration-cel/check-supplemental-groups/.chainsaw-test/pod-bad.yaml deleted file mode 100644 index cb9c8bee7..000000000 --- a/psp-migration-cel/check-supplemental-groups/.chainsaw-test/pod-bad.yaml +++ /dev/null 
@@ -1,55 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: badpod01 -spec: - securityContext: - supplementalGroups: - - 120 - - 230 - - 550 - containers: - - name: busybox01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod02 -spec: - securityContext: - supplementalGroups: - - 1000 - - 120 - containers: - - name: busybox01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod03 -spec: - securityContext: - runAsGroup: 0 - supplementalGroups: - - 580 - - 0 - containers: - - name: busybox01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod04 -spec: - securityContext: - supplementalGroups: - - 100 - - 601 - - 600 - runAsGroup: 0 - containers: - - name: busybox01 - image: ghcr.io/kyverno/test-busybox:1.35 \ No newline at end of file diff --git a/psp-migration-cel/check-supplemental-groups/.chainsaw-test/pod-good.yaml b/psp-migration-cel/check-supplemental-groups/.chainsaw-test/pod-good.yaml deleted file mode 100644 index 79894baf2..000000000 --- a/psp-migration-cel/check-supplemental-groups/.chainsaw-test/pod-good.yaml +++ /dev/null 
@@ -1,60 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: goodpod01 -spec: - containers: - - name: busybox01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod02 -spec: - securityContext: - supplementalGroups: - - 150 - - 100 - - 500 - containers: - - name: busybox01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod03 -spec: - securityContext: - supplementalGroups: - - 550 - - 600 - - 120 - containers: - - name: busybox01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod04 -spec: - securityContext: - runAsGroup: 0 - containers: - - name: busybox01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod05 -spec: - securityContext: - supplementalGroups: - - 600 - runAsGroup: 0 - containers: - - name: busybox01 - image: ghcr.io/kyverno/test-busybox:1.35 \ No newline at end of file diff --git a/psp-migration-cel/check-supplemental-groups/.chainsaw-test/podcontroller-bad.yaml b/psp-migration-cel/check-supplemental-groups/.chainsaw-test/podcontroller-bad.yaml deleted file mode 100644 index 0e0934d3b..000000000 --- a/psp-migration-cel/check-supplemental-groups/.chainsaw-test/podcontroller-bad.yaml +++ /dev/null 
@@ -1,42 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment01 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - securityContext: - supplementalGroups: - - 100 - - 601 - - 600 - runAsGroup: 0 - containers: - - name: busybox01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob01 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - securityContext: - supplementalGroups: - - 1000 - - 120 - containers: - - name: busybox01 - image: ghcr.io/kyverno/test-busybox:1.35 \ No newline at end of file diff --git a/psp-migration-cel/check-supplemental-groups/.chainsaw-test/podcontroller-good.yaml b/psp-migration-cel/check-supplemental-groups/.chainsaw-test/podcontroller-good.yaml deleted file mode 100644 index 1e05f2afc..000000000 --- a/psp-migration-cel/check-supplemental-groups/.chainsaw-test/podcontroller-good.yaml +++ /dev/null @@ -1,42 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment01 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - securityContext: - supplementalGroups: - - 150 - - 100 - - 500 - containers: - - name: busybox01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob01 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - securityContext: - supplementalGroups: - - 550 - - 600 - - 120 - containers: - - name: busybox01 - image: ghcr.io/kyverno/test-busybox:1.35 \ No newline at end of file diff --git a/psp-migration-cel/check-supplemental-groups/.chainsaw-test/policy-ready.yaml b/psp-migration-cel/check-supplemental-groups/.chainsaw-test/policy-ready.yaml deleted file mode 100755 index 7d430ec06..000000000 
--- a/psp-migration-cel/check-supplemental-groups/.chainsaw-test/policy-ready.yaml +++ /dev/null @@ -1,10 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: psp-check-supplemental-groups -status: - conditions: - - reason: Succeeded - status: "True" - type: Ready - diff --git a/psp-migration-cel/check-supplemental-groups/.kyverno-test/kyverno-test.yaml b/psp-migration-cel/check-supplemental-groups/.kyverno-test/kyverno-test.yaml deleted file mode 100644 index 35f4b1eb9..000000000 --- a/psp-migration-cel/check-supplemental-groups/.kyverno-test/kyverno-test.yaml +++ /dev/null @@ -1,21 +0,0 @@ -apiVersion: cli.kyverno.io/v1alpha1 -kind: Test -metadata: - name: psp-check-supplemental-groups -policies: -- ../check-supplemental-groups.yaml -resources: -- resource.yaml -results: -- kind: Pod - policy: psp-check-supplemental-groups - resources: - - badpod01 - result: fail - rule: supplementalgroup-ranges -- kind: Pod - policy: psp-check-supplemental-groups - resources: - - goodpod01 - result: pass - rule: supplementalgroup-ranges diff --git a/psp-migration-cel/check-supplemental-groups/.kyverno-test/resource.yaml b/psp-migration-cel/check-supplemental-groups/.kyverno-test/resource.yaml deleted file mode 100644 index d7c4dc51f..000000000 --- a/psp-migration-cel/check-supplemental-groups/.kyverno-test/resource.yaml +++ /dev/null @@ -1,24 +0,0 @@ ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod01 -spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - supplementalGroups: - - 0 ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod01 -spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - supplementalGroups: - - 100 diff --git a/psp-migration-cel/check-supplemental-groups/artifacthub-pkg.yml b/psp-migration-cel/check-supplemental-groups/artifacthub-pkg.yml deleted file mode 100644 index 406e93a6a..000000000 
--- a/psp-migration-cel/check-supplemental-groups/artifacthub-pkg.yml +++ /dev/null @@ -1,23 +0,0 @@ -name: check-supplemental-groups-cel -version: 1.0.0 -displayName: Check supplementalGroups in CEL expressions -description: >- - Supplemental groups control which group IDs containers add and can coincide with restricted groups on the host. Pod Security Policies (PSP) allowed a range of these group IDs to be specified which were allowed. This policy ensures any Pod may only specify supplementalGroup IDs between 100-200 or 500-600. -install: |- - ```shell - kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/psp-migration-cel/check-supplemental-groups/check-supplemental-groups.yaml - ``` -keywords: - - kyverno - - PSP Migration - - CEL Expressions -readme: | - Supplemental groups control which group IDs containers add and can coincide with restricted groups on the host. Pod Security Policies (PSP) allowed a range of these group IDs to be specified which were allowed. This policy ensures any Pod may only specify supplementalGroup IDs between 100-200 or 500-600. - - Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ -annotations: - kyverno/category: "PSP Migration in CEL" - kyverno/kubernetesVersion: "1.26-1.27" - kyverno/subject: "Pod" -digest: 8cd53a2a3b47f9847eb4acd6902c92a704e5f0d257354ee722f4d4d3808359ea -createdAt: "2024-05-23T13:57:56Z" diff --git a/psp-migration-cel/check-supplemental-groups/check-supplemental-groups.yaml b/psp-migration-cel/check-supplemental-groups/check-supplemental-groups.yaml deleted file mode 100644 index c8d57dff1..000000000 --- a/psp-migration-cel/check-supplemental-groups/check-supplemental-groups.yaml +++ /dev/null 
@@ -1,37 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: psp-check-supplemental-groups - annotations: - policies.kyverno.io/title: Check supplementalGroups in CEL expressions - policies.kyverno.io/category: PSP Migration in CEL - policies.kyverno.io/severity: medium - kyverno.io/kyverno-version: 1.11.0 - policies.kyverno.io/minversion: 1.11.0 - kyverno.io/kubernetes-version: "1.26-1.27" - policies.kyverno.io/subject: Pod - policies.kyverno.io/description: >- - Supplemental groups control which group IDs containers add and can coincide with - restricted groups on the host. Pod Security Policies (PSP) allowed a range of - these group IDs to be specified which were allowed. This policy ensures any Pod - may only specify supplementalGroup IDs between 100-200 or 500-600. -spec: - background: false - validationFailureAction: Audit - rules: - - name: supplementalgroup-ranges - match: - any: - - resources: - kinds: - - Pod - operations: - - CREATE - - UPDATE - validate: - cel: - expressions: - - expression: >- - object.spec.?securityContext.?supplementalGroups.orValue([]).all(supplementalGroup, (supplementalGroup >= 100 && supplementalGroup <= 200) || (supplementalGroup >= 500 && supplementalGroup <= 600)) - message: Any supplementalGroup ID must be within the range 100-200 or 500-600. - diff --git a/psp-migration-cel/restrict-adding-capabilities/.chainsaw-test/chainsaw-test.yaml b/psp-migration-cel/restrict-adding-capabilities/.chainsaw-test/chainsaw-test.yaml deleted file mode 100755 index 537dcecd5..000000000 --- a/psp-migration-cel/restrict-adding-capabilities/.chainsaw-test/chainsaw-test.yaml +++ /dev/null 
@@ -1,40 +0,0 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json -apiVersion: chainsaw.kyverno.io/v1alpha1 -kind: Test -metadata: - creationTimestamp: null - name: restrict-adding-capabilities -spec: - # disable templating because it can cause issues with CEL expressions - template: false - steps: - - name: step-01 - try: - - apply: - file: ../restrict-adding-capabilities.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: psp-restrict-adding-capabilities - spec: - validationFailureAction: Enforce - - assert: - file: policy-ready.yaml - - name: step-02 - try: - - apply: - file: pod-good.yaml - - apply: - expect: - - check: - ($error != null): true - file: pod-bad.yaml - - apply: - file: podcontroller-good.yaml - - apply: - expect: - - check: - ($error != null): true - file: podcontroller-bad.yaml diff --git a/psp-migration-cel/restrict-adding-capabilities/.chainsaw-test/pod-bad.yaml b/psp-migration-cel/restrict-adding-capabilities/.chainsaw-test/pod-bad.yaml deleted file mode 100644 index a9fecbc5d..000000000 --- a/psp-migration-cel/restrict-adding-capabilities/.chainsaw-test/pod-bad.yaml +++ /dev/null 
@@ -1,177 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: addcap-badpod01 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - add: - - CHOWN ---- -apiVersion: v1 -kind: Pod -metadata: - name: addcap-badpod02 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - add: - - CHOWN - - NET_BIND_SERVICE ---- -apiVersion: v1 -kind: Pod -metadata: - name: addcap-badpod03 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - add: - - CHOWN ---- -apiVersion: v1 -kind: Pod -metadata: - name: addcap-badpod04 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - add: - - NET_BIND_SERVICE - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - add: - - CHOWN ---- -apiVersion: v1 -kind: Pod -metadata: - name: addcap-badpod05 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - add: - - NET_BIND_SERVICE - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - add: - - CHOWN - - NET_BIND_SERVICE ---- -apiVersion: v1 -kind: Pod -metadata: - name: addcap-badpod06 -spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - add: - - CHOWN - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: v1 -kind: Pod -metadata: - name: addcap-badpod07 -spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - add: - - CHOWN - - NET_BIND_SERVICE - containers: - - name: container01 - image: 
ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: v1 -kind: Pod -metadata: - name: addcap-badpod08 -spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - add: - - CHOWN - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: v1 -kind: Pod -metadata: - name: addcap-badpod09 -spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - add: - - NET_BIND_SERVICE - - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - add: - - CHOWN - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: v1 -kind: Pod -metadata: - name: addcap-badpod10 -spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - add: - - NET_BIND_SERVICE - - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - add: - - CHOWN - - NET_BIND_SERVICE - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- \ No newline at end of file diff --git a/psp-migration-cel/restrict-adding-capabilities/.chainsaw-test/pod-good.yaml b/psp-migration-cel/restrict-adding-capabilities/.chainsaw-test/pod-good.yaml deleted file mode 100644 index e1cea6c10..000000000 --- a/psp-migration-cel/restrict-adding-capabilities/.chainsaw-test/pod-good.yaml +++ /dev/null 
@@ -1,148 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: addcap-goodpod01 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: v1 -kind: Pod -metadata: - name: addcap-goodpod02 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - add: - - NET_BIND_SERVICE ---- -apiVersion: v1 -kind: Pod -metadata: - name: addcap-goodpod03 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: v1 -kind: Pod -metadata: - name: addcap-goodpod04 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - add: - - NET_BIND_SERVICE ---- -apiVersion: v1 -kind: Pod -metadata: - name: addcap-goodpod05 -spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - add: - - NET_BIND_SERVICE - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - add: - - NET_BIND_SERVICE ---- -apiVersion: v1 -kind: Pod -metadata: - name: addcap-goodpod06 -spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: v1 -kind: Pod -metadata: - name: addcap-goodpod07 -spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - add: - - NET_BIND_SERVICE - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: v1 -kind: Pod -metadata: - name: addcap-goodpod08 -spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: initcontainer02 - image: 
ghcr.io/kyverno/test-busybox:1.35 - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: v1 -kind: Pod -metadata: - name: addcap-goodpod09 -spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - add: - - NET_BIND_SERVICE - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: v1 -kind: Pod -metadata: - name: addcap-goodpod10 -spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - add: - - NET_BIND_SERVICE - - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - add: - - NET_BIND_SERVICE - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 diff --git a/psp-migration-cel/restrict-adding-capabilities/.chainsaw-test/podcontroller-bad.yaml b/psp-migration-cel/restrict-adding-capabilities/.chainsaw-test/podcontroller-bad.yaml deleted file mode 100644 index a598ea012..000000000 --- a/psp-migration-cel/restrict-adding-capabilities/.chainsaw-test/podcontroller-bad.yaml +++ /dev/null 
@@ -1,308 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment01 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - add: - - NET_RAW ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment02 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - add: - - NET_RAW - - CAP_CHOWN ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment03 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - add: - - NET_RAW - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - add: - - CAP_CHOWN ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment04 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - add: - - NET_RAW - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - add: - - CAP_CHOWN ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment05 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - add: - - NET_RAW - 
containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - add: - - CAP_CHOWN ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: baddeployment06 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - add: - - NET_RAW - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - add: - - SYS_ADMIN ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob01 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - add: - - NET_RAW ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob02 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - add: - - NET_RAW - - NET_BIND_SERVICE ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob03 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - add: - - NET_RAW - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - add: - - NET_BIND_SERVICE ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob04 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - add: - - NET_RAW - 
containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - add: - - NET_BIND_SERVICE - - CAP_CHOWN ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob05 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - add: - - NET_RAW - - CAP_CHOWN - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - add: - - SETGID ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: badcronjob06 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - add: - - NET_RAW - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - add: - - SYS_ADMIN ---- \ No newline at end of file diff --git a/psp-migration-cel/restrict-adding-capabilities/.chainsaw-test/podcontroller-good.yaml b/psp-migration-cel/restrict-adding-capabilities/.chainsaw-test/podcontroller-good.yaml deleted file mode 100644 index 5c5c8c0fc..000000000 --- a/psp-migration-cel/restrict-adding-capabilities/.chainsaw-test/podcontroller-good.yaml +++ /dev/null 
@@ -1,267 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment01 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment02 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - add: - - NET_BIND_SERVICE ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment03 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - add: - - CAP_CHOWN - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - add: - - NET_BIND_SERVICE ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment04 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment05 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - add: - - CAP_CHOWN - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gooddeployment06 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - 
metadata: - labels: - app: app - spec: - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - add: - - NET_BIND_SERVICE - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - add: - - CAP_CHOWN ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob01 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob02 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - add: - - CAP_CHOWN ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob03 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - add: - - NET_BIND_SERVICE - - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - add: - - CAP_CHOWN ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob04 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob05 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - add: - - 
NET_BIND_SERVICE - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: goodcronjob06 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - add: - - NET_BIND_SERVICE - containers: - - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 - securityContext: - capabilities: - add: - - CAP_CHOWN diff --git a/psp-migration-cel/restrict-adding-capabilities/.chainsaw-test/policy-ready.yaml b/psp-migration-cel/restrict-adding-capabilities/.chainsaw-test/policy-ready.yaml deleted file mode 100755 index 98bd55441..000000000 --- a/psp-migration-cel/restrict-adding-capabilities/.chainsaw-test/policy-ready.yaml +++ /dev/null @@ -1,10 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: psp-restrict-adding-capabilities -status: - conditions: - - reason: Succeeded - status: "True" - type: Ready - diff --git a/psp-migration-cel/restrict-adding-capabilities/.kyverno-test/kyverno-test.yaml b/psp-migration-cel/restrict-adding-capabilities/.kyverno-test/kyverno-test.yaml deleted file mode 100644 index 4c94d8b92..000000000 --- a/psp-migration-cel/restrict-adding-capabilities/.kyverno-test/kyverno-test.yaml +++ /dev/null 
@@ -1,39 +0,0 @@ -apiVersion: cli.kyverno.io/v1alpha1 -kind: Test -metadata: - name: psp-restrict-adding-capabilities -policies: -- ../restrict-adding-capabilities.yaml -resources: -- resource.yaml -results: -- kind: Pod - policy: psp-restrict-adding-capabilities - resources: - - addcap-badpod01 - - addcap-badpod02 - - addcap-badpod03 - - addcap-badpod04 - - addcap-badpod05 - - addcap-badpod06 - - addcap-badpod07 - - addcap-badpod08 - - addcap-badpod09 - - addcap-badpod10 - result: fail - rule: allowed-capabilities -- kind: Pod - policy: psp-restrict-adding-capabilities - resources: - - addcap-goodpod01 - - addcap-goodpod02 - - addcap-goodpod03 - - addcap-goodpod04 - - addcap-goodpod05 - - addcap-goodpod06 - - addcap-goodpod07 - - addcap-goodpod08 - - addcap-goodpod09 - - addcap-goodpod10 - result: pass - rule: allowed-capabilities diff --git a/psp-migration-cel/restrict-adding-capabilities/.kyverno-test/resource.yaml b/psp-migration-cel/restrict-adding-capabilities/.kyverno-test/resource.yaml deleted file mode 100644 index af86fceb7..000000000 --- a/psp-migration-cel/restrict-adding-capabilities/.kyverno-test/resource.yaml +++ /dev/null 
@@ -1,328 +0,0 @@ -###### Pods - Bad ---- -apiVersion: v1 -kind: Pod -metadata: - name: addcap-badpod01 -spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - capabilities: - add: - - CHOWN ---- -apiVersion: v1 -kind: Pod -metadata: - name: addcap-badpod02 -spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - capabilities: - add: - - CHOWN - - NET_BIND_SERVICE ---- -apiVersion: v1 -kind: Pod -metadata: - name: addcap-badpod03 -spec: - containers: - - name: container01 - image: dummyimagename - - name: container02 - image: dummyimagename - securityContext: - capabilities: - add: - - CHOWN ---- -apiVersion: v1 -kind: Pod -metadata: - name: addcap-badpod04 -spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - capabilities: - add: - - NET_BIND_SERVICE - - name: container02 - image: dummyimagename - securityContext: - capabilities: - add: - - CHOWN ---- -apiVersion: v1 -kind: Pod -metadata: - name: addcap-badpod05 -spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - capabilities: - add: - - NET_BIND_SERVICE - - name: container02 - image: dummyimagename - securityContext: - capabilities: - add: - - CHOWN - - NET_BIND_SERVICE ---- -apiVersion: v1 -kind: Pod -metadata: - name: addcap-badpod06 -spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - capabilities: - add: - - CHOWN - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: v1 -kind: Pod -metadata: - name: addcap-badpod07 -spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - capabilities: - add: - - CHOWN - - NET_BIND_SERVICE - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: v1 -kind: Pod -metadata: - name: addcap-badpod08 -spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - - name: initcontainer02 - image: dummyimagename - 
securityContext: - capabilities: - add: - - CHOWN - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: v1 -kind: Pod -metadata: - name: addcap-badpod09 -spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - capabilities: - add: - - NET_BIND_SERVICE - - name: initcontainer02 - image: dummyimagename - securityContext: - capabilities: - add: - - CHOWN - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: v1 -kind: Pod -metadata: - name: addcap-badpod10 -spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - capabilities: - add: - - NET_BIND_SERVICE - - name: initcontainer02 - image: dummyimagename - securityContext: - capabilities: - add: - - CHOWN - - NET_BIND_SERVICE - containers: - - name: container01 - image: dummyimagename ---- -###### Pods - Good -apiVersion: v1 -kind: Pod -metadata: - name: addcap-goodpod01 -spec: - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: v1 -kind: Pod -metadata: - name: addcap-goodpod02 -spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - capabilities: - add: - - NET_BIND_SERVICE ---- -apiVersion: v1 -kind: Pod -metadata: - name: addcap-goodpod03 -spec: - containers: - - name: container01 - image: dummyimagename - - name: container02 - image: dummyimagename ---- -apiVersion: v1 -kind: Pod -metadata: - name: addcap-goodpod04 -spec: - containers: - - name: container01 - image: dummyimagename - - name: container02 - image: dummyimagename - securityContext: - capabilities: - add: - - NET_BIND_SERVICE ---- -apiVersion: v1 -kind: Pod -metadata: - name: addcap-goodpod05 -spec: - containers: - - name: container01 - image: dummyimagename - securityContext: - capabilities: - add: - - NET_BIND_SERVICE - - name: container02 - image: dummyimagename - securityContext: - capabilities: - add: - - NET_BIND_SERVICE ---- -apiVersion: v1 -kind: Pod -metadata: - 
name: addcap-goodpod06 -spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: v1 -kind: Pod -metadata: - name: addcap-goodpod07 -spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - capabilities: - add: - - NET_BIND_SERVICE - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: v1 -kind: Pod -metadata: - name: addcap-goodpod08 -spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - - name: initcontainer02 - image: dummyimagename - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: v1 -kind: Pod -metadata: - name: addcap-goodpod09 -spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - - name: initcontainer02 - image: dummyimagename - securityContext: - capabilities: - add: - - NET_BIND_SERVICE - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: v1 -kind: Pod -metadata: - name: addcap-goodpod10 -spec: - initContainers: - - name: initcontainer01 - image: dummyimagename - securityContext: - capabilities: - add: - - NET_BIND_SERVICE - - name: initcontainer02 - image: dummyimagename - securityContext: - capabilities: - add: - - NET_BIND_SERVICE - containers: - - name: container01 - image: dummyimagename diff --git a/psp-migration-cel/restrict-adding-capabilities/artifacthub-pkg.yml b/psp-migration-cel/restrict-adding-capabilities/artifacthub-pkg.yml deleted file mode 100644 index e3a9e69a3..000000000 --- a/psp-migration-cel/restrict-adding-capabilities/artifacthub-pkg.yml +++ /dev/null 
@@ -1,23 +0,0 @@ -name: restrict-adding-capabilities-cel -version: 1.0.0 -displayName: Restrict Adding Capabilities in CEL expressions -description: >- - Adding capabilities is a way for containers in a Pod to request higher levels of ability than those with which they may be provisioned. Many capabilities allow system-level control and should be prevented. Pod Security Policies (PSP) allowed a list of "good" capabilities to be added. This policy checks ephemeralContainers, initContainers, and containers to ensure the only capabilities that can be added are either NET_BIND_SERVICE or CAP_CHOWN. -install: |- - ```shell - kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/psp-migration-cel/restrict-adding-capabilities/restrict-adding-capabilities.yaml - ``` -keywords: - - kyverno - - PSP Migration - - CEL Expressions -readme: | - Adding capabilities is a way for containers in a Pod to request higher levels of ability than those with which they may be provisioned. Many capabilities allow system-level control and should be prevented. Pod Security Policies (PSP) allowed a list of "good" capabilities to be added. This policy checks ephemeralContainers, initContainers, and containers to ensure the only capabilities that can be added are either NET_BIND_SERVICE or CAP_CHOWN. - - Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ -annotations: - kyverno/category: "PSP Migration in CEL" - kyverno/kubernetesVersion: "1.26-1.27" - kyverno/subject: "Pod" -digest: ff4483e54ede27fe5d6ef217725ee7d2b40bc0fe7fb16398919783f6bdce6a3e -createdAt: "2024-05-23T14:18:49Z" diff --git a/psp-migration-cel/restrict-adding-capabilities/restrict-adding-capabilities.yaml b/psp-migration-cel/restrict-adding-capabilities/restrict-adding-capabilities.yaml deleted file mode 100644 index 42b9b5a99..000000000 --- a/psp-migration-cel/restrict-adding-capabilities/restrict-adding-capabilities.yaml +++ /dev/null 
@@ -1,46 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: psp-restrict-adding-capabilities - annotations: - policies.kyverno.io/title: Restrict Adding Capabilities in CEL expressions - policies.kyverno.io/category: PSP Migration in CEL - policies.kyverno.io/severity: medium - kyverno.io/kyverno-version: 1.11.0 - policies.kyverno.io/minversion: 1.11.0 - kyverno.io/kubernetes-version: "1.26-1.27" - policies.kyverno.io/subject: Pod - policies.kyverno.io/description: >- - Adding capabilities is a way for containers in a Pod to request higher levels - of ability than those with which they may be provisioned. Many capabilities - allow system-level control and should be prevented. Pod Security Policies (PSP) - allowed a list of "good" capabilities to be added. This policy checks - ephemeralContainers, initContainers, and containers to ensure the only - capabilities that can be added are either NET_BIND_SERVICE or CAP_CHOWN. -spec: - validationFailureAction: Audit - background: true - rules: - - name: allowed-capabilities - match: - any: - - resources: - kinds: - - Pod - operations: - - CREATE - - UPDATE - validate: - cel: - variables: - - name: allContainers - expression: "object.spec.containers + object.spec.?initContainers.orValue([]) + object.spec.?ephemeralContainers.orValue([])" - - name: allowedCapabilities - expression: "['NET_BIND_SERVICE', 'CAP_CHOWN']" - expressions: - - expression: >- - variables.allContainers.all(container, - container.?securityContext.?capabilities.?add.orValue([]).all(capability, capability in variables.allowedCapabilities)) - message: >- - Any capabilities added other than NET_BIND_SERVICE or CAP_CHOWN are disallowed. - diff --git a/psp-migration-cel/restrict-runtimeClassName/.chainsaw-test/bad-pods.yaml b/psp-migration-cel/restrict-runtimeClassName/.chainsaw-test/bad-pods.yaml deleted file mode 100644 index 6dee8ab8a..000000000 
--- a/psp-migration-cel/restrict-runtimeClassName/.chainsaw-test/bad-pods.yaml +++ /dev/null @@ -1,10 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: badpod01 - namespace: restrict-runtimeclassname -spec: - runtimeClassName: fooclass - containers: - - name: container01 - image: dummyimagename \ No newline at end of file diff --git a/psp-migration-cel/restrict-runtimeClassName/.chainsaw-test/chainsaw-test.yaml b/psp-migration-cel/restrict-runtimeClassName/.chainsaw-test/chainsaw-test.yaml deleted file mode 100755 index e42476abe..000000000 --- a/psp-migration-cel/restrict-runtimeClassName/.chainsaw-test/chainsaw-test.yaml +++ /dev/null @@ -1,43 +0,0 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json -apiVersion: chainsaw.kyverno.io/v1alpha1 -kind: Test -metadata: - creationTimestamp: null - name: restrict-runtimeclassname -spec: - steps: - - name: step-00 - try: - - apply: - file: ../restrict-runtimeClassName.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: restrict-runtimeclass - spec: - validationFailureAction: Enforce - - name: step-01 - try: - - assert: - file: policy-ready.yaml - - name: step-02 - try: - - apply: - file: ns.yaml - - apply: - file: runtimeclass-prod.yaml - - apply: - file: runtimeclass-exp.yaml - - apply: - file: runtimeclass-foo.yaml - - name: step-03 - try: - - apply: - file: good-pods.yaml - - apply: - expect: - - check: - ($error != null): true - file: bad-pods.yaml diff --git a/psp-migration-cel/restrict-runtimeClassName/.chainsaw-test/good-pods.yaml b/psp-migration-cel/restrict-runtimeClassName/.chainsaw-test/good-pods.yaml deleted file mode 100644 index 475c030e4..000000000 --- a/psp-migration-cel/restrict-runtimeClassName/.chainsaw-test/good-pods.yaml +++ /dev/null 
@@ -1,31 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: goodpod01 - namespace: restrict-runtimeclassname -spec: - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod02 - namespace: restrict-runtimeclassname -spec: - runtimeClassName: expclass - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod03 - namespace: restrict-runtimeclassname -spec: - runtimeClassName: prodclass - containers: - - name: container01 - image: dummyimagename diff --git a/psp-migration-cel/restrict-runtimeClassName/.chainsaw-test/ns.yaml b/psp-migration-cel/restrict-runtimeClassName/.chainsaw-test/ns.yaml deleted file mode 100755 index 121c85370..000000000 --- a/psp-migration-cel/restrict-runtimeClassName/.chainsaw-test/ns.yaml +++ /dev/null @@ -1,4 +0,0 @@ -apiVersion: v1 -kind: Namespace -metadata: - name: restrict-runtimeclassname diff --git a/psp-migration-cel/restrict-runtimeClassName/.chainsaw-test/policy-ready.yaml b/psp-migration-cel/restrict-runtimeClassName/.chainsaw-test/policy-ready.yaml deleted file mode 100644 index 126968a0f..000000000 --- a/psp-migration-cel/restrict-runtimeClassName/.chainsaw-test/policy-ready.yaml +++ /dev/null @@ -1,9 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: restrict-runtimeclass -status: - conditions: - - reason: Succeeded - status: "True" - type: Ready \ No newline at end of file diff --git a/psp-migration-cel/restrict-runtimeClassName/.chainsaw-test/runtimeclass-exp.yaml b/psp-migration-cel/restrict-runtimeClassName/.chainsaw-test/runtimeclass-exp.yaml deleted file mode 100755 index 0318454a0..000000000 --- a/psp-migration-cel/restrict-runtimeClassName/.chainsaw-test/runtimeclass-exp.yaml +++ /dev/null @@ -1,5 +0,0 @@ -apiVersion: node.k8s.io/v1 -handler: expconfig -kind: RuntimeClass -metadata: - name: expclass 
diff --git a/psp-migration-cel/restrict-runtimeClassName/.chainsaw-test/runtimeclass-foo.yaml b/psp-migration-cel/restrict-runtimeClassName/.chainsaw-test/runtimeclass-foo.yaml deleted file mode 100755 index 6d03f568e..000000000 --- a/psp-migration-cel/restrict-runtimeClassName/.chainsaw-test/runtimeclass-foo.yaml +++ /dev/null @@ -1,5 +0,0 @@ -apiVersion: node.k8s.io/v1 -handler: fooconfig -kind: RuntimeClass -metadata: - name: fooclass diff --git a/psp-migration-cel/restrict-runtimeClassName/.chainsaw-test/runtimeclass-prod.yaml b/psp-migration-cel/restrict-runtimeClassName/.chainsaw-test/runtimeclass-prod.yaml deleted file mode 100755 index 5616c1916..000000000 --- a/psp-migration-cel/restrict-runtimeClassName/.chainsaw-test/runtimeclass-prod.yaml +++ /dev/null @@ -1,5 +0,0 @@ -apiVersion: node.k8s.io/v1 -handler: prodconfig -kind: RuntimeClass -metadata: - name: prodclass diff --git a/psp-migration-cel/restrict-runtimeClassName/.kyverno-test/kyverno-test.yaml b/psp-migration-cel/restrict-runtimeClassName/.kyverno-test/kyverno-test.yaml deleted file mode 100644 index faa23c777..000000000 --- a/psp-migration-cel/restrict-runtimeClassName/.kyverno-test/kyverno-test.yaml +++ /dev/null @@ -1,23 +0,0 @@ -apiVersion: cli.kyverno.io/v1alpha1 -kind: Test -metadata: - name: restrict-runtimeclass -policies: -- ../restrict-runtimeClassName.yaml -resources: -- resource.yaml -results: -- kind: Pod - policy: restrict-runtimeclass - resources: - - badpod01 - result: fail - rule: prodclass-or-expclass -- kind: Pod - policy: restrict-runtimeclass - resources: - - goodpod01 - - goodpod02 - - goodpod03 - result: pass - rule: prodclass-or-expclass diff --git a/psp-migration-cel/restrict-runtimeClassName/.kyverno-test/resource.yaml b/psp-migration-cel/restrict-runtimeClassName/.kyverno-test/resource.yaml deleted file mode 100644 index 2820962a2..000000000 --- a/psp-migration-cel/restrict-runtimeClassName/.kyverno-test/resource.yaml +++ /dev/null 
@@ -1,42 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: badpod01 - namespace: restrict-runtimeclassname -spec: - runtimeClassName: fooclass - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod01 - namespace: restrict-runtimeclassname -spec: - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod02 - namespace: restrict-runtimeclassname -spec: - runtimeClassName: expclass - containers: - - name: container01 - image: dummyimagename ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod03 - namespace: restrict-runtimeclassname -spec: - runtimeClassName: prodclass - containers: - - name: container01 - image: dummyimagename diff --git a/psp-migration-cel/restrict-runtimeClassName/artifacthub-pkg.yml b/psp-migration-cel/restrict-runtimeClassName/artifacthub-pkg.yml deleted file mode 100644 index 08f856608..000000000 --- a/psp-migration-cel/restrict-runtimeClassName/artifacthub-pkg.yml +++ /dev/null 
@@ -1,23 +0,0 @@ -name: restrict-runtimeclass-cel -version: 1.0.0 -displayName: Restrict runtimeClass in CEL expressions -description: >- - The runtimeClass field of a Pod spec defines which container engine runtime should be used. In the previous Pod Security Policy controller, defining restrictions on which classes were allowed was permitted. Limiting runtime classes to only those which have been defined can prevent unintended running states or Pods which may not come online. This policy restricts the runtimeClass field to the values `prodclass` or `expclass`. -install: |- - ```shell - kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/psp-migration-cel/restrict-runtimeClassName/restrict-runtimeClassName.yaml - ``` -keywords: - - kyverno - - PSP Migration - - CEL Expressions -readme: | - The runtimeClass field of a Pod spec defines which container engine runtime should be used. In the previous Pod Security Policy controller, defining restrictions on which classes were allowed was permitted. Limiting runtime classes to only those which have been defined can prevent unintended running states or Pods which may not come online. This policy restricts the runtimeClass field to the values `prodclass` or `expclass`. - - Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ -annotations: - kyverno/category: "PSP Migration in CEL" - kyverno/kubernetesVersion: "1.26-1.27" - kyverno/subject: "Pod" -digest: 7bbfbc460b7977c74d198e76f96419f6415141ad08f53819f6c3643b9e1e7ab0 -createdAt: "2024-05-23T14:25:37Z" diff --git a/psp-migration-cel/restrict-runtimeClassName/restrict-runtimeClassName.yaml b/psp-migration-cel/restrict-runtimeClassName/restrict-runtimeClassName.yaml deleted file mode 100644 index 1dd8abbc8..000000000 --- a/psp-migration-cel/restrict-runtimeClassName/restrict-runtimeClassName.yaml +++ /dev/null 
@@ -1,36 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: restrict-runtimeclass - annotations: - policies.kyverno.io/title: Restrict runtimeClass in CEL expressions - policies.kyverno.io/category: PSP Migration in CEL - policies.kyverno.io/subject: Pod - kyverno.io/kyverno-version: 1.12.1 - kyverno.io/kubernetes-version: "1.26-1.27" - pod-policies.kyverno.io/autogen-controllers: none - policies.kyverno.io/description: >- - The runtimeClass field of a Pod spec defines which container engine runtime should be used. - In the previous Pod Security Policy controller, defining restrictions on which classes were allowed - was permitted. Limiting runtime classes to only those which have been defined can prevent - unintended running states or Pods which may not come online. This policy restricts the runtimeClass - field to the values `prodclass` or `expclass`. -spec: - validationFailureAction: Enforce - background: false - rules: - - name: prodclass-or-expclass - match: - any: - - resources: - kinds: - - Pod - celPreconditions: - - name: "operation-should-be-create" - expression: "request.operation == 'CREATE'" - validate: - cel: - expressions: - - expression: "!has(object.spec.runtimeClassName) || object.spec.runtimeClassName in ['prodclass', 'expclass']" - message: Only the runtime classes prodclass or expclass may be used. - diff --git a/psp-migration/add-apparmor/.chainsaw-test/chainsaw-test.yaml b/psp-migration/add-apparmor/.chainsaw-test/chainsaw-test.yaml index a55d974a7..96f13f49f 100755 --- a/psp-migration/add-apparmor/.chainsaw-test/chainsaw-test.yaml +++ b/psp-migration/add-apparmor/.chainsaw-test/chainsaw-test.yaml @@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: 
diff --git a/psp-migration/add-apparmor/add-apparmor.yaml b/psp-migration/add-apparmor/add-apparmor.yaml
index ec49b1d49..3f7b7c39f 100644
--- a/psp-migration/add-apparmor/add-apparmor.yaml
+++ b/psp-migration/add-apparmor/add-apparmor.yaml
@@ -34,7 +34,7 @@ spec:
 - UPDATE
 mutate:
 foreach:
- - list: request.object.spec.[ephemeralContainers, initContainers, containers][]
+ - list: request.object.spec.containers[]
 patchStrategicMerge:
 metadata:
 annotations:
diff --git a/psp-migration/add-apparmor/artifacthub-pkg.yml b/psp-migration/add-apparmor/artifacthub-pkg.yml
index 2f0105163..dc6493807 100644
--- a/psp-migration/add-apparmor/artifacthub-pkg.yml
+++ b/psp-migration/add-apparmor/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
 kyverno/category: "PSP Migration"
 kyverno/kubernetesVersion: "1.24"
 kyverno/subject: "Pod,Annotation"
-digest: 0bb624dce200ace9730d9ddf85c5aca5f1fcf61759412a672155e176f24d9ac7
+digest: 082461dca2f21839c429ac792fa4c8cb7a6a86639580345e124e541bf595332d
diff --git a/psp-migration/add-capabilities/.chainsaw-test/chainsaw-test.yaml b/psp-migration/add-capabilities/.chainsaw-test/chainsaw-test.yaml
index ffa7ab0be..c34382e8f 100755
--- a/psp-migration/add-capabilities/.chainsaw-test/chainsaw-test.yaml
+++ b/psp-migration/add-capabilities/.chainsaw-test/chainsaw-test.yaml
@@ -1,4 +1,3 @@
-# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
 apiVersion: chainsaw.kyverno.io/v1alpha1
 kind: Test
 metadata:
diff --git a/psp-migration/add-capabilities/add-capabilities.yaml b/psp-migration/add-capabilities/add-capabilities.yaml
index be9ed33ca..a82c8732c 100644
--- a/psp-migration/add-capabilities/add-capabilities.yaml
+++ b/psp-migration/add-capabilities/add-capabilities.yaml
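Review bot: Narrowing the foreach list to `request.object.spec.containers[]` means initContainers and ephemeralContainers no longer receive the AppArmor annotation, so an init container or a `kubectl debug` ephemeral container in a matched Pod runs under the node default instead of the profile this policy exists to apply. If the narrowing is deliberate (the old multi-select list may yield null elements for Pods with no initContainers, which the hunk does not show), the gap should be stated in the policy description and ideally closed by a second foreach entry, `- list: request.object.spec.initContainers[]`, carrying the same patch. The rule body continues outside the hunk, so I cannot see whether the annotation key is built from `{{element.name}}`; if it is, the broader list keys per container name and there is no index problem that justifies dropping it.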
@@ -32,7 +32,7 @@ spec:
 - UPDATE
 mutate:
 foreach:
- - list: request.object.spec.[ephemeralContainers, initContainers, containers][]
+ - list: request.object.spec.containers[]
 preconditions:
 all:
 - key: SETFCAP
@@ -42,7 +42,7 @@ spec:
 - path: /spec/containers/{{elementIndex}}/securityContext/capabilities/add/-
 op: add
 value: SETFCAP
- - list: request.object.spec.[ephemeralContainers, initContainers, containers][]
+ - list: request.object.spec.containers[]
 preconditions:
 all:
 - key: SETUID
diff --git a/psp-migration/add-capabilities/artifacthub-pkg.yml b/psp-migration/add-capabilities/artifacthub-pkg.yml
index 15444a747..a02197558 100644
--- a/psp-migration/add-capabilities/artifacthub-pkg.yml
+++ b/psp-migration/add-capabilities/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ annotations:
 kyverno/category: "PSP Migration"
 kyverno/kubernetesVersion: "1.24"
 kyverno/subject: "Pod"
-digest: 59ac7efa86868c57372662bbb60ed75ca0af8255df05cfebee2d2c8809f1ce2d
+digest: 5f25e343611f412f21608223ee89a3684280045469ce1053bc7a3418ee57a1c4
diff --git a/psp-migration/add-runtimeClassName/.chainsaw-test/chainsaw-test.yaml b/psp-migration/add-runtimeClassName/.chainsaw-test/chainsaw-test.yaml
index 2f5a8cb04..4182fd496 100755
--- a/psp-migration/add-runtimeClassName/.chainsaw-test/chainsaw-test.yaml
+++ b/psp-migration/add-runtimeClassName/.chainsaw-test/chainsaw-test.yaml
@@ -1,4 +1,3 @@
-# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
 apiVersion: chainsaw.kyverno.io/v1alpha1
 kind: Test
 metadata:
diff --git a/psp-migration/check-supplemental-groups/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/psp-migration/check-supplemental-groups/.chainsaw-test/chainsaw-step-01-assert-1.yaml
index 7d430ec06..d68e9bb1c 100755
--- a/psp-migration/check-supplemental-groups/.chainsaw-test/chainsaw-step-01-assert-1.yaml
+++ b/psp-migration/check-supplemental-groups/.chainsaw-test/chainsaw-step-01-assert-1.yaml
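Review bot: Restricting both foreach lists to `request.object.spec.containers[]` is what makes the `/spec/containers/{{elementIndex}}/...` patch path on the visible context line index the right element; with the previous combined ephemeral/init/containers list, `elementIndex` ran over the flattened list and pointed at the wrong container (or past the end of `containers`) whenever a Pod had init or ephemeral containers. The cost is that init and ephemeral containers no longer get SETFCAP/SETUID added, which silently changes what the policy delivers. If they are meant to be covered, add a parallel foreach entry per list rather than one combined list, e.g. `- list: request.object.spec.initContainers[]` with `path: /spec/initContainers/{{elementIndex}}/securityContext/capabilities/add/-`; either way the policy description (outside the hunk) should state which container types the mutation applies to.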
@@ -3,8 +3,4 @@ kind: ClusterPolicy metadata: name: psp-check-supplemental-groups status: - conditions: - - reason: Succeeded - status: "True" - type: Ready - + ready: true diff --git a/psp-migration/check-supplemental-groups/.chainsaw-test/chainsaw-test.yaml b/psp-migration/check-supplemental-groups/.chainsaw-test/chainsaw-test.yaml index a78bb5ba0..60a6bfd92 100755 --- a/psp-migration/check-supplemental-groups/.chainsaw-test/chainsaw-test.yaml +++ b/psp-migration/check-supplemental-groups/.chainsaw-test/chainsaw-test.yaml @@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: @@ -8,16 +7,9 @@ spec: steps: - name: step-01 try: - - apply: - file: ../check-supplemental-groups.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: psp-check-supplemental-groups - spec: - validationFailureAction: Enforce + - script: + content: | + sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../check-supplemental-groups.yaml | kubectl create -f - - assert: file: chainsaw-step-01-assert-1.yaml - name: step-02 @@ -36,3 +28,10 @@ spec: - check: ($error != null): true file: podcontroller-bad.yaml + - name: step-99 + try: + - delete: + ref: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: psp-check-supplemental-groups diff --git a/psp-migration/check-supplemental-groups/.chainsaw-test/pod-bad.yaml b/psp-migration/check-supplemental-groups/.chainsaw-test/pod-bad.yaml index cb9c8bee7..295f13ed2 100644 --- a/psp-migration/check-supplemental-groups/.chainsaw-test/pod-bad.yaml +++ b/psp-migration/check-supplemental-groups/.chainsaw-test/pod-bad.yaml @@ -10,7 +10,7 @@ spec: - 550 containers: - name: busybox01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod 
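Review bot: The `sed 's/validationFailureAction: audit/…/'` substitution is case-sensitive and only matches lowercase `audit`; the policies elsewhere on this page spell it `Audit`, so if check-supplemental-groups.yaml does too (its body is outside this hunk) the policy is installed in Audit mode and the later `($error != null)` expectations for the bad Pods cannot pass. Make the match robust, `sed -E 's/validationFailureAction: (audit|Audit)/validationFailureAction: Enforce/'`, and run the pipeline under `set -euo pipefail` so a missing file or a failed `kubectl create` fails the step instead of being masked by the pipe. Creating the policy with `kubectl create` rather than a chainsaw `apply` also means chainsaw no longer tracks the resource for cleanup, which is why a manual delete step has to be added further down this file.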
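Review bot: The `step-99` delete is an ordinary `try` step, so if any earlier step fails (for example a bad Pod being admitted) the ClusterPolicy `psp-check-supplemental-groups` stays installed cluster-wide in Enforce mode and can break every test that runs afterwards in the same cluster. Because the policy is now created by a script rather than a chainsaw `apply`, chainsaw will not remove it automatically; move the delete into a `cleanup:` block on step-01 (or a `finally:` block) so it runs regardless of outcome, e.g. `cleanup: - delete: ref: {apiVersion: kyverno.io/v1, kind: ClusterPolicy, name: psp-check-supplemental-groups}`.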
@@ -23,7 +23,7 @@ spec: - 120 containers: - name: busybox01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod @@ -37,7 +37,7 @@ spec: - 0 containers: - name: busybox01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod @@ -52,4 +52,4 @@ spec: runAsGroup: 0 containers: - name: busybox01 - image: ghcr.io/kyverno/test-busybox:1.35 \ No newline at end of file + image: busybox:1.35 \ No newline at end of file diff --git a/psp-migration/check-supplemental-groups/.chainsaw-test/pod-good.yaml b/psp-migration/check-supplemental-groups/.chainsaw-test/pod-good.yaml index 79894baf2..ccdb66190 100644 --- a/psp-migration/check-supplemental-groups/.chainsaw-test/pod-good.yaml +++ b/psp-migration/check-supplemental-groups/.chainsaw-test/pod-good.yaml @@ -5,7 +5,7 @@ metadata: spec: containers: - name: busybox01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod @@ -19,7 +19,7 @@ spec: - 500 containers: - name: busybox01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod @@ -33,7 +33,7 @@ spec: - 120 containers: - name: busybox01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod @@ -44,7 +44,7 @@ spec: runAsGroup: 0 containers: - name: busybox01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod @@ -57,4 +57,4 @@ spec: runAsGroup: 0 containers: - name: busybox01 - image: ghcr.io/kyverno/test-busybox:1.35 \ No newline at end of file + image: busybox:1.35 \ No newline at end of file diff --git a/psp-migration/check-supplemental-groups/.chainsaw-test/podcontroller-bad.yaml b/psp-migration/check-supplemental-groups/.chainsaw-test/podcontroller-bad.yaml index 0e0934d3b..da4768b78 100644 --- a/psp-migration/check-supplemental-groups/.chainsaw-test/podcontroller-bad.yaml 
+++ b/psp-migration/check-supplemental-groups/.chainsaw-test/podcontroller-bad.yaml @@ -20,7 +20,7 @@ spec: runAsGroup: 0 containers: - name: busybox01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: batch/v1 kind: CronJob @@ -39,4 +39,4 @@ spec: - 120 containers: - name: busybox01 - image: ghcr.io/kyverno/test-busybox:1.35 \ No newline at end of file + image: busybox:1.35 \ No newline at end of file diff --git a/psp-migration/check-supplemental-groups/.chainsaw-test/podcontroller-good.yaml b/psp-migration/check-supplemental-groups/.chainsaw-test/podcontroller-good.yaml index 1e05f2afc..cbb26cae5 100644 --- a/psp-migration/check-supplemental-groups/.chainsaw-test/podcontroller-good.yaml +++ b/psp-migration/check-supplemental-groups/.chainsaw-test/podcontroller-good.yaml @@ -19,7 +19,7 @@ spec: - 500 containers: - name: busybox01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: batch/v1 kind: CronJob @@ -39,4 +39,4 @@ spec: - 120 containers: - name: busybox01 - image: ghcr.io/kyverno/test-busybox:1.35 \ No newline at end of file + image: busybox:1.35 \ No newline at end of file diff --git a/psp-migration/check-supplemental-groups/artifacthub-pkg.yml b/psp-migration/check-supplemental-groups/artifacthub-pkg.yml index fb9f9a670..0a3710df8 100644 --- a/psp-migration/check-supplemental-groups/artifacthub-pkg.yml +++ b/psp-migration/check-supplemental-groups/artifacthub-pkg.yml @@ -19,4 +19,4 @@ annotations: kyverno/category: "PSP Migration" kyverno/kubernetesVersion: "1.23" kyverno/subject: "Pod" -digest: 0df6e6333f415231f233f4824d5c72cb89c81bc5617c4b721f26bc20060b9b77 +digest: f5ab7722d2b21ceee41c2069834148c0822d542ff21212d5def3c2b0b19265d1 diff --git a/psp-migration/check-supplemental-groups/check-supplemental-groups.yaml b/psp-migration/check-supplemental-groups/check-supplemental-groups.yaml index 8115a8e46..24c05a1fb 100644 --- a/psp-migration/check-supplemental-groups/check-supplemental-groups.yaml 
+++ b/psp-migration/check-supplemental-groups/check-supplemental-groups.yaml
@@ -17,7 +17,7 @@ metadata:
 may only specify supplementalGroup IDs between 100-200 or 500-600.
 spec:
 background: false
- validationFailureAction: Audit
+ validationFailureAction: audit
 rules:
 - name: supplementalgroup-ranges
 match:
diff --git a/psp-migration/restrict-adding-capabilities/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/psp-migration/restrict-adding-capabilities/.chainsaw-test/chainsaw-step-01-assert-1.yaml
index 98bd55441..e870f077e 100755
--- a/psp-migration/restrict-adding-capabilities/.chainsaw-test/chainsaw-step-01-assert-1.yaml
+++ b/psp-migration/restrict-adding-capabilities/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -3,8 +3,4 @@ kind: ClusterPolicy
 metadata:
 name: psp-restrict-adding-capabilities
 status:
- conditions:
- - reason: Succeeded
- status: "True"
- type: Ready
-
+ ready: true
diff --git a/psp-migration/restrict-adding-capabilities/.chainsaw-test/chainsaw-test.yaml b/psp-migration/restrict-adding-capabilities/.chainsaw-test/chainsaw-test.yaml
index 36451600a..2a8994667 100755
--- a/psp-migration/restrict-adding-capabilities/.chainsaw-test/chainsaw-test.yaml
+++ b/psp-migration/restrict-adding-capabilities/.chainsaw-test/chainsaw-test.yaml
@@ -1,4 +1,3 @@
-# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
 apiVersion: chainsaw.kyverno.io/v1alpha1
 kind: Test
 metadata:
@@ -8,16 +7,9 @@ spec:
 steps:
 - name: step-01
 try:
- - apply:
- file: ../restrict-adding-capabilities.yaml
- - patch:
- resource:
- apiVersion: kyverno.io/v1
- kind: ClusterPolicy
- metadata:
- name: psp-restrict-adding-capabilities
- spec:
- validationFailureAction: Enforce
+ - script:
+ content: |
+ sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../restrict-adding-capabilities.yaml | kubectl create -f -
 - assert:
 file: chainsaw-step-01-assert-1.yaml
 - name: step-02
@@ -36,3 +28,10 @@ spec: - check: ($error != null): true file: podcontroller-bad.yaml + - name: step-99 + try: + - delete: + ref: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: psp-restrict-adding-capabilities diff --git a/psp-migration/restrict-adding-capabilities/.chainsaw-test/pod-bad.yaml b/psp-migration/restrict-adding-capabilities/.chainsaw-test/pod-bad.yaml index a9fecbc5d..9d97c06bf 100644 --- a/psp-migration/restrict-adding-capabilities/.chainsaw-test/pod-bad.yaml +++ b/psp-migration/restrict-adding-capabilities/.chainsaw-test/pod-bad.yaml @@ -5,7 +5,7 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: @@ -18,7 +18,7 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: @@ -32,9 +32,9 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: @@ -47,13 +47,13 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: - NET_BIND_SERVICE - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: @@ -66,13 +66,13 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: - NET_BIND_SERVICE - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: 
@@ -86,14 +86,14 @@ metadata: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: - CHOWN containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod @@ -102,7 +102,7 @@ metadata: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: @@ -110,7 +110,7 @@ spec: - NET_BIND_SERVICE containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod @@ -119,16 +119,16 @@ metadata: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: - CHOWN containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod @@ -137,20 +137,20 @@ metadata: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: - NET_BIND_SERVICE - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: - CHOWN containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod @@ -159,13 +159,13 @@ metadata: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: - NET_BIND_SERVICE - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: 
@@ -173,5 +173,5 @@ spec: - NET_BIND_SERVICE containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- \ No newline at end of file diff --git a/psp-migration/restrict-adding-capabilities/.chainsaw-test/pod-good.yaml b/psp-migration/restrict-adding-capabilities/.chainsaw-test/pod-good.yaml index e1cea6c10..8b77e2a79 100644 --- a/psp-migration/restrict-adding-capabilities/.chainsaw-test/pod-good.yaml +++ b/psp-migration/restrict-adding-capabilities/.chainsaw-test/pod-good.yaml @@ -5,7 +5,7 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod @@ -14,7 +14,7 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: @@ -27,9 +27,9 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod @@ -38,9 +38,9 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: @@ -53,13 +53,13 @@ metadata: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: - NET_BIND_SERVICE - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: @@ -72,10 +72,10 @@ metadata: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod 
@@ -84,14 +84,14 @@ metadata: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: - NET_BIND_SERVICE containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod @@ -100,12 +100,12 @@ metadata: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod @@ -114,16 +114,16 @@ metadata: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: - NET_BIND_SERVICE containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: v1 kind: Pod @@ -132,17 +132,17 @@ metadata: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: - NET_BIND_SERVICE - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: - NET_BIND_SERVICE containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 diff --git a/psp-migration/restrict-adding-capabilities/.chainsaw-test/podcontroller-bad.yaml b/psp-migration/restrict-adding-capabilities/.chainsaw-test/podcontroller-bad.yaml index a598ea012..4037cb574 100644 --- a/psp-migration/restrict-adding-capabilities/.chainsaw-test/podcontroller-bad.yaml +++ b/psp-migration/restrict-adding-capabilities/.chainsaw-test/podcontroller-bad.yaml 
@@ -14,7 +14,7 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: @@ -36,7 +36,7 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: @@ -59,13 +59,13 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: - NET_RAW - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: @@ -87,14 +87,14 @@ spec: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: - NET_RAW containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: @@ -116,16 +116,16 @@ spec: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: - NET_RAW containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: @@ -147,14 +147,14 @@ spec: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: - NET_RAW containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: @@ -173,7 +173,7 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: 
@@ -192,7 +192,7 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: @@ -212,13 +212,13 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: - NET_RAW - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: @@ -237,14 +237,14 @@ spec: restartPolicy: OnFailure initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: - NET_RAW containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: @@ -264,9 +264,9 @@ spec: restartPolicy: OnFailure initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 - name: initcontainer02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: @@ -274,7 +274,7 @@ spec: - CAP_CHOWN containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: @@ -293,14 +293,14 @@ spec: restartPolicy: OnFailure initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: - NET_RAW containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: diff --git a/psp-migration/restrict-adding-capabilities/.chainsaw-test/podcontroller-good.yaml b/psp-migration/restrict-adding-capabilities/.chainsaw-test/podcontroller-good.yaml index 5c5c8c0fc..8daee6250 100644 --- a/psp-migration/restrict-adding-capabilities/.chainsaw-test/podcontroller-good.yaml 
+++ b/psp-migration/restrict-adding-capabilities/.chainsaw-test/podcontroller-good.yaml @@ -14,7 +14,7 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: apps/v1 kind: Deployment @@ -32,7 +32,7 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: @@ -54,13 +54,13 @@ spec: spec: containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: - CAP_CHOWN - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: @@ -82,10 +82,10 @@ spec: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: apps/v1 kind: Deployment @@ -103,14 +103,14 @@ spec: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: - CAP_CHOWN containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: apps/v1 kind: Deployment @@ -128,14 +128,14 @@ spec: spec: initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: - NET_BIND_SERVICE containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: @@ -154,7 +154,7 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: batch/v1 kind: CronJob 
@@ -169,7 +169,7 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: @@ -188,13 +188,13 @@ spec: restartPolicy: OnFailure containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: - NET_BIND_SERVICE - name: container02 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: @@ -213,10 +213,10 @@ spec: restartPolicy: OnFailure initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: batch/v1 kind: CronJob @@ -231,14 +231,14 @@ spec: restartPolicy: OnFailure initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: - NET_BIND_SERVICE containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 --- apiVersion: batch/v1 kind: CronJob @@ -253,14 +253,14 @@ spec: restartPolicy: OnFailure initContainers: - name: initcontainer01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: - NET_BIND_SERVICE containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 securityContext: capabilities: add: diff --git a/psp-migration/restrict-adding-capabilities/artifacthub-pkg.yml b/psp-migration/restrict-adding-capabilities/artifacthub-pkg.yml index f4e20a86e..2d1918052 100644 --- a/psp-migration/restrict-adding-capabilities/artifacthub-pkg.yml +++ b/psp-migration/restrict-adding-capabilities/artifacthub-pkg.yml 
@@ -19,4 +19,4 @@ annotations: kyverno/category: "PSP Migration" kyverno/kubernetesVersion: "1.23" kyverno/subject: "Pod" -digest: e57e9f84a3d4819cd640fb97e4c6189447e2c1e730f6114821a1da3381fc42ac +digest: 0b02be286162b2cd028b4fe9f3e261b1c948dd04404c783c51dc02ab69eb79ca diff --git a/psp-migration/restrict-adding-capabilities/restrict-adding-capabilities.yaml b/psp-migration/restrict-adding-capabilities/restrict-adding-capabilities.yaml index 9fc9618b4..27cc6ed3e 100644 --- a/psp-migration/restrict-adding-capabilities/restrict-adding-capabilities.yaml +++ b/psp-migration/restrict-adding-capabilities/restrict-adding-capabilities.yaml @@ -18,7 +18,7 @@ metadata: ephemeralContainers, initContainers, and containers to ensure the only capabilities that can be added are either NET_BIND_SERVICE or CAP_CHOWN. spec: - validationFailureAction: Audit + validationFailureAction: audit background: true rules: - name: allowed-capabilities diff --git a/psp-migration/restrict-runtimeClassName/.chainsaw-test/chainsaw-test.yaml b/psp-migration/restrict-runtimeClassName/.chainsaw-test/chainsaw-test.yaml index 2bcfcb4fb..6df1ac090 100755 --- a/psp-migration/restrict-runtimeClassName/.chainsaw-test/chainsaw-test.yaml +++ b/psp-migration/restrict-runtimeClassName/.chainsaw-test/chainsaw-test.yaml @@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: @@ -8,16 +7,9 @@ spec: steps: - name: step-00 try: - - apply: - file: ../restrict-runtimeClassName.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: restrict-runtimeclass - spec: - validationFailureAction: Enforce + - script: + content: | + sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../restrict-runtimeClassName.yaml | kubectl create -f - - name: step-01 try: - assert: 
@@ -41,3 +33,10 @@ spec: - check: ($error != null): true file: bad.yaml + - name: step-99 + try: + - delete: + ref: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: restrict-runtimeclass diff --git a/tekton-cel/block-tekton-task-runs/.chainsaw-test/chainsaw-test.yaml b/tekton-cel/block-tekton-task-runs/.chainsaw-test/chainsaw-test.yaml deleted file mode 100755 index c89a2230e..000000000 --- a/tekton-cel/block-tekton-task-runs/.chainsaw-test/chainsaw-test.yaml +++ /dev/null @@ -1,33 +0,0 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json -apiVersion: chainsaw.kyverno.io/v1alpha1 -kind: Test -metadata: - creationTimestamp: null - name: block-tekton-task-runs -spec: - steps: - - name: step-00 - try: - - assert: - file: crd-assert.yaml - - name: step-01 - try: - - apply: - file: ../block-tekton-task-runs.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: block-tekton-task-runs - spec: - validationFailureAction: Enforce - - assert: - file: policy-ready.yaml - - name: step-02 - try: - - apply: - expect: - - check: - ($error != null): true - file: taskrun.yaml diff --git a/tekton-cel/block-tekton-task-runs/.chainsaw-test/crd-assert.yaml b/tekton-cel/block-tekton-task-runs/.chainsaw-test/crd-assert.yaml deleted file mode 100755 index 2934ff501..000000000 --- a/tekton-cel/block-tekton-task-runs/.chainsaw-test/crd-assert.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: taskruns.tekton.dev -spec: {} -status: - acceptedNames: - kind: TaskRun - plural: taskruns - singular: taskrun - storedVersions: - - v1 diff --git a/tekton-cel/block-tekton-task-runs/.chainsaw-test/policy-ready.yaml b/tekton-cel/block-tekton-task-runs/.chainsaw-test/policy-ready.yaml deleted file mode 100755 index 156082c75..000000000 
--- a/tekton-cel/block-tekton-task-runs/.chainsaw-test/policy-ready.yaml +++ /dev/null @@ -1,10 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: block-tekton-task-runs -status: - conditions: - - reason: Succeeded - status: "True" - type: Ready - diff --git a/tekton-cel/block-tekton-task-runs/.chainsaw-test/taskrun.yaml b/tekton-cel/block-tekton-task-runs/.chainsaw-test/taskrun.yaml deleted file mode 100644 index d25f69cb0..000000000 --- a/tekton-cel/block-tekton-task-runs/.chainsaw-test/taskrun.yaml +++ /dev/null @@ -1,7 +0,0 @@ -apiVersion: tekton.dev/v1 -kind: TaskRun -metadata: - name: taskrun01 -spec: - taskRef: - name: read-task \ No newline at end of file diff --git a/tekton-cel/block-tekton-task-runs/.kyverno-test/kyverno-test.yaml b/tekton-cel/block-tekton-task-runs/.kyverno-test/kyverno-test.yaml deleted file mode 100644 index f98351850..000000000 --- a/tekton-cel/block-tekton-task-runs/.kyverno-test/kyverno-test.yaml +++ /dev/null @@ -1,15 +0,0 @@ -apiVersion: cli.kyverno.io/v1alpha1 -kind: Test -metadata: - name: block-tekton-task-runs -policies: -- ../block-tekton-task-runs.yaml -resources: -- ../.chainsaw-test/taskrun.yaml -results: -- policy: block-tekton-task-runs - rule: check-taskrun-user - kind: TaskRun - resources: - - taskrun01 - result: fail diff --git a/tekton-cel/block-tekton-task-runs/artifacthub-pkg.yml b/tekton-cel/block-tekton-task-runs/artifacthub-pkg.yml deleted file mode 100644 index 20a5fe972..000000000 --- a/tekton-cel/block-tekton-task-runs/artifacthub-pkg.yml +++ /dev/null 
@@ -1,23 +0,0 @@ -name: block-tekton-task-runs-cel -version: 1.0.0 -displayName: Block Tekton TaskRun in CEL expressions -description: >- - Restrict creation of TaskRun resources to the Tekton pipelines controller. -install: |- - ```shell - kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/tekton-cel/block-tekton-task-runs/block-tekton-task-runs.yaml - ``` -keywords: - - kyverno - - Tekton - - CEL Expressions -readme: | - Restrict creation of TaskRun resources to the Tekton pipelines controller. - - Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ -annotations: - kyverno/category: "Tekton in CEL" - kyverno/kubernetesVersion: "1.26-1.27" - kyverno/subject: "TaskRun" -digest: 865b8ae10fc53e1bb258db975e122e386610b84cba4bbf7fa4549d93f3affca4 -createdAt: "2024-05-23T18:08:47Z" diff --git a/tekton-cel/block-tekton-task-runs/block-tekton-task-runs.yaml b/tekton-cel/block-tekton-task-runs/block-tekton-task-runs.yaml deleted file mode 100644 index f1f786b34..000000000 --- a/tekton-cel/block-tekton-task-runs/block-tekton-task-runs.yaml +++ /dev/null 
@@ -1,38 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: block-tekton-task-runs - annotations: - policies.kyverno.io/title: Block Tekton TaskRun in CEL expressions - policies.kyverno.io/category: Tekton in CEL - policies.kyverno.io/severity: medium - policies.kyverno.io/subject: TaskRun - kyverno.io/kyverno-version: 1.11.0 - policies.kyverno.io/minversion: 1.11.0 - kyverno.io/kubernetes-version: "1.26-1.27" - policies.kyverno.io/description: >- - Restrict creation of TaskRun resources to the Tekton pipelines controller. -spec: - validationFailureAction: Audit - background: false - rules: - - name: check-taskrun-user - match: - any: - - resources: - kinds: - - TaskRun - operations: - - CREATE - - UPDATE - exclude: - any: - - subjects: - - kind: User - name: "system:serviceaccount:tekton-pipelines:tekton-pipelines-controller" - validate: - cel: - expressions: - - expression: "false" - message: Creating a TaskRun is not allowed. - diff --git a/tekton-cel/require-tekton-bundle/.chainsaw-test/bad-pipelinerun.yaml b/tekton-cel/require-tekton-bundle/.chainsaw-test/bad-pipelinerun.yaml deleted file mode 100644 index cad412909..000000000 --- a/tekton-cel/require-tekton-bundle/.chainsaw-test/bad-pipelinerun.yaml +++ /dev/null @@ -1,18 +0,0 @@ -apiVersion: tekton.dev/v1 -kind: PipelineRun -metadata: - name: badpipelinerun01 -spec: - pipelineRef: - name: mypipeline ---- -apiVersion: tekton.dev/v1 -kind: PipelineRun -metadata: - name: badpipelinerun02 -spec: - pipelineSpec: - tasks: - - name: task1 - taskRef: - name: mytask \ No newline at end of file diff --git a/tekton-cel/require-tekton-bundle/.chainsaw-test/bad-taskrun.yaml b/tekton-cel/require-tekton-bundle/.chainsaw-test/bad-taskrun.yaml deleted file mode 100644 index 22ac6a221..000000000 --- a/tekton-cel/require-tekton-bundle/.chainsaw-test/bad-taskrun.yaml +++ /dev/null 
@@ -1,7 +0,0 @@ -apiVersion: tekton.dev/v1 -kind: TaskRun -metadata: - name: badtaskrun01 -spec: - taskRef: - name: read-task \ No newline at end of file diff --git a/tekton-cel/require-tekton-bundle/.chainsaw-test/chainsaw-test.yaml b/tekton-cel/require-tekton-bundle/.chainsaw-test/chainsaw-test.yaml deleted file mode 100755 index 1ee775051..000000000 --- a/tekton-cel/require-tekton-bundle/.chainsaw-test/chainsaw-test.yaml +++ /dev/null @@ -1,44 +0,0 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json -apiVersion: chainsaw.kyverno.io/v1alpha1 -kind: Test -metadata: - creationTimestamp: null - name: require-tekton-bundle -spec: - steps: - - name: step-00 - try: - - assert: - file: crd-taskrun-assert.yaml - - assert: - file: crd-pipelinerun-assert.yaml - - name: step-01 - try: - - apply: - file: ../require-tekton-bundle.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: require-tekton-bundle - spec: - validationFailureAction: Enforce - - assert: - file: policy-ready.yaml - - name: step-02 - try: - - apply: - file: good-taskrun.yaml - - apply: - expect: - - check: - ($error != null): true - file: bad-taskrun.yaml - - apply: - file: good-pipelinerun.yaml - - apply: - expect: - - check: - ($error != null): true - file: bad-pipelinerun.yaml diff --git a/tekton-cel/require-tekton-bundle/.chainsaw-test/crd-pipelinerun-assert.yaml b/tekton-cel/require-tekton-bundle/.chainsaw-test/crd-pipelinerun-assert.yaml deleted file mode 100755 index 81ab957e7..000000000 --- a/tekton-cel/require-tekton-bundle/.chainsaw-test/crd-pipelinerun-assert.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: pipelineruns.tekton.dev -spec: {} -status: - acceptedNames: - kind: PipelineRun - plural: pipelineruns - singular: pipelinerun - storedVersions: - - v1 
diff --git a/tekton-cel/require-tekton-bundle/.chainsaw-test/crd-taskrun-assert.yaml b/tekton-cel/require-tekton-bundle/.chainsaw-test/crd-taskrun-assert.yaml deleted file mode 100755 index 2934ff501..000000000 --- a/tekton-cel/require-tekton-bundle/.chainsaw-test/crd-taskrun-assert.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: taskruns.tekton.dev -spec: {} -status: - acceptedNames: - kind: TaskRun - plural: taskruns - singular: taskrun - storedVersions: - - v1 diff --git a/tekton-cel/require-tekton-bundle/.chainsaw-test/good-pipelinerun.yaml b/tekton-cel/require-tekton-bundle/.chainsaw-test/good-pipelinerun.yaml deleted file mode 100644 index 21403752f..000000000 --- a/tekton-cel/require-tekton-bundle/.chainsaw-test/good-pipelinerun.yaml +++ /dev/null @@ -1,8 +0,0 @@ -apiVersion: tekton.dev/v1 -kind: PipelineRun -metadata: - name: goodpipelinerun01 -spec: - pipelineRef: - name: mypipeline - bundle: docker.io/foo/bar \ No newline at end of file diff --git a/tekton-cel/require-tekton-bundle/.chainsaw-test/good-taskrun.yaml b/tekton-cel/require-tekton-bundle/.chainsaw-test/good-taskrun.yaml deleted file mode 100644 index 51cc014b7..000000000 --- a/tekton-cel/require-tekton-bundle/.chainsaw-test/good-taskrun.yaml +++ /dev/null @@ -1,8 +0,0 @@ -apiVersion: tekton.dev/v1 -kind: TaskRun -metadata: - name: goodtaskrun01 -spec: - taskRef: - name: echo-task - bundle: docker.io/foo/bar \ No newline at end of file diff --git a/tekton-cel/require-tekton-bundle/.chainsaw-test/policy-ready.yaml b/tekton-cel/require-tekton-bundle/.chainsaw-test/policy-ready.yaml deleted file mode 100755 index 7def58fad..000000000 --- a/tekton-cel/require-tekton-bundle/.chainsaw-test/policy-ready.yaml +++ /dev/null @@ -1,10 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: require-tekton-bundle -status: - conditions: - - reason: Succeeded - status: "True" - type: Ready - 
diff --git a/tekton-cel/require-tekton-bundle/.kyverno-test/kyverno-test.yaml b/tekton-cel/require-tekton-bundle/.kyverno-test/kyverno-test.yaml deleted file mode 100644 index 5c6b040b6..000000000 --- a/tekton-cel/require-tekton-bundle/.kyverno-test/kyverno-test.yaml +++ /dev/null @@ -1,37 +0,0 @@ -apiVersion: cli.kyverno.io/v1alpha1 -kind: Test -metadata: - name: require-tekton-bundle -policies: -- ../require-tekton-bundle.yaml -resources: -- ../.chainsaw-test/bad-pipelinerun.yaml -- ../.chainsaw-test/bad-taskrun.yaml -- ../.chainsaw-test/good-pipelinerun.yaml -- ../.chainsaw-test/good-taskrun.yaml -results: -- policy: require-tekton-bundle - rule: check-bundle-pipelinerun - kind: PipelineRun - resources: - - badpipelinerun01 - - badpipelinerun02 - result: fail -- policy: require-tekton-bundle - rule: check-bundle-pipelinerun - kind: PipelineRun - resources: - - goodpipelinerun01 - result: pass -- policy: require-tekton-bundle - rule: check-bundle-taskrun - kind: TaskRun - resources: - - badtaskrun01 - result: fail -- policy: require-tekton-bundle - rule: check-bundle-taskrun - kind: TaskRun - resources: - - goodtaskrun01 - result: pass diff --git a/tekton-cel/require-tekton-bundle/artifacthub-pkg.yml b/tekton-cel/require-tekton-bundle/artifacthub-pkg.yml deleted file mode 100644 index 2c83e3067..000000000 --- a/tekton-cel/require-tekton-bundle/artifacthub-pkg.yml +++ /dev/null 
@@ -1,23 +0,0 @@ -name: require-tekton-bundle-cel -version: 1.0.0 -displayName: Require Tekton Bundle in CEL expressions -description: >- - PipelineRun and TaskRun resources must be executed from a bundle -install: |- - ```shell - kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/tekton-cel/require-tekton-bundle/require-tekton-bundle.yaml - ``` -keywords: - - kyverno - - Tekton - - CEL Expressions -readme: | - PipelineRun and TaskRun resources must be executed from a bundle - - Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ -annotations: - kyverno/category: "Tekton in CEL" - kyverno/kubernetesVersion: "1.26-1.27" - kyverno/subject: "TaskRun, PipelineRun" -digest: d1031e87d2d3e9496022593cac502bd8382863247803e4bd06a1badbe782ae48 -createdAt: "2024-05-24T04:26:34Z" diff --git a/tekton-cel/require-tekton-bundle/require-tekton-bundle.yaml b/tekton-cel/require-tekton-bundle/require-tekton-bundle.yaml deleted file mode 100644 index 585c00efb..000000000 --- a/tekton-cel/require-tekton-bundle/require-tekton-bundle.yaml +++ /dev/null 
@@ -1,44 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: require-tekton-bundle - annotations: - policies.kyverno.io/title: Require Tekton Bundle in CEL expressions - policies.kyverno.io/category: Tekton in CEL - policies.kyverno.io/severity: medium - policies.kyverno.io/subject: TaskRun, PipelineRun - kyverno.io/kyverno-version: 1.11.0 - policies.kyverno.io/minversion: 1.11.0 - kyverno.io/kubernetes-version: "1.26-1.27" - policies.kyverno.io/description: >- - PipelineRun and TaskRun resources must be executed from a bundle -spec: - validationFailureAction: Audit - background: true - rules: - - name: check-bundle-pipelinerun - match: - any: - - resources: - kinds: - - PipelineRun - operations: - - CREATE - - UPDATE - validate: - cel: - expressions: - - expression: "object.spec.?pipelineRef.?bundle.orValue('') != ''" - message: "A bundle is required." - - name: check-bundle-taskrun - match: - any: - - resources: - kinds: - - TaskRun - validate: - cel: - expressions: - - expression: "object.spec.?taskRef.?bundle.orValue('') != ''" - message: "A bundle is required." - diff --git a/tekton/block-tekton-task-runs/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/tekton/block-tekton-task-runs/.chainsaw-test/chainsaw-step-01-assert-1.yaml index 156082c75..ca24ce66c 100755 --- a/tekton/block-tekton-task-runs/.chainsaw-test/chainsaw-step-01-assert-1.yaml +++ b/tekton/block-tekton-task-runs/.chainsaw-test/chainsaw-step-01-assert-1.yaml @@ -3,8 +3,4 @@ kind: ClusterPolicy metadata: name: block-tekton-task-runs status: - conditions: - - reason: Succeeded - status: "True" - type: Ready - + ready: true diff --git a/tekton/block-tekton-task-runs/.chainsaw-test/chainsaw-test.yaml b/tekton/block-tekton-task-runs/.chainsaw-test/chainsaw-test.yaml index 71ec6a4f2..d81f338eb 100755 --- a/tekton/block-tekton-task-runs/.chainsaw-test/chainsaw-test.yaml +++ b/tekton/block-tekton-task-runs/.chainsaw-test/chainsaw-test.yaml 
@@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: @@ -12,16 +11,9 @@ spec: file: chainsaw-step-00-assert-1.yaml - name: step-01 try: - - apply: - file: ../block-tekton-task-runs.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: block-tekton-task-runs - spec: - validationFailureAction: Enforce + - script: + content: | + sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../block-tekton-task-runs.yaml | kubectl create -f - - assert: file: chainsaw-step-01-assert-1.yaml - name: step-02 @@ -33,3 +25,10 @@ spec: file: taskrun.yaml - apply: file: not-taskrun.yaml + - name: step-99 + try: + - delete: + ref: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: block-tekton-task-runs diff --git a/tekton/block-tekton-task-runs/artifacthub-pkg.yml b/tekton/block-tekton-task-runs/artifacthub-pkg.yml index 2a2c6aa3a..c0f341deb 100644 --- a/tekton/block-tekton-task-runs/artifacthub-pkg.yml +++ b/tekton/block-tekton-task-runs/artifacthub-pkg.yml @@ -19,4 +19,4 @@ annotations: kyverno/category: "Tekton" kyverno/kubernetesVersion: "1.23" kyverno/subject: "TaskRun" -digest: b81f44a6c23cb10349cf4064d04442ce0309521544b77730a0527251832d0b7d +digest: 08b6fe5c9990d02fb809bb5145c58a85c071ed1ae4ad1485dec7344290784390 diff --git a/tekton/block-tekton-task-runs/block-tekton-task-runs.yaml b/tekton/block-tekton-task-runs/block-tekton-task-runs.yaml index e4ca35903..4471a5f54 100644 --- a/tekton/block-tekton-task-runs/block-tekton-task-runs.yaml +++ b/tekton/block-tekton-task-runs/block-tekton-task-runs.yaml 
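Review bot: The `sed 's/validationFailureAction: audit/validationFailureAction: Enforce/'` rewrite in step-01 is a silent no-op when the pattern does not match — the same file spelled the value `Audit` until this commit, and a later edit back to that spelling (or a move of the field elsewhere in the spec) would create the policy in audit mode with no error from `sed` or from `kubectl create -f -`, after which the rejection checks that follow would fail for a misleading reason or, where a step only applies compliant resources, pass vacuously. The readiness assert in the same step is the natural place to pin the intended mode: next to `status: ready: true` in chainsaw-step-01-assert-1.yaml add `spec:` / `  validationFailureAction: Enforce` (in whatever spelling the API server stores) so the test fails immediately if the substitution did not take. Minor point of consistency: the policy file now uses lowercase `audit` while the replacement writes `Enforce`; if the installed Kyverno CRD accepts both spellings this is harmless, but `enforce` would keep the two in step. Since the policy is now created by a raw script rather than a chainsaw `apply`, it is presumably no longer tracked for automatic cleanup, which is why the step-99 `delete` matters — see the note on that step.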
@@ -13,7 +13,7 @@ metadata: policies.kyverno.io/description: >- Restrict creation of TaskRun resources to the Tekton pipelines controller. spec: - validationFailureAction: Audit + validationFailureAction: audit background: false rules: - name: check-taskrun-user diff --git a/tekton/require-tekton-bundle/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/tekton/require-tekton-bundle/.chainsaw-test/chainsaw-step-01-assert-1.yaml index 7def58fad..fe3d051fb 100755 --- a/tekton/require-tekton-bundle/.chainsaw-test/chainsaw-step-01-assert-1.yaml +++ b/tekton/require-tekton-bundle/.chainsaw-test/chainsaw-step-01-assert-1.yaml @@ -3,8 +3,4 @@ kind: ClusterPolicy metadata: name: require-tekton-bundle status: - conditions: - - reason: Succeeded - status: "True" - type: Ready - + ready: true diff --git a/tekton/require-tekton-bundle/.chainsaw-test/chainsaw-test.yaml b/tekton/require-tekton-bundle/.chainsaw-test/chainsaw-test.yaml index c99cbf69a..a801e3c8a 100755 --- a/tekton/require-tekton-bundle/.chainsaw-test/chainsaw-test.yaml +++ b/tekton/require-tekton-bundle/.chainsaw-test/chainsaw-test.yaml @@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: @@ -14,16 +13,9 @@ spec: file: chainsaw-step-00-assert-2.yaml - name: step-01 try: - - apply: - file: ../require-tekton-bundle.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: require-tekton-bundle - spec: - validationFailureAction: Enforce + - script: + content: | + sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../require-tekton-bundle.yaml | kubectl create -f - - assert: file: chainsaw-step-01-assert-1.yaml - name: step-02 
@@ -42,3 +34,10 @@ spec: - check: ($error != null): true file: bad-pipelinerun.yaml + - name: step-99 + try: + - delete: + ref: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: require-tekton-bundle diff --git a/tekton/require-tekton-bundle/.kyverno-test/kyverno-test.yaml b/tekton/require-tekton-bundle/.kyverno-test/kyverno-test.yaml deleted file mode 100644 index 5c6b040b6..000000000 --- a/tekton/require-tekton-bundle/.kyverno-test/kyverno-test.yaml +++ /dev/null @@ -1,37 +0,0 @@ -apiVersion: cli.kyverno.io/v1alpha1 -kind: Test -metadata: - name: require-tekton-bundle -policies: -- ../require-tekton-bundle.yaml -resources: -- ../.chainsaw-test/bad-pipelinerun.yaml -- ../.chainsaw-test/bad-taskrun.yaml -- ../.chainsaw-test/good-pipelinerun.yaml -- ../.chainsaw-test/good-taskrun.yaml -results: -- policy: require-tekton-bundle - rule: check-bundle-pipelinerun - kind: PipelineRun - resources: - - badpipelinerun01 - - badpipelinerun02 - result: fail -- policy: require-tekton-bundle - rule: check-bundle-pipelinerun - kind: PipelineRun - resources: - - goodpipelinerun01 - result: pass -- policy: require-tekton-bundle - rule: check-bundle-taskrun - kind: TaskRun - resources: - - badtaskrun01 - result: fail -- policy: require-tekton-bundle - rule: check-bundle-taskrun - kind: TaskRun - resources: - - goodtaskrun01 - result: pass diff --git a/tekton/require-tekton-bundle/artifacthub-pkg.yml b/tekton/require-tekton-bundle/artifacthub-pkg.yml index 67a0cb150..d7b4a9a21 100644 --- a/tekton/require-tekton-bundle/artifacthub-pkg.yml +++ b/tekton/require-tekton-bundle/artifacthub-pkg.yml @@ -19,4 +19,4 @@ annotations: kyverno/category: "Tekton" kyverno/kubernetesVersion: "1.23" kyverno/subject: "TaskRun, PipelineRun" -digest: c400aeb9b0b39a27adac5e00b70aeff9f499ac307247a55d15e93ba81d69108d +digest: 2e136747af729cc2bb5d1c88ff51a2a0d5ec2209e64aa3a79920e52f9c6ab0da 
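Review bot: The `delete` of the `require-tekton-bundle` ClusterPolicy sits in the `try:` list of a trailing step-99, so it only runs when every earlier step succeeds; if step-02's rejection checks fail, the cluster-wide policy created by the step-01 script is left behind in Enforce mode and will reject TaskRun/PipelineRun objects in every later test of the run, turning one failure into a cascade that is hard to attribute. Because the policy was created with `kubectl create` inside a `script`, chainsaw does not appear to own it, so the automatic teardown that covers `apply` resources does not help here. I would move the same five `delete:` / `ref:` lines out of step-99 and into a `cleanup:` (or `finally:`) list on step-01, which chainsaw runs regardless of the step outcome if I read its semantics correctly; step-01 itself begins outside this hunk. The same applies to the sibling chainsaw tests in this commit that were converted to the script-plus-delete pattern.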
diff --git a/tekton/require-tekton-bundle/require-tekton-bundle.yaml b/tekton/require-tekton-bundle/require-tekton-bundle.yaml index b032593f1..cd7d2bcd8 100644 --- a/tekton/require-tekton-bundle/require-tekton-bundle.yaml +++ b/tekton/require-tekton-bundle/require-tekton-bundle.yaml @@ -13,7 +13,7 @@ metadata: policies.kyverno.io/description: >- PipelineRun and TaskRun resources must be executed from a bundle spec: - validationFailureAction: Audit + validationFailureAction: audit background: true rules: - name: check-bundle-pipelinerun diff --git a/tekton/require-tekton-namespace-pipelinerun/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/tekton/require-tekton-namespace-pipelinerun/.chainsaw-test/chainsaw-step-01-assert-1.yaml index 84a9f9ace..42c3f3219 100755 --- a/tekton/require-tekton-namespace-pipelinerun/.chainsaw-test/chainsaw-step-01-assert-1.yaml +++ b/tekton/require-tekton-namespace-pipelinerun/.chainsaw-test/chainsaw-step-01-assert-1.yaml @@ -3,8 +3,4 @@ kind: ClusterPolicy metadata: name: require-tekton-namespace-pipelinerun status: - conditions: - - reason: Succeeded - status: "True" - type: Ready - + ready: true diff --git a/tekton/require-tekton-namespace-pipelinerun/.chainsaw-test/chainsaw-test.yaml b/tekton/require-tekton-namespace-pipelinerun/.chainsaw-test/chainsaw-test.yaml index 064b0029f..8837e1657 100755 --- a/tekton/require-tekton-namespace-pipelinerun/.chainsaw-test/chainsaw-test.yaml +++ b/tekton/require-tekton-namespace-pipelinerun/.chainsaw-test/chainsaw-test.yaml @@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: 
@@ -14,16 +13,9 @@ spec: try: - apply: file: ns.yaml - - apply: - file: ../require-tekton-namespace-pipelinerun.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: require-tekton-namespace-pipelinerun - spec: - validationFailureAction: Enforce + - script: + content: | + sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../require-tekton-namespace-pipelinerun.yaml | kubectl create -f - - assert: file: chainsaw-step-01-assert-1.yaml - name: step-02 @@ -35,3 +27,10 @@ spec: - check: ($error != null): true file: bad-pipelinerun.yaml + - name: step-99 + try: + - delete: + ref: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: require-tekton-namespace-pipelinerun diff --git a/tekton/require-tekton-namespace-pipelinerun/.kyverno-test/kyverno-test.yaml b/tekton/require-tekton-namespace-pipelinerun/.kyverno-test/kyverno-test.yaml deleted file mode 100644 index 141034c08..000000000 --- a/tekton/require-tekton-namespace-pipelinerun/.kyverno-test/kyverno-test.yaml +++ /dev/null @@ -1,22 +0,0 @@ -apiVersion: cli.kyverno.io/v1alpha1 -kind: Test -metadata: - name: require-tekton-namespace-pipelinerun -policies: -- ../require-tekton-namespace-pipelinerun.yaml -resources: -- ../.chainsaw-test/bad-pipelinerun.yaml -- ../.chainsaw-test/good-pipelinerun.yaml -results: -- policy: require-tekton-namespace-pipelinerun - rule: check-pipelinerun-namespace - kind: PipelineRun - resources: - - badpipelinerun01 - result: fail -- policy: require-tekton-namespace-pipelinerun - rule: check-pipelinerun-namespace - kind: PipelineRun - resources: - - goodpipelinerun01 - result: pass diff --git a/tekton/require-tekton-namespace-pipelinerun/artifacthub-pkg.yml b/tekton/require-tekton-namespace-pipelinerun/artifacthub-pkg.yml index 7d34a53ca..30a45fae7 100644 --- a/tekton/require-tekton-namespace-pipelinerun/artifacthub-pkg.yml +++ b/tekton/require-tekton-namespace-pipelinerun/artifacthub-pkg.yml 
@@ -19,4 +19,4 @@ annotations: kyverno/category: "Tekton" kyverno/kubernetesVersion: "1.23" kyverno/subject: "PipelineRun" -digest: 68f1df141b035ffba5e5affa37a526a9cd1a3ddc6b3d356a9cac3b589d871672 +digest: e7c2137806f319b9be984090216e7f5bc7a0ea94180799ecdf46f13d0774c5bf diff --git a/tekton/require-tekton-namespace-pipelinerun/require-tekton-namespace-pipelinerun.yaml b/tekton/require-tekton-namespace-pipelinerun/require-tekton-namespace-pipelinerun.yaml index 71ac3231b..5ff282ecb 100644 --- a/tekton/require-tekton-namespace-pipelinerun/require-tekton-namespace-pipelinerun.yaml +++ b/tekton/require-tekton-namespace-pipelinerun/require-tekton-namespace-pipelinerun.yaml @@ -13,7 +13,7 @@ metadata: policies.kyverno.io/description: >- A Namespace is required for a PipelineRun and may not be set to `default`. spec: - validationFailureAction: Audit + validationFailureAction: audit background: true rules: - name: check-pipelinerun-namespace diff --git a/tekton/require-tekton-securitycontext/artifacthub-pkg.yml b/tekton/require-tekton-securitycontext/artifacthub-pkg.yml index ebab9bec5..b4249f464 100644 --- a/tekton/require-tekton-securitycontext/artifacthub-pkg.yml +++ b/tekton/require-tekton-securitycontext/artifacthub-pkg.yml @@ -19,4 +19,4 @@ annotations: kyverno/category: "Tekton" kyverno/kubernetesVersion: "1.23" kyverno/subject: "TaskRun" -digest: 37aa2c05b969ca2398bc4c52888560c4013a2f545809883b70be3baba0124e41 +digest: 829fa20172f49fa1cb37a3207517b328751ca06744c073f55863e154f5cccbc1 diff --git a/tekton/require-tekton-securitycontext/require-tekton-securitycontext.yaml b/tekton/require-tekton-securitycontext/require-tekton-securitycontext.yaml index 22321547b..c36a71f68 100644 --- a/tekton/require-tekton-securitycontext/require-tekton-securitycontext.yaml +++ b/tekton/require-tekton-securitycontext/require-tekton-securitycontext.yaml 
@@ -13,7 +13,7 @@ metadata: policies.kyverno.io/description: >- A securityContext is required for each TaskRun step. spec: - validationFailureAction: Audit + validationFailureAction: audit background: true rules: - name: check-step-securitycontext diff --git a/tekton/verify-tekton-pipeline-bundle-signatures/artifacthub-pkg.yml b/tekton/verify-tekton-pipeline-bundle-signatures/artifacthub-pkg.yml index 3c5033be6..e3f5cde55 100644 --- a/tekton/verify-tekton-pipeline-bundle-signatures/artifacthub-pkg.yml +++ b/tekton/verify-tekton-pipeline-bundle-signatures/artifacthub-pkg.yml @@ -19,4 +19,4 @@ annotations: kyverno/category: "Tekton" kyverno/kubernetesVersion: "1.23" kyverno/subject: "PipelineRun" -digest: 21c240bef27349acb75f7c2cec962e82af3d0fa83697fe016de91cabab6510c3 +digest: acba55acc1c2d5d52296ae0d7ee592ffd76760a98c140fa83c02139b104f4901 diff --git a/tekton/verify-tekton-pipeline-bundle-signatures/verify-tekton-pipeline-bundle-signatures.yaml b/tekton/verify-tekton-pipeline-bundle-signatures/verify-tekton-pipeline-bundle-signatures.yaml index 2804ae881..95c4d68c4 100644 --- a/tekton/verify-tekton-pipeline-bundle-signatures/verify-tekton-pipeline-bundle-signatures.yaml +++ b/tekton/verify-tekton-pipeline-bundle-signatures/verify-tekton-pipeline-bundle-signatures.yaml @@ -13,7 +13,7 @@ metadata: policies.kyverno.io/description: >- A signed bundle is required spec: - validationFailureAction: Enforce + validationFailureAction: enforce webhookTimeoutSeconds: 30 rules: - name: check-signature diff --git a/tekton/verify-tekton-taskrun-signatures/artifacthub-pkg.yml b/tekton/verify-tekton-taskrun-signatures/artifacthub-pkg.yml index 38faf3ed7..2fa607cb8 100644 --- a/tekton/verify-tekton-taskrun-signatures/artifacthub-pkg.yml +++ b/tekton/verify-tekton-taskrun-signatures/artifacthub-pkg.yml 
@@ -19,4 +19,4 @@ annotations: kyverno/category: "Tekton" kyverno/kubernetesVersion: "1.23" kyverno/subject: "TaskRun" -digest: 51735b052443aac5d798fa4368c3b60542bf39e43ab324e2868e023303df2c7a +digest: 61be170b85f21ddea8032bf685ad6da38b0b119108f6a628a6b3eb9136e411ae diff --git a/tekton/verify-tekton-taskrun-signatures/verify-tekton-taskrun-signatures.yaml b/tekton/verify-tekton-taskrun-signatures/verify-tekton-taskrun-signatures.yaml index 323f407d4..3defd9119 100644 --- a/tekton/verify-tekton-taskrun-signatures/verify-tekton-taskrun-signatures.yaml +++ b/tekton/verify-tekton-taskrun-signatures/verify-tekton-taskrun-signatures.yaml @@ -13,7 +13,7 @@ metadata: policies.kyverno.io/description: >- A signed bundle is required. spec: - validationFailureAction: Audit + validationFailureAction: audit webhookTimeoutSeconds: 30 rules: - name: check-signature diff --git a/tekton/verify-tekton-taskrun-vuln-scan/artifacthub-pkg.yml b/tekton/verify-tekton-taskrun-vuln-scan/artifacthub-pkg.yml index 367f268ab..25ca986d3 100644 --- a/tekton/verify-tekton-taskrun-vuln-scan/artifacthub-pkg.yml +++ b/tekton/verify-tekton-taskrun-vuln-scan/artifacthub-pkg.yml @@ -19,4 +19,4 @@ annotations: kyverno/category: "Tekton" kyverno/kubernetesVersion: "1.23" kyverno/subject: "TaskRun" -digest: 81c27e22b753182ea158fbb2361e60c18ebcf2347d779b2d4a3027c3024f9d3e +digest: 542d74bd9fa89a22f22d4fdd4ac9b36b4b8f0fcfe46f98638d1a1be775a0dc1f diff --git a/tekton/verify-tekton-taskrun-vuln-scan/verify-tekton-taskrun-vuln-scan.yaml b/tekton/verify-tekton-taskrun-vuln-scan/verify-tekton-taskrun-vuln-scan.yaml index ac6d7a263..c1ee4b1ef 100644 --- a/tekton/verify-tekton-taskrun-vuln-scan/verify-tekton-taskrun-vuln-scan.yaml +++ b/tekton/verify-tekton-taskrun-vuln-scan/verify-tekton-taskrun-vuln-scan.yaml 
@@ -14,7 +14,7 @@ metadata: A signed bundle is required and a vulnerability scan made by Grype must return no vulnerabilities greater than 8.0. spec: - validationFailureAction: Audit + validationFailureAction: audit webhookTimeoutSeconds: 30 rules: - name: check-signature diff --git a/traefik-cel/disallow-default-tlsoptions/.chainsaw-test/chainsaw-test.yaml b/traefik-cel/disallow-default-tlsoptions/.chainsaw-test/chainsaw-test.yaml deleted file mode 100755 index 82d8a6f91..000000000 --- a/traefik-cel/disallow-default-tlsoptions/.chainsaw-test/chainsaw-test.yaml +++ /dev/null 
@@ -1,87 +0,0 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json -apiVersion: chainsaw.kyverno.io/v1alpha1 -kind: Test -metadata: - creationTimestamp: null - name: disallow-default-tlsoptions -spec: - steps: - - name: step-00 - try: - - assert: - file: crd-assert.yaml - - name: step-01 - try: - - apply: - file: ../disallow-default-tlsoptions.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: disallow-default-tlsoptions - spec: - validationFailureAction: Enforce - - assert: - file: policy-ready.yaml - - name: step-02 - try: - - script: - content: | - #!/bin/bash - set -eu - export USERNAME=tlsoptionsuser - export CA=ca.crt - #### Get CA certificate from kubeconfig assuming it's the first in the list. - kubectl config view --raw -o jsonpath='{.clusters[0].cluster.certificate-authority-data}' | base64 --decode > ./ca.crt - #### Set CLUSTER_SERVER from kubeconfig assuming it's the first in the list. - CLUSTER_SERVER="$(kubectl config view --raw -o jsonpath='{.clusters[0].cluster.server}')" - #### Set CLUSTER from kubeconfig assuming it's the first in the list. 
- CLUSTER="$(kubectl config view --raw -o jsonpath='{.clusters[0].name}')" - #### Generate private key - openssl genrsa -out $USERNAME.key 2048 - #### Create CSR - openssl req -new -key $USERNAME.key -out $USERNAME.csr -subj "/O=testorg/CN=$USERNAME" - #### Send CSR to kube-apiserver for approval - cat < $USERNAME.crt - #### - #### Create the credential object and output the new kubeconfig file - kubectl config set-credentials $USERNAME --client-certificate=$USERNAME.crt --client-key=$USERNAME.key --embed-certs - #### Set the context - kubectl config set-context $USERNAME-context --user=$USERNAME --cluster=$CLUSTER - # Delete CSR - kubectl delete csr $USERNAME - - name: step-03 - try: - - apply: - file: cr.yaml - - apply: - file: crb.yaml - - name: step-04 - try: - - script: - content: if kubectl create --context=tlsoptionsuser-context -f tlsoption.yaml; - then exit 1; else exit 0; fi - - script: - content: kubectl create -f tlsoption.yaml - - name: step-99 - try: - - script: - content: | - kubectl delete -f tlsoption.yaml - kubectl config unset users.tlsoptionsuser - kubectl config unset contexts.tlsoptionsuser-context diff --git a/traefik-cel/disallow-default-tlsoptions/.chainsaw-test/cr.yaml b/traefik-cel/disallow-default-tlsoptions/.chainsaw-test/cr.yaml deleted file mode 100755 index 28edd3a9a..000000000 --- a/traefik-cel/disallow-default-tlsoptions/.chainsaw-test/cr.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: tlsoptions-creator -rules: -- apiGroups: - - traefik.containo.us - resources: - - tlsoptions - verbs: - - create diff --git a/traefik-cel/disallow-default-tlsoptions/.chainsaw-test/crb.yaml b/traefik-cel/disallow-default-tlsoptions/.chainsaw-test/crb.yaml deleted file mode 100755 index ffcdb7691..000000000 --- a/traefik-cel/disallow-default-tlsoptions/.chainsaw-test/crb.yaml +++ /dev/null 
@@ -1,12 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: tlsoptions-creator:tlsoptionsuser -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: tlsoptions-creator -subjects: -- apiGroup: rbac.authorization.k8s.io - kind: User - name: tlsoptionsuser diff --git a/traefik-cel/disallow-default-tlsoptions/.chainsaw-test/crd-assert.yaml b/traefik-cel/disallow-default-tlsoptions/.chainsaw-test/crd-assert.yaml deleted file mode 100755 index 086d560e0..000000000 --- a/traefik-cel/disallow-default-tlsoptions/.chainsaw-test/crd-assert.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: tlsoptions.traefik.containo.us -spec: {} -status: - acceptedNames: - kind: TLSOption - plural: tlsoptions - singular: tlsoption - storedVersions: - - v1alpha1 diff --git a/traefik-cel/disallow-default-tlsoptions/.chainsaw-test/policy-ready.yaml b/traefik-cel/disallow-default-tlsoptions/.chainsaw-test/policy-ready.yaml deleted file mode 100755 index b0025f795..000000000 --- a/traefik-cel/disallow-default-tlsoptions/.chainsaw-test/policy-ready.yaml +++ /dev/null @@ -1,10 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: disallow-default-tlsoptions -status: - conditions: - - reason: Succeeded - status: "True" - type: Ready - diff --git a/traefik-cel/disallow-default-tlsoptions/.chainsaw-test/tlsoption.yaml b/traefik-cel/disallow-default-tlsoptions/.chainsaw-test/tlsoption.yaml deleted file mode 100644 index c38aa643f..000000000 --- a/traefik-cel/disallow-default-tlsoptions/.chainsaw-test/tlsoption.yaml +++ /dev/null 
@@ -1,21 +0,0 @@ -apiVersion: traefik.containo.us/v1alpha1 -kind: TLSOption -metadata: - name: default -spec: - minVersion: VersionTLS12 - maxVersion: VersionTLS13 - curvePreferences: - - CurveP521 - - CurveP384 - cipherSuites: - - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - - TLS_RSA_WITH_AES_256_GCM_SHA384 - clientAuth: - secretNames: - - secret-ca1 - - secret-ca2 - clientAuthType: VerifyClientCertIfGiven - sniStrict: true - alpnProtocols: - - foobar \ No newline at end of file diff --git a/traefik-cel/disallow-default-tlsoptions/.kyverno-test/kyverno-test.yaml b/traefik-cel/disallow-default-tlsoptions/.kyverno-test/kyverno-test.yaml deleted file mode 100644 index 445c7aaa5..000000000 --- a/traefik-cel/disallow-default-tlsoptions/.kyverno-test/kyverno-test.yaml +++ /dev/null @@ -1,15 +0,0 @@ -apiVersion: cli.kyverno.io/v1alpha1 -kind: Test -metadata: - name: disallow-default-tlsoptions -policies: -- ../disallow-default-tlsoptions.yaml -resources: -- resource.yaml -results: -- kind: TLSOption - policy: disallow-default-tlsoptions - resources: - - default - result: fail - rule: disallow-default-tlsoptions diff --git a/traefik-cel/disallow-default-tlsoptions/.kyverno-test/resource.yaml b/traefik-cel/disallow-default-tlsoptions/.kyverno-test/resource.yaml deleted file mode 100644 index b7de0f06a..000000000 --- a/traefik-cel/disallow-default-tlsoptions/.kyverno-test/resource.yaml +++ /dev/null @@ -1,22 +0,0 @@ -apiVersion: traefik.containo.us/v1alpha1 -kind: TLSOption -metadata: - name: default - namespace: default -spec: - minVersion: VersionTLS12 - maxVersion: VersionTLS13 - curvePreferences: - - CurveP521 - - CurveP384 - cipherSuites: - - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - - TLS_RSA_WITH_AES_256_GCM_SHA384 - clientAuth: - secretNames: - - secret-ca1 - - secret-ca2 - clientAuthType: VerifyClientCertIfGiven - sniStrict: true - alpnProtocols: - - foobar \ No newline at end of file 
diff --git a/traefik-cel/disallow-default-tlsoptions/artifacthub-pkg.yml b/traefik-cel/disallow-default-tlsoptions/artifacthub-pkg.yml deleted file mode 100644 index bc588570b..000000000 --- a/traefik-cel/disallow-default-tlsoptions/artifacthub-pkg.yml +++ /dev/null @@ -1,23 +0,0 @@ -name: disallow-default-tlsoptions-cel -version: 1.0.0 -displayName: Disallow Default TLSOptions in CEL expressions -description: >- - The TLSOption CustomResource sets cluster-wide TLS configuration options for Traefik when none are specified in a TLS router. Since this can take effect for all Ingress resources, creating the `default` TLSOption is a restricted operation. This policy ensures that only a cluster-admin can create the `default` TLSOption resource. -install: |- - ```shell - kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/traefik-cel/disallow-default-tlsoptions/disallow-default-tlsoptions.yaml - ``` -keywords: - - kyverno - - Traefik - - CEL Expressions -readme: | - The TLSOption CustomResource sets cluster-wide TLS configuration options for Traefik when none are specified in a TLS router. Since this can take effect for all Ingress resources, creating the `default` TLSOption is a restricted operation. This policy ensures that only a cluster-admin can create the `default` TLSOption resource. - - Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ -annotations: - kyverno/category: "Traefik in CEL" - kyverno/kubernetesVersion: "1.26-1.27" - kyverno/subject: "TLSOption" -digest: ddb6b4d4f7a09720499c6ad306b4ee73999003d0fde7d2feb35cb6b19d0c73df -createdAt: "2024-05-22T07:43:46Z" diff --git a/traefik-cel/disallow-default-tlsoptions/disallow-default-tlsoptions.yaml b/traefik-cel/disallow-default-tlsoptions/disallow-default-tlsoptions.yaml deleted file mode 100644 index d09b5ad55..000000000 --- a/traefik-cel/disallow-default-tlsoptions/disallow-default-tlsoptions.yaml +++ /dev/null 
@@ -1,37 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: disallow-default-tlsoptions - annotations: - policies.kyverno.io/title: Disallow Default TLSOptions in CEL expressions - policies.kyverno.io/category: Traefik in CEL - policies.kyverno.io/severity: medium - policies.kyverno.io/subject: TLSOption - kyverno.io/kyverno-version: 1.11.0 - kyverno.io/kubernetes-version: "1.26-1.27" - policies.kyverno.io/description: >- - The TLSOption CustomResource sets cluster-wide TLS configuration options for Traefik when - none are specified in a TLS router. Since this can take effect for all Ingress resources, - creating the `default` TLSOption is a restricted operation. This policy ensures that - only a cluster-admin can create the `default` TLSOption resource. -spec: - validationFailureAction: Audit - background: false - rules: - - name: disallow-default-tlsoptions - match: - any: - - resources: - names: - - default - kinds: - - TLSOption - exclude: - clusterRoles: - - cluster-admin - validate: - cel: - expressions: - - expression: "false" - message: "Only cluster administrators are allowed to set default TLSOptions." - diff --git a/traefik/disallow-default-tlsoptions/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/traefik/disallow-default-tlsoptions/.chainsaw-test/chainsaw-step-01-assert-1.yaml index b0025f795..f3e37c449 100755 --- a/traefik/disallow-default-tlsoptions/.chainsaw-test/chainsaw-step-01-assert-1.yaml +++ b/traefik/disallow-default-tlsoptions/.chainsaw-test/chainsaw-step-01-assert-1.yaml @@ -3,8 +3,4 @@ kind: ClusterPolicy metadata: name: disallow-default-tlsoptions status: - conditions: - - reason: Succeeded - status: "True" - type: Ready - + ready: true diff --git a/traefik/disallow-default-tlsoptions/.chainsaw-test/chainsaw-test.yaml b/traefik/disallow-default-tlsoptions/.chainsaw-test/chainsaw-test.yaml index 647f5fd21..4f3cf50d4 100755 --- a/traefik/disallow-default-tlsoptions/.chainsaw-test/chainsaw-test.yaml 
+++ b/traefik/disallow-default-tlsoptions/.chainsaw-test/chainsaw-test.yaml @@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: @@ -12,16 +11,9 @@ spec: file: chainsaw-step-00-assert-1.yaml - name: step-01 try: - - apply: - file: ../disallow-default-tlsoptions.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: disallow-default-tlsoptions - spec: - validationFailureAction: Enforce + - script: + content: | + sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../disallow-default-tlsoptions.yaml | kubectl create -f - - assert: file: chainsaw-step-01-assert-1.yaml - name: step-02 @@ -76,10 +68,19 @@ spec: - script: content: if kubectl create --context=tlsoptionsuser-context -f tlsoption.yaml; then exit 1; else exit 0; fi - - script: - content: kubectl create -f tlsoption.yaml + - command: + args: + - create + - -f + - tlsoption.yaml + entrypoint: kubectl - name: step-99 try: + - delete: + ref: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: disallow-default-tlsoptions - script: content: | kubectl delete -f tlsoption.yaml diff --git a/traefik/disallow-default-tlsoptions/artifacthub-pkg.yml b/traefik/disallow-default-tlsoptions/artifacthub-pkg.yml index 8f499ff9f..b517b015d 100644 --- a/traefik/disallow-default-tlsoptions/artifacthub-pkg.yml +++ b/traefik/disallow-default-tlsoptions/artifacthub-pkg.yml @@ -19,4 +19,4 @@ annotations: kyverno/category: "Traefik" kyverno/kubernetesVersion: "1.21" kyverno/subject: "TLSOption" -digest: 000ee9b234050f94e9ba8352b94146f8a6bcf65b128b66858e3eb8c01ccc2661 +digest: 59fb6372a65f74a9857938fa4bd798b7a09f4ccc0514449c17ef61c735d24121 
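Review bot: With the positive create in step-04 now a tracked `command:` step, the negative check on the line just above it is the only evidence that the policy fires, and `if kubectl create --context=tlsoptionsuser-context -f tlsoption.yaml; then exit 1; else exit 0; fi` passes on any failure at all — a missing `tlsoptionsuser-context` because the CSR flow in step-02 did not complete, an RBAC denial if the `tlsoptions-creator` binding from step-03 is absent, or the TLSOption CRD not being installed — none of which exercise `disallow-default-tlsoptions`. Since Kyverno's admission denial names the policy that blocked the request, the check can be made specific in one line, `kubectl create --context=tlsoptionsuser-context -f tlsoption.yaml 2>&1 | grep -q disallow-default-tlsoptions`, which also fails if the create unexpectedly succeeds. The step-99 `delete` of the ClusterPolicy is placed in a `try:` list, so on a failed step-04 the Enforce-mode policy and the test user's context remain behind; a `cleanup:`/`finally:` block would be the safer home, and the cleanup script that follows it continues outside this hunk.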
diff --git a/traefik/disallow-default-tlsoptions/disallow-default-tlsoptions.yaml b/traefik/disallow-default-tlsoptions/disallow-default-tlsoptions.yaml index a1166804f..b3bccd254 100644 --- a/traefik/disallow-default-tlsoptions/disallow-default-tlsoptions.yaml +++ b/traefik/disallow-default-tlsoptions/disallow-default-tlsoptions.yaml @@ -15,7 +15,7 @@ metadata: creating the `default` TLSOption is a restricted operation. This policy ensures that only a cluster-admin can create the `default` TLSOption resource. spec: - validationFailureAction: Audit + validationFailureAction: audit background: false rules: - name: disallow-default-tlsoptions diff --git a/velero-cel/block-velero-restore/.chainsaw-test/bad-restore.yaml b/velero-cel/block-velero-restore/.chainsaw-test/bad-restore.yaml deleted file mode 100644 index 84e3ec4e6..000000000 --- a/velero-cel/block-velero-restore/.chainsaw-test/bad-restore.yaml +++ /dev/null @@ -1,21 +0,0 @@ -apiVersion: velero.io/v1 -kind: Restore -metadata: - name: badrestore01 -spec: - backupName: a-very-special-backup - namespaceMapping: - foo: kube-system ---- -apiVersion: velero.io/v1 -kind: Restore -metadata: - name: badrestore02 -spec: - backupName: a-very-special-backup - includedNamespaces: - - '*' - excludedNamespaces: - - some-namespace - namespaceMapping: - foo: kube-node-lease \ No newline at end of file diff --git a/velero-cel/block-velero-restore/.chainsaw-test/chainsaw-test.yaml b/velero-cel/block-velero-restore/.chainsaw-test/chainsaw-test.yaml deleted file mode 100755 index d63f10b09..000000000 --- a/velero-cel/block-velero-restore/.chainsaw-test/chainsaw-test.yaml +++ /dev/null 
@@ -1,35 +0,0 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json -apiVersion: chainsaw.kyverno.io/v1alpha1 -kind: Test -metadata: - creationTimestamp: null - name: block-velero-restore -spec: - steps: - - name: step-00 - try: - - assert: - file: crd-restore-assert.yaml - - name: step-01 - try: - - apply: - file: ../block-velero-restore.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: block-velero-restore - spec: - validationFailureAction: Enforce - - assert: - file: policy-ready.yaml - - name: step-02 - try: - - apply: - file: good-restore.yaml - - apply: - expect: - - check: - ($error != null): true - file: bad-restore.yaml diff --git a/velero-cel/block-velero-restore/.chainsaw-test/crd-restore-assert.yaml b/velero-cel/block-velero-restore/.chainsaw-test/crd-restore-assert.yaml deleted file mode 100755 index 37aa83b76..000000000 --- a/velero-cel/block-velero-restore/.chainsaw-test/crd-restore-assert.yaml +++ /dev/null @@ -1,13 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: restores.velero.io -spec: {} -status: - acceptedNames: - kind: Restore - listKind: RestoreList - plural: restores - singular: restore - storedVersions: - - v1 diff --git a/velero-cel/block-velero-restore/.chainsaw-test/good-restore.yaml b/velero-cel/block-velero-restore/.chainsaw-test/good-restore.yaml deleted file mode 100644 index 43052e805..000000000 --- a/velero-cel/block-velero-restore/.chainsaw-test/good-restore.yaml +++ /dev/null 
@@ -1,28 +0,0 @@ -apiVersion: velero.io/v1 -kind: Restore -metadata: - name: goodrestore01 -spec: - backupName: a-very-special-backup - namespaceMapping: - foo: bar ---- -apiVersion: velero.io/v1 -kind: Restore -metadata: - name: goodrestore02 -spec: - backupName: a-very-special-backup - includedNamespaces: - - '*' - excludedNamespaces: - - some-namespace ---- -apiVersion: velero.io/v1 -kind: Restore -metadata: - name: goodrestore03 -spec: - backupName: a-very-special-backup - namespaceMapping: - kube-system: bar \ No newline at end of file diff --git a/velero-cel/block-velero-restore/.chainsaw-test/policy-ready.yaml b/velero-cel/block-velero-restore/.chainsaw-test/policy-ready.yaml deleted file mode 100755 index 2cdf18026..000000000 --- a/velero-cel/block-velero-restore/.chainsaw-test/policy-ready.yaml +++ /dev/null @@ -1,10 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: block-velero-restore -status: - conditions: - - reason: Succeeded - status: "True" - type: Ready - diff --git a/velero-cel/block-velero-restore/.kyverno-test/kyverno-test.yaml b/velero-cel/block-velero-restore/.kyverno-test/kyverno-test.yaml deleted file mode 100644 index 64ab3c92a..000000000 --- a/velero-cel/block-velero-restore/.kyverno-test/kyverno-test.yaml +++ /dev/null @@ -1,22 +0,0 @@ -apiVersion: cli.kyverno.io/v1alpha1 -kind: Test -metadata: - name: block-velero-restore -policies: -- ../block-velero-restore.yaml -resources: -- resource.yaml -results: -- kind: Restore - policy: block-velero-restore - resources: - - badrestore01 - result: fail - rule: block-velero-restore-to-protected-namespace -- kind: Restore - policy: block-velero-restore - resources: - - restore-without-namespace-mapping - - goodrestore01 - result: pass - rule: block-velero-restore-to-protected-namespace diff --git a/velero-cel/block-velero-restore/.kyverno-test/resource.yaml b/velero-cel/block-velero-restore/.kyverno-test/resource.yaml deleted file mode 100644 index 9a7a09120..000000000 
--- a/velero-cel/block-velero-restore/.kyverno-test/resource.yaml +++ /dev/null @@ -1,52 +0,0 @@ -####################################################### -## Rule: block-velero-restore-to-protected-namespace ## -####################################################### -###### Restore - Bad ---- -apiVersion: velero.io/v1 -kind: Restore -metadata: - name: badrestore01 - namespace: velero -spec: - backupName: my-backup - includedResources: - - '*' - namespaceMapping: - default: kube-system -restorePVs: true ---- -###### Restore - Good -apiVersion: velero.io/v1 -kind: Restore -metadata: - name: restore-without-namespace-mapping - namespace: velero -spec: - backupName: my-backup - excludedResources: - - nodes - - events - - events.events.k8s.io - - backups.velero.io - - restores.velero.io - - resticrepositories.velero.io - - csinodes.storage.k8s.io - - volumeattachments.storage.k8s.io - - backuprepositories.velero.io - includedNamespaces: - - '*' ---- -apiVersion: velero.io/v1 -kind: Restore -metadata: - name: goodrestore01 - namespace: velero -spec: - backupName: my-backup - includedResources: - - '*' - namespaceMapping: - default: ingress-nginx -restorePVs: true ---- diff --git a/velero-cel/block-velero-restore/artifacthub-pkg.yml b/velero-cel/block-velero-restore/artifacthub-pkg.yml deleted file mode 100644 index 31d9b5ce7..000000000 --- a/velero-cel/block-velero-restore/artifacthub-pkg.yml +++ /dev/null 
@@ -1,31 +0,0 @@ -name: block-velero-restore-cel -version: 1.0.0 -displayName: Block Velero Restore in CEL expressions -description: >- - Velero allows on backup and restore operations and is designed to be run with full cluster admin permissions. - It allows on cross namespace restore operations, which means you can restore backup of namespace A to namespace B. - This policy protect restore operation into system or any protected namespaces, listed in deny condition section. - It checks the Restore CRD object and its namespaceMapping field. If destination match protected namespace - then operation fails and warning message is throw. -install: |- - ```shell - kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/velero-cel/block-velero-restore/block-velero-restore.yaml - ``` -keywords: - - velero - - kyverno - - CEL Expressions -readme: | - Velero allows on backup and restore operations and is designed to be run with full cluster admin permissions. - It allows on cross namespace restore operations, which means you can restore backup of namespace A to namespace B. - This policy protect restore operation into system or any protected namespaces, listed in deny condition section. - It checks the Restore CRD object and its namespaceMapping field. If destination match protected namespace - then operation fails and warning message is throw. - - Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ -annotations: - kyverno/category: "Velero in CEL" - kyverno/kubernetesVersion: "1.26-1.27" - kyverno/subject: "Restore" -digest: 375151c611cea4a9da84b11a69c580498e0688db59bddf056770ba416df8982e -createdAt: "2024-05-23T17:20:18Z" diff --git a/velero-cel/block-velero-restore/block-velero-restore.yaml b/velero-cel/block-velero-restore/block-velero-restore.yaml deleted file mode 100644 index e1dd8aeb9..000000000 --- a/velero-cel/block-velero-restore/block-velero-restore.yaml +++ /dev/null 
@@ -1,38 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: block-velero-restore - annotations: - policies.kyverno.io/title: Block Velero Restore to Protected Namespace in CEL expressions - policies.kyverno.io/category: Velero in CEL - policies.kyverno.io/subject: Restore - kyverno.io/kyverno-version: 1.11.0 - kyverno.io/kubernetes-version: "1.26-1.27" - policies.kyverno.io/description: >- - Velero allows on backup and restore operations and is designed to be run with full cluster admin permissions. - It allows on cross namespace restore operations, which means you can restore backup of namespace A to namespace B. - This policy protect restore operation into system or any protected namespaces, listed in deny condition section. - It checks the Restore CRD object and its namespaceMapping field. If destination match protected namespace - then operation fails and warning message is throw. -spec: - validationFailureAction: Audit - background: false - rules: - - name: block-velero-restore-to-protected-namespace - match: - any: - - resources: - kinds: - - velero.io/v1/Restore - operations: - - CREATE - - UPDATE - validate: - cel: - variables: - - name: namespaceMappingValues - expression: "has(object.spec.namespaceMapping) ? object.spec.namespaceMapping.map(nsmap, object.spec.namespaceMapping[nsmap]) : []" - expressions: - - expression: "!variables.namespaceMappingValues.exists(val, val in ['kube-system', 'kube-node-lease'])" - messageExpression: "'Warning! Restore to protected namespace: ' + variables.namespaceMappingValues.join(', ') + ' is not allowed!'" - diff --git a/velero-cel/validate-cron-schedule/.chainsaw-test/bad-schedule.yaml b/velero-cel/validate-cron-schedule/.chainsaw-test/bad-schedule.yaml deleted file mode 100644 index e08e5d4d9..000000000 --- a/velero-cel/validate-cron-schedule/.chainsaw-test/bad-schedule.yaml +++ /dev/null 
@@ -1,19 +0,0 @@ -apiVersion: velero.io/v1 -kind: Schedule -metadata: - name: badschedule01 -spec: - schedule: 0 7 * * * * - template: - includedNamespaces: - - 'default' ---- -apiVersion: velero.io/v1 -kind: Schedule -metadata: - name: badschedule02 -spec: - schedule: 0 7 * */ * - template: - includedNamespaces: - - 'default' diff --git a/velero-cel/validate-cron-schedule/.chainsaw-test/chainsaw-test.yaml b/velero-cel/validate-cron-schedule/.chainsaw-test/chainsaw-test.yaml deleted file mode 100755 index a4df56dcc..000000000 --- a/velero-cel/validate-cron-schedule/.chainsaw-test/chainsaw-test.yaml +++ /dev/null @@ -1,35 +0,0 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json -apiVersion: chainsaw.kyverno.io/v1alpha1 -kind: Test -metadata: - creationTimestamp: null - name: validate-cron-schedule -spec: - steps: - - name: step-00 - try: - - assert: - file: crd-schedule-assert.yaml - - name: step-01 - try: - - apply: - file: ../validate-cron-schedule.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: validate-cron-schedule - spec: - validationFailureAction: Enforce - - assert: - file: policy-ready.yaml - - name: step-02 - try: - - apply: - file: good-schedule.yaml - - apply: - expect: - - check: - ($error != null): true - file: bad-schedule.yaml diff --git a/velero-cel/validate-cron-schedule/.chainsaw-test/crd-schedule-assert.yaml b/velero-cel/validate-cron-schedule/.chainsaw-test/crd-schedule-assert.yaml deleted file mode 100755 index 9b0937ad9..000000000 --- a/velero-cel/validate-cron-schedule/.chainsaw-test/crd-schedule-assert.yaml +++ /dev/null @@ -1,13 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: schedules.velero.io -spec: {} -status: - acceptedNames: - kind: Schedule - listKind: ScheduleList - plural: schedules - singular: schedule - storedVersions: - - v1 
diff --git a/velero-cel/validate-cron-schedule/.chainsaw-test/good-schedule.yaml b/velero-cel/validate-cron-schedule/.chainsaw-test/good-schedule.yaml deleted file mode 100644 index 41e2f4914..000000000 --- a/velero-cel/validate-cron-schedule/.chainsaw-test/good-schedule.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: velero.io/v1 -kind: Schedule -metadata: - name: goodsched01 -spec: - schedule: 0 7 * * * - template: - includedNamespaces: - - '*' - excludedNamespaces: - - some-namespace \ No newline at end of file diff --git a/velero-cel/validate-cron-schedule/.chainsaw-test/policy-ready.yaml b/velero-cel/validate-cron-schedule/.chainsaw-test/policy-ready.yaml deleted file mode 100755 index 26087f9ce..000000000 --- a/velero-cel/validate-cron-schedule/.chainsaw-test/policy-ready.yaml +++ /dev/null @@ -1,10 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: validate-cron-schedule -status: - conditions: - - reason: Succeeded - status: "True" - type: Ready - diff --git a/velero-cel/validate-cron-schedule/.kyverno-test/kyverno-test.yaml b/velero-cel/validate-cron-schedule/.kyverno-test/kyverno-test.yaml deleted file mode 100644 index 942f49cd4..000000000 --- a/velero-cel/validate-cron-schedule/.kyverno-test/kyverno-test.yaml +++ /dev/null @@ -1,21 +0,0 @@ -apiVersion: cli.kyverno.io/v1alpha1 -kind: Test -metadata: - name: validate-cron-schedule -policies: -- ../validate-cron-schedule.yaml -resources: -- resources.yaml -results: -- kind: Schedule - policy: validate-cron-schedule - resources: - - badschedule01 - result: fail - rule: validate-cron -- kind: Schedule - policy: validate-cron-schedule - resources: - - goodschedule01 - result: pass - rule: validate-cron diff --git a/velero-cel/validate-cron-schedule/.kyverno-test/resources.yaml b/velero-cel/validate-cron-schedule/.kyverno-test/resources.yaml deleted file mode 100644 index dd6a0bee1..000000000 --- a/velero-cel/validate-cron-schedule/.kyverno-test/resources.yaml +++ /dev/null 
@@ -1,20 +0,0 @@ ---- -apiVersion: velero.io/v1 -kind: Schedule -metadata: - name: goodschedule01 -spec: - schedule: 0 7 * * * - template: - includedNamespaces: - - 'default' ---- -apiVersion: velero.io/v1 -kind: Schedule -metadata: - name: badschedule01 -spec: - schedule: 0 7 * * * * - template: - includedNamespaces: - - 'default' diff --git a/velero-cel/validate-cron-schedule/artifacthub-pkg.yml b/velero-cel/validate-cron-schedule/artifacthub-pkg.yml deleted file mode 100644 index 0a495f085..000000000 --- a/velero-cel/validate-cron-schedule/artifacthub-pkg.yml +++ /dev/null @@ -1,25 +0,0 @@ -name: validate-cron-schedule-cel -version: 1.0.0 -displayName: Validate Cron Schedule in CEL expressions -description: >- - A Velero Schedule is given in Cron format and must be accurate to ensure - operation. This policy validates that the schedule is a valid Cron format. -install: |- - ```shell - kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/velero-cel/validate-cron-schedule/validate-cron-schedule.yaml - ``` -keywords: - - velero - - kyverno - - CEL Expressions -readme: | - A Velero Schedule is given in Cron format and must be accurate to ensure - operation. This policy validates that the schedule is a valid Cron format. - - Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ -annotations: - kyverno/category: "Velero in CEL" - kyverno/kubernetesVersion: "1.26-1.27" - kyverno/subject: "Schedule" -digest: a42222eee403614bcd88071eb5a6cdf15630cb27e0e03ea318511f359b63d899 -createdAt: "2024-05-23T17:34:19Z" diff --git a/velero-cel/validate-cron-schedule/validate-cron-schedule.yaml b/velero-cel/validate-cron-schedule/validate-cron-schedule.yaml deleted file mode 100644 index 86f135f8b..000000000 --- a/velero-cel/validate-cron-schedule/validate-cron-schedule.yaml +++ /dev/null 
@@ -1,33 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: validate-cron-schedule - annotations: - policies.kyverno.io/title: Validate Schedule in CEL expressions - policies.kyverno.io/category: Velero in CEL - policies.kyverno.io/subject: Schedule - kyverno.io/kyverno-version: 1.11.0 - kyverno.io/kubernetes-version: "1.26-1.27" - policies.kyverno.io/description: >- - A Velero Schedule is given in Cron format and must be accurate to ensure - operation. This policy validates that the schedule is a valid Cron format. -spec: - background: true - validationFailureAction: Audit - rules: - - name: validate-cron - match: - any: - - resources: - kinds: - - velero.io/v1/Schedule - operations: - - CREATE - - UPDATE - validate: - cel: - expressions: - - expression: >- - object.spec.schedule.matches('^((?:\\*|[0-5]?[0-9](?:(?:-[0-5]?[0-9])|(?:,[0-5]?[0-9])+)?)(?:\\/[0-9]+)?)\\s+((?:\\*|(?:1?[0-9]|2[0-3])(?:(?:-(?:1?[0-9]|2[0-3]))|(?:,(?:1?[0-9]|2[0-3]))+)?)(?:\\/[0-9]+)?)\\s+((?:\\*|(?:[1-9]|[1-2][0-9]|3[0-1])(?:(?:-(?:[1-9]|[1-2][0-9]|3[0-1]))|(?:,(?:[1-9]|[1-2][0-9]|3[0-1]))+)?)(?:\\/[0-9]+)?)\\s+((?:\\*|(?:[1-9]|1[0-2])(?:(?:-(?:[1-9]|1[0-2]))|(?:,(?:[1-9]|1[0-2]))+)?)(?:\\/[0-9]+)?)\\s+((?:\\*|[0-7](?:-[0-7]|(?:,[0-7])+)?)(?:\\/[0-9]+)?)$') - message: The backup schedule must be in a valid cron format. - diff --git a/velero/backup-all-volumes/.chainsaw-test/chainsaw-test.yaml b/velero/backup-all-volumes/.chainsaw-test/chainsaw-test.yaml index dfe3b6517..bcf9def8f 100755 --- a/velero/backup-all-volumes/.chainsaw-test/chainsaw-test.yaml +++ b/velero/backup-all-volumes/.chainsaw-test/chainsaw-test.yaml @@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: 
diff --git a/velero/backup-all-volumes/.chainsaw-test/cronjob-patched.yaml b/velero/backup-all-volumes/.chainsaw-test/cronjob-patched.yaml index 07b85e3a4..697870a71 100644 --- a/velero/backup-all-volumes/.chainsaw-test/cronjob-patched.yaml +++ b/velero/backup-all-volumes/.chainsaw-test/cronjob-patched.yaml @@ -21,7 +21,7 @@ spec: claimName: mypvc containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 volumeMounts: - mountPath: "/usr/share/nginx/html" name: task-pv-storage \ No newline at end of file diff --git a/velero/backup-all-volumes/.chainsaw-test/deploy-patched.yaml b/velero/backup-all-volumes/.chainsaw-test/deploy-patched.yaml index 88cc7db57..6f887de82 100644 --- a/velero/backup-all-volumes/.chainsaw-test/deploy-patched.yaml +++ b/velero/backup-all-volumes/.chainsaw-test/deploy-patched.yaml @@ -23,7 +23,7 @@ spec: claimName: mypvc containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 volumeMounts: - mountPath: "/usr/share/nginx/html" name: task-pv-storage \ No newline at end of file diff --git a/velero/backup-all-volumes/.chainsaw-test/pod-not-patched02.yaml b/velero/backup-all-volumes/.chainsaw-test/pod-not-patched02.yaml index c6f54c11d..c9df04160 100644 --- a/velero/backup-all-volumes/.chainsaw-test/pod-not-patched02.yaml +++ b/velero/backup-all-volumes/.chainsaw-test/pod-not-patched02.yaml @@ -12,7 +12,7 @@ spec: claimName: mypvc containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 volumeMounts: - mountPath: "/usr/share/nginx/html" name: task-pv-storage \ No newline at end of file diff --git a/velero/backup-all-volumes/.chainsaw-test/pod-patched01.yaml b/velero/backup-all-volumes/.chainsaw-test/pod-patched01.yaml index 08c546bdf..cca70b10d 100644 --- a/velero/backup-all-volumes/.chainsaw-test/pod-patched01.yaml +++ b/velero/backup-all-volumes/.chainsaw-test/pod-patched01.yaml 
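Review bot: Replacing `ghcr.io/kyverno/test-busybox:1.35` with the bare `busybox:1.35` drops the explicit registry and organisation, so the fixture now resolves against whatever default registry the cluster's runtime is configured with (Docker Hub unless mirrored) and pulls a mutable tag from an account the project does not control. For test fixtures the concrete risk is reproducibility and registry rate limits rather than a production exposure, but pinning keeps the fixture deterministic: `image: docker.io/library/busybox:1.35@sha256:<digest of the intended image>`, with the digest taken from the registry. The reason for leaving the ghcr mirror is not visible in this chunk; if the mirror was retired, the pinned form still works. The same change is repeated in deploy-patched.yaml, pod-not-patched02.yaml, pod-patched01.yaml, pod-patched03.yaml, pod-patched04.yaml, podcontroller.yaml (both hunks) and pods.yaml (all four hunks) under the same directory.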
@@ -14,7 +14,7 @@ spec: claimName: mypvc containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 volumeMounts: - mountPath: "/usr/share/nginx/html" name: task-pv-storage \ No newline at end of file diff --git a/velero/backup-all-volumes/.chainsaw-test/pod-patched03.yaml b/velero/backup-all-volumes/.chainsaw-test/pod-patched03.yaml index 2273f38b4..2ebbc8a62 100644 --- a/velero/backup-all-volumes/.chainsaw-test/pod-patched03.yaml +++ b/velero/backup-all-volumes/.chainsaw-test/pod-patched03.yaml @@ -17,7 +17,7 @@ spec: claimName: external containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 volumeMounts: - mountPath: "/usr/share/nginx/html" name: task-pv-storage diff --git a/velero/backup-all-volumes/.chainsaw-test/pod-patched04.yaml b/velero/backup-all-volumes/.chainsaw-test/pod-patched04.yaml index f8e79378f..e5e9b742a 100644 --- a/velero/backup-all-volumes/.chainsaw-test/pod-patched04.yaml +++ b/velero/backup-all-volumes/.chainsaw-test/pod-patched04.yaml @@ -17,7 +17,7 @@ spec: emptyDir: {} containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 volumeMounts: - mountPath: "/usr/share/nginx/html" name: task-pv-storage diff --git a/velero/backup-all-volumes/.chainsaw-test/podcontroller.yaml b/velero/backup-all-volumes/.chainsaw-test/podcontroller.yaml index ecb8da406..6a8db11a6 100644 --- a/velero/backup-all-volumes/.chainsaw-test/podcontroller.yaml +++ b/velero/backup-all-volumes/.chainsaw-test/podcontroller.yaml @@ -22,7 +22,7 @@ spec: claimName: mypvc containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 volumeMounts: - mountPath: "/usr/share/nginx/html" name: task-pv-storage 
@@ -49,7 +49,7 @@ spec: claimName: mypvc containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 volumeMounts: - mountPath: "/usr/share/nginx/html" name: task-pv-storage \ No newline at end of file diff --git a/velero/backup-all-volumes/.chainsaw-test/pods.yaml b/velero/backup-all-volumes/.chainsaw-test/pods.yaml index 2ce6a580a..eb6b906ca 100644 --- a/velero/backup-all-volumes/.chainsaw-test/pods.yaml +++ b/velero/backup-all-volumes/.chainsaw-test/pods.yaml @@ -13,7 +13,7 @@ spec: claimName: mypvc containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 volumeMounts: - mountPath: "/usr/share/nginx/html" name: task-pv-storage @@ -31,7 +31,7 @@ spec: claimName: mypvc containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 volumeMounts: - mountPath: "/usr/share/nginx/html" name: task-pv-storage @@ -54,7 +54,7 @@ spec: claimName: external containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 volumeMounts: - mountPath: "/usr/share/nginx/html" name: task-pv-storage @@ -79,7 +79,7 @@ spec: emptyDir: {} containers: - name: container01 - image: ghcr.io/kyverno/test-busybox:1.35 + image: busybox:1.35 volumeMounts: - mountPath: "/usr/share/nginx/html" name: task-pv-storage diff --git a/velero/backup-all-volumes/.chainsaw-test/policy-ready.yaml b/velero/backup-all-volumes/.chainsaw-test/policy-ready.yaml index 00b968680..b8ce12303 100644 --- a/velero/backup-all-volumes/.chainsaw-test/policy-ready.yaml +++ b/velero/backup-all-volumes/.chainsaw-test/policy-ready.yaml @@ -3,8 +3,4 @@ kind: ClusterPolicy metadata: name: backup-all-volumes status: - conditions: - - reason: Succeeded - status: "True" - type: Ready - + ready: true 
diff --git a/velero/block-velero-restore/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/velero/block-velero-restore/.chainsaw-test/chainsaw-step-01-assert-1.yaml index 2cdf18026..df978e12d 100755 --- a/velero/block-velero-restore/.chainsaw-test/chainsaw-step-01-assert-1.yaml +++ b/velero/block-velero-restore/.chainsaw-test/chainsaw-step-01-assert-1.yaml @@ -3,8 +3,4 @@ kind: ClusterPolicy metadata: name: block-velero-restore status: - conditions: - - reason: Succeeded - status: "True" - type: Ready - + ready: true diff --git a/velero/block-velero-restore/.chainsaw-test/chainsaw-test.yaml b/velero/block-velero-restore/.chainsaw-test/chainsaw-test.yaml index e0d354830..1ce6ed8c7 100755 --- a/velero/block-velero-restore/.chainsaw-test/chainsaw-test.yaml +++ b/velero/block-velero-restore/.chainsaw-test/chainsaw-test.yaml @@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: @@ -12,16 +11,9 @@ spec: file: chainsaw-step-00-assert-1.yaml - name: step-01 try: - - apply: - file: ../block-velero-restore.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: block-velero-restore - spec: - validationFailureAction: Enforce + - script: + content: | + sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../block-velero-restore.yaml | kubectl create -f - - assert: file: chainsaw-step-01-assert-1.yaml - name: step-02 @@ -33,3 +25,10 @@ spec: - check: ($error != null): true file: bad-restore.yaml + - name: step-99 + try: + - delete: + ref: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: block-velero-restore diff --git a/velero/block-velero-restore/artifacthub-pkg.yml b/velero/block-velero-restore/artifacthub-pkg.yml index 94151db98..f4b815f13 100644 --- a/velero/block-velero-restore/artifacthub-pkg.yml +++ b/velero/block-velero-restore/artifacthub-pkg.yml 
@@ -28,4 +28,4 @@ annotations: kyverno/category: "Velero" kyverno/kubernetesVersion: "1.23" kyverno/subject: "Restore" -digest: a65832197cee441d134ff4ce6379639d8e4f4ae2ddb0ce3b4d91d57f1fb5960f +digest: 8dc53eeed16dfae126f70003803e7f14a7373f202e01398a785b8f2747b3d2f9 diff --git a/velero/block-velero-restore/block-velero-restore.yaml b/velero/block-velero-restore/block-velero-restore.yaml index 12a679e9c..25e516871 100644 --- a/velero/block-velero-restore/block-velero-restore.yaml +++ b/velero/block-velero-restore/block-velero-restore.yaml @@ -13,7 +13,7 @@ metadata: It checks the Restore CRD object and its namespaceMapping field. If destination match protected namespace then operation fails and warning message is throw. spec: - validationFailureAction: Audit + validationFailureAction: audit background: false rules: - name: block-velero-restore-to-protected-namespace diff --git a/velero/validate-cron-schedule/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/velero/validate-cron-schedule/.chainsaw-test/chainsaw-step-01-assert-1.yaml index 26087f9ce..11afe59c1 100755 --- a/velero/validate-cron-schedule/.chainsaw-test/chainsaw-step-01-assert-1.yaml +++ b/velero/validate-cron-schedule/.chainsaw-test/chainsaw-step-01-assert-1.yaml @@ -3,8 +3,4 @@ kind: ClusterPolicy metadata: name: validate-cron-schedule status: - conditions: - - reason: Succeeded - status: "True" - type: Ready - + ready: true diff --git a/velero/validate-cron-schedule/.chainsaw-test/chainsaw-test.yaml b/velero/validate-cron-schedule/.chainsaw-test/chainsaw-test.yaml index 896e281c3..e31cb9f91 100755 --- a/velero/validate-cron-schedule/.chainsaw-test/chainsaw-test.yaml +++ b/velero/validate-cron-schedule/.chainsaw-test/chainsaw-test.yaml @@ -1,4 +1,3 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: 
@@ -12,16 +11,9 @@ spec: file: chainsaw-step-00-assert-1.yaml - name: step-01 try: - - apply: - file: ../validate-cron-schedule.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: validate-cron-schedule - spec: - validationFailureAction: Enforce + - script: + content: | + sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../validate-cron-schedule.yaml | kubectl create -f - - assert: file: chainsaw-step-01-assert-1.yaml - name: step-02 @@ -33,3 +25,10 @@ spec: - check: ($error != null): true file: bad-schedule.yaml + - name: step-99 + try: + - delete: + ref: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: validate-cron-schedule diff --git a/velero/validate-cron-schedule/artifacthub-pkg.yml b/velero/validate-cron-schedule/artifacthub-pkg.yml index 0dc049d09..077c12914 100644 --- a/velero/validate-cron-schedule/artifacthub-pkg.yml +++ b/velero/validate-cron-schedule/artifacthub-pkg.yml @@ -22,4 +22,4 @@ annotations: kyverno/category: "Velero" kyverno/kubernetesVersion: "1.25" kyverno/subject: "Schedule" -digest: d8c1924e3db7b25ae27aa8c2bd6b78b5b56d68653ef9bcdf28aaea308319667a +digest: 68d90c2a50f1f633d184a82ffb9f8713f64100b2d95ae79e11969cba88cf46ae diff --git a/velero/validate-cron-schedule/validate-cron-schedule.yaml b/velero/validate-cron-schedule/validate-cron-schedule.yaml index 08fbf3ae3..ed8098cc1 100644 --- a/velero/validate-cron-schedule/validate-cron-schedule.yaml +++ b/velero/validate-cron-schedule/validate-cron-schedule.yaml @@ -11,7 +11,7 @@ metadata: operation. This policy validates that the schedule is a valid Cron format. spec: background: true - validationFailureAction: Audit + validationFailureAction: audit rules: - name: validate-cron match: 
diff --git a/windows-security/require-run-as-containeruser/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/windows-security/require-run-as-containeruser/.chainsaw-test/chainsaw-step-01-assert-1.yaml deleted file mode 100755 index 9815bd06a..000000000 --- a/windows-security/require-run-as-containeruser/.chainsaw-test/chainsaw-step-01-assert-1.yaml +++ /dev/null @@ -1,10 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: require-run-as-containeruser -status: - conditions: - - reason: Succeeded - status: "True" - type: Ready - diff --git a/windows-security/require-run-as-containeruser/.chainsaw-test/chainsaw-test.yaml b/windows-security/require-run-as-containeruser/.chainsaw-test/chainsaw-test.yaml deleted file mode 100755 index 93d87ea58..000000000 --- a/windows-security/require-run-as-containeruser/.chainsaw-test/chainsaw-test.yaml +++ /dev/null @@ -1,37 +0,0 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json -apiVersion: chainsaw.kyverno.io/v1alpha1 -kind: Test -metadata: - name: require-run-as-containeruser -spec: - steps: - - name: step-01 - try: - - apply: - file: ../require-run-as-containeruser.yaml - - patch: - resource: - apiVersion: kyverno.io/v1 - kind: ClusterPolicy - metadata: - name: require-run-as-containeruser - spec: - validationFailureAction: Enforce - - assert: - file: chainsaw-step-01-assert-1.yaml - - name: step-02 - try: - - apply: - file: pod-good.yaml - - apply: - expect: - - check: - ($error != null): true - file: pod-bad.yaml - - apply: - file: podcontroller-good.yaml - - apply: - expect: - - check: - ($error != null): true - file: podcontroller-bad.yaml diff --git a/windows-security/require-run-as-containeruser/.chainsaw-test/pod-bad.yaml b/windows-security/require-run-as-containeruser/.chainsaw-test/pod-bad.yaml deleted file mode 100644 index bbade42c8..000000000 
--- a/windows-security/require-run-as-containeruser/.chainsaw-test/pod-bad.yaml +++ /dev/null @@ -1,17 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: bad-windows-pod -spec: - nodeSelector: - kubernetes.io/arch: amd64 - kubernetes.io/os: windows - securityContext: - windowsOptions: - hostProcess: true - runAsUserName: "NT AUTHORITY\\Local service" - hostNetwork: true - containers: - - name: windows-container - image: mcr.microsoft.com/windows/servercore:ltsc2019 - command: ["cmd", "/c", "echo", "Hello from Windows Container && timeout", "/t", "300"] diff --git a/windows-security/require-run-as-containeruser/.chainsaw-test/pod-good.yaml b/windows-security/require-run-as-containeruser/.chainsaw-test/pod-good.yaml deleted file mode 100644 index 75c040c16..000000000 --- a/windows-security/require-run-as-containeruser/.chainsaw-test/pod-good.yaml +++ /dev/null @@ -1,18 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: good-windows-pod -spec: - nodeSelector: - kubernetes.io/arch: amd64 - kubernetes.io/os: windows - securityContext: - runAsNonRoot: true - windowsOptions: - hostProcess: false - runAsUserName: "ContainerUser" - hostNetwork: false - containers: - - name: windows-container - image: mcr.microsoft.com/windows/servercore:ltsc2019 - command: ["cmd", "/c", "echo", "Hello from Windows Container && timeout", "/t", "300"] diff --git a/windows-security/require-run-as-containeruser/.chainsaw-test/podcontroller-bad.yaml b/windows-security/require-run-as-containeruser/.chainsaw-test/podcontroller-bad.yaml deleted file mode 100644 index 97b454eaa..000000000 --- a/windows-security/require-run-as-containeruser/.chainsaw-test/podcontroller-bad.yaml +++ /dev/null 
@@ -1,26 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: bad-windows-deployment -spec: - replicas: 1 - selector: - matchLabels: - app: windows-app - template: - metadata: - labels: - app: windows-app - spec: - nodeSelector: - kubernetes.io/arch: amd64 - kubernetes.io/os: windows - securityContext: - windowsOptions: - hostProcess: true - runAsUserName: "NT AUTHORITY\\Local service" - hostNetwork: true - containers: - - name: windows-container - image: mcr.microsoft.com/windows/servercore:ltsc2019 - command: ["cmd", "/c", "echo", "Hello from Windows Container && timeout", "/t", "300"] diff --git a/windows-security/require-run-as-containeruser/.chainsaw-test/podcontroller-good.yaml b/windows-security/require-run-as-containeruser/.chainsaw-test/podcontroller-good.yaml deleted file mode 100644 index 5d8bbf602..000000000 --- a/windows-security/require-run-as-containeruser/.chainsaw-test/podcontroller-good.yaml +++ /dev/null @@ -1,27 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: good-windows-deployment -spec: - replicas: 1 - selector: - matchLabels: - app: windows-app - template: - metadata: - labels: - app: windows-app - spec: - nodeSelector: - kubernetes.io/arch: amd64 - kubernetes.io/os: windows - securityContext: - runAsNonRoot: true - windowsOptions: - hostProcess: false - runAsUserName: "ContainerUser" - hostNetwork: false - containers: - - name: windows-container - image: mcr.microsoft.com/windows/servercore:ltsc2019 - command: ["cmd", "/c", "echo", "Hello from Windows Container && timeout", "/t", "300"] diff --git a/windows-security/require-run-as-containeruser/artifacthub-pkg.yml b/windows-security/require-run-as-containeruser/artifacthub-pkg.yml deleted file mode 100644 index 9d6107379..000000000 --- a/windows-security/require-run-as-containeruser/artifacthub-pkg.yml +++ /dev/null 
@@ -1,23 +0,0 @@
-name: require-run-as-containeruser
-version: 1.0.0
-displayName: Require runAsContainerUser (Windows)
-createdAt: "2024-05-21T09:05:16.000Z"
-description: >-
- Containers must be required to run as ContainerUser. This policy ensures that the fields spec.securityContext.windowsOptions.runAsUserName, spec.containers[*].securityContext.windowsOptions.runAsUserName, spec.initContainers[*].securityContext.windowsOptions.runAsUserName is either unset or set to ContainerUser.
- Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/
-install: |-
- ```shell
- kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/windows-security/require-run-as-containeruser/require-run-as-containeruser.yaml
- ```
-keywords:
- - kyverno
- - Windows Security
-readme: |
- Containers must be required to run as ContainerUser. This policy ensures that the fields spec.securityContext.windowsOptions.runAsUserName, spec.containers[*].securityContext.windowsOptions.runAsUserName, spec.initContainers[*].securityContext.windowsOptions.runAsUserName is either unset or set to ContainerUser.
-
- Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/
-annotations:
- kyverno/category: "Windows Security"
- kyverno/kubernetesVersion: "1.22-1.28"
- kyverno/subject: "Pod"
-digest: 78c7a47122dd89c1289514d16fe3d1a55be44e649ed04fbb9106de02633fa51e
diff --git a/windows-security/require-run-as-containeruser/require-run-as-containeruser.yaml b/windows-security/require-run-as-containeruser/require-run-as-containeruser.yaml
deleted file mode 100644
index 2e26f9a00..000000000
--- a/windows-security/require-run-as-containeruser/require-run-as-containeruser.yaml
+++ /dev/null
@@ -1,43 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
- name: require-run-as-containeruser
- annotations:
- policies.kyverno.io/title: Require Run As ContainerUser (Windows)
- policies.kyverno.io/category: Windows Security
- policies.kyverno.io/severity: medium
- policies.kyverno.io/subject: Pod
- kyverno.io/kyverno-version: 1.6.0
- kyverno.io/kubernetes-version: "1.22-1.28"
- policies.kyverno.io/description: >-
- Containers must be required to run as ContainerUser. This policy ensures that the fields
- spec.securityContext.windowsOptions.runAsUserName,
- spec.containers[*].securityContext.windowsOptions.runAsUserName,
- spec.initContainers[*].securityContext.windowsOptions.runAsUserName,
- and is either unset or set to ContainerUser.
-spec:
- validationFailureAction: Audit
- background: true
- rules:
- - name: require-run-as-containeruser
- match:
- any:
- - resources:
- kinds:
- - Pod
- validate:
- message: >-
- Running the container as ContainerAdministrator,NT AUTHORITY\NETWORK SERVICE, NT AUTHORITY\LOCAL SERVICE is not allowed.
- pattern:
- spec:
- =(securityContext):
- =(windowsOptions):
- =(runAsUserName): "ContainerUser"
- =(initContainers):
- - =(securityContext):
- =(windowsOptions):
- =(runAsUserName): "ContainerUser"
- containers:
- - =(securityContext):
- =(windowsOptions):
- =(runAsUserName): "ContainerUser"
